def test_deny_regions_supplier_denies_denied_region():
test = DenyRegionsClientSupplier(denied_regions=["us-west-2", "us-east-2"])
with pytest.raises(UnknownRegionError) as excinfo:
test("us-west-2")
excinfo.match("Unable to provide client for region 'us-west-2'")
def test_allow_deny_nested_supplier():
test_allow = AllowRegionsClientSupplier(
allowed_regions=["us-west-2", "us-east-2"],
client_supplier=DefaultClientSupplier())
test_deny = DenyRegionsClientSupplier(denied_regions=["us-west-2"],
client_supplier=test_allow)
# test_allow allows us-west-2
test_allow("us-west-2")
# test_deny denies us-west-2 even though its internal supplier (test_allow) allows it
with pytest.raises(UnknownRegionError) as excinfo:
test_deny("us-west-2")
excinfo.match("Unable to provide client for region 'us-west-2'")
def run(aws_kms_cmk, source_plaintext):
# type: (str, bytes) -> None
"""Demonstrate configuring an AWS KMS discovery-like keyring a particular AWS region and failover to others.
:param str aws_kms_cmk: The ARN of an AWS KMS CMK that protects data keys
:param bytes source_plaintext: Plaintext to encrypt
"""
# Prepare your encryption context.
# Remember that your encryption context is NOT SECRET.
# https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
encryption_context = {
"encryption": "context",
"is not": "secret",
"but adds": "useful metadata",
"that can help you": "be confident that",
"the data you are handling": "is what you think it is",
}
# Create the keyring that determines how your data keys are protected.
encrypt_keyring = AwsKmsKeyring(generator_key_id=aws_kms_cmk)
# To create our decrypt keyring, we need to know our current default AWS region.
#
# Create a throw-away boto3 session to discover the default region.
local_region = Session().region_name
# Now, use that region name to create two AWS KMS discovery keyrings:
#
# One that only works in the local region
local_region_decrypt_keyring = AwsKmsKeyring(
is_discovery=True, client_supplier=AllowRegionsClientSupplier(allowed_regions=[local_region])
)
# and one that will work in any other region but NOT the local region.
other_regions_decrypt_keyring = AwsKmsKeyring(
is_discovery=True, client_supplier=DenyRegionsClientSupplier(denied_regions=[local_region])
)
# Finally, combine those two keyrings into a multi-keyring.
#
# The multi-keyring steps through its member keyrings in the order that you provide them,
# attempting to decrypt every encrypted data key with each keyring before moving on to the next keyring.
# Because of this, other_regions_decrypt_keyring will not be called
# unless local_region_decrypt_keyring fails to decrypt every encrypted data key.
decrypt_keyring = MultiKeyring(children=[local_region_decrypt_keyring, other_regions_decrypt_keyring])
# Encrypt your plaintext data.
ciphertext, _encrypt_header = aws_encryption_sdk.encrypt(
source=source_plaintext, encryption_context=encryption_context, keyring=encrypt_keyring
)
# Demonstrate that the ciphertext and plaintext are different.
assert ciphertext != source_plaintext
# Decrypt your encrypted data using the multi-keyring.
#
# You do not need to specify the encryption context on decrypt
# because the header of the encrypted message includes the encryption context.
decrypted, decrypt_header = aws_encryption_sdk.decrypt(source=ciphertext, keyring=decrypt_keyring)
# Demonstrate that the decrypted plaintext is identical to the original plaintext.
assert decrypted == source_plaintext
# Verify that the encryption context used in the decrypt operation includes
# the encryption context that you specified when encrypting.
# The AWS Encryption SDK can add pairs, so don't require an exact match.
#
# In production, always use a meaningful encryption context.
assert set(encryption_context.items()) <= set(decrypt_header.encryption_context.items())
def test_deny_regions_supplier_invalid_parameters(kwargs):
with pytest.raises(TypeError):
DenyRegionsClientSupplier(**kwargs)
def test_deny_regions_supplier_allows_not_denied_region():
test = DenyRegionsClientSupplier(denied_regions=["us-west-2", "us-east-2"])
assert test("ap-northeast-2")