2019-09-13 14:08:26 -07:00
# -*- coding: utf-8 -*-
2015-06-30 05:44:39 -04:00
from __future__ import unicode_literals
2019-08-27 13:42:36 -07:00
import base64
import re
2015-06-30 05:44:39 -04:00
import boto . kms
2020-02-19 09:12:13 -05:00
import boto3
2019-08-27 13:42:36 -07:00
import sure # noqa
2015-06-30 05:44:39 -04:00
from boto . exception import JSONResponseError
2015-07-22 11:42:26 -04:00
from boto . kms . exceptions import AlreadyExistsException , NotFoundException
2020-10-06 07:54:49 +02:00
import pytest
2020-01-16 12:10:38 -06:00
from moto . core . exceptions import JsonRESTError
from moto . kms . models import KmsBackend
2019-04-26 20:52:24 +01:00
from moto . kms . exceptions import NotFoundException as MotoNotFoundException
2020-02-19 09:12:13 -05:00
from moto import mock_kms_deprecated , mock_kms
2019-08-27 13:42:36 -07:00
2020-11-11 15:55:37 +00:00
PLAINTEXT_VECTORS = [
b " some encodeable plaintext " ,
b " some unencodeable plaintext \xec \x8a \xcf \xb6 r \xe9 \xb5 \xeb \xff \xa2 3 \x16 " ,
" some unicode characters ø˚∆øˆˆ∆ßçøˆˆçßøˆ¨¥ " ,
]
2015-06-30 05:44:39 -04:00
2017-02-23 21:37:43 -05:00
2019-09-13 14:08:26 -07:00
def _get_encoded_value ( plaintext ) :
2021-07-26 07:40:39 +01:00
if isinstance ( plaintext , bytes ) :
2019-09-13 14:08:26 -07:00
return plaintext
return plaintext . encode ( " utf-8 " )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-06-30 05:44:39 -04:00
def test_describe_key ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-06-30 05:44:39 -04:00
key = conn . describe_key ( key_id )
2019-08-27 13:42:36 -07:00
key [ " KeyMetadata " ] [ " Description " ] . should . equal ( " my key " )
key [ " KeyMetadata " ] [ " KeyUsage " ] . should . equal ( " ENCRYPT_DECRYPT " )
2015-06-30 05:44:39 -04:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_describe_key_via_alias ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
conn . create_alias (
alias_name = " alias/my-key-alias " , target_key_id = key [ " KeyMetadata " ] [ " KeyId " ]
)
2016-10-03 01:33:59 +11:00
2019-08-27 13:42:36 -07:00
alias_key = conn . describe_key ( " alias/my-key-alias " )
alias_key [ " KeyMetadata " ] [ " Description " ] . should . equal ( " my key " )
alias_key [ " KeyMetadata " ] [ " KeyUsage " ] . should . equal ( " ENCRYPT_DECRYPT " )
alias_key [ " KeyMetadata " ] [ " Arn " ] . should . equal ( key [ " KeyMetadata " ] [ " Arn " ] )
2016-10-03 01:33:59 +11:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_describe_key_via_alias_not_found ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
conn . create_alias (
alias_name = " alias/my-key-alias " , target_key_id = key [ " KeyMetadata " ] [ " KeyId " ]
)
2016-10-03 01:33:59 +11:00
2019-10-31 08:44:26 -07:00
conn . describe_key . when . called_with ( " alias/not-found-alias " ) . should . throw (
NotFoundException
)
2016-10-03 01:33:59 +11:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_describe_key_via_arn ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
arn = key [ " KeyMetadata " ] [ " Arn " ]
2016-10-03 01:33:59 +11:00
the_key = conn . describe_key ( arn )
2019-08-27 13:42:36 -07:00
the_key [ " KeyMetadata " ] [ " Description " ] . should . equal ( " my key " )
the_key [ " KeyMetadata " ] [ " KeyUsage " ] . should . equal ( " ENCRYPT_DECRYPT " )
the_key [ " KeyMetadata " ] [ " KeyId " ] . should . equal ( key [ " KeyMetadata " ] [ " KeyId " ] )
2016-10-03 01:33:59 +11:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-06-30 05:44:39 -04:00
def test_describe_missing_key ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-08-27 23:55:08 -07:00
conn . describe_key . when . called_with ( " not-a-key " ) . should . throw ( NotFoundException )
2015-06-30 05:44:39 -04:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-06-30 05:44:39 -04:00
def test_list_keys ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
conn . create_key (
policy = " my policy " , description = " my key2 " , key_usage = " ENCRYPT_DECRYPT "
