Comments (4)
Verified that the DDB encryption context passed to the `_decrypt_initial_material` call does contain the partition and sort key *names* (`partition_key_name='partition_attribute'`, `sort_key_name='sort_attribute'`), but the KMS encryption context built from it does not contain the corresponding key *values*: as the locals below show, it holds only `*amzn-ddb-env-alg*`, `*amzn-ddb-sig-alg*` and `*aws-kms-table*`, even though the material description's `aws-kms-ec-attr: '*keys*'` entry indicates the key attribute values are expected to be part of it.
ddb_table_name = 'DDBEC-test-resources-TestTable-HS6VNXM82B6J'
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(_key_id='arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2...rant_tokens=(), _material_description={}, _regional_clients={'us-west-2': <botocore.client.KMS object at 0x11053ca58>})
parametrized_actions = AttributeActions(default_action=<CryptoAction.SIGN_ONLY: 1>, attribute_actions={'number_set': <CryptoAction.DO_NOTHING...: <CryptoAction.DO_NOTHING: 0>, 'binary_set': <CryptoAction.DO_NOTHING: 0>, 'map': <CryptoAction.ENCRYPT_AND_SIGN: 2>})
parametrized_item = {'binary': b'this is a bytestring! \x01', 'binary_set': {b'\x00\x00\x00', b'\x00\x00\x02', b'\x00\x01\x00'}, 'decimal': Decimal('123.456'), 'int': 5, ...}
def test_ephemeral_batch_item_cycle_scan_paginator_kms(ddb_table_name, aws_kms_cmp, parametrized_actions, parametrized_item):
    """Test the AWS KMS CMP against a small number of curated items using the scan paginator.

    Integration test that only wires pytest fixtures into the shared cycle helper;
    the round trip itself lives in
    ``functional_test_utils.client_cycle_batch_items_check_scan_paginator``, which
    (per the trace) iterates ``encrypted_paginator.paginate(TableName=..., ConsistentRead=True)``
    and decrypts every returned item, so a KMS ``Decrypt`` failure surfaces here as
    ``UnwrappingError``.

    :param ddb_table_name: name of the live DynamoDB test table (str fixture)
    :param aws_kms_cmp: ``AwsKmsCryptographicMaterialsProvider`` fixture bound to a KMS CMK
    :param parametrized_actions: ``AttributeActions`` fixture (default SIGN_ONLY, sets DO_NOTHING,
        ``map`` ENCRYPT_AND_SIGN)
    :param parametrized_item: dict fixture holding one item with every DynamoDB attribute type
    """
    functional_test_utils.client_cycle_batch_items_check_scan_paginator(
        aws_kms_cmp, parametrized_actions, parametrized_item, ddb_table_name
    )
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(_key_id='arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f', _botocore_session=<botocore.session.Session object at 0x110037f60>, _grant_tokens=(), _material_description={}, _regional_clients={'us-west-2': <botocore.client.KMS object at 0x11053ca58>})
ddb_table_name = 'DDBEC-test-resources-TestTable-HS6VNXM82B6J'
parametrized_actions = AttributeActions(default_action=<CryptoAction.SIGN_ONLY: 1>, attribute_actions={'number_set': <CryptoAction.DO_NOTHING: 0>, 'string_set': <CryptoAction.DO_NOTHING: 0>, 'binary_set': <CryptoAction.DO_NOTHING: 0>, 'map': <CryptoAction.ENCRYPT_AND_SIGN: 2>})
parametrized_item = {'binary': b'this is a bytestring! \x01',
'binary_set': {b'\x00\x00\x00', b'\x00\x01\x00', b'\x00\x00\x02'},
'decimal': Decimal('123.456'),
'int': 5,
'list': [5,
Decimal('123.456'),
'this is a string',
b'this is a bytestring! \x01',
{3, 4, 5},
{'abc', 'def', 'geh'},
{b'\x00\x00\x00', b'\x00\x01\x00', b'\x00\x00\x02'}],
'map': {'binary': b'this is a bytestring! \x01',
'binary_set': {b'\x00\x00\x00', b'\x00\x01\x00', b'\x00\x00\x02'},
'decimal': Decimal('123.456'),
'int': 5,
'list': [5,
Decimal('123.456'),
'this is a string',
b'this is a bytestring! \x01',
{3, 4, 5},
{'abc', 'def', 'geh'},
{b'\x00\x00\x00', b'\x00\x01\x00', b'\x00\x00\x02'}],
'number_set': {3, 4, 5},
'string': 'this is a string',
'string_set': {'abc', 'def', 'geh'}},
'number_set': {3, 4, 5},
'string': 'this is a string',
'string_set': {'abc', 'def', 'geh'}}
test/integration/encrypted/test_client.py:69:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
