Post 2.0.0 fixes (#303)

* Various fixes/cleanup after release of 2.0

  - Update decrypt_oracle and test_vector_handlers to use new constructs
  - Update changelog with correct commit hashes
  - Update _ClientConfig docstring to include commitment_policy
  - Fix oracle CI
  - Update the release tox environments to reduce risk of releasing to the wrong repo

Author: farleyb-amazon

.travis.yml

@@ -56,12 +56,12 @@ matrix:
     - python: 2.7
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py27-awses_1.3.3
+        TOXENV=py27-awses_1.7.1
       stage: Test Vector Handler Tests
     - python: 2.7
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py27-awses_1.3.max
+        TOXENV=py27-awses_2.0.0
       stage: Test Vector Handler Tests
     - python: 2.7
       env:
@@ -72,12 +72,12 @@ matrix:
     - python: 3.5
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py35-awses_1.3.3
+        TOXENV=py35-awses_1.7.1
       stage: Test Vector Handler Tests
     - python: 3.5
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py35-awses_1.3.max
+        TOXENV=py35-awses_2.0.0
       stage: Test Vector Handler Tests
     - python: 3.5
       env:
@@ -88,12 +88,12 @@ matrix:
     - python: 3.6
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py36-awses_1.3.3
+        TOXENV=py36-awses_1.7.1
       stage: Test Vector Handler Tests
     - python: 3.6
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py36-awses_1.3.max
+        TOXENV=py36-awses_2.0.0
       stage: Test Vector Handler Tests
     - python: 3.6
       env:
@@ -104,14 +104,14 @@ matrix:
     - python: 3.7
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py37-awses_1.3.3
+        TOXENV=py37-awses_1.7.1
       dist: xenial
       sudo: true
       stage: Test Vector Handler Tests
     - python: 3.7
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py37-awses_1.3.max
+        TOXENV=py37-awses_2.0.0
       dist: xenial
       sudo: true
       stage: Test Vector Handler Tests
@@ -126,14 +126,14 @@ matrix:
     - python: 3.8
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py38-awses_1.3.3
+        TOXENV=py38-awses_1.7.1
       dist: xenial
       sudo: true
       stage: Test Vector Handler Tests
     - python: 3.8
       env:
         TEST_VECTOR_HANDLERS=1
-        TOXENV=py38-awses_1.3.max
+        TOXENV=py38-awses_2.0.0
       dist: xenial
       sudo: true
       stage: Test Vector Handler Tests

CHANGELOG.rst

@@ -7,7 +7,7 @@ Changelog
 
 Features
 --------
-* Updates to the AWS Encryption SDK. 1cceceb
+* Updates to the AWS Encryption SDK. 73cce71
 
 Breaking Changes
 ^^^^^^^^^^^^^^^^
@@ -26,7 +26,7 @@ for more details.
 
 Features
 --------
-* Updates to the AWS Encryption SDK. bdbf00c
+* Updates to the AWS Encryption SDK. ef90351
 
 Deprecations
 ^^^^^^^^^^^^

decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py

@@ -16,7 +16,7 @@
 import os
 
 import aws_encryption_sdk
-from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
+from aws_encryption_sdk.key_providers.kms import DiscoveryAwsKmsMasterKeyProvider
 from chalice import Chalice, Response
 
 from .key_providers.counting import CountingMasterKey
@@ -27,9 +27,9 @@
 APP.log.setLevel(logging.DEBUG)
 
 
-def _master_key_provider() -> KMSMasterKeyProvider:
+def _master_key_provider() -> DiscoveryAwsKmsMasterKeyProvider:
     """Build the V0 master key provider."""
-    master_key_provider = KMSMasterKeyProvider()
+    master_key_provider = DiscoveryAwsKmsMasterKeyProvider()
     master_key_provider.add_master_key_provider(NullMasterKey())
     master_key_provider.add_master_key_provider(CountingMasterKey())
     return master_key_provider
@@ -59,8 +59,9 @@ def basic_decrypt() -> Response:
     APP.log.debug(APP.current_request.raw_body)
 
     try:
+        client = aws_encryption_sdk.EncryptionSDKClient()
         ciphertext = APP.current_request.raw_body
-        plaintext, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=_master_key_provider())
+        plaintext, _header = client.decrypt(source=ciphertext, key_provider=_master_key_provider())
         APP.log.debug("Plaintext:")
         APP.log.debug(plaintext)
         response = Response(body=plaintext, headers={"Content-Type": "application/octet-stream"}, status_code=200)

decrypt_oracle/test/integration/integration_test_utils.py

@@ -17,8 +17,10 @@
 from collections import namedtuple
 from typing import Any, Callable, Iterable, Optional, Text
 
