feat: remove specific value definition for keyring trace flags #215

src/aws_encryption_sdk/identifiers.py

@@ -14,6 +14,7 @@
 import struct
 from enum import Enum
 
+import attr
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
 from cryptography.hazmat.primitives.ciphers import algorithms, modes
@@ -333,8 +334,22 @@ class ContentAADString(Enum):
 class KeyringTraceFlag(Enum):
     """KeyRing Trace actions."""
 
-    WRAPPING_KEY_GENERATED_DATA_KEY = 1
-    WRAPPING_KEY_ENCRYPTED_DATA_KEY = 1 << 1
-    WRAPPING_KEY_DECRYPTED_DATA_KEY = 1 << 2
-    WRAPPING_KEY_SIGNED_ENC_CTX = 1 << 3
-    WRAPPING_KEY_VERIFIED_ENC_CTX = 1 << 4
+    @attr.s
+    class KeyringTraceFlagValue(object):
+        """Keyring trace flags do not have defined serializable values."""
+
+        name = attr.ib()
+
+    #: A flag to represent that a keyring has generated a plaintext data key.
+    GENERATED_DATA_KEY = KeyringTraceFlagValue("GENERATED_DATA_KEY")
+    #: A flag to represent that a keyring has created an encrypted data key.
+    ENCRYPTED_DATA_KEY = KeyringTraceFlagValue("ENCRYPTED_DATA_KEY")
+    #: A flag to represent that a keyring has obtained
+    #: the corresponding plaintext data key from an encrypted data key.
+    DECRYPTED_DATA_KEY = KeyringTraceFlagValue("DECRYPTED_DATA_KEY")
+    #: A flag to represent that the keyring has cryptographically
+    #: bound the encryption context to a newly created encrypted data key.
+    SIGNED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("SIGNED_ENCRYPTION_CONTEXT")
+    #: A flag to represent that the keyring has verified that an encrypted
+    #: data key was originally created with a particular encryption context.
+    VERIFIED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("VERIFIED_ENCRYPTION_CONTEXT")

src/aws_encryption_sdk/keyrings/aws_kms/__init__.py

@@ -34,9 +34,9 @@
 
 _LOGGER = logging.getLogger(__name__)
 _PROVIDER_ID = "aws-kms"
-_GENERATE_FLAGS = {KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY}
-_ENCRYPT_FLAGS = {KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY, KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX}
-_DECRYPT_FLAGS = {KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY, KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX}
+_GENERATE_FLAGS = {KeyringTraceFlag.GENERATED_DATA_KEY}
+_ENCRYPT_FLAGS = {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT}
+_DECRYPT_FLAGS = {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT}
 
 
 @attr.s

src/aws_encryption_sdk/keyrings/raw.py

@@ -55,7 +55,7 @@ def _generate_data_key(
         raise GenerateKeyError("Unable to generate data encryption key.")
 
     # Create a keyring trace
-    keyring_trace = KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY})
+    keyring_trace = KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.GENERATED_DATA_KEY})
 
     # plaintext_data_key to RawDataKey
     data_encryption_key = RawDataKey(key_provider=key_provider, data_key=plaintext_data_key)
@@ -150,7 +150,7 @@ def on_encrypt(self, encryption_materials):
 
         # Update Keyring Trace
         keyring_trace = KeyringTrace(
-            wrapping_key=encrypted_data_key.key_provider, flags={KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY}
+            wrapping_key=encrypted_data_key.key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}
         )
 
         # Add encrypted data key to encryption_materials
@@ -201,9 +201,7 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys):
                 return decryption_materials
 
             # Create a keyring trace
-            keyring_trace = KeyringTrace(
-                wrapping_key=self._key_provider, flags={KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY}
-            )
+            keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.DECRYPTED_DATA_KEY})
 
             # Update decryption materials
             data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key)
@@ -367,7 +365,7 @@ def on_encrypt(self, encryption_materials):
 
