added CustomSigningSuiteOnlyCMM; refactoring

RitvikKapila · RitvikKapila · commit c296556f3f5e · 2024-06-18T15:47:43.000-07:00
diff --git a/examples/src/legacy/custom_cmm_example.py b/examples/src/legacy/custom_cmm_example.py
@@ -0,0 +1,86 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Example to create a custom crypto material manager class."""
+
+import aws_encryption_sdk
+from aws_encryption_sdk import CommitmentPolicy
+from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager
+
+
+# Custom CMM implementation.
+# This CMM only allows encryption/decryption using signing algorithms.
+# It wraps an underlying CMM implementation and checks its materials
+# to ensure that it is only using signed encryption algorithms.
+class CustomSigningSuiteOnlyCMM(CryptoMaterialsManager):
+    """Example custom crypto materials manager class."""
+
+    def __init__(self, cmm: CryptoMaterialsManager) -> None:
+        super().__init__()
+        self.underlying_cmm = cmm
+
+    def get_encryption_materials(self, request):
+        """Provides encryption materials appropriate for the request for the custom CMM.
+
+        :param EncryptionMaterialsRequest request: Request object to provide to a
+        crypto material manager's `get_encryption_materials` method.
+        :returns: Encryption materials
+        :rtype: EncryptionMaterials
+        """
+        materials = self.underlying_cmm.get_encryption_materials(request)
+        if not materials.algorithm.is_signing():
+            raise AssertionError(
+                "Algorithm provided to CustomSigningSuiteOnlyCMM"
+                  + " is not a supported signing algorithm: " + materials.algorithm
+                  )
+        return materials
+
+    def decrypt_materials(self, request):
+        """Provider decryption materials appropriate for the request.
+
+        :param DecryptionMaterialsRequest request: Request object to provide to a
+        crypto material manager's `decrypt_materials` method.
+        """
+        if not request.algorithm.is_signing():
+            raise AssertionError(
+                "Algorithm provided to CustomSigningSuiteOnlyCMM"
+                  + " is not a supported signing algorithm: " + request.algorithm
+                  )
+        return self.underlying_cmm.decrypt_materials(request)
+
+
+def encrypt_decrypt_with_cmm(
+    cmm: CryptoMaterialsManager,
+    source_plaintext: str
+):
+    """Encrypts and decrypts a string using a CMM.
+
+    :param CryptoMaterialsManager cmm: CMM to use for encryption and decryption
+    :param bytes source_plaintext: Data to encrypt
+    """
+    # Set up an encryption client with an explicit commitment policy. Note that if you do not explicitly choose a
+    # commitment policy, REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used by default.
+    client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT)
+
+    # Encrypt the plaintext source data
+    ciphertext, encryptor_header = client.encrypt(
+        source=source_plaintext,
+        materials_manager=cmm
+    )
+
+    # Decrypt the ciphertext
+    cycled_plaintext, decrypted_header = client.decrypt(
+        source=ciphertext,
+        materials_manager=cmm
+    )
+
+    # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
+    assert cycled_plaintext == source_plaintext
+
+    # Verify that the encryption context used in the decrypt operation includes all key pairs from
+    # the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
+    #
+    # In production, always use a meaningful encryption context. In this sample, we omit the
+    # encryption context (no key pairs).
+    assert all(
+        pair in decrypted_header.encryption_context.items() for pair in encryptor_header.encryption_context.items()
+    )
diff --git a/examples/test/legacy/test_i_v3_default_cmm.py b/examples/test/legacy/test_i_v3_default_cmm.py
@@ -1,20 +1,51 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-"""Test suite for encryption and decryption using V3 defualt CMM."""
+"""Test suite for encryption and decryption using custom CMM."""
 
 import botocore.session
 import pytest
 
-from ...src.legacy.v3_default_cmm import encrypt_decrypt_with_v3_default_cmm
+import aws_encryption_sdk
+from ...src.legacy.custom_cmm_example import encrypt_decrypt_with_cmm, CustomSigningSuiteOnlyCMM
+from .v3_default_cmm import V3DefaultCryptoMaterialsManager
 from .examples_test_utils import get_cmk_arn, static_plaintext
 
 pytestmark = [pytest.mark.examples]
 
