TypeError: unhashable type: 'EncryptedDataKey' - possible incompatibility with attrs-17.1.0

[rjw]

Hi

I'm getting the above error when trying to encrypt using aws_encryption_sdk.encrypt() as per the README.md instructions here at this location:

/aws_encryption_sdk/internal/utils.py", line 173, in prepare_data_keys
    encrypted_data_keys.add(encrypted_key)
TypeError: unhashable type: 'EncryptedDataKey'

I'm using Python 2.7.4 with aws-encryption-sdk-1.2.0 and attrs-17.1.0 (which I think is the cause of the problem). Installation of the SDK looked fine, and the dependencies installed fine too.

The __hash__ method on encrypted_key is None, so it's unable to add it to the set being returned by prepare_data_keys().

When I edit aws_encryption_sdk/structures.py and add frozen=True to the @attr.s() decoration on class MasterKeyInfo(object) and class EncryptedDataKey(object), the objects become hashable courtesy of attrs, and it seems to work OK.

The changes to attrs could be the problem here, looking at commits since 16.3.0, there are a few relating to frozen classes and hashing behaviour.

Reverting to attrs-16.3.0 works fine, which would seem to confirm this.

I'm using a fresh CMK loaded into a KMSMasterKeyProvider as per the instructions:

kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    'arn:aws:kms:ap-southeast-2:123456789012:key/749cd1b6-dc9b-4a1d-9a90-86ef2b11012a'
])

The EncryptedDataKey encrypted_key that's obtained and returned looks OK and is:

EncryptedDataKey(key_provider=MasterKeyInfo(provider_id=u'aws-kms', key_info='arn:aws:kms:ap-southeast-2:123456789012:key/749cd1b6-dc9b-4a1d-9a90-86ef2b11012a'), encrypted_data_key="\x01\x02\x02\x00x\x1b\x825\xa7\x9aZ^k:0\xa5\xd2rD\xb8\xc3U\xea+\x1d\xe5\x90\xe8\x1b\x90\xe7'X\x00\xa7s+\x01\xbb\x87\xa2w\x04\xe7y\xe6u\xd4I\xa5\x813j+\x00\x00\x00~0|\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0o0m\x02\x01\x000h\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1e\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0c\xc7\xc3\xe0\x1f\r\xd8\xe0c\x13r?\xd1\x02\x01\x10\x80;J5c\x943\xf9\x965\xd6p%\x1a\xb1S\x9e\x13\x8f\xceV\\\xe6v\xacD9o\x89\xd7\x147\xca\xa8\x84\xc0i\x169?\xef\xe1\xcan~\xe0\xd20_^\xd1M\xc4\x166\x9am\xbe\xa47\xcb")

Please let me know if you need any further information?

Thanks
Richard

[mattsb42-aws]

I was actually just reading through the changelog for attrs 17.1.0 the other day, and yes, I believe your conclusion is correct. Attrs called this out as a breaking change in 17.1.0. For the moment, stick with 16.3.0. I'll take a look and run through our tests to see what we need to update to work with 17.1.0.

[rjw]

Great, thanks very much, that makes sense.

The SDK is working perfectly with 16.3.0 and I'm very happy with the functionality, it's turning out to be really useful!

Cheers
Richard

[mattsb42-aws]

Great to hear!
Testing is going well, so we'll build 17.1.0-compatible functionality into the next release.

[mattsb42-aws]

The immediate effect of this is addressed in:

Fix onto 16.3.0 in setup.py: ec0c80a
Fix onto 16.3.0 in requirements and bump patch version: f4cbe48
Updated pypi patch version: https://pypi.python.org/pypi/aws-encryption-sdk/1.2.2

The next release will bump up to ==17.1.0 with all necessary corresponding changes.