From a8e491d49bd5b6d1de55fb0f5960420f33e0dbfb Mon Sep 17 00:00:00 2001 From: Matthew Jones Date: Mon, 10 Aug 2020 12:48:39 -0700 Subject: [PATCH 1/8] refactor: Remove keyring trace --- src/aws_encryption_sdk/__init__.py | 18 ++- src/aws_encryption_sdk/exceptions.py | 7 - src/aws_encryption_sdk/identifiers.py | 24 ---- .../keyrings/aws_kms/__init__.py | 30 ++--- src/aws_encryption_sdk/keyrings/raw.py | 42 ++---- .../materials_managers/__init__.py | 127 ++++-------------- src/aws_encryption_sdk/streaming_client.py | 3 - src/aws_encryption_sdk/structures.py | 28 +--- .../keyrings/aws_kms/test_aws_kms.py | 59 +------- test/functional/keyrings/raw/test_raw_aes.py | 9 +- test/functional/keyrings/raw/test_raw_rsa.py | 9 +- test/functional/keyrings/test_multi.py | 10 +- test/functional/test_client.py | 22 --- test/unit/keyrings/raw/test_raw_aes.py | 79 +---------- test/unit/keyrings/raw/test_raw_rsa.py | 67 +-------- .../test_material_managers.py | 99 ++------------ test/unit/test_structures.py | 14 +- test/unit/unit_test_utils.py | 44 +----- 18 files changed, 90 insertions(+), 601 deletions(-) diff --git a/src/aws_encryption_sdk/__init__.py b/src/aws_encryption_sdk/__init__.py index 88da93d25..a213b01fb 100644 --- a/src/aws_encryption_sdk/__init__.py +++ b/src/aws_encryption_sdk/__init__.py @@ -28,10 +28,10 @@ def encrypt(**kwargs): When using this function, the entire ciphertext message is encrypted into memory before returning any data. If streaming is desired, see :class:`aws_encryption_sdk.stream`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 The *keyring* parameter. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 For backwards compatibility, the new :class:`CryptoResult` return value also unpacks like a 2-member tuple. 
@@ -80,16 +80,15 @@ def encrypt(**kwargs): :param algorithm: Algorithm to use for encryption :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param int frame_length: Frame length in bytes - :returns: Encrypted message, message metadata (header), and keyring trace + :returns: Encrypted message, and message metadata (header) :rtype: CryptoResult """ with StreamEncryptor(**kwargs) as encryptor: ciphertext = encryptor.read() header_copy = copy.deepcopy(encryptor.header) - keyring_trace_copy = copy.deepcopy(encryptor.keyring_trace) - return CryptoResult(result=ciphertext, header=header_copy, keyring_trace=keyring_trace_copy) + return CryptoResult(result=ciphertext, header=header_copy) def decrypt(**kwargs): @@ -99,10 +98,10 @@ def decrypt(**kwargs): When using this function, the entire ciphertext message is decrypted into memory before returning any data. If streaming is desired, see :class:`aws_encryption_sdk.stream`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 The *keyring* parameter. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 For backwards compatibility, the new :class:`CryptoResult` return value also unpacks like a 2-member tuple. @@ -142,16 +141,15 @@ def decrypt(**kwargs): :param int max_body_length: Maximum frame size (or content length for non-framed messages) in bytes to read from ciphertext message. - :returns: Decrypted plaintext, message metadata (header), and keyring trace + :returns: Decrypted plaintext, and message metadata (header) :rtype: CryptoResult """ with StreamDecryptor(**kwargs) as decryptor: plaintext = decryptor.read() header_copy = copy.deepcopy(decryptor.header) - keyring_trace_copy = copy.deepcopy(decryptor.keyring_trace) - return CryptoResult(result=plaintext, header=header_copy, keyring_trace=keyring_trace_copy) + return CryptoResult(result=plaintext, header=header_copy) def stream(**kwargs): diff --git a/src/aws_encryption_sdk/exceptions.py b/src/aws_encryption_sdk/exceptions.py index 3c58dcea1..2c77f5839 100644 
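Review bot: The rewritten `:returns:` lines in both `encrypt` and `decrypt` read `Encrypted message, and message metadata (header)` — with only two items left the comma before `and` is stray; use `:returns: Encrypted message and message metadata (header)` here and `:returns: Decrypted plaintext and message metadata (header)` in the `decrypt` hunk. Dropping `keyring_trace` from `CryptoResult` is also a public-API removal, as are the `keyring_trace` class attribute taken off `_EncryptionStream` in streaming_client.py and the deleted `InvalidKeyringTraceError`, `KeyringTraceFlag` and `KeyringTrace` classes, yet the diffstat lists no changelog file. A `.. versionchanged:: 2.0.0` entry next to the bumped `versionadded` notes, saying the keyring trace is no longer returned, would tell callers why the attribute and the kwarg disappeared.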
--- a/src/aws_encryption_sdk/exceptions.py +++ b/src/aws_encryption_sdk/exceptions.py @@ -43,13 +43,6 @@ class InvalidDataKeyError(AWSEncryptionSDKClientError): """Exception class for Invalid Data Keys.""" -class InvalidKeyringTraceError(AWSEncryptionSDKClientError): - """Exception class for invalid Keyring Traces. - - .. versionadded:: 1.5.0 - """ - - class InvalidProviderIdError(AWSEncryptionSDKClientError): """Exception class for Invalid Provider IDs.""" diff --git a/src/aws_encryption_sdk/identifiers.py b/src/aws_encryption_sdk/identifiers.py index 269afd702..b3d8551b1 100644 --- a/src/aws_encryption_sdk/identifiers.py +++ b/src/aws_encryption_sdk/identifiers.py 
@@ -329,27 +329,3 @@ class ContentAADString(Enum): FRAME_STRING_ID = b"AWSKMSEncryptionClient Frame" FINAL_FRAME_STRING_ID = b"AWSKMSEncryptionClient Final Frame" NON_FRAMED_STRING_ID = b"AWSKMSEncryptionClient Single Block" - - -class KeyringTraceFlag(Enum): - """KeyRing Trace actions.""" - - @attr.s - class KeyringTraceFlagValue(object): - """Keyring trace flags do not have defined serializable values.""" - - name = attr.ib() - - #: A flag to represent that a keyring has generated a plaintext data key. - GENERATED_DATA_KEY = KeyringTraceFlagValue("GENERATED_DATA_KEY") - #: A flag to represent that a keyring has created an encrypted data key. - ENCRYPTED_DATA_KEY = KeyringTraceFlagValue("ENCRYPTED_DATA_KEY") - #: A flag to represent that a keyring has obtained - #: the corresponding plaintext data key from an encrypted data key. - DECRYPTED_DATA_KEY = KeyringTraceFlagValue("DECRYPTED_DATA_KEY") - #: A flag to represent that the keyring has cryptographically - #: bound the encryption context to a newly created encrypted data key. - SIGNED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("SIGNED_ENCRYPTION_CONTEXT") - #: A flag to represent that the keyring has verified that an encrypted - #: data key was originally created with a particular encryption context. - VERIFIED_ENCRYPTION_CONTEXT = KeyringTraceFlagValue("VERIFIED_ENCRYPTION_CONTEXT") diff --git a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py index f6340af65..b04fb4cc4 100644 --- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py +++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 """Keyring for use with AWS Key Management Service (KMS). -.. versionadded:: 1.5.0 +.. versionadded:: 2.0.0 """ import logging 
@@ -17,7 +17,7 @@ from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.multi import MultiKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, KeyringTraceFlag, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey from .client_suppliers import DefaultClientSupplier @@ -33,9 +33,6 @@ __all__ = ("AwsKmsKeyring", "KEY_NAMESPACE") _LOGGER = logging.getLogger(__name__) -_GENERATE_FLAGS = {KeyringTraceFlag.GENERATED_DATA_KEY} -_ENCRYPT_FLAGS = {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT} -_DECRYPT_FLAGS = {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT} #: Key namespace used for all encrypted data keys created by the KMS keyring. KEY_NAMESPACE = "aws-kms" @@ -77,7 +74,7 @@ class AwsKmsKeyring(Keyring): .. _discovery mode: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html#kms-keyring-discovery - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param ClientSupplier client_supplier: Client supplier that provides AWS KMS clients (optional) :param bool is_discovery: Should this be a discovery keyring (optional) @@ -165,7 +162,7 @@ class _AwsKmsSingleCmkKeyring(Keyring): This keyring should never be used directly. It should only ever be used internally by :class:`AwsKmsKeyring`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param str key_id: CMK key ID :param ClientSupplier client_supplier: Client supplier to use when asking for clients 
@@ -181,7 +178,6 @@ class _AwsKmsSingleCmkKeyring(Keyring): def on_encrypt(self, encryption_materials): # type: (EncryptionMaterials) -> EncryptionMaterials - trace_info = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id) new_materials = encryption_materials try: if new_materials.data_encryption_key is None: @@ -194,7 +190,6 @@ def on_encrypt(self, encryption_materials): ) new_materials = new_materials.with_data_encryption_key( data_encryption_key=plaintext_key, - keyring_trace=KeyringTrace(wrapping_key=trace_info, flags=_GENERATE_FLAGS), ) else: encrypted_key = _do_aws_kms_encrypt( @@ -206,12 +201,14 @@ def on_encrypt(self, encryption_materials): ) except Exception: # pylint: disable=broad-except # We intentionally WANT to catch all exceptions here - message = "Unable to generate or encrypt data key using {}".format(trace_info) + message = "Unable to generate or encrypt data key using {}".format( + MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id) + ) _LOGGER.exception(message) raise EncryptKeyError(message) return new_materials.with_encrypted_data_key( - encrypted_data_key=encrypted_key, keyring_trace=KeyringTrace(wrapping_key=trace_info, flags=_ENCRYPT_FLAGS) + encrypted_data_key=encrypted_key, ) def on_decrypt(self, decryption_materials, encrypted_data_keys): @@ -243,7 +240,7 @@ class _AwsKmsDiscoveryKeyring(Keyring): This keyring should never be used directly. It should only ever be used internally by :class:`AwsKmsKeyring`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param ClientSupplier client_supplier: Client supplier to use when asking for clients :param List[str] grant_tokens: AWS KMS grant tokens to include in requests (optional) @@ -284,7 +281,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en Any errors encountered are caught and logged. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ try: 
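Review bot: In `on_encrypt` the calls `new_materials.with_data_encryption_key(data_encryption_key=plaintext_key,)` and `new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key,)` keep a magic trailing comma after what is now a single keyword argument, so the formatter will leave each call exploded over three lines, while raw.py collapses the identical call to `return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key)`; the two files should agree. Dropping the comma gives `new_materials = new_materials.with_data_encryption_key(data_encryption_key=plaintext_key)` and `return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key)`. The same exploded one-argument call remains in `_try_aws_kms_decrypt` below, in raw.py's `_generate_data_key`, and in materials_managers' `_with_data_encryption_key`, `EncryptionMaterials.with_data_encryption_key` and `DecryptionMaterials.with_data_encryption_key`. `on_encrypt` begins before this hunk.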
@@ -302,7 +299,6 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en return decryption_materials.with_data_encryption_key( data_encryption_key=plaintext_key, - keyring_trace=KeyringTrace(wrapping_key=encrypted_data_key.key_provider, flags=_DECRYPT_FLAGS), ) @@ -312,7 +308,7 @@ def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryptio Any errors encountered are passed up the chain without comment. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ region = _region_from_key_id(encrypted_data_key.key_provider.key_info.decode("utf-8")) @@ -359,7 +355,7 @@ def _do_aws_kms_generate_data_key(client_supplier, key_name, encryption_context, Any errors encountered are passed up the chain without comment. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ region = _region_from_key_id(key_name) @@ -382,7 +378,7 @@ def _region_from_key_id(key_id): If the region cannot be found, ``None`` is returned instead. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ parts = key_id.split(":", 4) diff --git a/src/aws_encryption_sdk/keyrings/raw.py b/src/aws_encryption_sdk/keyrings/raw.py index ddb07fb03..029e750be 100644 --- a/src/aws_encryption_sdk/keyrings/raw.py +++ b/src/aws_encryption_sdk/keyrings/raw.py 
@@ -12,14 +12,14 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey from aws_encryption_sdk.exceptions import EncryptKeyError, GenerateKeyError -from aws_encryption_sdk.identifiers import EncryptionKeyType, KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import EncryptedData, WrappingKey from aws_encryption_sdk.internal.formatting.deserialize import deserialize_wrapped_key from aws_encryption_sdk.internal.formatting.serialize import serialize_raw_master_key_prefix, serialize_wrapped_key from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Iterable # noqa pylint: disable=unused-import @@ -55,14 +55,11 @@ def _generate_data_key( _LOGGER.exception(error_message) raise GenerateKeyError("Unable to generate data encryption key.") - # Create a keyring trace - keyring_trace = KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.GENERATED_DATA_KEY}) - # plaintext_data_key to RawDataKey data_encryption_key = RawDataKey(key_provider=key_provider, data_key=plaintext_data_key) return encryption_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace + data_encryption_key=data_encryption_key, ) 
@@ -71,7 +68,7 @@ class RawAESKeyring(Keyring): """Generate an instance of Raw AES Keyring which encrypts using AES-GCM algorithm using wrapping key provided as a byte array - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param str key_namespace: String defining the keyring. :param bytes key_name: Key ID @@ -168,13 +165,7 @@ def on_encrypt(self, encryption_materials): _LOGGER.exception(error_message) raise EncryptKeyError(error_message) - # Update Keyring Trace - keyring_trace = KeyringTrace( - wrapping_key=self._key_provider, - flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT}, - ) - - return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials @@ -221,18 +212,10 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys): # until it either succeeds or runs out of encrypted data keys. continue - # Create a keyring trace - keyring_trace = KeyringTrace( - wrapping_key=self._key_provider, - flags={KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT}, - ) - # Update decryption materials data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key) - return new_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace - ) + return new_materials.with_data_encryption_key(data_encryption_key=data_encryption_key) return new_materials 
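Review bot: With the trace flags gone, nothing in `RawAESKeyring.on_encrypt`/`on_decrypt` records that this keyring binds the encryption context to the wrapped key while `RawRSAKeyring` (next hunks) does not — the removed flag sets (`SIGNED_ENCRYPTION_CONTEXT`/`VERIFIED_ENCRYPTION_CONTEXT` only on the AES and KMS keyrings) were the one place that difference was stated, and it matters to anyone reasoning about what a successful unwrap proves. A one-line comment above each remaining `return` would preserve it, e.g. in the AES keyring `# AES-GCM wrapping authenticates the encryption context, so a successful unwrap also verifies it` and in the RSA keyring `# RSA wrapping does not bind the encryption context; only the key bytes are protected` (confirm both against `WrappingKey` before settling the wording). Both `on_encrypt` and `on_decrypt` begin before their hunks.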
@@ -242,7 +225,7 @@ class RawRSAKeyring(Keyring): """Generate an instance of Raw RSA Keyring which performs asymmetric encryption and decryption using public and private keys provided - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param str key_namespace: String defining the keyring ID :param bytes key_name: Key ID @@ -407,11 +390,9 @@ def on_encrypt(self, encryption_materials): _LOGGER.exception(error_message) raise EncryptKeyError(error_message) - # Update Keyring Trace - keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}) # Add encrypted data key to encryption_materials - return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials @@ -451,14 +432,9 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys): # until it either succeeds or runs out of encrypted data keys. continue - # Create a keyring trace - keyring_trace = KeyringTrace(wrapping_key=self._key_provider, flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}) - # Update decryption materials data_encryption_key = RawDataKey(key_provider=self._key_provider, data_key=plaintext_data_key) - return new_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace - ) + return new_materials.with_data_encryption_key(data_encryption_key=data_encryption_key) return new_materials diff --git a/src/aws_encryption_sdk/materials_managers/__init__.py b/src/aws_encryption_sdk/materials_managers/__init__.py index 8c8c33886..c41507030 100644 --- a/src/aws_encryption_sdk/materials_managers/__init__.py +++ b/src/aws_encryption_sdk/materials_managers/__init__.py 
@@ -20,11 +20,11 @@ import six from attr.validators import deep_iterable, deep_mapping, instance_of, optional -from aws_encryption_sdk.exceptions import InvalidDataKeyError, InvalidKeyringTraceError, SignatureKeyError -from aws_encryption_sdk.identifiers import Algorithm, KeyringTraceFlag +from aws_encryption_sdk.exceptions import InvalidDataKeyError, SignatureKeyError +from aws_encryption_sdk.identifiers import Algorithm from aws_encryption_sdk.internal.crypto.authentication import Signer, Verifier from aws_encryption_sdk.internal.utils.streams import ROStream -from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, KeyringTrace, RawDataKey +from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, RawDataKey try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Any, Iterable, Tuple, Union # noqa pylint: disable=unused-import @@ -75,13 +75,11 @@ def _data_key_to_raw_data_key(data_key): class CryptographicMaterials(object): """Cryptographic materials core. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param Algorithm algorithm: Algorithm to use for encrypting message :param dict encryption_context: Encryption context tied to `encrypted_data_keys` :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message - :param keyring_trace: Any KeyRing trace entries - :type keyring_trace: list of :class:`KeyringTrace` """ algorithm = attr.ib(validator=optional(instance_of(Algorithm))) @@ -93,9 +91,6 @@ class CryptographicMaterials(object): data_encryption_key = attr.ib( default=None, validator=optional(instance_of(RawDataKey)), converter=_data_key_to_raw_data_key ) - _keyring_trace = attr.ib( - default=attr.Factory(list), validator=optional(deep_iterable(member_validator=instance_of(KeyringTrace))) - ) _initialized = False def __attrs_post_init__(self): 
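Review bot: `Tuple` in the unchanged `from typing import Any, Iterable, Tuple, Union` line of this hunk looks orphaned: its only visible use was the `# type: () -> Tuple[KeyringTrace]` comment on the removed `keyring_trace` property, and the `# noqa pylint: disable=unused-import` on that line means no linter will report it. Unless `Tuple` is used elsewhere in the file, drop it: `from typing import Any, Iterable, Union  # noqa pylint: disable=unused-import`. The same check applies to `deep_iterable` in structures.py, whose visible uses (`KeyringTrace.flags` and `CryptoResult.keyring_trace`) are both deleted in this commit, and to `itertools` in test_aws_kms.py, which the deleted `_matching_flags` helper used.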
@@ -115,31 +110,19 @@ def _setattr(self, key, value): """Special __setattr__ to avoid having to perform multi-level super calls.""" super(CryptographicMaterials, self).__setattr__(key, value) - def _validate_data_encryption_key(self, data_encryption_key, keyring_trace, required_flags): - # type: (Union[DataKey, RawDataKey], KeyringTrace, Iterable[KeyringTraceFlag]) -> None - """Validate that the provided data encryption key and keyring trace match for each other and the materials. + def _validate_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> None + """Validate that the provided data encryption key matches the materials. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Keyring trace corresponding to data_encryption_key - :param required_flags: Iterable of required flags - :type required_flags: iterable of :class:`KeyringTraceFlag` :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match decrypt action - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ if self.data_encryption_key is not None: raise AttributeError("Data encryption key is already set.") - for flag in required_flags: - if flag not in keyring_trace.flags: - raise InvalidKeyringTraceError("Keyring flags do not match action.") - - if keyring_trace.wrapping_key != data_encryption_key.key_provider: - raise InvalidKeyringTraceError("Keyring trace does not match data key provider.") - if len(data_encryption_key.data_key) != self.algorithm.kdf_input_len: raise InvalidDataKeyError( "Invalid data key length {actual} must be {expected}.".format( 
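Review bot: The new docstring `Validate that the provided data encryption key matches the materials.` overstates what is left: after this hunk the method only checks that a key is not already set and that `len(data_encryption_key.data_key)` equals `self.algorithm.kdf_input_len`; the provider/wrapping-key consistency the removed trace comparison enforced is not checked anywhere visible. Say exactly that, e.g. `Validate that the provided data encryption key is not already set and has the length required by the materials' algorithm suite.`. Note also that `algorithm` is declared `optional(instance_of(Algorithm))` above, so `self.algorithm.kdf_input_len` raises a bare `'NoneType' object has no attribute` error when no algorithm is set; `DecryptionMaterials.with_data_encryption_key` guards this with `if self.algorithm is None:` but the `EncryptionMaterials` path does not appear to, so a guard here — `if self.algorithm is None: raise AttributeError("Algorithm is not set.")` — would cover both callers. The method's body runs past the end of this hunk.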
@@ -147,24 +130,18 @@ def _validate_data_encryption_key(self, data_encryption_key, keyring_trace, requ ) ) - def _with_data_encryption_key(self, data_encryption_key, keyring_trace, required_flags): - # type: (Union[DataKey, RawDataKey], KeyringTrace, Iterable[KeyringTraceFlag]) -> CryptographicMaterials + def _with_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> CryptographicMaterials """Get new cryptographic materials that include this data encryption key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this data encryption key - :param required_flags: Iterable of required flags - :type required_flags: iterable of :class:`KeyringTraceFlag` :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match required actions - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ self._validate_data_encryption_key( - data_encryption_key=data_encryption_key, keyring_trace=keyring_trace, required_flags=required_flags + data_encryption_key=data_encryption_key ) new_materials = copy.copy(self) 
@@ -173,19 +150,9 @@ def _with_data_encryption_key(self, data_encryption_key, keyring_trace, required new_materials._setattr( # simplify access to copies pylint: disable=protected-access "data_encryption_key", data_key ) - new_materials._keyring_trace.append(keyring_trace) # simplify access to copies pylint: disable=protected-access return new_materials - @property - def keyring_trace(self): - # type: () -> Tuple[KeyringTrace] - """Return a read-only version of the keyring trace. - - :rtype: tuple - """ - return tuple(self._keyring_trace) - @attr.s(hash=False, init=False) class EncryptionMaterials(CryptographicMaterials): @@ -193,11 +160,7 @@ class EncryptionMaterials(CryptographicMaterials): .. versionadded:: 1.3.0 - .. versionadded:: 1.5.0 - - The **keyring_trace** parameter. - - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 Most parameters are now optional. @@ -207,8 +170,6 @@ class EncryptionMaterials(CryptographicMaterials): :type encrypted_data_keys: list of :class:`EncryptedDataKey` :param dict encryption_context: Encryption context tied to `encrypted_data_keys` :param bytes signing_key: Encoded signing key (optional) - :param keyring_trace: Any KeyRing trace entries (optional) - :type keyring_trace: list of :class:`KeyringTrace` """ _encrypted_data_keys = attr.ib( @@ -257,7 +218,6 @@ def __copy__(self): encrypted_data_keys=copy.copy(self._encrypted_data_keys), encryption_context=self.encryption_context.copy(), signing_key=self.signing_key, - keyring_trace=copy.copy(self._keyring_trace), ) @property 
@@ -287,68 +247,46 @@ def is_complete(self): return True - def with_data_encryption_key(self, data_encryption_key, keyring_trace): - # type: (Union[DataKey, RawDataKey], KeyringTrace) -> EncryptionMaterials + def with_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> EncryptionMaterials """Get new encryption materials that also include this data encryption key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this data encryption key :rtype: EncryptionMaterials :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match generate action - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ return self._with_data_encryption_key( data_encryption_key=data_encryption_key, - keyring_trace=keyring_trace, - required_flags={KeyringTraceFlag.GENERATED_DATA_KEY}, ) - def with_encrypted_data_key(self, encrypted_data_key, keyring_trace): - # type: (EncryptedDataKey, KeyringTrace) -> EncryptionMaterials - """Get new encryption materials that also include this encrypted data key with corresponding keyring trace. + def with_encrypted_data_key(self, encrypted_data_key): + # type: (EncryptedDataKey) -> EncryptionMaterials + """Get new encryption materials that also include this encrypted data key. - .. versionadded:: 1.5.0 + .. 
versionadded:: 2.0.0 :param EncryptedDataKey encrypted_data_key: Encrypted data key to add - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this encrypted data key :rtype: EncryptionMaterials :raises AttributeError: if data encryption key is not set - :raises InvalidKeyringTraceError: if keyring trace does not match generate action - :raises InvalidKeyringTraceError: if keyring trace does not match data key encryptor """ if self.data_encryption_key is None: raise AttributeError("Data encryption key is not set.") - if KeyringTraceFlag.ENCRYPTED_DATA_KEY not in keyring_trace.flags: - raise InvalidKeyringTraceError("Keyring flags do not match action.") - - if not all( - ( - keyring_trace.wrapping_key.provider_id == encrypted_data_key.key_provider.provider_id, - keyring_trace.wrapping_key.key_name == encrypted_data_key.key_provider.key_name, - ) - ): - raise InvalidKeyringTraceError("Keyring trace does not match data key encryptor.") - new_materials = copy.copy(self) new_materials._encrypted_data_keys.append( # simplify access to copies pylint: disable=protected-access encrypted_data_key ) - new_materials._keyring_trace.append(keyring_trace) # simplify access to copies pylint: disable=protected-access return new_materials def with_signing_key(self, signing_key): # type: (bytes) -> EncryptionMaterials """Get new encryption materials that also include this signing key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param bytes signing_key: Signing key :rtype: EncryptionMaterials @@ -402,11 +340,11 @@ class DecryptionMaterials(CryptographicMaterials): .. versionadded:: 1.3.0 - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 - The **algorithm**, **data_encryption_key**, **encryption_context**, and **keyring_trace** parameters. + The **algorithm**, **data_encryption_key**, and **encryption_context** parameters. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 All parameters are now optional. 
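Review bot: After this hunk `with_encrypted_data_key` accepts any object as `encrypted_data_key` and appends it straight into `_encrypted_data_keys`: whatever validator that `attr.ib` declares runs only at construction time, not on `.append`, and the deleted trace comparison was the only code that dereferenced `encrypted_data_key.key_provider` and would have failed on a wrong type. A cheap guard next to the existing `if self.data_encryption_key is None:` keeps the materials well-formed: `if not isinstance(encrypted_data_key, EncryptedDataKey): raise TypeError("encrypted_data_key must be type EncryptedDataKey not {}".format(type(encrypted_data_key).__name__))`, matching the message style of `RawDataKey.from_data_key` in structures.py. The docstring's `:raises AttributeError: if data encryption key is not set` should then gain `:raises TypeError: if encrypted_data_key is not an EncryptedDataKey`.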
@@ -414,8 +352,6 @@ class DecryptionMaterials(CryptographicMaterials): :param RawDataKey data_encryption_key: Plaintext data key to use for encrypting message (optional) :param dict encryption_context: Encryption context tied to `encrypted_data_keys` (optional) :param bytes verification_key: Raw signature verification key (optional) - :param keyring_trace: Any KeyRing trace entries (optional) - :type keyring_trace: list of :class:`KeyringTrace` """ verification_key = attr.ib(default=None, repr=False, validator=optional(instance_of(bytes))) @@ -450,7 +386,6 @@ def __copy__(self): data_encryption_key=self.data_encryption_key, encryption_context=copy.copy(self.encryption_context), verification_key=self.verification_key, - keyring_trace=copy.copy(self._keyring_trace), ) @property @@ -477,19 +412,15 @@ def data_key(self): """Backwards-compatible shim for access to data key.""" return self.data_encryption_key - def with_data_encryption_key(self, data_encryption_key, keyring_trace): - # type: (Union[DataKey, RawDataKey], KeyringTrace) -> DecryptionMaterials + def with_data_encryption_key(self, data_encryption_key): + # type: (Union[DataKey, RawDataKey]) -> DecryptionMaterials """Get new decryption materials that also include this data encryption key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param RawDataKey data_encryption_key: Data encryption key - :param KeyringTrace keyring_trace: Trace of actions that a keyring performed - while getting this data encryption key :rtype: DecryptionMaterials :raises AttributeError: if data encryption key is already set - :raises InvalidKeyringTraceError: if keyring trace does not match decrypt action - :raises InvalidKeyringTraceError: if keyring trace does not match data key provider :raises InvalidDataKeyError: if data key length does not match algorithm suite """ if self.algorithm is None: 
@@ -497,15 +428,13 @@ def with_data_encryption_key(self, data_encryption_key, keyring_trace): return self._with_data_encryption_key( data_encryption_key=data_encryption_key, - keyring_trace=keyring_trace, - required_flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}, ) def with_verification_key(self, verification_key): # type: (bytes) -> DecryptionMaterials """Get new decryption materials that also include this verification key. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 :param bytes verification_key: Verification key :rtype: DecryptionMaterials diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index ff549563d..678b80fe3 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py @@ -137,7 +137,6 @@ class _EncryptionStream(io.IOBase): _message_prepped = None # type: bool source_stream = None _stream_length = None # type: int - keyring_trace = () def __new__(cls, **kwargs): """Perform necessary handling for _EncryptionStream instances that should be @@ -444,7 +443,6 @@ def _prep_message(self): self._encryption_materials = self.config.materials_manager.get_encryption_materials( request=encryption_materials_request ) - self.keyring_trace = self._encryption_materials.keyring_trace if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( @@ -781,7 +779,6 @@ def _read_header(self): encryption_context=header.encryption_context, ) decryption_materials = self.config.materials_manager.decrypt_materials(request=decrypt_materials_request) - self.keyring_trace = decryption_materials.keyring_trace if decryption_materials.verification_key is None: self.verifier = None diff --git a/src/aws_encryption_sdk/structures.py b/src/aws_encryption_sdk/structures.py index 4e8275a2c..1b6f58026 100644 --- a/src/aws_encryption_sdk/structures.py +++ b/src/aws_encryption_sdk/structures.py 
@@ -17,7 +17,7 @@ import six from attr.validators import deep_iterable, deep_mapping, instance_of, optional -from aws_encryption_sdk.identifiers import Algorithm, ContentType, KeyringTraceFlag, ObjectType, SerializationVersion +from aws_encryption_sdk.identifiers import Algorithm, ContentType, ObjectType, SerializationVersion from aws_encryption_sdk.internal.str_ops import to_bytes, to_str try: # Python 3.5.0 and 3.5.1 have incompatible typing modules @@ -37,7 +37,7 @@ class MasterKeyInfo(object): For all other keyrings and master keys, ``key_info`` and ``key_name`` should always be the same. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 ``key_name`` :param str provider_id: MasterKey provider_id value @@ -60,7 +60,7 @@ def __attrs_post_init__(self): def key_namespace(self): """Access the key namespace value (previously, provider ID). - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ return self.provider_id @@ -83,7 +83,7 @@ def from_data_key(cls, data_key): # type: (DataKey) -> RawDataKey """Build an :class:`RawDataKey` from a :class:`DataKey`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ if not isinstance(data_key, DataKey): raise TypeError("data_key must be type DataKey not {}".format(type(data_key).__name__)) @@ -123,7 +123,7 @@ def from_data_key(cls, data_key): # type: (DataKey) -> EncryptedDataKey """Build an :class:`EncryptedDataKey` from a :class:`DataKey`. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 """ if not isinstance(data_key, DataKey): raise TypeError("data_key must be type DataKey not {}".format(type(data_key).__name__)) 
@@ -133,20 +133,6 @@ def from_data_key(cls, data_key): ) -@attr.s -class KeyringTrace(object): - """Record of all actions that a KeyRing performed with a wrapping key. - - .. versionadded:: 1.5.0 - - :param MasterKeyInfo wrapping_key: Wrapping key used - :param Set[KeyringTraceFlag] flags: Actions performed - """ - - wrapping_key = attr.ib(validator=instance_of(MasterKeyInfo)) - flags = attr.ib(validator=deep_iterable(member_validator=instance_of(KeyringTraceFlag))) - - @attr.s(hash=True) class MessageHeader(object): # pylint: disable=too-many-instance-attributes @@ -185,7 +171,7 @@ class MessageHeader(object): class CryptoResult(object): """Result container for one-shot cryptographic API results. - .. versionadded:: 1.5.0 + .. versionadded:: 2.0.0 .. note:: @@ -195,12 +181,10 @@ class CryptoResult(object): :param bytes result: Binary results of the cryptographic operation :param MessageHeader header: Encrypted message metadata - :param Tuple[KeyringTrace] keyring_trace: Keyring trace entries """ result = attr.ib(validator=instance_of(bytes)) header = attr.ib(validator=instance_of(MessageHeader)) - keyring_trace = attr.ib(validator=deep_iterable(member_validator=instance_of(KeyringTrace))) def __attrs_post_init__(self): """Construct the inner tuple for backwards compatibility.""" diff --git a/test/functional/keyrings/aws_kms/test_aws_kms.py b/test/functional/keyrings/aws_kms/test_aws_kms.py index 2aca1c15a..407bed25a 100644 --- a/test/functional/keyrings/aws_kms/test_aws_kms.py +++ b/test/functional/keyrings/aws_kms/test_aws_kms.py @@ -10,7 +10,6 @@ from moto.kms import mock_kms from aws_encryption_sdk.exceptions import DecryptKeyError, EncryptKeyError -from aws_encryption_sdk.identifiers import KeyringTraceFlag from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.keyrings.aws_kms import ( KEY_NAMESPACE, 
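Review bot: Both users of `deep_iterable` visible in this file, `KeyringTrace.flags` and `CryptoResult.keyring_trace`, are deleted here, while `from attr.validators import deep_iterable, deep_mapping, instance_of, optional` in the import hunk above is left untouched. If `MessageHeader`, which falls between the hunks, still validates a collection with it there is nothing to do; otherwise the import is now dead and should be dropped in this commit so the linter does not flag it. The tuple-compatibility `.. note::` in the `CryptoResult` docstring and the body of `__attrs_post_init__` are outside the hunk, so it is worth confirming the inner tuple never included `keyring_trace`.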
@@ -24,7 +23,7 @@ ) from aws_encryption_sdk.keyrings.aws_kms.client_suppliers import DefaultClientSupplier from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey # used as fixtures from ...functional_test_utils import fake_generator # noqa pylint: disable=unused-import @@ -40,13 +39,6 @@ pytestmark = [pytest.mark.functional, pytest.mark.local] -def _matching_flags(wrapping_key, keyring_trace): - # type: (MasterKeyInfo, Iterable[KeyringTrace]) -> List[KeyringTraceFlag] - return list( - itertools.chain.from_iterable([entry.flags for entry in keyring_trace if entry.wrapping_key == wrapping_key]) - ) - - def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator): keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier()) @@ -57,14 +49,6 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator): assert result_materials.data_encryption_key is not None assert len(result_materials.encrypted_data_keys) == 1 - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.GENERATED_DATA_KEY in generator_flags - assert KeyringTraceFlag.ENCRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT in generator_flags - def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator): keyring = _AwsKmsSingleCmkKeyring(key_id=fake_generator, client_supplier=DefaultClientSupplier()) 
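Review bot: Removing `_matching_flags` most likely leaves `itertools` (used here only through `itertools.chain.from_iterable`) and the `Iterable`/`List` names from its type comment as unused imports, and `KEY_NAMESPACE` together with `MasterKeyInfo` stay live only if some assertion outside the deleted ones still builds `MasterKeyInfo(provider_id=KEY_NAMESPACE, ...)`. The import lines themselves sit above the hunk at line 10 and the typing import is not shown, so this is inferred; a linter pass on the file would settle it. If they are dead, prune them in this commit rather than leaving the cleanup for later.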
@@ -83,14 +67,6 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator) assert result_materials.data_encryption_key is not None assert len(result_materials.encrypted_data_keys) == 1 - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.GENERATED_DATA_KEY not in generator_flags - assert KeyringTraceFlag.ENCRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT in generator_flags - @mock_kms def test_aws_kms_single_cmk_keyring_on_encrypt_fail(): @@ -153,13 +129,6 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk(fake_generator): assert result_materials is not initial_decryption_materials assert result_materials.data_encryption_key is not None - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags - def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_child): generator, child = fake_generator_and_child 
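Review bot: Dropping the `DECRYPTED_DATA_KEY` trace assertions in `test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk` leaves the test checking only that some data key came back, not that it was unwrapped under the expected CMK; the same applies to the multi-CMK, discovery and `test_try_aws_kms_decrypt_succeed` hunks on the next line. The data key's `key_provider` carries that information without the trace, so the check can be kept as `assert result_materials.data_encryption_key.key_provider == MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator)` here, and with `key_info=child` in the multi-CMK test, where the generator must not be the key that decrypted. This assumes the keyring sets `key_provider` on the `RawDataKey` it returns, which the decrypt path (outside this diff) would need to confirm.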
@@ -179,18 +148,6 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_c decryption_materials=initial_decryption_materials, encrypted_data_keys=encryption_materials.encrypted_data_keys ) - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator), result_materials.keyring_trace - ) - assert len(generator_flags) == 0 - - child_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=child), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in child_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in child_flags - def test_aws_kms_single_cmk_keyring_on_decrypt_no_match(fake_generator_and_child): generator, child = fake_generator_and_child @@ -274,13 +231,6 @@ def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery assert result_materials is not initial_decryption_materials assert result_materials.data_encryption_key is not None - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator_key_id), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags - @mock_kms def test_aws_kms_discovery_keyring_on_decrypt_existing_data_key(caplog): @@ -380,13 +330,6 @@ def test_try_aws_kms_decrypt_succeed(fake_generator): assert result_materials.data_encryption_key.data_key == plaintext - generator_flags = _matching_flags( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace - ) - - assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags - assert KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT in generator_flags - @mock_kms def test_try_aws_kms_decrypt_error(caplog): diff --git a/test/functional/keyrings/raw/test_raw_aes.py b/test/functional/keyrings/raw/test_raw_aes.py index 9759f2ce9..e08c94c8e 100644 
--- a/test/functional/keyrings/raw/test_raw_aes.py +++ b/test/functional/keyrings/raw/test_raw_aes.py @@ -18,7 +18,6 @@ Algorithm, EncryptionKeyType, EncryptionType, - KeyringTraceFlag, WrappingAlgorithm, ) from aws_encryption_sdk.internal.crypto import WrappingKey @@ -26,7 +25,7 @@ from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.raw import RawAESKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.functional, pytest.mark.local] @@ -54,12 +53,6 @@ def sample_encryption_materials(): ), encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ), ] diff --git a/test/functional/keyrings/raw/test_raw_rsa.py b/test/functional/keyrings/raw/test_raw_rsa.py index f72ffee51..a883bfb3e 100644 --- a/test/functional/keyrings/raw/test_raw_rsa.py +++ b/test/functional/keyrings/raw/test_raw_rsa.py @@ -22,14 +22,13 @@ Algorithm, EncryptionKeyType, EncryptionType, - KeyringTraceFlag, WrappingAlgorithm, ) from aws_encryption_sdk.internal.crypto import WrappingKey from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.raw import RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.functional, pytest.mark.local] 
@@ -93,12 +92,6 @@ def sample_encryption_materials(): data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ), ] diff --git a/test/functional/keyrings/test_multi.py b/test/functional/keyrings/test_multi.py index 43833a41a..b2674bd8d 100644 --- a/test/functional/keyrings/test_multi.py +++ b/test/functional/keyrings/test_multi.py @@ -16,12 +16,12 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa -from aws_encryption_sdk.identifiers import KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import WrappingAlgorithm from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.keyrings.multi import MultiKeyring from aws_encryption_sdk.keyrings.raw import RawAESKeyring, RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.functional, pytest.mark.local] @@ -41,12 +41,6 @@ data_key=b'*!\xa1"^-(\xf3\x105\x05i@B\xc2\xa2\xb7\xdd\xd5\xd5\xa9\xddm\xfae\xa8\\$\xf9d\x1e(', ), encryption_context=_ENCRYPTION_CONTEXT, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ) _rsa_private_key_a = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) diff --git a/test/functional/test_client.py b/test/functional/test_client.py index ebe7e14d1..89d9d2a7d 100644 --- a/test/functional/test_client.py +++ b/test/functional/test_client.py 
@@ -469,31 +469,9 @@ def run_raw_provider_check( ) decrypt_result = aws_encryption_sdk.decrypt(source=encrypt_result.result, **decrypt_kwargs) - if isinstance(encrypting_provider, Keyring): - trace_entries = ( - entry - for entry in encrypt_result.keyring_trace - if ( - entry.wrapping_key.provider_id == encrypting_provider.key_namespace - and entry.wrapping_key.key_info == encrypting_provider.key_name - ) - ) - assert trace_entries - assert decrypt_result.result == VALUES["plaintext_128"] assert_key_not_logged(encrypting_provider, log_capturer.text) - if isinstance(decrypting_provider, Keyring): - trace_entries = ( - entry - for entry in decrypt_result.keyring_trace - if ( - entry.wrapping_key.provider_id == decrypting_provider.key_namespace - and entry.wrapping_key.key_info == decrypting_provider.key_name - ) - ) - assert trace_entries - @pytest.mark.parametrize( "encrypt_param_name, encrypting_provider, decrypt_param_name, decrypting_provider", diff --git a/test/unit/keyrings/raw/test_raw_aes.py b/test/unit/keyrings/raw/test_raw_aes.py index 72961c7d4..954d4f6c9 100644 --- a/test/unit/keyrings/raw/test_raw_aes.py +++ b/test/unit/keyrings/raw/test_raw_aes.py @@ -20,7 +20,7 @@ import aws_encryption_sdk.key_providers.raw import aws_encryption_sdk.keyrings.raw from aws_encryption_sdk.exceptions import EncryptKeyError -from aws_encryption_sdk.identifiers import Algorithm, KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import Algorithm, WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.raw import GenerateKeyError, RawAESKeyring, _generate_data_key 
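Review bot: After this deletion `Keyring` is referenced nowhere else in the visible part of `run_raw_provider_check`, so unless the module uses it elsewhere the import is now unused and should go with this change. The removed `assert trace_entries` statements asserted on a generator object, which is always truthy, so no real coverage is lost here; the plaintext comparison and `assert_key_not_logged` are the substantive checks that remain. `run_raw_provider_check` starts before this hunk.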
@@ -129,25 +129,6 @@ def test_on_encrypt_when_data_encryption_key_given(raw_aes_keyring, patch_genera assert not patch_generate_data_key.called -def test_keyring_trace_on_encrypt_when_data_encryption_key_given(raw_aes_keyring): - test_raw_aes_keyring = raw_aes_keyring - - test = test_raw_aes_keyring.on_encrypt(encryption_materials=get_encryption_materials_with_data_encryption_key()) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 0 - - encrypt_traces = [ - entry - for entry in trace_entries - if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT} - ] - assert len(encrypt_traces) == 1 - - def test_on_encrypt_when_data_encryption_key_not_given(raw_aes_keyring): test_raw_aes_keyring = raw_aes_keyring @@ -160,20 +141,6 @@ def test_on_encrypt_when_data_encryption_key_not_given(raw_aes_keyring): # Check if data key is generated assert test.data_encryption_key is not None - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 2 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 1 - - encrypt_traces = [ - entry - for entry in trace_entries - if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT} - ] - assert len(encrypt_traces) == 1 - assert len(test.encrypted_data_keys) == original_number_of_encrypted_data_keys + 1 
@@ -199,17 +166,6 @@ def test_on_decrypt_when_data_key_given(raw_aes_keyring, decryption_materials, e assert not patch_decrypt_on_wrapping_key.called -def test_on_decrypt_keyring_trace_when_data_key_given(raw_aes_keyring): - test_raw_aes_keyring = raw_aes_keyring - test = test_raw_aes_keyring.on_decrypt( - decryption_materials=get_decryption_materials_with_data_encryption_key(), - encrypted_data_keys=[_ENCRYPTED_DATA_KEY_AES], - ) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 0 - - @pytest.mark.parametrize( "decryption_materials, edk", ( @@ -223,11 +179,8 @@ def test_on_decrypt_when_data_key_and_edk_not_provided( test_raw_aes_keyring = raw_aes_keyring test = test_raw_aes_keyring.on_decrypt(decryption_materials=decryption_materials, encrypted_data_keys=edk) - assert not patch_decrypt_on_wrapping_key.called - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 0 + assert not patch_decrypt_on_wrapping_key.called assert test.data_encryption_key is None 
@@ -243,25 +196,6 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_provided(raw_aes_keyring, ) -def test_on_decrypt_keyring_trace_when_data_key_not_provided_and_edk_provided(raw_aes_keyring): - test_raw_aes_keyring = raw_aes_keyring - - test = test_raw_aes_keyring.on_decrypt( - decryption_materials=get_decryption_materials_without_data_encryption_key(), - encrypted_data_keys=[_ENCRYPTED_DATA_KEY_AES], - ) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_aes_keyring._key_provider] - assert len(trace_entries) == 1 - - decrypt_traces = [ - entry - for entry in trace_entries - if entry.flags == {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT} - ] - assert len(decrypt_traces) == 1 - - def test_on_decrypt_continues_through_edks_on_failure(raw_aes_keyring, patch_decrypt_on_wrapping_key): patch_decrypt_on_wrapping_key.side_effect = (Exception("DECRYPT FAIL"), _DATA_KEY) @@ -293,7 +227,7 @@ def test_generate_data_key_error_when_data_key_exists(): assert exc_info.match("Data encryption key already exists.") -def test_generate_data_key_keyring_trace(): +def test_generate_data_key_provider_info(): encryption_materials_without_data_key = EncryptionMaterials( algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, encryption_context=_ENCRYPTION_CONTEXT, 
@@ -306,13 +240,6 @@ def test_generate_data_key_keyring_trace(): assert new_materials is not encryption_materials_without_data_key assert encryption_materials_without_data_key.data_encryption_key is None - assert not encryption_materials_without_data_key.keyring_trace assert new_materials.data_encryption_key is not None assert new_materials.data_encryption_key.key_provider == key_provider_info - - trace_entries = [entry for entry in new_materials.keyring_trace if entry.wrapping_key == key_provider_info] - assert len(trace_entries) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 1 diff --git a/test/unit/keyrings/raw/test_raw_rsa.py b/test/unit/keyrings/raw/test_raw_rsa.py index 55b91de92..eba58b6e4 100644 --- a/test/unit/keyrings/raw/test_raw_rsa.py +++ b/test/unit/keyrings/raw/test_raw_rsa.py @@ -20,7 +20,7 @@ import aws_encryption_sdk.key_providers.raw import aws_encryption_sdk.keyrings.raw from aws_encryption_sdk.exceptions import EncryptKeyError -from aws_encryption_sdk.identifiers import KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.raw import RawRSAKeyring 
@@ -165,21 +165,6 @@ def test_on_encrypt_no_public_key(raw_rsa_keyring): excinfo.match("A public key is required to encrypt") -def test_on_encrypt_keyring_trace_when_data_encryption_key_given(raw_rsa_keyring): - materials = get_encryption_materials_with_data_encryption_key() - test = raw_rsa_keyring.on_encrypt(encryption_materials=materials) - assert test is not materials - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 1 - - encrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY}] - assert len(encrypt_traces) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 0 - - def test_on_encrypt_when_data_encryption_key_not_given(raw_rsa_keyring): test_raw_rsa_keyring = raw_rsa_keyring @@ -189,15 +174,6 @@ def test_on_encrypt_when_data_encryption_key_not_given(raw_rsa_keyring): test = test_raw_rsa_keyring.on_encrypt(encryption_materials=get_encryption_materials_without_data_encryption_key()) - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 2 - - encrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.ENCRYPTED_DATA_KEY}] - assert len(encrypt_traces) == 1 - - generate_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.GENERATED_DATA_KEY}] - assert len(generate_traces) == 1 - assert test.data_encryption_key.data_key is not None assert len(test.encrypted_data_keys) == original_number_of_encrypted_data_keys + 1 
@@ -221,16 +197,6 @@ def test_on_decrypt_no_private_key(raw_rsa_keyring): assert test is materials -def test_on_decrypt_keyring_trace_when_data_key_given(raw_rsa_keyring): - test_raw_rsa_keyring = raw_rsa_keyring - test = test_raw_rsa_keyring.on_decrypt( - decryption_materials=get_decryption_materials_with_data_encryption_key(), - encrypted_data_keys=[_ENCRYPTED_DATA_KEY_RSA], - ) - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 0 - - def test_on_decrypt_when_data_key_and_edk_not_provided(raw_rsa_keyring, patch_decrypt_on_wrapping_key): test_raw_rsa_keyring = raw_rsa_keyring @@ -239,9 +205,6 @@ def test_on_decrypt_when_data_key_and_edk_not_provided(raw_rsa_keyring, patch_de ) assert not patch_decrypt_on_wrapping_key.called - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 0 - assert test.data_encryption_key is None @@ -267,9 +230,6 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_not_in_keyring(raw_rsa_ke ) assert not patch_decrypt_on_wrapping_key.called - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert not trace_entries - assert test.data_encryption_key is None 
@@ -286,25 +246,6 @@ def test_on_decrypt_when_data_key_not_provided_and_edk_provided(raw_rsa_keyring, ) -def test_on_decrypt_keyring_trace_when_data_key_not_provided_and_edk_provided(raw_rsa_keyring): - test_raw_rsa_keyring = raw_rsa_keyring - - test = test_raw_rsa_keyring.on_decrypt( - decryption_materials=get_decryption_materials_without_data_encryption_key(), - encrypted_data_keys=test_raw_rsa_keyring.on_encrypt( - encryption_materials=get_encryption_materials_without_data_encryption_key() - ).encrypted_data_keys, - ) - - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 1 - - decrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.DECRYPTED_DATA_KEY}] - assert len(decrypt_traces) == 1 - - assert test.data_encryption_key is not None - - def test_on_decrypt_continues_through_edks_on_failure(raw_rsa_keyring, mocker): patched_wrapping_key_decrypt = mocker.patch.object(raw_rsa_keyring._private_wrapping_key, "decrypt") patched_wrapping_key_decrypt.side_effect = (Exception("DECRYPT FAIL"), _DATA_KEY) @@ -316,10 +257,4 @@ def test_on_decrypt_continues_through_edks_on_failure(raw_rsa_keyring, mocker): assert patched_wrapping_key_decrypt.call_count == 2 - trace_entries = [entry for entry in test.keyring_trace if entry.wrapping_key == raw_rsa_keyring._key_provider] - assert len(trace_entries) == 1 - - decrypt_traces = [entry for entry in trace_entries if entry.flags == {KeyringTraceFlag.DECRYPTED_DATA_KEY}] - assert len(decrypt_traces) == 1 - assert test.data_encryption_key.data_key == _DATA_KEY diff --git a/test/unit/materials_managers/test_material_managers.py b/test/unit/materials_managers/test_material_managers.py index 62314298e..5fcdf83b3 100644 --- a/test/unit/materials_managers/test_material_managers.py +++ b/test/unit/materials_managers/test_material_managers.py 
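Review bot: `test_on_decrypt_keyring_trace_when_data_key_not_provided_and_edk_provided` was the only visible RSA test that ran `on_encrypt` and then `on_decrypt` through the real wrapping key and asserted `test.data_encryption_key is not None`; the neighbouring decrypt tests patch `decrypt` via `patch_decrypt_on_wrapping_key` or `mocker`. Deleting it entirely drops that unmocked round-trip; keeping the body with only the `trace_entries`/`decrypt_traces` blocks removed, under a name such as `test_on_decrypt_round_trip_when_edk_provided`, preserves it. The AES counterpart removed in the earlier hunk of test/unit/keyrings/raw/test_raw_aes.py made no data-key assertion, so the loss there is smaller.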
@@ -17,8 +17,8 @@ from cryptography.hazmat.primitives.asymmetric import ec from mock import MagicMock -from aws_encryption_sdk.exceptions import InvalidDataKeyError, InvalidKeyringTraceError, SignatureKeyError -from aws_encryption_sdk.identifiers import AlgorithmSuite, KeyringTraceFlag +from aws_encryption_sdk.exceptions import InvalidDataKeyError, SignatureKeyError +from aws_encryption_sdk.identifiers import AlgorithmSuite from aws_encryption_sdk.internal.crypto.authentication import Signer, Verifier from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.internal.utils.streams import ROStream @@ -30,7 +30,7 @@ EncryptionMaterialsRequest, _data_key_to_raw_data_key, ) -from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import DataKey, EncryptedDataKey, MasterKeyInfo, RawDataKey pytestmark = [pytest.mark.unit, pytest.mark.local] @@ -50,12 +50,6 @@ algorithm=ALGORITHM, encryption_context={"additional": "data"}, data_encryption_key=_DATA_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id="Provider", key_info=b"Info"), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ), "EncryptionMaterialsRequest": dict( encryption_context={}, @@ -95,7 +89,6 @@ def _copy_and_update_kwargs(class_name, mod_kwargs): (CryptographicMaterials, dict(encryption_context=1234)), (CryptographicMaterials, dict(data_encryption_key=1234)), (CryptographicMaterials, dict(encrypted_data_keys=1234)), - (CryptographicMaterials, dict(keyring_trace=1234)), (EncryptionMaterialsRequest, dict(encryption_context=None)), (EncryptionMaterialsRequest, dict(frame_length="not an int")), (EncryptionMaterialsRequest, dict(algorithm="not an Algorithm or None")), @@ -184,8 +177,6 @@ def _cryptographic_materials_attributes(): "algorithm", "encryption_context", "data_encryption_key", - "_keyring_trace", - "keyring_trace", "_initialized", ): yield material, attribute 
@@ -207,24 +198,6 @@ def test_cryptographic_materials_cannot_change_attribute(material_class, attribu excinfo.match("can't set attribute") -@pytest.mark.parametrize("material_class", (CryptographicMaterials, EncryptionMaterials, DecryptionMaterials)) -def test_immutable_keyring_trace(material_class): - materials = material_class(**_VALID_KWARGS[material_class.__name__]) - - with pytest.raises(AttributeError): - materials.keyring_trace.append(42) - - -@pytest.mark.parametrize("material_class", (CryptographicMaterials, EncryptionMaterials, DecryptionMaterials)) -def test_empty_keyring_trace(material_class): - materials = material_class(**_copy_and_update_kwargs(material_class.__name__, dict(keyring_trace=_REMOVE))) - - trace = materials.keyring_trace - - assert isinstance(trace, tuple) - assert not trace - - def test_immutable_encrypted_data_keys(): materials = EncryptionMaterials(**_VALID_KWARGS["EncryptionMaterials"]) @@ -242,13 +215,13 @@ def test_empty_encrypted_data_keys(): @pytest.mark.parametrize( - "material_class, flag", + "material_class", ( - (EncryptionMaterials, KeyringTraceFlag.GENERATED_DATA_KEY), - (DecryptionMaterials, KeyringTraceFlag.DECRYPTED_DATA_KEY), + (EncryptionMaterials), + (DecryptionMaterials), ), ) -def test_with_data_encryption_key_success(material_class, flag): +def test_with_data_encryption_key_success(material_class): kwargs = _copy_and_update_kwargs( material_class.__name__, dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE) ) 
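Review bot: The new parametrize values `(EncryptionMaterials), (DecryptionMaterials)` are bare names in redundant parentheses left over from the old two-element tuples; they work, but read as if one-element tuples were intended. Writing the argument as `"material_class", (EncryptionMaterials, DecryptionMaterials),` says what is meant, and matches the single-name form `@pytest.mark.parametrize("material_class", (CryptographicMaterials, EncryptionMaterials, DecryptionMaterials))` this file already used in the tests deleted just above.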
@@ -258,45 +231,23 @@ def test_with_data_encryption_key_success(material_class, flag): data_encryption_key=RawDataKey( key_provider=MasterKeyInfo(provider_id="a", key_info=b"b"), data_key=b"1" * ALGORITHM.kdf_input_len ), - keyring_trace=KeyringTrace(wrapping_key=MasterKeyInfo(provider_id="a", key_info=b"b"), flags={flag}), ) assert new_materials is not materials def _add_data_encryption_key_test_cases(): - for material_class, required_flags in ( - (EncryptionMaterials, KeyringTraceFlag.GENERATED_DATA_KEY), - (DecryptionMaterials, KeyringTraceFlag.DECRYPTED_DATA_KEY), - ): + for material_class in (EncryptionMaterials, DecryptionMaterials): yield ( material_class, dict(data_encryption_key=_RAW_DATA_KEY, data_key=_REMOVE, encrypted_data_keys=_REMOVE), _RAW_DATA_KEY, - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags={required_flags}), AttributeError, "Data encryption key is already set.", ) - yield ( - material_class, - dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE), - _RAW_DATA_KEY, - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags=set()), - InvalidKeyringTraceError, - "Keyring flags do not match action.", - ) - yield ( - material_class, - dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE), - RawDataKey(key_provider=MasterKeyInfo(provider_id="a", key_info=b"b"), data_key=b"asdf"), - KeyringTrace(wrapping_key=MasterKeyInfo(provider_id="c", key_info=b"d"), flags={required_flags}), - InvalidKeyringTraceError, - "Keyring trace does not match data key provider.", - ) yield ( material_class, dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE), RawDataKey(key_provider=_RAW_DATA_KEY.key_provider, data_key=b"1234"), - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags={required_flags}), InvalidDataKeyError, r"Invalid data key length *", ) 
@@ -304,24 +255,23 @@ def _add_data_encryption_key_test_cases(): DecryptionMaterials, dict(data_encryption_key=_REMOVE, data_key=_REMOVE, encrypted_data_keys=_REMOVE, algorithm=_REMOVE), RawDataKey(key_provider=_RAW_DATA_KEY.key_provider, data_key=b"1234"), - KeyringTrace(wrapping_key=_RAW_DATA_KEY.key_provider, flags={required_flags}), AttributeError, "Algorithm is not set", ) @pytest.mark.parametrize( - "material_class, mod_kwargs, data_encryption_key, keyring_trace, exception_type, exception_message", + "material_class, mod_kwargs, data_encryption_key, exception_type, exception_message", _add_data_encryption_key_test_cases(), ) def test_with_data_encryption_key_fail( - material_class, mod_kwargs, data_encryption_key, keyring_trace, exception_type, exception_message + material_class, mod_kwargs, data_encryption_key, exception_type, exception_message ): kwargs = _copy_and_update_kwargs(material_class.__name__, mod_kwargs) materials = material_class(**kwargs) with pytest.raises(exception_type) as excinfo: - materials.with_data_encryption_key(data_encryption_key=data_encryption_key, keyring_trace=keyring_trace) + materials.with_data_encryption_key(data_encryption_key=data_encryption_key) excinfo.match(exception_message) 
@@ -332,48 +282,27 @@ def test_with_encrypted_data_key_success(): new_materials = materials.with_encrypted_data_key( _ENCRYPTED_DATA_KEY, - keyring_trace=KeyringTrace( - wrapping_key=_ENCRYPTED_DATA_KEY.key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY} - ), ) assert new_materials is not materials @pytest.mark.parametrize( - "mod_kwargs, encrypted_data_key, keyring_trace, exception_type, exception_message", + "mod_kwargs, encrypted_data_key, exception_type, exception_message", ( - ( - {}, - _ENCRYPTED_DATA_KEY, - KeyringTrace(wrapping_key=_ENCRYPTED_DATA_KEY.key_provider, flags=set()), - InvalidKeyringTraceError, - "Keyring flags do not match action.", - ), - ( - {}, - EncryptedDataKey(key_provider=MasterKeyInfo(provider_id="a", key_info=b"b"), encrypted_data_key=b"asdf"), - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id="not a match", key_info=b"really not a match"), - flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ), - InvalidKeyringTraceError, - "Keyring trace does not match data key encryptor.", - ), ( dict(data_encryption_key=_REMOVE, encrypted_data_keys=_REMOVE), _ENCRYPTED_DATA_KEY, - KeyringTrace(wrapping_key=_ENCRYPTED_DATA_KEY.key_provider, flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}), AttributeError, "Data encryption key is not set.", ), ), ) -def test_with_encrypted_data_key_fail(mod_kwargs, encrypted_data_key, keyring_trace, exception_type, exception_message): +def test_with_encrypted_data_key_fail(mod_kwargs, encrypted_data_key, exception_type, exception_message): kwargs = _copy_and_update_kwargs("EncryptionMaterials", mod_kwargs) materials = EncryptionMaterials(**kwargs) with pytest.raises(exception_type) as excinfo: - materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key, keyring_trace=keyring_trace) + materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) excinfo.match(exception_message) diff --git a/test/unit/test_structures.py b/test/unit/test_structures.py index 26cef17ec..16eb142b0 100644 
--- a/test/unit/test_structures.py +++ b/test/unit/test_structures.py @@ -13,12 +13,11 @@ """Unit test suite for aws_encryption_sdk.structures""" import pytest -from aws_encryption_sdk.identifiers import Algorithm, ContentType, KeyringTraceFlag, ObjectType, SerializationVersion +from aws_encryption_sdk.identifiers import Algorithm, ContentType, ObjectType, SerializationVersion from aws_encryption_sdk.structures import ( CryptoResult, DataKey, EncryptedDataKey, - KeyringTrace, MasterKeyInfo, MessageHeader, RawDataKey, @@ -65,11 +64,6 @@ key_provider=MasterKeyInfo(provider_id="asjnoa", key_info=b"aosjfoaiwej"), encrypted_data_key=b"aisofiawjef" ) ], - KeyringTrace: [ - dict( - wrapping_key=MasterKeyInfo(provider_id="foo", key_info=b"bar"), flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ) - ], CryptoResult: [ dict( result=b"super secret stuff", @@ -85,12 +79,6 @@ header_iv_length=32456, frame_length=234567, ), - keyring_trace=( - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id="foo", key_info=b"bar"), - flags={KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ), - ), ) ], } diff --git a/test/unit/unit_test_utils.py b/test/unit/unit_test_utils.py index bd6a9a82f..35bafd609 100644 --- a/test/unit/unit_test_utils.py +++ b/test/unit/unit_test_utils.py @@ -14,7 +14,7 @@ from cryptography.hazmat.primitives.asymmetric import rsa from aws_encryption_sdk.exceptions import DecryptKeyError -from aws_encryption_sdk.identifiers import AlgorithmSuite, EncryptionKeyType, KeyringTraceFlag, WrappingAlgorithm +from aws_encryption_sdk.identifiers import AlgorithmSuite, EncryptionKeyType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey from aws_encryption_sdk.internal.utils.streams import InsistentReaderBytesIO from aws_encryption_sdk.key_providers.base import MasterKeyProvider, MasterKeyProviderConfig 
@@ -23,7 +23,7 @@ from aws_encryption_sdk.keyrings.multi import MultiKeyring from aws_encryption_sdk.keyrings.raw import RawAESKeyring, RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterials, EncryptionMaterials -from aws_encryption_sdk.structures import EncryptedDataKey, KeyringTrace, MasterKeyInfo, RawDataKey +from aws_encryption_sdk.structures import EncryptedDataKey, MasterKeyInfo, RawDataKey try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Dict, Iterable, Optional # noqa pylint: disable=unused-import @@ -101,7 +101,6 @@ def on_encrypt(self, encryption_materials): ) encryption_materials = encryption_materials.with_data_encryption_key( data_encryption_key=data_encryption_key, - keyring_trace=KeyringTrace(wrapping_key=key_provider, flags={KeyringTraceFlag.GENERATED_DATA_KEY}), ) return encryption_materials @@ -119,12 +118,6 @@ def get_encryption_materials_with_data_key(): ), encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ) @@ -137,12 +130,6 @@ def get_encryption_materials_with_data_encryption_key(): ), encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY}, - ) - ], ) @@ -170,12 +157,6 @@ def get_encryption_materials_with_encrypted_data_key(): ], encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY, KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ) - ], ) 
@@ -189,12 +170,6 @@ def get_encryption_materials_with_encrypted_data_key_aes(): encrypted_data_keys=[_ENCRYPTED_DATA_KEY_AES], encryption_context=_ENCRYPTION_CONTEXT, signing_key=_SIGNING_KEY, - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.GENERATED_DATA_KEY, KeyringTraceFlag.ENCRYPTED_DATA_KEY}, - ) - ], ) @@ -223,12 +198,6 @@ def get_decryption_materials_with_data_key(): ), encryption_context=_ENCRYPTION_CONTEXT, verification_key=b"ex_verification_key", - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}, - ) - ], ) @@ -241,12 +210,6 @@ def get_decryption_materials_with_data_encryption_key(): ), encryption_context=_ENCRYPTION_CONTEXT, verification_key=b"ex_verification_key", - keyring_trace=[ - KeyringTrace( - wrapping_key=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=_EXISTING_KEY_ID), - flags={KeyringTraceFlag.DECRYPTED_DATA_KEY}, - ) - ], ) @@ -587,7 +550,6 @@ def _break_encryption_materials(self, encryption_materials): encrypted_data_keys=encryption_materials.encrypted_data_keys, encryption_context=self._broken_encryption_context(encryption_materials.encryption_context), signing_key=self._broken_key(encryption_materials.signing_key), - keyring_trace=encryption_materials.keyring_trace, ) def _break_decryption_materials(self, decryption_materials): @@ -597,7 +559,6 @@ def _break_decryption_materials(self, decryption_materials): data_encryption_key=decryption_materials.data_encryption_key, encryption_context=self._broken_encryption_context(decryption_materials.encryption_context), verification_key=self._broken_key(decryption_materials.verification_key), - keyring_trace=decryption_materials.keyring_trace, ) def on_encrypt(self, encryption_materials): 
@@ -625,7 +586,6 @@ def on_encrypt(self, encryption_materials): data_encryption_key=materials.data_encryption_key, encryption_context=materials.encryption_context, signing_key=materials.signing_key, - keyring_trace=materials.keyring_trace, ) def on_decrypt(self, decryption_materials, encrypted_data_keys): From d1b913742cef0fe85237925123a548531f43dfe3 Mon Sep 17 00:00:00 2001 From: Matthew Jones Date: Mon, 10 Aug 2020 12:52:25 -0700 Subject: [PATCH 2/8] chore: run autoformat --- .../keyrings/aws_kms/__init__.py | 17 ++++++----------- src/aws_encryption_sdk/keyrings/raw.py | 5 +---- .../materials_managers/__init__.py | 12 +++--------- test/functional/keyrings/raw/test_raw_aes.py | 7 +------ test/functional/keyrings/raw/test_raw_rsa.py | 7 +------ .../test_material_managers.py | 14 +++----------- 6 files changed, 15 insertions(+), 47 deletions(-) diff --git a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py index b04fb4cc4..a4822df9f 100644 --- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py +++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py @@ -25,6 +25,7 @@ try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Dict, Iterable, Union # noqa pylint: disable=unused-import + from .client_suppliers import ClientSupplierType # noqa pylint: disable=unused-import except ImportError: # pragma: no cover # We only actually need these imports when running the mypy checks @@ -188,9 +189,7 @@ def on_encrypt(self, encryption_materials): algorithm=new_materials.algorithm, grant_tokens=self._grant_tokens, ) - new_materials = new_materials.with_data_encryption_key( - data_encryption_key=plaintext_key, - ) + new_materials = new_materials.with_data_encryption_key(data_encryption_key=plaintext_key,) else: encrypted_key = _do_aws_kms_encrypt( client_supplier=self._client_supplier, 
@@ -202,14 +201,12 @@ def on_encrypt(self, encryption_materials): except Exception: # pylint: disable=broad-except # We intentionally WANT to catch all exceptions here message = "Unable to generate or encrypt data key using {}".format( - MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id) - ) + MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id) + ) _LOGGER.exception(message) raise EncryptKeyError(message) - return new_materials.with_encrypted_data_key( - encrypted_data_key=encrypted_key, - ) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key,) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials @@ -297,9 +294,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en _LOGGER.exception("Unable to decrypt encrypted data key from %s", encrypted_data_key.key_provider) return decryption_materials - return decryption_materials.with_data_encryption_key( - data_encryption_key=plaintext_key, - ) + return decryption_materials.with_data_encryption_key(data_encryption_key=plaintext_key,) def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryption_context, grant_tokens): diff --git a/src/aws_encryption_sdk/keyrings/raw.py b/src/aws_encryption_sdk/keyrings/raw.py index 029e750be..31ce6d04e 100644 --- a/src/aws_encryption_sdk/keyrings/raw.py +++ b/src/aws_encryption_sdk/keyrings/raw.py @@ -58,9 +58,7 @@ def _generate_data_key( # plaintext_data_key to RawDataKey data_encryption_key = RawDataKey(key_provider=key_provider, data_key=plaintext_data_key) - return encryption_materials.with_data_encryption_key( - data_encryption_key=data_encryption_key, - ) + return encryption_materials.with_data_encryption_key(data_encryption_key=data_encryption_key,) @attr.s 
@@ -390,7 +388,6 @@ def on_encrypt(self, encryption_materials): _LOGGER.exception(error_message) raise EncryptKeyError(error_message) - # Add encrypted data key to encryption_materials return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_data_key) diff --git a/src/aws_encryption_sdk/materials_managers/__init__.py b/src/aws_encryption_sdk/materials_managers/__init__.py index c41507030..2d6c795f9 100644 --- a/src/aws_encryption_sdk/materials_managers/__init__.py +++ b/src/aws_encryption_sdk/materials_managers/__init__.py @@ -140,9 +140,7 @@ def _with_data_encryption_key(self, data_encryption_key): :raises AttributeError: if data encryption key is already set :raises InvalidDataKeyError: if data key length does not match algorithm suite """ - self._validate_data_encryption_key( - data_encryption_key=data_encryption_key - ) + self._validate_data_encryption_key(data_encryption_key=data_encryption_key) new_materials = copy.copy(self) @@ -258,9 +256,7 @@ def with_data_encryption_key(self, data_encryption_key): :raises AttributeError: if data encryption key is already set :raises InvalidDataKeyError: if data key length does not match algorithm suite """ - return self._with_data_encryption_key( - data_encryption_key=data_encryption_key, - ) + return self._with_data_encryption_key(data_encryption_key=data_encryption_key,) def with_encrypted_data_key(self, encrypted_data_key): # type: (EncryptedDataKey) -> EncryptionMaterials @@ -426,9 +422,7 @@ def with_data_encryption_key(self, data_encryption_key): if self.algorithm is None: raise AttributeError("Algorithm is not set") - return self._with_data_encryption_key( - data_encryption_key=data_encryption_key, - ) + return self._with_data_encryption_key(data_encryption_key=data_encryption_key,) def with_verification_key(self, verification_key): # type: (bytes) -> DecryptionMaterials 
diff --git a/test/functional/keyrings/raw/test_raw_aes.py b/test/functional/keyrings/raw/test_raw_aes.py index e08c94c8e..d7ba53195 100644 --- a/test/functional/keyrings/raw/test_raw_aes.py +++ b/test/functional/keyrings/raw/test_raw_aes.py @@ -14,12 +14,7 @@ import pytest -from aws_encryption_sdk.identifiers import ( - Algorithm, - EncryptionKeyType, - EncryptionType, - WrappingAlgorithm, -) +from aws_encryption_sdk.identifiers import Algorithm, EncryptionKeyType, EncryptionType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto import WrappingKey from aws_encryption_sdk.internal.formatting.serialize import serialize_raw_master_key_prefix from aws_encryption_sdk.key_providers.raw import RawMasterKey diff --git a/test/functional/keyrings/raw/test_raw_rsa.py b/test/functional/keyrings/raw/test_raw_rsa.py index a883bfb3e..f4b020b68 100644 --- a/test/functional/keyrings/raw/test_raw_rsa.py +++ b/test/functional/keyrings/raw/test_raw_rsa.py @@ -18,12 +18,7 @@ from cryptography.hazmat.primitives.asymmetric import rsa from aws_encryption_sdk.exceptions import EncryptKeyError -from aws_encryption_sdk.identifiers import ( - Algorithm, - EncryptionKeyType, - EncryptionType, - WrappingAlgorithm, -) +from aws_encryption_sdk.identifiers import Algorithm, EncryptionKeyType, EncryptionType, WrappingAlgorithm from aws_encryption_sdk.internal.crypto import WrappingKey from aws_encryption_sdk.key_providers.raw import RawMasterKey from aws_encryption_sdk.keyrings.raw import RawRSAKeyring diff --git a/test/unit/materials_managers/test_material_managers.py b/test/unit/materials_managers/test_material_managers.py index 5fcdf83b3..6483015b5 100644 --- a/test/unit/materials_managers/test_material_managers.py +++ b/test/unit/materials_managers/test_material_managers.py 
@@ -47,9 +47,7 @@ _VALID_KWARGS = { "CryptographicMaterials": dict( - algorithm=ALGORITHM, - encryption_context={"additional": "data"}, - data_encryption_key=_DATA_KEY, + algorithm=ALGORITHM, encryption_context={"additional": "data"}, data_encryption_key=_DATA_KEY, ), "EncryptionMaterialsRequest": dict( encryption_context={}, @@ -215,11 +213,7 @@ def test_empty_encrypted_data_keys(): @pytest.mark.parametrize( - "material_class", - ( - (EncryptionMaterials), - (DecryptionMaterials), - ), + "material_class", ((EncryptionMaterials), (DecryptionMaterials),), ) def test_with_data_encryption_key_success(material_class): kwargs = _copy_and_update_kwargs( @@ -280,9 +274,7 @@ def test_with_encrypted_data_key_success(): kwargs = _copy_and_update_kwargs("EncryptionMaterials", {}) materials = EncryptionMaterials(**kwargs) - new_materials = materials.with_encrypted_data_key( - _ENCRYPTED_DATA_KEY, - ) + new_materials = materials.with_encrypted_data_key(_ENCRYPTED_DATA_KEY,) assert new_materials is not materials From 4f41399c8e797a618c9bcb24a6654071b60610e9 Mon Sep 17 00:00:00 2001 From: Matthew Jones Date: Mon, 10 Aug 2020 15:38:39 -0700 Subject: [PATCH 3/8] chore: Make linters happy --- src/aws_encryption_sdk/identifiers.py | 1 - .../keyrings/aws_kms/test_aws_kms.py | 23 +------------------ test/functional/test_client.py | 1 - test/unit/caches/test_local.py | 4 +--- 4 files changed, 2 insertions(+), 27 deletions(-) diff --git a/src/aws_encryption_sdk/identifiers.py b/src/aws_encryption_sdk/identifiers.py index b3d8551b1..e3c13c1ea 100644 --- a/src/aws_encryption_sdk/identifiers.py +++ b/src/aws_encryption_sdk/identifiers.py @@ -14,7 +14,6 @@ import struct from enum import Enum -import attr from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa from cryptography.hazmat.primitives.ciphers import algorithms, modes 
diff --git a/test/functional/keyrings/aws_kms/test_aws_kms.py b/test/functional/keyrings/aws_kms/test_aws_kms.py index 407bed25a..7dbfcc612 100644 --- a/test/functional/keyrings/aws_kms/test_aws_kms.py +++ b/test/functional/keyrings/aws_kms/test_aws_kms.py @@ -1,7 +1,6 @@ # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 """Functional tests for ``aws_encryption_sdk.keyrings.aws_kms``.""" -import itertools import logging import os @@ -13,7 +12,6 @@ from aws_encryption_sdk.internal.defaults import ALGORITHM from aws_encryption_sdk.keyrings.aws_kms import ( KEY_NAMESPACE, - AwsKmsKeyring, _AwsKmsDiscoveryKeyring, _AwsKmsSingleCmkKeyring, _do_aws_kms_decrypt, @@ -130,25 +128,6 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk(fake_generator): assert result_materials.data_encryption_key is not None -def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_child): - generator, child = fake_generator_and_child - - encrypting_keyring = AwsKmsKeyring(generator_key_id=generator, key_ids=(child,)) - decrypting_keyring = _AwsKmsSingleCmkKeyring(key_id=child, client_supplier=DefaultClientSupplier()) - - initial_encryption_materials = EncryptionMaterials(algorithm=ALGORITHM, encryption_context={}) - - encryption_materials = encrypting_keyring.on_encrypt(initial_encryption_materials) - - initial_decryption_materials = DecryptionMaterials( - algorithm=encryption_materials.algorithm, encryption_context=encryption_materials.encryption_context - ) - - result_materials = decrypting_keyring.on_decrypt( - decryption_materials=initial_decryption_materials, encrypted_data_keys=encryption_materials.encrypted_data_keys - ) - - def test_aws_kms_single_cmk_keyring_on_decrypt_no_match(fake_generator_and_child): generator, child = fake_generator_and_child 
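Review bot: Deleting `test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk` outright loses the only visible check that a `_AwsKmsSingleCmkKeyring` built for the child key can decrypt a message whose data key was wrapped by both generator and child; the linter's complaint was presumably that `result_materials` was assigned and never used, which an assertion fixes. Keeping the test and ending it with `assert result_materials.data_encryption_key is not None`, mirroring the preceding `..._on_decrypt_single_cmk` test, satisfies the linter and preserves coverage of the multi-CMK decrypt path. If the test was removed for a reason other than the unused variable, the commit message ("Make linters happy") does not say so.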
@@ -216,7 +195,7 @@ def encryption_materials_for_discovery_decrypt(fake_generator): def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery_decrypt): - generator_key_id, encryption_materials = encryption_materials_for_discovery_decrypt + _, encryption_materials = encryption_materials_for_discovery_decrypt decrypting_keyring = _AwsKmsDiscoveryKeyring(client_supplier=DefaultClientSupplier()) diff --git a/test/functional/test_client.py b/test/functional/test_client.py index 89d9d2a7d..cbfba60a0 100644 --- a/test/functional/test_client.py +++ b/test/functional/test_client.py @@ -27,7 +27,6 @@ from aws_encryption_sdk.internal.formatting.encryption_context import serialize_encryption_context from aws_encryption_sdk.key_providers.base import MasterKeyProvider, MasterKeyProviderConfig from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider -from aws_encryption_sdk.keyrings.base import Keyring from aws_encryption_sdk.keyrings.raw import RawRSAKeyring from aws_encryption_sdk.materials_managers import DecryptionMaterialsRequest, EncryptionMaterialsRequest diff --git a/test/unit/caches/test_local.py b/test/unit/caches/test_local.py index db2b21ff1..a0ec14f1a 100644 --- a/test/unit/caches/test_local.py +++ b/test/unit/caches/test_local.py @@ -305,9 +305,7 @@ def test_get_encryption_materials(patch_get_single_entry): test = cache.get_encryption_materials(cache_key=sentinel.cache_key, plaintext_length=plaintext_length) patch_get_single_entry.assert_called_once_with(sentinel.cache_key) - patch_get_single_entry.return_value._update_with_message_bytes_encrypted.assert_called_once_with( - plaintext_length - ) + patch_get_single_entry.return_value._update_with_message_bytes_encrypted.assert_called_once_with(plaintext_length) assert test is patch_get_single_entry.return_value From 93e5f1d4844e19d5e36d864bc02deaaeb29f1d64 Mon Sep 17 00:00:00 2001 
From: MatthewBennington Date: Thu, 13 Aug 2020 08:43:38 -0700 Subject: [PATCH 4/8] Update src/aws_encryption_sdk/__init__.py Co-authored-by: Matt Bullock --- src/aws_encryption_sdk/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/aws_encryption_sdk/__init__.py b/src/aws_encryption_sdk/__init__.py index a213b01fb..b85f4a535 100644 --- a/src/aws_encryption_sdk/__init__.py +++ b/src/aws_encryption_sdk/__init__.py @@ -80,7 +80,7 @@ def encrypt(**kwargs): :param algorithm: Algorithm to use for encryption :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param int frame_length: Frame length in bytes - :returns: Encrypted message, and message metadata (header) + :returns: Encrypted message and message metadata (header) :rtype: CryptoResult """ with StreamEncryptor(**kwargs) as encryptor: From 559a4881fa69935a04d1b87a5719db6c385da619 Mon Sep 17 00:00:00 2001 From: MatthewBennington Date: Thu, 13 Aug 2020 08:43:48 -0700 Subject: [PATCH 5/8] Update src/aws_encryption_sdk/__init__.py Co-authored-by: Matt Bullock --- src/aws_encryption_sdk/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/aws_encryption_sdk/__init__.py b/src/aws_encryption_sdk/__init__.py index b85f4a535..dcb5b6879 100644 --- a/src/aws_encryption_sdk/__init__.py +++ b/src/aws_encryption_sdk/__init__.py @@ -141,7 +141,7 @@ def decrypt(**kwargs): :param int max_body_length: Maximum frame size (or content length for non-framed messages) in bytes to read from ciphertext message. - :returns: Decrypted plaintext, and message metadata (header) + :returns: Decrypted plaintext and message metadata (header) :rtype: CryptoResult """ with StreamDecryptor(**kwargs) as decryptor: From a808ba62c3523e07180d6cbcb037536fa10d85ec Mon Sep 17 00:00:00 2001 
From: MatthewBennington Date: Thu, 13 Aug 2020 08:46:19 -0700 Subject: [PATCH 6/8] Update src/aws_encryption_sdk/keyrings/aws_kms/__init__.py Co-authored-by: Matt Bullock --- src/aws_encryption_sdk/keyrings/aws_kms/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py index a4822df9f..ad1c07ffb 100644 --- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py +++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py @@ -189,7 +189,7 @@ def on_encrypt(self, encryption_materials): algorithm=new_materials.algorithm, grant_tokens=self._grant_tokens, ) - new_materials = new_materials.with_data_encryption_key(data_encryption_key=plaintext_key,) + new_materials = new_materials.with_data_encryption_key(data_encryption_key=plaintext_key) else: encrypted_key = _do_aws_kms_encrypt( client_supplier=self._client_supplier, From c11f95ab0a297ebbc2fc8501ba9a01ca2f090549 Mon Sep 17 00:00:00 2001 From: MatthewBennington Date: Thu, 13 Aug 2020 08:46:30 -0700 Subject: [PATCH 7/8] Update src/aws_encryption_sdk/keyrings/aws_kms/__init__.py Co-authored-by: Matt Bullock --- src/aws_encryption_sdk/keyrings/aws_kms/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py index ad1c07ffb..1e9c38e68 100644 --- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py +++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py 
@@ -206,7 +206,7 @@ def on_encrypt(self, encryption_materials): _LOGGER.exception(message) raise EncryptKeyError(message) - return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key,) + return new_materials.with_encrypted_data_key(encrypted_data_key=encrypted_key) def on_decrypt(self, decryption_materials, encrypted_data_keys): # type: (DecryptionMaterials, Iterable[EncryptedDataKey]) -> DecryptionMaterials From 057608faea603c02a92f848fc89bb5e7c2b6e3e9 Mon Sep 17 00:00:00 2001 From: MatthewBennington Date: Thu, 13 Aug 2020 08:46:50 -0700 Subject: [PATCH 8/8] Apply suggestions from code review Co-authored-by: Matt Bullock --- src/aws_encryption_sdk/keyrings/aws_kms/__init__.py | 2 +- src/aws_encryption_sdk/materials_managers/__init__.py | 2 +- test/unit/materials_managers/test_material_managers.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py index 1e9c38e68..5309166cf 100644 --- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py +++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py @@ -294,7 +294,7 @@ def _try_aws_kms_decrypt(client_supplier, decryption_materials, grant_tokens, en _LOGGER.exception("Unable to decrypt encrypted data key from %s", encrypted_data_key.key_provider) return decryption_materials - return decryption_materials.with_data_encryption_key(data_encryption_key=plaintext_key,) + return decryption_materials.with_data_encryption_key(data_encryption_key=plaintext_key) def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryption_context, grant_tokens): diff --git a/src/aws_encryption_sdk/materials_managers/__init__.py b/src/aws_encryption_sdk/materials_managers/__init__.py index 2d6c795f9..354f3c49e 100644 --- a/src/aws_encryption_sdk/materials_managers/__init__.py +++ b/src/aws_encryption_sdk/materials_managers/__init__.py 
@@ -422,7 +422,7 @@ def with_data_encryption_key(self, data_encryption_key): if self.algorithm is None: raise AttributeError("Algorithm is not set") - return self._with_data_encryption_key(data_encryption_key=data_encryption_key,) + return self._with_data_encryption_key(data_encryption_key=data_encryption_key) def with_verification_key(self, verification_key): # type: (bytes) -> DecryptionMaterials diff --git a/test/unit/materials_managers/test_material_managers.py b/test/unit/materials_managers/test_material_managers.py index 6483015b5..9223e42bf 100644 --- a/test/unit/materials_managers/test_material_managers.py +++ b/test/unit/materials_managers/test_material_managers.py @@ -274,7 +274,7 @@ def test_with_encrypted_data_key_success(): kwargs = _copy_and_update_kwargs("EncryptionMaterials", {}) materials = EncryptionMaterials(**kwargs) - new_materials = materials.with_encrypted_data_key(_ENCRYPTED_DATA_KEY,) + new_materials = materials.with_encrypted_data_key(_ENCRYPTED_DATA_KEY) assert new_materials is not materials