guard native cx

lucasmcdonald3 · lucasmcdonald3 · commit 310b9b8cd8af · 2024-04-17T13:01:06.000-07:00
diff --git a/src/aws_encryption_sdk/__init__.py b/src/aws_encryption_sdk/__init__.py
@@ -186,7 +186,8 @@ def decrypt(self, **kwargs):
                 to the end of the stream and tell() to find the length of source data.
 
         :param dict encryption_context: Dictionary defining encryption context to validate
-            on decrypt.
+            on decrypt. This is ONLY validated on decrypt if using a CMM from the
+            aws-cryptographic-material-providers library.
         :param int max_body_length: Maximum frame size (or content length for non-framed messages)
             in bytes to read from ciphertext message.
         :returns: Tuple containing the decrypted plaintext and the message header object
diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py
@@ -963,13 +963,18 @@ def _create_decrypt_materials_request(self, header):
         # If encryption_context is provided on decrypt,
         # pass it to the DecryptionMaterialsRequest as reproduced_encryption_context
         if hasattr(self.config, "encryption_context"):
-            return DecryptionMaterialsRequest(
-                encrypted_data_keys=header.encrypted_data_keys,
-                algorithm=header.algorithm,
-                encryption_context=header.encryption_context,
-                commitment_policy=self.config.commitment_policy,
-                reproduced_encryption_context=self.config.encryption_context
-            )
+            if (_HAS_MPL
+                    and isinstance(self.config.materials_manager, CryptoMaterialsManagerFromMPL)):
+                return DecryptionMaterialsRequest(
+                    encrypted_data_keys=header.encrypted_data_keys,
+                    algorithm=header.algorithm,
+                    encryption_context=header.encryption_context,
+                    commitment_policy=self.config.commitment_policy,
+                    reproduced_encryption_context=self.config.encryption_context
+                )
+            else:
+                raise TypeError("encryption_context on decrypt is only supported for CMMs and keyrings "\
+                                "from the aws-cryptographic-material-providers library.")
         return DecryptionMaterialsRequest(
             encrypted_data_keys=header.encrypted_data_keys,
             algorithm=header.algorithm,