)
2015-06-30 05:44:39 -04:00
keys = conn . list_keys ( )
2019-08-27 13:42:36 -07:00
keys [ " Keys " ] . should . have . length_of ( 2 )
2015-07-22 11:42:26 -04:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_enable_key_rotation ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-24 23:44:55 +00:00
conn . enable_key_rotation ( key_id )
2019-08-27 13:42:36 -07:00
conn . get_key_rotation_status ( key_id ) [ " KeyRotationEnabled " ] . should . equal ( True )
2017-02-23 21:37:43 -05:00
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_enable_key_rotation_via_arn ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " Arn " ]
2016-10-03 01:33:59 +11:00
conn . enable_key_rotation ( key_id )
2019-08-27 13:42:36 -07:00
conn . get_key_rotation_status ( key_id ) [ " KeyRotationEnabled " ] . should . equal ( True )
2016-10-03 01:33:59 +11:00
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_enable_key_rotation_with_missing_key ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
conn . enable_key_rotation . when . called_with ( " not-a-key " ) . should . throw (
NotFoundException
)
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_enable_key_rotation_with_alias_name_should_fail ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
conn . create_alias (
alias_name = " alias/my-key-alias " , target_key_id = key [ " KeyMetadata " ] [ " KeyId " ]
)
2016-10-03 01:33:59 +11:00
2019-08-27 13:42:36 -07:00
alias_key = conn . describe_key ( " alias/my-key-alias " )
alias_key [ " KeyMetadata " ] [ " Arn " ] . should . equal ( key [ " KeyMetadata " ] [ " Arn " ] )
2016-10-03 01:33:59 +11:00
2019-10-31 08:44:26 -07:00
conn . enable_key_rotation . when . called_with ( " alias/my-alias " ) . should . throw (
NotFoundException
)
2016-10-03 01:33:59 +11:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_disable_key_rotation ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-24 23:44:55 +00:00
conn . enable_key_rotation ( key_id )
2019-08-27 13:42:36 -07:00
conn . get_key_rotation_status ( key_id ) [ " KeyRotationEnabled " ] . should . equal ( True )
2015-11-24 23:44:55 +00:00
conn . disable_key_rotation ( key_id )
2019-08-27 13:42:36 -07:00
conn . get_key_rotation_status ( key_id ) [ " KeyRotationEnabled " ] . should . equal ( False )
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2019-08-27 13:42:36 -07:00
def test_generate_data_key ( ) :
2017-02-09 19:36:24 -08:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
key_arn = key [ " KeyMetadata " ] [ " Arn " ]
response = conn . generate_data_key ( key_id = key_id , number_of_bytes = 32 )
# CiphertextBlob must NOT be base64-encoded
2020-10-06 07:54:49 +02:00
with pytest . raises ( Exception ) :
2019-08-27 13:42:36 -07:00
base64 . b64decode ( response [ " CiphertextBlob " ] , validate = True )
# Plaintext must NOT be base64-encoded
2020-10-06 07:54:49 +02:00
with pytest . raises ( Exception ) :
2019-08-27 13:42:36 -07:00
base64 . b64decode ( response [ " Plaintext " ] , validate = True )
response [ " KeyId " ] . should . equal ( key_arn )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_disable_key_rotation_with_missing_key ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
conn . disable_key_rotation . when . called_with ( " not-a-key " ) . should . throw (
NotFoundException
)
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_get_key_rotation_status_with_missing_key ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
conn . get_key_rotation_status . when . called_with ( " not-a-key " ) . should . throw (
NotFoundException
)
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_get_key_rotation_status ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-24 23:44:55 +00:00
2019-08-27 13:42:36 -07:00
conn . get_key_rotation_status ( key_id ) [ " KeyRotationEnabled " ] . should . equal ( False )
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-24 23:44:55 +00:00
