feat: add keyrings #249
Merged
…ed to EncryptionMaterials
…add_data_encryption_key can be called
…but no data_encryption_key
…ted_data_keys to tuple
Keyring materials
Add keyring interface
* Adding Keyring API * Delete __init__.py * Delete raw_keyring.py * Added docstring to public class * Edited docstring * Edited docstring again * Changes in docstring statements * Docstring changes * Changes in docstring * Raw keyring initial * Raw keyring encrypt commit * Encrypt functions for Raw RSA and AES * Raw RSA and AES initial * Changes in raw keyrings according to new keyring materials * Updated with autoformat * Modified base * Corrected tox and flake errors * Docstring error correction * Added docstrings and corrected errors * Some more changes in docstrings * Updating base API * Made all suggested changes * Corrected tox and flake8 errors * Minor change in raw-keyrings * Adding Keyring API * Delete __init__.py * Delete raw_keyring.py * Added docstring to public class * Edited docstring * Edited docstring again * Changes in docstring statements * Docstring changes * Changes in docstring * Raw keyring initial * Raw keyring encrypt commit * Encrypt functions for Raw RSA and AES * Raw RSA and AES initial * bump attrs to 19.1.0 * add keyring trace and integrate into updated encrytion/decryption materials * s/KeyRing/Keyring/g * align cryptographic materials and add write-only interface * encrypted_data_keys must only contain EncryptedDataKey * fix test to be Python 2 compatible * Changes in raw keyrings according to new keyring materials * Updated with autoformat * Modified base * data encryption key must be set before encrypted data keys can be added to EncryptionMaterials * Corrected tox and flake errors * Docstring error correction * Added docstrings and corrected errors * Some more changes in docstrings * Updating base API * add signing/verification key checks to Encryption/DecryptionMaterials * DecryptionMaterials.algorithm must be set before DecryptionMaterials.add_data_encryption_key can be called * update materials docs and typehints * Made all suggested changes * EncryptionMaterials must not be initialized with encrypted_data_keys but no 
data_encryption_key * add is_complete properties to EncryptionMaterials and DecryptionMaterials * Corrected tox and flake8 errors * Minor change in raw-keyrings * change KeyringTraceFlag values to bitshifted ints to match other implementations * normalize EncryptionMaterials._encrypted_data_keys to list and encrypted_data_keys to tuple * temporarily pin pydocstyle at <4.0.0 to avoid issue breaking flake8-docstrings * temporarily cap pydocstyle at <4.0.0 for decrypt oracle * Changes to keyring trace in raw keyrings * Adding test files * Adding tests * Changed data encryption key type to RawDataKey * Added keyring trace to pytest encryption materials * Changed value of keyring_trace.wrapping_key * Few changes to match new API * Tox errors * Functional tests pass * Formatting errors corrected and functional tests pass * Corrected too broad exception error and deleted empty return statement from tests * Changed Exeception to BaseException to solve broad exception error * Added suppress broad exception * Added pylint disable broad exception * Changed wrapping keys for RSA keyrings from WrappingKey to cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey/RSAPublicKey * Fixed tox errors * More tox errors * Moved code for generation of plaintext to be before the check for key being private or public * Tox errors * Added metaclass to base API and unit tests for base API * Changed metaclass to six.add_metaclass in base API * Fixed pylint errors * Fixed more pylint errors * Removed RawAESKeyring instance * Changed on_encrypt_helper to generate_data_key and removed on_decrypt_helper. 
