linter

Author: imabhichow

Examples/runtimes/python/DynamoDBEncryption/src/create_keystore_key_example.py

@@ -3,20 +3,18 @@
 """
 Example for creating a new key in a KeyStore.
 
-The Hierarchical Keyring Example and Searchable Encryption Examples
-rely on the existence of a DDB-backed key store with pre-existing
-branch key material or beacon key material.
+The Hierarchical Keyring Example and Searchable Encryption Examples rely on the
+existence of a DDB-backed key store with pre-existing branch key material or
+beacon key material.
 
-See the "Create KeyStore Table Example" for how to first set up
-the DDB Table that will back this KeyStore.
+See the "Create KeyStore Table Example" for how to first set up the DDB Table
+that will back this KeyStore.
 
-This example demonstrates configuring a KeyStore and then
-using a helper method to create a branch key and beacon key
-that share the same Id, then return that Id.
-We will always create a new beacon key alongside a new branch key,
-even if you are not using searchable encryption.
+Demonstrates configuring a KeyStore and using a helper method to create a branch
+key and beacon key that share the same Id. A new beacon key is always created
+alongside a new branch key, even if searchable encryption is not being used.
 
-This key creation should occur within your control plane.
+Note: This key creation should occur within your control plane.
 """
 
 import boto3

Examples/runtimes/python/DynamoDBEncryption/src/create_keystore_table_example.py

@@ -1,18 +1,18 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """
-The Hierarchical Keyring Example and Searchable Encryption Examples
-rely on the existence of a DDB-backed key store with pre-existing
-branch key material or beacon key material.
-
-This example demonstrates configuring a KeyStore and then
-using a helper method to create the DDB table that will be
-used to persist branch keys and beacons keys for this KeyStore.
-
-This table creation should occur within your control plane. This
-only needs to occur once. While not demonstrated in this example,
-you should additionally use the `VersionKey` API on the KeyStore
-to periodically rotate your branch key material.
+Example for creating a DynamoDB table for use as a KeyStore.
+
+The Hierarchical Keyring Example and Searchable Encryption Examples rely on the
+existence of a DDB-backed key store with pre-existing branch key material or
+beacon key material.
+
+Shows how to configure a KeyStore and use a helper method to create the DDB table
+that will be used to persist branch keys and beacons keys for this KeyStore.
+
+This table creation should occur within your control plane and only needs to occur
+once. While not demonstrated in this example, you should additionally use the
+`VersionKey` API on the KeyStore to periodically rotate your branch key material.
 """
 
 import boto3
@@ -24,12 +24,9 @@
 )
 
 
-def keystore_create_table(
-    keystore_table_name: str,
-    logical_keystore_name: str,
-    kms_key_arn: str
-):
-    """Create KeyStore Table Example.
+def keystore_create_table(keystore_table_name: str, logical_keystore_name: str, kms_key_arn: str):
+    """
+    Create KeyStore Table Example.
 
     :param keystore_table_name: The name of the DynamoDB table to create
     :param logical_keystore_name: The logical name for this keystore
@@ -42,10 +39,10 @@ def keystore_create_table(
     #    when they are stored in your DDB table.
     keystore = KeyStore(
         config=KeyStoreConfig(
-            ddb_client=boto3.client('dynamodb'),
+            ddb_client=boto3.client("dynamodb"),
             ddb_table_name=keystore_table_name,
             logical_key_store_name=logical_keystore_name,
-            kms_client=boto3.client('kms'),
+            kms_client=boto3.client("kms"),
             kms_configuration=KMSConfigurationKmsKeyArn(kms_key_arn),
         )
     )

Examples/runtimes/python/DynamoDBEncryption/src/keyring/__init__.py

@@ -1,3 +1,3 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-"""Stub to allow relative imports of examples from tests."""
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/DynamoDBEncryption/src/keyring/kms_rsa_keyring_example.py