def test_create_key_defaults_key_rotation ( ) :
conn = boto . kms . connect_to_region ( " us-west-2 " )
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-24 23:44:55 +00:00
2019-08-27 13:42:36 -07:00
conn . get_key_rotation_status ( key_id ) [ " KeyRotationEnabled " ] . should . equal ( False )
2015-11-24 23:44:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-25 19:50:55 +00:00
def test_get_key_policy ( ) :
2019-08-27 13:42:36 -07:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2015-11-25 19:50:55 +00:00
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-25 19:50:55 +00:00
2019-08-27 13:42:36 -07:00
policy = conn . get_key_policy ( key_id , " default " )
policy [ " Policy " ] . should . equal ( " my policy " )
2015-11-25 19:50:55 +00:00
2017-02-23 21:37:43 -05:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_get_key_policy_via_arn ( ) :
2019-08-27 13:42:36 -07:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2016-10-03 01:33:59 +11:00
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
policy = conn . get_key_policy ( key [ " KeyMetadata " ] [ " Arn " ] , " default " )
2016-10-03 01:33:59 +11:00
2019-08-27 13:42:36 -07:00
policy [ " Policy " ] . should . equal ( " my policy " )
2015-11-25 19:50:55 +00:00
2017-02-23 21:37:43 -05:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-25 19:50:55 +00:00
def test_put_key_policy ( ) :
2019-08-27 13:42:36 -07:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2015-11-25 19:50:55 +00:00
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-25 19:50:55 +00:00
2019-08-27 13:42:36 -07:00
conn . put_key_policy ( key_id , " default " , " new policy " )
policy = conn . get_key_policy ( key_id , " default " )
policy [ " Policy " ] . should . equal ( " new policy " )
2015-11-25 19:50:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_put_key_policy_via_arn ( ) :
2019-08-27 13:42:36 -07:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2016-10-03 01:33:59 +11:00
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " Arn " ]
2016-10-03 01:33:59 +11:00
2019-08-27 13:42:36 -07:00
conn . put_key_policy ( key_id , " default " , " new policy " )
policy = conn . get_key_policy ( key_id , " default " )
policy [ " Policy " ] . should . equal ( " new policy " )
2016-10-03 01:33:59 +11:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2016-10-03 01:33:59 +11:00
def test_put_key_policy_via_alias_should_not_update ( ) :
2019-08-27 13:42:36 -07:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2016-10-03 01:33:59 +11:00
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
conn . create_alias (
alias_name = " alias/my-key-alias " , target_key_id = key [ " KeyMetadata " ] [ " KeyId " ]
)
2016-10-03 01:33:59 +11:00
2019-10-31 08:44:26 -07:00
conn . put_key_policy . when . called_with (
" alias/my-key-alias " , " default " , " new policy "
) . should . throw ( NotFoundException )
2016-10-03 01:33:59 +11:00
2019-08-27 13:42:36 -07:00
policy = conn . get_key_policy ( key [ " KeyMetadata " ] [ " KeyId " ] , " default " )
policy [ " Policy " ] . should . equal ( " my policy " )
2016-10-03 01:33:59 +11:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-25 19:50:55 +00:00
def test_list_key_policies ( ) :
2019-08-27 13:42:36 -07:00
conn = boto . kms . connect_to_region ( " us-west-2 " )
2015-11-25 19:50:55 +00:00
2019-10-31 08:44:26 -07:00
key = conn . create_key (
policy = " my policy " , description = " my key1 " , key_usage = " ENCRYPT_DECRYPT "
)
2019-08-27 13:42:36 -07:00
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
2015-11-25 19:50:55 +00:00
policies = conn . list_key_policies ( key_id )
2019-08-27 13:42:36 -07:00
policies [ " PolicyNames " ] . should . equal ( [ " default " ] )
2015-11-25 19:50:55 +00:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__returns_none_if_correct ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2019-08-27 13:42:36 -07:00
resp = kms . create_alias ( " alias/my-alias " , key_id )
2015-07-22 11:42:26 -04:00