 
+def test_custom_cmm_example():
+    """Test method for encryption and decryption using V3 default CMM."""
+    plaintext = static_plaintext
+    cmk_arn = get_cmk_arn()
+    botocore_session = botocore.session.Session()
+
+    # Create a KMS master key provider.
+    kms_kwargs = dict(key_ids=[cmk_arn])
+    if botocore_session is not None:
+        kms_kwargs["botocore_session"] = botocore_session
+    master_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(**kms_kwargs)
+
+    # Create the V3 default CMM (V3DefaultCryptoMaterialsManager) using the master_key_provider
+    cmm = CustomSigningSuiteOnlyCMM(master_key_provider=master_key_provider)
+
+    encrypt_decrypt_with_cmm(cmm=cmm,
+                             source_plaintext=plaintext)
+
+
 def test_v3_default_cmm():
-    """Test method for encryption and decryption using V3 defualt CMM."""
+    """Test method for encryption and decryption using V3 default CMM."""
     plaintext = static_plaintext
     cmk_arn = get_cmk_arn()
-    encrypt_decrypt_with_v3_default_cmm(key_arn=cmk_arn,
-                                        source_plaintext=plaintext,
-                                        botocore_session=botocore.session.Session())
+    botocore_session = botocore.session.Session()
+
+    # Create a KMS master key provider.
+    kms_kwargs = dict(key_ids=[cmk_arn])
+    if botocore_session is not None:
+        kms_kwargs["botocore_session"] = botocore_session
+    master_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(**kms_kwargs)
+
+    # Create the V3 default CMM (V3DefaultCryptoMaterialsManager) using the master_key_provider
+    cmm = V3DefaultCryptoMaterialsManager(master_key_provider=master_key_provider)
+
+    encrypt_decrypt_with_cmm(cmm=cmm,
+                             source_plaintext=plaintext)
diff --git a/examples/test/legacy/v3_default_cmm.py b/examples/test/legacy/v3_default_cmm.py
@@ -1,11 +1,10 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-"""Default crypto material manager class example for ESDK V3."""
+"""Copy-paste of the V3 default CMM."""
 import logging
 
 import attr
 
-import aws_encryption_sdk
 from aws_encryption_sdk.exceptions import MasterKeyProviderError, SerializationError
 from aws_encryption_sdk.identifiers import CommitmentPolicy
 from aws_encryption_sdk.internal.crypto.authentication import Signer, Verifier
@@ -156,51 +155,3 @@ def decrypt_materials(self, request):
         )
 
         return DecryptionMaterials(data_key=data_key, verification_key=verification_key)
-
-
-def encrypt_decrypt_with_v3_default_cmm(key_arn,
-                                        source_plaintext,
-                                        botocore_session):
-    """Encrypts and decrypts a string using a V3 default CMM.
-
-    :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK
-    :param bytes source_plaintext: Data to encrypt
-    :param botocore_session: existing botocore session instance
-    :type botocore_session: botocore.session.Session
-    """
-    # Set up an encryption client with an explicit commitment policy. Note that if you do not explicitly choose a
-    # commitment policy, REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used by default.
-    client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT)
-
-    # Create a KMS master key provider.
-    kms_kwargs = dict(key_ids=[key_arn])
-    if botocore_session is not None:
-        kms_kwargs["botocore_session"] = botocore_session
-    master_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(**kms_kwargs)
-
-    # Create the V3 default CMM (V3DefaultCryptoMaterialsManager) using the master_key_provider
-    default_cmm = V3DefaultCryptoMaterialsManager(master_key_provider=master_key_provider)
-
-    # Encrypt the plaintext source data
-    ciphertext, encryptor_header = client.encrypt(
-        source=source_plaintext,
-        materials_manager=default_cmm
-    )
-
-    # Decrypt the ciphertext
-    cycled_plaintext, decrypted_header = client.decrypt(
-        source=ciphertext,
-        key_provider=master_key_provider
-    )
-
-    # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
-    assert cycled_plaintext == source_plaintext
-
-    # Verify that the encryption context used in the decrypt operation includes all key pairs from
-    # the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
-    #
-    # In production, always use a meaningful encryption context. In this sample, we omit the
-    # encryption context (no key pairs).
-    assert all(
-        pair in decrypted_header.encryption_context.items() for pair in encryptor_header.encryption_context.items()
-    )
