added custom mpl cmm example

RitvikKapila · RitvikKapila · commit 8e0a31730cfc · 2024-06-21T13:40:02.000-07:00
diff --git a/examples/src/custom_mpl_cmm_example.py b/examples/src/custom_mpl_cmm_example.py
@@ -0,0 +1,112 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Example to create a custom implementation of the ESDK-MPL ICryptographicMaterialsManager class."""
+
+from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
+from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
+from aws_cryptographic_materialproviders.mpl.models import CreateDefaultCryptographicMaterialsManagerInput, SignatureAlgorithmNone
+from aws_cryptographic_materialproviders.mpl.references import ICryptographicMaterialsManager, IKeyring
+
+import aws_encryption_sdk
+from aws_encryption_sdk import CommitmentPolicy
+
+
+# Custom CMM implementation using the MPL.
+# This CMM only allows encryption/decryption using signing algorithms.
+# It wraps an underlying CMM implementation and checks its materials
+# to ensure that it is only using signed encryption algorithms.
+class MPLCustomSigningSuiteOnlyCMM(ICryptographicMaterialsManager):
+    """Example custom crypto materials manager class."""
+
+    def __init__(self, keyring: IKeyring) -> None:
+        """Constructor for MPLCustomSigningSuiteOnlyCMM class."""
+        mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
+            config=MaterialProvidersConfig()
+        )
+
+        # Create a CryptographicMaterialsManager for encryption and decryption
+        cmm_input: CreateDefaultCryptographicMaterialsManagerInput = \
+            CreateDefaultCryptographicMaterialsManagerInput(
+                keyring=keyring
+            )
+
+        self.underlying_cmm: ICryptographicMaterialsManager = mat_prov.create_default_cryptographic_materials_manager(
+            input=cmm_input
+        )
+
+    def get_encryption_materials(self, param):
+        """Provides encryption materials appropriate for the request for the custom CMM.
+
+        :param aws_cryptographic_materialproviders.mpl.models.GetEncryptionMaterialsInput param: Input object to
+        provide to a crypto material manager's `get_encryption_materials` method.
+        :returns: Encryption materials output
+        :rtype: aws_cryptographic_materialproviders.mpl.models.GetEncryptionMaterialsOutput
+        """
+        materials = self.underlying_cmm.get_encryption_materials(param)
+        if isinstance(materials.encryption_materials.algorithm_suite.signature, SignatureAlgorithmNone):
+            raise ValueError(
+                "Algorithm provided to MPLCustomSigningSuiteOnlyCMM"
+                  + " is not a supported signing algorithm: " + str(materials.encryption_materials.algorithm_suite)
+                  )
+        return materials
+
+    def decrypt_materials(self, param):
+        """Provides decryption materials appropriate for the request for the custom CMM.
+
+        :param aws_cryptographic_materialproviders.mpl.models.DecryptMaterialsInput param: Input object to provide
+        to a crypto material manager's `decrypt_materials` method.
+        :returns: Decryption materials output
+        :rtype: aws_cryptographic_materialproviders.mpl.models.GetDecryptionMaterialsOutput
+        """
+        materials = self.underlying_cmm.decrypt_materials(param)
+        if isinstance(materials.decryption_materials.algorithm_suite.signature, SignatureAlgorithmNone):
+            raise ValueError(
+                "Algorithm provided to MPLCustomSigningSuiteOnlyCMM"
+                  + " is not a supported signing algorithm: " + str(materials.decryption_materials.algorithm_suite)
+                  )
+        return materials
+
+
+EXAMPLE_DATA: bytes = b"Hello World"
+
+
+def encrypt_decrypt_with_cmm(
+    cmm: ICryptographicMaterialsManager
+):
+    """Encrypts and decrypts a string using a custom CMM.
+
+    :param ICryptographicMaterialsManager cmm: CMM to use for encryption and decryption
+    :param bytes source_plaintext: Data to encrypt
+    """
+    # Set up an encryption client with an explicit commitment policy. Note that if you do not explicitly choose a
+    # commitment policy, REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used by default.
+    client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT)
+
+    # Encrypt the plaintext source data
+    ciphertext, encryptor_header = client.encrypt(
+        source=EXAMPLE_DATA,
+        materials_manager=cmm
+    )
+
+    # Decrypt the ciphertext
+    cycled_plaintext, decrypted_header = client.decrypt(
+        source=ciphertext,
+        materials_manager=cmm
+    )
+
+    # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
+    assert cycled_plaintext == EXAMPLE_DATA
+
+    # Verify that the encryption context used in the decrypt operation includes all key pairs from
+    # the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    #
+    # In production, always use a meaningful encryption context. In this sample, we omit the
+    # encryption context (no key pairs).
+    # The encryptor_header.encryption_context has items of the form
+    #     b'key': b'value'
+    # We convert these to strings for easier comparison with the decrypted header below.
+    for k, v in encryptor_header.encryption_context.items():
+        k = str(k.decode("utf-8"))
+        v = str(v.decode("utf-8"))
+        assert v == decrypted_header.encryption_context[k], \
+            "Encryption context does not match expected values"
diff --git a/examples/src/legacy/custom_cmm_example.py b/examples/src/legacy/custom_cmm_example.py
@@ -29,20 +29,20 @@ def get_encryption_materials(self, request):
         """
         materials = self.underlying_cmm.get_encryption_materials(request)
         if not materials.algorithm.is_signing():
-            raise AssertionError(
+            raise ValueError(
                 "Algorithm provided to CustomSigningSuiteOnlyCMM"
                   + " is not a supported signing algorithm: " + materials.algorithm
                   )
         return materials
 
