aws · caitlin-tibbetts · Jul 23, 2019 · Jul 23, 2019 · Jul 23, 2019 · Jul 24, 2019
@@ -0,0 +1,48 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Example showing basic encryption and decryption of a value already in memory using multiple KMS CMKs in multiple regions."""
+import aws_encryption_sdk
+
+
+def encrypt_decrypt(key_arn1, key_arn2, region_name1, region_name2, source_plaintext, botocore_session=None):
+    """Encrypts and then decrypts a string under one KMS customer master key (CMK).
+
+    :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK
+    :param bytes source_plaintext: Data to encrypt
+    :param botocore_session: existing botocore session instance
+    :type botocore_session: botocore.session.Session
+    """
+    kwargs = dict(key_ids=[key_arn1, key_arn2], region_names=[region_name1, region_name2])
+
+    if botocore_session is not None:
+        kwargs["botocore_session"] = botocore_session
+
+    # Create master key provider using the ARN of the key and the session (botocore_session)
+    kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
+
+    # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header
+    ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt(
+        source=source_plaintext, key_provider=kms_key_provider
+    )
+
+    # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header
+    plaintext, decrypted_message_header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=kms_key_provider)
+
+    # Check if the original message and the decrypted message are the same
+    assert source_plaintext == plaintext
+
+    # Check if the headers of the encrypted message and decrypted message match
+    assert all(
+        pair in encrypted_message_header.encryption_context.items()
+        for pair in decrypted_message_header.encryption_context.items()
+    )
@@ -0,0 +1,31 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Unit test suite for the encryption and decryption using multiple KMS CMKs in multiple regions example."""
+
+import botocore.session
+import pytest
+
+from ..src.multiple_kms_cmk_regions import encrypt_decrypt
+from .examples_test_utils import get_cmk_arn
+from .examples_test_utils import static_plaintext
+
+
+pytestmark = [pytest.mark.examples]
+
+
+def test_one_kms_cmk():
+    plaintext = static_plaintext
+    cmk_arn1 = get_cmk_arn()
+    cmk_arn2 = get_cmk_arn()
+    encrypt_decrypt(key_arn1=cmk_arn1, key_arn2=cmk_arn2, region_name1="us-west-1",
+        region_name2="us-east-1", source_plaintext=plaintext, botocore_session=botocore.session.Session())
diff --git a/tox.ini b/tox.ini
@@ -55,7 +55,7 @@ commands =
     examples: {[testenv:base-command]commands} examples/test/ -m examples
     all: {[testenv:base-command]commands} test/ examples/test/
     manual: {[testenv:base-command]commands}
-
+    
 # Verify that local tests work without environment variables present
 [testenv:nocmk]
 basepython = python3
@@ -252,7 +252,7 @@ commands = python setup.py check -r -s
 
 [testenv:bandit]
 basepython = python3
-deps = 
+deps =
     bandit>=1.5.1
 commands = bandit -r src/aws_encryption_sdk/