
Commit 1d9189d

authored
fix: expose the KMS keyring key namespace value for public access (aws#234)
1 parent 353b0e2 commit 1d9189d


2 files changed

+27
-25
lines changed


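--- a/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py
+++ b/src/aws_encryption_sdk/keyrings/aws_kms/__init__.py
@@ -30,14 +30,16 @@
 # We only actually need these imports when running the mypy checks
 pass
 
-__all__ = ("KmsKeyring",)
+__all__ = ("KmsKeyring", "KEY_NAMESPACE")
 
 _LOGGER = logging.getLogger(__name__)
-_PROVIDER_ID = "aws-kms"
 _GENERATE_FLAGS = {KeyringTraceFlag.GENERATED_DATA_KEY}
 _ENCRYPT_FLAGS = {KeyringTraceFlag.ENCRYPTED_DATA_KEY, KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT}
 _DECRYPT_FLAGS = {KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT}
 
+#: Key namespace used for all encrypted data keys created by the KMS keyring.
+KEY_NAMESPACE = "aws-kms"
+
 
 @attr.s
 class KmsKeyring(Keyring):
@@ -179,7 +181,7 @@ class _AwsKmsSingleCmkKeyring(Keyring):
 
 def on_encrypt(self, encryption_materials):
 # type: (EncryptionMaterials) -> EncryptionMaterials
-trace_info = MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=self._key_id)
+trace_info = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=self._key_id)
 new_materials = encryption_materials
 try:
 if new_materials.data_encryption_key is None:
@@ -221,7 +223,7 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys):
 return new_materials
 
 if (
-edk.key_provider.provider_id == _PROVIDER_ID
+edk.key_provider.provider_id == KEY_NAMESPACE
 and edk.key_provider.key_info.decode("utf-8") == self._key_id
 ):
 new_materials = _try_aws_kms_decrypt(
@@ -265,7 +267,7 @@ def on_decrypt(self, decryption_materials, encrypted_data_keys):
 if new_materials.data_encryption_key is not None:
 return new_materials
 
-if edk.key_provider.provider_id == _PROVIDER_ID:
+if edk.key_provider.provider_id == KEY_NAMESPACE:
 new_materials = _try_aws_kms_decrypt(
 client_supplier=self._client_supplier,
 decryption_materials=new_materials,
@@ -327,7 +329,7 @@ def _do_aws_kms_decrypt(client_supplier, key_name, encrypted_data_key, encryptio
 " actual '{actual}' != expected '{expected}'".format(actual=response_key_id, expected=key_name)
 )
 return RawDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=response_key_id), data_key=response["Plaintext"]
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=response_key_id), data_key=response["Plaintext"]
 )
 
 
@@ -346,7 +348,7 @@ def _do_aws_kms_encrypt(client_supplier, key_name, plaintext_data_key, encryptio
 GrantTokens=grant_tokens,
 )
 return EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=response["KeyId"]),
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=response["KeyId"]),
 encrypted_data_key=response["CiphertextBlob"],
 )
 
@@ -368,7 +370,7 @@ def _do_aws_kms_generate_data_key(client_supplier, key_name, encryption_context,
 EncryptionContext=encryption_context,
 GrantTokens=grant_tokens,
 )
-provider = MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=response["KeyId"])
+provider = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=response["KeyId"])
 plaintext_key = RawDataKey(key_provider=provider, data_key=response["Plaintext"])
 encrypted_key = EncryptedDataKey(key_provider=provider, encrypted_data_key=response["CiphertextBlob"])
 return plaintext_key, encrypted_key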
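Review bot: The `#:` doc comment added for `KEY_NAMESPACE` in the first hunk describes only its encrypt-side role, but the same value is also the filter that decides which encrypted data keys the single-CMK and discovery `on_decrypt` paths will attempt to decrypt (the `provider_id == KEY_NAMESPACE` comparisons in the -221 and -265 hunks) and it is written into the `key_provider` of every `EncryptedDataKey` the module produces, so now that it is exported the comment should make clear it is a serialized value to compare against, not to reassign. Suggested replacement for the comment line: `#: Key namespace (provider ID) stamped on every encrypted data key produced by the KMS keyrings and used on decrypt to select which encrypted data keys they will attempt; it is part of the serialized message format and must be treated as read-only.` Separately, the context line after the -221 hunk's changed line, `edk.key_provider.key_info.decode("utf-8")`, runs on a `key_info` taken from the message being decrypted, so a malformed message carrying non-UTF-8 bytes there would raise `UnicodeDecodeError` rather than having that EDK skipped; whether an enclosing handler catches it is not visible in the hunk and is worth confirming. Both `on_decrypt` bodies start and end outside their hunks.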

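--- a/test/functional/keyrings/aws_kms/test_aws_kms.py
+++ b/test/functional/keyrings/aws_kms/test_aws_kms.py
@@ -13,7 +13,7 @@
 from aws_encryption_sdk.identifiers import KeyringTraceFlag
 from aws_encryption_sdk.internal.defaults import ALGORITHM
 from aws_encryption_sdk.keyrings.aws_kms import (
-_PROVIDER_ID,
+KEY_NAMESPACE,
 KmsKeyring,
 _AwsKmsDiscoveryKeyring,
 _AwsKmsSingleCmkKeyring,
@@ -58,7 +58,7 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_empty_materials(fake_generator):
 assert len(result_materials.encrypted_data_keys) == 1
 
 generator_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace
 )
 
 assert KeyringTraceFlag.GENERATED_DATA_KEY in generator_flags
@@ -84,7 +84,7 @@ def test_aws_kms_single_cmk_keyring_on_encrypt_existing_data_key(fake_generator)
 assert len(result_materials.encrypted_data_keys) == 1
 
 generator_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace
 )
 
 assert KeyringTraceFlag.GENERATED_DATA_KEY not in generator_flags
@@ -123,7 +123,7 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_existing_datakey(caplog):
 decryption_materials=initial_materials,
 encrypted_data_keys=(
 EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=b"foo"), encrypted_data_key=b"bar"
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"), encrypted_data_key=b"bar"
 ),
 ),
 )
@@ -154,7 +154,7 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_single_cmk(fake_generator):
 assert result_materials.data_encryption_key is not None
 
 generator_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace
 )
 
 assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags
@@ -180,12 +180,12 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_multiple_cmk(fake_generator_and_c
 )
 
 generator_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=generator), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator), result_materials.keyring_trace
 )
 assert len(generator_flags) == 0
 
 child_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=child), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=child), result_materials.keyring_trace
 )
 
 assert KeyringTraceFlag.DECRYPTED_DATA_KEY in child_flags
@@ -225,7 +225,7 @@ def test_aws_kms_single_cmk_keyring_on_decrypt_fail(caplog):
 decryption_materials=initial_materials,
 encrypted_data_keys=(
 EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=b"foo"), encrypted_data_key=b"bar"
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"), encrypted_data_key=b"bar"
 ),
 ),
 )
@@ -275,7 +275,7 @@ def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery
 assert result_materials.data_encryption_key is not None
 
 generator_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=generator_key_id), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator_key_id), result_materials.keyring_trace
 )
 
 assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags
@@ -300,7 +300,7 @@ def test_aws_kms_discovery_keyring_on_decrypt_existing_data_key(caplog):
 decryption_materials=initial_materials,
 encrypted_data_keys=(
 EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=b"foo"), encrypted_data_key=b"bar"
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"), encrypted_data_key=b"bar"
 ),
 ),
 )
@@ -346,7 +346,7 @@ def test_aws_kms_discovery_keyring_on_decrypt_fail(caplog):
 decryption_materials=initial_materials,
 encrypted_data_keys=(
 EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=b"bar"), encrypted_data_key=b"bar"
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"bar"), encrypted_data_key=b"bar"
 ),
 ),
 )
@@ -365,7 +365,7 @@ def test_try_aws_kms_decrypt_succeed(fake_generator):
 response = kms.encrypt(KeyId=fake_generator, Plaintext=plaintext, EncryptionContext=encryption_context)
 
 encrypted_data_key = EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=response["KeyId"]),
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=response["KeyId"]),
 encrypted_data_key=response["CiphertextBlob"],
 )
 
@@ -381,7 +381,7 @@ def test_try_aws_kms_decrypt_succeed(fake_generator):
 assert result_materials.data_encryption_key.data_key == plaintext
 
 generator_flags = _matching_flags(
-MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), result_materials.keyring_trace
+MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), result_materials.keyring_trace
 )
 
 assert KeyringTraceFlag.DECRYPTED_DATA_KEY in generator_flags
@@ -394,7 +394,7 @@ def test_try_aws_kms_decrypt_error(caplog):
 caplog.set_level(logging.DEBUG)
 
 encrypted_data_key = EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=b"foo"), encrypted_data_key=b"bar"
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"), encrypted_data_key=b"bar"
 )
 
 initial_decryption_materials = DecryptionMaterials(algorithm=ALGORITHM, encryption_context={},)
@@ -420,7 +420,7 @@ def test_do_aws_kms_decrypt(fake_generator):
 response = kms.encrypt(KeyId=fake_generator, Plaintext=plaintext, EncryptionContext=encryption_context)
 
 encrypted_data_key = EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=response["KeyId"]),
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=response["KeyId"]),
 encrypted_data_key=response["CiphertextBlob"],
 )
 
@@ -442,7 +442,7 @@ def test_do_aws_kms_decrypt_unexpected_key_id(fake_generator_and_child):
 response = kms.encrypt(KeyId=encryptor, Plaintext=plaintext, EncryptionContext=encryption_context)
 
 encrypted_data_key = EncryptedDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=response["KeyId"]),
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=response["KeyId"]),
 encrypted_data_key=response["CiphertextBlob"],
 )
 
@@ -466,7 +466,7 @@ def test_do_aws_kms_encrypt(fake_generator):
 client_supplier=DefaultClientSupplier(),
 key_name=fake_generator,
 plaintext_data_key=RawDataKey(
-key_provider=MasterKeyInfo(provider_id=_PROVIDER_ID, key_info=fake_generator), data_key=plaintext
+key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=fake_generator), data_key=plaintext
 ),
 encryption_context=encryption_context,
 grant_tokens=[],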