+import aws_encryption_sdk
 import pytest
-from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
+from aws_encryption_sdk.identifiers import CommitmentPolicy
+from aws_encryption_sdk.key_providers.kms import StrictAwsKmsMasterKeyProvider
 
 HERE = os.path.abspath(os.path.dirname(__file__))
 DEPLOYMENT_REGION = "AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION"
@@ -27,6 +29,8 @@
 _KMS_MKP = None
 _ENDPOINT = None
 
+CLIENT = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT)
+
 
 def decrypt_endpoint() -> Text:
     """Build the API endpoint based on environment variables."""
@@ -77,7 +81,7 @@ def kms_master_key_provider(cache: Optional[bool] = True):
         return _KMS_MKP
 
     cmk_arn = get_cmk_arn()
-    _kms_master_key_provider = KMSMasterKeyProvider(key_ids=[cmk_arn])
+    _kms_master_key_provider = StrictAwsKmsMasterKeyProvider(key_ids=[cmk_arn])
 
     if cache:
         _KMS_MKP = _kms_master_key_provider

decrypt_oracle/test/unit/key_providers/test_u_counting.py

@@ -11,11 +11,10 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 """Unit test for ``aws_encryption_sdk_decrypt_oracle.key_providers.counting``."""
-import aws_encryption_sdk
 import pytest
 from aws_encryption_sdk_decrypt_oracle.key_providers.counting import CountingMasterKey
 
-from ...integration.integration_test_utils import filtered_test_vectors
+from ...integration.integration_test_utils import CLIENT, filtered_test_vectors
 
 pytestmark = [pytest.mark.unit, pytest.mark.local]
 
@@ -24,7 +23,7 @@
 def test_counting_master_key_decrypt_vectors(vector):
     master_key = CountingMasterKey()
 
-    plaintext, _header = aws_encryption_sdk.decrypt(source=vector.ciphertext, key_provider=master_key)
+    plaintext, _header = CLIENT.decrypt(source=vector.ciphertext, key_provider=master_key)
 
     assert plaintext == vector.plaintext
 
@@ -33,8 +32,8 @@ def test_counting_master_key_cycle():
     plaintext = b"some super secret plaintext"
     master_key = CountingMasterKey()
 
-    ciphertext, _header = aws_encryption_sdk.encrypt(source=plaintext, key_provider=master_key)
-    decrypted, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=master_key)
+    ciphertext, _header = CLIENT.encrypt(source=plaintext, key_provider=master_key)
+    decrypted, _header = CLIENT.decrypt(source=ciphertext, key_provider=master_key)
 
     assert plaintext != ciphertext
     assert plaintext == decrypted

decrypt_oracle/test/unit/key_providers/test_u_null.py

@@ -11,20 +11,18 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 """Unit test for ``aws_encryption_sdk_decrypt_oracle.key_providers.null``."""
-import aws_encryption_sdk
 import pytest
 from aws_encryption_sdk_decrypt_oracle.key_providers.null import NullMasterKey
 
-from ...integration.integration_test_utils import filtered_test_vectors
+from ...integration.integration_test_utils import CLIENT, filtered_test_vectors
 
 pytestmark = [pytest.mark.unit, pytest.mark.local]
 
 
 @pytest.mark.parametrize("vector", filtered_test_vectors(lambda x: x.key_type == "null"))
 def test_null_master_key_decrypt_vectors(vector):
     master_key = NullMasterKey()
-
-    plaintext, _header = aws_encryption_sdk.decrypt(source=vector.ciphertext, key_provider=master_key)
+    plaintext, _header = CLIENT.decrypt(source=vector.ciphertext, key_provider=master_key)
 
     assert plaintext == vector.plaintext
 
@@ -33,8 +31,8 @@ def test_null_master_key_cycle():
     plaintext = b"some super secret plaintext"
     master_key = NullMasterKey()
 
-    ciphertext, _header = aws_encryption_sdk.encrypt(source=plaintext, key_provider=master_key)
-    decrypted, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=master_key)
+    ciphertext, _header = CLIENT.encrypt(source=plaintext, key_provider=master_key)
+    decrypted, _header = CLIENT.decrypt(source=ciphertext, key_provider=master_key)
 
     assert plaintext != ciphertext
     assert plaintext == decrypted

src/aws_encryption_sdk/streaming_client.py

@@ -75,6 +75,8 @@ class _ClientConfig(object):
 
     :param source: Source data to encrypt or decrypt
     :type source: str, bytes, io.IOBase, or file
+    :param commitment_policy: The commitment policy to use during encryption and decryption
+    :type commitment_policy: aws_encryption_sdk.identifiers.CommitmentPolicy
     :param materials_manager: `CryptoMaterialsManager` from which to obtain cryptographic materials
         (either `materials_manager` or `key_provider` required)
     :type materials_manager: aws_encryption_sdk.materials_manager.base.CryptoMaterialsManager

test_vector_handlers/compatibility-requirements/1.7.1

@@ -0,0 +1,2 @@
+aws-encryption-sdk==1.7.1
+attrs<19.2.0

test_vector_handlers/compatibility-requirements/2.0.0

@@ -0,0 +1,2 @@
+aws-encryption-sdk==2.0.0
+attrs<19.2.0

test_vector_handlers/src/awses_test_vectors/internal/aws_kms.py

@@ -15,12 +15,12 @@
     from aws_encryption_sdk.identifiers import AlgorithmSuite
 except ImportError:
     from aws_encryption_sdk.identifiers import Algorithm as AlgorithmSuite
-from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider
+from aws_encryption_sdk.key_providers.kms import DiscoveryAwsKmsMasterKeyProvider, StrictAwsKmsMasterKeyProvider
 
 from awses_test_vectors.internal.defaults import ENCODING
 
 # This lets us easily use a single boto3 client per region for all KMS master keys.
-KMS_MASTER_KEY_PROVIDER = KMSMasterKeyProvider()
+KMS_MASTER_KEY_PROVIDER = DiscoveryAwsKmsMasterKeyProvider()
 
 
 def arn_from_key_id(key_id):
@@ -34,7 +34,8 @@ def arn_from_key_id(key_id):
     :returns: Full Arn for KMS CMK that key ID identifies
     :rtype: str
     """
-    encrypted_data_key = KMS_MASTER_KEY_PROVIDER.master_key(key_id.encode(ENCODING)).generate_data_key(
+    provider = StrictAwsKmsMasterKeyProvider(key_ids=[key_id])
+    encrypted_data_key = provider.master_key(key_id.encode(ENCODING)).generate_data_key(
         algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, encryption_context={}
     )
     return encrypted_data_key.key_provider.key_info.decode(ENCODING)

test_vector_handlers/src/awses_test_vectors/internal/mypy_types.py

@@ -15,10 +15,10 @@
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
     from typing import (  # noqa pylint: disable=unused-import
+        IO,
         Any,
         Callable,
         Dict,
-        IO,
         Iterable,
         Optional,
         Tuple,

test_vector_handlers/src/awses_test_vectors/internal/util.py

@@ -25,6 +25,7 @@
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
     from typing import Any, Callable, Dict, Iterable, Type  # noqa pylint: disable=unused-import
+
     from awses_test_vectors.internal.mypy_types import (  # noqa pylint: disable=unused-import
         ISINSTANCE,
         MANIFEST_VERSION,

test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py

@@ -21,6 +21,7 @@
 import attr
 import aws_encryption_sdk
 import six
+from aws_encryption_sdk.identifiers import CommitmentPolicy
 from aws_encryption_sdk.key_providers.base import MasterKeyProvider
 
 from awses_test_vectors.internal.defaults import ENCODING
@@ -34,7 +35,8 @@
 from awses_test_vectors.manifests.master_key import MasterKeySpec, master_key_provider_from_master_key_specs
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
-    from typing import Callable, Dict, IO, Iterable, Optional  # noqa pylint: disable=unused-import
+    from typing import IO, Callable, Dict, Iterable, Optional  # noqa pylint: disable=unused-import
+
     from awses_test_vectors.internal.mypy_types import (  # noqa pylint: disable=unused-import
         DECRYPT_SCENARIO_SPEC,
         FULL_MESSAGE_DECRYPT_MANIFEST,
@@ -155,7 +157,8 @@ def run(self, name):
 
