AWS KMS test vectors and related fixes (aws#24)

* * add direct AWS KMS encrypted item test vectors
* fix issues with AWS KMS CMP building KMS encryption context
* fix issues with handling decimals

Author: mattsb42-aws

src/dynamodb_encryption_sdk/internal/formatting/deserialize/attribute.py

@@ -90,8 +90,8 @@ def _transform_number_value(value):
         :rtype: dynamodb_encryption_sdk.internal.dynamodb_types.STRING
         """
         raw_value = codecs.decode(value, TEXT_ENCODING)
-        decimal_value = Decimal(to_str(raw_value))
-        return str(decimal_value.normalize())
+        decimal_value = Decimal(to_str(raw_value)).normalize()
+        return '{0:f}'.format(decimal_value)
 
     def _deserialize_number(stream):
         # type: (io.BytesIO) -> Dict[str, dynamodb_types.STRING]

src/dynamodb_encryption_sdk/internal/formatting/serialize/attribute.py

@@ -78,9 +78,8 @@ def _transform_number_value(value):
         # by dynamodb.TypeSerializer, so all numbers are str. However, TypeSerializer
         # leaves trailing zeros if they are defined in the Decimal call, but we need to
         # strip all trailing zeros.
-        decimal_value = DYNAMODB_CONTEXT.create_decimal(value)
-        raw_value = '{:f}'.format(decimal_value.normalize())
-        return to_bytes(raw_value)
+        decimal_value = DYNAMODB_CONTEXT.create_decimal(value).normalize()
+        return '{0:f}'.format(decimal_value).encode('utf-8')
 
     def _serialize_number(_attribute):
         # type: (str) -> bytes

src/dynamodb_encryption_sdk/material_providers/aws_kms.py

@@ -82,6 +82,29 @@ class KeyInfo(object):
     algorithm = attr.ib(validator=attr.validators.instance_of(six.string_types))
     length = attr.ib(validator=attr.validators.instance_of(six.integer_types))
 
+    @classmethod
+    def from_description(cls, description, default_key_length=None):
+        # type: (Text) -> KeyInfo
+        """Load key info from key info description.
+
+        :param str description: Key info description
+        :param int default_key_length: Key length to use if not found in description
+        """
+        description_parts = description.split('/', 1)
+        algorithm = description_parts[0]
+        try:
+            key_length = int(description_parts[1])
+        except IndexError:
+            if default_key_length is None:
+                raise ValueError(
+                    'Description "{}" does not contain key length and no default key length is provided'.format(
+                        description
+                    )
+                )
+
+            key_length = default_key_length
+        return cls(description, algorithm, key_length)
+
     @classmethod
     def from_material_description(cls, material_description, description_key, default_algorithm, default_key_length):
         # type: (Dict[Text, Text], Text, Text, int) -> KeyInfo
@@ -90,18 +113,12 @@ def from_material_description(cls, material_description, description_key, defaul
         :param dict material_description: Material description to read
         :param str description_key: Material description key containing desired key info description
         :param str default_algorithm: Algorithm name to use if not found in material description
-        :param int default_key_length: Key length to use if not found in material description
+        :param int default_key_length: Key length to use if not found in key info description
         :returns: Key info loaded from material description, with defaults applied if necessary
         :rtype: dynamodb_encryption_sdk.material_providers.aws_kms.KeyInfo
         """
         description = material_description.get(description_key, default_algorithm)
-        description_parts = description.split('/', 1)
-        algorithm = description_parts[0]
-        try:
-            key_length = int(description_parts[1])
-        except IndexError:
-            key_length = default_key_length
-        return cls(description, algorithm, key_length)
+        return cls.from_description(description, default_key_length)
 
 
 @attr.s
@@ -234,7 +251,7 @@ def _attribute_to_value(self, attribute):
         attribute_type, attribute_value = list(attribute.items())[0]
         if attribute_type == 'B':
             return base64.b64encode(attribute_value.value).decode(TEXT_ENCODING)
-        if attribute_type == 'S':
+        if attribute_type in ('S', 'N'):
             return attribute_value
         raise ValueError('Attribute of type "{}" cannot be used in KMS encryption context.'.format(attribute_type))
 
