Multi keyrings (#166)

* Adding Keyring API

* Delete __init__.py

* Delete raw_keyring.py

* Added docstring to public class

* Edited docstring

* Edited docstring again

* Changes in docstring statements

* Docstring changes

* Changes in docstring

* Raw keyring initial

* Raw keyring encrypt commit

* Encrypt functions for Raw RSA and AES

* Raw RSA and AES initial

* raw keyrings first commit

* Multi keyring first commit

* Changes in the base file

* Temporary changes in multiple files

* Committing initial code

* Deleted raw aes test

* Multi Keyrings

* Updating base API and raw keyrings

* Corrected tox errors

* Added typehints

* Updated raw keyrings

* Updated raw keyrings

* Changes in error conditions for multi keyrings

* Made all suggested changes in multi-keyrings

* Corrected tox errors

* Added docstring to __attrs_post_init__

* Changed variable name neither_generator_nor_children_defined to neither_generator_nor_children

* Changed raw keyrings

* Corrected tox errors

* Updated raw keyrings

* Updated raw keyrings and functional test for multi keyrings

* Functional tests for multi-keyrings work

* Autoformat errors corrected and changed Exception to BaseException to solve broad exception error

* Added pylint disable broad except to raw keyrings and added multi parametrize to multi keyrings functional test

* Removed duplicate import statements

* Changes in functional test for multi keyrings according to change in raw keyrings

* Changed RSA key structure to RSAPublicKey/RSAPrivateKey and functional test passes

* Removed unwanted commented lines from test

* Pylint errors

* More pylint errors

* Made suggested changes in multi keyring

* Multi keyring unit tests

* Optimized loop for decryption keyring

* Unit tests for multi keyrings and added sample encryption materials and multi keyrings in test_utils

* Multi keyrings unit tests

* Making changes in tests and API

* Almost all unit tests done

* Unit tests for multi keyrings

* Unit tests for multi keyrings

* Unit tests for multi-keyrings working except the one to check if no further keyrings are called if data encryption key is added

* Made changes in raw keyrings to match the latest version

* Removed unused imports

* Made suggested changes

* Removed unused imports

* Resolved formatting errors

* Made suggested changes - partial

* Made all suggested changes

* apply autoformatting x_x

Author: MeghaShetty

src/aws_encryption_sdk/keyring/multi_keyring.py

@@ -0,0 +1,105 @@
+# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Resources required for Multi Keyrings."""
+import itertools
+
+import attr
+from attr.validators import deep_iterable, instance_of, optional
+
+from aws_encryption_sdk.exceptions import EncryptKeyError, GenerateKeyError
+from aws_encryption_sdk.keyring.base import DecryptionMaterials, EncryptedDataKey, EncryptionMaterials, Keyring
+
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Iterable  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
+
+@attr.s
+class MultiKeyring(Keyring):
+    """Public class for Multi Keyring.
+
+    :param generator: Generator keyring used to generate data encryption key (optional)
+    :type generator: Keyring
+    :param list children: List of keyrings used to encrypt the data encryption key (optional)
+    :raises EncryptKeyError: if encryption of data key fails for any reason
+    """
+
+    children = attr.ib(
+        default=attr.Factory(tuple), validator=optional(deep_iterable(member_validator=instance_of(Keyring)))
+    )
+    generator = attr.ib(default=None, validator=optional(instance_of(Keyring)))
+
+    def __attrs_post_init__(self):
+        # type: () -> None
+        """Prepares initial values not handled by attrs."""
+        neither_generator_nor_children = self.generator is None and not self.children
+        if neither_generator_nor_children:
+            raise TypeError("At least one of generator or children must be provided")
+
+        _generator = (self.generator,) if self.generator is not None else ()
+        self._decryption_keyrings = list(itertools.chain(_generator, self.children))
+
+    def on_encrypt(self, encryption_materials):
+        # type: (EncryptionMaterials) -> EncryptionMaterials
+        """Generate a data key using generator keyring
+        and encrypt it using any available wrapping key in any child keyring.
+
+        :param encryption_materials: Encryption materials for keyring to modify.
+        :type encryption_materials: aws_encryption_sdk.materials_managers.EncryptionMaterials
+        :returns: Optionally modified encryption materials.
+        :rtype: aws_encryption_sdk.materials_managers.EncryptionMaterials
+        :raises EncryptKeyError: if unable to encrypt data key.
+        """
+        # Check if generator keyring is not provided and data key is not generated
+        if self.generator is None and encryption_materials.data_encryption_key is None:
+            raise EncryptKeyError(
+                "Generator keyring not provided "
+                "and encryption materials do not already contain a plaintext data key."
+            )
+
+        # Call on_encrypt on the generator keyring if it is provided
+        if self.generator is not None:
+
+            encryption_materials = self.generator.on_encrypt(encryption_materials=encryption_materials)
+
+        # Check if data key is generated
+        if encryption_materials.data_encryption_key is None:
+            raise GenerateKeyError("Unable to generate data encryption key.")
+
+        # Call on_encrypt on all other keyrings
+        for keyring in self.children:
+            encryption_materials = keyring.on_encrypt(encryption_materials=encryption_materials)
+
+        return encryption_materials
+
+    def on_decrypt(self, decryption_materials, encrypted_data_keys):
+        # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials
+        """Attempt to decrypt the encrypted data keys.
+
+        :param decryption_materials: Decryption materials for keyring to modify.
+        :type decryption_materials: aws_encryption_sdk.materials_managers.DecryptionMaterials
+        :param encrypted_data_keys: List of encrypted data keys.
+        :type: List of `aws_encryption_sdk.structures.EncryptedDataKey`
+        :returns: Optionally modified decryption materials.
+        :rtype: aws_encryption_sdk.materials_managers.DecryptionMaterials
+        """
+        # Call on_decrypt on all keyrings till decryption is successful
+        for keyring in self._decryption_keyrings:
+            if decryption_materials.data_encryption_key is not None:
+                return decryption_materials
+            decryption_materials = keyring.on_decrypt(
+                decryption_materials=decryption_materials, encrypted_data_keys=encrypted_data_keys
+            )
+        return decryption_materials