test/functional/functional_test_utils.py:734: in client_cycle_batch_items_check_scan_paginator
for page in encrypted_paginator.paginate(TableName=table_name, ConsistentRead=True):
.tox/py37-manual/lib/python3.7/site-packages/dynamodb_encryption_sdk/encrypted/client.py:108: in paginate
page["Items"][pos] = self._decrypt_method(item=value, crypto_config=crypto_config)
.tox/py37-manual/lib/python3.7/site-packages/dynamodb_encryption_sdk/encrypted/item.py:199: in decrypt_dynamodb_item
decryption_materials = inner_crypto_config.decryption_materials()
.tox/py37-manual/lib/python3.7/site-packages/dynamodb_encryption_sdk/encrypted/__init__.py:88: in decryption_materials
return self.materials_provider.decryption_materials(self.encryption_context)
.tox/py37-manual/lib/python3.7/site-packages/dynamodb_encryption_sdk/material_providers/aws_kms.py:461: in decryption_materials
initial_material = self._decrypt_initial_material(encryption_context)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = AwsKmsCryptographicMaterialsProvider(_key_id='arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2...rant_tokens=(), _material_description={}, _regional_clients={'us-west-2': <botocore.client.KMS object at 0x11053ca58>})
encryption_context = EncryptionContext(table_name='DDBEC-test-resources-TestTable-HS6VNXM82B6J', partition_key_name='partition_attribute', ...': '/CBC/PKCS5Padding', 'amzn-ddb-sig-alg': 'HmacSHA256/256', 'amzn-ddb-wrap-alg': 'kms', 'aws-kms-ec-attr': '*keys*'})
def _decrypt_initial_material(self, encryption_context):
    # type: (EncryptionContext) -> bytes
    """Decrypt an encrypted initial cryptographic material value.

    The wrapped data key is read from the material description, base64-decoded and
    handed to AWS KMS ``Decrypt`` together with an encryption context derived from
    ``encryption_context`` plus the content-encryption and item-signature algorithm
    names. KMS requires that encryption context to match exactly the one supplied
    when the key was wrapped, so any entry that cannot be reconstructed here (for
    example the item's key attribute values when ``encryption_context.attributes``
    is empty) makes the Decrypt call fail and surfaces as ``UnwrappingError``.

    :param encryption_context: Encryption context providing information about request
    :type encryption_context: EncryptionContext
    :returns: Plaintext of initial cryptographic material
    :rtype: bytes
    :raises UnwrappingError: if the KMS call raises ``botocore.exceptions.ClientError``
        or the response carries no ``Plaintext`` field (``KeyError``)
    """
    # Resolve the CMK for this request and refuse to continue if it is not acceptable.
    key_id = self._select_key_id(encryption_context)
    self._validate_key_id(key_id, encryption_context)
    # Build the KMS encryption context: the two algorithm names are bound in alongside
    # whatever _kms_encryption_context derives from the DDB encryption context
    # (the table name and, presumably, the key attribute values when item attributes are set).
    kms_encryption_context = self._kms_encryption_context(
        encryption_context=encryption_context,
        encryption_description=encryption_context.material_description.get(
            MaterialDescriptionKeys.CONTENT_ENCRYPTION_ALGORITHM.value
        ),
        signing_description=encryption_context.material_description.get(
            MaterialDescriptionKeys.ITEM_SIGNATURE_ALGORITHM.value
        ),
    )
    # NOTE(review): a missing wrapped-key entry is not guarded here; .get() yields None and
    # whatever to_bytes()/b64decode() raise on it is not normalized by the except below - confirm.
    encrypted_initial_material = base64.b64decode(
        to_bytes(encryption_context.material_description.get(MaterialDescriptionKeys.WRAPPED_DATA_KEY.value))
    )
    kms_params = dict(CiphertextBlob=encrypted_initial_material, EncryptionContext=kms_encryption_context)
    # Grant tokens are only forwarded when the provider was configured with some.
    if self._grant_tokens:
