feat: Add MPL and hierarchy keyring example (#634)

Author: lucasmcdonald3

.coveragerc

@@ -0,0 +1,7 @@
+# .coveragerc file when running coverage WITHOUT coverage for the MPL
+# This prevents the ESDK without the MPL from considering the MPL-specific modules as "missed" coverage
+[run]
+omit = */aws_encryption_sdk/materials_managers/mpl/*
+
+[report]
+omit = */aws_encryption_sdk/materials_managers/mpl/*

.coveragercmpl

@@ -0,0 +1 @@
+# .coveragerc file when running coverage WITH coverage for the MPL

.github/workflows/ci_tests.yaml

@@ -25,7 +25,11 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
-          - windows-latest
+          # Windows fails due to "No module named 'Wrappers'"
+          # This SHOULD be fixed once Dafny generates fully-qualified import statements
+          # (i.e. doo files, per-package module names)
+          # Disable for now
+          # - windows-latest
           - macos-latest
         python:
           - 3.7
@@ -41,17 +45,40 @@ jobs:
         category:
           - local
           - accept
+          - mpllocal
 # These require credentials.
 # Enable them once we sort how to provide them.
 #          - integ
 #          - examples
+        # Append '-mpl' to some test environments.
+        # This suffix signals to tox to install the MPL in the test environment. 
+        optional_mpl_dependency:
+          - ""
+          - -mpl
         exclude:
           # x86 builds are only meaningful for Windows
           - os: ubuntu-latest
             architecture: x86
           - os: macos-latest
             architecture: x86
+          # MPL is not supported on <3.11
+          - python: 3.7
+            optional_mpl_dependency: -mpl
+          - python: 3.8
+            optional_mpl_dependency: -mpl
+          - python: 3.9
+            optional_mpl_dependency: -mpl
+          - python: 3.10
+            optional_mpl_dependency: -mpl
+          # mpllocal requires the MPL to be installed
+          - category: mpllocal
+            optional_mpl_dependency: ""
     steps:
+      # Support long Dafny filenames (used in MPL and DBESDK repos)
+      - name: Support longpaths
+        run: |
+          git config --global core.longpaths true
+
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
         with:
@@ -62,7 +89,7 @@ jobs:
           pip install --upgrade -r dev_requirements/ci-requirements.txt
       - name: run test
         env:
-          TOXENV: ${{ matrix.category }}
+          TOXENV: ${{ matrix.category }}${{ matrix.optional_mpl_dependency }}
         run: tox -- -vv
   upstream-py311:
     runs-on: ubuntu-latest
@@ -82,5 +109,5 @@ jobs:
             pip install --upgrade -r dev_requirements/ci-requirements.txt
         - name: run test
           env:
-            TOXENV: ${{ matrix.category }}
+            TOXENV: ${{ matrix.category }}${{ matrix.optional_mpl_dependency }}
           run: tox -- -vv

.gitignore

@@ -19,8 +19,9 @@ docs/build
 __pycache__
 *.egg-info
 
-# Coverage.py
-.coverage*
+# Coverage.py, NOT .coveragerc nor .coveragercmpl
+.coverage
+.coverage.py
 
 # MyPy
 .mypy_cache

buildspec.yml

@@ -58,30 +58,58 @@ batch:
       buildspec: codebuild/py311/integ.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py311_integ_mpl
+      buildspec: codebuild/py311/integ_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
     - identifier: py311_examples
       buildspec: codebuild/py311/examples.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py311_examples_mpl
+      buildspec: codebuild/py311/examples_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
     - identifier: py311_awses_latest
       buildspec: codebuild/py311/awses_local.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py311_awses_latest_mpl
+      buildspec: codebuild/py311/awses_local_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
 
     - identifier: py312_integ
       buildspec: codebuild/py312/integ.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py312_integ_mpl
+      buildspec: codebuild/py312/integ_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
     - identifier: py312_examples
       buildspec: codebuild/py312/examples.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py312_examples_mpl
+      buildspec: codebuild/py312/examples_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
     - identifier: py312_awses_latest
       buildspec: codebuild/py312/awses_local.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py312_awses_latest_mpl
+      buildspec: codebuild/py312/awses_local_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
 
     - identifier: code_coverage
       buildspec: codebuild/coverage/coverage.yml
+    - identifier: code_coverage_mpl
+      buildspec: codebuild/coverage/coverage_mpl.yml
+      env:
+        image: aws/codebuild/standard:7.0
 
     - identifier: compliance
       buildspec: codebuild/compliance/compliance.yml

codebuild/coverage/coverage_mpl.yml

@@ -0,0 +1,14 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "mplcoverage-mpl"
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - tox

codebuild/py311/awses_local_mpl.yml

@@ -0,0 +1,26 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py311-awses_local-mpl"
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+    AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - cd test_vector_handlers
+      - tox

codebuild/py311/examples_mpl.yml

@@ -0,0 +1,34 @@
+version: 0.2
+
+env:
+  variables:
+    # No TOXENV. This runs multiple environments.
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      # Run non-MPL-specific tests with the MPL installed
+      - tox -e py311-examples-mpl
+      # Assume special role to access keystore
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-Py311ExamplesMpl")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      # Run MPL-specific tests with special role
+      - tox -e py311-mplexamples-mpl
+

codebuild/py311/integ_mpl.yml

@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py311-integ-mpl"
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - tox

codebuild/py312/awses_local_mpl.yml

@@ -0,0 +1,33 @@
+# Runs the same tests as awses_local in an environment with the MPL installed.
+# This asserts existing tests continue to pass with the MPL installed.
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py312-awses_local-mpl"
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+    AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+  install:
+    runtime-versions:
+      python: latest
+  build:
+    commands:
+      - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd -
+      - pyenv install --skip-existing 3.12.0
+      - pyenv local 3.12.0
+      - pip install --upgrade pip
+      - pip install setuptools
+      - pip install "tox < 4.0"
+      - cd test_vector_handlers
+      - tox

codebuild/py312/examples_mpl.yml

@@ -0,0 +1,41 @@
+# Runs the same tests as examples in an environment with the MPL installed
+# to assert existing tests continue to pass with the MPL installed.
+# Then, run MPL-specific tests.
+version: 0.2
+
+env:
+  variables:
+    # No TOXENV. This runs multiple environments.
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: latest
+  build:
+    commands:
+      - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd -
+      - pyenv install --skip-existing 3.12.0
+      - pyenv local 3.12.0
+      - pip install --upgrade pip
+      - pip install setuptools
+      - pip install "tox < 4.0"
+      # Run non-MPL-specific tests with the MPL installed
+      - tox -e py312-examples-mpl
+      # Assume special role to access keystore
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-Py311ExamplesMpl")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      # Run MPL-specific tests with special role
+      - tox -e py312-mplexamples-mpl

codebuild/py312/integ_mpl.yml

@@ -0,0 +1,30 @@
+# Runs the same tests as integ in an environment with the MPL installed.
+# This asserts existing tests continue to pass with the MPL installed.
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py312-integ-mpl"
+    REGION: "us-west-2"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: latest
+  build:
+    commands:
+      - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd -
+      - pyenv install --skip-existing 3.12.0
+      - pyenv local 3.12.0
+      - pip install --upgrade pip
+      - pip install setuptools
+      - pip install "tox < 4.0"
+      - tox

examples/src/keyrings/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub module indicator to make linter configuration simpler."""