     def decrypt_materials(self, request):
-        """Provider decryption materials appropriate for the request.
+        """Provides decryption materials appropriate for the request for the custom CMM.
 
         :param DecryptionMaterialsRequest request: Request object to provide to a
         crypto material manager's `decrypt_materials` method.
         """
         if not request.algorithm.is_signing():
-            raise AssertionError(
+            raise ValueError(
                 "Algorithm provided to CustomSigningSuiteOnlyCMM"
                   + " is not a supported signing algorithm: " + request.algorithm
                   )
@@ -53,7 +53,7 @@ def encrypt_decrypt_with_cmm(
     cmm: CryptoMaterialsManager,
     source_plaintext: str
 ):
-    """Encrypts and decrypts a string using a CMM.
+    """Encrypts and decrypts a string using a custom CMM.
 
     :param CryptoMaterialsManager cmm: CMM to use for encryption and decryption
     :param bytes source_plaintext: Data to encrypt
diff --git a/examples/test/legacy/test_i_custom_cmm_example.py b/examples/test/legacy/test_i_custom_cmm_example.py
@@ -1,7 +1,6 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 """Test suite for encryption and decryption using custom CMM."""
-
 import botocore.session
 import pytest
 
diff --git a/examples/test/test_i_custom_mpl_cmm_example.py b/examples/test/test_i_custom_mpl_cmm_example.py
@@ -0,0 +1,39 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Test suite for encryption and decryption using custom CMM."""
+import boto3
+import pytest
+from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders
+from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig
+from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsKeyringInput
+from aws_cryptographic_materialproviders.mpl.references import IKeyring
+
+from ..src.custom_mpl_cmm_example import MPLCustomSigningSuiteOnlyCMM, encrypt_decrypt_with_cmm
+
+pytestmark = [pytest.mark.examples]
+
+
+def test_custom_cmm_example():
+    """Test method for encryption and decryption using V3 default CMM."""
+    kms_key_id = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f"
+
+    # Create KMS keyring to use with the CMM
+    kms_client = boto3.client('kms', region_name="us-west-2")
+
+    mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
+        config=MaterialProvidersConfig()
+    )
+
+    keyring_input: CreateAwsKmsKeyringInput = CreateAwsKmsKeyringInput(
+        kms_key_id=kms_key_id,
+        kms_client=kms_client
+    )
+
+    kms_keyring: IKeyring = mat_prov.create_aws_kms_keyring(
+        input=keyring_input
+    )
+
+    # Create the custom MPL signing CMM using the keyring
+    cmm = MPLCustomSigningSuiteOnlyCMM(keyring=kms_keyring)
+
+    encrypt_decrypt_with_cmm(cmm=cmm)
