feat!: Support AWS Cryptographic Material Providers Library (MPL)

.coveragerc

@@ -0,0 +1,7 @@
+# .coveragerc file when running coverage WITHOUT coverage for the MPL
+# This prevents the ESDK without the MPL from considering the MPL-specific modules as "missed" coverage
+[run]
+omit = */aws_encryption_sdk/materials_managers/mpl/*
+
+[report]
+omit = */aws_encryption_sdk/materials_managers/mpl/*

.coveragercmpl

@@ -0,0 +1 @@
+# .coveragerc file when running coverage WITH coverage for the MPL

.github/workflows/ci_codebuild-tests.yml

@@ -38,10 +38,10 @@ jobs:
         with:
           role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
           aws-region: us-west-2
-          role-duration-seconds: 3600
+          role-duration-seconds: 4200
       - name: Run python-${{ matrix.python.python_version }} ${{ matrix.codebuild_file_name }}
         uses: aws-actions/aws-codebuild-run-build@v1
-        timeout-minutes: 60
+        timeout-minutes: 70
         with:
           project-name: python-esdk
           buildspec-override: codebuild/py${{ matrix.python.python_version }}/${{ matrix.codebuild_file_name }}

.github/workflows/ci_tests.yaml

@@ -40,17 +40,40 @@ jobs:
         category:
           - local
           - accept
+          - mpllocal
 # These require credentials.
 # Enable them once we sort how to provide them.
 #          - integ
 #          - examples
+        # Append '-mpl' to some test environments.
+        # This suffix signals to tox to install the MPL in the test environment. 
+        optional_mpl_dependency:
+          - ""
+          - -mpl
         exclude:
           # x86 builds are only meaningful for Windows
           - os: ubuntu-latest
             architecture: x86
           - os: macos-13
             architecture: x86
+          # MPL is not supported on <3.11
+          - python: 3.7
+            optional_mpl_dependency: -mpl
+          - python: 3.8
+            optional_mpl_dependency: -mpl
+          - python: 3.9
+            optional_mpl_dependency: -mpl
+          - python: 3.10
+            optional_mpl_dependency: -mpl
+          # mpllocal requires the MPL to be installed
+          - category: mpllocal
+            optional_mpl_dependency: ""
     steps:
+      # Support long Dafny filenames (used in MPL and DBESDK repos)
+      - name: Support longpaths
+        run: |
+          git config --global core.longpaths true
+
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
         with:
@@ -61,7 +84,7 @@ jobs:
           pip install --upgrade -r dev_requirements/ci-requirements.txt
       - name: run test
         env:
-          TOXENV: ${{ matrix.category }}
+          TOXENV: ${{ matrix.category }}${{ matrix.optional_mpl_dependency }}
         run: tox -- -vv
   upstream-py311:
     runs-on: ubuntu-latest
@@ -81,5 +104,5 @@ jobs:
             pip install --upgrade -r dev_requirements/ci-requirements.txt
         - name: run test
           env:
-            TOXENV: ${{ matrix.category }}
+            TOXENV: ${{ matrix.category }}${{ matrix.optional_mpl_dependency }}
           run: tox -- -vv

.gitignore

@@ -19,8 +19,9 @@ docs/build
 __pycache__
 *.egg-info
 
-# Coverage.py
-.coverage*
+# Coverage.py, NOT .coveragerc nor .coveragercmpl
+.coverage
+.coverage.py
 
 # MyPy
 .mypy_cache
@@ -30,6 +31,14 @@ __pycache__
 
 # PyTest
 .pytest_cache
+# Ignore key materials generated by examples or tests
+test_keyrings/
+# Ignore results of performance test
+performance_tests/results/*.csv
+performance_tests/results/*.pstats
+performance_tests/results/*.png
+# Ignore the memory profile logs
+mprofile_*
 
 # PyCharm
 .idea/

CHANGELOG.rst

@@ -2,6 +2,33 @@
 Changelog
 *********
 
+4.0.0 -- 2024-10-29
+===================
+
+Features
+--------
+* Add support for constructs from the `AWS Cryptographic Material Providers Library (MPL) <https://github.com/aws/aws-cryptographic-material-providers-library>`_.
+  The MPL contains new constructs for encrypting and decrypting your data.
+  We highly recommend installing the MPL. See `Installing <https://github.com/aws/aws-encryption-sdk-python/tree/master?tab=readme-ov-file#installation>`_ for instructions.
+
+Breaking Changes
+^^^^^^^^^^^^^^^^
+* The MPL introduces the Required Encryption Context Cryptographic Materials Manager
+  ("required EC CMM") as a new construct for protecting your data.
+  On encrypt, the required EC CMM will use specific configured
+  encryption context key-value pairs to calculate the message signature,
+  but will not store those pairs in the ESDK message.
+  On decrypt, decryptors must supply these same pairs that were used when encrypting the message.
+  All messages that have been encrypted with versions of the ESDK <4.0.0 are forward compatible with this change.
+  However, messages that are constructed with the required EC CMM are not backward compatible with ESDK <4.0.0,
+  as no version of ESDK <4.0.0 supports reading messages encrypted with the required EC CMM.
+  A message that is encrypted with the required EC CMM from the MPL must be decrypted with a CMM from the MPL.
+
+Fixes
+-----------
+* fix: MKPs attempt to decrypt with remaining keys if a preceding raw RSA key failed to decrypt
+  `#707 <https://github.com/aws/aws-encryption-sdk-python/pull/707>`_
+
 3.3.0 -- 2024-05-20
 ===================