        kms_params["GrantTokens"] = self._grant_tokens
    # Catch any boto3 errors and normalize to expected UnwrappingError.
    # The underlying exception (including the KMS error code/message) goes to the log
    # via _LOGGER.exception; the caller only sees the generic message below.
    try:
        response = self._client(key_id).decrypt(**kms_params)
        return response["Plaintext"]
    except (botocore.exceptions.ClientError, KeyError):
        message = "Failed to unwrap AWS KMS protected materials"
        _LOGGER.exception(message)
        raise UnwrappingError(message)
E dynamodb_encryption_sdk.exceptions.UnwrappingError: Failed to unwrap AWS KMS protected materials
encrypted_initial_material = (b"\x01\x01\x01\x00x@\xf3\x8c'^1\tt\x16\xc1\x07)QPW\x19d\xad\xa3\xef\x1c!\xe9"
b'L\x8b\xa0\xbd\xbc\x9d\x0f\xb4\x14\x00\x00\x00~0|\x06\t*\x86H\x86\xf7\r\x01'
b'\x07\x06\xa0o0m\x02\x01\x000h\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1e'
b'\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0c\xa0\xcb,\xfe\x9d\xf1\xfa\xc9<'
b'k\x0e\x1f\x02\x01\x10\x80;\x8a\x97\x99\x7f\xb5\xa9\xe3\xb5\n\x12\x90\xce'
b'Z\xf7\xe9\xa2\x8bH\x08\xfc\xd0I;E\r-?w\xdbs\xcd\xb4"\x11\x03\xd9'
b':\x8f\xf8\x85\x87\xd0\x7fd\x0e\xe3\x0c\xe9p\x084\x88w\xd8\x93\x81\x1d\xc1c')
encryption_context = EncryptionContext(table_name='DDBEC-test-resources-TestTable-HS6VNXM82B6J', partition_key_name='partition_attribute', sort_key_name='sort_attribute', attributes={}, material_description={'amzn-ddb-env-alg': 'AES/256', 'amzn-ddb-env-key': 'AQEBAHhA84wnXjEJdBbBBylRUFcZZK2j7xwh6UyLoL28nQ+0FAAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDKDLLP6d8frJPGsOHwIBEIA7ipeZf7Wp47UKEpDOWvfpootICPzQSTtFDS0/d9tzzbQiEQPZOo/4hYfQf2QO4wzpcAg0iHfYk4EdwWM=', 'amzn-ddb-map-signingAlg': 'HmacSHA256', 'amzn-ddb-map-sym-mode': '/CBC/PKCS5Padding', 'amzn-ddb-sig-alg': 'HmacSHA256/256', 'amzn-ddb-wrap-alg': 'kms', 'aws-kms-ec-attr': '*keys*'})
key_id = 'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
kms_encryption_context = {'*amzn-ddb-env-alg*': 'AES/256',
'*amzn-ddb-sig-alg*': 'HmacSHA256/256',
'*aws-kms-table*': 'DDBEC-test-resources-TestTable-HS6VNXM82B6J'}
kms_params = {'CiphertextBlob': b"\x01\x01\x01\x00x@\xf3\x8c'^1\tt\x16\xc1\x07)QPW"
b'\x19d\xad\xa3\xef\x1c!\xe9L\x8b\xa0\xbd\xbc\x9d\x0f\xb4'
b'\x14\x00\x00\x00~0|\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0o'
b'0m\x02\x01\x000h\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1e'
b'\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0c\xa0'
b'\xcb,\xfe\x9d\xf1\xfa\xc9<k\x0e\x1f\x02\x01\x10\x80;'
b'\x8a\x97\x99\x7f\xb5\xa9\xe3\xb5\n\x12\x90\xce'
b'Z\xf7\xe9\xa2\x8bH\x08\xfc\xd0I;E\r-?w\xdbs\xcd\xb4'
b'"\x11\x03\xd9:\x8f\xf8\x85\x87\xd0\x7fd\x0e\xe3\x0c\xe9'
b'p\x084\x88w\xd8\x93\x81\x1d\xc1c',
'EncryptionContext': {'*amzn-ddb-env-alg*': 'AES/256',
'*amzn-ddb-sig-alg*': 'HmacSHA256/256',
'*aws-kms-table*': 'DDBEC-test-resources-TestTable-HS6VNXM82B6J'}}
message = 'Failed to unwrap AWS KMS protected materials'
self = AwsKmsCryptographicMaterialsProvider(_key_id='arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f', _botocore_session=<botocore.session.Session object at 0x110037f60>, _grant_tokens=(), _material_description={}, _regional_clients={'us-west-2': <botocore.client.KMS object at 0x11053ca58>})
However, the item attributes are not set in the DDB encryption context (`attributes={}` in the locals above).
As a result the KMS encryption context does not contain the partition/sort key values: when the provider tries to look them up in the DDB encryption context's item attributes they are not present, so they are silently omitted and the context no longer matches the one the data key was wrapped under. KMS then rejects the `Decrypt` call, which is the correct fail-closed behaviour for a context mismatch, but here it is triggered by a caller bug rather than by tampering.
Looks like the paginator decrypt logic (`encrypted/client.py:108` in the trace above) missed an update that the other decrypt paths received: they call the decrypt method with `crypto_config.with_item(...)`, so the item's key attributes populate the encryption context, whereas the paginator still passes the bare `crypto_config`.
The fix for this shipped in release 1.1.1.