cleanup

Author: lucasmcdonald3

codebuild/coverage/coverage_mpl.yml

@@ -7,7 +7,7 @@ env:
 phases:
   install:
     runtime-versions:
-      python: latest
+      python: 3.11
   build:
     commands:
       - pip install "tox < 4.0"

examples/src/keyrings/hierarchical_keyring.py

@@ -15,8 +15,6 @@
     CacheTypeDefault,
     CreateAwsKmsHierarchicalKeyringInput,
     DefaultCache,
-    GetBranchKeyIdInput,
-    GetBranchKeyIdOutput,
 )
 from aws_cryptographic_materialproviders.mpl.references import IBranchKeyIdSupplier, IKeyring
 from typing import Dict
@@ -25,6 +23,8 @@
 from aws_encryption_sdk import CommitmentPolicy
 from aws_encryption_sdk.exceptions import AWSEncryptionSDKClientError
 
+from .example_branch_key_id_supplier import ExampleBranchKeyIdSupplier
+
 module_root_dir = '/'.join(__file__.split("/")[:-1])
 
 sys.path.append(module_root_dir)
@@ -73,39 +73,6 @@ def encrypt_and_decrypt_with_keyring(
     branch_key_id_A: str = keystore.create_key(input=CreateKeyInput()).branch_key_identifier
     branch_key_id_B: str = keystore.create_key(input=CreateKeyInput()).branch_key_identifier
 
-    class ExampleBranchKeyIdSupplier(IBranchKeyIdSupplier):
-        """Example implementation of a branch key ID supplier."""
-
-        branch_key_id_for_tenant_A: str
-        branch_key_id_for_tenant_B: str
-
-        def __init__(self, tenant_1_id, tenant_2_id):
-            self.branch_key_id_for_tenant_A = tenant_1_id
-            self.branch_key_id_for_tenant_B = tenant_2_id
-
-        def get_branch_key_id(
-            self,
-            # Change this to `native_input`
-            input: GetBranchKeyIdInput  # noqa pylint: disable=redefined-builtin
-        ) -> GetBranchKeyIdOutput:
-            """Returns branch key ID from the tenant ID in input's encryption context."""
-            encryption_context: Dict[str, str] = input.encryption_context
-
-            if b"tenant" not in encryption_context:
-                raise ValueError("EncryptionContext invalid, does not contain expected tenant key value pair.")
-
-            tenant_key_id: str = encryption_context.get(b"tenant")
-            branch_key_id: str
-
-            if tenant_key_id == b"TenantA":
-                branch_key_id = self.branch_key_id_for_tenant_A
-            elif tenant_key_id == b"TenantB":
-                branch_key_id = self.branch_key_id_for_tenant_B
-            else:
-                raise ValueError(f"Item does not contain valid tenant ID: {tenant_key_id=}")
-
-            return GetBranchKeyIdOutput(branch_key_id=branch_key_id)
-
     # 5. Create a branch key supplier that maps the branch key id to a more readable format
     branch_key_id_supplier: IBranchKeyIdSupplier = ExampleBranchKeyIdSupplier(
         tenant_1_id=branch_key_id_A,
@@ -132,8 +99,10 @@ def get_branch_key_id(
         input=keyring_input
     )
 
-    # The Branch Key Id supplier uses the encryption context to determine which branch key id will
-    # be used to encrypt data.
+    # 7. Create encryption context for both tenants.
+    #    The Branch Key Id supplier uses the encryption context to determine which branch key id will
+    #    be used to encrypt data.
+
     # Create encryption context for TenantA
     encryption_context_A: Dict[str, str] = {
         "tenant": "TenantA",
@@ -154,7 +123,7 @@ def get_branch_key_id(
         "the data you are handling": "is what you think it is",
     }
 
-    # Encrypt the data for encryptionContextA & encryptionContextB
+    # 8. Encrypt the data for encryptionContextA & encryptionContextB
     ciphertext_A, _ = client.encrypt(
         source=EXAMPLE_DATA,
         keyring=hierarchical_keyring,
@@ -166,8 +135,8 @@ def get_branch_key_id(
         encryption_context=encryption_context_B
     )
 