Renamed base API unit test file * Changed docstring for generate_data_key * Changed decryption_materials.data_key to decryption_materials.data_encryption_key and fixed pylint errors * Fixed pylint errors * Changed raw keyrings to have class methods for PEM and DER encoded keys * Unit tests for raw keyrings * Changes for PEM encoding * Changed base API to remove metaclass and modified tests * Delete raw_keyring.py * Delete test_f_keyring_raw_aes.py * Delete test_f_keyring_raw_rsa.py * Delete test_keyring_raw_aes.py * Delete test_keyring_raw_rsa.py * Suggested changes * Made suggested changes to base API and tests * Made suggested changes to base API tests * Ignore commit * Corrected tox and pylint errors in base API unit tests * Removed try except for Iterable * Removed try except for Iterable from test_utils * Added try except for Iterable in base API * Resolved isort errors
* Adding Keyring API * Delete __init__.py * Delete raw_keyring.py * Added docstring to public class * Edited docstring * Edited docstring again * Changes in docstring statements * Docstring changes * Changes in docstring * Raw keyring initial * Raw keyring encrypt commit * Encrypt functions for Raw RSA and AES * Raw RSA and AES initial * Changes in raw keyrings according to new keyring materials * Updated with autoformat * Modified base * Corrected tox and flake errors * Docstring error correction * Added docstrings and corrected errors * Some more changes in docstrings * Updating base API * Made all suggested changes * Corrected tox and flake8 errors * Minor change in raw-keyrings * Adding Keyring API * Delete __init__.py * Delete raw_keyring.py * Added docstring to public class * Edited docstring * Edited docstring again * Changes in docstring statements * Docstring changes * Changes in docstring * Raw keyring initial * Raw keyring encrypt commit * Encrypt functions for Raw RSA and AES * Raw RSA and AES initial * bump attrs to 19.1.0 * add keyring trace and integrate into updated encrytion/decryption materials * s/KeyRing/Keyring/g * align cryptographic materials and add write-only interface * encrypted_data_keys must only contain EncryptedDataKey * fix test to be Python 2 compatible * Changes in raw keyrings according to new keyring materials * Updated with autoformat * Modified base * data encryption key must be set before encrypted data keys can be added to EncryptionMaterials * Corrected tox and flake errors * Docstring error correction * Added docstrings and corrected errors * Some more changes in docstrings * Updating base API * add signing/verification key checks to Encryption/DecryptionMaterials * DecryptionMaterials.algorithm must be set before DecryptionMaterials.add_data_encryption_key can be called * update materials docs and typehints * Made all suggested changes * EncryptionMaterials must not be initialized with encrypted_data_keys but no 
data_encryption_key * add is_complete properties to EncryptionMaterials and DecryptionMaterials * Corrected tox and flake8 errors * Minor change in raw-keyrings * change KeyringTraceFlag values to bitshifted ints to match other implementations * normalize EncryptionMaterials._encrypted_data_keys to list and encrypted_data_keys to tuple * temporarily pin pydocstyle at <4.0.0 to avoid issue breaking flake8-docstrings * temporarily cap pydocstyle at <4.0.0 for decrypt oracle * Changes to keyring trace in raw keyrings * Adding test files * Adding tests * Changed data encryption key type to RawDataKey * Added keyring trace to pytest encryption materials * Changed value of keyring_trace.wrapping_key * Few changes to match new API * Tox errors * Functional tests pass * Formatting errors corrected and functional tests pass * Corrected too broad exception error and deleted empty return statement from tests * Changed Exeception to BaseException to solve broad exception error * Added suppress broad exception * Added pylint disable broad exception * Changed wrapping keys for RSA keyrings from WrappingKey to cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey/RSAPublicKey * Fixed tox errors * More tox errors * Moved code for generation of plaintext to be before the check for key being private or public * Tox errors * Added metaclass to base API and unit tests for base API * Changed metaclass to six.add_metaclass in base API * Fixed pylint errors * Fixed more pylint errors * Removed RawAESKeyring instance * Changed on_encrypt_helper to generate_data_key and removed on_decrypt_helper. 