         :param str name: Descriptive name for this scenario to use in any logging or errors
         """
-        plaintext, _header = aws_encryption_sdk.decrypt(source=self.ciphertext, key_provider=self.master_key_provider)
+        client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+        plaintext, _header = client.decrypt(source=self.ciphertext, key_provider=self.master_key_provider)
         if plaintext != self.plaintext:
             raise ValueError("Decrypted plaintext does not match expected value for scenario '{}'".format(name))
 

test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py

@@ -40,13 +40,14 @@
 from awses_test_vectors.manifests.master_key import MasterKeySpec, master_key_provider_from_master_key_specs
 
 try:
-    from aws_encryption_sdk.identifiers import AlgorithmSuite
+    from aws_encryption_sdk.identifiers import AlgorithmSuite, CommitmentPolicy
 except ImportError:
     from aws_encryption_sdk.identifiers import Algorithm as AlgorithmSuite
 
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
-    from typing import Callable, Dict, IO, Iterable, Optional  # noqa pylint: disable=unused-import
+    from typing import IO, Callable, Dict, Iterable, Optional  # noqa pylint: disable=unused-import
+
     from awses_test_vectors.internal.mypy_types import (  # noqa pylint: disable=unused-import
         ENCRYPT_SCENARIO_SPEC,
         PLAINTEXTS_SPEC,
@@ -133,7 +134,8 @@ def run(self, ciphertext_writer, plaintext_uri):
         :return: Decrypt test scenario that describes the generated scenario
         :rtype: MessageDecryptionTestScenario
         """
-        ciphertext, _header = aws_encryption_sdk.encrypt(
+        client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+        ciphertext, _header = client.encrypt(
             source=self.plaintext,
             algorithm=self.algorithm,
             frame_length=self.frame_size,

test_vector_handlers/src/awses_test_vectors/manifests/keys.py

@@ -25,13 +25,14 @@
 from awses_test_vectors.internal.util import dictionary_validator, membership_validator, validate_manifest_type
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
-    from typing import cast, Dict, Iterable, Optional  # noqa pylint: disable=unused-import
+    from typing import Dict, Iterable, Optional, cast  # noqa pylint: disable=unused-import
+
     from awses_test_vectors.internal.mypy_types import (  # noqa pylint: disable=unused-import
         AWS_KMS_KEY_SPEC,
-        MANUAL_KEY_SPEC,
         KEY_SPEC,
         KEYS_MANIFEST,
         MANIFEST_VERSION,
+        MANUAL_KEY_SPEC,
     )
 except ImportError:  # pragma: no cover
     # We only actually need these imports when running the mypy checks

test_vector_handlers/src/awses_test_vectors/manifests/master_key.py

@@ -34,6 +34,7 @@
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
     from typing import Iterable  # noqa pylint: disable=unused-import
+
     from awses_test_vectors.internal.mypy_types import MASTER_KEY_SPEC  # noqa pylint: disable=unused-import
 except ImportError:  # pragma: no cover
     # We only actually need these imports when running the mypy checks

test_vector_handlers/tox.ini

@@ -1,6 +1,6 @@
 [tox]
 envlist =
-    py{27,34,35,36,37}-awses_{1.3.3,1.3.max,latest},
+    py{27,34,35,36,37}-awses_{1.7.1,2.0.0,latest},
     # 1.2.0 and 1.2.max are being difficult because of attrs
     bandit, doc8, readme, docs,
     {flake8,pylint}{,-tests},
@@ -48,6 +48,8 @@ deps =
     -rtest/requirements.txt
     awses_1.3.3: -rcompatibility-requirements/1.3.3
     awses_1.3.max: -rcompatibility-requirements/1.3.max
+    awses_1.7.1: -rcompatibility-requirements/1.7.1
+    awses_2.0.0: -rcompatibility-requirements/2.0.0
     awses_latest: -rcompatibility-requirements/latest
 commands = {[testenv:base-command]commands}