Techdebt: KMS: Mock RSA calls in some tests (#5782)

Bert Blommers 2022-12-17 20:35:07 -01:00 committed by GitHub
parent f67abbe1f3
commit 42d8216623
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 78 additions and 75 deletions


@ -1,6 +1,8 @@
import json
from datetime import datetime
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from unittest import mock
from dateutil.tz import tzutc
import base64
import os
@ -167,7 +169,10 @@ def test_replicate_key():
with pytest.raises(to_region_client.exceptions.NotFoundException):
to_region_client.describe_key(KeyId=key_id)
from_region_client.replicate_key(KeyId=key_id, ReplicaRegion=region_to_replicate_to)
with mock.patch.object(rsa, "generate_private_key", return_value=""):
from_region_client.replicate_key(
KeyId=key_id, ReplicaRegion=region_to_replicate_to
)
to_region_client.describe_key(KeyId=key_id)
from_region_client.describe_key(KeyId=key_id)
@ -212,7 +217,7 @@ def test_describe_key(id_or_arn):
def test_get_key_policy_default():
# given
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key()["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
# when
policy = client.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
@ -238,8 +243,7 @@ def test_get_key_policy_default():
@mock_kms
def test_describe_key_via_alias():
client = boto3.client("kms", region_name="us-east-1")
response = client.create_key(Description="my key")
key_id = response["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client, description="my key")
client.create_alias(AliasName="alias/my-alias", TargetKeyId=key_id)
@ -250,8 +254,7 @@ def test_describe_key_via_alias():
@mock_kms
def test__create_alias__can_create_multiple_aliases_for_same_key_id():
client = boto3.client("kms", region_name="us-east-1")
response = client.create_key(Description="my key")
key_id = response["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
alias_names = ["alias/al1", "alias/al2", "alias/al3"]
for name in alias_names:
@ -270,7 +273,7 @@ def test__create_alias__can_create_multiple_aliases_for_same_key_id():
def test_list_aliases():
region = "us-west-1"
client = boto3.client("kms", region_name=region)
client.create_key(Description="my key")
create_simple_key(client)
aliases = client.list_aliases()["Aliases"]
aliases.should.have.length_of(14)
@ -292,7 +295,6 @@ def test_list_aliases():
@mock_kms
def test_describe_key_via_alias_invalid_alias(key_id):
client = boto3.client("kms", region_name="us-east-1")
client.create_key(Description="key")
with pytest.raises(client.exceptions.NotFoundException):
client.describe_key(KeyId=key_id)
@ -301,6 +303,7 @@ def test_describe_key_via_alias_invalid_alias(key_id):
@mock_kms
def test_list_keys():
client = boto3.client("kms", region_name="us-east-1")
with mock.patch.object(rsa, "generate_private_key", return_value=""):
k1 = client.create_key(Description="key1")["KeyMetadata"]
k2 = client.create_key(Description="key2")["KeyMetadata"]
@ -314,8 +317,7 @@ def test_list_keys():
@mock_kms
def test_enable_key_rotation(id_or_arn):
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1")["KeyMetadata"]
key_id = key[id_or_arn]
key_id = create_simple_key(client, id_or_arn=id_or_arn)
client.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"].should.equal(
False
@ -335,8 +337,7 @@ def test_enable_key_rotation(id_or_arn):
@mock_kms
def test_enable_key_rotation_with_alias_name_should_fail():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="my key")["KeyMetadata"]
key_id = key["KeyId"]
key_id = create_simple_key(client)
client.create_alias(AliasName="alias/my-alias", TargetKeyId=key_id)
with pytest.raises(ClientError) as ex:
@ -443,10 +444,10 @@ def test_kms_encrypt(plaintext):
@mock_kms
def test_disable_key():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="disable-key")
client.disable_key(KeyId=key["KeyMetadata"]["KeyId"])
key_id = create_simple_key(client)
client.disable_key(KeyId=key_id)
result = client.describe_key(KeyId=key["KeyMetadata"]["KeyId"])
result = client.describe_key(KeyId=key_id)
assert result["KeyMetadata"]["Enabled"] is False
assert result["KeyMetadata"]["KeyState"] == "Disabled"
@ -454,11 +455,11 @@ def test_disable_key():
@mock_kms
def test_enable_key():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="enable-key")
client.disable_key(KeyId=key["KeyMetadata"]["KeyId"])
client.enable_key(KeyId=key["KeyMetadata"]["KeyId"])
key_id = create_simple_key(client)
client.disable_key(KeyId=key_id)
client.enable_key(KeyId=key_id)
result = client.describe_key(KeyId=key["KeyMetadata"]["KeyId"])
result = client.describe_key(KeyId=key_id)
assert result["KeyMetadata"]["Enabled"] is True
assert result["KeyMetadata"]["KeyState"] == "Enabled"
@ -466,20 +467,20 @@ def test_enable_key():
@mock_kms
def test_schedule_key_deletion():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="schedule-key-deletion")
key_id = create_simple_key(client)
if os.environ.get("TEST_SERVER_MODE", "false").lower() == "false":
with freeze_time("2015-01-01 12:00:00"):
response = client.schedule_key_deletion(KeyId=key["KeyMetadata"]["KeyId"])
assert response["KeyId"] == key["KeyMetadata"]["KeyId"]
response = client.schedule_key_deletion(KeyId=key_id)
assert response["KeyId"] == key_id
assert response["DeletionDate"] == datetime(
2015, 1, 31, 12, 0, tzinfo=tzutc()
)
else:
# Can't manipulate time in server mode
response = client.schedule_key_deletion(KeyId=key["KeyMetadata"]["KeyId"])
assert response["KeyId"] == key["KeyMetadata"]["KeyId"]
response = client.schedule_key_deletion(KeyId=key_id)
assert response["KeyId"] == key_id
result = client.describe_key(KeyId=key["KeyMetadata"]["KeyId"])
result = client.describe_key(KeyId=key_id)
assert result["KeyMetadata"]["Enabled"] is False
assert result["KeyMetadata"]["KeyState"] == "PendingDeletion"
assert "DeletionDate" in result["KeyMetadata"]
@ -528,8 +529,7 @@ def test_cancel_key_deletion():
@mock_kms
def test_update_key_description():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="old_description")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
result = client.update_key_description(KeyId=key_id, Description="new_description")
assert "ResponseMetadata" in result
@ -606,21 +606,19 @@ def test_unknown_tag_methods():
@mock_kms
def test_list_resource_tags_after_untagging():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="cancel-key-deletion")
response = client.schedule_key_deletion(KeyId=key["KeyMetadata"]["KeyId"])
key_id = create_simple_key(client)
keyid = response["KeyId"]
client.tag_resource(
KeyId=keyid,
KeyId=key_id,
Tags=[
{"TagKey": "key1", "TagValue": "s1"},
{"TagKey": "key2", "TagValue": "s2"},
],
)
client.untag_resource(KeyId=keyid, TagKeys=["key2"])
client.untag_resource(KeyId=key_id, TagKeys=["key2"])
tags = client.list_resource_tags(KeyId=keyid)["Tags"]
tags = client.list_resource_tags(KeyId=key_id)["Tags"]
tags.should.equal([{"TagKey": "key1", "TagValue": "s1"}])
@ -637,9 +635,9 @@ def test_list_resource_tags_after_untagging():
@mock_kms
def test_generate_data_key_sizes(kwargs, expected_key_length):
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="generate-data-key-size")
key_id = create_simple_key(client)
response = client.generate_data_key(KeyId=key["KeyMetadata"]["KeyId"], **kwargs)
response = client.generate_data_key(KeyId=key_id, **kwargs)
assert len(response["Plaintext"]) == expected_key_length
@ -920,8 +918,7 @@ def test_get_key_policy(id_or_arn):
@mock_kms
def test_put_key_policy(id_or_arn):
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"][id_or_arn]
key_id = create_simple_key(client, id_or_arn)
client.put_key_policy(KeyId=key_id, PolicyName="default", Policy="policy 2.0")
@ -932,8 +929,7 @@ def test_put_key_policy(id_or_arn):
@mock_kms
def test_put_key_policy_using_alias_shouldnt_work():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client, policy="my policy")
client.create_alias(AliasName="alias/my-alias", TargetKeyId=key_id)
with pytest.raises(ClientError) as ex:
@ -945,14 +941,13 @@ def test_put_key_policy_using_alias_shouldnt_work():
err["Message"].should.equal("Invalid keyId alias/my-alias")
response = client.get_key_policy(KeyId=key_id, PolicyName="default")
response["Policy"].should.equal("initial policy")
response["Policy"].should.equal("my policy")
@mock_kms
def test_list_key_policies():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
policies = client.list_key_policies(KeyId=key_id)
policies["PolicyNames"].should.equal(["default"])
@ -965,8 +960,7 @@ def test_list_key_policies():
@mock_kms
def test__create_alias__raises_if_reserved_alias(reserved_alias):
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
with pytest.raises(ClientError) as ex:
client.create_alias(AliasName=reserved_alias, TargetKeyId=key_id)
@ -981,8 +975,7 @@ def test__create_alias__raises_if_reserved_alias(reserved_alias):
@mock_kms
def test__create_alias__raises_if_alias_has_restricted_characters(name):
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
with pytest.raises(ClientError) as ex:
client.create_alias(AliasName=name, TargetKeyId=key_id)
@ -997,8 +990,7 @@ def test__create_alias__raises_if_alias_has_restricted_characters(name):
def test__create_alias__raises_if_alias_has_restricted_characters_semicolon():
# Similar test as above, but with different error msg
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
with pytest.raises(ClientError) as ex:
client.create_alias(AliasName="alias/my:alias", TargetKeyId=key_id)
@ -1013,8 +1005,7 @@ def test__create_alias__raises_if_alias_has_restricted_characters_semicolon():
@mock_kms
def test__create_alias__accepted_characters(name):
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
client.create_alias(AliasName=name, TargetKeyId=key_id)
@ -1022,8 +1013,7 @@ def test__create_alias__accepted_characters(name):
@mock_kms
def test__create_alias__raises_if_target_key_id_is_existing_alias():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
name = "alias/my-alias"
client.create_alias(AliasName=name, TargetKeyId=key_id)
@ -1038,8 +1028,7 @@ def test__create_alias__raises_if_target_key_id_is_existing_alias():
@mock_kms
def test__create_alias__raises_if_wrong_prefix():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
with pytest.raises(ClientError) as ex:
client.create_alias(AliasName="wrongprefix/my-alias", TargetKeyId=key_id)
@ -1051,8 +1040,7 @@ def test__create_alias__raises_if_wrong_prefix():
@mock_kms
def test__create_alias__raises_if_duplicate():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
alias = "alias/my-alias"
client.create_alias(AliasName=alias, TargetKeyId=key_id)
@ -1070,16 +1058,16 @@ def test__create_alias__raises_if_duplicate():
def test__delete_alias():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="key1", Policy="initial policy")
client.create_alias(AliasName="alias/a1", TargetKeyId=key["KeyMetadata"]["KeyId"])
key_id = create_simple_key(client)
client.create_alias(AliasName="alias/a1", TargetKeyId=key_id)
key = client.create_key(Description="key2", Policy="initial policy")
client.create_alias(AliasName="alias/a2", TargetKeyId=key["KeyMetadata"]["KeyId"])
key_id = create_simple_key(client)
client.create_alias(AliasName="alias/a2", TargetKeyId=key_id)
client.delete_alias(AliasName="alias/a1")
# we can create the alias again, since it has been deleted
client.create_alias(AliasName="alias/a1", TargetKeyId=key["KeyMetadata"]["KeyId"])
client.create_alias(AliasName="alias/a1", TargetKeyId=key_id)
@mock_kms
@ -1150,8 +1138,7 @@ def test_key_tag_on_create_key_on_arn_happy():
def test_key_tag_added_happy():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="test-key-tagging")
key_id = key["KeyMetadata"]["KeyId"]
key_id = create_simple_key(client)
tags = [
{"TagKey": "key1", "TagValue": "value1"},
{"TagKey": "key2", "TagValue": "value2"},
@ -1164,8 +1151,7 @@ def test_key_tag_added_happy():
def test_key_tag_added_arn_based_happy():
client = boto3.client("kms", region_name="us-east-1")
key = client.create_key(Description="test-key-tagging")
key_id = key["KeyMetadata"]["Arn"]
key_id = create_simple_key(client)
tags = [
{"TagKey": "key1", "TagValue": "value1"},
{"TagKey": "key2", "TagValue": "value2"},
@ -1430,3 +1416,13 @@ def test_verify_empty_signature():
err["Message"].should.equal(
"1 validation error detected: Value at 'Signature' failed to satisfy constraint: Member must have length greater than or equal to 1"
)
def create_simple_key(client, id_or_arn="KeyId", description=None, policy=None):
with mock.patch.object(rsa, "generate_private_key", return_value=""):
params = {}
if description:
params["Description"] = description
if policy:
params["Policy"] = policy
return client.create_key(**params)["KeyMetadata"][id_or_arn]
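Review bot: `test_key_tag_added_arn_based_happy` appears to have stopped exercising the ARN path. The line it replaces read `key["KeyMetadata"]["Arn"]`, while the new line calls `create_simple_key(client)`, whose `id_or_arn` parameter defaults to `"KeyId"`. Reading the two `key_id =` lines as old then new (the +/- markers are lost on this page, but the hunk header shrinks from 8 to 7 lines), the test now duplicates `test_key_tag_added_happy`, so a regression in ARN-based tagging would pass unnoticed. Pass the field explicitly: `key_id = create_simple_key(client, id_or_arn="Arn")`. The test body continues outside the hunk, so its remaining assertions were not checked here.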


@ -1,6 +1,8 @@
import boto3
import sure # noqa # pylint: disable=unused-import
import pytest
from cryptography.hazmat.primitives.asymmetric import rsa
from unittest import mock
from moto import mock_kms
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
@ -14,7 +16,7 @@ grantee_principal = (
@mock_kms
def test_create_grant():
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id = create_key(client)
resp = client.create_grant(
KeyId=key_id,
@ -29,7 +31,7 @@ def test_create_grant():
@mock_kms
def test_list_grants():
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id = create_key(client)
client.list_grants(KeyId=key_id).should.have.key("Grants").equals([])
@ -81,8 +83,8 @@ def test_list_grants():
@mock_kms
def test_list_retirable_grants():
client = boto3.client("kms", region_name="us-east-1")
key_id1 = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id2 = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id1 = create_key(client)
key_id2 = create_key(client)
client.create_grant(
KeyId=key_id1,
@ -121,7 +123,7 @@ def test_list_retirable_grants():
def test_revoke_grant():
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id = create_key(client)
client.list_grants(KeyId=key_id).should.have.key("Grants").equals([])
@ -140,7 +142,7 @@ def test_revoke_grant():
@mock_kms
def test_revoke_grant_raises_when_grant_does_not_exist():
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id = create_key(client)
not_existent_grant_id = "aabbccdd"
with pytest.raises(client.exceptions.NotFoundException) as ex:
@ -156,7 +158,7 @@ def test_revoke_grant_raises_when_grant_does_not_exist():
def test_retire_grant_by_token():
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id = create_key(client)
for idx in range(0, 3):
grant_token = client.create_grant(
@ -175,7 +177,7 @@ def test_retire_grant_by_token():
def test_retire_grant_by_grant_id():
client = boto3.client("kms", region_name="us-east-1")
key_id = client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
key_id = create_key(client)
for idx in range(0, 3):
grant_id = client.create_grant(
@ -188,3 +190,8 @@ def test_retire_grant_by_grant_id():
client.retire_grant(KeyId=key_id, GrantId=grant_id)
client.list_grants(KeyId=key_id)["Grants"].should.have.length_of(2)
def create_key(client):
with mock.patch.object(rsa, "generate_private_key", return_value=""):
return client.create_key(Policy="my policy")["KeyMetadata"]["KeyId"]
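Review bot: `create_key` has no docstring, and nothing in this section says why `rsa.generate_private_key` is patched with `return_value=""`. Presumably the mocked backend generates an RSA key on every `create_key` call and the stub skips that cost, which leaves the key holding an empty string where a private key object is expected. A docstring should state that limit, for example `"""Create a KMS key with RSA key generation stubbed out for speed; the key has no usable private key, so do not use it in tests that sign or verify."""`. The patch is applied in the test process, so it likely has no effect when the backend runs as a separate server; that is worth a one-line comment too. The other changed file adds the same wrapper as `create_simple_key`, so a single shared helper would keep the stub in one place.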