@@ -255,14 +272,22 @@ def _kms_encryption_context(self, encryption_context, encryption_description, si
         }
 
         if encryption_context.partition_key_name is not None:
-            partition_key_attribute = encryption_context.attributes.get(encryption_context.partition_key_name)
-            kms_encryption_context[encryption_context.partition_key_name] = self._attribute_to_value(
-                partition_key_attribute
-            )
+            try:
+                partition_key_attribute = encryption_context.attributes[encryption_context.partition_key_name]
+            except KeyError:
+                pass
+            else:
+                kms_encryption_context[encryption_context.partition_key_name] = self._attribute_to_value(
+                    partition_key_attribute
+                )
 
         if encryption_context.sort_key_name is not None:
-            sort_key_attribute = encryption_context.attributes.get(encryption_context.sort_key_name)
-            kms_encryption_context[encryption_context.sort_key_name] = self._attribute_to_value(sort_key_attribute)
+            try:
+                sort_key_attribute = encryption_context.attributes[encryption_context.sort_key_name]
+            except KeyError:
+                pass
+            else:
+                kms_encryption_context[encryption_context.sort_key_name] = self._attribute_to_value(sort_key_attribute)
 
         if encryption_context.table_name is not None:
             kms_encryption_context[_TABLE_NAME_EC_KEY] = encryption_context.table_name

test/acceptance/acceptance_test_utils.py

@@ -22,6 +22,7 @@
 
 from dynamodb_encryption_sdk.delegated_keys.jce import JceNameLocalDelegatedKey
 from dynamodb_encryption_sdk.identifiers import EncryptionKeyTypes, KeyEncodingType
+from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
 from dynamodb_encryption_sdk.material_providers.static import StaticCryptographicMaterialsProvider
 from dynamodb_encryption_sdk.material_providers.wrapped import WrappedCryptographicMaterialsProvider
 from dynamodb_encryption_sdk.materials.raw import RawDecryptionMaterials
@@ -171,9 +172,15 @@ def _build_wrapped_cmp(decrypt_key, verify_key):
     )
 
 
+def _build_aws_kms_cmp(decrypt_key, verify_key):
+    key_id = decrypt_key['keyId']
+    return AwsKmsCryptographicMaterialsProvider(key_id=key_id)
+
+
 _CMP_TYPE_MAP = {
     'STATIC': _build_static_cmp,
-    'WRAPPED': _build_wrapped_cmp
+    'WRAPPED': _build_wrapped_cmp,
+    'AWSKMS': _build_aws_kms_cmp
 }
 
 

test/acceptance/encrypted/test_item.py

@@ -18,7 +18,7 @@
 from dynamodb_encryption_sdk.structures import EncryptionContext
 from ..acceptance_test_utils import load_scenarios
 
-pytestmark = [pytest.mark.acceptance, pytest.mark.local]
+pytestmark = [pytest.mark.acceptance, pytest.mark.integ]
 
 
 @pytest.mark.parametrize(
@@ -36,7 +36,8 @@ def test_item_encryptor(
     encryption_context = EncryptionContext(
         table_name=table_name,
         partition_key_name=table_index['partition'],
-        sort_key_name=table_index.get('sort', None)
+        sort_key_name=table_index.get('sort', None),
+        attributes=ciphertext_item
     )
     crypto_config = CryptoConfig(
         materials_provider=materials_provider,

test/functional/functional_test_vector_generators.py

@@ -47,7 +47,7 @@ def _decode_string(_value):
         return _value
 
     def _decode_number(_value):
-        return str(Decimal(_value).normalize())
+        return '{0:f}'.format(Decimal(_value))
 
     def _decode_binary(_value):
         raw = base64.b64decode(_value)