Renamed base API unit test file * Changed docstring for generate_data_key * Changed decryption_materials.data_key to decryption_materials.data_encryption_key and fixed pylint errors * Fixed pylint errors * Changed raw keyrings to have class methods for PEM and DER encoded keys * Unit tests for raw keyrings * Changes for PEM encoding * Made suggested changes to raw keyrings * partial commit for raw keyrings * Made suggested changes * Changed wrapping_key_id in deserialize_wrapped_key() back to self.key_name * Decryption and PEM input now works * Adding sample * Removed test comments * Unit tests for raw aes and rsa * All unit tests working * All unit tests done. Functional tests - key_info_prefix_vectors for AES and compatibility with MKP for RSA remaining * Delete sample_aes.py * Corrected tox and pylint errors * Removed print statements used while debugging * Partial commit for changes to tests * Partial commit for tests for raw keyrings * All tests except compatibility of raw rsa with mkp and key info prefix in raw aes * Pulled from keyring branch * Updated base API * Added test for key info prefix * Changed unittest.mock to mock * Raw keyrings test partial commit * All tests for raw keyrings work * Removed unused imports * Removed unused imports
* Adding Keyring API * Delete __init__.py * Delete raw_keyring.py * Added docstring to public class * Edited docstring * Edited docstring again * Changes in docstring statements * Docstring changes * Changes in docstring * Raw keyring initial * Raw keyring encrypt commit * Encrypt functions for Raw RSA and AES * Raw RSA and AES initial * raw keyrings first commit * Multi keyring first commit * Changes in the base file * Temporary changes in multiple files * Committing initial code * Deleted raw aes test * Multi Keyrings * Updating base API and raw keyrings * Corrected tox errors * Added typehints * Updated raw keyrings * Updated raw keyrings * Changes in error conditions for multi keyrings * Made all suggested changes in multi-keyrings * Corrected tox errors * Added docstring to __attrs_post_init__ * Changed variable name neither_generator_nor_children_defined to neither_generator_nor_children * Changed raw keyrings * Corrected tox errors * Updated raw keyrings * Updated raw keyrings and functional test for multi keyrings * Functional tests for multi-keyrings work * Autoformat errors corrected and changed Exception to BaseException to solve broad exception error * Added pylint disable broad except to raw keyrings and added multi parametrize to multi keyrings functional test * Removed duplicate import statements * Changes in functional test for multi keyrings according to change in raw keyrings * Changed RSA key structure to RSAPublicKey/RSAPrivateKey and functional test passes * Removed unwanted commented lines from test * Pylint errors * More pylint errors * Made suggested changes in multi keyring * Multi keyring unit tests * Optimized loop for decryption keyring * Unit tests for multi keyrings and added sample encryption materials and multi keyrings in test_utils * Multi keyrings unit tests * Making changes in tests and API * Almost all unit tests done * Unit tests for multi keyrings * Unit tests for multi keyrings * Unit tests for multi-keyrings working except 
the one to check if no further keyrings are called if data encryption key is added * Made changes in raw keyrings to match the latest version * Removed unused imports * Made suggested changes * Removed unused imports * Resolved formatting errors * Made suggested changes - partial * Made all suggested changes * apply autoformatting x_x
* Update PR template * Added a check for max_age being greater than 0 (#172) * Added a check for max_age being greater than 0 * Fixed flake8 by adding missing pydocstyle dependency * Added the dependency to decrypt_oracle as well * Added test for max_age<=0 ValueError * Updated test for max_age<=0.0 ValueError * Added negative test case * Fixed KMS master key provider tests when default AWS region is configured (#179) * Fixed KMS master key provider tests for users who have their default AWS region configured * created fixture for botocore session with no region set * add auto-used fixture in KMS master key provider unit tests to test against both with and without default region * Wrote example and test for using one kms cmk with an unsigned algorithm * Update one_kms_cmk_unsigned.py * Update examples/src/one_kms_cmk_unsigned.py Co-Authored-By: Matt Bullock <[email protected]> * isort-check now succeeds * [issue-190] Regional clients modify default botocore session (#193) * [issue-190] Creation of regional clients modifies default botocore session's region * update changelog with changes for 1.4.1 release * bump version to 1.4.1 * Updates to handle new pylint requirements (#196) * pylint max-attributes appears to be ratcheted down recently * remove unnecessary comprehensions * whitelist some pylint use-constant-test false-positives * reorganize backwards compatibility test requirements definitions attrs==19.2.0 removed a deprecated feature that aws-encryption-sdk==1.3.3 depended on. This reorganization lets us define specific requirements bounds for old versions of aws-encryption-sdk that will probably continue to be necessary as these old versions age. * remove unnecessary comprehensions * add newlines to the end of all requirements files * help pylint ignore mypy type use