-    # To attest that TenantKeyB cannot decrypt a message written by TenantKeyA
-    # let's construct more restrictive hierarchical keyrings.
+    # 9. To attest that TenantKeyB cannot decrypt a message written by TenantKeyA,
+    #    let's construct more restrictive hierarchical keyrings.
     keyring_input_A: CreateAwsKmsHierarchicalKeyringInput = CreateAwsKmsHierarchicalKeyringInput(
         key_store=keystore,
         branch_key_id=branch_key_id_A,
@@ -198,6 +167,11 @@ def get_branch_key_id(
         input=keyring_input_B
     )
 
+    # 10. Demonstrate that data encrypted by one tenant's key
+    #     cannot be decrypted with by a keyring specific to another tenant.
+    
+    # Keyring with tenant B's branch key cannot decrypt data encrypted with tenant A's branch key
+    # This will fail and raise a AWSEncryptionSDKClientError, which we swallow ONLY for demonstration purposes.
     try:
         client.decrypt(
             source=ciphertext_A,
@@ -206,7 +180,8 @@ def get_branch_key_id(
     except AWSEncryptionSDKClientError:
         pass
 
-    # This should fail
+    # Keyring with tenant A's branch key cannot decrypt data encrypted with tenant B's branch key.
+    # This will fail and raise a AWSEncryptionSDKClientError, which we swallow ONLY for demonstration purposes.
     try:
         client.decrypt(
             source=ciphertext_B,
@@ -215,7 +190,8 @@ def get_branch_key_id(
     except AWSEncryptionSDKClientError:
         pass
 
-    # These should succeed
+    # 10. Demonstrate that data encrypted by one tenant's branch key can be decrypted by that tenant,
+    #     and that the decrypted data matches the input data.
     plaintext_bytes_A, _ = client.decrypt(
         source=ciphertext_A,
         keyring=hierarchical_keyring_A

examples/src/keyrings/module_.py

@@ -1 +1 @@
-"""Should remove this."""
+"""Should remove this once PYTHONPATH issues are resolved by adding doo files."""

examples/src/module_.py

@@ -1 +1 @@
-"""Should remove this."""
+"""Should remove this once PYTHONPATH issues are resolved by adding doo files."""

test/unit/test_crypto_authentication_signer.py

@@ -81,8 +81,10 @@ def test_signer_from_key_bytes(patch_default_backend, patch_serialization, patch
     mock_algorithm_info = MagicMock(return_value=sentinel.algorithm_info, spec=patch_ec.EllipticCurve)
     _algorithm = MagicMock(signing_algorithm_info=mock_algorithm_info)
 
-    # signer = Signer.from_key_bytes(algorithm=_algorithm, key_bytes=sentinel.key_bytes)
-
+    # Explicitly pass in patched serialization module.
+    # Patching the module introduces namespace issues
+    # which causes the method's `isinstance` checks to fail
+    # by changing the namespace from `serialization.Encoding.DER` to `Encoding.DER`.
     signer = Signer.from_key_bytes(
         algorithm=_algorithm,
         key_bytes=sentinel.key_bytes,

test_vector_handlers/tox.ini

@@ -2,7 +2,7 @@
 envlist =
     # The test vectors depend on new features now,
     # so until release we can only effectively test the local version of the ESDK.
-    py{37,38,39,310}-awses_local{,-mpl},
+    py{37,38,39,310}-awses_local
     # 1.2.0 and 1.2.max are being difficult because of attrs
     bandit, doc8, readme,
     {flake8,pylint}{,-tests},
@@ -48,8 +48,6 @@ passenv =
 sitepackages = False
 deps =
     -rtest/requirements.txt
-    # install the MPL if in environment
-    mpl: -r../requirements_mpl.txt
     ..
 commands = 
     {[testenv:base-command]commands}

tox.ini

@@ -59,7 +59,6 @@ envlist =
 commands = pytest --basetemp={envtmpdir} -l {posargs}
 
 [testenv]
-; passenv = AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID,AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2,AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1,AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN,AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,AWS_PROFILE,PIP_CONFIG_FILE
 passenv =
     # Identifies AWS KMS key id to use in integration tests
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID \
@@ -80,7 +79,7 @@ passenv =
 sitepackages = False
 deps =
     -rdev_requirements/test-requirements.txt
-    # install the MPL if in environment
+    # install the MPL requirements if the `-mpl` suffix is present
     mpl: -rrequirements_mpl.txt
 commands =
     local: {[testenv:base-command]commands} test/ -m local --ignore test/unit/mpl/