def test_deny_regions_supplier_denies_denied_region(): test = DenyRegionsClientSupplier(denied_regions=["us-west-2", "us-east-2"]) with pytest.raises(UnknownRegionError) as excinfo: test("us-west-2") excinfo.match("Unable to provide client for region 'us-west-2'")
def test_allow_deny_nested_supplier(): test_allow = AllowRegionsClientSupplier( allowed_regions=["us-west-2", "us-east-2"], client_supplier=DefaultClientSupplier()) test_deny = DenyRegionsClientSupplier(denied_regions=["us-west-2"], client_supplier=test_allow) # test_allow allows us-west-2 test_allow("us-west-2") # test_deny denies us-west-2 even though its internal supplier (test_allow) allows it with pytest.raises(UnknownRegionError) as excinfo: test_deny("us-west-2") excinfo.match("Unable to provide client for region 'us-west-2'")
def run(aws_kms_cmk, source_plaintext): # type: (str, bytes) -> None """Demonstrate configuring an AWS KMS discovery-like keyring a particular AWS region and failover to others. :param str aws_kms_cmk: The ARN of an AWS KMS CMK that protects data keys :param bytes source_plaintext: Plaintext to encrypt """ # Prepare your encryption context. # Remember that your encryption context is NOT SECRET. # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context encryption_context = { "encryption": "context", "is not": "secret", "but adds": "useful metadata", "that can help you": "be confident that", "the data you are handling": "is what you think it is", } # Create the keyring that determines how your data keys are protected. encrypt_keyring = AwsKmsKeyring(generator_key_id=aws_kms_cmk) # To create our decrypt keyring, we need to know our current default AWS region. # # Create a throw-away boto3 session to discover the default region. local_region = Session().region_name # Now, use that region name to create two AWS KMS discovery keyrings: # # One that only works in the local region local_region_decrypt_keyring = AwsKmsKeyring( is_discovery=True, client_supplier=AllowRegionsClientSupplier(allowed_regions=[local_region]) ) # and one that will work in any other region but NOT the local region. other_regions_decrypt_keyring = AwsKmsKeyring( is_discovery=True, client_supplier=DenyRegionsClientSupplier(denied_regions=[local_region]) ) # Finally, combine those two keyrings into a multi-keyring. # # The multi-keyring steps through its member keyrings in the order that you provide them, # attempting to decrypt every encrypted data key with each keyring before moving on to the next keyring. # Because of this, other_regions_decrypt_keyring will not be called # unless local_region_decrypt_keyring fails to decrypt every encrypted data key. decrypt_keyring = MultiKeyring(children=[local_region_decrypt_keyring, other_regions_decrypt_keyring]) # Encrypt your plaintext data. ciphertext, _encrypt_header = aws_encryption_sdk.encrypt( source=source_plaintext, encryption_context=encryption_context, keyring=encrypt_keyring ) # Demonstrate that the ciphertext and plaintext are different. assert ciphertext != source_plaintext # Decrypt your encrypted data using the multi-keyring. # # You do not need to specify the encryption context on decrypt # because the header of the encrypted message includes the encryption context. decrypted, decrypt_header = aws_encryption_sdk.decrypt(source=ciphertext, keyring=decrypt_keyring) # Demonstrate that the decrypted plaintext is identical to the original plaintext. assert decrypted == source_plaintext # Verify that the encryption context used in the decrypt operation includes # the encryption context that you specified when encrypting. # The AWS Encryption SDK can add pairs, so don't require an exact match. # # In production, always use a meaningful encryption context. assert set(encryption_context.items()) <= set(decrypt_header.encryption_context.items())
def test_deny_regions_supplier_invalid_parameters(kwargs): with pytest.raises(TypeError): DenyRegionsClientSupplier(**kwargs)
def test_deny_regions_supplier_allows_not_denied_region(): test = DenyRegionsClientSupplier(denied_regions=["us-west-2", "us-east-2"]) assert test("ap-northeast-2")