Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

KMS: encrypt() now validates payloads that are too large (#7102)

Browse Source
This commit is contained in:
Bert Blommers 2023-12-08 20:58:49 -01:00 committed by GitHub
parent 167d4afde8
commit 85156f5939
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 54 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
moto/kms/utils.py
View File

@ -379,6 +379,10 @@ def encrypt(
raise ValidationException( raise ValidationException(
"1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1" "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
) )
if len(plaintext) > 4096:
raise ValidationException(
"1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096"
)
iv = os.urandom(IV_LEN) iv = os.urandom(IV_LEN)
aad = _serialize_encryption_context(encryption_context=encryption_context) aad = _serialize_encryption_context(encryption_context=encryption_context)

29
tests/test_kms/__init__.py
View File

@ -1 +1,28 @@
# This file is intentionally left blank. import os
from functools import wraps
from moto import mock_kms
def kms_aws_verified(func):
"""
Function that is verified to work against AWS.
Can be run against AWS at any time by setting:
MOTO_TEST_ALLOW_AWS_REQUEST=true
If this environment variable is not set, the function runs in a `mock_kms` context.
"""
@wraps(func)
def pagination_wrapper():
allow_aws_request = (
os.environ.get("MOTO_TEST_ALLOW_AWS_REQUEST", "false").lower() == "true"
)
if allow_aws_request:
return func()
else:
with mock_kms():
return func()
return pagination_wrapper

25
tests/test_kms/test_kms_encrypt.py
View File

@ -6,13 +6,15 @@ from botocore.exceptions import ClientError
from moto import mock_kms from moto import mock_kms
from . import kms_aws_verified
from .test_kms_boto3 import PLAINTEXT_VECTORS, _get_encoded_value from .test_kms_boto3 import PLAINTEXT_VECTORS, _get_encoded_value
@mock_kms @pytest.mark.aws_verified
def test_create_key_with_empty_content(): @kms_aws_verified
def test_encrypt_key_with_empty_content():
client_kms = boto3.client("kms", region_name="ap-northeast-1") client_kms = boto3.client("kms", region_name="ap-northeast-1")
metadata = client_kms.create_key(Policy="my policy")["KeyMetadata"] metadata = client_kms.create_key()["KeyMetadata"]
with pytest.raises(ClientError) as exc: with pytest.raises(ClientError) as exc:
client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext="") client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext="")
err = exc.value.response["Error"] err = exc.value.response["Error"]
@ -21,6 +23,23 @@ def test_create_key_with_empty_content():
err["Message"] err["Message"]
== "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1" == "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
) )
client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)
@pytest.mark.aws_verified
@kms_aws_verified
def test_encrypt_key_with_large_content():
client_kms = boto3.client("kms", region_name="ap-northeast-1")
metadata = client_kms.create_key()["KeyMetadata"]
with pytest.raises(ClientError) as exc:
client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext=b"x" * 4097)
err = exc.value.response["Error"]
assert err["Code"] == "ValidationException"
assert (
err["Message"]
== "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096"
)
client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)
@pytest.mark.parametrize("plaintext", PLAINTEXT_VECTORS) @pytest.mark.parametrize("plaintext", PLAINTEXT_VECTORS)