         # Update Keyring Trace
         keyring_trace = KeyringTrace(
-            wrapping_key=encrypted_data_key.key_provider, flags={KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY}
+            wrapping_key=encrypted_data_key.key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}
         )
 
         # Add encrypted data key to encryption_materials
@@ -408,9 +406,7 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys):
                 continue
 
             # Create a keyring trace
-            keyring_trace = KeyringTrace(
-                wrapping_key=self._key_provider, flags={KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY}
-            )
+            keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.DECRYPTED_DATA_KEY})
 
             # Update decryption materials
             data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key)

src/aws_encryption_sdk/materials_managers/__init__.py

@@ -280,7 +280,7 @@ def add_data_encryption_key(self, data_encryption_key, keyring_trace):
         self._add_data_encryption_key(
             data_encryption_key=data_encryption_key,
             keyring_trace=keyring_trace,
-            required_flags={KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY},
+            required_flags={KeyringTraceFlag.GENERATED_DATA_KEY},
         )
 
     def add_encrypted_data_key(self, encrypted_data_key, keyring_trace):
@@ -299,7 +299,7 @@ def add_encrypted_data_key(self, encrypted_data_key, keyring_trace):
         if self.data_encryption_key is None:
             raise AttributeError("Data encryption key is not set.")
 
-        if KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY not in keyring_trace.flags:
+        if KeyringTraceFlag.ENCRYPTED_DATA_KEY not in keyring_trace.flags:
             raise InvalidKeyringTraceError("Keyring flags do not match action.")
 
         if keyring_trace.wrapping_key != encrypted_data_key.key_provider:
@@ -445,7 +445,7 @@ def add_data_encryption_key(self, data_encryption_key, keyring_trace):
         self._add_data_encryption_key(
             data_encryption_key=data_encryption_key,
             keyring_trace=keyring_trace,
-            required_flags={KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY},
+            required_flags={KeyringTraceFlag.DECRYPTED_DATA_KEY},
         )
 
     def add_verification_key(self, verification_key):

test/functional/keyrings/aws_kms/test_aws_kms.py

@@ -61,9 +61,9 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator):
         MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
     )
 
-    assert KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX in generator_flags
+    assert KeyringTraceFlag.GENERATED_DATA_KEY in generator_flags
+    assert KeyringTraceFlag.ENCRYPTED_DATA_KEY in generator_flags
+    assert KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT in generator_flags
 
 
 def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator):
@@ -86,9 +86,9 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator)
         MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
     )
 
-    assert KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY not in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_SIGNED_ENC_CTX in generator_flags
+    assert KeyringTraceFlag.GENERATED_DATA_KEY not in generator_flags
+    assert KeyringTraceFlag.ENCRYPTED_DATA_KEY in generator_flags
+    assert KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT in generator_flags
 
 
 @mock_kms
@@ -155,8 +155,8 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk(fake_generator):
         MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
     )
 
-    assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX in generator_flags
+    assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags
+    assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags
 
 
 def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_child):
@@ -186,8 +186,8 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_c
         MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=child), result_materials.keyring_trace
     )
 
-    assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY in child_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX in child_flags
+    assert KeyringTraceFlag.DECRYPTED_DATA_KEY in child_flags
+    assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in child_flags
 
 
 def test_aws_kms_single_cmk_keyring_on_decrypt_no_match(fake_generator_and_child):
@@ -274,8 +274,8 @@ def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery
         MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=generator_key_id), result_materials.keyring_trace
     )
 
-    assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX in generator_flags
+    assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags
+    assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags
 
 
 @mock_kms
@@ -380,8 +380,8 @@ def test_try_aws_kms_decrypt_succeed(fake_generator):
         MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
     )
 
-    assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY in generator_flags
-    assert KeyringTraceFlag.WRAPPING_KEY_VERIFIED_ENC_CTX in generator_flags
+    assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags
+    assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags
 
