feat(test_vector_handlers): TestVectors test with MPL constructs

[lucasmcdonald3]

Issue #, if available:

Description of changes:

• Modify test vector suite for all supported Python versions:
  • Add test decrypting generated test vectors from the most recent successful run of ESDK-Dafny "Daily CI": current most recent
    • "most recent" will update daily, so the vectors used will update daily
  • Add test decrypting required encryption context CMM manifest: link
    • For Python <3.10, MPL is not supported, and required encryption context CMM is not supported. However, this manifest also has "Default" CMM scenarios. As part of these changes, test vector runners without the MPL installed will filter out scenarios with the required encryption context CMM, and only test the "Default" CMM scenarios.
  • Add test generating decrypt vectors with master key constructs, then decrypting them with Python master key constructs and the JS decrypt oracle.
  • Add test encrypting vectors with master key constructs.
  • Remove running awses_local; this test is now redundant by the additions above.
    • This consisted of 2 tests: 1) "test encrypt"; 2) "test generate decrypt vectors, then decrypt those vectors". These are now covered by the above.
• Add test vectors if the MPL is installed:
  • Add test generating decrypt vectors with keyring constructs, then decrypting them with Python keyrings, Python master keys, and the JS decrypt oracle.
  • Add test decrypting the master key-generated vectors with keyrings.
  • Add test encrypting vectors with keyring constructs.

Out of Scope

• Hierarchy keyring test vectors. Tracked in feat(test_vector_handlers): Hierarchy keyring test vectors #674.
• Decrypt with NET. Will be tracked separately. This requires publishing .NET MPL TestVectors and merging in test(test_vectors): Support reading manifests that specify a hierarchy keyring aws-encryption-sdk#649.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

• Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

[lucasmcdonald3]

Weird hack #2 is NOT present in Java.
Java test vectors use a modified keys.json file from other manifests: https://github.com/aws/aws-encryption-sdk-java/blob/master/src/test/resources/keys.json#L45
This is changed from "key-id": "rsa-4096-private" to "key-id": "rsa-4096"; similarly on the public key.
This allows the edk.keyProviderInfo == keyring.keyName check to pass, and the keyring "works".
But (afaik) all of these vector suites provide their own keys.json that still have key-ids that specify private/public, so Java would not work with those vector suites.

This code should probably be in the TestVectors Dafny. It's only here because I debugged this in Python, and want some feedback before changing the Dafny.

[seebees]

I'm not sure I'm following, I follow up.
This sounds like these hacks are fighting. The name of the key and the name of the key info are not the same thing.

[lucasmcdonald3]

I'd describe it as "coordinating" rather than fighting :)
The primary evidence for this is that the test vectors pass with this change

I think the plan of action here SHOULD be some combination of 1) editing key manifests going forward, so the key name of a public/private key pair is the same; 2) add a "legacy" check in TestVectors to align the key name of any keys with names "rsa-4096-private" and "rsa-4096-public"

[seebees]

Is this plan of action going to happen here or is this happening somewhere else?

[seebees]

So we generate with master key, and then decrypt with JS and master key.
How do we test keyring? Does the master key target do both?

[seebees]

Should this be in the MPL Test vectors project?

[lucasmcdonald3]

If it isn't already, I think that's a good idea

[lucasmcdonald3]

Chatted with Jose, it's a good idea to put this in the test vector framework.

[seebees]

Can I resolve this? If this is done, just resolve the conversation plz :)

[seebees]

I'm not sure I'm following, I follow up.
This sounds like these hacks are fighting. The name of the key and the name of the key info are not the same thing.

[lucasmcdonald3]

So we generate with master key, and then decrypt with JS and master key.
How do we test keyring? Does the master key target do both?

That is correct for Python <3.11.
For Python 3.11 and 3.12, the matrix is

Generate: [master key, keyring]
Decrypt: [master key, keyring, JS]

[seebees]

Looks good! So many commits!

[seebees]

Just wondering do we have a way to enforce this?

[lucasmcdonald3]

Yes! PyPI will not let you publish a package that uses GitHub directly. We MUST refer to the published MPL to publish the new ESDK-Python.

[lucasmcdonald3]

https://setuptools.pypa.io/en/latest/userguide/dependency_management.html#

[seebees]

Just wondering why we are deleting these?

[lucasmcdonald3]

This might be a diff issue... let me double check

[lucasmcdonald3]

Ah! This was a merge conflict issue. I committed this test when I shouldn't have.
The behavior from this test is no longer valid.
This test would assert that encryption context on decrypt works for native (ESDK-Python) CMMs.
We decided that encryption context on decrypt would not be supported in this thread.
The new behavior validating encryption context on decrypt raises an exception is present here.