KMS: encrypt() now validates payloads that are too large (#7102)

2023-12-08 20:58:49 -01:00 · 2023-12-08 20:58:49 -01:00 · 85156f5939
commit 85156f5939
parent 167d4afde8
3 changed files with 54 additions and 4 deletions
--- a/moto/kms/utils.py
+++ b/moto/kms/utils.py
@ -379,6 +379,10 @@ def encrypt(
        raise ValidationException(
            "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
        )
+    if len(plaintext) > 4096:
+        raise ValidationException(
+            "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096"
+        )

    iv = os.urandom(IV_LEN)
    aad = _serialize_encryption_context(encryption_context=encryption_context)
--- a/tests/test_kms/init.py
+++ b/tests/test_kms/init.py
@ -1 +1,28 @@
-# This file is intentionally left blank.
+import os
+from functools import wraps
+
+from moto import mock_kms
+
+
+def kms_aws_verified(func):
+    """
+    Function that is verified to work against AWS.
+    Can be run against AWS at any time by setting:
+      MOTO_TEST_ALLOW_AWS_REQUEST=true
+
+    If this environment variable is not set, the function runs in a `mock_kms` context.
+    """
+
+    @wraps(func)
+    def pagination_wrapper():
+        allow_aws_request = (
+            os.environ.get("MOTO_TEST_ALLOW_AWS_REQUEST", "false").lower() == "true"
+        )
+
+        if allow_aws_request:
+            return func()
+        else:
+            with mock_kms():
+                return func()
+
+    return pagination_wrapper
--- a/tests/test_kms/test_kms_encrypt.py
+++ b/tests/test_kms/test_kms_encrypt.py
@ -6,13 +6,15 @@ from botocore.exceptions import ClientError

 from moto import mock_kms

+from . import kms_aws_verified
 from .test_kms_boto3 import PLAINTEXT_VECTORS, _get_encoded_value


-@mock_kms
-def test_create_key_with_empty_content():
+@pytest.mark.aws_verified
+@kms_aws_verified
+def test_encrypt_key_with_empty_content():
    client_kms = boto3.client("kms", region_name="ap-northeast-1")
-    metadata = client_kms.create_key(Policy="my policy")["KeyMetadata"]
+    metadata = client_kms.create_key()["KeyMetadata"]
    with pytest.raises(ClientError) as exc:
        client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext="")
    err = exc.value.response["Error"]
@ -21,6 +23,23 @@ def test_create_key_with_empty_content():
        err["Message"]
        == "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
    )
+    client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)
+
+
+@pytest.mark.aws_verified
+@kms_aws_verified
+def test_encrypt_key_with_large_content():
+    client_kms = boto3.client("kms", region_name="ap-northeast-1")
+    metadata = client_kms.create_key()["KeyMetadata"]
+    with pytest.raises(ClientError) as exc:
+        client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext=b"x" * 4097)
+    err = exc.value.response["Error"]
+    assert err["Code"] == "ValidationException"
+    assert (
+        err["Message"]
+        == "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096"
+    )
+    client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)


@pytest.mark.parametrize("plaintext", PLAINTEXT_VECTORS)