Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

KMS: Add TargetKeyId to default kms key alias response. (#5805)

Browse Source
This commit is contained in:
Brendan Keane 2023-01-11 12:43:48 -08:00 committed by GitHub
parent 2c47ee10b1
commit 180b0b902f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
moto/kms/responses.py
View File

@ -5,7 +5,7 @@ import re
import warnings
from moto.core.responses import BaseResponse
from moto.kms.utils import RESERVED_ALIASES
from moto.kms.utils import RESERVED_ALIASES, RESERVED_ALIASE_TARGET_KEY_IDS
from .models import kms_backends, KmsBackend
from .policy_validator import validate_policy
from .exceptions import (
@ -273,14 +273,16 @@ class KmsResponse(BaseResponse):
"TargetKeyId": target_key_id,
}
)
for reserved_alias in RESERVED_ALIASES:
for reserved_alias, target_key_id in RESERVED_ALIASE_TARGET_KEY_IDS.items():
exsisting = [
a for a in response_aliases if a["AliasName"] == reserved_alias
]
if not exsisting:
arn = f"arn:aws:kms:{region}:{self.current_account}:{reserved_alias}"
response_aliases.append(
{
"AliasArn": f"arn:aws:kms:{region}:{self.current_account}:{reserved_alias}",
"TargetKeyId": target_key_id,
"AliasArn": arn,
"AliasName": reserved_alias,
}
)

36
moto/kms/utils.py
View File

@ -25,22 +25,26 @@ HEADER_LEN = KEY_ID_LEN + IV_LEN + TAG_LEN
CIPHERTEXT_HEADER_FORMAT = f">{KEY_ID_LEN}s{IV_LEN}s{TAG_LEN}s"
Ciphertext = namedtuple("Ciphertext", ("key_id", "iv", "ciphertext", "tag"))
RESERVED_ALIASES = [
"alias/aws/acm",
"alias/aws/dynamodb",
"alias/aws/ebs",
"alias/aws/elasticfilesystem",
"alias/aws/es",
"alias/aws/glue",
"alias/aws/kinesisvideo",
"alias/aws/lambda",
"alias/aws/rds",
"alias/aws/redshift",
"alias/aws/s3",
"alias/aws/secretsmanager",
"alias/aws/ssm",
"alias/aws/xray",
]
RESERVED_ALIASE_TARGET_KEY_IDS = {
# NOTE: These would technically differ across account, but in that they are
# out of customer control, testing that they are different would be redundant.
"alias/aws/acm": "4f58743d-e279-4214-9270-8cc28277958d",
"alias/aws/dynamodb": "7e6aa0ea-15a4-4e72-8b32-58e46e776888",
"alias/aws/ebs": "7adeb491-68c9-4a5b-86ec-a86ce5364094",
"alias/aws/elasticfilesystem": "0ef0f111-cdc8-4dda-b0bc-bf625bd5f154",
"alias/aws/es": "3c7c1880-c353-4cea-9866-d8bc12f05573",
"alias/aws/glue": "90fd783f-e582-4cc2-a207-672ee67f8d58",
"alias/aws/kinesisvideo": "7fd4bff3-6eb7-4283-8f11-a7e0a793a181",
"alias/aws/lambda": "ff9c4f27-2f29-4d9b-bf38-02f88b52a70c",
"alias/aws/rds": "f5f30938-abed-41a2-a0f6-5482d02a2489",
"alias/aws/redshift": "dcdae9aa-593a-4e0b-9153-37325591901f",
"alias/aws/s3": "8c3faf07-f43c-4d11-abdb-9183079214c7",
"alias/aws/secretsmanager": "fee5173a-3972-428e-ae73-cd4c2a371222",
"alias/aws/ssm": "cb3f6250-5078-48c0-a75f-0290bf47694e",
"alias/aws/xray": "e9b758eb-6230-4744-93d1-ad3b7d71f2f6",
}
RESERVED_ALIASES = list(RESERVED_ALIASE_TARGET_KEY_IDS.keys())
def generate_key_id(multi_region=False):

14
tests/test_kms/test_kms_boto3.py
View File

@ -275,13 +275,23 @@ def test_list_aliases():
client = boto3.client("kms", region_name=region)
create_simple_key(client)
default_alias_target_keys = {
"aws/ebs": "7adeb491-68c9-4a5b-86ec-a86ce5364094",
"aws/s3": "8c3faf07-f43c-4d11-abdb-9183079214c7",
"aws/redshift": "dcdae9aa-593a-4e0b-9153-37325591901f",
"aws/rds": "f5f30938-abed-41a2-a0f6-5482d02a2489",
}
default_alias_names = list(default_alias_target_keys.keys())
aliases = client.list_aliases()["Aliases"]
aliases.should.have.length_of(14)
default_alias_names = ["aws/ebs", "aws/s3", "aws/redshift", "aws/rds"]
for name in default_alias_names:
full_name = f"alias/{name}"
arn = f"arn:aws:kms:{region}:{ACCOUNT_ID}:{full_name}"
aliases.should.contain({"AliasName": full_name, "AliasArn": arn})
target_key_id = default_alias_target_keys[name]
aliases.should.contain(
{"AliasName": full_name, "AliasArn": arn, "TargetKeyId": target_key_id}
)
@pytest.mark.parametrize(