def test_add_master_keys_invalid_arn(self, non_arn):
        """Reject a key identifier that is not a well-formed ARN while in discovery mode.

        ``non_arn`` is injected by the caller (presumably a parametrize decorator
        above this block — confirm); ``_new_master_key`` must raise
        ``MalformedArnError`` instead of constructing a master key for an
        identifier it cannot validate.
        """
        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
        # //= type=test
        # //# In discovery mode, the requested
        # //# AWS KMS key identifier MUST be a well formed AWS KMS ARN.

        discovery_region = "us-east-1"
        discovery_provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(discovery_region=discovery_region)
        # pytest.raises fails the test on exit if no MalformedArnError was raised.
        with pytest.raises(MalformedArnError):
            discovery_provider._new_master_key(non_arn)
    def test_add_master_keys_mrk_sdk_default(self):
        """Create an MRK master key in the provider's default region when no discovery_region is set.

        The botocore session's ``get_config_variable("region")`` is patched to
        answer ``us-west-2``. The provider's ``default_region`` (expected to be
        derived from that lookup — the test only checks the lookup happened and
        that the value ends up in the key id) must replace the ARN's own region
        (eu-west-2) in the returned key, and the grant tokens must be passed
        through unchanged.
        """
        tokens = (sentinel.grant_token2, sentinel.grant_token2)
        requested_arn = arn_from_str(
            "arn:aws:kms:eu-west-2:222222222222:key/mrk-aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
        )
        requested_key_id = requested_arn.to_string()

        with patch.object(
            self.mock_botocore_session, "get_config_variable", return_value="us-west-2"
        ) as get_config_variable:
            discovery_provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(
                botocore_session=self.mock_botocore_session, grant_tokens=tokens
            )
            # The region must be read from the session config exactly once.
            get_config_variable.assert_called_once_with("region")

            master_key = discovery_provider._new_master_key(requested_key_id)

            # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
            # //= type=test
            # //# Otherwise if the mode is discovery then
            # //# the AWS Region MUST be the discovery MRK region.

            default_region = discovery_provider.default_region
            assert master_key.__class__ == MRKAwareKMSMasterKey
            self.mock_boto3_session.assert_called_with(botocore_session=ANY)
            # The KMS client must be built for the default region, not the ARN's region,
            # and carry the provider's user-agent config.
            self.mock_boto3_session_instance.client.assert_called_with(
                "kms",
                region_name=default_region,
                config=discovery_provider._user_agent_adding_config,
            )
            # The MRK was re-homed: the default region replaces eu-west-2 in the key id.
            assert default_region in master_key._key_id
            assert requested_arn.region not in master_key._key_id
            # Identity check: the very same tuple object must reach the key config.
            assert master_key.config.grant_tokens is tokens
    def test_add_master_keys_mrk_with_discovery_region(self):
        """Create an MRK master key in the explicitly configured discovery_region.

        With ``discovery_region="us-east-1"`` the provider must build the KMS
        client and the key id in that region rather than in the ARN's own
        region (eu-west-2), and must pass the grant tokens through unchanged.
        """
        tokens = (sentinel.grant_token2, sentinel.grant_token2)
        requested_arn = arn_from_str(
            "arn:aws:kms:eu-west-2:222222222222:key/mrk-aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
        )
        discovery_region = "us-east-1"
        discovery_provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(
            discovery_region=discovery_region, grant_tokens=tokens
        )
        master_key = discovery_provider._new_master_key(requested_arn.to_string())

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
        # //= type=test
        # //# In discovery mode a AWS KMS MRK Aware Master Key (aws-kms-mrk-aware-
        # //# master-key.md) MUST be returned configured with
        assert master_key.__class__ == MRKAwareKMSMasterKey
        self.mock_boto3_session.assert_called_with(botocore_session=ANY)
        # The KMS client must target the configured discovery region, not the ARN's region.
        self.mock_boto3_session_instance.client.assert_called_with(
            "kms",
            region_name=discovery_region,
            config=discovery_provider._user_agent_adding_config,
        )
        # The MRK was re-homed: the discovery region replaces eu-west-2 in the key id.
        assert discovery_region in master_key._key_id
        assert requested_arn.region not in master_key._key_id
        # Identity check: the very same tuple object must reach the key config.
        assert master_key.config.grant_tokens is tokens
    def test_add_master_keys_srk(self):
        """Keep a single-Region key in its own region even when a discovery_region is configured.

        The requested ARN is not an MRK (no ``mrk-`` prefix), so the provider
        must build the KMS client in the ARN's region (eu-west-2) and use the
        ARN itself, unmodified, as the key id.
        """
        single_region_arn = "arn:aws:kms:eu-west-2:222222222222:key/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
        discovery_provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(discovery_region="us-east-1")
        master_key = discovery_provider._new_master_key(single_region_arn)

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
        # //= type=test
        # //# Otherwise if the requested AWS KMS key
        # //# identifier is identified as a multi-Region key (aws-kms-key-
        # //# arn.md#identifying-an-aws-kms-multi-region-key), then AWS Region MUST
        # //# be the region from the AWS KMS key ARN stored in the provider info
        # //# from the encrypted data key.
        # NOTE(review): the clause quoted above speaks of multi-Region keys while this
        # test exercises a single-Region key — confirm the citation against the spec.
        assert master_key.__class__ == MRKAwareKMSMasterKey
        self.mock_boto3_session.assert_called_with(botocore_session=ANY)
        # The client must be created in the ARN's region, not the discovery region.
        self.mock_boto3_session_instance.client.assert_called_with(
            "kms",
            region_name="eu-west-2",
            config=discovery_provider._user_agent_adding_config,
        )
        # Single-Region keys are never re-homed: the key id is the requested ARN verbatim.
        assert master_key._key_id == single_region_arn