feat: enable caching CMM to accept either MKP or keyring

Author: mattsb42-aws

src/aws_encryption_sdk/materials_managers/caching.py

@@ -16,17 +16,20 @@
 
 import attr
 import six
+from attr.validators import instance_of, optional
 
-from ..caches import (
+from aws_encryption_sdk.caches import (
     CryptoMaterialsCacheEntryHints,
     build_decryption_materials_cache_key,
     build_encryption_materials_cache_key,
 )
-from ..caches.base import CryptoMaterialsCache
-from ..exceptions import CacheKeyError
-from ..internal.defaults import MAX_BYTES_PER_KEY, MAX_MESSAGES_PER_KEY
-from ..internal.str_ops import to_bytes
-from ..key_providers.base import MasterKeyProvider
+from aws_encryption_sdk.caches.base import CryptoMaterialsCache
+from aws_encryption_sdk.exceptions import CacheKeyError
+from aws_encryption_sdk.internal.defaults import MAX_BYTES_PER_KEY, MAX_MESSAGES_PER_KEY
+from aws_encryption_sdk.internal.str_ops import to_bytes
+from aws_encryption_sdk.key_providers.base import MasterKeyProvider
+from aws_encryption_sdk.keyrings.base import Keyring
+
 from . import EncryptionMaterialsRequest
 from .base import CryptoMaterialsManager
 from .default import DefaultCryptoMaterialsManager
@@ -59,17 +62,17 @@ class CachingCryptoMaterialsManager(CryptoMaterialsManager):
         value.  If no partition name is provided, a random UUID will be used.
 
     .. note::
-        Either `backing_materials_manager` or `master_key_provider` must be provided.
-        `backing_materials_manager` will always be used if present.
-
-    :param cache: Crypto cache to use with material manager
-    :type cache: aws_encryption_sdk.caches.base.CryptoMaterialsCache
-    :param backing_materials_manager: Crypto material manager to back this caching material manager
-        (either `backing_materials_manager` or `master_key_provider` required)
-    :type backing_materials_manager: aws_encryption_sdk.materials_managers.base.CryptoMaterialsManager
-    :param master_key_provider: Master key provider to use (either `backing_materials_manager` or
-        `master_key_provider` required)
-    :type master_key_provider: aws_encryption_sdk.key_providers.base.MasterKeyProvider
+        Either ``backing_materials_manager``, ``keyring``, or ``master_key_provider`` must be provided.
+        ``backing_materials_manager`` will always be used if present.
+
+    :param CryptoMaterialsCache cache: Crypto cache to use with material manager
+    :param CryptoMaterialsManager backing_materials_manager:
+       Crypto material manager to back this caching material manager
+       (either ``backing_materials_manager``, ``keyring``, or ``master_key_provider`` required)
+    :param MasterKeyProvider master_key_provider: Master key provider to use
+       (either ``backing_materials_manager``, ``keyring``, or ``master_key_provider`` required)
+    :param Keyring keyring: Keyring to use
+       (either ``backing_materials_manager``, ``keyring``, or ``master_key_provider`` required)
     :param float max_age: Maximum time in seconds that a cache entry may be kept in the cache
     :param int max_messages_encrypted: Maximum number of messages that may be encrypted under
         a cache entry (optional)
@@ -78,21 +81,14 @@ class CachingCryptoMaterialsManager(CryptoMaterialsManager):
     :param bytes partition_name: Partition name to use for this instance (optional)
     """
 
-    cache = attr.ib(validator=attr.validators.instance_of(CryptoMaterialsCache))
-    max_age = attr.ib(validator=attr.validators.instance_of(float))
-    max_messages_encrypted = attr.ib(
-        default=MAX_MESSAGES_PER_KEY, validator=attr.validators.instance_of(six.integer_types)
-    )
-    max_bytes_encrypted = attr.ib(default=MAX_BYTES_PER_KEY, validator=attr.validators.instance_of(six.integer_types))
-    partition_name = attr.ib(
-        default=None, converter=to_bytes, validator=attr.validators.optional(attr.validators.instance_of(bytes))
-    )
-    master_key_provider = attr.ib(
-        default=None, validator=attr.validators.optional(attr.validators.instance_of(MasterKeyProvider))
-    )
-    backing_materials_manager = attr.ib(
-        default=None, validator=attr.validators.optional(attr.validators.instance_of(CryptoMaterialsManager))
-    )
+    cache = attr.ib(validator=instance_of(CryptoMaterialsCache))
+    max_age = attr.ib(validator=instance_of(float))
+    max_messages_encrypted = attr.ib(default=MAX_MESSAGES_PER_KEY, validator=instance_of(six.integer_types))
+    max_bytes_encrypted = attr.ib(default=MAX_BYTES_PER_KEY, validator=instance_of(six.integer_types))
+    partition_name = attr.ib(default=None, converter=to_bytes, validator=optional(instance_of(bytes)))
+    master_key_provider = attr.ib(default=None, validator=optional(instance_of(MasterKeyProvider)))
+    backing_materials_manager = attr.ib(default=None, validator=optional(instance_of(CryptoMaterialsManager)))
+    keyring = attr.ib(default=None, validator=optional(instance_of(Keyring)))
 
     def __attrs_post_init__(self):
         """Applies post-processing which cannot be handled by attrs."""
@@ -111,10 +107,21 @@ def __attrs_post_init__(self):
         if self.max_age <= 0.0:
             raise ValueError("max_age cannot be less than or equal to 0")
 