* reorganize keyring tests to match #100 and keyring namespace to simplify names * change aws_encryption_sdk.keyring to aws_encryption_sdk.keyrings for consistency in namespace names * autoformat * disable pylint similarity checks on imports Because we provide multiple implementations of certain types of things (keyrings, etc), this was triggering pylint due to them all needing to import the same types in order to function. * remove aws_encryption_sdk namespace layer in test reorg
* reorganize keyring tests to match #100 and keyring namespace to simplify names * change aws_encryption_sdk.keyring to aws_encryption_sdk.keyrings for consistency in namespace names * autoformat * disable pylint similarity checks on imports Because we provide multiple implementations of certain types of things (keyrings, etc), this was triggering pylint due to them all needing to import the same types in order to function. * reorganize functional and integration tests * define structure for unit tests reorg * reorganize unit tests * rename test_values to vectors to avoid it being confused for a test file * remove aws_encryption_sdk from functional test namespace * remove aws_encryption_sdk from integration test namespace * remove aws_encryption_sdk from unit test namespace * rename test_crypto to vectors to avoid confusion * autoformat
* refactor MasterKeyProvider.decrypt_data_key and break out master key location to master_keys_for_data_key * simplify MasterKey.owns_data_key * autoformat * fix linting issues
* chore: add __all__ values for keyring modules * chore: add versionadded tags for keyrings * feat: plump keyrings into stream handlers and default CMM * chore: incorporate keyrings into tests * add raw AES keyring-MKP compatibility tests * add raw RSA MKP-keyring compatibility tests * fix: fix integ test to run when default region is set * chore: add public-private keyring-MKP compat tests * fix: fix typo * add DefaultCryptographicMaterialsProvider tests for keyrings that return incomplete or broken materials * feat: enable caching CMM to accept either MKP or keyring * fix: rename test keyring to avoid name collision * chore: caching CMM has too many instance attributes and that's ok * docs: add versionadded flags to docstrings for keyring values * docs: update docs on encrypt/decrypt helper functions to match underlying docs * chore: update copyright notices on modified files * docs: render keyring docs * docs: clean up keyring method docs * fix: fix linting issues * fix: autoformat * docs: fix typo * fix: fix docs and error message inconsistency * fix: re-order checks to avoid misleading error messages if materials are invalid * chore: test broken paths in default CMM with more algorithm suites * docs: make docs correctly link to pyca/cryptography docs
* chore: remove CPython3.4 advertised support and add CPython3.8 * docs: update readmes to reflect 3.5 minimum
chore: migrate non-integ CI to GitHub Actions workflows
Co-Authored-By: Wesley Rosenblum <[email protected]>
docs: add master key provider examples
…#240) * fix: correct KMS keyring parameter name from child_key_ids to additional_key_ids * feat: rename kms keyring parameter from additional_key_ids to key_ids
* docs: add CMM examples * docs: add CMM examples to readme * docs: apply suggestions from code review Co-Authored-By: Wesley Rosenblum <[email protected]> * docs: fix and refine examples docs * chore: remove redundant example * docs: clarify "filtering CMM" references in examples comments * chore: autoformat * docs: refactor algorithm restricting example focus * docs: revise framing of encryption context example and KMS references * docs: apply suggestions from code review Co-Authored-By: Wesley Rosenblum <[email protected]> Co-authored-by: Wesley Rosenblum <[email protected]>
* feat: deprecate master key providers * docs: change main API examples from MKP to keyring * docs: add deprecation notices in MKP docstrings * docs: add future guidance in MKP deprecation comment * docs: remove examples from readme and replace concepts with dev guide concepts * docs: add link to dev guide concepts section * docs: update CHANGELOG.rst Co-Authored-By: Wesley Rosenblum <[email protected]> * docs: refine wording in MKP removal statements * docs: replace copy-paste concepts descriptions with links to developer guide Co-authored-by: Wesley Rosenblum <[email protected]>
this example is replaced by the onestep_unsigned example
chore: merge master into keyring
* docs: fix security issue notifications link in readme * docs: update README.rst Co-Authored-By: seebees <[email protected]> Co-authored-by: seebees <[email protected]>
Is this blocked on doc updates due to the link to data_key_caching_basic.py?
Ah, good call. It might be, I'll check.
This was referenced Apr 15, 2020
WesleyRosenblum approved these changes Apr 16, 2020
Approved, but wait to merge as discussed until docs are released
Description of changes:
All changes in keyring have already been reviewed, and master was merged into keyring in #244, with no changes to master since then.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: