diff --git a/buildspec.yml b/buildspec.yml index 5dbd3f2b8..873e5941e 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -2,7 +2,9 @@ version: 0.2 batch: fast-fail: false - build-list: + build-graph: + + # 3.7 - identifier: py37_integ buildspec: codebuild/py37/integ.yml env: @@ -11,11 +13,36 @@ batch: buildspec: codebuild/py37/examples.yml env: image: aws/codebuild/standard:5.0 - - identifier: py37_awses_local - buildspec: codebuild/py37/awses_local.yml + - identifier: py37_decrypt_dafny_esdk_vectors + buildspec: codebuild/py37/decrypt_dafny_esdk_vectors.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py37_decrypt_net_401_vectors + buildspec: codebuild/py37/decrypt_net_401_vectors.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py37_encrypt_masterkey + buildspec: codebuild/py37/encrypt_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py37_generate_decrypt_vectors_masterkey + buildspec: codebuild/py37/generate_decrypt_vectors_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py37_decrypt_masterkey_with_masterkey + depend-on: + - py37_generate_decrypt_vectors_masterkey + buildspec: codebuild/py37/decrypt_masterkey_with_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py37_decrypt_masterkey_with_js + depend-on: + - py37_generate_decrypt_vectors_masterkey + buildspec: codebuild/py37/decrypt_masterkey_with_js.yml env: image: aws/codebuild/standard:5.0 + # 3.8 - identifier: py38_integ buildspec: codebuild/py38/integ.yml env: @@ -24,11 +51,36 @@ batch: buildspec: codebuild/py38/examples.yml env: image: aws/codebuild/standard:5.0 - - identifier: py38_awses_local - buildspec: codebuild/py38/awses_local.yml + - identifier: py38_decrypt_dafny_esdk_vectors + buildspec: codebuild/py38/decrypt_dafny_esdk_vectors.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py38_decrypt_net_401_vectors + buildspec: codebuild/py38/decrypt_net_401_vectors.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py38_encrypt_masterkey + buildspec: codebuild/py38/encrypt_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py38_generate_decrypt_vectors_masterkey + buildspec: codebuild/py38/generate_decrypt_vectors_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py38_decrypt_masterkey_with_masterkey + depend-on: + - py38_generate_decrypt_vectors_masterkey + buildspec: codebuild/py38/decrypt_masterkey_with_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py38_decrypt_masterkey_with_js + depend-on: + - py38_generate_decrypt_vectors_masterkey + buildspec: codebuild/py38/decrypt_masterkey_with_js.yml env: image: aws/codebuild/standard:5.0 + # 3.9 - identifier: py39_integ buildspec: codebuild/py39/integ.yml env: @@ -37,10 +89,36 @@ batch: buildspec: codebuild/py39/examples.yml env: image: aws/codebuild/standard:5.0 - - identifier: py39_awses_latest + - identifier: py39_decrypt_dafny_esdk_vectors + buildspec: codebuild/py39/decrypt_dafny_esdk_vectors.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py39_decrypt_net_401_vectors + buildspec: codebuild/py39/decrypt_net_401_vectors.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py39_encrypt_masterkey + buildspec: codebuild/py39/encrypt_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py39_generate_decrypt_vectors_masterkey + buildspec: codebuild/py39/generate_decrypt_vectors_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py39_decrypt_masterkey_with_masterkey + depend-on: + - py39_generate_decrypt_vectors_masterkey + buildspec: codebuild/py39/decrypt_masterkey_with_masterkey.yml + env: + image: aws/codebuild/standard:5.0 + - identifier: py39_decrypt_masterkey_with_js + depend-on: + - py39_generate_decrypt_vectors_masterkey + buildspec: codebuild/py39/decrypt_masterkey_with_js.yml env: image: aws/codebuild/standard:5.0 + # 3.10 - identifier: py310_integ buildspec: codebuild/py310/integ.yml env: @@ -49,8 +127,32 @@ batch: buildspec: codebuild/py310/examples.yml env: image: aws/codebuild/standard:6.0 - - identifier: py310_awses_latest - buildspec: codebuild/py310/awses_local.yml + - identifier: py310_decrypt_dafny_esdk_vectors + buildspec: codebuild/py310/decrypt_dafny_esdk_vectors.yml + env: + image: aws/codebuild/standard:6.0 + - identifier: py310_decrypt_net_401_vectors + buildspec: codebuild/py310/decrypt_net_401_vectors.yml + env: + image: aws/codebuild/standard:6.0 + - identifier: py310_encrypt_masterkey + buildspec: codebuild/py310/encrypt_masterkey.yml + env: + image: aws/codebuild/standard:6.0 + - identifier: py310_generate_decrypt_vectors_masterkey + buildspec: codebuild/py310/generate_decrypt_vectors_masterkey.yml + env: + image: aws/codebuild/standard:6.0 + - identifier: py310_decrypt_masterkey_with_masterkey + depend-on: + - py310_generate_decrypt_vectors_masterkey + buildspec: codebuild/py310/decrypt_masterkey_with_masterkey.yml + env: + image: aws/codebuild/standard:6.0 + - identifier: py310_decrypt_masterkey_with_js + depend-on: + - py310_generate_decrypt_vectors_masterkey + buildspec: codebuild/py310/decrypt_masterkey_with_js.yml env: image: aws/codebuild/standard:6.0 @@ -70,14 +172,75 @@ batch: buildspec: codebuild/py311/examples_mpl.yml env: image: aws/codebuild/standard:7.0 - - identifier: py311_awses_latest - buildspec: codebuild/py311/awses_local.yml + - identifier: py311_decrypt_dafny_esdk_vectors_masterkey + buildspec: codebuild/py311/decrypt_dafny_esdk_vectors_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_dafny_esdk_vectors_keyrings + buildspec: codebuild/py311/decrypt_dafny_esdk_vectors_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_net_401_vectors_masterkey + buildspec: codebuild/py311/decrypt_net_401_vectors_masterkey.yml env: image: aws/codebuild/standard:7.0 - - identifier: py311_awses_latest_mpl - buildspec: codebuild/py311/awses_local_mpl.yml + - identifier: py311_decrypt_net_401_vectors_keyrings + buildspec: codebuild/py311/decrypt_net_401_vectors_keyrings.yml env: image: aws/codebuild/standard:7.0 + - identifier: py311_encrypt_masterkey + buildspec: codebuild/py311/encrypt_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_encrypt_keyrings + buildspec: codebuild/py311/encrypt_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_generate_decrypt_vectors_masterkey + buildspec: codebuild/py311/generate_decrypt_vectors_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_masterkey_with_masterkey + depend-on: + - py311_generate_decrypt_vectors_masterkey + buildspec: codebuild/py311/decrypt_masterkey_with_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_masterkey_with_keyrings + depend-on: + - py311_generate_decrypt_vectors_masterkey + buildspec: codebuild/py311/decrypt_masterkey_with_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_masterkey_with_js + depend-on: + - py311_generate_decrypt_vectors_masterkey + buildspec: codebuild/py311/decrypt_masterkey_with_js.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_generate_decrypt_vectors_keyrings + buildspec: codebuild/py311/generate_decrypt_vectors_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_keyrings_with_masterkey + depend-on: + - py311_generate_decrypt_vectors_keyrings + buildspec: codebuild/py311/decrypt_keyrings_with_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_keyrings_with_keyrings + depend-on: + - py311_generate_decrypt_vectors_keyrings + buildspec: codebuild/py311/decrypt_keyrings_with_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_decrypt_keyrings_with_js + depend-on: + - py311_generate_decrypt_vectors_keyrings + buildspec: codebuild/py311/decrypt_keyrings_with_js.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_integ buildspec: codebuild/py312/integ.yml @@ -95,15 +258,76 @@ batch: buildspec: codebuild/py312/examples_mpl.yml env: image: aws/codebuild/standard:7.0 - - identifier: py312_awses_latest - buildspec: codebuild/py312/awses_local.yml + - identifier: py312_decrypt_dafny_esdk_vectors_masterkey + buildspec: codebuild/py312/decrypt_dafny_esdk_vectors_masterkey.yml env: image: aws/codebuild/standard:7.0 - - identifier: py312_awses_latest_mpl - buildspec: codebuild/py312/awses_local_mpl.yml + - identifier: py312_decrypt_dafny_esdk_vectors_keyrings + buildspec: codebuild/py312/decrypt_dafny_esdk_vectors_keyrings.yml env: image: aws/codebuild/standard:7.0 - + - identifier: py312_decrypt_net_401_vectors_masterkey + buildspec: codebuild/py312/decrypt_net_401_vectors_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_net_401_vectors_keyrings + buildspec: codebuild/py312/decrypt_net_401_vectors_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_encrypt_masterkey + buildspec: codebuild/py312/encrypt_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_encrypt_keyrings + buildspec: codebuild/py312/encrypt_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_generate_decrypt_vectors_masterkey + buildspec: codebuild/py312/generate_decrypt_vectors_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_masterkey_with_masterkey + depend-on: + - py312_generate_decrypt_vectors_masterkey + buildspec: codebuild/py312/decrypt_masterkey_with_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_masterkey_with_keyrings + depend-on: + - py312_generate_decrypt_vectors_masterkey + buildspec: codebuild/py312/decrypt_masterkey_with_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_masterkey_with_js + depend-on: + - py312_generate_decrypt_vectors_masterkey + buildspec: codebuild/py312/decrypt_masterkey_with_js.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_generate_decrypt_vectors_keyrings + buildspec: codebuild/py312/generate_decrypt_vectors_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_keyrings_with_masterkey + depend-on: + - py312_generate_decrypt_vectors_keyrings + buildspec: codebuild/py312/decrypt_keyrings_with_masterkey.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_keyrings_with_keyrings + depend-on: + - py312_generate_decrypt_vectors_keyrings + buildspec: codebuild/py312/decrypt_keyrings_with_keyrings.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_decrypt_keyrings_with_js + depend-on: + - py312_generate_decrypt_vectors_keyrings + buildspec: codebuild/py312/decrypt_keyrings_with_js.yml + env: + image: aws/codebuild/standard:7.0 + + - identifier: code_coverage buildspec: codebuild/coverage/coverage.yml - identifier: code_coverage_mpl diff --git a/codebuild/py310/decrypt_dafny_esdk_vectors.yml b/codebuild/py310/decrypt_dafny_esdk_vectors.yml new file mode 100644 index 000000000..505f3157c --- /dev/null +++ b/codebuild/py310/decrypt_dafny_esdk_vectors.yml @@ -0,0 +1,58 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py310-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.10 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json diff --git a/codebuild/py310/decrypt_masterkey_with_js.yml b/codebuild/py310/decrypt_masterkey_with_js.yml new file mode 100644 index 000000000..fdfb2363c --- /dev/null +++ b/codebuild/py310/decrypt_masterkey_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.10 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/310_masterkey.zip 310_masterkey.zip + # Repackage zip in expected format + - unzip 310_masterkey.zip + - cd 310_masterkey + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py310/decrypt_masterkey_with_masterkey.yml b/codebuild/py310/decrypt_masterkey_with_masterkey.yml new file mode 100644 index 000000000..577e81b9a --- /dev/null +++ b/codebuild/py310/decrypt_masterkey_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py310-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.10 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/310_masterkey.zip 310_masterkey.zip + - unzip 310_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../310_masterkey/manifest.json \ No newline at end of file diff --git a/codebuild/py310/decrypt_net_401_vectors.yml b/codebuild/py310/decrypt_net_401_vectors.yml new file mode 100644 index 000000000..82ac642d9 --- /dev/null +++ b/codebuild/py310/decrypt_net_401_vectors.yml @@ -0,0 +1,35 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py310-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.10 + pre_build: + commands: + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json diff --git a/codebuild/py310/encrypt_masterkey.yml b/codebuild/py310/encrypt_masterkey.yml new file mode 100644 index 000000000..9cd89fb8f --- /dev/null +++ b/codebuild/py310/encrypt_masterkey.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + TOXENV: "py310-full_encrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.10 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json diff --git a/codebuild/py310/generate_decrypt_vectors_masterkey.yml b/codebuild/py310/generate_decrypt_vectors_masterkey.yml new file mode 100644 index 000000000..640fb72d6 --- /dev/null +++ b/codebuild/py310/generate_decrypt_vectors_masterkey.yml @@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + TOXENV: "py310-full_decrypt_generate" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.10 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 310_masterkey + - zip -r 310_masterkey.zip 310_masterkey + - aws s3 cp 310_masterkey.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/310_masterkey.zip diff --git a/codebuild/py311/decrypt_dafny_esdk_vectors_keyrings.yml b/codebuild/py311/decrypt_dafny_esdk_vectors_keyrings.yml new file mode 100644 index 000000000..d69ce9370 --- /dev/null +++ b/codebuild/py311/decrypt_dafny_esdk_vectors_keyrings.yml @@ -0,0 +1,59 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py311-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json \ + --keyrings diff --git a/codebuild/py311/decrypt_dafny_esdk_vectors_masterkey.yml b/codebuild/py311/decrypt_dafny_esdk_vectors_masterkey.yml new file mode 100644 index 000000000..6106906b5 --- /dev/null +++ b/codebuild/py311/decrypt_dafny_esdk_vectors_masterkey.yml @@ -0,0 +1,58 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py311-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json diff --git a/codebuild/py311/decrypt_keyrings_with_js.yml b/codebuild/py311/decrypt_keyrings_with_js.yml new file mode 100644 index 000000000..578b83cab --- /dev/null +++ b/codebuild/py311/decrypt_keyrings_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_keyrings.zip 311_keyrings.zip + # Repackage zip in expected format + - unzip 311_keyrings.zip + - cd 311_keyrings + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py311/decrypt_keyrings_with_keyrings.yml b/codebuild/py311/decrypt_keyrings_with_keyrings.yml new file mode 100644 index 000000000..fec275d48 --- /dev/null +++ b/codebuild/py311/decrypt_keyrings_with_keyrings.yml @@ -0,0 +1,31 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_keyrings.zip 311_keyrings.zip + - unzip 311_keyrings.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../311_keyrings/manifest.json \ + --keyrings \ No newline at end of file diff --git a/codebuild/py311/decrypt_keyrings_with_masterkey.yml b/codebuild/py311/decrypt_keyrings_with_masterkey.yml new file mode 100644 index 000000000..714882c54 --- /dev/null +++ b/codebuild/py311/decrypt_keyrings_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_keyrings.zip 311_keyrings.zip + - unzip 311_keyrings.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../311_keyrings/manifest.json \ No newline at end of file diff --git a/codebuild/py311/decrypt_masterkey_with_js.yml b/codebuild/py311/decrypt_masterkey_with_js.yml new file mode 100644 index 000000000..a73e93580 --- /dev/null +++ b/codebuild/py311/decrypt_masterkey_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_masterkey.zip 311_masterkey.zip + # Repackage zip in expected format + - unzip 311_masterkey.zip + - cd 311_masterkey + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py311/decrypt_masterkey_with_keyrings.yml b/codebuild/py311/decrypt_masterkey_with_keyrings.yml new file mode 100644 index 000000000..8543077bd --- /dev/null +++ b/codebuild/py311/decrypt_masterkey_with_keyrings.yml @@ -0,0 +1,31 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_masterkey.zip 311_masterkey.zip + - unzip 311_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../311_masterkey/manifest.json \ + --keyrings \ No newline at end of file diff --git a/codebuild/py311/decrypt_masterkey_with_masterkey.yml b/codebuild/py311/decrypt_masterkey_with_masterkey.yml new file mode 100644 index 000000000..dd64d2dff --- /dev/null +++ b/codebuild/py311/decrypt_masterkey_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_masterkey.zip 311_masterkey.zip + - unzip 311_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../311_masterkey/manifest.json \ No newline at end of file diff --git a/codebuild/py311/decrypt_net_401_vectors_keyrings.yml b/codebuild/py311/decrypt_net_401_vectors_keyrings.yml new file mode 100644 index 000000000..1a23f0917 --- /dev/null +++ b/codebuild/py311/decrypt_net_401_vectors_keyrings.yml @@ -0,0 +1,36 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py311-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json \ + --keyrings diff --git a/codebuild/py311/decrypt_net_401_vectors_masterkey.yml b/codebuild/py311/decrypt_net_401_vectors_masterkey.yml new file mode 100644 index 000000000..f6f0482e7 --- /dev/null +++ b/codebuild/py311/decrypt_net_401_vectors_masterkey.yml @@ -0,0 +1,45 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py311-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: 3.11 + pre_build: + commands: + # Assume Role to access non-prod resources + - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-TestVectorResources") + - export TMP_ROLE + - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId') + - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') + - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken') + - aws sts get-caller-identity + + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json \ No newline at end of file diff --git a/codebuild/py311/encrypt_keyrings.yml b/codebuild/py311/encrypt_keyrings.yml new file mode 100644 index 000000000..8b7cb94b4 --- /dev/null +++ b/codebuild/py311/encrypt_keyrings.yml @@ -0,0 +1,26 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_encrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json \ + --keyrings \ No newline at end of file diff --git a/codebuild/py311/encrypt_masterkey.yml b/codebuild/py311/encrypt_masterkey.yml new file mode 100644 index 000000000..226e1586d --- /dev/null +++ b/codebuild/py311/encrypt_masterkey.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_encrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json diff --git a/codebuild/py311/generate_decrypt_vectors_keyrings.yml b/codebuild/py311/generate_decrypt_vectors_keyrings.yml new file mode 100644 index 000000000..179ec0f12 --- /dev/null +++ b/codebuild/py311/generate_decrypt_vectors_keyrings.yml @@ -0,0 +1,29 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_decrypt_generate-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 311_keyrings \ + --keyrings + - zip -r 311_keyrings.zip 311_keyrings + - aws s3 cp 311_keyrings.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_keyrings.zip diff --git a/codebuild/py311/generate_decrypt_vectors_masterkey.yml b/codebuild/py311/generate_decrypt_vectors_masterkey.yml new file mode 100644 index 000000000..84db3f176 --- /dev/null +++ b/codebuild/py311/generate_decrypt_vectors_masterkey.yml @@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + TOXENV: "py311-full_decrypt_generate" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.11 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 311_masterkey + - zip -r 311_masterkey.zip 311_masterkey + - aws s3 cp 311_masterkey.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/311_masterkey.zip diff --git a/codebuild/py312/awses_local.yml b/codebuild/py312/awses_local.yml index 0a81984ee..844cc7993 100644 --- a/codebuild/py312/awses_local.yml +++ b/codebuild/py312/awses_local.yml @@ -17,14 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.12 build: commands: - - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - - - pyenv install --skip-existing 3.12.0 - - pyenv local 3.12.0 - - pip install --upgrade pip - - pip install setuptools - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py312/awses_local_mpl.yml b/codebuild/py312/awses_local_mpl.yml index 1d0f80319..c92265541 100644 --- a/codebuild/py312/awses_local_mpl.yml +++ b/codebuild/py312/awses_local_mpl.yml @@ -20,7 +20,7 @@ env: phases: install: runtime-versions: - python: latest + python: 3.12 build: commands: - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - diff --git a/codebuild/py312/decrypt_dafny_esdk_vectors_keyrings.yml b/codebuild/py312/decrypt_dafny_esdk_vectors_keyrings.yml new file mode 100644 index 000000000..810d16b74 --- /dev/null +++ b/codebuild/py312/decrypt_dafny_esdk_vectors_keyrings.yml @@ -0,0 +1,59 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py312-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json \ + --keyrings diff --git a/codebuild/py312/decrypt_dafny_esdk_vectors_masterkey.yml b/codebuild/py312/decrypt_dafny_esdk_vectors_masterkey.yml new file mode 100644 index 000000000..b375651c5 --- /dev/null +++ b/codebuild/py312/decrypt_dafny_esdk_vectors_masterkey.yml @@ -0,0 +1,58 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py312-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json diff --git a/codebuild/py312/decrypt_keyrings_with_js.yml b/codebuild/py312/decrypt_keyrings_with_js.yml new file mode 100644 index 000000000..9b1ebc270 --- /dev/null +++ b/codebuild/py312/decrypt_keyrings_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_keyrings.zip 312_keyrings.zip + # Repackage zip in expected format + - unzip 312_keyrings.zip + - cd 312_keyrings + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py312/decrypt_keyrings_with_keyrings.yml b/codebuild/py312/decrypt_keyrings_with_keyrings.yml new file mode 100644 index 000000000..3ab7058f9 --- /dev/null +++ b/codebuild/py312/decrypt_keyrings_with_keyrings.yml @@ -0,0 +1,31 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_keyrings.zip 312_keyrings.zip + - unzip 312_keyrings.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../312_keyrings/manifest.json \ + --keyrings \ No newline at end of file diff --git a/codebuild/py312/decrypt_keyrings_with_masterkey.yml b/codebuild/py312/decrypt_keyrings_with_masterkey.yml new file mode 100644 index 000000000..bb06ba4a2 --- /dev/null +++ b/codebuild/py312/decrypt_keyrings_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_keyrings.zip 312_keyrings.zip + - unzip 312_keyrings.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../312_keyrings/manifest.json \ No newline at end of file diff --git a/codebuild/py312/decrypt_masterkey_with_js.yml b/codebuild/py312/decrypt_masterkey_with_js.yml new file mode 100644 index 000000000..7c57c3111 --- /dev/null +++ b/codebuild/py312/decrypt_masterkey_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_masterkey.zip 312_masterkey.zip + # Repackage zip in expected format + - unzip 312_masterkey.zip + - cd 312_masterkey + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py312/decrypt_masterkey_with_keyrings.yml b/codebuild/py312/decrypt_masterkey_with_keyrings.yml new file mode 100644 index 000000000..21f646370 --- /dev/null +++ b/codebuild/py312/decrypt_masterkey_with_keyrings.yml @@ -0,0 +1,31 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_masterkey.zip 312_masterkey.zip + - unzip 312_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../312_masterkey/manifest.json \ + --keyrings \ No newline at end of file diff --git a/codebuild/py312/decrypt_masterkey_with_masterkey.yml b/codebuild/py312/decrypt_masterkey_with_masterkey.yml new file mode 100644 index 000000000..0529fd894 --- /dev/null +++ b/codebuild/py312/decrypt_masterkey_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_masterkey.zip 312_masterkey.zip + - unzip 312_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../312_masterkey/manifest.json \ No newline at end of file diff --git a/codebuild/py312/decrypt_net_401_vectors_keyrings.yml b/codebuild/py312/decrypt_net_401_vectors_keyrings.yml new file mode 100644 index 000000000..aec3916e5 --- /dev/null +++ b/codebuild/py312/decrypt_net_401_vectors_keyrings.yml @@ -0,0 +1,36 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py312-full_decrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json \ + --keyrings diff --git a/codebuild/py312/decrypt_net_401_vectors_masterkey.yml b/codebuild/py312/decrypt_net_401_vectors_masterkey.yml new file mode 100644 index 000000000..5d1ef9d94 --- /dev/null +++ b/codebuild/py312/decrypt_net_401_vectors_masterkey.yml @@ -0,0 +1,45 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py312-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: 3.12 + pre_build: + commands: + # Assume Role to access non-prod resources + - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-TestVectorResources") + - export TMP_ROLE + - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId') + - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') + - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken') + - aws sts get-caller-identity + + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json \ No newline at end of file diff --git a/codebuild/py312/encrypt_keyrings.yml b/codebuild/py312/encrypt_keyrings.yml new file mode 100644 index 000000000..56a389e6f --- /dev/null +++ b/codebuild/py312/encrypt_keyrings.yml @@ -0,0 +1,26 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_encrypt-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json \ + --keyrings \ No newline at end of file diff --git a/codebuild/py312/encrypt_masterkey.yml b/codebuild/py312/encrypt_masterkey.yml new file mode 100644 index 000000000..940f336a2 --- /dev/null +++ b/codebuild/py312/encrypt_masterkey.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_encrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json diff --git a/codebuild/py312/examples.yml b/codebuild/py312/examples.yml index 691ea0e60..855a8fcdb 100644 --- a/codebuild/py312/examples.yml +++ b/codebuild/py312/examples.yml @@ -15,13 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.12 build: commands: - - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - - - pyenv install --skip-existing 3.12.0 - - pyenv local 3.12.0 - - pip install --upgrade pip - - pip install setuptools - pip install "tox < 4.0" - tox diff --git a/codebuild/py312/examples_mpl.yml b/codebuild/py312/examples_mpl.yml index 366222441..bca624742 100644 --- a/codebuild/py312/examples_mpl.yml +++ b/codebuild/py312/examples_mpl.yml @@ -19,7 +19,7 @@ env: phases: install: runtime-versions: - python: latest + python: 3.12 build: commands: - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - @@ -31,7 +31,7 @@ phases: # Run non-MPL-specific tests with the MPL installed - tox -e py312-examples-mpl # Assume special role to access keystore - - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-Py311ExamplesMpl") + - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" --role-session-name "CB-Py312ExamplesMpl") - export TMP_ROLE - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId') - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') diff --git a/codebuild/py312/generate_decrypt_vectors_keyrings.yml b/codebuild/py312/generate_decrypt_vectors_keyrings.yml new file mode 100644 index 000000000..ae79b86ce --- /dev/null +++ b/codebuild/py312/generate_decrypt_vectors_keyrings.yml @@ -0,0 +1,29 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_decrypt_generate-mpl" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 312_keyrings \ + --keyrings + - zip -r 312_keyrings.zip 312_keyrings + - aws s3 cp 312_keyrings.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_keyrings.zip diff --git a/codebuild/py312/generate_decrypt_vectors_masterkey.yml b/codebuild/py312/generate_decrypt_vectors_masterkey.yml new file mode 100644 index 000000000..1fadba985 --- /dev/null +++ b/codebuild/py312/generate_decrypt_vectors_masterkey.yml @@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-full_decrypt_generate" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.12 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 312_masterkey + - zip -r 312_masterkey.zip 312_masterkey + - aws s3 cp 312_masterkey.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/312_masterkey.zip diff --git a/codebuild/py312/integ.yml b/codebuild/py312/integ.yml index 10899f1df..2ccad8913 100644 --- a/codebuild/py312/integ.yml +++ b/codebuild/py312/integ.yml @@ -15,13 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.12 build: commands: - - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - - - pyenv install --skip-existing 3.12.0 - - pyenv local 3.12.0 - - pip install --upgrade pip - - pip install setuptools - pip install "tox < 4.0" - tox diff --git a/codebuild/py312/integ_mpl.yml b/codebuild/py312/integ_mpl.yml index e292acc57..7c6f046fe 100644 --- a/codebuild/py312/integ_mpl.yml +++ b/codebuild/py312/integ_mpl.yml @@ -18,7 +18,7 @@ env: phases: install: runtime-versions: - python: latest + python: 3.12 build: commands: - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - diff --git a/codebuild/py37/decrypt_dafny_esdk_vectors.yml b/codebuild/py37/decrypt_dafny_esdk_vectors.yml new file mode 100644 index 000000000..ee2d428c7 --- /dev/null +++ b/codebuild/py37/decrypt_dafny_esdk_vectors.yml @@ -0,0 +1,58 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py37-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.7 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json diff --git a/codebuild/py37/decrypt_masterkey_with_js.yml b/codebuild/py37/decrypt_masterkey_with_js.yml new file mode 100644 index 000000000..8a44e11e7 --- /dev/null +++ b/codebuild/py37/decrypt_masterkey_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.7 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/37_masterkey.zip 37_masterkey.zip + # Repackage zip in expected format + - unzip 37_masterkey.zip + - cd 37_masterkey + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py37/decrypt_masterkey_with_masterkey.yml b/codebuild/py37/decrypt_masterkey_with_masterkey.yml new file mode 100644 index 000000000..1774b05f4 --- /dev/null +++ b/codebuild/py37/decrypt_masterkey_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py37-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.7 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/37_masterkey.zip 37_masterkey.zip + - unzip 37_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../37_masterkey/manifest.json \ No newline at end of file diff --git a/codebuild/py37/decrypt_net_401_vectors.yml b/codebuild/py37/decrypt_net_401_vectors.yml new file mode 100644 index 000000000..1dfb48ce8 --- /dev/null +++ b/codebuild/py37/decrypt_net_401_vectors.yml @@ -0,0 +1,35 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py37-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.7 + pre_build: + commands: + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json diff --git a/codebuild/py37/encrypt_masterkey.yml b/codebuild/py37/encrypt_masterkey.yml new file mode 100644 index 000000000..7cdc7848e --- /dev/null +++ b/codebuild/py37/encrypt_masterkey.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + TOXENV: "py37-full_encrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.7 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json diff --git a/codebuild/py37/generate_decrypt_vectors_masterkey.yml b/codebuild/py37/generate_decrypt_vectors_masterkey.yml new file mode 100644 index 000000000..55ec3e9e4 --- /dev/null +++ b/codebuild/py37/generate_decrypt_vectors_masterkey.yml @@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + TOXENV: "py37-full_decrypt_generate" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.7 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 37_masterkey + - zip -r 37_masterkey.zip 37_masterkey + - aws s3 cp 37_masterkey.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/37_masterkey.zip diff --git a/codebuild/py38/decrypt_dafny_esdk_vectors.yml b/codebuild/py38/decrypt_dafny_esdk_vectors.yml new file mode 100644 index 000000000..968a74690 --- /dev/null +++ b/codebuild/py38/decrypt_dafny_esdk_vectors.yml @@ -0,0 +1,58 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py38-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.8 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json diff --git a/codebuild/py38/decrypt_masterkey_with_js.yml b/codebuild/py38/decrypt_masterkey_with_js.yml new file mode 100644 index 000000000..953e8818a --- /dev/null +++ b/codebuild/py38/decrypt_masterkey_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.8 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/38_masterkey.zip 38_masterkey.zip + # Repackage zip in expected format + - unzip 38_masterkey.zip + - cd 38_masterkey + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py38/decrypt_masterkey_with_masterkey.yml b/codebuild/py38/decrypt_masterkey_with_masterkey.yml new file mode 100644 index 000000000..6b32dcf15 --- /dev/null +++ b/codebuild/py38/decrypt_masterkey_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py38-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.8 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/38_masterkey.zip 38_masterkey.zip + - unzip 38_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../38_masterkey/manifest.json \ No newline at end of file diff --git a/codebuild/py38/decrypt_net_401_vectors.yml b/codebuild/py38/decrypt_net_401_vectors.yml new file mode 100644 index 000000000..298711975 --- /dev/null +++ b/codebuild/py38/decrypt_net_401_vectors.yml @@ -0,0 +1,35 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py38-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.8 + pre_build: + commands: + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json diff --git a/codebuild/py38/encrypt_masterkey.yml b/codebuild/py38/encrypt_masterkey.yml new file mode 100644 index 000000000..b05396cc2 --- /dev/null +++ b/codebuild/py38/encrypt_masterkey.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + TOXENV: "py38-full_encrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.8 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json diff --git a/codebuild/py38/generate_decrypt_vectors_masterkey.yml b/codebuild/py38/generate_decrypt_vectors_masterkey.yml new file mode 100644 index 000000000..8705ef57c --- /dev/null +++ b/codebuild/py38/generate_decrypt_vectors_masterkey.yml @@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + TOXENV: "py38-full_decrypt_generate" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.8 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 38_masterkey + - zip -r 38_masterkey.zip 38_masterkey + - aws s3 cp 38_masterkey.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/38_masterkey.zip diff --git a/codebuild/py39/decrypt_dafny_esdk_vectors.yml b/codebuild/py39/decrypt_dafny_esdk_vectors.yml new file mode 100644 index 000000000..ddb50db1c --- /dev/null +++ b/codebuild/py39/decrypt_dafny_esdk_vectors.yml @@ -0,0 +1,58 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py39-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + git-credential-helper: yes + secrets-manager: + GITHUB_TOKEN: Github/lucasmcdonald3-fgpat:actions read + +phases: + install: + runtime-versions: + python: 3.9 + pre_build: + commands: + # Fetch test vectors from Dafny ESDK's most recent run + # (Assuming the first result is most recent; seems to be correct...) + - | + MOST_RECENT_RUN_ID=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs?branch=mainline&status=completed&page=1&exclude_pull_requests=true" \ + | jq 'first(.workflow_runs[] | select(.name=="Daily CI") | .id)') + - | + echo "DEBUG: Fetching artifact from run $MOST_RECENT_RUN_ID" + - | + MOST_RECENT_RUN_DOWNLOAD_URL=$(curl -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/aws/aws-encryption-sdk-dafny/actions/runs/$MOST_RECENT_RUN_ID/artifacts?name=ubuntu-latest_vector_artifact" \ + | jq '.artifacts[0].archive_download_url') + - | + echo "DEBUG: Fetching artifact at $MOST_RECENT_RUN_DOWNLOAD_URL" + - | + curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: token $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + $(echo $MOST_RECENT_RUN_DOWNLOAD_URL | tr -d '"') -o ubuntu-latest_test_vector_artifact.zip + # This unzips to `net41.zip`. + - unzip ubuntu-latest_test_vector_artifact + # This unzips to `net41/`. + - unzip net41.zip -d net41 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../net41/manifest.json diff --git a/codebuild/py39/decrypt_masterkey_with_js.yml b/codebuild/py39/decrypt_masterkey_with_js.yml new file mode 100644 index 000000000..53f6433f8 --- /dev/null +++ b/codebuild/py39/decrypt_masterkey_with_js.yml @@ -0,0 +1,34 @@ +version: 0.2 + +env: + variables: + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.9 + commands: + - n 16 + # Install the Javascript ESDK run test vectors + - npm install -g @aws-crypto/integration-node + + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/39_masterkey.zip 39_masterkey.zip + # Repackage zip in expected format + - unzip 39_masterkey.zip + - cd 39_masterkey + - zip -r vectors.zip . + build: + commands: + # Decrypt generated vectors with Javascript ESDK + - integration-node decrypt -v vectors.zip \ No newline at end of file diff --git a/codebuild/py39/decrypt_masterkey_with_masterkey.yml b/codebuild/py39/decrypt_masterkey_with_masterkey.yml new file mode 100644 index 000000000..fcd9d3220 --- /dev/null +++ b/codebuild/py39/decrypt_masterkey_with_masterkey.yml @@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.9 + pre_build: + commands: + # Download previously generated vectors + - aws s3 cp s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/39_masterkey.zip 39_masterkey.zip + - unzip 39_masterkey.zip + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input ../39_masterkey/manifest.json \ No newline at end of file diff --git a/codebuild/py39/decrypt_net_401_vectors.yml b/codebuild/py39/decrypt_net_401_vectors.yml new file mode 100644 index 000000000..635abc95b --- /dev/null +++ b/codebuild/py39/decrypt_net_401_vectors.yml @@ -0,0 +1,35 @@ +version: 0.2 +# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM + +env: + variables: + TOXENV: "py39-full_decrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.9 + pre_build: + commands: + # Fetch ESDK .NET v4.0.1 Test Vectors + - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip + - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip + - curl -s --output $VECTOR_ZIP --location $VECTORS_URL + - UNZIPPED_VECTORS_DIR=$CODEBUILD_SRC_DIR/test_vector_handlers/net_401_vectors + - unzip $VECTOR_ZIP -d $UNZIPPED_VECTORS_DIR + build: + commands: + # NOTE: We need to pass the absolute path of the vectors + - pip install "tox < 4.0" + - cd $CODEBUILD_SRC_DIR/test_vector_handlers + - | + tox -- \ + --input $UNZIPPED_VECTORS_DIR/manifest.json diff --git a/codebuild/py39/encrypt_masterkey.yml b/codebuild/py39/encrypt_masterkey.yml new file mode 100644 index 000000000..3bf18fbde --- /dev/null +++ b/codebuild/py39/encrypt_masterkey.yml @@ -0,0 +1,25 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-full_encrypt" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.9 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0003-awses-message-encryption.v2.json diff --git a/codebuild/py39/generate_decrypt_vectors_masterkey.yml b/codebuild/py39/generate_decrypt_vectors_masterkey.yml new file mode 100644 index 000000000..eb57d915a --- /dev/null +++ b/codebuild/py39/generate_decrypt_vectors_masterkey.yml @@ -0,0 +1,28 @@ +version: 0.2 + +env: + variables: + TOXENV: "py39-full_decrypt_generate" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: 3.9 + build: + commands: + - pip install "tox < 4.0" + - cd test_vector_handlers + - | + tox -- \ + --input test/aws-crypto-tools-test-vector-framework/features/CANONICAL-GENERATED-MANIFESTS/0006-awses-message-decryption-generation.v2.json \ + --output 39_masterkey + - zip -r 39_masterkey.zip 39_masterkey + - aws s3 cp 39_masterkey.zip s3://generated-vectors-artifacts-bucket/$CODEBUILD_RESOLVED_SOURCE_VERSION/39_masterkey.zip diff --git a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py index 91f9fd834..da9bc9b6b 100644 --- a/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py +++ b/src/aws_encryption_sdk/internal/crypto/wrapping_keys.py @@ -98,9 +98,12 @@ def decrypt(self, encrypted_wrapped_data_key, encryption_context): if self.wrapping_key_type is EncryptionKeyType.PUBLIC: raise IncorrectMasterKeyError("Public key cannot decrypt") if self.wrapping_key_type is EncryptionKeyType.PRIVATE: - return self._wrapping_key.decrypt( - ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding - ) + try: + return self._wrapping_key.decrypt( + ciphertext=encrypted_wrapped_data_key.ciphertext, padding=self.wrapping_algorithm.padding + ) + except ValueError: + raise IncorrectMasterKeyError("_wrapping_key cannot decrypt provided ciphertext") serialized_encryption_context = serialize_encryption_context(encryption_context=encryption_context) return decrypt( algorithm=self.wrapping_algorithm.algorithm, diff --git a/src/aws_encryption_sdk/internal/formatting/deserialize.py b/src/aws_encryption_sdk/internal/formatting/deserialize.py index b06b5ba11..1b46a8b7d 100644 --- a/src/aws_encryption_sdk/internal/formatting/deserialize.py +++ b/src/aws_encryption_sdk/internal/formatting/deserialize.py @@ -475,7 +475,7 @@ def deserialize_frame(stream, header, verifier=None): frame_data["iv"] = frame_iv if final_frame is True: (content_length,) = unpack_values(">I", stream, verifier) - if content_length >= header.frame_length: + if content_length > header.frame_length: raise SerializationError( "Invalid final frame length: {final} >= {normal}".format( final=content_length, normal=header.frame_length diff --git a/test_vector_handlers/requirements_mpl.txt b/test_vector_handlers/requirements_mpl.txt new file mode 100644 index 000000000..c7927a851 --- /dev/null +++ b/test_vector_handlers/requirements_mpl.txt @@ -0,0 +1 @@ +amazon-cryptographic-material-providers-test-vectors @ git+https://github.com/aws/aws-cryptographic-material-providers-library.git@lucmcdon/python-mpl#subdirectory=TestVectorsAwsCryptographicMaterialProviders/runtimes/python \ No newline at end of file diff --git a/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt.py b/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt.py index baf1d1f03..2a44cd597 100644 --- a/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt.py @@ -15,6 +15,13 @@ from awses_test_vectors.manifests.full_message.decrypt import MessageDecryptionManifest +try: + import aws_cryptographic_materialproviders # noqa pylint: disable=unused-import,import-error + _HAS_MPL = True +except ImportError: + _HAS_MPL = False + + try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Iterable, Optional # noqa pylint: disable=unused-import except ImportError: # pragma: no cover @@ -29,9 +36,19 @@ def cli(args=None): parser.add_argument( "--input", required=True, type=argparse.FileType("r"), help="Existing full message decrypt manifest" ) + parser.add_argument( + "--keyrings", + action="store_true", + required=False, + default=False, + help="Use keyring interfaces to encrypt", + ) parsed = parser.parse_args(args) - decrypt_manifest = MessageDecryptionManifest.from_file(parsed.input) + if parsed.keyrings and not _HAS_MPL: + raise ImportError("The --keyrings flag requires the aws-cryptographic-material-providers library.") + + decrypt_manifest = MessageDecryptionManifest.from_file(parsed.input, parsed.keyrings) decrypt_manifest.run() diff --git a/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt_generate.py b/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt_generate.py index 5d8b94893..69fe44d78 100644 --- a/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt_generate.py +++ b/test_vector_handlers/src/awses_test_vectors/commands/full_message_decrypt_generate.py @@ -15,6 +15,12 @@ from awses_test_vectors.manifests.full_message.decrypt_generation import MessageDecryptionGenerationManifest +try: + import aws_cryptographic_materialproviders # noqa pylint: disable=unused-import,import-error + _HAS_MPL = True +except ImportError: + _HAS_MPL = False + try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Iterable, Optional # noqa pylint: disable=unused-import except ImportError: # pragma: no cover @@ -39,9 +45,19 @@ def cli(args=None): dest="json_indent", help="Output human-readable JSON", ) + parser.add_argument( + "--keyrings", + action="store_true", + required=False, + default=False, + help="Use keyring interfaces to encrypt", + ) parsed = parser.parse_args(args) - encrypt_manifest = MessageDecryptionGenerationManifest.from_file(parsed.input) + if parsed.keyrings and not _HAS_MPL: + raise ImportError("The --keyrings flag requires the aws-cryptographic-material-providers library.") + + encrypt_manifest = MessageDecryptionGenerationManifest.from_file(parsed.input, parsed.keyrings) encrypt_manifest.run_and_write_to_dir(target_directory=parsed.output, json_indent=parsed.json_indent) diff --git a/test_vector_handlers/src/awses_test_vectors/commands/full_message_encrypt.py b/test_vector_handlers/src/awses_test_vectors/commands/full_message_encrypt.py index 2b8b92f3c..268d7ca99 100644 --- a/test_vector_handlers/src/awses_test_vectors/commands/full_message_encrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/commands/full_message_encrypt.py @@ -15,6 +15,13 @@ from awses_test_vectors.manifests.full_message.encrypt import MessageEncryptionManifest +try: + import aws_cryptographic_materialproviders # noqa pylint: disable=unused-import,import-error + _HAS_MPL = True +except ImportError: + _HAS_MPL = False + + try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import Iterable, Optional # noqa pylint: disable=unused-import except ImportError: # pragma: no cover @@ -29,9 +36,19 @@ def cli(args=None): parser.add_argument( "--input", required=True, type=argparse.FileType("r"), help="Existing full message encrypt manifest" ) + parser.add_argument( + "--keyrings", + action="store_true", + required=False, + default=False, + help="Use keyring interfaces to encrypt", + ) parsed = parser.parse_args(args) - encrypt_manifest = MessageEncryptionManifest.from_file(parsed.input) + if parsed.keyrings and not _HAS_MPL: + raise ImportError("The --keyrings flag requires the aws-cryptographic-material-providers library.") + + encrypt_manifest = MessageEncryptionManifest.from_file(parsed.input, parsed.keyrings) encrypt_manifest.run() diff --git a/test_vector_handlers/src/awses_test_vectors/internal/mpl/__init__.py b/test_vector_handlers/src/awses_test_vectors/internal/mpl/__init__.py new file mode 100644 index 000000000..11e9569d9 --- /dev/null +++ b/test_vector_handlers/src/awses_test_vectors/internal/mpl/__init__.py @@ -0,0 +1,3 @@ +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +"""Internal modules that require the aws-cryptographic-material-providers library.""" diff --git a/test_vector_handlers/src/awses_test_vectors/internal/mpl/keyvectors_provider.py b/test_vector_handlers/src/awses_test_vectors/internal/mpl/keyvectors_provider.py new file mode 100644 index 000000000..305459026 --- /dev/null +++ b/test_vector_handlers/src/awses_test_vectors/internal/mpl/keyvectors_provider.py @@ -0,0 +1,27 @@ +"""Singleton provider for the KeyVectors client.""" +# # Ignore missing MPL TestVectors for pylint, but the MPL TestVectors is required for this file +# pylint: disable=import-error +from aws_cryptography_materialproviderstestvectorkeys.smithygenerated.