Skip to content

add minimum key size checks and warnings #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Sep 20, 2018
Merged

add minimum key size checks and warnings #81

merged 11 commits into from
Sep 20, 2018
+166 −96

Conversation

mattsb42-aws
Copy link
Member

Issue #, if available: #78

Description of changes:
We now log a warning if you create or load an HMAC key shorter than 128 bits or a RSA key shorter than 2048 bits.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@mattsb42-aws mattsb42-aws requested a review from a team July 26, 2018 19:44
lizroth
lizroth previously approved these changes Jul 26, 2018
View reviewed changes
@mattsb42-aws
Copy link
Member Author

Note: This is still unmerged because something about the tests I added are making Travis fail... I'll be looking into that this week.

@mattsb42-aws
Copy link
Member Author

rebased on top of recent changes; still trying to figure out why this kills Travis...

@mattsb42-aws
disable some tests in Travis
7a3872d
@mattsb42-aws
* rework examples tests to isolate path patching
a5d008b 
* allow integration test utils to import without convenience imports when imported from examples tests
* rework examples tests to perform relative imports of examples rather than patching the path
* specify test directory to re-enable examples tests
@mattsb42-aws
Copy link
Member Author

Changes made to:

  1. Disable these tests on Travis because for some reason they are causing Travis to crash. As we discussed, I am going to focus on getting us off of Travis rather than spending more time diving down this rabbit hole trying to figure out why Travis is crashing.
  2. Re-enable examples tests that became broken at some point. We don't currently run these in CI because they need to interact with a real DDB table.

@mattsb42-aws
Copy link
Member Author

...looks like Travis is still crashing, which tells me it's probably the helpers I added, not the actual tests...for the short-term fix I think I'll try just dropping the Travis runs to the "fast" runs instead of "slow"...

karlw00t
karlw00t reviewed Sep 6, 2018
View reviewed changes
test/functional/delegated_keys/test_jce.py Outdated
_test = JceNameLocalDelegatedKey.generate(algorithm, key_bits)

logging_results = capturing_logger.getvalue()
assert (too_short and error_message in logging_results) or (not too_short and error_message not in logging_results)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not going to block on this, but nested list comprehensions can make this code hard to parse.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@karlw00t That's not a list comprehension, it's just two boolean checks

It just compressed this:

if too_short:
    assert error_message in logging_results
else:
    assert error_message not in logging_results

to this:

assert (too_short and error_message in logging_results) or (not too_short and error_message not in logging_results)

karlw00t
karlw00t suggested changes Sep 6, 2018
View reviewed changes
test/functional/functional_test_utils.py Outdated


@pytest.fixture
def capturing_logger():
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why can't we use Capture Log here?

https://pypi.org/project/pytest-capturelog/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like they don't document it, but yes, we can use that.

The undocumented bit is that you can actually get the logged data[1].

[1] https://bitbucket.org/memedough/pytest-capturelog/src/039cb3be01c9c6480d3907c47247f5bb0744eb36/pytest_capturelog.py?at=default&fileviewer=file-view-default#pytest_capturelog.py-233:236

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I remembered this being somewhere else...turns out this is part of pytest now.

https://docs.pytest.org/en/latest/logging.html

@lizroth lizroth dismissed their stale review September 6, 2018 18:21

Need to re-review changes in recent updates

@mattsb42-aws
Copy link
Member Author

In updating to use pytest's built-in caplog fixture, I updated the pytest dependency minimum version because that was the last version that the caplog module was changed. This necessitated an update in the upstream test requirements.

@lizroth lizroth merged commit d46c79d into aws:master Sep 20, 2018
@mattsb42-aws mattsb42-aws deleted the dev-78 branch September 20, 2018 19:01
@farleyb-amazon farleyb-amazon mentioned this pull request Dec 22, 2020
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@karlw00t karlw00t karlw00t approved these changes

@lizroth lizroth lizroth left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mattsb42-aws @karlw00t @lizroth