 
 @mock_kms

test/functional/keyrings/raw/test_raw_aes.py

@@ -57,7 +57,7 @@ def sample_encryption_materials():
             keyring_trace=[
                 KeyringTrace(
                     wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID),
-                    flags={KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY},
+                    flags={KeyringTraceFlag.GENERATED_DATA_KEY},
                 )
             ],
         ),

test/functional/keyrings/raw/test_raw_rsa.py

@@ -133,7 +133,7 @@ def sample_encryption_materials():
             keyring_trace=[
                 KeyringTrace(
                     wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID),
-                    flags={KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY},
+                    flags={KeyringTraceFlag.GENERATED_DATA_KEY},
                 )
             ],
         ),

test/functional/keyrings/test_multi.py

@@ -44,7 +44,7 @@
     keyring_trace=[
         KeyringTrace(
             wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID),
-            flags={KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY},
+            flags={KeyringTraceFlag.GENERATED_DATA_KEY},
         )
     ],
 )

test/unit/keyrings/raw/test_raw_aes.py

@@ -129,8 +129,8 @@ def test_keyring_trace_on_encrypt_when_data_encryption_key_given(raw_aes_keyring
 
     for keyring_trace in test.keyring_trace:
         if keyring_trace.wrapping_key.key_info == _KEY_ID:
-            # Check keyring trace does not contain KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
-            assert KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY not in keyring_trace.flags
+            # Check keyring trace does not contain KeyringTraceFlag.GENERATED_DATA_KEY
+            assert KeyringTraceFlag.GENERATED_DATA_KEY not in keyring_trace.flags
 
 
 def test_on_encrypt_when_data_encryption_key_not_given(raw_aes_keyring):
@@ -152,11 +152,11 @@ def test_on_encrypt_when_data_encryption_key_not_given(raw_aes_keyring):
     for keyring_trace in test.keyring_trace:
         if (
             keyring_trace.wrapping_key.key_info == _KEY_ID
-            and KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY in keyring_trace.flags
+            and KeyringTraceFlag.GENERATED_DATA_KEY in keyring_trace.flags
         ):
-            # Check keyring trace contains KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
+            # Check keyring trace contains KeyringTraceFlag.GENERATED_DATA_KEY
             generated_flag_count += 1
-        if KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY in keyring_trace.flags:
+        if KeyringTraceFlag.ENCRYPTED_DATA_KEY in keyring_trace.flags:
             encrypted_flag_count += 1
 
     assert generated_flag_count == 1
@@ -187,8 +187,8 @@ def test_keyring_trace_on_decrypt_when_data_key_given(raw_aes_keyring):
     )
     for keyring_trace in test.keyring_trace:
         if keyring_trace.wrapping_key.key_info == _KEY_ID:
-            # Check keyring trace does not contain KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
-            assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY not in keyring_trace.flags
+            # Check keyring trace does not contain KeyringTraceFlag.DECRYPTED_DATA_KEY
+            assert KeyringTraceFlag.DECRYPTED_DATA_KEY not in keyring_trace.flags
 
 
 @pytest.mark.parametrize(
@@ -208,7 +208,7 @@ def test_on_decrypt_when_data_key_and_edk_not_provided(
 
     for keyring_trace in test.keyring_trace:
         if keyring_trace.wrapping_key.key_info == _KEY_ID:
-            assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY not in keyring_trace.flags
+            assert KeyringTraceFlag.DECRYPTED_DATA_KEY not in keyring_trace.flags
 
     assert test.data_encryption_key is None
 
@@ -235,7 +235,7 @@ def test_keyring_trace_when_data_key_not_provided_and_edk_provided(raw_aes_keyri
     decrypted_flag_count = 0
 
     for keyring_trace in test.keyring_trace:
-        if KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY in keyring_trace.flags:
+        if KeyringTraceFlag.DECRYPTED_DATA_KEY in keyring_trace.flags:
             decrypted_flag_count += 1
 
     assert decrypted_flag_count == 1
@@ -277,6 +277,6 @@ def test_generate_data_key_keyring_trace():
     generate_flag_count = 0
 