\ + aws_cryptography_materialproviderstestvectorkeys.client import ( + KeyVectors, + ) +from aws_cryptography_materialproviderstestvectorkeys.smithygenerated.\ + aws_cryptography_materialproviderstestvectorkeys.config import ( + KeyVectorsConfig + ) + +keyvectors_instances = {} + + +# pylint: disable=too-few-public-methods +class KeyVectorsProvider: + """Singleton manager for the KeyVectors client.""" + + instance: KeyVectors + + @classmethod + def get_keyvectors(cls, keys_path): + """Return the singleton KeyVectors client.""" + if keys_path not in keyvectors_instances: + keyvectors_instances[keys_path] = KeyVectors(KeyVectorsConfig(key_manifest_path=keys_path)) + return keyvectors_instances[keys_path] diff --git a/test_vector_handlers/src/awses_test_vectors/internal/mpl/tampering_mpl_materials.py b/test_vector_handlers/src/awses_test_vectors/internal/mpl/tampering_mpl_materials.py new file mode 100644 index 000000000..29a820ecc --- /dev/null +++ b/test_vector_handlers/src/awses_test_vectors/internal/mpl/tampering_mpl_materials.py @@ -0,0 +1,179 @@ +"""Allows using ESDK-MPL interfaces with the tampering tests. +These must ONLY be used in testing and NOT in production. +""" +from copy import copy +import attr +import six + + +from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager + +# Ignore missing MPL for pylint, but the MPL is required for this class +# pylint: disable=import-error,no-name-in-module +from aws_encryption_sdk.materials_managers.mpl.materials import ( + EncryptionMaterialsFromMPL +) +from aws_encryption_sdk.materials_managers.mpl.cmm import ( + CryptoMaterialsManagerFromMPL +) +from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders +from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig +from aws_cryptographic_materialproviders.mpl.models import ( + CreateDefaultCryptographicMaterialsManagerInput, +) + +try: + from aws_encryption_sdk.identifiers import AlgorithmSuite +except ImportError: + from aws_encryption_sdk.identifiers import Algorithm as AlgorithmSuite + + +class HalfSigningCryptoMaterialsManagerFromMPL(CryptoMaterialsManagerFromMPL): + """ + Custom CMM that uses HalfSigningEncryptionMaterialsFromMPL. + This extends CryptoMaterialsManagerFromMPL so ESDK-internal checks + follow MPL logic. + + THIS IS ONLY USED TO CREATE INVALID MESSAGES and should never be used in + production! + """ + + wrapped_default_cmm = attr.ib(validator=attr.validators.instance_of(CryptoMaterialsManagerFromMPL)) + + def __init__(self, master_key_provider): + """Create a new CMM that wraps a the given CMM.""" + mpl = AwsCryptographicMaterialProviders(MaterialProvidersConfig()) + mpl_cmm = mpl.create_default_cryptographic_materials_manager( + CreateDefaultCryptographicMaterialsManagerInput( + keyring=master_key_provider + ) + ) + self.wrapped_default_cmm = CryptoMaterialsManagerFromMPL(mpl_cmm=mpl_cmm) + + def get_encryption_materials(self, request): + """ + Generate half-signing materials by requesting signing materials + from the wrapped default CMM, and then changing the algorithm suite + and removing the signing key from teh result. + """ + if request.algorithm == AlgorithmSuite.AES_256_GCM_HKDF_SHA512_COMMIT_KEY: + signing_request = copy(request) + signing_request.algorithm = AlgorithmSuite.AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 + + result = HalfSigningEncryptionMaterialsFromMPL( + self.wrapped_default_cmm.get_encryption_materials(signing_request) + ) + + result.algorithm = request.algorithm + result.signing_key = None + + return result + + raise NotImplementedError( + "The half-sign tampering method is only supported on the " + "AES_256_GCM_HKDF_SHA512_COMMIT_KEY algorithm suite." + ) + + def decrypt_materials(self, request): + """Thunks to the wrapped default CMM""" + return self.wrapped_default_cmm.decrypt_materials(request) + + +class HalfSigningEncryptionMaterialsFromMPL(EncryptionMaterialsFromMPL): + """Allows overriding properties inside the EncryptionMaterialsFromMPL. + The test vectors to this to "tamper" with the messages + and ensure they fail with expected errors. + This must ONLY be used in testing and NOT in production. + This is used in testing malicious message modification (HalfSigningTampering). + """ + + _underlying_materials: EncryptionMaterialsFromMPL + + def __init__(self, underlying_materials): + """Create a HalfSigningEncryptionMaterialsFromMPL wrapper + around underlying_materials. + """ + self._underlying_materials = underlying_materials + + # pylint thinks EncryptionMaterialsFromMPL.algorithm is a method + # pylint: disable=invalid-overridden-method + @property + def algorithm(self): + """Return any previously-provided overriden algorithm; + if none was provided, returns underlying algorithm from encryption materials. + """ + if hasattr(self, "set_algorithm"): + return self.set_algorithm + return self._underlying_materials.algorithm + + @algorithm.setter + def algorithm(self, algorithm): + self.set_algorithm = algorithm + + # pylint thinks EncryptionMaterialsFromMPL.signing_key is a method + # pylint: disable=invalid-overridden-method + @property + def signing_key(self): + """Return any previously-provided overriden signing_key; + if none was provided, returns underlying signing_key from encryption materials. + """ + if hasattr(self, "set_signing_key"): + return self.set_signing_key + return self._underlying_materials.algorithm + + @signing_key.setter + def signing_key(self, signing_key): + self.set_signing_key = signing_key + + @property + def encryption_context(self): + """Get encryption_context from _underlying_materials.""" + return self._underlying_materials.encryption_context + + @property + def encrypted_data_keys(self): + """Get encrypted_data_keys from _underlying_materials.""" + return self._underlying_materials.encrypted_data_keys + + @property + def data_encryption_key(self): + """Get data_encryption_key from _underlying_materials.""" + return self._underlying_materials.data_encryption_key + + @property + def required_encryption_context_keys(self): + """Get required_encryption_context_keys from _underlying_materials.""" + return self._underlying_materials.required_encryption_context_keys + + +class ProviderInfoChangingCryptoMaterialsManagerFromMPL(CryptoMaterialsManagerFromMPL): + """ + Custom CMM that modifies the provider info field on EDKs. + This extends CryptoMaterialsManagerFromMPL so ESDK-internal checks + follow MPL logic. + + THIS IS ONLY USED TO CREATE INVALID MESSAGES and should never be used in + production! + """ + + wrapped_cmm = attr.ib(validator=attr.validators.instance_of(CryptoMaterialsManager)) + new_provider_info = attr.ib(validator=attr.validators.instance_of(six.string_types)) + + def __init__(self, materials_manager, new_provider_info): + """Create a new CMM that wraps a the given CMM.""" + self.wrapped_cmm = materials_manager + self.new_provider_info = new_provider_info + + def get_encryption_materials(self, request): + """ + Request materials from the wrapped CMM, and then change the provider info + on each EDK. + """ + result = self.wrapped_cmm.get_encryption_materials(request) + for encrypted_data_key in result.encrypted_data_keys: + encrypted_data_key.key_provider.key_info = self.new_provider_info + return result + + def decrypt_materials(self, request): + """Thunks to the wrapped CMM""" + return self.wrapped_cmm.decrypt_materials(request) diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py index c94fd1452..2aaaf1bca 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py @@ -35,6 +35,21 @@ from awses_test_vectors.manifests.keys import KeysManifest from awses_test_vectors.manifests.master_key import MasterKeySpec, master_key_provider_from_master_key_specs +try: + from awses_test_vectors.manifests.mpl_keyring import KeyringSpec, keyring_from_master_key_specs + from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders + from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig + from aws_cryptographic_materialproviders.mpl.references import ICryptographicMaterialsManager + from aws_cryptographic_materialproviders.mpl.models import ( + CreateDefaultCryptographicMaterialsManagerInput, + CreateRequiredEncryptionContextCMMInput, + ) + + _HAS_MPL = True +except ImportError: + _HAS_MPL = False + + try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import IO, Callable, Dict, Iterable, Optional # noqa pylint: disable=unused-import @@ -49,7 +64,7 @@ CLIENT_NAME = "aws/aws-encryption-sdk-python" CURRENT_VERSION = 2 -SUPPORTED_VERSIONS = (2,) +SUPPORTED_VERSIONS = (2, 4,) @attr.s(init=False) @@ -181,7 +196,7 @@ class DecryptionMethod(Enum): @attr.s(init=False) class MessageDecryptionTestScenario(object): - # pylint: disable=too-many-arguments + # pylint: disable=too-many-arguments,too-many-instance-attributes """Data class for a single full message decrypt test scenario. Handles serialization and deserialization to and from manifest specs. @@ -192,6 +207,10 @@ class MessageDecryptionTestScenario(object): :param master_key_specs: Iterable of master key specifications :type master_key_specs: iterable of :class:`MasterKeySpec` :param Callable master_key_provider_fn: + :param bool keyrings: True if should decrypt with keyring interfaces; False otherwise + :param str cmm_type: `cmm` from test vector manifest; "Default" if not specified + :param str encryption_context: Any encryption context to validate on decrypt if using + keyrings AND the required encryption context CMM :param str description: Description of test scenario (optional) """ @@ -202,6 +221,8 @@ class MessageDecryptionTestScenario(object): master_key_specs = attr.ib(validator=iterable_validator(list, MasterKeySpec)) master_key_provider_fn = attr.ib(validator=attr.validators.is_callable()) result = attr.ib(validator=attr.validators.instance_of(MessageDecryptionTestResult)) + keyrings = attr.ib(validator=attr.validators.instance_of(bool)) + cmm_type = attr.ib(validator=attr.validators.instance_of(str)) decryption_method = attr.ib( default=None, validator=attr.validators.optional(attr.validators.instance_of(DecryptionMethod)) ) @@ -216,6 +237,9 @@ def __init__( result, # type: MessageDecryptionTestResult master_key_specs, # type: Iterable[MasterKeySpec] master_key_provider_fn, # type: Callable + keyrings, # type: bool + cmm_type, # type: str + encryption_context, # type: Dict[str, str] decryption_method=None, # type: Optional[DecryptionMethod] description=None, # type: Optional[str] ): # noqa=D107 @@ -229,6 +253,9 @@ def __init__( self.result = result self.master_key_specs = master_key_specs self.master_key_provider_fn = master_key_provider_fn + self.keyrings = keyrings + self.cmm_type = cmm_type + self.encryption_context = encryption_context self.decryption_method = decryption_method self.description = description attr.validate(self) @@ -240,7 +267,10 @@ def from_scenario( plaintext_reader, # type: Callable[[str], bytes] ciphertext_reader, # type: Callable[[str], bytes] keys, # type: KeysManifest + keyrings, # type: bool + keys_uri, # type: str ): + # pylint: disable=too-many-locals # type: (...) -> MessageDecryptionTestScenario """Load from a scenario specification. @@ -252,9 +282,18 @@ def from_scenario( :rtype: MessageDecryptionTestScenario """ raw_master_key_specs = scenario["master-keys"] # type: Iterable[MASTER_KEY_SPEC] - master_key_specs = [MasterKeySpec.from_scenario(spec) for spec in raw_master_key_specs] + if keyrings: + master_key_specs = [ + KeyringSpec.from_scenario(spec) for spec in raw_master_key_specs + ] + else: + master_key_specs = [ + MasterKeySpec.from_scenario(spec) for spec in raw_master_key_specs + ] def master_key_provider_fn(): + if keyrings: + return keyring_from_master_key_specs(keys_uri, master_key_specs, "decrypt") return master_key_provider_from_master_key_specs(keys, master_key_specs) decryption_method_spec = scenario.get("decryption-method") @@ -262,12 +301,39 @@ def