fix: Use FORBID_ENCRYPT_ALLOW_DECRYPT policy for decrypt oracle (aws#538)

* fix: Use FORBID_ENCRYPT_ALLOW_DECRYPT policy for decrypt oracle

* fix: pin tox version < 4.0

* Update decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py

Co-authored-by: seebees <[email protected]>

* fix: change forward-slashes to pound for comment

* fix: linting issue - ran autoformatter

Co-authored-by: Shubham Chaturvedi <[email protected]>
Co-authored-by: seebees <[email protected]>

Author: 3 people

codebuild/coverage/coverage.yml

@@ -10,5 +10,5 @@ phases:
       python: latest
   build:
     commands:
-      - pip install tox
+      - pip install "tox < 4.0"
       - tox

codebuild/py310/awses_local.yml

@@ -22,6 +22,6 @@ phases:
     commands:
       - pyenv install 3.10.0
       - pyenv local 3.10.0
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - cd test_vector_handlers
       - tox

codebuild/py310/examples.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.10.0
       - pyenv local 3.10.0
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py310/integ.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.10.0
       - pyenv local 3.10.0
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py37/awses_local.yml

@@ -22,6 +22,6 @@ phases:
     commands:
       - pyenv install 3.7.12
       - pyenv local 3.7.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - cd test_vector_handlers
       - tox

codebuild/py37/examples.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.7.12
       - pyenv local 3.7.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py37/integ.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.7.12
       - pyenv local 3.7.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py38/awses_local.yml

@@ -22,6 +22,6 @@ phases:
     commands:
       - pyenv install 3.8.12
       - pyenv local 3.8.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - cd test_vector_handlers
       - tox

codebuild/py38/examples.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.8.12
       - pyenv local 3.8.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py38/integ.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.8.12
       - pyenv local 3.8.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py39/awses_1.7.1.yml

@@ -22,6 +22,6 @@ phases:
     commands:
       - pyenv install 3.9.7
       - pyenv local 3.9.7
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - cd test_vector_handlers
       - tox

codebuild/py39/awses_2.0.0.yml

@@ -22,6 +22,6 @@ phases:
     commands:
       - pyenv install 3.9.7
       - pyenv local 3.9.7
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - cd test_vector_handlers
       - tox

codebuild/py39/awses_latest.yml

@@ -22,6 +22,6 @@ phases:
     commands:
       - pyenv install 3.9.7
       - pyenv local 3.9.7
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - cd test_vector_handlers
       - tox

codebuild/py39/examples.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.9.7
       - pyenv local 3.9.7
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/py39/integ.yml

@@ -20,5 +20,5 @@ phases:
     commands:
       - pyenv install 3.9.7
       - pyenv local 3.9.7
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
       - tox

codebuild/release/prod-release.yml

@@ -10,7 +10,7 @@ env:
 phases:
   install:
     commands:
-      - pip install tox
+      - pip install "tox < 4.0"
       - pip install --upgrade pip
     runtime-versions:
       python: latest

codebuild/release/test-release.yml

@@ -10,7 +10,7 @@ env:
 phases:
   install:
     commands:
-      - pip install tox
+      - pip install "tox < 4.0"
       - pip install --upgrade pip
     runtime-versions:
       python: latest

codebuild/release/validate.yml

@@ -3,7 +3,7 @@ version: 0.2
 phases:
   install:
     commands:
-      - pip install tox
+      - pip install "tox < 4.0"
     runtime-versions:
       python: latest
   pre_build:
@@ -13,7 +13,7 @@ phases:
       - sed -i "s/aws_encryption_sdk/aws_encryption_sdk==$VERSION/" requirements-dev.txt
       - pyenv install 3.8.12
       - pyenv local 3.8.12
-      - pip install tox tox-pyenv
+      - pip install "tox < 4.0"
   build:
     commands:
       - NUM_RETRIES=3

decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py

@@ -16,6 +16,7 @@
 import os
 
 import aws_encryption_sdk
+from aws_encryption_sdk.identifiers import CommitmentPolicy
 from aws_encryption_sdk.key_providers.kms import DiscoveryAwsKmsMasterKeyProvider
 from chalice import Chalice, Response
 
@@ -59,7 +60,9 @@ def basic_decrypt() -> Response:
     APP.log.debug(APP.current_request.raw_body)
 
     try:
-        client = aws_encryption_sdk.EncryptionSDKClient()
+        # The decrypt oracle needs to be able to decrypt any message
+        # it does not encrypt messages for anyone.
+        client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
         ciphertext = APP.current_request.raw_body
         plaintext, _header = client.decrypt(source=ciphertext, key_provider=_master_key_provider())
         APP.log.debug("Plaintext:")