     for keyring_trace in encryption_materials_without_data_key.keyring_trace:
-        if KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY in keyring_trace.flags:
+        if KeyringTraceFlag.GENERATED_DATA_KEY in keyring_trace.flags:
             generate_flag_count += 1
     assert generate_flag_count == 1

test/unit/keyrings/raw/test_raw_rsa.py

@@ -130,8 +130,8 @@ def test_keyring_trace_on_encrypt_when_data_encryption_key_given(raw_rsa_keyring
 
     for keyring_trace in test.keyring_trace:
         if keyring_trace.wrapping_key.key_info == _KEY_ID:
-            # Check keyring trace does not contain KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
-            assert KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY not in keyring_trace.flags
+            # Check keyring trace does not contain KeyringTraceFlag.GENERATED_DATA_KEY
+            assert KeyringTraceFlag.GENERATED_DATA_KEY not in keyring_trace.flags
 
 
 def test_on_encrypt_when_data_encryption_key_not_given(raw_rsa_keyring):
@@ -152,11 +152,11 @@ def test_on_encrypt_when_data_encryption_key_not_given(raw_rsa_keyring):
     for keyring_trace in test.keyring_trace:
         if (
             keyring_trace.wrapping_key.key_info == _KEY_ID
-            and KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY in keyring_trace.flags
+            and KeyringTraceFlag.GENERATED_DATA_KEY in keyring_trace.flags
         ):
-            # Check keyring trace contains KeyringTraceFlag.WRAPPING_KEY_GENERATED_DATA_KEY
+            # Check keyring trace contains KeyringTraceFlag.GENERATED_DATA_KEY
             generated_flag_count += 1
-        if KeyringTraceFlag.WRAPPING_KEY_ENCRYPTED_DATA_KEY in keyring_trace.flags:
+        if KeyringTraceFlag.ENCRYPTED_DATA_KEY in keyring_trace.flags:
             encrypted_flag_count += 1
 
     assert generated_flag_count == 1
@@ -183,8 +183,8 @@ def test_keyring_trace_on_decrypt_when_data_key_given(raw_rsa_keyring):
     )
     for keyring_trace in test.keyring_trace:
         if keyring_trace.wrapping_key.key_info == _KEY_ID:
-            # Check keyring trace does not contain KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY
-            assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY not in keyring_trace.flags
+            # Check keyring trace does not contain KeyringTraceFlag.DECRYPTED_DATA_KEY
+            assert KeyringTraceFlag.DECRYPTED_DATA_KEY not in keyring_trace.flags
 
 
 def test_on_decrypt_when_data_key_and_edk_not_provided(raw_rsa_keyring, patch_decrypt_on_wrapping_key):
@@ -196,7 +196,7 @@ def test_on_decrypt_when_data_key_and_edk_not_provided(raw_rsa_keyring, patch_de
     assert not patch_decrypt_on_wrapping_key.called
 
     for keyring_trace in test.keyring_trace:
-        assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY not in keyring_trace.flags
+        assert KeyringTraceFlag.DECRYPTED_DATA_KEY not in keyring_trace.flags
 
     assert test.data_encryption_key is None
 
@@ -212,7 +212,7 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_not_in_keyring(raw_rsa_ke
 
     for keyring_trace in test.keyring_trace:
         if keyring_trace.wrapping_key.key_info == _KEY_ID:
-            assert KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY not in keyring_trace.flags
+            assert KeyringTraceFlag.DECRYPTED_DATA_KEY not in keyring_trace.flags
 
     assert test.data_encryption_key is None
 
@@ -242,7 +242,7 @@ def test_keyring_trace_when_data_key_not_provided_and_edk_provided(raw_rsa_keyri
     decrypted_flag_count = 0
 
     for keyring_trace in test.keyring_trace:
-        if KeyringTraceFlag.WRAPPING_KEY_DECRYPTED_DATA_KEY in keyring_trace.flags:
+        if KeyringTraceFlag.DECRYPTED_DATA_KEY in keyring_trace.flags:
             decrypted_flag_count += 1
 
     assert decrypted_flag_count == 1