Merge branch 'mpl-reviewed' into mpl-1.7.3

.github/workflows/ci_test-vector-handler.yaml

@@ -19,7 +19,7 @@ jobs:
         os:
           - ubuntu-latest
           - windows-latest
-          - macos-12
+          - macos-13
         python:
           - 3.8
           - 3.x
@@ -34,7 +34,7 @@ jobs:
           # x86 builds are only meaningful for Windows
           - os: ubuntu-latest
             architecture: x86
-          - os: macos-12
+          - os: macos-13
             architecture: x86
     steps:
       - uses: aws-actions/configure-aws-credentials@v4

.github/workflows/ci_tests.yaml

@@ -26,7 +26,7 @@ jobs:
         os:
           - ubuntu-latest
           - windows-latest
-          - macos-12
+          - macos-13
         python:
           - 3.8
           - 3.9
@@ -54,7 +54,7 @@ jobs:
           # x86 builds are only meaningful for Windows
           - os: ubuntu-latest
             architecture: x86
-          - os: macos-12
+          - os: macos-13
             architecture: x86
           # MPL is not supported on <3.11
           - python: 3.7

buildspec.yml

@@ -206,6 +206,14 @@ batch:
       buildspec: codebuild/py311/decrypt_keyrings_with_js.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py311_decrypt_golden_manifest_with_keyrings
+      buildspec: codebuild/py311/decrypt_golden_manifest_with_keyrings.yml
+      env:
+        image: aws/codebuild/standard:7.0
+    - identifier: py311_decrypt_golden_manifest_with_masterkey
+      buildspec: codebuild/py311/decrypt_golden_manifest_with_masterkey.yml
+      env:
+        image: aws/codebuild/standard:7.0
 
 
     - identifier: py312_integ
@@ -318,6 +326,14 @@ batch:
       buildspec: codebuild/py312/decrypt_hkeyring_with_net.yml
       env:
         image: aws/codebuild/standard:7.0
+    - identifier: py312_decrypt_golden_manifest_with_keyrings
+      buildspec: codebuild/py312/decrypt_golden_manifest_with_keyrings.yml
+      env:
+        image: aws/codebuild/standard:7.0
+    - identifier: py312_decrypt_golden_manifest_with_masterkey
+      buildspec: codebuild/py312/decrypt_golden_manifest_with_masterkey.yml
+      env:
+        image: aws/codebuild/standard:7.0
 
     - identifier: code_coverage
       buildspec: codebuild/coverage/coverage.yml

codebuild/py311/decrypt_golden_manifest_with_keyrings.yml

@@ -0,0 +1,31 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py311-full_decrypt-mpl"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+  pre_build:
+    commands:
+      # Download "golden manifest"
+      - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+      - unzip python-2.3.0.zip -d python-2.3.0
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - cd test_vector_handlers
+      - |
+        tox -- \
+          --input ../python-2.3.0/manifest.json \
+          --keyrings

codebuild/py311/decrypt_golden_manifest_with_masterkey.yml

@@ -0,0 +1,30 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py311-full_decrypt-mpl"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.11
+  pre_build:
+    commands:
+      # Download "golden manifest"
+      - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+      - unzip python-2.3.0.zip -d python-2.3.0
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - cd test_vector_handlers
+      - |
+        tox -- \
+          --input ../python-2.3.0/manifest.json

codebuild/py312/decrypt_golden_manifest_with_keyrings.yml

@@ -0,0 +1,31 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py312-full_decrypt-mpl"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.12
+  pre_build:
+    commands:
+      # Download "golden manifest"
+      - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+      - unzip python-2.3.0.zip -d python-2.3.0
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - cd test_vector_handlers
+      - |
+        tox -- \
+          --input ../python-2.3.0/manifest.json \
+          --keyrings

