Can't effectively test code that uses `aws-encryption-sdk` with stubs


I’m trying to write some code that consumes aws-encryption-sdk, specifically KMSMasterKeyProvider. Everything works fine but I would like to add tests with stubbed out KMS requests+responses (using botocore.stub.Stubber’ed boto3 clients).

My test setup creates a botocore session with fake credentials, e.g.

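```python
import botocore.session
import pytest


@pytest.fixture
def botocore_session():
    # Session with placeholder credentials so no real AWS identity is used in tests.
    session = botocore.session.get_session()
    session.set_credentials("invalid-access-key", "invalid-secret-key")
    session.set_stream_logger('', 'DEBUG')
    return session
```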

and then passes that session down into the KMSMasterKeyProvider constructor. However, I can’t also pass in a boto3 KMS client object for it to use. It creates its own clients here https://github.com/aws/aws-encryption-sdk-python/blob/0f4dc6e7f695191daf3d8ceeef8786a93388259d/src/aws_encryption_sdk/key_providers/kms.py#L163-L167

I could create a KMSMasterKeyProvider object in my test setup, reach into its ._regional_clients and add my stubbed KMS client, and inject that into my code. Is that the best approach for now? Is there some other approach to stubbing that I should try?

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
mattsb42-aws commented, Nov 19, 2019

I’m personally not a fan of the stubber for reasons I explain here[1], but if you prefer to use them, be aware that the _register_client method and _regional_clients attribute are not part of our supported public API. They are probably unlikely to change because we are not going to do any further feature development on master key providers, but be aware that we do not guarantee that those APIs will continue to exist and do the same things.

Once we finish adding keyring support[2], the AWS KMS keyring[3] will expose an interface in the form of client suppliers that, while not designed to work with stubs, will give you a supported API that you can use to inject stubs.

[1] https://github.com/boto/boto3/issues/2123#issuecomment-535624360

[2] #146

[3] https://github.com/awslabs/aws-encryption-sdk-specification/blob/master/framework/kms-keyring.md

0 reactions
mattsb42-aws commented, Nov 19, 2019

moto does support CreateAlias

```python
import aws_encryption_sdk
import boto3
import pytest
from aws_encryption_sdk.key_providers.kms import KMSMasterKey, KMSMasterKeyProvider
from moto import mock_kms

MY_ALIAS_NAME = "alias/awesome"
REGION = "us-west-2"


@pytest.fixture
def fake_cmk():
    # moto intercepts KMS calls for as long as this context is open,
    # so the key and alias exist only inside the mock.
    with mock_kms():
        kms = boto3.client("kms", region_name=REGION)
        response = kms.create_key()
        cmk_arn = response["KeyMetadata"]["Arn"]
        kms.create_alias(
            AliasName=MY_ALIAS_NAME, TargetKeyId=cmk_arn,
        )
        # Yield inside the context so the mock stays active during the test.
        yield


def test_with_master_key_provider(fake_cmk):
    # The provider creates its own regional client, which moto also intercepts.
    kms_master_key = KMSMasterKeyProvider(key_ids=[MY_ALIAS_NAME], region_names=[REGION])
    ciphertext, header = aws_encryption_sdk.encrypt(
        source=b"my plaintext data!", key_provider=kms_master_key,
    )


def test_with_master_key(fake_cmk):
    # KMSMasterKey accepts an explicit client through its `client` argument.
    kms_master_key = KMSMasterKey(
        key_id=MY_ALIAS_NAME, client=boto3.client("kms", region_name=REGION)
    )
    ciphertext, header = aws_encryption_sdk.encrypt(
        source=b"my plaintext data!", key_provider=kms_master_key,
    )
```