master_key_provider_fn(): result_spec = scenario["result"] result = MessageDecryptionTestResult.from_result_spec(result_spec, plaintext_reader) + if "encryption-context" in scenario: + encryption_context = scenario["encryption-context"] + else: + encryption_context = {} + + # MPL test vectors add CMM types to the test vectors manifests + if "cmm" in scenario: + if scenario["cmm"] == "Default": + # Master keys and keyrings can handle default CMM + cmm_type = scenario["cmm"] + elif scenario["cmm"] == "RequiredEncryptionContext": + # Skip RequiredEncryptionContext CMM for master keys; + # RequiredEncryptionContext is unsupported for master keys. + # Caller logic should expect `None` to mean "no scenario". + if keyrings: + cmm_type = scenario["cmm"] + else: + return None + else: + raise ValueError("Unrecognized cmm_type: " + cmm_type) + else: + # If unspecified, set "Default" as the default + cmm_type = "Default" + return cls( ciphertext_uri=scenario["ciphertext"], ciphertext=ciphertext_reader(scenario["ciphertext"]), master_key_specs=master_key_specs, master_key_provider_fn=master_key_provider_fn, result=result, + keyrings=keyrings, + encryption_context=encryption_context, + cmm_type=cmm_type, decryption_method=decryption_method, description=scenario.get("description"), ) @@ -293,12 +359,98 @@ def scenario_spec(self): def _one_shot_decrypt(self): client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - return client.decrypt(source=self.ciphertext, key_provider=self.master_key_provider_fn()) + if self.cmm_type == "Default": + if self.keyrings: + return client.decrypt(source=self.ciphertext, keyring=self.master_key_provider_fn()) + return client.decrypt(source=self.ciphertext, key_provider=self.master_key_provider_fn()) + if self.cmm_type == "RequiredEncryptionContext": + # We need to make a custom CMM and pass it into the client + if not self.keyrings: + raise ValueError("Must provide keyrings arg to use RequiredEncryptionContext") + if not _HAS_MPL: + raise ValueError("Must install the aws-cryptographic-material-providers library" + "to use RequiredEncryptionContext") + + mpl: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( + config=MaterialProvidersConfig() + ) + + underlying_cmm: ICryptographicMaterialsManager = \ + mpl.create_default_cryptographic_materials_manager( + CreateDefaultCryptographicMaterialsManagerInput( + keyring=self.master_key_provider_fn() + ) + ) + + required_ec_cmm: ICryptographicMaterialsManager = \ + mpl.create_required_encryption_context_cmm( + CreateRequiredEncryptionContextCMMInput( + # Currently, the test vector manifest assumes these + # are the only required encryption context keys for any message. + # If this assumption changes, this logic must be augmented. + required_encryption_context_keys=["key1", "key2"], + underlying_cmm=underlying_cmm, + ) + ) + + return client.decrypt( + source=self.ciphertext, + materials_manager=required_ec_cmm, + encryption_context=self.encryption_context, + ) + + # If the cmm type was not in if/elif above, raise error + raise ValueError(f"Unrecognized cmm_type: {self.cmm_type}") def _streaming_decrypt(self): result = bytearray() client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - with client.stream(source=self.ciphertext, mode="d", key_provider=self.master_key_provider_fn()) as decryptor: + + kwargs = { + "source": self.ciphertext, + "mode": "d" + } + if self.cmm_type == "Default": + if self.keyrings: + kwargs["keyring"] = self.master_key_provider_fn() + else: + kwargs["key_provider"] = self.master_key_provider_fn() + elif self.cmm_type == "RequiredEncryptionContext": + # We need to make a custom CMM and pass it into the client + if not self.keyrings: + raise ValueError("Must provide keyrings arg to use RequiredEncryptionContext") + if not _HAS_MPL: + raise ValueError("Must install the aws-cryptographic-material-providers library" + "to use RequiredEncryptionContext") + + mpl: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( + config=MaterialProvidersConfig() + ) + + underlying_cmm: ICryptographicMaterialsManager = \ + mpl.create_default_cryptographic_materials_manager( + CreateDefaultCryptographicMaterialsManagerInput( + keyring=self.master_key_provider_fn() + ) + ) + + required_ec_cmm: ICryptographicMaterialsManager = \ + mpl.create_required_encryption_context_cmm( + CreateRequiredEncryptionContextCMMInput( + # Currently, the test vector manifest assumes these + # are the only required encryption context keys for any message. + # If this assumption changes, this logic must be augmented. + required_encryption_context_keys=["key1", "key2"], + underlying_cmm=underlying_cmm, + ) + ) + + kwargs["materials_manager"] = required_ec_cmm + kwargs["encryption_context"] = self.encryption_context + else: + raise ValueError(f"Unrecognized cmm_type: {self.cmm_type}") + + with client.stream(**kwargs) as decryptor: for chunk in decryptor: result.extend(chunk) return result, decryptor.header @@ -306,9 +458,53 @@ def _streaming_decrypt(self): def _streaming_decrypt_unsigned(self): result = bytearray() client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) - with client.stream( - source=self.ciphertext, mode="decrypt-unsigned", key_provider=self.master_key_provider_fn() - ) as decryptor: + + stream_kwargs = { + "source": self.ciphertext, + "mode": "decrypt-unsigned", + } + + if self.cmm_type == "Default": + if self.keyrings: + stream_kwargs["keyring"] = self.master_key_provider_fn() + else: + stream_kwargs["key_provider"] = self.master_key_provider_fn() + elif self.cmm_type == "RequiredEncryptionContext": + # We need to make a custom CMM and pass it into the client + if not self.keyrings: + raise ValueError("Must provide keyrings arg to use RequiredEncryptionContext") + if not _HAS_MPL: + raise ValueError("Must install the aws-cryptographic-material-providers library" + "to use RequiredEncryptionContext") + + mpl: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( + config=MaterialProvidersConfig() + ) + + underlying_cmm: ICryptographicMaterialsManager = \ + mpl.create_default_cryptographic_materials_manager( + CreateDefaultCryptographicMaterialsManagerInput( + keyring=self.master_key_provider_fn() + ) + ) + + required_ec_cmm: ICryptographicMaterialsManager = \ + mpl.create_required_encryption_context_cmm( + CreateRequiredEncryptionContextCMMInput( + # Currently, the test vector manifest assumes these + # are the only required encryption context keys for any message. + # If this assumption changes, this logic must be augmented. + required_encryption_context_keys=["key1", "key2"], + underlying_cmm=underlying_cmm, + ) + ) + + stream_kwargs["materials_manager"] = required_ec_cmm + stream_kwargs["encryption_context"] = self.encryption_context + else: + raise ValueError(f"Unrecognized cmm_type: {self.cmm_type}") + + with client.stream(**stream_kwargs) as decryptor: for chunk in decryptor: result.extend(chunk) return result, decryptor.header @@ -388,11 +584,13 @@ def manifest_spec(self): return {"manifest": manifest_spec, "client": client_spec, "keys": self.keys_uri, "tests": test_specs} @classmethod - def from_file(cls, input_file): + def from_file(cls, input_file, keyrings): + # pylint: disable=too-many-locals # type: (IO) -> MessageDecryptionManifest """Load from a file containing a full message decrypt manifest. :param file input_file: File object for file containing JSON manifest + :param bool keyrings: True if should decrypt with keyring interfaces; False otherwise :return: Loaded manifest :rtype: MessageDecryptionManifest """ @@ -407,6 +605,11 @@ def from_file(cls, input_file): version = raw_manifest["manifest"]["version"] # type: int keys_uri = raw_manifest["keys"] # type: str + # MPL TestVector keyring needs to know the path to the keys file + keys_uri = raw_manifest["keys"] + keys_filename = keys_uri.replace("file://", "") + keys_abs_path = os.path.join(parent_dir, keys_filename) + raw_keys_manifest = json.loads(root_reader(keys_uri).decode(ENCODING)) keys = KeysManifest.from_manifest_spec(raw_keys_manifest) @@ -415,10 +618,38 @@ def from_file(cls, input_file): raw_scenarios = raw_manifest["tests"] # type: Dict[str, DECRYPT_SCENARIO_SPEC] test_scenarios = { name: MessageDecryptionTestScenario.from_scenario( - scenario=scenario, plaintext_reader=root_reader, ciphertext_reader=root_reader, keys=keys + scenario=scenario, + plaintext_reader=root_reader, + ciphertext_reader=root_reader, + keys=keys, + keyrings=False, + keys_uri=keys_abs_path, ) for name, scenario in raw_scenarios.items() } + # If optional keyrings argument is true, + # also add scenarios to decrypt with keyrings. + if keyrings: + keyrings_test_scenarios = { + name + "-keyring": MessageDecryptionTestScenario.from_scenario( + scenario=scenario, + plaintext_reader=root_reader, + ciphertext_reader=root_reader, + keys=keys, + keyrings=True, + keys_uri=keys_abs_path, + ) + for name, scenario in raw_scenarios.items() + } + # Merge keyring scenarios into test_scenarios + test_scenarios = {**keyrings_test_scenarios, **test_scenarios} + + # Remove any `None` scenarios from test scenarios. + # `None` scenarios indicate the loader determined the scenario is invalid. + # e.g. cmm_type = "RequiredEncryptionContext" with master keys + for name in list(test_scenarios.keys()): + if test_scenarios[name] is None: + del test_scenarios[name] return cls( keys_uri=keys_uri, diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt_generation.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt_generation.py index e407a1b65..50c14a091 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt_generation.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt_generation.py @@ -23,10 +23,38 @@ import attr import six from aws_encryption_sdk.caches.local import LocalCryptoMaterialsCache +from aws_encryption_sdk.key_providers.base import MasterKeyProvider from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager from aws_encryption_sdk.materials_managers.caching import CachingCryptoMaterialsManager from aws_encryption_sdk.materials_managers.default import DefaultCryptoMaterialsManager +try: + from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders + from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig + from aws_cryptographic_materialproviders.mpl.references import ( + IKeyring, + ) + from aws_cryptographic_materialproviders.mpl.models import ( + CreateDefaultCryptographicMaterialsManagerInput, + ) + from aws_encryption_sdk.materials_managers.mpl.cmm import CryptoMaterialsManagerFromMPL + + from awses_test_vectors.manifests.mpl_keyring import KeyringSpec, keyring_from_master_key_specs + + from aws_encryption_sdk.materials_managers.mpl.materials import ( + EncryptionMaterialsFromMPL + ) + from awses_test_vectors.internal.mpl.tampering_mpl_materials import ( + HalfSigningEncryptionMaterialsFromMPL, + ProviderInfoChangingCryptoMaterialsManagerFromMPL, + HalfSigningCryptoMaterialsManagerFromMPL, + ) + + _HAS_MPL = True +except ImportError: + _HAS_MPL = False + + from awses_test_vectors.internal.defaults import ENCODING from awses_test_vectors.internal.util import ( dictionary_validator, @@ -92,9 +120,23 @@ def run_scenario_with_tampering(self, ciphertext_writer, generation_scenario, pl return: a list of (ciphertext, result) pairs """ - materials_manager = DefaultCryptoMaterialsManager( - generation_scenario.encryption_scenario.master_key_provider_fn() - ) + key_provider = generation_scenario.encryption_scenario.master_key_provider_fn() + if isinstance(key_provider, MasterKeyProvider): + materials_manager = DefaultCryptoMaterialsManager( + key_provider + ) + elif _HAS_MPL and isinstance(key_provider, IKeyring): + mpl = AwsCryptographicMaterialProviders(MaterialProvidersConfig()) + mpl_cmm = mpl.create_default_cryptographic_materials_manager( + CreateDefaultCryptographicMaterialsManagerInput( + keyring=key_provider + ) + ) + materials_manager = CryptoMaterialsManagerFromMPL( + mpl_cmm=mpl_cmm + ) + else: + raise ValueError(f"Unrecognized master_key_provider_fn return type: {str(key_provider)}") ciphertext_to_decrypt = generation_scenario.encryption_scenario.run(materials_manager) if generation_scenario.result: expected_result = generation_scenario.result @@ -131,16 +173,31 @@ def run_scenario_with_tampering(self, ciphertext_writer, generation_scenario, _p master_key_provider = generation_scenario.encryption_scenario.master_key_provider_fn() # Use a caching CMM to avoid generating a new data key every time. - cache = LocalCryptoMaterialsCache(10) - caching_cmm = CachingCryptoMaterialsManager( - master_key_provider=master_key_provider, - cache=cache, - max_age=60.0, - max_messages_encrypted=100, - ) + if isinstance(master_key_provider, MasterKeyProvider): + cache = LocalCryptoMaterialsCache(10) + caching_cmm = CachingCryptoMaterialsManager( + master_key_provider=master_key_provider, + cache=cache, + max_age=60.0, + max_messages_encrypted=100, + ) + cmm = caching_cmm + # No caching CMM in MPL :( + # Use default CMM + elif _HAS_MPL and isinstance(master_key_provider, IKeyring): + mpl = AwsCryptographicMaterialProviders(MaterialProvidersConfig()) + mpl_cmm = mpl.create_default_cryptographic_materials_manager( + CreateDefaultCryptographicMaterialsManagerInput( + keyring=master_key_provider + ) + ) + cmm = CryptoMaterialsManagerFromMPL(mpl_cmm=mpl_cmm) + else: + raise TypeError(f"Unrecognized master_key_provider type: {master_key_provider}") + return [ self.run_scenario_with_new_provider_info( - ciphertext_writer, generation_scenario, caching_cmm, new_provider_info + ciphertext_writer, generation_scenario, cmm, new_provider_info ) for new_provider_info in self.new_provider_infos ] @@ -149,7 +206,18 @@ def run_scenario_with_new_provider_info( self, ciphertext_writer, generation_scenario, materials_manager, new_provider_info ): """Run with tampering for a specific new provider info value""" - tampering_materials_manager = ProviderInfoChangingCryptoMaterialsManager(materials_manager, new_provider_info) + if _HAS_MPL and isinstance(materials_manager, CryptoMaterialsManagerFromMPL): + tampering_materials_manager = ProviderInfoChangingCryptoMaterialsManagerFromMPL( + materials_manager, + new_provider_info + ) + elif isinstance(materials_manager, CryptoMaterialsManager): + tampering_materials_manager = ProviderInfoChangingCryptoMaterialsManager( + materials_manager, + new_provider_info + ) + else: + raise TypeError(f"Unrecognized materials_manager type: {materials_manager}") ciphertext_to_decrypt = generation_scenario.encryption_scenario.run(tampering_materials_manager) expected_result = MessageDecryptionTestResult.expect_error( "Incorrect encrypted data key provider info: " + new_provider_info @@ -253,9 +321,20 @@ def run_scenario_with_tampering(self, ciphertext_writer, generation_scenario, _p return: a list of (ciphertext, result) pairs. """ - tampering_materials_manager = HalfSigningCryptoMaterialsManager( - generation_scenario.encryption_scenario.master_key_provider_fn() - ) + if isinstance( + generation_scenario.encryption_scenario.master_key_provider_fn(), + MasterKeyProvider + ): + tampering_materials_manager = HalfSigningCryptoMaterialsManager( + generation_scenario.encryption_scenario.master_key_provider_fn() + ) + elif _HAS_MPL and isinstance( + generation_scenario.encryption_scenario.master_key_provider_fn(), + IKeyring + ): + tampering_materials_manager = HalfSigningCryptoMaterialsManagerFromMPL( + generation_scenario.encryption_scenario.master_key_provider_fn() + ) ciphertext_to_decrypt = generation_scenario.encryption_scenario.run(tampering_materials_manager) expected_result = MessageDecryptionTestResult.expect_error( "Unsigned message using a data key with a public key" @@ -296,6 +375,11 @@ def get_encryption_materials(self, request): signing_request.algorithm = AlgorithmSuite.AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384 result = self.wrapped_default_cmm.get_encryption_materials(signing_request) + + if _HAS_MPL: + if isinstance(result, EncryptionMaterialsFromMPL): + result = HalfSigningEncryptionMaterialsFromMPL(result) + result.algorithm = request.algorithm result.signing_key = None @@ -326,6 +410,7 @@ class MessageDecryptionTestScenarioGenerator(object): :type decryption_master_key_specs: iterable of :class:`MasterKeySpec` :param Callable decryption_master_key_provider_fn: :param result: + :param bool keyrings: True if should encrypt with keyring interfaces; False otherwise """ encryption_scenario = attr.ib(validator=attr.validators.instance_of(MessageEncryptionTestScenario)) @@ -334,29 +419,46 @@ class MessageDecryptionTestScenarioGenerator(object): decryption_master_key_specs = attr.ib(validator=iterable_validator(list, MasterKeySpec)) decryption_master_key_provider_fn = attr.ib(validator=attr.validators.is_callable()) result = attr.ib(validator=attr.validators.optional(attr.validators.instance_of(MessageDecryptionTestResult))) + keyrings = attr.ib(validator=attr.validators.instance_of(bool)) @classmethod - def from_scenario(cls, scenario, keys, plaintexts): + def from_scenario(cls, scenario, keys, plaintexts, keyrings, keys_uri): + # pylint: disable=too-many-arguments,too-many-locals """Load from a scenario specification. :param dict scenario: Scenario specification JSON :param KeysManifest keys: Loaded keys :param dict plaintexts: Mapping of plaintext names to plaintext values + :param bool keyrings: True if should encrypt with keyring interfaces; False otherwise + :param string keys_uri: Filepath to keys manifest. Used by MPL TestVector keyring constructor. :return: Loaded test scenario :rtype: MessageDecryptionTestScenarioGenerator """ encryption_scenario_spec = scenario["encryption-scenario"] - encryption_scenario = MessageEncryptionTestScenario.from_scenario(encryption_scenario_spec, keys, plaintexts) + encryption_scenario = MessageEncryptionTestScenario.from_scenario( + encryption_scenario_spec, + keys, + plaintexts, + keyrings, + keys_uri, + ) tampering = scenario.get("tampering") tampering_method = TamperingMethod.from_tampering_spec(tampering) decryption_method_spec = scenario.get("decryption-method") decryption_method = DecryptionMethod(decryption_method_spec) if decryption_method_spec else None if "decryption-master-keys" in scenario: - decryption_master_key_specs = [ - MasterKeySpec.from_scenario(spec) for spec in scenario["decryption-master-keys"] - ] + if keyrings: + decryption_master_key_specs = [ + KeyringSpec.from_scenario(spec) for spec in scenario["decryption-master-keys"] + ] + else: + decryption_master_key_specs = [ + MasterKeySpec.from_scenario(spec) for spec in scenario["decryption-master-keys"] + ] def decryption_master_key_provider_fn(): + if keyrings: + return keyring_from_master_key_specs(keys_uri, decryption_master_key_specs, "decrypt-generation") return master_key_provider_from_master_key_specs(keys, decryption_master_key_specs) else: @@ -372,6 +474,7 @@ def decryption_master_key_provider_fn(): decryption_master_key_specs=decryption_master_key_specs, decryption_master_key_provider_fn=decryption_master_key_provider_fn, result=result, + keyrings=keyrings, ) def run(self, ciphertext_writer, plaintext_uri): @@ -400,6 +503,9 @@ def decryption_test_scenario_pair(self, ciphertext_writer, ciphertext_to_decrypt master_key_provider_fn=self.decryption_master_key_provider_fn, decryption_method=self.decryption_method, result=expected_result, + keyrings=self.keyrings, + cmm_type="Default", + encryption_context={} ), ) @@ -414,12 +520,14 @@ class MessageDecryptionGenerationManifest(object): :param KeysManifest keys: Loaded keys :param dict plaintexts: Mapping of plaintext names to plaintext values :param dict tests: Mapping of test scenario names to :class:`MessageDecryptionGenerationManifest`s + :param bool keyrings: True if should encrypt with keyring interfaces; False otherwise """ version = attr.ib(validator=membership_validator(SUPPORTED_VERSIONS)) keys = attr.ib(validator=attr.validators.instance_of(KeysManifest)) plaintexts = attr.ib(validator=dictionary_validator(six.string_types, six.binary_type)) tests = attr.ib(validator=dictionary_validator(six.string_types, MessageDecryptionTestScenarioGenerator)) + keyrings = attr.ib(validator=attr.validators.instance_of(bool)) type_name = "awses-decrypt-generate" @staticmethod @@ -434,11 +542,12 @@ def _generate_plaintexts(plaintexts_specs): return {name: os.urandom(size) for name, size in plaintexts_specs.items()} @classmethod - def from_file(cls, input_file): + def from_file(cls, input_file, keyrings): # type: (IO) -> MessageDecryptionGenerationManifest """Load from a file containing a full message encrypt manifest. :param file input_file: File object for file containing JSON manifest + :param bool keyrings: True if should encrypt with keyring interfaces; False otherwise :return: Loaded manifest :rtype: MessageEncryptionManifest """ @@ -449,18 +558,30 @@ def from_file(cls, input_file): parent_dir = os.path.abspath(os.path.dirname(input_file.name)) reader = file_reader(parent_dir) - raw_keys_manifest = json.loads(reader(raw_manifest["keys"]).decode(ENCODING)) + + # MPL TestVector keyring needs to know the path to the keys file + keys_uri = raw_manifest["keys"] + keys_filename = keys_uri.replace("file://", "") + keys_abs_path = os.path.join(parent_dir, keys_filename) + + raw_keys_manifest = json.loads(reader(keys_uri).decode(ENCODING)) keys = KeysManifest.from_manifest_spec(raw_keys_manifest) plaintexts = cls._generate_plaintexts(raw_manifest["plaintexts"]) tests = {} for name, scenario in raw_manifest["tests"].items(): try: tests[name] = MessageDecryptionTestScenarioGenerator.from_scenario( - scenario=scenario, keys=keys, plaintexts=plaintexts + scenario=scenario, keys=keys, plaintexts=plaintexts, keyrings=keyrings, keys_uri=keys_abs_path, ) except NotImplementedError: continue - return cls(version=raw_manifest["manifest"]["version"], keys=keys, plaintexts=plaintexts, tests=tests) + return cls( + version=raw_manifest["manifest"]["version"], + keys=keys, + plaintexts=plaintexts, + tests=tests, + keyrings=keyrings, + ) def run_and_write_to_dir(self, target_directory, json_indent=None): # type: (str, Optional[int]) -> None diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py index c77fed1ce..57de8504c 100644 --- a/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py +++ b/test_vector_handlers/src/awses_test_vectors/manifests/full_message/encrypt.py @@ -22,6 +22,8 @@ import aws_encryption_sdk import six +from aws_encryption_sdk.key_providers.base import MasterKeyProvider + from awses_test_vectors.internal.defaults import ENCODING from awses_test_vectors.internal.util import ( algorithm_suite_from_string_id, @@ -34,11 +36,23 @@ from awses_test_vectors.manifests.keys import KeysManifest from awses_test_vectors.manifests.master_key import MasterKeySpec, master_key_provider_from_master_key_specs + try: from aws_encryption_sdk.identifiers import AlgorithmSuite, CommitmentPolicy except ImportError: from aws_encryption_sdk.identifiers import Algorithm as AlgorithmSuite +try: + from aws_cryptographic_materialproviders.mpl.references import ( + IKeyring, + ) + + from awses_test_vectors.manifests.mpl_keyring import KeyringSpec, keyring_from_master_key_specs + + _HAS_MPL = True +except ImportError: + _HAS_MPL = False + try: # Python 3.5.0 and 3.5.1 have incompatible typing modules from typing import IO, Callable, Dict, Iterable, Optional # noqa pylint: disable=unused-import @@ -78,22 +92,36 @@ class MessageEncryptionTestScenario(object): encryption_context = attr.ib(validator=dictionary_validator(six.string_types, six.string_types)) master_key_specs = attr.ib(validator=iterable_validator(list, MasterKeySpec)) master_key_provider_fn = attr.ib(validator=attr.validators.is_callable()) + keyrings = attr.ib(validator=attr.validators.instance_of(bool)) @classmethod - def from_scenario(cls, scenario, keys, plaintexts): - # type: (ENCRYPT_SCENARIO_SPEC, KeysManifest, Dict[str, bytes]) -> MessageEncryptionTestScenario + def from_scenario(cls, scenario, keys, plaintexts, keyrings, keys_uri): + # pylint: disable=too-many-arguments + # type: (ENCRYPT_SCENARIO_SPEC, KeysManifest, Dict[str, bytes], bool, str) -> MessageEncryptionTestScenario """Load from a scenario specification. :param dict scenario: Scenario specification JSON :param KeysManifest keys: Loaded keys :param dict plaintexts: Mapping of plaintext names to plaintext values + :param bool keyrings: True if should encrypt with keyring interfaces; False otherwise + :param str keys_uri: Path to the keys manifest :return: Loaded test scenario :rtype: MessageEncryptionTestScenario """ algorithm = algorithm_suite_from_string_id(scenario["algorithm"]) - master_key_specs = [MasterKeySpec.from_scenario(spec) for spec in scenario["master-keys"]] + + if keyrings: + master_key_specs = [ + KeyringSpec.from_scenario(spec) for spec in scenario["master-keys"] + ] + else: + master_key_specs = [ + MasterKeySpec.from_scenario(spec) for spec in scenario["master-keys"] + ] def master_key_provider_fn(): + if keyrings: + return keyring_from_master_key_specs(keys_uri, master_key_specs, "encrypt") return master_key_provider_from_master_key_specs(keys, master_key_specs) return cls( @@ -104,6 +132,7 @@ def master_key_provider_fn(): encryption_context=scenario["encryption-context"], master_key_specs=master_key_specs, master_key_provider_fn=master_key_provider_fn, + keyrings=keyrings, ) def run(self, materials_manager=None): @@ -129,8 +158,12 @@ def run(self, materials_manager=None): ) if materials_manager: encrypt_kwargs["materials_manager"] = materials_manager - else: + elif isinstance(self.master_key_provider_fn(), MasterKeyProvider): encrypt_kwargs["key_provider"] = self.master_key_provider_fn() + elif _HAS_MPL and isinstance(self.master_key_provider_fn(), IKeyring): + encrypt_kwargs["keyring"] = self.master_key_provider_fn() + else: + raise TypeError(f"Unrecognized master_key_provider_fn return type: {self.master_key_provider_fn()}") ciphertext, _header = client.encrypt(**encrypt_kwargs) return ciphertext @@ -165,11 +198,12 @@ def _generate_plaintexts(plaintexts_specs): return {name: os.urandom(size) for name, size in plaintexts_specs.items()} @classmethod - def from_file(cls, input_file): + def from_file(cls, input_file, keyrings): # type: (IO) -> MessageEncryptionManifest """Load frome a file containing a full message encrypt manifest. :param file input_file: File object for file containing JSON manifest + :param bool keyrings: True if should encrypt with keyring interfaces; False otherwise :return: Loaded manifest :rtype: MessageEncryptionManifest """ @@ -180,14 +214,20 @@ def from_file(cls, input_file): parent_dir = os.path.abspath(os.path.dirname(input_file.name)) reader = file_reader(parent_dir) - raw_keys_manifest = json.loads(reader(raw_manifest["keys"]).decode(ENCODING)) + + # MPL TestVector keyring needs to know the path to the keys file + keys_uri = raw_manifest["keys"] + keys_filename = keys_uri.replace("file://", "") + keys_abs_path = os.path.join(parent_dir, keys_filename) + + raw_keys_manifest = json.loads(reader(keys_uri).decode(ENCODING)) keys = KeysManifest.from_manifest_spec(raw_keys_manifest) plaintexts = cls._generate_plaintexts(raw_manifest["plaintexts"]) tests = {} for name, scenario in raw_manifest["tests"].items(): try: tests[name] = MessageEncryptionTestScenario.from_scenario( - scenario=scenario, keys=keys, plaintexts=plaintexts + scenario=scenario, keys=keys, plaintexts=plaintexts, keyrings=keyrings, keys_uri=keys_abs_path ) except NotImplementedError: continue diff --git a/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py b/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py new file mode 100644 index 000000000..ec35147c0 --- /dev/null +++ b/test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py @@ -0,0 +1,182 @@ +# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +"""Keyring Manifest handler. + +This REQUIRES the aws-cryptographic-material-providers library. +""" +import json +import attr + +# Ignore missing MPL for pylint, but the MPL is required for this example +# noqa pylint: disable=import-error +from aws_cryptography_materialproviderstestvectorkeys.smithygenerated.\ + aws_cryptography_materialproviderstestvectorkeys.models import ( + GetKeyDescriptionInput, + GetKeyDescriptionOutput, + TestVectorKeyringInput, + ) +from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders +from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig +from aws_cryptographic_materialproviders.mpl.references import IKeyring +from aws_cryptographic_materialproviders.mpl.models import CreateMultiKeyringInput + +import _dafny +import UTF8 + +# Ignore pylint not being able to read a module that requires the MPL +# pylint: disable=no-name-in-module +from awses_test_vectors.internal.mpl.keyvectors_provider import KeyVectorsProvider +from awses_test_vectors.manifests.keys import KeysManifest # noqa: disable=F401 + + +from .master_key import MasterKeySpec + + +@attr.s +class KeyringSpec(MasterKeySpec): # pylint: disable=too-many-instance-attributes + """AWS Encryption SDK master key specification utilities. + + Described in AWS Crypto Tools Test Vector Framework features #0003 and #0004. + + :param str type_name: Master key type name + :param str key_name: Name of key in keys spec + :param str provider_id: Master key provider ID + :param str encryption_algorithm: Wrapping key encryption algorithm (required for raw master keys) + :param str padding_algorithm: Wrapping key padding algorithm (required for raw master keys) + :param str padding_hash: Wrapping key padding hash (required for raw master keys) + """ + + def keyring(self, keys_uri, mode): + # type: (KeysManifest) -> IKeyring + """Build a keyring using this specification. + :param str keys_uri: Path to the keys manifest + """ + keyvectors = KeyVectorsProvider.get_keyvectors(keys_path=keys_uri) + + # Variable to flag whether we changed anything in weird hack #1. + # Signals to weird hack #2 whether it should execute. + changed_key_name_from_private_to_public = False + + # Construct the input to KeyVectorsConfig + input_kwargs = { + "type": self.type_name, + "key": self.key_name, + "provider-id": self.provider_id, + "encryption-algorithm": self.encryption_algorithm, + + } + if self.padding_algorithm is not None and self.padding_algorithm != "": + input_kwargs["padding-algorithm"] = self.padding_algorithm + if self.padding_hash is not None: + input_kwargs["padding-hash"] = self.padding_hash + + if input_kwargs["type"] == "raw" \ + and input_kwargs["encryption-algorithm"] == "rsa": + # Weird hack #1: + # Gets public key for encryption instead of private key. + # + # If generating decrypt vectors (i.e. encrypting) + # and the manifest specified an RSA private key, + # change the input to KeyVectors to a public key. + # KeyVectors requires a public key to encrypt. + # If this is not done, then keyring.OnEncrypt fails with + # "A RawRSAKeyring without a public key cannot provide OnEncrypt" + if input_kwargs["key"] == "rsa-4096-private" \ + and mode in ("decrypt-generate", "encrypt"): + changed_key_name_from_private_to_public = True + input_kwargs["key"] = "rsa-4096-public" + # Specify default padding-hash + if "padding-hash" not in input_kwargs: + input_kwargs["padding-hash"] = "sha1" + + # stringify the dict + input_as_string = json.dumps(input_kwargs) + # convert to unicode code point (expected representation) + encoded_json = [ord(c) for c in input_as_string] + + output: GetKeyDescriptionOutput = keyvectors.get_key_description( + GetKeyDescriptionInput(json=encoded_json) + ) + + keyring: IKeyring = keyvectors.create_test_vector_keyring( + TestVectorKeyringInput( + key_description=output.key_description + ) + ) + + # Weird hack #2: + # Sets keyProviderInfo to "private" even though the material is "public". + # + # Weird hack #1 allows the encrypting keyring to be created with a public key. + # However, it also changes the keyName of the encrypting keyring. + # This hack changes it back. + # + # If this is not done, then decryption fails + # (for BOTH native master keys and MPL keyrings) + # with error + # native master keys: "Unable to decrypt any data key" + # MPL: "Raw RSA Key was unable to decrypt any encrypted data key" + # + # Digging, the keyring is unable to decrypt in the MPL + # because the EDK keyProviderInfo differs from the keyring keyName, + # and this check fails: + # https://github.com/aws/aws-cryptographic-material-providers-library/blob/bd549c88cefc93ba8a2d204bd23134b3b12c69fb/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/RawRSAKeyring.dfy#L382 + # due to the two variables not being equal: + # edk.keyProviderInfo='rsa-4096-public' + # keyring.keyName='rsa-4096-private' + # + # Changing the encrypting keyring's keyName back to 'rsa-4096-private' + # sets any EDKs this keyring encrypts to now have + # keyName="rsa-4096-private". + # However, keyvectors has still retrieved the public key material to encrypt with. + # So it any EDKs it encrypts will use the public material, but have keyName="rsa-4096-private". + # + # This configuration seems to be correct, because + # all of the test vectors (master keys and MPL) pass with these two hacks. + # But this seems weird, and we didn't have to do this in Java. + if hasattr(keyring, "_impl"): # pylint: disable=protected-access + if hasattr(keyring._impl, "_keyName"): # pylint: disable=protected-access + if keyring._impl._keyName == UTF8.default__.Encode(_dafny.Seq("rsa-4096-public")).value \ + and mode in ("decrypt-generate", "encrypt"): # pylint: disable=protected-access + if changed_key_name_from_private_to_public: + # pylint: disable=protected-access + keyring._impl._keyName = UTF8.default__.Encode(_dafny.Seq("rsa-4096-private")).value + + return keyring + + +def keyring_from_master_key_specs(keys_uri, master_key_specs, mode): + # type: (str, list[KeyringSpec]) -> IKeyring + """Build and combine all keyrings identified by the provided specs and + using the provided keys. + + :param str keys_uri: Path to the keys manifest + :param master_key_specs: Master key specs from which to load master keys + :type master_key_specs: iterable of MasterKeySpec + :return: Master key provider combining all loaded master keys + :rtype: IKeyring + """ + keyrings = [spec.keyring(keys_uri, mode) for spec in master_key_specs] + primary = keyrings[0] + others = keyrings[1:] + + mpl: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( + MaterialProvidersConfig() + ) + multi_keyring: IKeyring = mpl.create_multi_keyring( + CreateMultiKeyringInput( + generator=primary, + child_keyrings=others + ) + ) + return multi_keyring diff --git a/test_vector_handlers/tox.ini b/test_vector_handlers/tox.ini index 580b641e0..cdb1137fb 100644 --- a/test_vector_handlers/tox.ini +++ b/test_vector_handlers/tox.ini @@ -36,7 +36,7 @@ envlist = # release :: Builds dist files and uploads to pypi pypirc profile. [testenv:base-command] -commands = pytest --basetemp={envtmpdir} -l --cov awses_test_vectors test/ {posargs} +commands = pytest --basetemp={envtmpdir} -l --cov awses_test_vectors test/ --ignore test/mpl {posargs} [testenv] passenv = @@ -50,10 +50,13 @@ sitepackages = False deps = -rtest/requirements.txt # Install the MPL requirements if the `-mpl` suffix is present - mpl: -r../requirements_mpl.txt + mpl: -rrequirements_mpl.txt .. commands = - {[testenv:base-command]commands} + awses_local: {[testenv:base-command]commands} + full_decrypt_generate: awses-full-message-decrypt-generate {posargs} + full_decrypt: awses-full-message-decrypt {posargs} + full_encrypt: awses-full-message-encrypt {posargs} [testenv:full-encrypt] basepython = python3