resp . should . be . none
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__raises_if_reserved_alias ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2019-10-31 08:44:26 -07:00
reserved_aliases = [
" alias/aws/ebs " ,
" alias/aws/s3 " ,
" alias/aws/redshift " ,
" alias/aws/rds " ,
]
2015-07-22 11:42:26 -04:00
for alias_name in reserved_aliases :
2020-10-06 07:54:49 +02:00
with pytest . raises ( JSONResponseError ) as err :
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias_name , key_id )
2020-10-06 08:04:09 +02:00
ex = err . value
2015-07-22 11:42:26 -04:00
ex . error_message . should . be . none
2019-08-27 13:42:36 -07:00
ex . error_code . should . equal ( " NotAuthorizedException " )
ex . body . should . equal ( { " __type " : " NotAuthorizedException " } )
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__can_create_multiple_aliases_for_same_key_id ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2019-08-27 13:42:36 -07:00
kms . create_alias ( " alias/my-alias3 " , key_id ) . should . be . none
kms . create_alias ( " alias/my-alias4 " , key_id ) . should . be . none
kms . create_alias ( " alias/my-alias5 " , key_id ) . should . be . none
2015-07-22 11:42:26 -04:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__raises_if_wrong_prefix ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2020-10-06 07:54:49 +02:00
with pytest . raises ( JSONResponseError ) as err :
2019-08-27 13:42:36 -07:00
kms . create_alias ( " wrongprefix/my-alias " , key_id )
2015-07-22 11:42:26 -04:00
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . error_message . should . equal ( " Invalid identifier " )
ex . error_code . should . equal ( " ValidationException " )
2019-10-31 08:44:26 -07:00
ex . body . should . equal (
{ " message " : " Invalid identifier " , " __type " : " ValidationException " }
)
2019-08-27 13:42:36 -07:00
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__raises_if_duplicate ( ) :
2019-08-27 13:42:36 -07:00
region = " us-west-2 "
2015-07-22 11:42:26 -04:00
kms = boto . kms . connect_to_region ( region )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
alias = " alias/my-alias "
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias , key_id )
2020-10-06 07:54:49 +02:00
with pytest . raises ( AlreadyExistsException ) as err :
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias , key_id )
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . error_message . should . match (
2019-10-31 08:44:26 -07:00
r " An alias with the name arn:aws:kms: {region} : \ d {{ 12}}: {alias} already exists " . format (
* * locals ( )
)
2019-08-27 13:42:36 -07:00
)
2015-07-22 11:42:26 -04:00
ex . error_code . should . be . none
ex . box_usage . should . be . none
ex . request_id . should . be . none
2019-08-27 13:42:36 -07:00
ex . body [ " message " ] . should . match (
2019-10-31 08:44:26 -07:00
r " An alias with the name arn:aws:kms: {region} : \ d {{ 12}}: {alias} already exists " . format (
* * locals ( )
)
2019-08-27 13:42:36 -07:00
)
ex . body [ " __type " ] . should . equal ( " AlreadyExistsException " )
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__raises_if_alias_has_restricted_characters ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2019-10-31 08:44:26 -07:00
alias_names_with_restricted_characters = [
" alias/my-alias! " ,
" alias/my-alias$ " ,
" alias/my-alias@ " ,
]
2015-07-22 11:42:26 -04:00
for alias_name in alias_names_with_restricted_characters :
2020-10-06 07:54:49 +02:00
with pytest . raises ( JSONResponseError ) as err :
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias_name , key_id )
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . body [ " __type " ] . should . equal ( " ValidationException " )
ex . body [ " message " ] . should . equal (
" 1 validation error detected: Value ' {alias_name} ' at ' aliasName ' failed to satisfy constraint: Member must satisfy regular expression pattern: ^[a-zA-Z0-9:/_-]+$ " . format (