test/functional/test_f_multi_keyring.py

@@ -0,0 +1,132 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Functional tests for Multi keyring encryption decryption path."""
+
+import pytest
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from aws_encryption_sdk.identifiers import KeyringTraceFlag, WrappingAlgorithm
+from aws_encryption_sdk.internal.defaults import ALGORITHM
+from aws_encryption_sdk.keyring.multi_keyring import MultiKeyring
+from aws_encryption_sdk.keyring.raw_keyring import RawAESKeyring, RawRSAKeyring
+from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials
+from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey
+
+pytestmark = [pytest.mark.functional, pytest.mark.local]
+
+_ENCRYPTION_CONTEXT = {"encryption": "context", "values": "here"}
+_PROVIDER_ID = "Random Raw Keys"
+_KEY_ID = b"5325b043-5843-4629-869c-64794af77ada"
+_WRAPPING_KEY_AES = b"\xeby-\x80A6\x15rA8\x83#,\xe4\xab\xac`\xaf\x99Z\xc1\xce\xdb\xb6\x0f\xb7\x805\xb2\x14J3"
+
+_ENCRYPTION_MATERIALS_WITHOUT_DATA_KEY = EncryptionMaterials(
+    algorithm=ALGORITHM, encryption_context=_ENCRYPTION_CONTEXT
+)
+
+_ENCRYPTION_MATERIALS_WITH_DATA_KEY = EncryptionMaterials(
+    algorithm=ALGORITHM,
+    data_encryption_key=RawDataKey(
+        key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID),
+        data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(',
+    ),
+    encryption_context=_ENCRYPTION_CONTEXT,
+    keyring_trace=[
+        KeyringTrace(
+            wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID),
+            flags={KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY},
+        )
+    ],
+)
+
+_MULTI_KEYRING_WITH_GENERATOR_AND_CHILDREN = MultiKeyring(
+    generator=RawAESKeyring(
+        key_namespace=_PROVIDER_ID,
+        key_name=_KEY_ID,
+        wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
+        wrapping_key=_WRAPPING_KEY_AES,
+    ),
+    children=[
+        RawRSAKeyring(
+            key_namespace=_PROVIDER_ID,
+            key_name=_KEY_ID,
+            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
+            private_wrapping_key=rsa.generate_private_key(
+                public_exponent=65537, key_size=2048, backend=default_backend()
+            ),
+        ),
+        RawRSAKeyring(
+            key_namespace=_PROVIDER_ID,
+            key_name=_KEY_ID,
+            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
+            private_wrapping_key=rsa.generate_private_key(
+                public_exponent=65537, key_size=2048, backend=default_backend()
+            ),
+        ),
+    ],
+)
+
+_MULTI_KEYRING_WITHOUT_CHILDREN = MultiKeyring(
+    generator=RawRSAKeyring(
+        key_namespace=_PROVIDER_ID,
+        key_name=_KEY_ID,
+        wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
+        private_wrapping_key=rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()),
+    )
+)
+
+_MULTI_KEYRING_WITHOUT_GENERATOR = MultiKeyring(
+    children=[
+        RawRSAKeyring(
+            key_namespace=_PROVIDER_ID,
+            key_name=_KEY_ID,
+            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
+            private_wrapping_key=rsa.generate_private_key(
+                public_exponent=65537, key_size=2048, backend=default_backend()
+            ),
+        ),
+        RawAESKeyring(
+            key_namespace=_PROVIDER_ID,
+            key_name=_KEY_ID,
+            wrapping_algorithm=WrappingAlgorithm.AES_128_GCM_IV12_TAG16_NO_PADDING,
+            wrapping_key=_WRAPPING_KEY_AES,
+        ),
+    ]
+)
+
+
+@pytest.mark.parametrize(
+    "multi_keyring, encryption_materials",
+    [
+        (_MULTI_KEYRING_WITH_GENERATOR_AND_CHILDREN, _ENCRYPTION_MATERIALS_WITHOUT_DATA_KEY),
+        (_MULTI_KEYRING_WITH_GENERATOR_AND_CHILDREN, _ENCRYPTION_MATERIALS_WITH_DATA_KEY),
+        (_MULTI_KEYRING_WITHOUT_CHILDREN, _ENCRYPTION_MATERIALS_WITH_DATA_KEY),
+        (_MULTI_KEYRING_WITHOUT_GENERATOR, _ENCRYPTION_MATERIALS_WITH_DATA_KEY),
+    ],
+)
+def test_multi_keyring_encryption_decryption(multi_keyring, encryption_materials):
+    # Call on_encrypt function for the keyring
+    encryption_materials = multi_keyring.on_encrypt(encryption_materials)
+
+    # Generate decryption materials
+    decryption_materials = DecryptionMaterials(
+        algorithm=ALGORITHM, verification_key=b"ex_verification_key", encryption_context=_ENCRYPTION_CONTEXT
+    )
+
+    # Call on_decrypt function for the keyring
+    decryption_materials = multi_keyring.on_decrypt(
+        decryption_materials=decryption_materials, encrypted_data_keys=encryption_materials.encrypted_data_keys
+    )
+
+    # Check if the data keys match
+    assert encryption_materials.data_encryption_key == decryption_materials.data_encryption_key