def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_child):
    """A child-scoped single-CMK keyring decrypts EDKs produced under generator + child.

    The encrypting side wraps the data key under two CMKs; the decrypting side only
    knows the child.  The keyring trace must therefore show DECRYPTED_DATA_KEY and
    VERIFIED_ENCRYPTION_CONTEXT for the child and nothing at all for the generator.
    """
    generator, child = fake_generator_and_child

    multi_cmk_keyring = AwsKmsKeyring(generator_key_id=generator, key_ids=(child,))
    child_only_keyring = _AwsKmsSingleCmkKeyring(key_id=child, client_supplier=DefaultClientSupplier())

    encrypted = multi_cmk_keyring.on_encrypt(EncryptionMaterials(algorithm=ALGORITHM, encryption_context={}))

    decrypt_input = DecryptionMaterials(
        algorithm=encrypted.algorithm, encryption_context=encrypted.encryption_context
    )
    decrypted = child_only_keyring.on_decrypt(
        decryption_materials=decrypt_input, encrypted_data_keys=encrypted.encrypted_data_keys
    )

    def trace_flags_for(key_info):
        # Flags recorded in the keyring trace for one CMK, identified by its KEY_NAMESPACE provider info.
        return _matching_flags(MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=key_info), decrypted.keyring_trace)

    # The generator CMK is not configured on the decrypting keyring, so it must not appear in the trace.
    assert len(trace_flags_for(generator)) == 0

    child_flags = trace_flags_for(child)
    assert KeyringTraceFlag.DECRYPTED_DATA_KEY in child_flags
    assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in child_flags
def test_aws_kms_single_cmk_keyring_on_decrypt_existing_datakey(caplog):
    """on_decrypt must return materials that already hold a data key without touching KMS.

    No KMS CMKs exist in this test context, so any attempt to decrypt the EDK would fail
    and emit the "Unable to decrypt encrypted data key from" log line.  Its absence is the
    evidence that the keyring short-circuited instead of making a network call.
    """
    caplog.set_level(logging.DEBUG)
    keyring = _AwsKmsSingleCmkKeyring(key_id="foo", client_supplier=DefaultClientSupplier())

    # A data key that is already in place before on_decrypt runs.
    existing_key = RawDataKey(
        key_provider=MasterKeyInfo(provider_id="foo", key_info=b"bar"),
        data_key=os.urandom(ALGORITHM.kdf_input_len),
    )
    materials_in = DecryptionMaterials(
        algorithm=ALGORITHM, encryption_context={}, data_encryption_key=existing_key
    )

    # An EDK that would be undecryptable if the keyring ever tried it.
    unusable_edk = EncryptedDataKey(
        key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"), encrypted_data_key=b"bar"
    )

    materials_out = keyring.on_decrypt(decryption_materials=materials_in, encrypted_data_keys=(unusable_edk,))

    assert materials_out.data_encryption_key == materials_in.data_encryption_key

    # No failure message means the EDK was never sent to KMS.
    assert "Unable to decrypt encrypted data key from" not in caplog.text
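def test_aws_kms_single_cmk_keyring_on_encrypt_fail():
    """on_encrypt must raise EncryptKeyError when KMS cannot generate or encrypt a data key.

    No KMS CMKs exist in this test context, so the call to KMS fails and the keyring is
    expected to surface that as EncryptKeyError rather than returning materials silently.
    """
    keyring = _AwsKmsSingleCmkKeyring(key_id="foo", client_supplier=DefaultClientSupplier())

    initial_materials = EncryptionMaterials(algorithm=ALGORITHM, encryption_context={})

    with pytest.raises(EncryptKeyError) as excinfo:
        keyring.on_encrypt(initial_materials)

    # excinfo.match() uses re.search, so the literal prefix is enough; the original pattern
    # ended in "using *", a stray quantifier that only matched zero-or-more spaces after "using".
    excinfo.match(r"Unable to generate or encrypt data key using")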
def test_aws_kms_single_cmk_keyring_on_decrypt_no_match(fake_generator_and_child):
    """A single-CMK keyring must not decrypt an EDK that was wrapped under a different CMK.

    Encrypt under the generator, then try to decrypt with a keyring scoped to the child:
    the result must carry no data key, i.e. the keyring does not fall back to other CMKs.
    """
    generator, child = fake_generator_and_child

    def single_cmk_keyring(key_id):
        return _AwsKmsSingleCmkKeyring(key_id=key_id, client_supplier=DefaultClientSupplier())

    encrypted = single_cmk_keyring(generator).on_encrypt(
        EncryptionMaterials(algorithm=ALGORITHM, encryption_context={})
    )

    decrypt_input = DecryptionMaterials(
        algorithm=encrypted.algorithm, encryption_context=encrypted.encryption_context
    )
    decrypted = single_cmk_keyring(child).on_decrypt(
        decryption_materials=decrypt_input, encrypted_data_keys=encrypted.encrypted_data_keys
    )

    assert decrypted.data_encryption_key is None
def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator):
    """on_encrypt on materials without a data key generates one and wraps it under the single CMK.

    Exactly one EDK must be produced, and the keyring trace for the generator CMK must show
    GENERATED_DATA_KEY, ENCRYPTED_DATA_KEY and SIGNED_ENCRYPTION_CONTEXT.
    """
    keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier())

    encrypted = keyring.on_encrypt(EncryptionMaterials(algorithm=ALGORITHM, encryption_context={}))

    assert encrypted.data_encryption_key is not None
    # One CMK configured, so one wrapped copy of the data key.
    assert len(encrypted.encrypted_data_keys) == 1

    generator_flags = _matching_flags(
        MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), encrypted.keyring_trace
    )

    expected_flags = (
        KeyringTraceFlag.GENERATED_DATA_KEY,
        KeyringTraceFlag.ENCRYPTED_DATA_KEY,
        KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT,
    )
    for flag in expected_flags:
        assert flag in generator_flags
def test_aws_kms_single_cmk_keyring_on_decrypt_fail(caplog):
    """A KMS failure during on_decrypt leaves the materials without a data key and is logged.

    No KMS CMKs exist in this test context, so the decrypt attempt fails.  Unlike on_encrypt,
    on_decrypt does not raise: it returns materials with no data key and records the failure
    in the log, which is what the assertions check.
    """
    caplog.set_level(logging.DEBUG)
    keyring = _AwsKmsSingleCmkKeyring(key_id="foo", client_supplier=DefaultClientSupplier())

    edk = EncryptedDataKey(
        key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"), encrypted_data_key=b"bar"
    )
    materials_out = keyring.on_decrypt(
        decryption_materials=DecryptionMaterials(algorithm=ALGORITHM, encryption_context={}),
        encrypted_data_keys=(edk,),
    )

    assert not materials_out.data_encryption_key

    # The keyring did attempt the EDK and hit an error talking to KMS.
    assert "Unable to decrypt encrypted data key from" in caplog.text
def test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk(fake_generator):
    """Round trip: the same single-CMK keyring encrypts and then decrypts the data key.

    on_decrypt must return a new materials object holding a data key, and the keyring trace
    for the CMK must show DECRYPTED_DATA_KEY and VERIFIED_ENCRYPTION_CONTEXT.
    """
    keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier())

    encrypted = keyring.on_encrypt(EncryptionMaterials(algorithm=ALGORITHM, encryption_context={}))

    decrypt_input = DecryptionMaterials(
        algorithm=encrypted.algorithm, encryption_context=encrypted.encryption_context
    )
    decrypted = keyring.on_decrypt(
        decryption_materials=decrypt_input, encrypted_data_keys=encrypted.encrypted_data_keys
    )

    # on_decrypt must not mutate its input in place.
    assert decrypted is not decrypt_input
    assert decrypted.data_encryption_key is not None

    cmk_flags = _matching_flags(
        MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), decrypted.keyring_trace
    )
    for flag in (KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT):
        assert flag in cmk_flags
def encryption_materials_for_discovery_decrypt(fake_generator):
    """Encrypt empty materials under *fake_generator* with a single-CMK keyring.

    Returns a ``(key_id, encryption_materials)`` pair so a caller can decrypt the
    resulting EDKs and check the trace against the CMK that produced them.
    Any decorator above this definition is outside the visible listing.
    """
    keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier())
    encrypted = keyring.on_encrypt(EncryptionMaterials(algorithm=ALGORITHM, encryption_context={}))
    return fake_generator, encrypted
def test_aws_kms_single_cmk_keyring_invalid_parameters(kwargs):
    """Constructing the keyring with invalid ``kwargs`` must raise TypeError.

    ``kwargs`` is supplied by the caller (presumably a parametrize decorator above
    this definition, outside the visible listing).
    """
    pytest.raises(TypeError, _AwsKmsSingleCmkKeyring, **kwargs)