diff --git a/buildspec.yml b/buildspec.yml
index 4665ac89e..4065dc4e8 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -206,6 +206,14 @@ batch:
 buildspec: codebuild/py311/decrypt_keyrings_with_js.yml
 env:
 image: aws/codebuild/standard:7.0
+ - identifier: py311_decrypt_golden_manifest_with_keyrings
+ buildspec: codebuild/py311/decrypt_golden_manifest_with_keyrings.yml
+ env:
+ image: aws/codebuild/standard:7.0
+ - identifier: py311_decrypt_golden_manifest_with_masterkey
+ buildspec: codebuild/py311/decrypt_golden_manifest_with_masterkey.yml
+ env:
+ image: aws/codebuild/standard:7.0
 - identifier: py312_integ
@@ -318,6 +326,14 @@ batch:
 buildspec: codebuild/py312/decrypt_hkeyring_with_net.yml
 env:
 image: aws/codebuild/standard:7.0
+ - identifier: py312_decrypt_golden_manifest_with_keyrings
+ buildspec: codebuild/py312/decrypt_golden_manifest_with_keyrings.yml
+ env:
+ image: aws/codebuild/standard:7.0
+ - identifier: py312_decrypt_golden_manifest_with_masterkey
+ buildspec: codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
+ env:
+ image: aws/codebuild/standard:7.0
 - identifier: code_coverage
 buildspec: codebuild/coverage/coverage.yml
diff --git a/codebuild/py311/decrypt_golden_manifest_with_keyrings.yml b/codebuild/py311/decrypt_golden_manifest_with_keyrings.yml
new file mode 100644
index 000000000..154863bcc
--- /dev/null
+++ b/codebuild/py311/decrypt_golden_manifest_with_keyrings.yml
@@ -0,0 +1,31 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py311-full_decrypt-mpl"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+ arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+ arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+ install:
+ runtime-versions:
+ python: 3.11
+ pre_build:
+ commands:
+ # Download "golden manifest"
+ - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+ - unzip python-2.3.0.zip -d python-2.3.0
+ build:
+ commands:
+ - pip install "tox < 4.0"
+ - cd test_vector_handlers
+ - |
+ tox -- \
+ --input ../python-2.3.0/manifest.json \
+ --keyrings
diff --git a/codebuild/py311/decrypt_golden_manifest_with_masterkey.yml b/codebuild/py311/decrypt_golden_manifest_with_masterkey.yml
new file mode 100644
index 000000000..4ae4bb280
--- /dev/null
+++ b/codebuild/py311/decrypt_golden_manifest_with_masterkey.yml
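Review bot: The `curl -L -o python-2.3.0.zip …/raw/master/…` step under `pre_build` in codebuild/py311/decrypt_golden_manifest_with_keyrings.yml pulls the golden manifest from the mutable `master` ref and unpacks it with no integrity check, so the vectors the job decrypts can change without any change in this repository. The same two commands are repeated in the other three new buildspecs (py311 masterkey, py312 keyrings, py312 masterkey). Pin the URL to a commit and verify a digest before `unzip`, for example `echo "<EXPECTED_SHA256>  python-2.3.0.zip" | sha256sum -c -`, and add `--fail` to `curl` so an HTTP error body is not saved as the archive. Separately, the first group of the key id in `AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID` has nine characters, which is not UUID-shaped; it may be copied from the existing buildspecs, so confirm it against them.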
@@ -0,0 +1,30 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py311-full_decrypt-mpl"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+ arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+ arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+ install:
+ runtime-versions:
+ python: 3.11
+ pre_build:
+ commands:
+ # Download "golden manifest"
+ - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+ - unzip python-2.3.0.zip -d python-2.3.0
+ build:
+ commands:
+ - pip install "tox < 4.0"
+ - cd test_vector_handlers
+ - |
+ tox -- \
+ --input ../python-2.3.0/manifest.json
diff --git a/codebuild/py312/decrypt_golden_manifest_with_keyrings.yml b/codebuild/py312/decrypt_golden_manifest_with_keyrings.yml
new file mode 100644
index 000000000..54bb10c33
--- /dev/null
+++ b/codebuild/py312/decrypt_golden_manifest_with_keyrings.yml
@@ -0,0 +1,31 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py312-full_decrypt-mpl"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+ arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+ arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+ install:
+ runtime-versions:
+ python: 3.12
+ pre_build:
+ commands:
+ # Download "golden manifest"
+ - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+ - unzip python-2.3.0.zip -d python-2.3.0
+ build:
+ commands:
+ - pip install "tox < 4.0"
+ - cd test_vector_handlers
+ - |
+ tox -- \
+ --input ../python-2.3.0/manifest.json \
+ --keyrings
diff --git a/codebuild/py312/decrypt_golden_manifest_with_masterkey.yml b/codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
new file mode 100644
index 000000000..df204d4c5
--- /dev/null
+++ b/codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
@@ -0,0 +1,30 @@
+version: 0.2
+
+env:
+ variables:
+ TOXENV: "py312-full_decrypt-mpl"
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+ arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+ arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+ arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+ AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+ arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+ install:
+ runtime-versions:
+ python: 3.12
+ pre_build:
+ commands:
+ # Download "golden manifest"
+ - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+ - unzip python-2.3.0.zip -d python-2.3.0
+ build:
+ commands:
+ - pip install "tox < 4.0"
+ - cd test_vector_handlers
+ - |
+ tox -- \
+ --input ../python-2.3.0/manifest.json
diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py
index c942d8bf4..a938106bd 100644
--- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py
+++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py
@@ -264,7 +264,7 @@ def __init__(
 attr.validate(self)
 @classmethod
- def from_scenario(
+ def from_scenario( # noqa: C901
 cls,
 scenario, # type: DECRYPT_SCENARIO_SPEC
 plaintext_reader, # type: Callable[[str], bytes]
@@ -273,7 +273,7 @@ def from_scenario(
 keyrings, # type: bool
 keys_uri, # type: str
 ):
- # pylint: disable=too-many-locals
+ # pylint: disable=too-many-locals,too-many-branches
 # type: (...) -> MessageDecryptionTestScenario
 """Load from a scenario specification.
@@ -330,11 +330,16 @@ def master_key_provider_fn():
 # If unspecified, set "Default" as the default
 cmm_type = "Default"
- # If this scenario does not have any key providers,
- # do not create a scenario.
- # Caller logic should expect `None` to mean "no scenario".
- if master_key_provider_fn() is None:
- return None
+ try:
+ # If this scenario does not have any key providers,
+ # do not create a scenario.
+ # Caller logic should expect `None` to mean "no scenario".
+ if master_key_provider_fn() is None:
+ return None
+ except Exception: # nosec,pylint: disable=broad-except
+ # If there is any exception when loading the key, continue to create the test scenario.
+ # Some test scenarios have bad keys that should fail during the test execution.
+ pass
 return cls(
 ciphertext_uri=scenario["ciphertext"],
diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py b/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py
index 8d972d2c5..3ed7913d2 100644
--- a/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py
+++ b/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py
@@ -90,7 +90,8 @@ def from_scenario(cls, spec):
 padding_hash=spec.get("padding-hash"),
 )
- def keyring(self, keys_uri, mode):
+ def keyring(self, keys_uri, mode): # noqa: C901
+ # pylint: disable=too-many-branches
 # type: (KeysManifest) -> IKeyring
 """Build a keyring using this specification.
 :param str keys_uri: Path to the keys manifest
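Review bot: The new `except Exception: … pass` around `master_key_provider_fn()` in `from_scenario` (decrypt.py) discards every error, so a missing credential, a malformed keys manifest or a bug in the provider code looks the same as the intentionally bad keys the comment describes. A negative vector could then pass for the wrong reason. Catch only the exception types the bad-key vectors are expected to raise if they can be enumerated, or at least keep the cause visible, e.g. `except Exception as error:  # nosec B110  # pylint: disable=broad-except` followed by a log call for `error` if the module has a logger. The bare `# nosec` also silences every Bandit check on that line rather than only the try/except/pass finding. `from_scenario` begins and ends outside this hunk, so whether the provider is built again during test execution is not visible here.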
@@ -113,6 +114,14 @@ def keyring(self, keys_uri, mode):
 input_kwargs["padding-algorithm"] = self.padding_algorithm
 if self.padding_hash is not None:
 input_kwargs["padding-hash"] = self.padding_hash
+ if self.default_mrk_region is not None:
+ input_kwargs["default-mrk-region"] = self.default_mrk_region
+ if self.discovery_filter is not None:
+ input_kwargs["aws-kms-discovery-filter"] = {}
+ if self.discovery_filter.partition is not None:
+ input_kwargs["aws-kms-discovery-filter"]["partition"] = self.discovery_filter.partition
+ if self.discovery_filter.account_ids is not None:
+ input_kwargs["aws-kms-discovery-filter"]["account-ids"] = self.discovery_filter.account_ids
 if input_kwargs["type"] == "raw" \
 and input_kwargs["encryption-algorithm"] == "rsa":
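Review bot: When `self.discovery_filter` is set but both `partition` and `account_ids` are `None`, the added block leaves `input_kwargs["aws-kms-discovery-filter"]` as an empty dict, and nothing in this hunk shows how the consumer of `input_kwargs` treats that. For a discovery keyring the filter is what limits which accounts' KMS keys are tried on decrypt, so it is worth ruling out that an empty mapping silently means "no filter". Build the mapping in a local variable and assign it only when it has entries, `if discovery_filter: input_kwargs["aws-kms-discovery-filter"] = discovery_filter`, or add a comment stating that an empty filter is intended. `keyring` starts before and continues past this hunk.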