* * locals ( )
)
)
ex . error_code . should . equal ( " ValidationException " )
2017-02-23 21:37:43 -05:00
ex . message . should . equal (
2019-08-27 13:42:36 -07:00
" 1 validation error detected: Value ' {alias_name} ' at ' aliasName ' failed to satisfy constraint: Member must satisfy regular expression pattern: ^[a-zA-Z0-9:/_-]+$ " . format (
* * locals ( )
)
)
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__raises_if_alias_has_colon_character ( ) :
2017-02-23 21:37:43 -05:00
# For some reason, colons are not accepted for an alias, even though they
# are accepted by regex ^[a-zA-Z0-9:/_-]+$
2015-07-22 11:42:26 -04:00
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2019-08-27 13:42:36 -07:00
alias_names_with_restricted_characters = [ " alias/my:alias " ]
2015-07-22 11:42:26 -04:00
for alias_name in alias_names_with_restricted_characters :
2020-10-06 07:54:49 +02:00
with pytest . raises ( JSONResponseError ) as err :
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias_name , key_id )
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . body [ " __type " ] . should . equal ( " ValidationException " )
2019-10-31 08:44:26 -07:00
ex . body [ " message " ] . should . equal (
" {alias_name} contains invalid characters for an alias " . format ( * * locals ( ) )
)
2019-08-27 13:42:36 -07:00
ex . error_code . should . equal ( " ValidationException " )
2019-10-31 08:44:26 -07:00
ex . message . should . equal (
" {alias_name} contains invalid characters for an alias " . format ( * * locals ( ) )
)
2019-08-27 13:42:36 -07:00
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2020-11-11 15:54:01 +00:00
@pytest.mark.parametrize ( " alias_name " , [ " alias/my-alias_/ " , " alias/my_alias-/ " ] )
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2019-08-27 23:52:44 -07:00
def test__create_alias__accepted_characters ( alias_name ) :
2015-07-22 11:42:26 -04:00
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
2015-07-22 11:42:26 -04:00
2019-08-27 23:52:44 -07:00
kms . create_alias ( alias_name , key_id )
2015-07-22 11:42:26 -04:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__create_alias__raises_if_target_key_id_is_existing_alias ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
alias = " alias/my-alias "
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias , key_id )
2020-10-06 07:54:49 +02:00
with pytest . raises ( JSONResponseError ) as err :
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias , alias )
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . body [ " __type " ] . should . equal ( " ValidationException " )
ex . body [ " message " ] . should . equal ( " Aliases must refer to keys. Not aliases " )
ex . error_code . should . equal ( " ValidationException " )
ex . message . should . equal ( " Aliases must refer to keys. Not aliases " )
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__delete_alias ( ) :
kms = boto . connect_kms ( )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
alias = " alias/my-alias "
2015-07-22 11:42:26 -04:00
2017-11-27 21:36:25 +11:00
# added another alias here to make sure that the deletion of the alias can
# be done when there are multiple existing aliases.
another_create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
another_key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
another_alias = " alias/another-alias "
2017-11-27 21:36:25 +11:00
2015-07-22 11:42:26 -04:00
kms . create_alias ( alias , key_id )
2017-11-27 21:36:25 +11:00
kms . create_alias ( another_alias , another_key_id )
2015-07-22 11:42:26 -04:00
resp = kms . delete_alias ( alias )
resp . should . be . none
# we can create the alias again, since it has been deleted
kms . create_alias ( alias , key_id )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__delete_alias__raises_if_wrong_prefix ( ) :
kms = boto . connect_kms ( )
2020-10-06 07:54:49 +02:00
with pytest . raises ( JSONResponseError ) as err :