codebuild/py312/decrypt_golden_manifest_with_masterkey.yml

@@ -0,0 +1,30 @@
+version: 0.2
+
+env:
+  variables:
+    TOXENV: "py312-full_decrypt-mpl"
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
+      arn:aws:kms:us-west-2:658956600833:key/b35311ef1-d8dc-4780-9f5a-55776cbb2f7f
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-
+      arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >-
+      arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+    AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >-
+      arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7
+
+phases:
+  install:
+    runtime-versions:
+      python: 3.12
+  pre_build:
+    commands:
+      # Download "golden manifest"
+      - curl -L -o python-2.3.0.zip https://github.com/awslabs/aws-encryption-sdk-test-vectors/raw/master/vectors/awses-decrypt/python-2.3.0.zip
+      - unzip python-2.3.0.zip -d python-2.3.0
+  build:
+    commands:
+      - pip install "tox < 4.0"
+      - cd test_vector_handlers
+      - |
+        tox -- \
+          --input ../python-2.3.0/manifest.json

test_vector_handlers/src/awses_test_vectors/manifests/full_message/decrypt.py

@@ -264,7 +264,7 @@ def __init__(
         attr.validate(self)
 
     @classmethod
-    def from_scenario(
+    def from_scenario(  # noqa: C901
         cls,
         scenario,  # type: DECRYPT_SCENARIO_SPEC
         plaintext_reader,  # type: Callable[[str], bytes]
@@ -273,7 +273,7 @@ def from_scenario(
         keyrings,  # type: bool
         keys_uri,  # type: str
     ):
-        # pylint: disable=too-many-locals
+        # pylint: disable=too-many-locals,too-many-branches
         # type: (...) -> MessageDecryptionTestScenario
         """Load from a scenario specification.
 
@@ -330,11 +330,16 @@ def master_key_provider_fn():
             # If unspecified, set "Default" as the default
             cmm_type = "Default"
 
-        # If this scenario does not have any key providers,
-        # do not create a scenario.
-        # Caller logic should expect `None` to mean "no scenario".
-        if master_key_provider_fn() is None:
-            return None
+        try:
+            # If this scenario does not have any key providers,
+            # do not create a scenario.
+            # Caller logic should expect `None` to mean "no scenario".
+            if master_key_provider_fn() is None:
+                return None
+        except Exception:  # nosec,pylint: disable=broad-except
+            # If there is any exception when loading the key, continue to create the test scenario.
+            # Some test scenarios have bad keys that should fail during the test execution.
+            pass
 
         return cls(
             ciphertext_uri=scenario["ciphertext"],

test_vector_handlers/src/awses_test_vectors/manifests/mpl_keyring.py

@@ -90,7 +90,8 @@ def from_scenario(cls, spec):
             padding_hash=spec.get("padding-hash"),
         )
 
-    def keyring(self, keys_uri, mode):
+    def keyring(self, keys_uri, mode):  # noqa: C901
+        # pylint: disable=too-many-branches
         # type: (KeysManifest) -> IKeyring
         """Build a keyring using this specification.
         :param str keys_uri: Path to the keys manifest
@@ -113,6 +114,14 @@ def keyring(self, keys_uri, mode):
             input_kwargs["padding-algorithm"] = self.padding_algorithm
         if self.padding_hash is not None:
             input_kwargs["padding-hash"] = self.padding_hash
+        if self.default_mrk_region is not None:
+            input_kwargs["default-mrk-region"] = self.default_mrk_region
+        if self.discovery_filter is not None:
+            input_kwargs["aws-kms-discovery-filter"] = {}
+            if self.discovery_filter.partition is not None:
+                input_kwargs["aws-kms-discovery-filter"]["partition"] = self.discovery_filter.partition
+            if self.discovery_filter.account_ids is not None:
+                input_kwargs["aws-kms-discovery-filter"]["account-ids"] = self.discovery_filter.account_ids
 
         if input_kwargs["type"] == "raw" \
                 and input_kwargs["encryption-algorithm"] == "rsa":