From 3b62bc3628d3e39c6704f49be95bb89ce7921395 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Tue, 23 Jul 2019 09:48:43 -0700 Subject: [PATCH 01/20] Testing something, want AppVeyor to run --- tox.ini | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 06564ef6a..77b46ca70 100644 --- a/tox.ini +++ b/tox.ini @@ -56,6 +56,10 @@ commands = all: {[testenv:base-command]commands} test/ examples/test/ manual: {[testenv:base-command]commands} +[testenv:py34] +basepython = python34 +deps = c:\python35\Lib\runpy.py + # Verify that local tests work without environment variables present [testenv:nocmk] basepython = python3 @@ -252,7 +256,7 @@ commands = python setup.py check -r -s [testenv:bandit] basepython = python3 -deps = +deps = bandit>=1.5.1 commands = bandit -r src/aws_encryption_sdk/ From 626d5ba224c0cbd3f973f4d6bf4f01e3a543d6d9 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Tue, 23 Jul 2019 09:52:40 -0700 Subject: [PATCH 02/20] Quick change --- tox.ini | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tox.ini b/tox.ini index 77b46ca70..cf91274ff 100644 --- a/tox.ini +++ b/tox.ini @@ -57,8 +57,9 @@ commands = manual: {[testenv:base-command]commands} [testenv:py34] -basepython = python34 -deps = c:\python35\Lib\runpy.py +deps = + -rtest/requirements.txt + c:\python35\Lib\runpy.py # Verify that local tests work without environment variables present [testenv:nocmk] From 83f4ff8f9f211bbfd086fea5adf2fa68957d1332 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Tue, 23 Jul 2019 10:39:04 -0700 Subject: [PATCH 03/20] Running AppVeyor --- setup.py | 3 +++ tox.ini | 7 +------ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/setup.py b/setup.py index 1afa9d869..8bfa1613e 100644 --- a/setup.py +++ b/setup.py @@ -1,6 +1,7 @@ """AWS Encryption SDK for Python.""" import os import re +import ast from setuptools import find_packages, setup 
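Review bot: In the new `[testenv:py34]` section, `deps = c:\python35\Lib\runpy.py` hands the installer an absolute path that exists only on one build agent, and the path points into a Python 3.5 standard library although the environment is named for 3.4. A tox environment should install only requirements declared in the repository, such as the `-rtest/requirements.txt` line that PATCH 02/20 adds beside it, so that what CI executes is reproducible and reviewable. Anything read from a machine-local path is outside that control. If the only goal is to trigger an AppVeyor run, a branch-only CI change keeps this out of `tox.ini`. The entry is carried into PATCH 02/20 and dropped again in PATCH 03/20.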
@@ -57,3 +58,5 @@ def get_requirements(): "Topic :: Security :: Cryptography", ], ) +if not hasattr(ast, "MatMult"): + print("HERE") diff --git a/tox.ini b/tox.ini index cf91274ff..389aff177 100644 --- a/tox.ini +++ b/tox.ini @@ -55,12 +55,7 @@ commands = examples: {[testenv:base-command]commands} examples/test/ -m examples all: {[testenv:base-command]commands} test/ examples/test/ manual: {[testenv:base-command]commands} - -[testenv:py34] -deps = - -rtest/requirements.txt - c:\python35\Lib\runpy.py - + # Verify that local tests work without environment variables present [testenv:nocmk] basepython = python3 From 534e2251b5f983c73b31edc3bb42e85666f2c652 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Wed, 24 Jul 2019 10:14:09 -0700 Subject: [PATCH 04/20] Added example for using multiple keyrings in multiple regions --- examples/src/multiple_kms_cmk_regions.py | 48 +++++++++++++++++++ .../test/test_i_multiple_kms_cmk_regions.py | 30 ++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 examples/src/multiple_kms_cmk_regions.py create mode 100644 examples/test/test_i_multiple_kms_cmk_regions.py diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py new file mode 100644 index 000000000..ca8f2a2ca --- /dev/null +++ b/examples/src/multiple_kms_cmk_regions.py 
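Review bot: The block `if not hasattr(ast, "MatMult"): print("HERE")` added after the `setup(...)` call sits at module level, so it runs on every build and install of the package, not only in CI. A probe like this belongs in a throwaway script or a CI step. If `setup.py` really needs an interpreter check, compare `sys.version_info` and fail with a clear message rather than printing a marker. The `import ast` added in the first hunk of this file exists only for this probe and is out of alphabetical order after `import re`.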
@@ -0,0 +1,48 @@ +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +"""Example showing basic encryption and decryption of a value already in memory using multiple KMS CMKs in multiple regions.""" +import aws_encryption_sdk + + +def encrypt_decrypt(key_arn1, key_arn2, region_name1, region_name2, source_plaintext, botocore_session=None): + """Encrypts and then decrypts a string under one KMS customer master key (CMK). + + :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK + :param bytes source_plaintext: Data to encrypt + :param botocore_session: existing botocore session instance + :type botocore_session: botocore.session.Session + """ + kwargs = dict(key_ids=[key_arn1, key_arn2], region_names=[region_name1, region_name2]) + + if botocore_session is not None: + kwargs["botocore_session"] = botocore_session + + # Create master key provider using the ARN of the key and the session (botocore_session) + kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) + + # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header + ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt( + source=source_plaintext, key_provider=kms_key_provider + ) + + # Decrypt the encrypted message using the AWS Encryption SDK. 
It returns the decrypted message and the header + plaintext, decrypted_message_header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) + + # Check if the original message and the decrypted message are the same + assert source_plaintext == plaintext + + # Check if the headers of the encrypted message and decrypted message match + assert all( + pair in encrypted_message_header.encryption_context.items() + for pair in decrypted_message_header.encryption_context.items() + ) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py new file mode 100644 index 000000000..ffa82749c --- /dev/null +++ b/examples/test/test_i_multiple_kms_cmk_regions.py @@ -0,0 +1,30 @@ +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +"""Unit test suite for the encryption and decryption using multiple KMS CMKs in multiple regions example.""" + +import botocore.session +import pytest + +from ..src.one_kms_cmk import multiple_kms_cmk_regions +from .examples_test_utils import get_cmk_arn +from .examples_test_utils import static_plaintext + + +pytestmark = [pytest.mark.examples] + + +def test_one_kms_cmk(): + plaintext = static_plaintext + cmk_arn1 = get_cmk_arn() + cmk_arn2 = get_cmk_arn() + encrypt_decrypt(key_arn1=cmk_arn1, key_arn2=cmk_arn2, region_name1="us-west-1", region_name2="us-east-1", source_plaintext=plaintext, botocore_session=botocore.session.Session()) 
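Review bot: The docstring of `encrypt_decrypt` still describes the single-key example: it says the data is handled "under one KMS customer master key (CMK)" and documents a `key_arn` parameter, while the signature takes `key_arn1`, `key_arn2`, `region_name1` and `region_name2`. Readers copy from example docstrings, so each parameter should be named, e.g. `:param str key_arn1: ARN of the first KMS CMK` and `:param str region_name1: region of the first CMK`, and the summary should say the message is encrypted under both keys. The closing `assert all(...)` compares only the encryption context of the two headers, and no `encryption_context` is passed to `encrypt` in this function, so a one-line comment stating what that check is meant to prove would help.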
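Review bot: `test_one_kms_cmk` calls `get_cmk_arn()` twice, so `cmk_arn1` and `cmk_arn2` are presumably the same key, and the literals `region_name1="us-west-1"` and `region_name2="us-east-1"` have no visible relation to where that key lives. As written the test does not exercise two CMKs in two regions, which is what the module docstring promises. The function name is left over from the single-key test; `def test_multiple_kms_cmk_regions():` would match the module. The import `from ..src.one_kms_cmk import multiple_kms_cmk_regions` also does not bind `encrypt_decrypt`, which the body calls (PATCH 06/20 corrects the import).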
From 42e86ab600a1c790f559885a31ee1e9dfe3898a4 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Wed, 24 Jul 2019 10:18:53 -0700 Subject: [PATCH 05/20] Undid something quickly --- setup.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/setup.py b/setup.py index 8bfa1613e..1afa9d869 100644 --- a/setup.py +++ b/setup.py @@ -1,7 +1,6 @@ """AWS Encryption SDK for Python.""" import os import re -import ast from setuptools import find_packages, setup @@ -58,5 +57,3 @@ def get_requirements(): "Topic :: Security :: Cryptography", ], ) -if not hasattr(ast, "MatMult"): - print("HERE") From fabc5e3d4525e4deb089fdeeca203aabfa3bbac7 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Wed, 24 Jul 2019 10:58:37 -0700 Subject: [PATCH 06/20] Fixed importerror --- examples/test/test_i_multiple_kms_cmk_regions.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py index ffa82749c..1f57dcae7 100644 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ b/examples/test/test_i_multiple_kms_cmk_regions.py @@ -15,7 +15,7 @@ import botocore.session import pytest -from ..src.one_kms_cmk import multiple_kms_cmk_regions +from ..src.multiple_kms_cmk_regions import encrypt_decrypt from .examples_test_utils import get_cmk_arn from .examples_test_utils import static_plaintext From 30eab330b7b96751c9887262b2f85f88b8271fd9 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Wed, 24 Jul 2019 11:33:12 -0700 Subject: [PATCH 07/20] Formatting fix --- examples/test/test_i_multiple_kms_cmk_regions.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py index 1f57dcae7..c23beb444 100644 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ b/examples/test/test_i_multiple_kms_cmk_regions.py 
@@ -27,4 +27,5 @@ def test_one_kms_cmk(): plaintext = static_plaintext cmk_arn1 = get_cmk_arn() cmk_arn2 = get_cmk_arn() - encrypt_decrypt(key_arn1=cmk_arn1, key_arn2=cmk_arn2, region_name1="us-west-1", region_name2="us-east-1", source_plaintext=plaintext, botocore_session=botocore.session.Session()) + encrypt_decrypt(key_arn1=cmk_arn1, key_arn2=cmk_arn2, region_name1="us-west-1", + region_name2="us-east-1", source_plaintext=plaintext, botocore_session=botocore.session.Session()) From 453b82da0ad2e2aa5a535101d1c72d9182e8b8b0 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Thu, 25 Jul 2019 09:53:12 -0700 Subject: [PATCH 08/20] Update tox.ini --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 389aff177..47bf379d5 100644 --- a/tox.ini +++ b/tox.ini @@ -55,7 +55,7 @@ commands = examples: {[testenv:base-command]commands} examples/test/ -m examples all: {[testenv:base-command]commands} test/ examples/test/ manual: {[testenv:base-command]commands} - + # Verify that local tests work without environment variables present [testenv:nocmk] basepython = python3 From 22088903515894f2de1d4d0e3dd7077002b306b0 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Thu, 25 Jul 2019 09:53:55 -0700 Subject: [PATCH 09/20] Update tox.ini --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 47bf379d5..06564ef6a 100644 --- a/tox.ini +++ b/tox.ini @@ -252,7 +252,7 @@ commands = python setup.py check -r -s [testenv:bandit] basepython = python3 -deps = +deps = bandit>=1.5.1 commands = bandit -r src/aws_encryption_sdk/ From d7243352d24dc14a37837f9bf3d8ef108184d116 Mon Sep 17 00:00:00 2001 
From: Caitlin Tibbetts Date: Thu, 25 Jul 2019 11:51:51 -0700 Subject: [PATCH 10/20] Made some changes to the multiple_kms_cmk_regions example/test --- examples/src/multiple_kms_cmk_regions.py | 34 ++++++++++++++----- .../test/test_i_multiple_kms_cmk_regions.py | 11 +++--- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index ca8f2a2ca..84ec797fd 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py @@ -14,15 +14,27 @@ import aws_encryption_sdk -def encrypt_decrypt(key_arn1, key_arn2, region_name1, region_name2, source_plaintext, botocore_session=None): - """Encrypts and then decrypts a string under one KMS customer master key (CMK). +def encrypt(kms_key_provider, source_plaintext): + return aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider) - :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK + +def decrypt(kms_key_provider, ciphertext): + return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) + + +def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_session=None): + """Encrypts and then decrypts a string under multiple KMS customer master keys (CMKs) in multiple regions. + + :param str key_arn1: Amazon Resource Name (ARN) of the KMS CMK + :param str key_arn2: Amazon Resource Name (ARN) of another KMS CMK :param bytes source_plaintext: Data to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ - kwargs = dict(key_ids=[key_arn1, key_arn2], region_names=[region_name1, region_name2]) + # Check that these keys are in different regions + assert not key_arn1[12:21] == key_arn2[12:21] + + kwargs = dict(key_ids=[key_arn1, key_arn2]) if botocore_session is not None: kwargs["botocore_session"] = botocore_session 
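Review bot: The region check `assert not key_arn1[12:21] == key_arn2[12:21]` compares a fixed nine-character slice, which is not the ARN's region field. `eu-central-1` is cut to `eu-centra`, two regions sharing a nine-character prefix (for example `ap-southeast-1` and `ap-southeast-2`) compare equal, and a partition other than `aws` shifts the offset. Split on `:` and compare the fourth field instead, e.g. `if key_arn1.split(":")[3] == key_arn2.split(":")[3]: raise ValueError("CMKs must be in different regions")`; raising also keeps the check under `python -O`, which strips `assert`. The same line is re-added unchanged with the file in PATCH 13/20. The body of `multiple_kms_cmk_regions` continues outside this hunk.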
@@ -31,15 +43,19 @@ def encrypt_decrypt(key_arn1, key_arn2, region_name1, region_name2, source_plain kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header - ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt( - source=source_plaintext, key_provider=kms_key_provider - ) + ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) + + # Check if both key ARNs are in the message headers + assert len(encrypted_message_header.encryption_context.items()) == 2 # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header - plaintext, decrypted_message_header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) + # Either of our keys can be used to decrypt the message + plaintext1, decrypted_message_header1 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(key_arn1), ciphertext) + plaintext2, decrypted_message_header2 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(key_arn2), ciphertext) # Check if the original message and the decrypted message are the same - assert source_plaintext == plaintext + assert source_plaintext == plaintext1 + assert source_plaintext == plaintext2 # Check if the headers of the encrypted message and decrypted message match assert all( diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py index c23beb444..93710f283 100644 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ b/examples/test/test_i_multiple_kms_cmk_regions.py @@ -15,7 +15,7 @@ import botocore.session import pytest -from ..src.multiple_kms_cmk_regions import encrypt_decrypt +from ..src.multiple_kms_cmk_regions import multiple_kms_cmk_regions from .examples_test_utils import get_cmk_arn from .examples_test_utils import static_plaintext 
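Review bot: The two decrypt-side providers, `aws_encryption_sdk.KMSMasterKeyProvider(key_arn1)` and the one for `key_arn2`, are built without the caller's `botocore_session`. Encryption therefore uses the supplied session while decryption presumably falls back to whatever default session the provider creates, which can mean different credentials or configuration. Build them like the encrypt provider, e.g. `KMSMasterKeyProvider(key_ids=[key_arn1], **session_kwargs)` with `session_kwargs` holding `botocore_session` only when it is not `None`. The ARN is also passed positionally here although the encrypt provider uses the `key_ids=` keyword. The session is still not forwarded in the later versions of these lines in PATCH 11/20, 13/20 and 14/20; the function starts and ends outside this hunk.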
@@ -23,9 +23,8 @@ pytestmark = [pytest.mark.examples] -def test_one_kms_cmk(): +def test_multiple_kms_cmk_regions(): plaintext = static_plaintext - cmk_arn1 = get_cmk_arn() - cmk_arn2 = get_cmk_arn() - encrypt_decrypt(key_arn1=cmk_arn1, key_arn2=cmk_arn2, region_name1="us-west-1", - region_name2="us-east-1", source_plaintext=plaintext, botocore_session=botocore.session.Session()) + cmk_arn1 = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + cmk_arn2 = "arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + multiple_kms_cmk_regions(cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session()) From 306d1a9717f740116374ce75231bcd1f8073697e Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Thu, 25 Jul 2019 13:45:02 -0700 Subject: [PATCH 11/20] This is my next interation of the code for the example; however, I am still working on populating the tests correctly, so the CI will fail, but I tested the code with my own KMS CMK ARNs, so I know it will work once the tests are populated (working with Tejeswini on this) --- examples/src/multiple_kms_cmk_regions.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index 84ec797fd..6a725379f 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py 
@@ -46,12 +46,12 @@ def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_sess ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) # Check if both key ARNs are in the message headers - assert len(encrypted_message_header.encryption_context.items()) == 2 + assert len(encrypted_message_header.encrypted_data_keys) == 2 # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header # Either of our keys can be used to decrypt the message - plaintext1, decrypted_message_header1 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(key_arn1), ciphertext) - plaintext2, decrypted_message_header2 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(key_arn2), ciphertext) + plaintext1, decrypted_message_header1 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext) + plaintext2, decrypted_message_header2 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext) # Check if the original message and the decrypted message are the same assert source_plaintext == plaintext1 @@ -60,5 +60,9 @@ def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_sess # Check if the headers of the encrypted message and decrypted message match assert all( pair in encrypted_message_header.encryption_context.items() - for pair in decrypted_message_header.encryption_context.items() + for pair in decrypted_message_header1.encryption_context.items() + ) + assert all( + pair in encrypted_message_header.encryption_context.items() + for pair in decrypted_message_header2.encryption_context.items() ) From bde7a56bb614b7ee76f436baf4ae93d8150d14b0 Mon Sep 17 00:00:00 2001 
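Review bot: `KMSMasterKeyProvider(**dict(key_ids=[key_arn1]))` builds a dict only to unpack it again; `KMSMasterKeyProvider(key_ids=[key_arn1])` says the same thing and reads better in an example. In the second hunk the two `assert all(...)` blocks differ only in the header they iterate, so a loop such as `for header in (decrypted_message_header1, decrypted_message_header2):` around a single assertion would remove the duplication. Both hunks sit inside `multiple_kms_cmk_regions`, whose start is outside the hunks.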
From: Caitlin Tibbetts Date: Fri, 26 Jul 2019 09:57:54 -0700 Subject: [PATCH 12/20] Changed the example to test two CMKs in the same region until Issue #178 is cleared up --- examples/src/multiple_kms_cmk_regions.py | 68 ------------------- .../test/test_i_multiple_kms_cmk_regions.py | 30 -------- 2 files changed, 98 deletions(-) delete mode 100644 examples/src/multiple_kms_cmk_regions.py delete mode 100644 examples/test/test_i_multiple_kms_cmk_regions.py diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py deleted file mode 100644 index 6a725379f..000000000 --- a/examples/src/multiple_kms_cmk_regions.py +++ /dev/null 
@@ -1,68 +0,0 @@ -# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"). You -# may not use this file except in compliance with the License. A copy of -# the License is located at -# -# http://aws.amazon.com/apache2.0/ -# -# or in the "license" file accompanying this file. This file is -# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF -# ANY KIND, either express or implied. See the License for the specific -# language governing permissions and limitations under the License. -"""Example showing basic encryption and decryption of a value already in memory using multiple KMS CMKs in multiple regions.""" -import aws_encryption_sdk - - -def encrypt(kms_key_provider, source_plaintext): - return aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider) - - -def decrypt(kms_key_provider, ciphertext): - return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) - - -def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_session=None): - """Encrypts and then decrypts a string under multiple KMS customer master keys (CMKs) in multiple regions. - - :param str key_arn1: Amazon Resource Name (ARN) of the KMS CMK - :param str key_arn2: Amazon Resource Name (ARN) of another KMS CMK - :param bytes source_plaintext: Data to encrypt - :param botocore_session: existing botocore session instance - :type botocore_session: botocore.session.Session - """ - # Check that these keys are in different regions - assert not key_arn1[12:21] == key_arn2[12:21] - - kwargs = dict(key_ids=[key_arn1, key_arn2]) - - if botocore_session is not None: - kwargs["botocore_session"] = botocore_session - - # Create master key provider using the ARN of the key and the session (botocore_session) - kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) - - # Encrypt the plaintext using the AWS Encryption SDK. 
It returns the encrypted message and the header - ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) - - # Check if both key ARNs are in the message headers - assert len(encrypted_message_header.encrypted_data_keys) == 2 - - # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header - # Either of our keys can be used to decrypt the message - plaintext1, decrypted_message_header1 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext) - plaintext2, decrypted_message_header2 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext) - - # Check if the original message and the decrypted message are the same - assert source_plaintext == plaintext1 - assert source_plaintext == plaintext2 - - # Check if the headers of the encrypted message and decrypted message match - assert all( - pair in encrypted_message_header.encryption_context.items() - for pair in decrypted_message_header1.encryption_context.items() - ) - assert all( - pair in encrypted_message_header.encryption_context.items() - for pair in decrypted_message_header2.encryption_context.items() - ) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py deleted file mode 100644 index 93710f283..000000000 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"). You -# may not use this file except in compliance with the License. A copy of -# the License is located at -# -# http://aws.amazon.com/apache2.0/ -# -# or in the "license" file accompanying this file. This file is -# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF -# ANY KIND, either express or implied. See the License for the specific -# language governing permissions and limitations under the License. -"""Unit test suite for the encryption and decryption using multiple KMS CMKs in multiple regions example.""" - -import botocore.session -import pytest - -from ..src.multiple_kms_cmk_regions import multiple_kms_cmk_regions -from .examples_test_utils import get_cmk_arn -from .examples_test_utils import static_plaintext - - -pytestmark = [pytest.mark.examples] - - -def test_multiple_kms_cmk_regions(): - plaintext = static_plaintext - cmk_arn1 = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" - cmk_arn2 = "arn:aws:kms:eu-central-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" - multiple_kms_cmk_regions(cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session()) From b7e9dd1f663a462d2c07f738acf2478e559bd049 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Fri, 26 Jul 2019 10:59:46 -0700 Subject: [PATCH 13/20] Found out how to make a new valid test key, so now there are two valid test keys in different regions for this example --- examples/src/multiple_kms_cmk_regions.py | 67 +++++++++++++++++++ .../test/test_i_multiple_kms_cmk_regions.py | 29 ++++++++ 2 files changed, 96 insertions(+) create mode 100644 examples/src/multiple_kms_cmk_regions.py create mode 100644 examples/test/test_i_multiple_kms_cmk_regions.py 
diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py new file mode 100644 index 000000000..618d43631 --- /dev/null +++ b/examples/src/multiple_kms_cmk_regions.py 
@@ -0,0 +1,67 @@ +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +"""Example showing basic encryption and decryption of a value already in memory using multiple KMS CMKs in multiple regions.""" +import aws_encryption_sdk + + +def encrypt(kms_key_provider, source_plaintext): + return aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider) + + +def decrypt(kms_key_provider, ciphertext): + return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) + +def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_session=None): + """Encrypts and then decrypts a string under multiple KMS customer master keys (CMKs) in multiple regions. + + :param str key_arn1: Amazon Resource Name (ARN) of the KMS CMK + :param str key_arn2: Amazon Resource Name (ARN) of another KMS CMK + :param bytes source_plaintext: Data to encrypt + :param botocore_session: existing botocore session instance + :type botocore_session: botocore.session.Session + """ + # Check that these keys are in different regions + assert not key_arn1[12:21] == key_arn2[12:21] + + kwargs = dict(key_ids=[key_arn1, key_arn2]) + + if botocore_session is not None: + kwargs["botocore_session"] = botocore_session + + # Create master key provider using the ARN of the key and the session (botocore_session) + kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) + + # Encrypt the plaintext using the AWS Encryption SDK. 
It returns the encrypted message and the header + ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) + + # Check if both key ARNs are in the message headers + assert len(encrypted_message_header.encrypted_data_keys) == 2 + + # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header + # Either of our keys can be used to decrypt the message + plaintext1, decrypted_message_header1 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext) + plaintext2, decrypted_message_header2 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext) + + # Check if the original message and the decrypted message are the same + assert source_plaintext == plaintext1 + assert source_plaintext == plaintext2 + + # Check if the headers of the encrypted message and decrypted message match + assert all( + pair in encrypted_message_header.encryption_context.items() + for pair in decrypted_message_header1.encryption_context.items() + ) + assert all( + pair in encrypted_message_header.encryption_context.items() + for pair in decrypted_message_header2.encryption_context.items() + ) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py new file mode 100644 index 000000000..48869c8e5 --- /dev/null +++ b/examples/test/test_i_multiple_kms_cmk_regions.py 
@@ -0,0 +1,29 @@ +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +"""Unit test suite for the encryption and decryption using multiple KMS CMKs in multiple regions example.""" + +import botocore.session +import pytest + +from ..src.multiple_kms_cmk_regions import multiple_kms_cmk_regions +#from .examples_test_utils import get_cmk_arn +from .examples_test_utils import static_plaintext + + +pytestmark = [pytest.mark.examples] + +def test_multiple_kms_cmk_regions(): + plaintext = static_plaintext + cmk_arn1 = "arn:aws:kms:us-west-1:658956600833:alias/EncryptDecrypt" + cmk_arn2 = "arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt" + multiple_kms_cmk_regions(cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session()) From 4d8c7a0502273cabea0197c8d4ffa359bb0af98b Mon Sep 17 00:00:00 2001 From: Tibbetts Date: Fri, 26 Jul 2019 11:29:00 -0700 Subject: [PATCH 14/20] Ran autoformat --- examples/src/multiple_kms_cmk_regions.py | 9 +++++++-- examples/test/test_i_multiple_kms_cmk_regions.py | 8 ++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index 618d43631..e0dae1976 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py 
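Review bot: `cmk_arn1` and `cmk_arn2` hard-code alias ARNs, including a 12-digit AWS account ID, into the test, while the import of `get_cmk_arn` from `examples_test_utils` is commented out. This ties the integration test to one account's keys, publishes the account and alias names in the repository, and makes the test fail for anyone whose credentials cannot use those keys. Take both ARNs from test configuration, as the first version of this test did through `get_cmk_arn`; a second helper or environment variable for the other region's key would be needed, and none is visible here. Delete the commented-out line `#from .examples_test_utils import get_cmk_arn` rather than keeping it. The literals stay through PATCH 14/20 and are only pointed at other regions in PATCH 17/20.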
@@ -21,6 +21,7 @@ def encrypt(kms_key_provider, source_plaintext): def decrypt(kms_key_provider, ciphertext): return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) + def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_session=None): """Encrypts and then decrypts a string under multiple KMS customer master keys (CMKs) in multiple regions. @@ -49,8 +50,12 @@ def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_sess # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header # Either of our keys can be used to decrypt the message - plaintext1, decrypted_message_header1 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext) - plaintext2, decrypted_message_header2 = decrypt(aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext) + plaintext1, decrypted_message_header1 = decrypt( + aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext + ) + plaintext2, decrypted_message_header2 = decrypt( + aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext + ) # Check if the original message and the decrypted message are the same assert source_plaintext == plaintext1 diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py index 48869c8e5..9ecda6244 100644 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ b/examples/test/test_i_multiple_kms_cmk_regions.py 
@@ -16,14 +16,18 @@ import pytest from ..src.multiple_kms_cmk_regions import multiple_kms_cmk_regions -#from .examples_test_utils import get_cmk_arn + +# from .examples_test_utils import get_cmk_arn from .examples_test_utils import static_plaintext pytestmark = [pytest.mark.examples] + def test_multiple_kms_cmk_regions(): plaintext = static_plaintext cmk_arn1 = "arn:aws:kms:us-west-1:658956600833:alias/EncryptDecrypt" cmk_arn2 = "arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt" - multiple_kms_cmk_regions(cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session()) + multiple_kms_cmk_regions( + cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session() + ) From 1fdbb32b5fa9c783ffdedadeac4e4d9ad6433d69 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Fri, 26 Jul 2019 13:05:31 -0700 Subject: [PATCH 15/20] Added some docstrings --- examples/src/multiple_kms_cmk_regions.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index e0dae1976..31b25ed45 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py @@ -15,10 +15,12 @@ def encrypt(kms_key_provider, source_plaintext): + """Encrypts source_plaintext with the key(s) in kms_key_provider""" return aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider) def decrypt(kms_key_provider, ciphertext): + """Decrypts ciphertext with the key(s) in kms_key_provider""" return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) From d3240ebcd383f99092573c4093d6c5c2bbc4be7b Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Fri, 26 Jul 2019 13:22:41 -0700 Subject: [PATCH 16/20] Formatting will be the death of me --- examples/src/multiple_kms_cmk_regions.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index 31b25ed45..047a16521 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py @@ -10,7 +10,10 @@ # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. -"""Example showing basic encryption and decryption of a value already in memory using multiple KMS CMKs in multiple regions.""" +""" +Example showing basic encryption and decryption of a value already in memory +using multiple KMS CMKs in multiple regions. +""" import aws_encryption_sdk From 4eb5fdee31244d25091b04e5bece3e1849f26a0a Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Fri, 26 Jul 2019 14:17:29 -0700 Subject: [PATCH 17/20] Used correct keys in test --- examples/test/test_i_multiple_kms_cmk_regions.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py index 9ecda6244..c2722d9b1 100644 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ b/examples/test/test_i_multiple_kms_cmk_regions.py @@ -26,8 +26,8 @@ def test_multiple_kms_cmk_regions(): plaintext = static_plaintext - cmk_arn1 = "arn:aws:kms:us-west-1:658956600833:alias/EncryptDecrypt" - cmk_arn2 = "arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt" + cmk_arn1 = "arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt" + cmk_arn2 = "arn:aws:kms:eu-central-1:658956600833:alias/EncryptDecrypt" multiple_kms_cmk_regions( cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session() ) From bb6c650e08f850e5b965b18f21495da9674f3f53 Mon Sep 17 00:00:00 2001 
From: Caitlin Tibbetts Date: Mon, 29 Jul 2019 11:30:52 -0700 Subject: [PATCH 18/20] Updated some comments --- examples/src/multiple_kms_cmk_regions.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index 047a16521..7a7a9ba9a 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py @@ -44,13 +44,13 @@ def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_sess if botocore_session is not None: kwargs["botocore_session"] = botocore_session - # Create master key provider using the ARN of the key and the session (botocore_session) + # Create master key provider using the ARNs of the keys and the session (botocore_session) kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) - # Check if both key ARNs are in the message headers + # Check that both key ARNs are in the message headers assert len(encrypted_message_header.encrypted_data_keys) == 2 # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header 
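Review bot: The reworded comment `# Check that both key ARNs are in the message headers` claims more than the assertion under it verifies, since `len(encrypted_message_header.encrypted_data_keys) == 2` only counts the encrypted data keys and never looks at which key each one belongs to. Either reword it to match the check, e.g. `# Check that the header holds one encrypted data key per CMK`, or compare the key provider information of each entry with the expected keys. The function body starts and continues outside this hunk.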
@@ -62,11 +62,11 @@ def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_sess aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext ) - # Check if the original message and the decrypted message are the same + # Check that the original message and the decrypted message are the same assert source_plaintext == plaintext1 assert source_plaintext == plaintext2 - # Check if the headers of the encrypted message and decrypted message match + # Check that the headers of the encrypted message and decrypted message match assert all( pair in encrypted_message_header.encryption_context.items() for pair in decrypted_message_header1.encryption_context.items() From 9e5fcd44f2b360ef70cbf2c4cc71fbf2642fb336 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Mon, 5 Aug 2019 14:55:02 -0700 Subject: [PATCH 19/20] Update the integration tests --- examples/src/multiple_kms_cmk_regions.py | 43 ++++++++----------- .../test/test_i_multiple_kms_cmk_regions.py | 8 ++-- test/integration/README.rst | 3 +- test/integration/integration_test_utils.py | 21 +++++++++ 4 files changed, 46 insertions(+), 29 deletions(-) diff --git a/examples/src/multiple_kms_cmk_regions.py b/examples/src/multiple_kms_cmk_regions.py index 7a7a9ba9a..f036e9121 100644 --- a/examples/src/multiple_kms_cmk_regions.py +++ b/examples/src/multiple_kms_cmk_regions.py 
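Review bot: `# Check that the headers of the encrypted message and decrypted message match` overstates the assertion beneath it, which only tests that each encryption-context pair of the decrypted header also appears in the encrypted header. The `kwargs` built earlier in this function carry only `key_ids` and `botocore_session`, and the encrypt wrapper is given just the provider and the plaintext, so no caller-supplied encryption context appears to be involved and the check presumably compares two readings of the same header. I would word the comment as `# Check that every encryption context pair in the decrypted header is also in the encrypted header`, and if the example is meant to model context verification, compare against a context the caller supplied. The `assert all(` statement runs past the end of the hunk.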
@@ -15,37 +15,29 @@ using multiple KMS CMKs in multiple regions. """ import aws_encryption_sdk +from aws_encryption_sdk.key_providers.kms import KMSMasterKey, KMSMasterKeyProvider +from aws_encryption_sdk.internal.crypto.encryption import encrypt, decrypt -def encrypt(kms_key_provider, source_plaintext): - """Encrypts source_plaintext with the key(s) in kms_key_provider""" - return aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider) - - -def decrypt(kms_key_provider, ciphertext): - """Decrypts ciphertext with the key(s) in kms_key_provider""" - return aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider) - - -def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_session=None): +def multiple_kms_cmk_regions(key_arn_1, key_arn_2, source_plaintext, botocore_session=None): """Encrypts and then decrypts a string under multiple KMS customer master keys (CMKs) in multiple regions. - :param str key_arn1: Amazon Resource Name (ARN) of the KMS CMK - :param str key_arn2: Amazon Resource Name (ARN) of another KMS CMK + :param str key_arn_1: Amazon Resource Name (ARN) of the KMS CMK + :param str key_arn_2: Amazon Resource Name (ARN) of another KMS CMK :param bytes source_plaintext: Data to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ # Check that these keys are in different regions - assert not key_arn1[12:21] == key_arn2[12:21] + assert not key_arn_1.split(":")[3] == key_arn_2.split(":")[3] - kwargs = dict(key_ids=[key_arn1, key_arn2]) + kwargs = dict(key_ids=[key_arn_1, key_arn_2]) if botocore_session is not None: kwargs["botocore_session"] = botocore_session # Create master key provider using the ARNs of the keys and the session (botocore_session) - kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) + kms_key_provider = KMSMasterKeyProvider(**kwargs) # Encrypt the plaintext using the AWS Encryption SDK. 
It returns the encrypted message and the header ciphertext, encrypted_message_header = encrypt(kms_key_provider, source_plaintext) @@ -55,23 +47,26 @@ def multiple_kms_cmk_regions(key_arn1, key_arn2, source_plaintext, botocore_sess # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header # Either of our keys can be used to decrypt the message - plaintext1, decrypted_message_header1 = decrypt( - aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn1])), ciphertext + plaintext_1, decrypted_message_header_1 = decrypt( + KMSMasterKey(key_id=key_arn_1), ciphertext ) - plaintext2, decrypted_message_header2 = decrypt( - aws_encryption_sdk.KMSMasterKeyProvider(**dict(key_ids=[key_arn2])), ciphertext + plaintext_2, decrypted_message_header_2 = decrypt( + KMSMasterKey(key_id=key_arn_2), ciphertext ) # Check that the original message and the decrypted message are the same - assert source_plaintext == plaintext1 - assert source_plaintext == plaintext2 + if not isinstance(source_plaintext, bytes): + plaintext1 = plaintext_1.decode("utf-8") + plaintext2 = plaintext_2.decode("utf-8") + assert source_plaintext == plaintext_1 + assert source_plaintext == plaintext_2 # Check that the headers of the encrypted message and decrypted message match assert all( pair in encrypted_message_header.encryption_context.items() - for pair in decrypted_message_header1.encryption_context.items() + for pair in decrypted_message_header_1.encryption_context.items() ) assert all( pair in encrypted_message_header.encryption_context.items() - for pair in decrypted_message_header2.encryption_context.items() + for pair in decrypted_message_header_2.encryption_context.items() ) diff --git a/examples/test/test_i_multiple_kms_cmk_regions.py b/examples/test/test_i_multiple_kms_cmk_regions.py index c2722d9b1..15a604f69 100644 --- a/examples/test/test_i_multiple_kms_cmk_regions.py +++ b/examples/test/test_i_multiple_kms_cmk_regions.py 
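Review bot: The new `from aws_encryption_sdk.internal.crypto.encryption import encrypt, decrypt` replaces the removed two-argument wrappers with the SDK's internal primitives, while the call `encrypt(kms_key_provider, source_plaintext)` is left as it was. As far as I know those internal functions take an algorithm, a raw data key, the data and associated data (plus an IV for encrypt) rather than a key provider, so this call and the two `decrypt(KMSMasterKey(...), ciphertext)` calls in the next hunk would fail, and an example should not depend on an `internal` module in any case. Call the public API instead: `ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt(source=source_plaintext, key_provider=kms_key_provider)`, with the matching `aws_encryption_sdk.decrypt(source=ciphertext, key_provider=...)` for decryption. The hunk also rewrites the region check as `assert not key_arn_1.split(":")[3] == key_arn_2.split(":")[3]`, which disappears under `python -O`; raising `ValueError` would keep the check in place.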
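Review bot: The `if not isinstance(source_plaintext, bytes):` branch assigns the decoded values to `plaintext1` and `plaintext2`, the names this same hunk retires, while the assertions that follow compare `plaintext_1` and `plaintext_2`. The decode therefore has no effect, and a `str` input would still fail the equality check against the undecoded result. Assign back to the names that are asserted: `plaintext_1 = plaintext_1.decode("utf-8")` and `plaintext_2 = plaintext_2.decode("utf-8")`. The function body begins outside this hunk.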
@@ -17,7 +17,7 @@ from ..src.multiple_kms_cmk_regions import multiple_kms_cmk_regions -# from .examples_test_utils import get_cmk_arn +from .examples_test_utils import get_cmk_arn from .examples_test_utils import static_plaintext @@ -26,8 +26,8 @@ def test_multiple_kms_cmk_regions(): plaintext = static_plaintext - cmk_arn1 = "arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt" - cmk_arn2 = "arn:aws:kms:eu-central-1:658956600833:alias/EncryptDecrypt" + cmk_arn_1 = get_cmk_arn("us-west-2") + cmk_arn_2 = get_cmk_arn("eu-central-1") multiple_kms_cmk_regions( - cmk_arn1, cmk_arn2, source_plaintext=plaintext, botocore_session=botocore.session.Session() + cmk_arn_1, cmk_arn_2, source_plaintext=plaintext, botocore_session=botocore.session.Session() ) diff --git a/test/integration/README.rst b/test/integration/README.rst index 33ecbbedd..eb3453e25 100644 --- a/test/integration/README.rst +++ b/test/integration/README.rst @@ -5,7 +5,8 @@ aws-encryption-sdk Integration Tests In order to run these integration tests successfully, these things must be configured. #. Ensure that AWS credentials are available in one of the `automatically discoverable credential locations`_. -#. Set environment variable ``AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID`` to valid +#. Set environment variable ``AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID`` + and ``AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2`` to valid `AWS KMS key id`_ to use for integration tests. .. _automatically discoverable credential locations: http://boto3.readthedocs.io/en/latest/guide/configuration.html diff --git a/test/integration/integration_test_utils.py b/test/integration/integration_test_utils.py index a5b4d6001..4169131b2 100644 --- a/test/integration/integration_test_utils.py +++ b/test/integration/integration_test_utils.py 
@@ -16,6 +16,7 @@ from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider AWS_KMS_KEY_ID = "AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID" +AWS_KMS_KEY_ID_2 = "AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2" _KMS_MKP = None @@ -32,6 +33,26 @@ def get_cmk_arn(): return arn raise ValueError("KMS CMK ARN provided for integration tests much be a key not an alias") +def get_cmk_arn(region_name='us-west-2'): + """Retrieves a CMK ARN based on the requested region_name""" + if AWS_KMS_KEY_ID in os.environ and AWS_KMS_KEY_ID_2 in os.environ: + raise ValueError( + 'Environment variable "{}" or "{}" must be set to a valid KMS CMK ARN for integration tests to run'.format( + AWS_KMS_KEY_ID, AWS_KMS_KEY_ID_2 + ) + ) + arn_1 = os.environ.get(AWS_KMS_KEY_ID, None) + arn_2 = os.environ.get(AWS_KMS_KEY_ID_2, None) + if arn_1.split(':')[3] == region_name: + return os.environ.get(AWS_KMS_KEY_ID, None) + elif arn_2.split(':')[3] == region_name: + return os.environ.get(AWS_KMS_KEY_ID_2, None) + else: + raise ValueError( + 'No CMK in the region {} exist in either of your environment variables "{}" or "{}"'.format( + region_name, AWS_KMS_KEY_ID, AWS_KMS_KEY_ID_2 + ) + ) def setup_kms_master_key_provider(cache=True): """Reads the test_values config file and builds the requested KMS Master Key Provider.""" From 38e27574c3ee8538116b1dbf5fc45edf78335889 Mon Sep 17 00:00:00 2001 From: Caitlin Tibbetts Date: Mon, 5 Aug 2019 15:25:37 -0700 Subject: [PATCH 20/20] Small changes --- test/integration/integration_test_utils.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/integration_test_utils.py b/test/integration/integration_test_utils.py index 4169131b2..2072cc0ff 100644 --- a/test/integration/integration_test_utils.py +++ b/test/integration/integration_test_utils.py 
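Review bot: The guard at the top of the added `get_cmk_arn(region_name='us-west-2')` is inverted: `if AWS_KMS_KEY_ID in os.environ and AWS_KMS_KEY_ID_2 in os.environ:` raises exactly when both variables are set, and when one is missing execution reaches `.split(':')` on `None`, which raises `AttributeError` instead of the intended message. The message also says "or" although both variables are needed, and a value with fewer than four `:`-separated fields would raise `IndexError`. The new definition additionally rebinds the name of the zero-argument `get_cmk_arn()` whose tail is visible just above it, so the alias rejection in that function is no longer reached through this name; a distinct name for the region-aware helper would avoid that. PATCH 20/20 edits this function but leaves the guard as it is. A corrected lookup is sketched below.

```python
def get_cmk_arn(region_name='us-west-2'):
    """Retrieves a CMK ARN based on the requested region_name"""
    missing = [name for name in (AWS_KMS_KEY_ID, AWS_KMS_KEY_ID_2) if name not in os.environ]
    if missing:
        raise ValueError(
            'Environment variables "{}" and "{}" must both be set to valid KMS CMK ARNs; missing: {}'.format(
                AWS_KMS_KEY_ID, AWS_KMS_KEY_ID_2, ", ".join(missing)
            )
        )
    for name in (AWS_KMS_KEY_ID, AWS_KMS_KEY_ID_2):
        arn_fields = os.environ[name].split(":")
        # A well-formed ARN has the region as its fourth field.
        if len(arn_fields) > 3 and arn_fields[3] == region_name:
            return os.environ[name]
    # ... unchanged: ValueError when no CMK matches region_name ...
```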
@@ -33,7 +33,7 @@ def get_cmk_arn(): return arn raise ValueError("KMS CMK ARN provided for integration tests much be a key not an alias") -def get_cmk_arn(region_name='us-west-2'): +def get_cmk_arn(region_name): """Retrieves a CMK ARN based on the requested region_name""" if AWS_KMS_KEY_ID in os.environ and AWS_KMS_KEY_ID_2 in os.environ: raise ValueError( @@ -44,9 +44,9 @@ def get_cmk_arn(region_name='us-west-2'): arn_1 = os.environ.get(AWS_KMS_KEY_ID, None) arn_2 = os.environ.get(AWS_KMS_KEY_ID_2, None) if arn_1.split(':')[3] == region_name: - return os.environ.get(AWS_KMS_KEY_ID, None) + return arn_1 elif arn_2.split(':')[3] == region_name: - return os.environ.get(AWS_KMS_KEY_ID_2, None) + return arn_2 else: raise ValueError( 'No CMK in the region {} exist in either of your environment variables "{}" or "{}"'.format(
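Review bot: Dropping the default in `def get_cmk_arn(region_name):` makes the argument mandatory while this definition still replaces the earlier `def get_cmk_arn():` named in the hunk header, so any existing caller that uses `get_cmk_arn()` with no argument would now fail with `TypeError`; the call sites are not visible here, so this needs checking. Either keep the zero-argument function and give the region-aware one its own name, e.g. `get_cmk_arn_for_region(region_name)`, or update every call site in the same commit. The docstring could also say that the function raises `ValueError` when neither configured ARN is in `region_name`.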