+        options_provided = [
+            option is not None for option in (self.backing_materials_manager, self.keyring, self.master_key_provider)
+        ]
+        provided_count = len([is_set for is_set in options_provided if is_set])
+
+        if provided_count != 1:
+            raise TypeError("Exactly one of 'materials_manager', 'keyring', or 'key_provider' must be provided")
+
         if self.backing_materials_manager is None:
-            if self.master_key_provider is None:
-                raise TypeError("Either backing_materials_manager or master_key_provider must be defined")
-            self.backing_materials_manager = DefaultCryptoMaterialsManager(self.master_key_provider)
+            if self.master_key_provider is not None:
+                self.backing_materials_manager = DefaultCryptoMaterialsManager(
+                    master_key_provider=self.master_key_provider
+                )
+            else:
+                self.backing_materials_manager = DefaultCryptoMaterialsManager(keyring=self.keyring)
 
         if self.partition_name is None:
             self.partition_name = to_bytes(str(uuid.uuid4()))

src/aws_encryption_sdk/materials_managers/default.py

@@ -40,9 +40,9 @@ class DefaultCryptoMaterialsManager(CryptoMaterialsManager):
        The *keyring* parameter.
 
     :param MasterKeyProvider master_key_provider: Master key provider to use
-       (either `keyring` or `master_key_provider` is required)
+       (either ``keyring`` or ``master_key_provider`` is required)
     :param Keyring keyring: Keyring to use
-       (either `keyring` or `master_key_provider` is required)
+       (either ``keyring`` or ``master_key_provider`` is required)
     """
 
     algorithm = ALGORITHM

test/unit/materials_managers/test_caching.py

@@ -13,16 +13,18 @@
 """Unit test suite for CachingCryptoMaterialsManager"""
 import pytest
 from mock import MagicMock, sentinel
-from pytest_mock import mocker  # noqa pylint: disable=unused-import
 
 import aws_encryption_sdk.materials_managers.caching
 from aws_encryption_sdk.caches.base import CryptoMaterialsCache
+from aws_encryption_sdk.caches.local import LocalCryptoMaterialsCache
 from aws_encryption_sdk.exceptions import CacheKeyError
 from aws_encryption_sdk.internal.defaults import MAX_BYTES_PER_KEY, MAX_MESSAGES_PER_KEY
 from aws_encryption_sdk.internal.str_ops import to_bytes
-from aws_encryption_sdk.key_providers.base import MasterKeyProvider
 from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager
 from aws_encryption_sdk.materials_managers.caching import CachingCryptoMaterialsManager
+from aws_encryption_sdk.materials_managers.default import DefaultCryptoMaterialsManager
+
+from ..unit_test_utils import ephemeral_raw_aes_keyring, ephemeral_raw_aes_master_key
 
 pytestmark = [pytest.mark.unit, pytest.mark.local]
 
@@ -54,7 +56,7 @@ def fake_encryption_request():
         dict(max_messages_encrypted=None),
         dict(max_bytes_encrypted=None),
         dict(partition_name=55),
-        dict(master_key_provider=None, backing_materials_manager=None),
+        dict(master_key_provider=None, backing_materials_manager=None, keyring=None),
     ),
 )
 def test_attrs_fail(invalid_kwargs):
@@ -88,20 +90,26 @@ def test_custom_partition_name(patch_uuid4):
     assert test.partition_name == custom_partition_name
 
 
-def test_mkp_to_default_cmm(mocker):
-    mocker.patch.object(aws_encryption_sdk.materials_managers.caching, "DefaultCryptoMaterialsManager")
-    mock_mkp = MagicMock(__class__=MasterKeyProvider)
+def test_mkp_to_default_cmm():
+    mkp = ephemeral_raw_aes_master_key()
+
     test = CachingCryptoMaterialsManager(
-        cache=MagicMock(__class__=CryptoMaterialsCache), max_age=10.0, master_key_provider=mock_mkp
+        cache=LocalCryptoMaterialsCache(capacity=10), max_age=10.0, master_key_provider=mkp
     )
 
-    aws_encryption_sdk.materials_managers.caching.DefaultCryptoMaterialsManager.assert_called_once_with(
-        mock_mkp
-    )  # noqa pylint: disable=line-too-long
-    assert (
-        test.backing_materials_manager
-        is aws_encryption_sdk.materials_managers.caching.DefaultCryptoMaterialsManager.return_value
-    )  # noqa pylint: disable=line-too-long
+    assert isinstance(test.backing_materials_manager, DefaultCryptoMaterialsManager)
+    assert test.backing_materials_manager.master_key_provider is mkp
+    assert test.backing_materials_manager.keyring is None
+
+
+def test_keyring_to_default_cmm():
+    keyring = ephemeral_raw_aes_keyring()
+
+    test = CachingCryptoMaterialsManager(cache=LocalCryptoMaterialsCache(capacity=10), max_age=10.0, keyring=keyring)
+
+    assert isinstance(test.backing_materials_manager, DefaultCryptoMaterialsManager)
+    assert test.backing_materials_manager.keyring is keyring
+    assert test.backing_materials_manager.master_key_provider is None
 
 
 @pytest.mark.parametrize(