From e93172dad8cba10c7541462ca73b5dae5d98fc71 Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Fri, 2 Oct 2020 12:51:56 -0600 Subject: [PATCH 01/16] Post 2.0.0 fixes (#303) * Various fixes/cleanup after release of 2.0 - Update decrypt_oracle and test_vector_handlers to use new constructs - Update changelog with correct commit hashes - Update _ClientConfig docstring to include commitment_policy - Fix oracle CI - Update the release tox environments to reduce risk of releasing to the wrong repo --- .travis.yml | 20 +++++------ CHANGELOG.rst | 2 +- .../aws_encryption_sdk_decrypt_oracle/app.py | 9 ++--- .../integration/integration_test_utils.py | 8 +++-- .../unit/key_providers/test_u_counting.py | 9 +++-- .../test/unit/key_providers/test_u_null.py | 10 +++--- src/aws_encryption_sdk/streaming_client.py | 2 ++ .../compatibility-requirements/1.7.1 | 2 ++ .../compatibility-requirements/2.0.0 | 2 ++ .../awses_test_vectors/internal/aws_kms.py | 7 ++-- .../awses_test_vectors/internal/mypy_types.py | 2 +- .../src/awses_test_vectors/internal/util.py | 1 + .../manifests/full_message/decrypt.py | 7 ++-- .../manifests/full_message/encrypt.py | 8 +++-- .../src/awses_test_vectors/manifests/keys.py | 5 +-- .../manifests/master_key.py | 1 + test_vector_handlers/tox.ini | 4 ++- tox.ini | 33 ++++++++++++++----- 18 files changed, 84 insertions(+), 48 deletions(-) create mode 100644 test_vector_handlers/compatibility-requirements/1.7.1 create mode 100644 test_vector_handlers/compatibility-requirements/2.0.0 diff --git a/.travis.yml b/.travis.yml index a8ca00f68..415f537e0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -56,12 +56,12 @@ matrix: - python: 2.7 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py27-awses_1.3.3 + TOXENV=py27-awses_1.7.1 stage: Test Vector Handler Tests - python: 2.7 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py27-awses_1.3.max + TOXENV=py27-awses_2.0.0 stage: Test Vector Handler Tests - python: 2.7 env: 
@@ -72,12 +72,12 @@ matrix: - python: 3.5 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py35-awses_1.3.3 + TOXENV=py35-awses_1.7.1 stage: Test Vector Handler Tests - python: 3.5 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py35-awses_1.3.max + TOXENV=py35-awses_2.0.0 stage: Test Vector Handler Tests - python: 3.5 env: @@ -88,12 +88,12 @@ matrix: - python: 3.6 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py36-awses_1.3.3 + TOXENV=py36-awses_1.7.1 stage: Test Vector Handler Tests - python: 3.6 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py36-awses_1.3.max + TOXENV=py36-awses_2.0.0 stage: Test Vector Handler Tests - python: 3.6 env: @@ -104,14 +104,14 @@ matrix: - python: 3.7 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py37-awses_1.3.3 + TOXENV=py37-awses_1.7.1 dist: xenial sudo: true stage: Test Vector Handler Tests - python: 3.7 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py37-awses_1.3.max + TOXENV=py37-awses_2.0.0 dist: xenial sudo: true stage: Test Vector Handler Tests @@ -126,14 +126,14 @@ matrix: - python: 3.8 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py38-awses_1.3.3 + TOXENV=py38-awses_1.7.1 dist: xenial sudo: true stage: Test Vector Handler Tests - python: 3.8 env: TEST_VECTOR_HANDLERS=1 - TOXENV=py38-awses_1.3.max + TOXENV=py38-awses_2.0.0 dist: xenial sudo: true stage: Test Vector Handler Tests diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5d7d1d288..1585e5af2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -14,7 +14,7 @@ Bugfix Features -------- -* Updates to the AWS Encryption SDK. bdbf00c +* Updates to the AWS Encryption SDK. ef90351 Deprecations ^^^^^^^^^^^^ diff --git a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py index c3248add1..b0d8a8d48 100644 --- a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py +++ b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py 
@@ -16,7 +16,7 @@ import os import aws_encryption_sdk -from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider +from aws_encryption_sdk.key_providers.kms import DiscoveryAwsKmsMasterKeyProvider from chalice import Chalice, Response from .key_providers.counting import CountingMasterKey @@ -27,9 +27,9 @@ APP.log.setLevel(logging.DEBUG) -def _master_key_provider() -> KMSMasterKeyProvider: +def _master_key_provider() -> DiscoveryAwsKmsMasterKeyProvider: """Build the V0 master key provider.""" - master_key_provider = KMSMasterKeyProvider() + master_key_provider = DiscoveryAwsKmsMasterKeyProvider() master_key_provider.add_master_key_provider(NullMasterKey()) master_key_provider.add_master_key_provider(CountingMasterKey()) return master_key_provider @@ -59,8 +59,9 @@ def basic_decrypt() -> Response: APP.log.debug(APP.current_request.raw_body) try: + client = aws_encryption_sdk.EncryptionSDKClient() ciphertext = APP.current_request.raw_body - plaintext, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=_master_key_provider()) + plaintext, _header = client.decrypt(source=ciphertext, key_provider=_master_key_provider()) APP.log.debug("Plaintext:") APP.log.debug(plaintext) response = Response(body=plaintext, headers={"Content-Type": "application/octet-stream"}, status_code=200) diff --git a/decrypt_oracle/test/integration/integration_test_utils.py b/decrypt_oracle/test/integration/integration_test_utils.py index 610a930d6..03e50cd0a 100644 --- a/decrypt_oracle/test/integration/integration_test_utils.py +++ b/decrypt_oracle/test/integration/integration_test_utils.py 
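Review bot: `_master_key_provider()` now returns a `DiscoveryAwsKmsMasterKeyProvider()` with no discovery filter, and `basic_decrypt` passes it the raw request body. Which KMS keys receive a Decrypt call is therefore decided by the key ARNs named in the submitted message, bounded only by the function's IAM permissions. If the oracle is meant to serve only the project's own test keys, constrain it in code as well, e.g. `DiscoveryAwsKmsMasterKeyProvider(discovery_filter=DiscoveryFilter(account_ids=["<ACCOUNT_ID>"], partition="aws"))`, with `DiscoveryFilter` imported from the same `key_providers.kms` module. If unrestricted discovery is intended, the docstring should say so and name the IAM policy that limits it.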
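Review bot: `client = aws_encryption_sdk.EncryptionSDKClient()` in `basic_decrypt` takes the SDK's default commitment policy, while the test helper in this commit builds its client with `CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT`. If the 2.0 default is the stricter require-on-decrypt policy, as I believe it is, the deployed oracle will reject non-committing messages that the tests' client accepts. Pass `commitment_policy=` explicitly so the oracle's behaviour is a visible decision rather than a library default. The client does not appear to carry per-request state, so it could be a module-level constant instead of being rebuilt on every call. `basic_decrypt` starts and ends outside the hunk.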
@@ -17,8 +17,10 @@ from collections import namedtuple from typing import Any, Callable, Iterable, Optional, Text +import aws_encryption_sdk import pytest -from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider +from aws_encryption_sdk.identifiers import CommitmentPolicy +from aws_encryption_sdk.key_providers.kms import StrictAwsKmsMasterKeyProvider HERE = os.path.abspath(os.path.dirname(__file__)) DEPLOYMENT_REGION = "AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION" @@ -27,6 +29,8 @@ _KMS_MKP = None _ENDPOINT = None +CLIENT = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) + def decrypt_endpoint() -> Text: """Build the API endpoint based on environment variables.""" @@ -77,7 +81,7 @@ def kms_master_key_provider(cache: Optional[bool] = True): return _KMS_MKP cmk_arn = get_cmk_arn() - _kms_master_key_provider = KMSMasterKeyProvider(key_ids=[cmk_arn]) + _kms_master_key_provider = StrictAwsKmsMasterKeyProvider(key_ids=[cmk_arn]) if cache: _KMS_MKP = _kms_master_key_provider diff --git a/decrypt_oracle/test/unit/key_providers/test_u_counting.py b/decrypt_oracle/test/unit/key_providers/test_u_counting.py index f779b5169..ebeaee198 100644 --- a/decrypt_oracle/test/unit/key_providers/test_u_counting.py +++ b/decrypt_oracle/test/unit/key_providers/test_u_counting.py @@ -11,11 +11,10 @@ # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. """Unit test for ``aws_encryption_sdk_decrypt_oracle.key_providers.counting``.""" -import aws_encryption_sdk import pytest from aws_encryption_sdk_decrypt_oracle.key_providers.counting import CountingMasterKey -from ...integration.integration_test_utils import filtered_test_vectors +from ...integration.integration_test_utils import CLIENT, filtered_test_vectors pytestmark = [pytest.mark.unit, pytest.mark.local] 
@@ -24,7 +23,7 @@ def test_counting_master_key_decrypt_vectors(vector): master_key = CountingMasterKey() - plaintext, _header = aws_encryption_sdk.decrypt(source=vector.ciphertext, key_provider=master_key) + plaintext, _header = CLIENT.decrypt(source=vector.ciphertext, key_provider=master_key) assert plaintext == vector.plaintext @@ -33,8 +32,8 @@ def test_counting_master_key_cycle(): plaintext = b"some super secret plaintext" master_key = CountingMasterKey() - ciphertext, _header = aws_encryption_sdk.encrypt(source=plaintext, key_provider=master_key) - decrypted, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=master_key) + ciphertext, _header = CLIENT.encrypt(source=plaintext, key_provider=master_key) + decrypted, _header = CLIENT.decrypt(source=ciphertext, key_provider=master_key) assert plaintext != ciphertext assert plaintext == decrypted diff --git a/decrypt_oracle/test/unit/key_providers/test_u_null.py b/decrypt_oracle/test/unit/key_providers/test_u_null.py index 918ef0e5a..4c3a2e4d7 100644 --- a/decrypt_oracle/test/unit/key_providers/test_u_null.py +++ b/decrypt_oracle/test/unit/key_providers/test_u_null.py @@ -11,11 +11,10 @@ # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. """Unit test for ``aws_encryption_sdk_decrypt_oracle.key_providers.null``.""" -import aws_encryption_sdk import pytest from aws_encryption_sdk_decrypt_oracle.key_providers.null import NullMasterKey -from ...integration.integration_test_utils import filtered_test_vectors +from ...integration.integration_test_utils import CLIENT, filtered_test_vectors pytestmark = [pytest.mark.unit, pytest.mark.local] 
@@ -23,8 +22,7 @@ @pytest.mark.parametrize("vector", filtered_test_vectors(lambda x: x.key_type == "null")) def test_null_master_key_decrypt_vectors(vector): master_key = NullMasterKey() - - plaintext, _header = aws_encryption_sdk.decrypt(source=vector.ciphertext, key_provider=master_key) + plaintext, _header = CLIENT.decrypt(source=vector.ciphertext, key_provider=master_key) assert plaintext == vector.plaintext @@ -33,8 +31,8 @@ def test_null_master_key_cycle(): plaintext = b"some super secret plaintext" master_key = NullMasterKey() - ciphertext, _header = aws_encryption_sdk.encrypt(source=plaintext, key_provider=master_key) - decrypted, _header = aws_encryption_sdk.decrypt(source=ciphertext, key_provider=master_key) + ciphertext, _header = CLIENT.encrypt(source=plaintext, key_provider=master_key) + decrypted, _header = CLIENT.decrypt(source=ciphertext, key_provider=master_key) assert plaintext != ciphertext assert plaintext == decrypted diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index f33831508..6ac89dcb4 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py @@ -72,6 +72,8 @@ class _ClientConfig(object): :param source: Source data to encrypt or decrypt :type source: str, bytes, io.IOBase, or file + :param commitment_policy: The commitment policy to use during encryption and decryption + :type commitment_policy: aws_encryption_sdk.identifiers.CommitmentPolicy :param materials_manager: `CryptoMaterialsManager` from which to obtain cryptographic materials (either `materials_manager` or `key_provider` required) :type materials_manager: aws_encryption_sdk.materials_manager.base.CryptoMaterialsManager diff --git a/test_vector_handlers/compatibility-requirements/1.7.1 b/test_vector_handlers/compatibility-requirements/1.7.1 new file mode 100644 index 000000000..8d01cab7c --- /dev/null +++ b/test_vector_handlers/compatibility-requirements/1.7.1 
@@ -0,0 +1,2 @@ +aws-encryption-sdk==1.7.1 +attrs<19.2.0 diff --git a/test_vector_handlers/compatibility-requirements/2.0.0 b/test_vector_handlers/compatibility-requirements/2.0.0 new file mode 100644 index 000000000..14c3b529b --- /dev/null +++ b/test_vector_handlers/compatibility-requirements/2.0.0 @@ -0,0 +1,2 @@ +aws-encryption-sdk==2.0.0 +attrs<19.2.0 diff --git a/test_vector_handlers/src/awses_test_vectors/internal/aws_kms.py b/test_vector_handlers/src/awses_test_vectors/internal/aws_kms.py index 5893c6270..c63e167bc 100644 --- a/test_vector_handlers/src/awses_test_vectors/internal/aws_kms.py +++ b/test_vector_handlers/src/awses_test_vectors/internal/aws_kms.py @@ -15,12 +15,12 @@ from aws_encryption_sdk.identifiers import AlgorithmSuite except ImportError: from aws_encryption_sdk.identifiers import Algorithm as AlgorithmSuite -from aws_encryption_sdk.key_providers.kms import KMSMasterKeyProvider +from aws_encryption_sdk.key_providers.kms import DiscoveryAwsKmsMasterKeyProvider, StrictAwsKmsMasterKeyProvider from awses_test_vectors.internal.defaults import ENCODING # This lets us easily use a single boto3 client per region for all KMS master keys. -KMS_MASTER_KEY_PROVIDER = KMSMasterKeyProvider() +KMS_MASTER_KEY_PROVIDER = DiscoveryAwsKmsMasterKeyProvider() def arn_from_key_id(key_id): @@ -34,7 +34,8 @@ def arn_from_key_id(key_id): :returns: Full Arn for KMS CMK that key ID identifies :rtype: str """ - encrypted_data_key = KMS_MASTER_KEY_PROVIDER.master_key(key_id.encode(ENCODING)).generate_data_key( + provider = StrictAwsKmsMasterKeyProvider(key_ids=[key_id]) + encrypted_data_key = provider.master_key(key_id.encode(ENCODING)).generate_data_key( algorithm=AlgorithmSuite.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, encryption_context={} ) return encrypted_data_key.key_provider.key_info.decode(ENCODING) 
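Review bot: In aws_kms.py, `arn_from_key_id` now builds a fresh `StrictAwsKmsMasterKeyProvider(key_ids=[key_id])` on every call. The module comment above `KMS_MASTER_KEY_PROVIDER` ("a single boto3 client per region for all KMS master keys") therefore no longer describes this path, and each lookup presumably sets up its own client before making the `generate_data_key` round trip. Either keep the providers in a small module-level dict keyed by `key_id`, or reword the comment to say the shared discovery provider is only for the other call sites (not visible here, so confirm it is still used). A one-line comment such as `# Strict provider: resolving an ARN needs a provider configured with this exact key id` would also explain why the shared provider is bypassed. The function's signature and docstring start in the previous hunk.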
diff --git a/test_vector_handlers/src/awses_test_vectors/internal/mypy_types.py b/test_vector_handlers/src/awses_test_vectors/internal/mypy_types.py index e669c8a2f..3712643e8 100644 --- a/test_vector_handlers/src/awses_test_vectors/internal/mypy_types.py +++ b/test_vector_handlers/src/awses_test_vectors/internal/mypy_types.py @@ -15,10 +15,10 @@ try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import ( # noqa pylint: disable=unused-import + IO, Any, Callable, Dict, - IO, Iterable, Optional, Tuple, diff --git a/test_vector_handlers/src/awses_test_vectors/internal/util.py b/test_vector_handlers/src/awses_test_vectors/internal/util.py index 4963ff5e7..da5552f13 100644 --- a/test_vector_handlers/src/awses_test_vectors/internal/util.py +++ b/test_vector_handlers/src/awses_test_vectors/internal/util.py @@ -25,6 +25,7 @@ try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Any, Callable, Dict, Iterable, Type # noqa pylint: disable=unused-import + from awses_test_vectors.internal.mypy_types import ( # noqa pylint: disable=unused-import ISINSTANCE, MANIFEST_VERSION, diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py index 0cfda32e5..13737cbcf 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py @@ -21,6 +21,7 @@ import attr import aws_encryption_sdk import six +from aws_encryption_sdk.identifiers import CommitmentPolicy from aws_encryption_sdk.key_providers.base import MasterKeyProvider from awses_test_vectors.internal.defaults import ENCODING 
@@ -34,7 +35,8 @@ from awses_test_vectors.manifests.master_key import MasterKeySpec, master_key_provider_from_master_key_specs try: # Python 3.5.0 and 3.5.1 have incompatible typing modules - from typing import Callable, Dict, IO, Iterable, Optional # noqa pylint: disable=unused-import + from typing import IO, Callable, Dict, Iterable, Optional # noqa pylint: disable=unused-import + from awses_test_vectors.internal.mypy_types import ( # noqa pylint: disable=unused-import DECRYPT_SCENARIO_SPEC, FULL_MESSAGE_DECRYPT_MANIFEST, @@ -155,7 +157,8 @@ def run(self, name): :param str name: Descriptive name for this scenario to use in any logging or errors """ - plaintext, _header = aws_encryption_sdk.decrypt(source=self.ciphertext, key_provider=self.master_key_provider) + client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + plaintext, _header = client.decrypt(source=self.ciphertext, key_provider=self.master_key_provider) if plaintext != self.plaintext: raise ValueError("Decrypted plaintext does not match expected value for scenario '{}'".format(name)) diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py index a74612d4a..ba94c1626 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py 
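Review bot: The commitment policy is hard-coded inside `run` as `CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT` with no comment, and the same literal is repeated in `run` in manifests/full_message/encrypt.py, so the two handlers can drift apart silently. A reader cannot tell whether this weakest policy is deliberate (presumably it is the one value every SDK version in the tox matrix accepts) or a leftover. Hoist it to a shared constant with a comment along the lines of `# FORBID_ENCRYPT_ALLOW_DECRYPT: lets the handlers process non-committing vectors on every supported SDK version`, adjusted to the real reason. On the encrypt side it is also worth stating that manifest scenarios naming a committing algorithm suite will be refused under this policy, if that is the intent. `run` starts outside the hunk.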
@@ -40,13 +40,14 @@ from awses_test_vectors.manifests.master_key import MasterKeySpec, master_key_provider_from_master_key_specs try: - from aws_encryption_sdk.identifiers import AlgorithmSuite + from aws_encryption_sdk.identifiers import AlgorithmSuite, CommitmentPolicy except ImportError: from aws_encryption_sdk.identifiers import Algorithm as AlgorithmSuite try: # Python 3.5.0 and 3.5.1 have incompatible typing modules - from typing import Callable, Dict, IO, Iterable, Optional # noqa pylint: disable=unused-import + from typing import IO, Callable, Dict, Iterable, Optional # noqa pylint: disable=unused-import + from awses_test_vectors.internal.mypy_types import ( # noqa pylint: disable=unused-import ENCRYPT_SCENARIO_SPEC, PLAINTEXTS_SPEC, @@ -133,7 +134,8 @@ def run(self, ciphertext_writer, plaintext_uri): :return: Decrypt test scenario that describes the generated scenario :rtype: MessageDecryptionTestScenario """ - ciphertext, _header = aws_encryption_sdk.encrypt( + client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) + ciphertext, _header = client.encrypt( source=self.plaintext, algorithm=self.algorithm, frame_length=self.frame_size, diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/keys.py b/test_vector_handlers/src/awses_test_vectors/manifests/keys.py index 441caac01..4e2d9799b 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/keys.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/keys.py 
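Review bot: `CommitmentPolicy` is imported inside the existing `try`, but the `except ImportError` fallback only binds `AlgorithmSuite`. On any SDK where the first import fails, `CommitmentPolicy` is never defined and `run` raises `NameError` at the `EncryptionSDKClient(...)` call. The `try` now also conflates two different failures: a missing `CommitmentPolicy` silently switches `AlgorithmSuite` to the legacy `Algorithm` alias. decrypt.py in this same commit imports it unconditionally, so do the same here with a separate `from aws_encryption_sdk.identifiers import CommitmentPolicy` line above the `try`. If the supported matrix is now 1.7.1 and later, the `Algorithm` fallback can probably be dropped altogether.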
@@ -25,13 +25,14 @@ from awses_test_vectors.internal.util import dictionary_validator, membership_validator, validate_manifest_type try: # Python 3.5.0 and 3.5.1 have incompatible typing modules - from typing import cast, Dict, Iterable, Optional # noqa pylint: disable=unused-import + from typing import Dict, Iterable, Optional, cast # noqa pylint: disable=unused-import + from awses_test_vectors.internal.mypy_types import ( # noqa pylint: disable=unused-import AWS_KMS_KEY_SPEC, - MANUAL_KEY_SPEC, KEY_SPEC, KEYS_MANIFEST, MANIFEST_VERSION, + MANUAL_KEY_SPEC, ) except ImportError: # pragma: no cover # We only actually need these imports when running the mypy checks diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/master_key.py b/test_vector_handlers/src/awses_test_vectors/manifests/master_key.py index b018f21a5..05975ccbf 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/master_key.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/master_key.py @@ -34,6 +34,7 @@ try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Iterable # noqa pylint: disable=unused-import + from awses_test_vectors.internal.mypy_types import MASTER_KEY_SPEC # noqa pylint: disable=unused-import except ImportError: # pragma: no cover # We only actually need these imports when running the mypy checks diff --git a/test_vector_handlers/tox.ini b/test_vector_handlers/tox.ini index 420032dd0..c2aeda5a1 100644 --- a/test_vector_handlers/tox.ini +++ b/test_vector_handlers/tox.ini @@ -1,6 +1,6 @@ [tox] envlist = - py{27,34,35,36,37}-awses_{1.3.3,1.3.max,latest}, + py{27,34,35,36,37}-awses_{1.7.1,2.0.0,latest}, # 1.2.0 and 1.2.max are being difficult because of attrs bandit, doc8, readme, docs, {flake8,pylint}{,-tests}, 
@@ -48,6 +48,8 @@ deps = -rtest/requirements.txt awses_1.3.3: -rcompatibility-requirements/1.3.3 awses_1.3.max: -rcompatibility-requirements/1.3.max + awses_1.7.1: -rcompatibility-requirements/1.7.1 + awses_2.0.0: -rcompatibility-requirements/2.0.0 awses_latest: -rcompatibility-requirements/latest commands = {[testenv:base-command]commands} diff --git a/tox.ini b/tox.ini index 2ea33b9e5..830fc617f 100644 --- a/tox.ini +++ b/tox.ini @@ -343,12 +343,31 @@ deps = {[testenv:build]deps} twine passenv = + # Intentionally omit TWINE_REPOSITORY_URL from the passenv list, + # as this overrides other ways of setting the repository and could + # unexpectedly result in releasing to the wrong repo {[testenv]passenv} \ TWINE_USERNAME \ - TWINE_PASSWORD \ - TWINE_REPOSITORY_URL + TWINE_PASSWORD commands = {[testenv:build]commands} + +[testenv:release-private] +basepython = python3 +skip_install = true +deps = {[testenv:release-base]deps} +passenv = + {[testenv:release-base]passenv} \ + TWINE_REPOSITORY_URL +setenv = + # Explicitly set the URL as the env variable value, which will cause us to + # throw an error if the variable is not set. Otherwise, omission of the + # env variable could cause us to unintentionally upload to the wrong repo + TWINE_REPOSITORY_URL = {env:TWINE_REPOSITORY_URL} +commands = + {[testenv:release-base]commands} + # Omitting an explicit repository will cause twine to use the repository + # specified in the environment variable twine upload --skip-existing {toxinidir}/dist/* [testenv:test-release] @@ -357,9 +376,9 @@ skip_install = true deps = {[testenv:release-base]deps} passenv = {[testenv:release-base]passenv} -setenv = - TWINE_REPOSITORY_URL = https://test.pypi.org/legacy/ -commands = {[testenv:release-base]commands} +commands = + {[testenv:release-base]commands} + twine upload --skip-existing --repository testpypi {toxinidir}/dist/* [testenv:release] basepython = python3 
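Review bot: In the new `[testenv:release-private]` section, the only guard against publishing a private build to the default index is `TWINE_REPOSITORY_URL = {env:TWINE_REPOSITORY_URL}`. That relies on tox aborting on an undefined `{env:...}` substitution, which I believe is not consistent across tox major versions. It also does nothing for a variable that is set but empty, in which case twine would most likely fall back to its default repository. Make the check explicit by adding a command before the upload, for example `python -c "import os, sys; sys.exit(0 if os.environ.get('TWINE_REPOSITORY_URL') else 'TWINE_REPOSITORY_URL is not set')"`. The comment in `setenv` should then describe that check rather than the substitution side effect.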
@@ -367,8 +386,6 @@ skip_install = true deps = {[testenv:release-base]deps} passenv = {[testenv:release-base]passenv} -whitelist_externals = unset commands = - # Unsetting the TWINE_REPOSITORY_URL defaults twine to using production PyPI - unset TWINE_REPOSITORY_URL {[testenv:release-base]commands} + twine upload --skip-existing --repository pypi {toxinidir}/dist/* From ea6098287f1e6b228eef4f38e4ff262b007710fc Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Mon, 14 Dec 2020 14:44:23 -0700 Subject: [PATCH 02/16] chore: Update README section on using StrictAwsKmsKeyProvider (#312) * chore: Update README section on using StrictAwsKmsKeyProvider Be more explicit about the fact that, when using a StrictAwsKmsMasterKeyProvider, key aliases are not supported on decryption * chore: remove test requirement dependency on old versions of attrs --- README.rst | 6 +++++- src/aws_encryption_sdk/key_providers/kms.py | 1 - test_vector_handlers/compatibility-requirements/1.7.1 | 1 - test_vector_handlers/compatibility-requirements/2.0.0 | 1 - 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index f51f61b55..d8b3bafea 100644 --- a/README.rst +++ b/README.rst 
@@ -128,7 +128,10 @@ pre-existing instance of a ``botocore session`` to the ``StrictAwsKmsMasterKeyPr This latter option can be useful if you have an alternate way to store your AWS credentials or you want to reuse an existing instance of a botocore session in order to decrease startup costs. -To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. +To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. For providers that will only +be used for encryption, you can use any valid `KMS key identifier`_. For providers that will be used for decryption, you +must use the key ARN; key ids, alias names, and alias ARNs are not supported. + If you configure the the ``StrictAwsKmsMasterKeyProvider`` with multiple CMKs, the `final message`_ will include a copy of the data key encrypted by each configured CMK. @@ -312,6 +315,7 @@ to your use-case in order to obtain peak performance. .. _GitHub: https://github.com/aws/aws-encryption-sdk-python/ .. _AWS KMS: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html .. _KMS customer master key (CMK): https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys +.. _KMS key identifier: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id .. _boto3 SDK: https://boto3.readthedocs.io/en/latest/ .. _standard means by which boto3 locates credentials: https://boto3.readthedocs.io/en/latest/guide/configuration.html .. _final message: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html diff --git a/src/aws_encryption_sdk/key_providers/kms.py b/src/aws_encryption_sdk/key_providers/kms.py index ff5ef350d..3d1397cc9 100644 --- a/src/aws_encryption_sdk/key_providers/kms.py +++ b/src/aws_encryption_sdk/key_providers/kms.py 
@@ -283,7 +283,6 @@ class StrictAwsKmsMasterKeyProvider(BaseKMSMasterKeyProvider): ... 'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222', ... 'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333' ... ]) - >>> kms_key_provider.add_master_key('arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key') .. note:: If no botocore_session is provided, the default botocore session will be used. diff --git a/test_vector_handlers/compatibility-requirements/1.7.1 b/test_vector_handlers/compatibility-requirements/1.7.1 index 8d01cab7c..d7dfcfa92 100644 --- a/test_vector_handlers/compatibility-requirements/1.7.1 +++ b/test_vector_handlers/compatibility-requirements/1.7.1 @@ -1,2 +1 @@ aws-encryption-sdk==1.7.1 -attrs<19.2.0 diff --git a/test_vector_handlers/compatibility-requirements/2.0.0 b/test_vector_handlers/compatibility-requirements/2.0.0 index 14c3b529b..1622ff09d 100644 --- a/test_vector_handlers/compatibility-requirements/2.0.0 +++ b/test_vector_handlers/compatibility-requirements/2.0.0 @@ -1,2 +1 @@ aws-encryption-sdk==2.0.0 -attrs<19.2.0 From 709ac1b89245526156380f3454e30a27aee48ec9 Mon Sep 17 00:00:00 2001 
From: seebees Date: Tue, 22 Dec 2020 13:54:36 -0800 Subject: [PATCH 03/16] chore: Add AWS CodeBuild buildspec (#313) Adding buildspec to batch build multiple Python runtimes * Python 2.7 * Python 3.5 * Python 3.6 * Python 3.7 * Python 3.8 --- .gitignore | 1 + buildspec.yml | 59 +++++++++++++++++++++++++++++++++ codebuild/py27/awses_1.7.1.yml | 21 ++++++++++++ codebuild/py27/awses_2.0.0.yml | 21 ++++++++++++ codebuild/py27/awses_latest.yml | 21 ++++++++++++ codebuild/py27/examples.yml | 18 ++++++++++ codebuild/py27/integ.yml | 18 ++++++++++ codebuild/py35/awses_1.7.1.yml | 23 +++++++++++++ codebuild/py35/awses_2.0.0.yml | 23 +++++++++++++ codebuild/py35/awses_latest.yml | 23 +++++++++++++ codebuild/py35/examples.yml | 20 +++++++++++ codebuild/py35/integ.yml | 20 +++++++++++ codebuild/py36/awses_1.7.1.yml | 21 ++++++++++++ codebuild/py36/awses_2.0.0.yml | 21 ++++++++++++ codebuild/py36/awses_latest.yml | 21 ++++++++++++ codebuild/py36/examples.yml | 18 ++++++++++ codebuild/py36/integ.yml | 18 ++++++++++ codebuild/py37/awses_1.7.1.yml | 23 +++++++++++++ codebuild/py37/awses_2.0.0.yml | 23 +++++++++++++ codebuild/py37/awses_latest.yml | 23 +++++++++++++ codebuild/py37/examples.yml | 20 +++++++++++ codebuild/py37/integ.yml | 20 +++++++++++ codebuild/py38/awses_1.7.1.yml | 21 ++++++++++++ codebuild/py38/awses_2.0.0.yml | 21 ++++++++++++ codebuild/py38/awses_latest.yml | 21 ++++++++++++ codebuild/py38/examples.yml | 18 ++++++++++ codebuild/py38/integ.yml | 18 ++++++++++ decrypt_oracle/tox.ini | 2 ++ test_vector_handlers/tox.ini | 5 ++- tox.ini | 2 ++ 30 files changed, 583 insertions(+), 1 deletion(-) create mode 100644 buildspec.yml create mode 100644 codebuild/py27/awses_1.7.1.yml create mode 100644 codebuild/py27/awses_2.0.0.yml create mode 100644 codebuild/py27/awses_latest.yml create mode 100644 codebuild/py27/examples.yml create mode 100644 codebuild/py27/integ.yml create mode 100644 codebuild/py35/awses_1.7.1.yml create mode 100644 codebuild/py35/awses_2.0.0.yml 
create mode 100644 codebuild/py35/awses_latest.yml create mode 100644 codebuild/py35/examples.yml create mode 100644 codebuild/py35/integ.yml create mode 100644 codebuild/py36/awses_1.7.1.yml create mode 100644 codebuild/py36/awses_2.0.0.yml create mode 100644 codebuild/py36/awses_latest.yml create mode 100644 codebuild/py36/examples.yml create mode 100644 codebuild/py36/integ.yml create mode 100644 codebuild/py37/awses_1.7.1.yml create mode 100644 codebuild/py37/awses_2.0.0.yml create mode 100644 codebuild/py37/awses_latest.yml create mode 100644 codebuild/py37/examples.yml create mode 100644 codebuild/py37/integ.yml create mode 100644 codebuild/py38/awses_1.7.1.yml create mode 100644 codebuild/py38/awses_2.0.0.yml create mode 100644 codebuild/py38/awses_latest.yml create mode 100644 codebuild/py38/examples.yml create mode 100644 codebuild/py38/integ.yml diff --git a/.gitignore b/.gitignore index 6a18f3190..63097dcba 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,4 @@ venv/ # Chalice */.chalice/deployments */.chalice/venv +/.history diff --git a/buildspec.yml b/buildspec.yml new file mode 100644 index 000000000..e31d4f845 --- /dev/null +++ b/buildspec.yml 
@@ -0,0 +1,59 @@ +version: 0.2 + +batch: + fast-fail: false + build-list: + - identifier: py27_integ + buildspec: codebuild/py27/integ.yml + - identifier: py27_examples + buildspec: codebuild/py27/examples.yml + - identifier: py27_awses_1_7_1 + buildspec: codebuild/py27/awses_1.7.1.yml + - identifier: py27_awses_2_0_0 + buildspec: codebuild/py27/awses_2.0.0.yml + - identifier: py27_awses_latest + buildspec: codebuild/py27/awses_latest.yml + + - identifier: py35_integ + buildspec: codebuild/py35/integ.yml + - identifier: py35_examples + buildspec: codebuild/py35/examples.yml + - identifier: py35_awses_1_7_1 + buildspec: codebuild/py35/awses_1.7.1.yml + - identifier: py35_awses_2_0_0 + buildspec: codebuild/py35/awses_2.0.0.yml + - identifier: py35_awses_latest + buildspec: codebuild/py35/awses_latest.yml + + - identifier: py36_integ + buildspec: codebuild/py36/integ.yml + - identifier: py36_examples + buildspec: codebuild/py36/examples.yml + - identifier: py36_awses_1_7_1 + buildspec: codebuild/py36/awses_1.7.1.yml + - identifier: py36_awses_2_0_0 + buildspec: codebuild/py36/awses_2.0.0.yml + - identifier: py36_awses_latest + buildspec: codebuild/py36/awses_latest.yml + + - identifier: py37_integ + buildspec: codebuild/py37/integ.yml + - identifier: py37_examples + buildspec: codebuild/py37/examples.yml + - identifier: py37_awses_1_7_1 + buildspec: codebuild/py37/awses_1.7.1.yml + - identifier: py37_awses_2_0_0 + buildspec: codebuild/py37/awses_2.0.0.yml + - identifier: py37_awses_latest + buildspec: codebuild/py37/awses_latest.yml + + - identifier: py38_integ + buildspec: codebuild/py38/integ.yml + - identifier: py38_examples + buildspec: codebuild/py38/examples.yml + - identifier: py38_awses_1_7_1 + buildspec: codebuild/py38/awses_1.7.1.yml + - identifier: py38_awses_2_0_0 + buildspec: codebuild/py38/awses_2.0.0.yml + - identifier: py38_awses_latest + buildspec: codebuild/py38/awses_latest.yml 
diff --git a/codebuild/py27/awses_1.7.1.yml b/codebuild/py27/awses_1.7.1.yml new file mode 100644 index 000000000..8f5cca0ec --- /dev/null +++ b/codebuild/py27/awses_1.7.1.yml @@ -0,0 +1,21 @@ +version: 0.2 + +env: + variables: + TOXENV: "py27-awses_1.7.1" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pip install tox + - cd test_vector_handlers + - tox diff --git a/codebuild/py27/awses_2.0.0.yml b/codebuild/py27/awses_2.0.0.yml new file mode 100644 index 000000000..bb667f4df --- /dev/null +++ b/codebuild/py27/awses_2.0.0.yml @@ -0,0 +1,21 @@ +version: 0.2 + +env: + variables: + TOXENV: "py27-awses_2.0.0" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pip install tox + - cd test_vector_handlers + - tox diff --git a/codebuild/py27/awses_latest.yml b/codebuild/py27/awses_latest.yml new file mode 100644 index 000000000..a813060e8 --- /dev/null +++ b/codebuild/py27/awses_latest.yml 
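Review bot: The build step runs `pip install tox` with no version pin, in a job whose environment carries the integration-test KMS key ARNs and the decrypt-oracle deployment id, so every build executes whatever tox release and transitive dependencies the index serves that day. Pin the tool, e.g. `pip install "tox==<PINNED_VERSION>"`, or install from a constraints file. The same line, and `pip install tox tox-pyenv` in the py35 specs, appears in every codebuild/*.yml file added by this patch. Separately, the py27 specs set `TOXENV: "py27-..."` but request `python: latest` and provision no 2.7 interpreter, whereas the py35 specs run `pyenv install 3.5.9`; confirm the image ships Python 2.7, otherwise tox cannot create the environment.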
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py27-awses_latest"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py27/examples.yml b/codebuild/py27/examples.yml
new file mode 100644
index 000000000..19091ebdb
--- /dev/null
+++ b/codebuild/py27/examples.yml
@@ -0,0 +1,18 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py27-examples"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - tox
diff --git a/codebuild/py27/integ.yml b/codebuild/py27/integ.yml
new file mode 100644
index 000000000..497226f01
--- /dev/null
+++ b/codebuild/py27/integ.yml
@@ -0,0 +1,18 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py27-integ"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - tox
diff --git a/codebuild/py35/awses_1.7.1.yml b/codebuild/py35/awses_1.7.1.yml
new file mode 100644
index 000000000..d7c6e3bd4
--- /dev/null
+++ b/codebuild/py35/awses_1.7.1.yml
@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py35-awses_1.7.1"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.5.9
+ - pyenv local 3.5.9
+ - pip install tox tox-pyenv
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py35/awses_2.0.0.yml b/codebuild/py35/awses_2.0.0.yml
new file mode 100644
index 000000000..ae47785fa
--- /dev/null
+++ b/codebuild/py35/awses_2.0.0.yml
@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py35-awses_2.0.0"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.5.9
+ - pyenv local 3.5.9
+ - pip install tox tox-pyenv
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py35/awses_latest.yml b/codebuild/py35/awses_latest.yml
new file mode 100644
index 000000000..d56efa94f
--- /dev/null
+++ b/codebuild/py35/awses_latest.yml
@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py35-awses_latest"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.5.9
+ - pyenv local 3.5.9
+ - pip install tox tox-pyenv
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py35/examples.yml b/codebuild/py35/examples.yml
new file mode 100644
index 000000000..b700465ad
--- /dev/null
+++ b/codebuild/py35/examples.yml
@@ -0,0 +1,20 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py35-examples"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.5.9
+ - pyenv local 3.5.9
+ - pip install tox tox-pyenv
+ - tox
diff --git a/codebuild/py35/integ.yml b/codebuild/py35/integ.yml
new file mode 100644
index 000000000..b7e9ba2d7
--- /dev/null
+++ b/codebuild/py35/integ.yml
@@ -0,0 +1,20 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py35-integ"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.5.9
+ - pyenv local 3.5.9
+ - pip install tox tox-pyenv
+ - tox
diff --git a/codebuild/py36/awses_1.7.1.yml b/codebuild/py36/awses_1.7.1.yml
new file mode 100644
index 000000000..80d2a67e3
--- /dev/null
+++ b/codebuild/py36/awses_1.7.1.yml
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py36-awses_1.7.1"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py36/awses_2.0.0.yml b/codebuild/py36/awses_2.0.0.yml
new file mode 100644
index 000000000..c54afd266
--- /dev/null
+++ b/codebuild/py36/awses_2.0.0.yml
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py36-awses_2.0.0"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py36/awses_latest.yml b/codebuild/py36/awses_latest.yml
new file mode 100644
index 000000000..f4f141d28
--- /dev/null
+++ b/codebuild/py36/awses_latest.yml
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py36-awses_latest"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py36/examples.yml b/codebuild/py36/examples.yml
new file mode 100644
index 000000000..efd098578
--- /dev/null
+++ b/codebuild/py36/examples.yml
@@ -0,0 +1,18 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py36-examples"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - tox
diff --git a/codebuild/py36/integ.yml b/codebuild/py36/integ.yml
new file mode 100644
index 000000000..021741dbe
--- /dev/null
+++ b/codebuild/py36/integ.yml
@@ -0,0 +1,18 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py36-integ"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - tox
diff --git a/codebuild/py37/awses_1.7.1.yml b/codebuild/py37/awses_1.7.1.yml
new file mode 100644
index 000000000..08584fb4b
--- /dev/null
+++ b/codebuild/py37/awses_1.7.1.yml
@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py37-awses_1.7.1"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.7.9
+ - pyenv local 3.7.9
+ - pip install tox tox-pyenv
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py37/awses_2.0.0.yml b/codebuild/py37/awses_2.0.0.yml
new file mode 100644
index 000000000..3935d4b53
--- /dev/null
+++ b/codebuild/py37/awses_2.0.0.yml
@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py37-awses_2.0.0"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.7.9
+ - pyenv local 3.7.9
+ - pip install tox tox-pyenv
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py37/awses_latest.yml b/codebuild/py37/awses_latest.yml
new file mode 100644
index 000000000..ec882400b
--- /dev/null
+++ b/codebuild/py37/awses_latest.yml
@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py37-awses_latest"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.7.9
+ - pyenv local 3.7.9
+ - pip install tox tox-pyenv
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py37/examples.yml b/codebuild/py37/examples.yml
new file mode 100644
index 000000000..a43ac5b84
--- /dev/null
+++ b/codebuild/py37/examples.yml
@@ -0,0 +1,20 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py37-examples"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.7.9
+ - pyenv local 3.7.9
+ - pip install tox tox-pyenv
+ - tox
diff --git a/codebuild/py37/integ.yml b/codebuild/py37/integ.yml
new file mode 100644
index 000000000..7f886c213
--- /dev/null
+++ b/codebuild/py37/integ.yml
@@ -0,0 +1,20 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py37-integ"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pyenv install 3.7.9
+ - pyenv local 3.7.9
+ - pip install tox tox-pyenv
+ - tox
diff --git a/codebuild/py38/awses_1.7.1.yml b/codebuild/py38/awses_1.7.1.yml
new file mode 100644
index 000000000..450166b3f
--- /dev/null
+++ b/codebuild/py38/awses_1.7.1.yml
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py38-awses_1.7.1"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py38/awses_2.0.0.yml b/codebuild/py38/awses_2.0.0.yml
new file mode 100644
index 000000000..5d7210748
--- /dev/null
+++ b/codebuild/py38/awses_2.0.0.yml
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py38-awses_2.0.0"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py38/awses_latest.yml b/codebuild/py38/awses_latest.yml
new file mode 100644
index 000000000..ba8c26514
--- /dev/null
+++ b/codebuild/py38/awses_latest.yml
@@ -0,0 +1,21 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py38-awses_latest"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb"
+ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2"
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - cd test_vector_handlers
+ - tox
diff --git a/codebuild/py38/examples.yml b/codebuild/py38/examples.yml
new file mode 100644
index 000000000..7033cb3a3
--- /dev/null
+++ b/codebuild/py38/examples.yml
@@ -0,0 +1,18 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py38-examples"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - tox
diff --git a/codebuild/py38/integ.yml b/codebuild/py38/integ.yml
new file mode 100644
index 000000000..7ab243334
--- /dev/null
+++ b/codebuild/py38/integ.yml
@@ -0,0 +1,18 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py38-integ"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+
+phases:
+ install:
+ runtime-versions:
+ python: latest
+ build:
+ commands:
+ - pip install tox
+ - tox
diff --git a/decrypt_oracle/tox.ini b/decrypt_oracle/tox.ini index f0a7804e5..31ef18772 100644 --- a/decrypt_oracle/tox.ini +++ b/decrypt_oracle/tox.ini @@ -95,6 +95,8 @@ passenv = AWS_DEFAULT_REGION \ # Pass through AWS credentials pointer in ECS/CodeBuild AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ + # AWS Role access in CodeBuild is via the contaner URI + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ # Used to manage test generators AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_GENERATE_TEST_VECTORS \ AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION \ diff --git a/test_vector_handlers/tox.ini b/test_vector_handlers/tox.ini index c2aeda5a1..484c3dddc 100644 --- a/test_vector_handlers/tox.ini +++ b/test_vector_handlers/tox.ini @@ -41,6 +41,8 @@ commands = pytest --basetemp={envtmpdir} -l --cov awses_test_vectors test/ {posa passenv = # Pass through AWS credentials AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \ + # AWS Role access in CodeBuild is via the contaner URI + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ # Pass through AWS profile name (useful for local testing) AWS_PROFILE sitepackages = False @@ -90,7 +92,8 @@ commands = {[testenv:mypy-coverage]commands} [testenv:mypy-py2] -basepython = {[testenv:mypy-common]basepython} +# We only test 2.7, please upgrade +basepython = python2.7 deps = {[testenv:mypy-common]deps} commands = python -m mypy \ diff --git a/tox.ini b/tox.ini index 830fc617f..f0908d5d4 100644 --- a/tox.ini +++ b/tox.ini @@ -46,6 +46,8 @@ passenv = AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2 \ # Pass through AWS credentials AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \ + # AWS Role access in CodeBuild is via the contaner URI + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI \ # Pass through AWS profile name (useful for local testing) AWS_PROFILE \ # Pass through custom pip config file settings From b34cfadbba070388fab563103f5448f4a9723586 Mon Sep 17 00:00:00 2001 
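Review bot: The two lines added to `passenv` in decrypt_oracle/tox.ini repeat an entry that the context line directly above already provides, so `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is now listed twice under two different comments. The duplicate should be harmless when tox runs, but it makes the list of credential variables handed to the test environment harder to audit; I would drop the added pair or fold the new wording into the existing comment. The added comment also spells "container" as "contaner", and the same comment line is added in the test_vector_handlers/tox.ini and tox.ini hunks that follow. The `passenv` setting starts outside the hunk.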
From: seebees Date: Wed, 30 Dec 2020 14:51:37 -0800 Subject: [PATCH 04/16] chore: Remove Travis CI (#314) Moving to CodeBuild for CI --- .travis.yml | 156 ---------------------------------------------------- README.rst | 6 -- 2 files changed, 162 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 415f537e0..000000000 --- a/.travis.yml +++ /dev/null 
@@ -1,156 +0,0 @@ -sudo: false -language: python -matrix: - include: - # CPython 2.7 - - python: 2.7 - env: TOXENV=py27-integ - stage: Client Tests - - python: 2.7 - env: TOXENV=py27-examples - stage: Client Tests - # CPython 3.5 - - python: 3.5 - env: TOXENV=py35-integ - stage: Client Tests - - python: 3.5 - env: TOXENV=py35-examples - stage: Client Tests - # CPython 3.6 - - python: 3.6 - env: TOXENV=py36-integ - stage: Client Tests - - python: 3.6 - env: TOXENV=py36-examples - stage: Client Tests - # CPython 3.7 - # xenial + sudo are currently needed to get 3.7 - # https://github.com/travis-ci/travis-ci/issues/9815 - - python: 3.7 - env: TOXENV=py37-integ - dist: xenial - sudo: true - stage: Client Tests - - python: 3.7 - env: TOXENV=py37-examples - dist: xenial - sudo: true - stage: Client Tests - # CPython 3.8 - # xenial + sudo are currently needed to get 3.8 - # https://github.com/travis-ci/travis-ci/issues/9815 - - python: 3.8 - env: TOXENV=py38-integ - dist: xenial - sudo: true - stage: Client Tests - - python: 3.8 - env: TOXENV=py38-examples - dist: xenial - sudo: true - stage: Client Tests - ######################## - # Test Vector Handlers # - ######################## - # CPython 2.7 - - python: 2.7 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py27-awses_1.7.1 - stage: Test Vector Handler Tests - - python: 2.7 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py27-awses_2.0.0 - stage: Test Vector Handler Tests - - python: 2.7 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py27-awses_latest - stage: Test Vector Handler Tests - # CPython 3.5 - - python: 3.5 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py35-awses_1.7.1 - stage: Test Vector Handler Tests - - python: 3.5 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py35-awses_2.0.0 - stage: Test Vector Handler Tests - - python: 3.5 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py35-awses_latest - stage: Test Vector Handler Tests - # CPython 3.6 - - python: 3.6 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py36-awses_1.7.1 - stage: Test Vector 
Handler Tests - - python: 3.6 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py36-awses_2.0.0 - stage: Test Vector Handler Tests - - python: 3.6 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py36-awses_latest - stage: Test Vector Handler Tests - # CPython 3.7 - - python: 3.7 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py37-awses_1.7.1 - dist: xenial - sudo: true - stage: Test Vector Handler Tests - - python: 3.7 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py37-awses_2.0.0 - dist: xenial - sudo: true - stage: Test Vector Handler Tests - - python: 3.7 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py37-awses_latest - dist: xenial - sudo: true - stage: Test Vector Handler Tests - # CPython 3.8 - - python: 3.8 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py38-awses_1.7.1 - dist: xenial - sudo: true - stage: Test Vector Handler Tests - - python: 3.8 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py38-awses_2.0.0 - dist: xenial - sudo: true - stage: Test Vector Handler Tests - - python: 3.8 - env: - TEST_VECTOR_HANDLERS=1 - TOXENV=py38-awses_latest - dist: xenial - sudo: true - stage: Test Vector Handler Tests -install: pip install tox -script: - - | - if [[ -n $TEST_VECTOR_HANDLERS ]]; - then cd test_vector_handlers; - else if [[ -n $DECRYPT_ORACLE ]]; - then cd decrypt_oracle; - fi; - fi - - tox diff --git a/README.rst b/README.rst index d8b3bafea..805ff4da5 100644 --- a/README.rst +++ b/README.rst 
@@ -18,12 +18,6 @@ aws-encryption-sdk :target: https://aws-encryption-sdk-python.readthedocs.io/en/stable/ :alt: Documentation Status -.. image:: https://travis-ci.org/aws/aws-encryption-sdk-python.svg?branch=master - :target: https://travis-ci.org/aws/aws-encryption-sdk-python - -.. image:: https://ci.appveyor.com/api/projects/status/p3e2e63gsnp3cwd8/branch/master?svg=true - :target: https://ci.appveyor.com/project/mattsb42-aws/aws-encryption-sdk-python-qvyet/branch/master - The AWS Encryption SDK for Python provides a fully compliant, native Python implementation of the `AWS Encryption SDK`_. The latest full documentation can be found at `Read the Docs`_. From abacb0c71fd7c556409fc42a6dd075b216b0336a Mon Sep 17 00:00:00 2001 From: lavaleri <49660121+lavaleri@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:18:50 -0800 Subject: [PATCH 05/16] chore: Clarify StrictAwsKmsMasterKeyProvider docs (#316) --- README.rst | 10 +++++----- src/aws_encryption_sdk/key_providers/kms.py | 10 +++++++--- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/README.rst b/README.rst index 805ff4da5..b9cf2e5cf 100644 --- a/README.rst +++ b/README.rst 
@@ -113,7 +113,11 @@ StrictAwsKmsMasterKeyProvider A ``StrictAwsKmsMasterKeyProvider`` is configured with an explicit list of AWS KMS CMKs with which to encrypt and decrypt data. On encryption, it encrypts the plaintext with all configured CMKs. On decryption, it only attempts to decrypt ciphertexts that have been wrapped -with one of the configured CMKs. +with a CMK that matches one of the configured CMK ARNs. + +To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. For providers that will only +be used for encryption, you can use any valid `KMS key identifier`_. For providers that will be used for decryption, you +must use the key ARN; key ids, alias names, and alias ARNs are not supported. Because the ``StrictAwsKmsMasterKeyProvider`` uses the `boto3 SDK`_ to interact with `AWS KMS`_, it requires AWS Credentials. @@ -122,10 +126,6 @@ pre-existing instance of a ``botocore session`` to the ``StrictAwsKmsMasterKeyPr This latter option can be useful if you have an alternate way to store your AWS credentials or you want to reuse an existing instance of a botocore session in order to decrease startup costs. -To create a ``StrictAwsKmsMasterKeyProvider`` you must provide one or more CMKs. For providers that will only -be used for encryption, you can use any valid `KMS key identifier`_. For providers that will be used for decryption, you -must use the key ARN; key ids, alias names, and alias ARNs are not supported. - If you configure the the ``StrictAwsKmsMasterKeyProvider`` with multiple CMKs, the `final message`_ will include a copy of the data key encrypted by each configured CMK. diff --git a/src/aws_encryption_sdk/key_providers/kms.py b/src/aws_encryption_sdk/key_providers/kms.py index 3d1397cc9..23ac6b7a1 100644 --- a/src/aws_encryption_sdk/key_providers/kms.py +++ b/src/aws_encryption_sdk/key_providers/kms.py 
@@ -274,9 +274,13 @@ def validate_config(self): class StrictAwsKmsMasterKeyProvider(BaseKMSMasterKeyProvider): """Strict Master Key Provider for KMS. It is configured with an explicit list of AWS KMS master keys that - should be used for encryption in decryption. On encryption, the plaintext will be encrypted with all configured - master keys. On decryption, the ciphertext will be decrypted with the first master key that can decrypt. If the - ciphertext is encrypted with a master key that was not explicitly configured, decryption will fail. + should be used for encryption and decryption. On encryption, the plaintext will be encrypted with all configured + master keys. On decryption, it only attempts to decrypt ciphertexts that have been wrapped with a CMK that + matches one of the configured CMK ARNs. If the ciphertext is encrypted with a master key that was not + explicitly configured, decryption will fail. To create a StrictAwsKmsMasterKeyProvider you must provide + one or more CMKs. For providers that will only be used for encryption, you can use any valid KMS key + identifier. For providers that will be used for decryption, you must use the key ARN; key ids, alias names, and + alias ARNs are not supported. >>> import aws_encryption_sdk >>> kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[ From 015c61effbefae759a71b8d8f6b1dd94a0764d20 Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Tue, 2 Feb 2021 10:24:37 -0700 Subject: [PATCH 06/16] feat: Update dependency on boto3 (#317) --- README.rst | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index b9cf2e5cf..7d893243b 100644 --- a/README.rst +++ b/README.rst @@ -34,7 +34,7 @@ Required Prerequisites * Python 2.7+ or 3.4+ * cryptography >= 2.5.0 -* boto3 +* boto3 >= 1.10.0 * attrs Installation diff --git a/requirements.txt b/requirements.txt index 51badb814..fab293c05 100644 
--- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -boto3>=1.4.4 +boto3>=1.10.0 cryptography>=2.5.0 attrs>=17.4.0 wrapt>=1.10.11 From 154278681a5d59cf35d9f584ca4c87226b494fd7 Mon Sep 17 00:00:00 2001 From: lavaleri <49660121+lavaleri@users.noreply.github.com> Date: Fri, 26 Feb 2021 10:40:10 -0800 Subject: [PATCH 07/16] chore: Mark pylint false positive (#320) --- src/aws_encryption_sdk/internal/crypto/elliptic_curve.py | 2 +- test/unit/test_streaming_client_encryption_stream.py | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/aws_encryption_sdk/internal/crypto/elliptic_curve.py b/src/aws_encryption_sdk/internal/crypto/elliptic_curve.py index 47af50b8c..83e6b2def 100644 --- a/src/aws_encryption_sdk/internal/crypto/elliptic_curve.py +++ b/src/aws_encryption_sdk/internal/crypto/elliptic_curve.py @@ -123,7 +123,7 @@ def _ecc_decode_compressed_point(curve, compressed_point): y_order_map = {b"\x02": 0, b"\x03": 1} raw_x = compressed_point[1:] raw_x = to_bytes(raw_x) - x = int_from_bytes(raw_x, "big") + x = int_from_bytes(raw_x, "big") # pylint: disable=not-callable raw_y = compressed_point[0] # In Python3, bytes index calls return int values rather than strings if isinstance(raw_y, six.integer_types): diff --git a/test/unit/test_streaming_client_encryption_stream.py b/test/unit/test_streaming_client_encryption_stream.py index 9aa1361b4..342711247 100644 --- a/test/unit/test_streaming_client_encryption_stream.py +++ b/test/unit/test_streaming_client_encryption_stream.py @@ -344,7 +344,7 @@ def test_next(self): ) self.mock_source_stream.closed = False mock_stream.readline = MagicMock(return_value=sentinel.line) - test = mock_stream.next() + test = mock_stream.next() # pylint: disable=not-callable mock_stream.readline.assert_called_once_with() assert test is sentinel.line 
@@ -355,7 +355,7 @@ def test_next_stream_closed(self): mock_stream.close() with pytest.raises(StopIteration): - mock_stream.next() + mock_stream.next() # pylint: disable=not-callable def test_next_source_stream_closed_and_buffer_empty(self): mock_stream = MockEncryptionStream( @@ -365,7 +365,7 @@ def test_next_source_stream_closed_and_buffer_empty(self): mock_stream.output_buffer = b"" with pytest.raises(StopIteration): - mock_stream.next() + mock_stream.next() # pylint: disable=not-callable @patch("aws_encryption_sdk.streaming_client._EncryptionStream.closed", new_callable=PropertyMock) def test_iteration(self, mock_closed): From 198725688f289e336fc022f76d5d92bc841440d8 Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Wed, 17 Mar 2021 15:57:59 -0600 Subject: [PATCH 08/16] chore: Add 'release' buildspecs for codebuild (#321) This is a step towards a more continuous release process. If this ends up being a productive path, we can expect to pull more validation into these codebuild specs. --- codebuild/release/prod-release.yml | 28 ++++++++++++++++++++++++++++ codebuild/release/test-release.yml | 25 +++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 codebuild/release/prod-release.yml create mode 100644 codebuild/release/test-release.yml diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml new file mode 100644 index 000000000..9efe26593 --- /dev/null +++ b/codebuild/release/prod-release.yml 
@@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + BRANCH: "master" + secrets-manager: + TWINE_USERNAME: PyPiAdmin:username + TWINE_PASSWORD: PyPiAdmin:password + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pip install tox + - git checkout $BRANCH + - tox -e park + - tox -e release + - git clone https://github.com/aws-samples/busy-engineers-document-bucket.git + - cd busy-engineers-document-bucket/exercises/python/encryption-context-complete + - tox -e test + + +batch: + fast-fail: false + build-list: + - identifier: prod_release diff --git a/codebuild/release/test-release.yml b/codebuild/release/test-release.yml new file mode 100644 index 000000000..8189050b2 --- /dev/null +++ b/codebuild/release/test-release.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + BRANCH: "master" + secrets-manager: + TWINE_USERNAME: TestPyPiCryptoTools:username + TWINE_PASSWORD: TestPyPiCryptoTools:password + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pip install tox + - git checkout $BRANCH + - tox -e park + - tox -e test-release + + +batch: + fast-fail: false + build-list: + - identifier: test_release From 7024a9d4704b65b21a4298d237ebc3c1e37069d0 Mon Sep 17 00:00:00 2001 From: Benjamin Farley Date: Fri, 19 Mar 2021 11:07:20 -0600 Subject: [PATCH 09/16] Explicitly override version when validating release Otherwise it just pulls down "latest", and with eventual consistency on PyPi we might end up pulling down a previous version and not actually validating our release. This has the downside that, again due to eventual consistency, the new version might not show up yet causing the build to fail. Since this build is idempotent this is not the end of the world, but we may want to make this more robust in the future. --- codebuild/release/prod-release.yml | 1 + 1 file changed, 1 insertion(+) 
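Review bot: The last three build commands of the new prod-release.yml clone busy-engineers-document-bucket at whatever its default branch holds and run its `tox -e test` in the same build that has `TWINE_USERNAME`/`TWINE_PASSWORD` injected from Secrets Manager. Any change to that repository or to the packages its tox environment installs therefore runs with the PyPI upload credentials in its environment. Validation is better run as a separate build whose spec has no `secrets-manager` block. Short of that, pin the sample checkout by adding `- git checkout <PINNED_COMMIT_SHA>` after the `cd`. `pip install tox`, here and in test-release.yml, is also unpinned in a job that holds publish credentials.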
diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml index 9efe26593..63db04621 100644 --- a/codebuild/release/prod-release.yml +++ b/codebuild/release/prod-release.yml @@ -19,6 +19,7 @@ phases: - tox -e release - git clone https://github.com/aws-samples/busy-engineers-document-bucket.git - cd busy-engineers-document-bucket/exercises/python/encryption-context-complete + - sed -i "s/aws_encryption_sdk/aws_encryption_sdk==$VERSION/" requirements-dev.txt - tox -e test From a7fca20f7a79a5a182bb8766f2eb3714ef69e6de Mon Sep 17 00:00:00 2001 From: Benjamin Farley Date: Fri, 19 Mar 2021 14:22:31 -0600 Subject: [PATCH 10/16] Fix flake8 failures --- .../src/awses_test_vectors/manifests/full_message/decrypt.py | 2 ++ test_vector_handlers/src/awses_test_vectors/manifests/keys.py | 1 + 2 files changed, 3 insertions(+) diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py index 13737cbcf..1c685c0de 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py @@ -91,6 +91,7 @@ def __init__( description=None, # type: Optional[str] ): # noqa=D107 # type: (...) -> None + """Set initial values for the test scenario.""" # Workaround pending resolution of attrs/mypy interaction. # https://github.com/python/mypy/issues/2088 # https://github.com/python-attrs/attrs/issues/215 @@ -200,6 +201,7 @@ def __init__( client_version=aws_encryption_sdk.__version__, # type: Optional[str] ): # noqa=D107 # type: (...) -> None + """Set initial values for the manifest.""" # Workaround pending resolution of attrs/mypy interaction. # https://github.com/python/mypy/issues/2088 # https://github.com/python-attrs/attrs/issues/215 
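Review bot: The added `sed -i "s/aws_encryption_sdk/aws_encryption_sdk==$VERSION/" requirements-dev.txt` in prod-release.yml has no check that the substitution happened. If the sample's requirements file spells the package differently or no line matches, sed exits 0 and `tox -e test` validates whatever version pip resolves, which is the case this commit is meant to rule out. `VERSION` is not declared in the `env` block this file was created with, so it is presumably passed in when the build is started; if it is unset the line becomes `aws_encryption_sdk==`. I would follow the sed with `- grep -q "aws_encryption_sdk==${VERSION:?VERSION must be set}" requirements-dev.txt`. The same sed line is carried into codebuild/release/validate.yml in PATCH 12/16.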
diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/keys.py b/test_vector_handlers/src/awses_test_vectors/manifests/keys.py index 4e2d9799b..783ae9da6 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/keys.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/keys.py @@ -142,6 +142,7 @@ def __init__( material, # type: Iterable[str] ): # noqa=D107 # type: (...) -> None + """Set initial values for the ManualKeySpec.""" # Workaround pending resolution of attrs/mypy interaction. # https://github.com/python/mypy/issues/2088 # https://github.com/python-attrs/attrs/issues/215 From 646e32eda7cbeddc3c6728746354cc5c1e8d26b2 Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Fri, 26 Mar 2021 11:12:48 -0600 Subject: [PATCH 11/16] chore: Fail build if code coverage is too low (#325) --- buildspec.yml | 3 +++ codebuild/coverage/coverage.yml | 14 ++++++++++++++ setup.cfg | 1 + tox.ini | 10 +++++++++- 4 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 codebuild/coverage/coverage.yml diff --git a/buildspec.yml b/buildspec.yml index e31d4f845..cdda2a550 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -57,3 +57,6 @@ batch: buildspec: codebuild/py38/awses_2.0.0.yml - identifier: py38_awses_latest buildspec: codebuild/py38/awses_latest.yml + + - identifier: code_coverage + buildspec: codebuild/coverage/coverage.yml diff --git a/codebuild/coverage/coverage.yml b/codebuild/coverage/coverage.yml new file mode 100644 index 000000000..f82a3a982 --- /dev/null +++ b/codebuild/coverage/coverage.yml @@ -0,0 +1,14 @@ +version: 0.2 + +env: + variables: + TOXENV: "coverage" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pip install tox + - tox diff --git a/setup.cfg b/setup.cfg index 038fc5924..1f83b2654 100644 --- a/setup.cfg +++ b/setup.cfg 
@@ -9,6 +9,7 @@ branch = True [coverage:report] show_missing = True +fail_under = 95 [tool:pytest] log_level = DEBUG diff --git a/tox.ini b/tox.ini index f0908d5d4..40f50bd04 100644 --- a/tox.ini +++ b/tox.ini @@ -35,8 +35,12 @@ envlist = # test-release :: Builds dist files and uploads to testpypi pypirc profile. # release :: Builds dist files and uploads to pypi pypirc profile. +# Reporting environments: +# +# coverage :: Runs code coverage, failing the build if coverage is below the configured threshold + [testenv:base-command] -commands = pytest --basetemp={envtmpdir} -l --cov aws_encryption_sdk {posargs} +commands = pytest --basetemp={envtmpdir} -l {posargs} [testenv] passenv = @@ -62,6 +66,10 @@ commands = all: {[testenv:base-command]commands} test/ examples/test/ manual: {[testenv:base-command]commands} +# Run code coverage on the unit tests +[testenv:coverage] +commands = {[testenv:base-command]commands} --cov aws_encryption_sdk test/ -m local + # Verify that local tests work without environment variables present [testenv:nocmk] basepython = python3 From 0544be5a2e7b1d35c554bc0b2bd2ccd11d75b8e2 Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Fri, 26 Mar 2021 14:13:51 -0600 Subject: [PATCH 12/16] chore: Add validation to test release codebuild spec (#326) Now the test release validation does the same checks as the prod release (running the sample application against the new version). To support this I've also refactored out the validation steps into a dedicated spec so both the prod and test specs can depend on it. --- codebuild/release/prod-release.yml | 32 ++++++++++++++++++++---------- codebuild/release/test-release.yml | 28 +++++++++++++++++++++----- codebuild/release/validate.yml | 16 +++++++++++++++ 3 files changed, 61 insertions(+), 15 deletions(-) create mode 100644 codebuild/release/validate.yml 
diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml index 63db04621..aa985e361 100644 --- a/codebuild/release/prod-release.yml +++ b/codebuild/release/prod-release.yml @@ -9,21 +9,33 @@ env: phases: install: + commands: + - pip install tox + - pip install --upgrade pip runtime-versions: python: latest + pre_build: + commands: + - git checkout $COMMIT_ID + - FOUND_VERSION=$(sed -n 's/__version__ = "\(.*\)"/\1/p' src/aws_encryption_sdk/identifiers.py) + - | + if expr ${FOUND_VERSION} != ${VERSION}; then + echo "identifiers.py version (${FOUND_VERSION}) does not match expected version (${VERSION}), stopping" + exit 1; + fi build: commands: - - pip install tox - - git checkout $BRANCH - tox -e park - tox -e release - - git clone https://github.com/aws-samples/busy-engineers-document-bucket.git - - cd busy-engineers-document-bucket/exercises/python/encryption-context-complete - - sed -i "s/aws_encryption_sdk/aws_encryption_sdk==$VERSION/" requirements-dev.txt - - tox -e test - batch: - fast-fail: false - build-list: - - identifier: prod_release + fast-fail: true + build-graph: + - identifier: release_to_prod + - identifier: validate_prod_release + depend-on: + - release_to_prod + buildspec: codebuild/release/validate.yml + env: + variables: + PIP_INDEX_URL: https://pypi.python.org/simple/ diff --git a/codebuild/release/test-release.yml b/codebuild/release/test-release.yml index 8189050b2..6c0ce85c9 100644 --- a/codebuild/release/test-release.yml +++ b/codebuild/release/test-release.yml 
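Review bot: The version gate added to `pre_build` in prod-release.yml fails open: in `if expr ${FOUND_VERSION} != ${VERSION}; then` both expansions are unquoted, so when either is empty `expr` gets a malformed expression and exits with a syntax error, which `if` treats as false, and the build goes on to `tox -e release`. `FOUND_VERSION` is empty whenever the `sed -n` pattern does not match identifiers.py, and neither `VERSION` nor `COMMIT_ID` is declared in the parts of the file visible here. I would replace the test with `if [ -z "${FOUND_VERSION}" ] || [ "${FOUND_VERSION}" != "${VERSION}" ]; then`. The test-release.yml hunk in this commit has the identical line and needs the same change.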
@@ -9,17 +9,35 @@ env: phases: install: + commands: + - pip install tox + - pip install --upgrade pip runtime-versions: python: latest + pre_build: + commands: + - git checkout $COMMIT_ID + - FOUND_VERSION=$(sed -n 's/__version__ = "\(.*\)"/\1/p' src/aws_encryption_sdk/identifiers.py) + - | + if expr ${FOUND_VERSION} != ${VERSION}; then + echo "identifiers.py version (${FOUND_VERSION}) does not match expected version (${VERSION}), stopping" + exit 1; + fi build: commands: - - pip install tox - - git checkout $BRANCH - tox -e park - tox -e test-release batch: - fast-fail: false - build-list: - - identifier: test_release + fast-fail: true + build-graph: + - identifier: release_to_staging + - identifier: validate_staging_release + depend-on: + - release_to_staging + buildspec: codebuild/release/validate.yml + env: + variables: + PIP_INDEX_URL: https://test.pypi.org/simple/ + PIP_EXTRA_INDEX_URL: https://pypi.python.org/simple/ diff --git a/codebuild/release/validate.yml b/codebuild/release/validate.yml new file mode 100644 index 000000000..1f65c0631 --- /dev/null +++ b/codebuild/release/validate.yml @@ -0,0 +1,16 @@ +version: 0.2 + +phases: + install: + commands: + - pip install tox + runtime-versions: + python: latest + pre_build: + commands: + - git clone https://github.com/aws-samples/busy-engineers-document-bucket.git + - cd busy-engineers-document-bucket/exercises/python/encryption-context-complete + - sed -i "s/aws_encryption_sdk/aws_encryption_sdk==$VERSION/" requirements-dev.txt + build: + commands: + - tox -e test From 1925add5fd7cc6d97fa66b8c837262742d425e8e Mon Sep 17 00:00:00 2001 
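Review bot: The `validate_staging_release` env at the end of the test-release.yml hunk sets `PIP_INDEX_URL` to TestPyPI and `PIP_EXTRA_INDEX_URL` to PyPI, and pip does not rank one above the other: for every requirement it takes the best-matching version found on either index. TestPyPI project names can be registered by anyone, so a dependency of the SDK or of the sample application could be resolved from a same-named upload on TestPyPI instead of the real package. I would install the dependencies from PyPI only and fetch just the release under test from TestPyPI with `--no-deps`. How these variables reach the pip call inside the sample's tox environment is not visible in this hunk, so this should be confirmed against that tox.ini.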
From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Mon, 12 Apr 2021 12:42:12 -0600 Subject: [PATCH 13/16] chore: Add py38 and p39 to CI (#329) --- .github/workflows/ci_tests.yaml | 1 + buildspec.yml | 11 +++++++++++ codebuild/py39/awses_1.7.1.yml | 23 +++++++++++++++++++++++ codebuild/py39/awses_2.0.0.yml | 23 +++++++++++++++++++++++ codebuild/py39/awses_latest.yml | 23 +++++++++++++++++++++++ codebuild/py39/examples.yml | 20 ++++++++++++++++++++ codebuild/py39/integ.yml | 20 ++++++++++++++++++++ setup.py | 2 ++ tox.ini | 2 +- 9 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 codebuild/py39/awses_1.7.1.yml create mode 100644 codebuild/py39/awses_2.0.0.yml create mode 100644 codebuild/py39/awses_latest.yml create mode 100644 codebuild/py39/examples.yml create mode 100644 codebuild/py39/integ.yml diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index c2f297ea2..3e035d9dd 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -29,6 +29,7 @@ jobs: - 3.6 - 3.7 - 3.8 + - 3.9 - 3.x architecture: - x64 diff --git a/buildspec.yml b/buildspec.yml index cdda2a550..4a6bdac42 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -58,5 +58,16 @@ batch: - identifier: py38_awses_latest buildspec: codebuild/py38/awses_latest.yml + - identifier: py39_integ + buildspec: codebuild/py39/integ.yml + - identifier: py39_examples + buildspec: codebuild/py39/examples.yml + - identifier: py39_awses_1_7_1 + buildspec: codebuild/py39/awses_1.7.1.yml + - identifier: py39_awses_2_0_0 + buildspec: codebuild/py39/awses_2.0.0.yml + - identifier: py39_awses_latest + buildspec: codebuild/py39/awses_latest.yml + - identifier: code_coverage buildspec: codebuild/coverage/coverage.yml diff --git a/codebuild/py39/awses_1.7.1.yml b/codebuild/py39/awses_1.7.1.yml new file mode 100644 index 000000000..2ab614cfb --- /dev/null +++ b/codebuild/py39/awses_1.7.1.yml 
@@ -0,0 +1,23 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-awses_1.7.1" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pyenv install 3.9.0 + - pyenv local 3.9.0 + - pip install tox tox-pyenv + - cd test_vector_handlers + - tox diff --git a/codebuild/py39/awses_2.0.0.yml b/codebuild/py39/awses_2.0.0.yml new file mode 100644 index 000000000..ed4f0e37b --- /dev/null +++ b/codebuild/py39/awses_2.0.0.yml @@ -0,0 +1,23 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-awses_2.0.0" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pyenv install 3.9.0 + - pyenv local 3.9.0 + - pip install tox tox-pyenv + - cd test_vector_handlers + - tox diff --git a/codebuild/py39/awses_latest.yml b/codebuild/py39/awses_latest.yml new file mode 100644 index 000000000..21b37c2bd --- /dev/null +++ b/codebuild/py39/awses_latest.yml 
@@ -0,0 +1,23 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-awses_latest" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pyenv install 3.9.0 + - pyenv local 3.9.0 + - pip install tox tox-pyenv + - cd test_vector_handlers + - tox diff --git a/codebuild/py39/examples.yml b/codebuild/py39/examples.yml new file mode 100644 index 000000000..892cdaa63 --- /dev/null +++ b/codebuild/py39/examples.yml @@ -0,0 +1,20 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-examples" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pyenv install 3.9.0 + - pyenv local 3.9.0 + - pip install tox tox-pyenv + - tox diff --git a/codebuild/py39/integ.yml b/codebuild/py39/integ.yml new file mode 100644 index 000000000..c652c7b25 --- /dev/null +++ b/codebuild/py39/integ.yml 
@@ -0,0 +1,20 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-integ" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - pyenv install 3.9.0 + - pyenv local 3.9.0 + - pip install tox tox-pyenv + - tox diff --git a/setup.py b/setup.py index 6ceb2d8fb..98d24c563 100644 --- a/setup.py +++ b/setup.py @@ -52,6 +52,8 @@ def get_requirements(): "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", + "Programming Language :: Python :: 3.8", + "Programming Language :: Python :: 3.9", "Programming Language :: Python :: Implementation :: CPython", "Topic :: Security", "Topic :: Security :: Cryptography", diff --git a/tox.ini b/tox.ini index 40f50bd04..43030695e 100644 --- a/tox.ini +++ b/tox.ini @@ -1,6 +1,6 @@ [tox] envlist = - py{27,34,35,36,37}-{local,integ,accept,examples}, nocmk, + py{27,34,35,36,37,38,39}-{local,integ,accept,examples}, nocmk, bandit, doc8, readme, docs, {flake8,pylint}{,-tests,-examples}, isort-check, black-check, From d0f49b152117391df90cf98ee9d603605c14872f Mon Sep 17 00:00:00 2001 From: Tony Knapp <5892063+texastony@users.noreply.github.com> Date: Thu, 15 Apr 2021 11:14:30 -0700 Subject: [PATCH 14/16] doc: address aws#331 Address Issue aws#331 Typo in docstring for StreamDecryptor by correctly referring to the classes actions as decryption as compared to encryption. --- src/aws_encryption_sdk/streaming_client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index 6ac89dcb4..78ea70b7a 100644 --- a/src/aws_encryption_sdk/streaming_client.py 
+++ b/src/aws_encryption_sdk/streaming_client.py @@ -730,7 +730,7 @@ class DecryptorConfig(_ClientConfig): class StreamDecryptor(_EncryptionStream): # pylint: disable=too-many-instance-attributes - """Provides a streaming encryptor for encrypting a stream source. + """Provides a streaming decryptor for decrypting a stream source. Behaves as a standard file-like object. .. note:: From 92deb3cbb3b55ee17bdc361bad6ddd263bf731b4 Mon Sep 17 00:00:00 2001 From: Ben Farley <47006790+farleyb-amazon@users.noreply.github.com> Date: Tue, 20 Apr 2021 10:22:13 -0600 Subject: [PATCH 15/16] chore: Update README to correctly show supported python versions (#335) We had a copy/paste error and were pointing at the CLI --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 7d893243b..d01707a31 100644 --- a/README.rst +++ b/README.rst @@ -6,7 +6,7 @@ aws-encryption-sdk :target: https://pypi.python.org/pypi/aws-encryption-sdk :alt: Latest Version -.. image:: https://img.shields.io/pypi/pyversions/aws-encryption-sdk-cli.svg +.. image:: https://img.shields.io/pypi/pyversions/aws-encryption-sdk.svg :target: https://pypi.python.org/pypi/aws-encryption-sdk :alt: Supported Python Versions From 1fb6cb4ecb93c4a62acb2f0e97e765d608a73883 Mon Sep 17 00:00:00 2001 From: Robin Salkeld Date: Tue, 27 Apr 2021 17:01:27 -0700 Subject: [PATCH 16/16] fix: Downgrade decrypt oracle commitment policy (#338) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The policy set earlier doesn’t exist in the 1.x branch. and this value should be perfectly equivalent since the decrypt oracle only decrypts. --- decrypt_oracle/test/integration/integration_test_utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/decrypt_oracle/test/integration/integration_test_utils.py b/decrypt_oracle/test/integration/integration_test_utils.py index 03e50cd0a..eeb6219ac 100644 
--- a/decrypt_oracle/test/integration/integration_test_utils.py +++ b/decrypt_oracle/test/integration/integration_test_utils.py @@ -29,7 +29,7 @@ _KMS_MKP = None _ENDPOINT = None -CLIENT = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT) +CLIENT = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) def decrypt_endpoint() -> Text:
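Review bot: The changed `CLIENT` assignment has no comment explaining why the least strict commitment policy is chosen, and the reason exists only in the commit message. The message's "perfectly equivalent" holds only while `CLIENT` is used for decryption: if this test helper also encrypts payloads with it (its uses are outside the hunk), those messages are now produced without key commitment and the oracle tests stop covering committed ciphertexts. I would add `# FORBID_ENCRYPT_ALLOW_DECRYPT keeps this file identical to the 1.x branch; anything encrypted with CLIENT carries no key commitment.` above the assignment. `decrypt_endpoint` begins on the hunk's last line and its body is outside the hunk.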