@@ -1,30 +1,30 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """
-  This example sets up DynamoDb Encryption for the AWS SDK client
-  using the KMS RSA Keyring. This keyring uses a KMS RSA key pair to
-  encrypt and decrypt records. The client uses the downloaded public key
-  to encrypt items it adds to the table.
-  The keyring uses the private key to decrypt existing table items it retrieves,
-  by calling KMS' decrypt API.
-
-  Running this example requires access to the DDB Table whose name
-  is provided in CLI arguments.
-  This table must be configured with the following
-  primary key configuration:
-    - Partition key is named "partition_key" with type (S)
-    - Sort key is named "sort_key" with type (S)
-  This example also requires access to a KMS RSA key.
-  Our tests provide a KMS RSA ARN that anyone can use, but you
-  can also provide your own KMS RSA key.
-  To use your own KMS RSA key, you must have either:
-   - Its public key downloaded in a UTF-8 encoded PEM file
-   - kms:GetPublicKey permissions on that key
-  If you do not have the public key downloaded, running this example
-  through its main method will download the public key for you
-  by calling kms:GetPublicKey.
-  You must also have kms:Decrypt permissions on the KMS RSA key.
+Example demonstrating DynamoDb Encryption using a KMS RSA Keyring.
+
+The KMS RSA Keyring uses a KMS RSA key pair to encrypt and decrypt records. The client
+uses the downloaded public key to encrypt items it adds to the table. The keyring
+uses the private key to decrypt existing table items it retrieves by calling
+KMS' decrypt API.
+
+Running this example requires access to the DDB Table whose name is provided
+in CLI arguments. This table must be configured with the following primary key
+configuration:
+  - Partition key is named "partition_key" with type (S)
+  - Sort key is named "sort_key" with type (S)
+
+The example also requires access to a KMS RSA key. Our tests provide a KMS RSA
+ARN that anyone can use, but you can also provide your own KMS RSA key.
+To use your own KMS RSA key, you must have either:
+ - Its public key downloaded in a UTF-8 encoded PEM file
+ - kms:GetPublicKey permissions on that key
+
+If you do not have the public key downloaded, running this example through its
+main method will download the public key for you by calling kms:GetPublicKey.
+You must also have kms:Decrypt permissions on the KMS RSA key.
 """
+
 import os
 
 import boto3
@@ -43,14 +43,12 @@
     CryptoAction,
 )
 from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import padding
 
 DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME = "KmsRsaKeyringExamplePublicKey.pem"
 
+
 def kms_rsa_keyring_example(
-    ddb_table_name: str,
-    rsa_key_arn: str,
-    rsa_public_key_filename: str = DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME
+    ddb_table_name: str, rsa_key_arn: str, rsa_public_key_filename: str = DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME
 ):
     """
     Create a KMS RSA keyring and use it to encrypt/decrypt DynamoDB items.
@@ -65,7 +63,7 @@ def kms_rsa_keyring_example(
     #    the KMS RSA key, retrieve its public key, and store it
     #    in a PEM file for example use.
     try:
-        with open(rsa_public_key_filename, 'rb') as f:
+        with open(rsa_public_key_filename, "rb") as f:
             public_key_utf8_encoded = f.read()
     except IOError as e:
         raise RuntimeError("IOError while reading public key from file") from e
@@ -77,20 +75,16 @@ def kms_rsa_keyring_example(
     #     - public_key: A ByteBuffer of a UTF-8 encoded PEM file representing the public
     #                  key for the key passed into kms_key_id
     #     - encryption_algorithm: Must be either RSAES_OAEP_SHA_256 or RSAES_OAEP_SHA_1
-    mat_prov = AwsCryptographicMaterialProviders(
-        config=MaterialProvidersConfig()
-    )
+    mat_prov = AwsCryptographicMaterialProviders(config=MaterialProvidersConfig())
 
     keyring_input = CreateAwsKmsRsaKeyringInput(
         kms_key_id=rsa_key_arn,
-        kms_client=boto3.client('kms'),
+        kms_client=boto3.client("kms"),
         public_key=public_key_utf8_encoded,
-        encryption_algorithm="RSAES_OAEP_SHA_256"
+        encryption_algorithm="RSAES_OAEP_SHA_256",
     )
 
-    kms_rsa_keyring = mat_prov.create_aws_kms_rsa_keyring(
-        input=keyring_input
-    )
+    kms_rsa_keyring = mat_prov.create_aws_kms_rsa_keyring(input=keyring_input)
 
     # 3. Configure which attributes are encrypted and/or signed when writing new items.
     #    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
@@ -101,7 +95,7 @@ def kms_rsa_keyring_example(
     attribute_actions = {
         "partition_key": CryptoAction.SIGN_ONLY,  # Our partition attribute must be SIGN_ONLY
         "sort_key": CryptoAction.SIGN_ONLY,  # Our sort attribute must be SIGN_ONLY
-        "sensitive_data": CryptoAction.ENCRYPT_AND_SIGN
+        "sensitive_data": CryptoAction.ENCRYPT_AND_SIGN,
     }
 
     # 4. Configure which attributes we expect to be included in the signature
@@ -148,58 +142,47 @@ def kms_rsa_keyring_example(
         # Specify algorithmSuite without asymmetric signing here
         # As of v3.0.0, the only supported algorithmSuite without asymmetric signing is
         # ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384.
-        algorithm_suite_id=DBEAlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384
+        algorithm_suite_id=DBEAlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384,
     )
 
     table_configs = {ddb_table_name: table_config}
     tables_config = DynamoDbTablesEncryptionConfig(table_encryption_configs=table_configs)
 