2019-08-27 13:42:36 -07:00
kms . delete_alias ( " wrongprefix/my-alias " )
2015-07-22 11:42:26 -04:00
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . body [ " __type " ] . should . equal ( " ValidationException " )
ex . body [ " message " ] . should . equal ( " Invalid identifier " )
ex . error_code . should . equal ( " ValidationException " )
ex . message . should . equal ( " Invalid identifier " )
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__delete_alias__raises_if_alias_is_not_found ( ) :
2019-08-27 13:42:36 -07:00
region = " us-west-2 "
2015-07-22 11:42:26 -04:00
kms = boto . kms . connect_to_region ( region )
2019-08-27 13:42:36 -07:00
alias_name = " alias/unexisting-alias "
2015-07-22 11:42:26 -04:00
2020-10-06 07:54:49 +02:00
with pytest . raises ( NotFoundException ) as err :
2015-07-22 11:42:26 -04:00
kms . delete_alias ( alias_name )
2020-11-11 15:55:37 +00:00
expected_message_match = r " Alias arn:aws:kms: {region} :[0-9] {{ 12}}: {alias_name} is not found. " . format (
region = region , alias_name = alias_name
2019-08-27 23:52:44 -07:00
)
2020-10-06 08:04:09 +02:00
ex = err . value
2019-08-27 13:42:36 -07:00
ex . body [ " __type " ] . should . equal ( " NotFoundException " )
2019-08-27 23:52:44 -07:00
ex . body [ " message " ] . should . match ( expected_message_match )
2015-07-22 11:42:26 -04:00
ex . box_usage . should . be . none
ex . error_code . should . be . none
2019-08-27 23:52:44 -07:00
ex . message . should . match ( expected_message_match )
2019-08-27 13:42:36 -07:00
ex . reason . should . equal ( " Bad Request " )
2015-07-22 11:42:26 -04:00
ex . request_id . should . be . none
ex . status . should . equal ( 400 )
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-07-22 11:42:26 -04:00
def test__list_aliases ( ) :
region = " eu-west-1 "
kms = boto . kms . connect_to_region ( region )
create_resp = kms . create_key ( )
2019-08-27 13:42:36 -07:00
key_id = create_resp [ " KeyMetadata " ] [ " KeyId " ]
kms . create_alias ( " alias/my-alias1 " , key_id )
kms . create_alias ( " alias/my-alias2 " , key_id )
kms . create_alias ( " alias/my-alias3 " , key_id )
2015-07-22 11:42:26 -04:00
resp = kms . list_aliases ( )
2019-08-27 13:42:36 -07:00
resp [ " Truncated " ] . should . be . false
2015-07-22 11:42:26 -04:00
2019-08-27 13:42:36 -07:00
aliases = resp [ " Aliases " ]
2015-07-22 11:42:26 -04:00
def has_correct_arn ( alias_obj ) :
2019-08-27 13:42:36 -07:00
alias_name = alias_obj [ " AliasName " ]
alias_arn = alias_obj [ " AliasArn " ]
return re . match (
2019-10-31 08:44:26 -07:00
r " arn:aws:kms: {region} : \ d {{ 12}}: {alias_name} " . format (
region = region , alias_name = alias_name
) ,
alias_arn ,
2019-08-27 13:42:36 -07:00
)
len (
2019-10-31 08:44:26 -07:00
[
alias
for alias in aliases
if has_correct_arn ( alias ) and " alias/aws/ebs " == alias [ " AliasName " ]
]
) . should . equal ( 1 )
len (
[
alias
for alias in aliases
if has_correct_arn ( alias ) and " alias/aws/rds " == alias [ " AliasName " ]
]
) . should . equal ( 1 )
len (
[
alias
for alias in aliases
if has_correct_arn ( alias ) and " alias/aws/redshift " == alias [ " AliasName " ]
]
) . should . equal ( 1 )
len (
[
alias
for alias in aliases
if has_correct_arn ( alias ) and " alias/aws/s3 " == alias [ " AliasName " ]
]
2019-08-27 13:42:36 -07:00
) . should . equal ( 1 )
len (
2019-10-31 08:44:26 -07:00
[
alias
for alias in aliases
if has_correct_arn ( alias ) and " alias/my-alias1 " == alias [ " AliasName " ]
]
2019-08-27 13:42:36 -07:00
) . should . equal ( 1 )
len (
2019-10-31 08:44:26 -07:00
[
alias
for alias in aliases
if has_correct_arn ( alias ) and " alias/my-alias2 " == alias [ " AliasName " ]
]
2019-08-27 13:42:36 -07:00
) . should . equal ( 1 )
2019-10-31 08:44:26 -07:00
len (
[
alias
for alias in aliases
if " TargetKeyId " in alias and key_id == alias [ " TargetKeyId " ]
]
) . should . equal ( 3 )
2015-07-22 11:42:26 -04:00
len ( aliases ) . should . equal ( 7 )