     # 6. Create the EncryptedClient
-    ddb_client = boto3.client('dynamodb')
-    encrypted_ddb_client = EncryptedClient(
-        client=ddb_client,
-        encryption_config=tables_config
-    )
+    ddb_client = boto3.client("dynamodb")
+    encrypted_ddb_client = EncryptedClient(client=ddb_client, encryption_config=tables_config)
 
     # 7. Put an item into our table using the above client.
     #    Before the item gets sent to DynamoDb, it will be encrypted
     #    client-side using the KMS RSA keyring.
     item = {
         "partition_key": {"S": "awsKmsRsaKeyringItem"},
         "sort_key": {"N": "0"},
-        "sensitive_data": {"S": "encrypt and sign me!"}
+        "sensitive_data": {"S": "encrypt and sign me!"},
     }
 
-    put_response = encrypted_ddb_client.put_item(
-        TableName=ddb_table_name,
-        Item=item
-    )
+    put_response = encrypted_ddb_client.put_item(TableName=ddb_table_name, Item=item)
 
     # Demonstrate that PutItem succeeded
-    assert put_response['ResponseMetadata']['HTTPStatusCode'] == 200
+    assert put_response["ResponseMetadata"]["HTTPStatusCode"] == 200
 
     # 8. Get the item back from our table using the client.
     #    The client will decrypt the item client-side using the RSA keyring
     #    and return the original item.
-    key_to_get = {
-        "partition_key": {"S": "awsKmsRsaKeyringItem"},
-        "sort_key": {"N": "0"}
-    }
+    key_to_get = {"partition_key": {"S": "awsKmsRsaKeyringItem"}, "sort_key": {"N": "0"}}
 
-    get_response = encrypted_ddb_client.get_item(
-        TableName=ddb_table_name,
-        Key=key_to_get
-    )
+    get_response = encrypted_ddb_client.get_item(TableName=ddb_table_name, Key=key_to_get)
 
     # Demonstrate that GetItem succeeded and returned the decrypted item
-    assert get_response['ResponseMetadata']['HTTPStatusCode'] == 200
-    returned_item = get_response['Item']
+    assert get_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+    returned_item = get_response["Item"]
     assert returned_item["sensitive_data"]["S"] == "encrypt and sign me!"
 
 
 def should_get_new_public_key(rsa_public_key_filename: str = DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME) -> bool:
-    """Check if we need to get a new public key.
-    
+    """
+    Check if we need to get a new public key.
+
     :param rsa_public_key_filename: Path to the public key PEM file
     :return: True if we need to get a new public key, False otherwise
     """
@@ -215,11 +198,11 @@ def should_get_new_public_key(rsa_public_key_filename: str = DEFAULT_EXAMPLE_RSA
 
 
 def write_public_key_pem_for_rsa_key(
-    rsa_key_arn: str,
-    rsa_public_key_filename: str = DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME
+    rsa_key_arn: str, rsa_public_key_filename: str = DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME
 ):
-    """Get the public key from KMS and write it to a PEM file.
-    
+    """
+    Get the public key from KMS and write it to a PEM file.
+
     :param rsa_key_arn: The ARN of the KMS RSA key
     :param rsa_public_key_filename: Path to write the public key PEM file
     """
@@ -230,23 +213,19 @@ def write_public_key_pem_for_rsa_key(
     # This code will call KMS to get the public key for the KMS RSA key.
     # You must have kms:GetPublicKey permissions on the key for this to succeed.
     # The public key will be written to the file EXAMPLE_RSA_PUBLIC_KEY_FILENAME.
-    kms_client = boto3.client('kms')
-    response = kms_client.get_public_key(
-        KeyId=rsa_key_arn
-    )
-    public_key_bytes = response['PublicKey']
+    kms_client = boto3.client("kms")
+    response = kms_client.get_public_key(KeyId=rsa_key_arn)
+    public_key_bytes = response["PublicKey"]
 
     # Convert the public key to PEM format
     public_key = serialization.load_der_public_key(public_key_bytes)
     pem_data = public_key.public_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PublicFormat.SubjectPublicKeyInfo
+        encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo
     )
 
     # Write the PEM file
     try:
-        with open(rsa_public_key_filename, 'wb') as f:
+        with open(rsa_public_key_filename, "wb") as f:
             f.write(pem_data)
     except IOError as e:
         raise RuntimeError("IOError while writing public key PEM") from e
-