2015-11-24 23:44:55 +00:00
2017-02-15 22:35:45 -05:00
@mock_kms_deprecated
2015-11-25 19:50:55 +00:00
def test__assert_default_policy ( ) :
from moto . kms . responses import _assert_default_policy
2019-10-31 08:44:26 -07:00
_assert_default_policy . when . called_with ( " not-default " ) . should . throw (
MotoNotFoundException
)
_assert_default_policy . when . called_with ( " default " ) . should_not . throw (
MotoNotFoundException
)
2020-02-18 13:40:34 -06:00
2021-07-26 07:40:39 +01:00
sort = lambda l : sorted ( l , key = lambda d : d . keys ( ) )
2020-02-19 09:12:13 -05:00
2021-09-22 18:35:50 +02:00
def _check_tags ( key_id , created_tags , client ) :
result = client . list_resource_tags ( KeyId = key_id )
actual = result . get ( " Tags " , [ ] )
assert sort ( created_tags ) == sort ( actual )
client . untag_resource ( KeyId = key_id , TagKeys = [ " key1 " ] )
actual = client . list_resource_tags ( KeyId = key_id ) . get ( " Tags " , [ ] )
expected = [ { " TagKey " : " key2 " , " TagValue " : " value2 " } ]
assert sort ( expected ) == sort ( actual )
2020-02-19 09:12:13 -05:00
@mock_kms
def test_key_tag_on_create_key_happy ( ) :
2020-02-18 13:40:34 -06:00
client = boto3 . client ( " kms " , region_name = " us-east-1 " )
2020-02-19 09:12:13 -05:00
tags = [
{ " TagKey " : " key1 " , " TagValue " : " value1 " } ,
{ " TagKey " : " key2 " , " TagValue " : " value2 " } ,
]
key = client . create_key ( Description = " test-key-tagging " , Tags = tags )
2021-09-22 18:35:50 +02:00
_check_tags ( key [ " KeyMetadata " ] [ " KeyId " ] , tags , client )
2020-02-18 13:40:34 -06:00
2020-02-19 09:12:13 -05:00
2021-09-22 18:35:50 +02:00
@mock_kms
def test_key_tag_on_create_key_on_arn_happy ( ) :
client = boto3 . client ( " kms " , region_name = " us-east-1 " )
2020-02-19 09:12:13 -05:00
2021-09-22 18:35:50 +02:00
tags = [
{ " TagKey " : " key1 " , " TagValue " : " value1 " } ,
{ " TagKey " : " key2 " , " TagValue " : " value2 " } ,
]
key = client . create_key ( Description = " test-key-tagging " , Tags = tags )
_check_tags ( key [ " KeyMetadata " ] [ " Arn " ] , tags , client )
2020-02-19 09:12:13 -05:00
@mock_kms
def test_key_tag_added_happy ( ) :
client = boto3 . client ( " kms " , region_name = " us-east-1 " )
key = client . create_key ( Description = " test-key-tagging " )
key_id = key [ " KeyMetadata " ] [ " KeyId " ]
tags = [
{ " TagKey " : " key1 " , " TagValue " : " value1 " } ,
{ " TagKey " : " key2 " , " TagValue " : " value2 " } ,
]
2020-02-18 13:40:34 -06:00
client . tag_resource ( KeyId = key_id , Tags = tags )
2021-09-22 18:35:50 +02:00
_check_tags ( key_id , tags , client )
2020-02-18 13:40:34 -06:00
2021-09-22 18:35:50 +02:00
@mock_kms
def test_key_tag_added_arn_based_happy ( ) :
client = boto3 . client ( " kms " , region_name = " us-east-1 " )
2020-02-18 13:40:34 -06:00
2021-09-22 18:35:50 +02:00
key = client . create_key ( Description = " test-key-tagging " )
key_id = key [ " KeyMetadata " ] [ " Arn " ]
tags = [
{ " TagKey " : " key1 " , " TagValue " : " value1 " } ,
{ " TagKey " : " key2 " , " TagValue " : " value2 " } ,
]
client . tag_resource ( KeyId = key_id , Tags = tags )
_check_tags ( key_id , tags , client )
2020-02-18 13:40:34 -06:00
2021-09-22 20:37:03 +00:00
# Has boto3 equivalent
2020-02-19 09:18:01 -06:00
@mock_kms_deprecated
2020-02-18 13:40:34 -06:00
def test_key_tagging_sad ( ) :
b = KmsBackend ( )
try :
2020-02-19 09:12:13 -05:00
b . tag_resource ( " unknown " , [ ] )
raise " tag_resource should fail if KeyId is not known "
2020-02-18 13:40:34 -06:00
except JsonRESTError :
pass
try :
2020-02-19 09:12:13 -05:00
b . untag_resource ( " unknown " , [ ] )
raise " untag_resource should fail if KeyId is not known "
2020-02-18 13:40:34 -06:00
except JsonRESTError :
pass
try :
2020-02-19 09:12:13 -05:00
b . list_resource_tags ( " unknown " )
raise " list_resource_tags should fail if KeyId is not known "
2020-02-18 13:40:34 -06:00
except JsonRESTError :
pass
