diff --git a/.github/workflows/ci_decrypt-oracle.yaml b/.github/workflows/ci_decrypt-oracle.yaml index 2819ad646..baf01c571 100644 --- a/.github/workflows/ci_decrypt-oracle.yaml +++ b/.github/workflows/ci_decrypt-oracle.yaml @@ -11,11 +11,11 @@ jobs: tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: - # The oracle runs in a Python 3.6 Lamba - python-version: 3.6 + # The oracle will run on a Python 3.9 Lamba + python-version: 3.9 - run: | python -m pip install --upgrade pip pip install --upgrade -r dev_requirements/ci-requirements.txt @@ -38,10 +38,10 @@ jobs: - flake8-tests - pylint-tests steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v1 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: - python-version: 3.8 + python-version: 3.9 - run: | python -m pip install --upgrade pip pip install --upgrade -r dev_requirements/ci-requirements.txt diff --git a/.github/workflows/ci_static-analysis.yaml b/.github/workflows/ci_static-analysis.yaml index 3cdadf215..7f74e8fc3 100644 --- a/.github/workflows/ci_static-analysis.yaml +++ b/.github/workflows/ci_static-analysis.yaml @@ -27,8 +27,8 @@ jobs: - black-check - isort-check steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: python-version: 3.8 - run: | diff --git a/.github/workflows/ci_test-vector-handler.yaml b/.github/workflows/ci_test-vector-handler.yaml index f5b42cf86..2fcd22fc9 100644 --- a/.github/workflows/ci_test-vector-handler.yaml +++ b/.github/workflows/ci_test-vector-handler.yaml @@ -21,9 +21,6 @@ jobs: - windows-latest - macos-latest python: - - 2.7 - - 3.6 - - 3.7 - 3.8 - 3.x architecture: 
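Review bot: The new comment on the `with:` block misspells the runtime — `# The oracle will run on a Python 3.9 Lamba` should read `# The oracle will run on a Python 3.9 Lambda`. In the same hunk `python-version: 3.9` is a plain scalar while ci_tests.yaml quotes its new entries (`"3.10"`) and the upstream job uses `"3.11"`; for consistency, and so the next bump cannot fall into the `3.10` → `3.1` float trap, write `python-version: "3.9"` here, in this file's second hunk (`@@ -38`), and in the `@@ -72` hunk of ci_test-vector-handler.yaml. The actions are referenced by floating major tags (`actions/checkout@v4`, `actions/setup-python@v4`); pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening for third-party actions, and Dependabot (already wired up in dependabot-auto-merge.yml) keeps SHA pins current.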
@@ -40,13 +37,13 @@ jobs: - os: macos-latest architecture: x86 steps: - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.INTEG_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.INTEG_AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - - uses: actions/checkout@v3 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python }} architecture: ${{ matrix.architecture }} @@ -72,10 +69,10 @@ jobs: - flake8-tests - pylint-tests steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v1 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: - python-version: 3.8 + python-version: 3.9 - run: | python -m pip install --upgrade pip pip install --upgrade -r dev_requirements/ci-requirements.txt diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index f269246bc..cc5da2c09 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -28,10 +28,12 @@ jobs: - windows-latest - macos-latest python: - - 3.6 - 3.7 - 3.8 - 3.9 + - "3.10" + - "3.11" + - "3.12" - 3.x architecture: - x64 @@ -50,8 +52,8 @@ jobs: - os: macos-latest architecture: x86 steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python }} architecture: ${{ matrix.architecture }} 
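Review bot: `aws-actions/configure-aws-credentials@v4` is still fed long-lived keys from `secrets.INTEG_AWS_ACCESS_KEY_ID` / `secrets.INTEG_AWS_SECRET_ACCESS_KEY`, although this same commit adds `cfn/Public-ESDK-Python-CI.yml`, whose `GitHubCIRole` trusts `token.actions.githubusercontent.com` for exactly this repository. Switching the step to OIDC removes the static secret: replace the two key inputs with `role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2` (the ARN that cfn/ESDK-Python.yml already references; confirm it matches the deployed stack) and add `permissions: id-token: write` to the job. The job's `permissions:` block, if it has one, is outside this hunk. Because this step handles credentials it is the first candidate for pinning to a commit SHA instead of the `v4` tag.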
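Review bot: The matrix now mixes quoted and plain Python versions: the added `"3.10"`, `"3.11"`, `"3.12"` are strings, but the surviving context entries `3.7`, `3.8`, `3.9` stay plain scalars, so the list is half floats and half strings depending on the loader. Quoting is the right choice (a plain `3.10` reads as `3.1`), so for consistency change the remaining lines to `- "3.7"`, `- "3.8"`, `- "3.9"` (and `- "3.x"`) as well. The `@@ -21` hunk of ci_test-vector-handler.yaml leaves the same mixed style behind.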
@@ -62,19 +64,19 @@ jobs: env: TOXENV: ${{ matrix.category }} run: tox -- -vv - upstream-py3: + upstream-py311: runs-on: ubuntu-latest strategy: fail-fast: true matrix: category: - nocmk - - test-upstream-requirements-py37 + - test-upstream-requirements-py311 steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v1 + - uses: actions/checkout@v4 + - uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: "3.11" - run: | python -m pip install --upgrade pip pip install --upgrade -r dev_requirements/ci-requirements.txt diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index f0e8190e4..308bfbda2 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v1.3.0 + uses: dependabot/fetch-metadata@v1.3.6 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Enable auto-merge for Dependabot PRs diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml index 6b1c6be3e..e3776d399 100644 --- a/.github/workflows/repo-sync.yml +++ b/.github/workflows/repo-sync.yml @@ -9,7 +9,7 @@ jobs: environment: repo-sync runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: repo-sync/github-sync@v2 name: Sync repo to branch with: diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f53472963..b8b3d5992 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
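Review bot: Renaming the job id from `upstream-py3` to `upstream-py311` bakes the interpreter version into the job name, so every future bump renames the job again, and any branch-protection rule that lists `upstream-py3` as a required check would silently stop matching (that rule is outside this diff, so please verify). A version-neutral id such as `upstream-py3`, with the version carried only by the matrix entry `test-upstream-requirements-py311` and by `python-version: "3.11"`, keeps the check name stable. The quoted `"3.11"` here is the form the other workflows in this commit should adopt.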
@@ -2,6 +2,58 @@ Changelog ********* +3.2.0 -- 2024-03-18 +=================== + +Features +----------- +* test Python 3.12 in CI (#623 (https://github.com/josecorella/aws-encryption-sdk-python/issues/623)) (93a67d8 (https://github.com/josecorella/aws-encryption-sdk-python/commit/93a67d8a3806f560ead950e6d8898e53c4c4f9df)) +* update requirements and README (#638 (https://github.com/josecorella/aws-encryption-sdk-python/issues/638)) (bcead77 (https://github.com/josecorella/aws-encryption-sdk-python/commit/bcead776b022566ad8211a08e1a458375b23a356)) + +Fixes +----------- +* CI for Decrypt Oracle (#558 (https://github.com/josecorella/aws-encryption-sdk-python/issues/558)) (6c6b732 (https://github.com/josecorella/aws-encryption-sdk-python/commit/6c6b732379197e91d2137af9f018f670a1ce500a)) +* deprecate python36 from chalice (#539 (https://github.com/josecorella/aws-encryption-sdk-python/issues/539)) (f8aa29f (https://github.com/josecorella/aws-encryption-sdk-python/commit/f8aa29fe98d419dac916846d7ff207685ea95307)) +* test: correctly invoke ec.generate_private_key (#585 (https://github.com/josecorella/aws-encryption-sdk-python/issues/585)) (560e714 (https://github.com/josecorella/aws-encryption-sdk-python/commit/560e7143ac7caf98e190b17ce2af97b7eea6be16)) +* update pyca range (#507 (https://github.com/josecorella/aws-encryption-sdk-python/issues/507)) (aced92c (https://github.com/josecorella/aws-encryption-sdk-python/commit/aced92c3d87dddf3e0920b9dfad4cedd2473604a)) +* Use FORBID_ENCRYPT_ALLOW_DECRYPT policy for decrypt oracle (#538 (https://github.com/josecorella/aws-encryption-sdk-python/issues/538)) (e91838f (https://github.com/josecorella/aws-encryption-sdk-python/commit/e91838f65705867fc95506a4323054bca24e9521)) +* wrong formatting python warning (#546 (https://github.com/josecorella/aws-encryption-sdk-python/issues/546)) (9b618d3 (https://github.com/josecorella/aws-encryption-sdk-python/commit/9b618d3a5e517435304a891393fefcbbd89faf65)) + +Maintenance +----------- +* 
Add example for custom KMS client config (#440 (https://github.com/josecorella/aws-encryption-sdk-python/issues/440)) (08f305a (https://github.com/josecorella/aws-encryption-sdk-python/commit/08f305a9b7b5fc897d9cafac55fb98f3f2a6fe13)) +* Add Thread safety section to README (#562 (https://github.com/josecorella/aws-encryption-sdk-python/issues/562)) (7a07b16 (https://github.com/josecorella/aws-encryption-sdk-python/commit/7a07b161d51900066c131627f9f7330acb926d3b)) +* bump deps & document upstream test (#646 (https://github.com/josecorella/aws-encryption-sdk-python/issues/646)) (a93ffe7 (https://github.com/josecorella/aws-encryption-sdk-python/commit/a93ffe7a98f8913040f6a693701ba287dd1570fb)) +* CFN: Commit existing CFN (#636 (https://github.com/josecorella/aws-encryption-sdk-python/issues/636)) (c122076 (https://github.com/josecorella/aws-encryption-sdk-python/commit/c12207621d295b335fdfb500c2b02694cc6786d8)) +* ci: skip pyenv installation if already exists (#627 (https://github.com/josecorella/aws-encryption-sdk-python/issues/627)) (1006758 (https://github.com/josecorella/aws-encryption-sdk-python/commit/10067581cd3316fbb379929806db6867e4cb0feb)) +* deps: bump actions/checkout from 3 to 4 (#607 (https://github.com/josecorella/aws-encryption-sdk-python/issues/607)) (e5c331b (https://github.com/josecorella/aws-encryption-sdk-python/commit/e5c331b68590825b55b5300ffab6dc80fbd20818)) +* deps: bump actions/setup-python from 2 to 4.2.0 (#491 (https://github.com/josecorella/aws-encryption-sdk-python/issues/491)) (d064bf8 (https://github.com/josecorella/aws-encryption-sdk-python/commit/d064bf8813d25e1ba4a8cce7269b8ee48acfd79a)) +* deps: bump cryptography from 39.0.0 to 39.0.1 in /test (#559 (https://github.com/josecorella/aws-encryption-sdk-python/issues/559)) (6468137 (https://github.com/josecorella/aws-encryption-sdk-python/commit/646813786c6250a525afb67bebc486eda206edd8)) +* deps: bump cryptography from 39.0.1 to 41.0.2 in /test (#592 
(https://github.com/josecorella/aws-encryption-sdk-python/issues/592)) (3ba8019 (https://github.com/josecorella/aws-encryption-sdk-python/commit/3ba8019681ed95c41bb9448f0c3897d1aecc7559)) +* deps: bump cryptography from 41.0.2 to 41.0.6 in /test (#626 (https://github.com/josecorella/aws-encryption-sdk-python/issues/626)) (c67e6bd (https://github.com/josecorella/aws-encryption-sdk-python/commit/c67e6bd471b30e13cc7f1b724ce7d19df2380c22)) +* deps: bump dependabot/fetch-metadata from 1.3.0 to 1.3.6 (#549 (https://github.com/josecorella/aws-encryption-sdk-python/issues/549)) (2a6bd9d (https://github.com/josecorella/aws-encryption-sdk-python/commit/2a6bd9d70c779655077985c544df3db6a3518443)) +* deps: bump flake8-bugbear in /dev_requirements (#512 (https://github.com/josecorella/aws-encryption-sdk-python/issues/512)) (93f01d6 (https://github.com/josecorella/aws-encryption-sdk-python/commit/93f01d655d6bce704bd8779cc9c4acb5f96b980c)) +* deps: bump flake8-docstrings in /dev_requirements (#555 (https://github.com/josecorella/aws-encryption-sdk-python/issues/555)) (bd8f270 (https://github.com/josecorella/aws-encryption-sdk-python/commit/bd8f270c8717e5d4a787d33bcfda8b53bbe7751e)) +* deps: bump flake8-print from 4.0.0 to 5.0.0 in /dev_requirements (#554 (https://github.com/josecorella/aws-encryption-sdk-python/issues/554)) (2326531 (https://github.com/josecorella/aws-encryption-sdk-python/commit/232653188558379bceeb884b3f74b56b07560f62)) +* deps: bump isort from 5.10.1 to 5.11.4 in /dev_requirements (#551 (https://github.com/josecorella/aws-encryption-sdk-python/issues/551)) (36a0ea2 (https://github.com/josecorella/aws-encryption-sdk-python/commit/36a0ea2199872d6590691b53fbea7aee2236a99e)) +* deps: bump pytest from 7.0.1 to 7.2.0 in /dev_requirements (#524 (https://github.com/josecorella/aws-encryption-sdk-python/issues/524)) (af98302 (https://github.com/josecorella/aws-encryption-sdk-python/commit/af983024fdd800e6b2c4ae41cdf1617c982e4916)) +* deps: bump pytest from 7.2.0 to 
7.2.1 in /dev_requirements (#553 (https://github.com/josecorella/aws-encryption-sdk-python/issues/553)) (48f96d5 (https://github.com/josecorella/aws-encryption-sdk-python/commit/48f96d58eeb712a5faa631ce4f4930d5d23bb649)) +* deps: bump pytest-cov from 3.0.0 to 4.0.0 in /dev_requirements (#550 (https://github.com/josecorella/aws-encryption-sdk-python/issues/550)) (6e436e1 (https://github.com/josecorella/aws-encryption-sdk-python/commit/6e436e13ce250759a499c3d9c820384cfc26283c)) +* deps: bump readme-renderer from 34.0 to 37.3 in /dev_requirements (#526 (https://github.com/josecorella/aws-encryption-sdk-python/issues/526)) (38aa063 (https://github.com/josecorella/aws-encryption-sdk-python/commit/38aa06309ad8ad709044c86ac6b4951739fbf996)) +* deps: bump setuptools from 62.0.0 to 66.1.1 in /dev_requirements (#547 (https://github.com/josecorella/aws-encryption-sdk-python/issues/547)) (04e8c16 (https://github.com/josecorella/aws-encryption-sdk-python/commit/04e8c167273357a9548ff474c527805d8764a661)) +* deps: bump sphinx from 4.4.0 to 5.3.0 in /dev_requirements (#523 (https://github.com/josecorella/aws-encryption-sdk-python/issues/523)) (51cb2ce (https://github.com/josecorella/aws-encryption-sdk-python/commit/51cb2ce148bc7e048587b013337f2440b53c1387)) +* deps: bump tox from 3.24.5 to 3.27.1 in /dev_requirements (#528 (https://github.com/josecorella/aws-encryption-sdk-python/issues/528)) (e2c834a (https://github.com/josecorella/aws-encryption-sdk-python/commit/e2c834ac5c4a9ca65db2b225e794f7ddf4d89cc4)) +* deps: bump urllib3 from 1.26.14 to 1.26.18 in /test (#618 (https://github.com/josecorella/aws-encryption-sdk-python/issues/618)) (bbb2281 (https://github.com/josecorella/aws-encryption-sdk-python/commit/bbb2281ed61f8fc8700e31d9828753531c8e586f)) +* deps: bump vulture from 2.3 to 2.6 in /dev_requirements (#533 (https://github.com/josecorella/aws-encryption-sdk-python/issues/533)) (2822364 
(https://github.com/josecorella/aws-encryption-sdk-python/commit/28223646b4c48b2508ca46e3084689988abd2d27)) +* deps: bump wheel from 0.37.1 to 0.38.4 in /dev_requirements (#536 (https://github.com/josecorella/aws-encryption-sdk-python/issues/536)) (1922650 (https://github.com/josecorella/aws-encryption-sdk-python/commit/19226506ad33f5b964fe6632604425923f6ba8c1)) +* drop py3.6 from Oracle & Test Vectors (#529 (https://github.com/josecorella/aws-encryption-sdk-python/issues/529)) (8b6a493 (https://github.com/josecorella/aws-encryption-sdk-python/commit/8b6a49388c85785a22d59430007b7873ac8acf96)) +* drop py36 support (#530 (https://github.com/josecorella/aws-encryption-sdk-python/issues/530)) (a753ff8 (https://github.com/josecorella/aws-encryption-sdk-python/commit/a753ff884fe3000881c7d3a2392a0b5d65cfa138)) +* release: add api token to prod release process (#503 (https://github.com/josecorella/aws-encryption-sdk-python/issues/503)) (333c85b (https://github.com/josecorella/aws-encryption-sdk-python/commit/333c85b40b8ee20ed6303b9775e7fb9a6c6d2c63)) +* release: add api token to staging release process (#502 (https://github.com/josecorella/aws-encryption-sdk-python/issues/502)) (78e43b3 (https://github.com/josecorella/aws-encryption-sdk-python/commit/78e43b38a5b9df9a925084242a230fccf91476f2)) +* rm upstream-py27 (#564 (https://github.com/josecorella/aws-encryption-sdk-python/issues/564)) (b378508 (https://github.com/josecorella/aws-encryption-sdk-python/commit/b3785085b7c00fef27a250abf78549d6e7928802)) +* SupportPolicy: Mark 1.x & 2.x End-of-Support (#501 (https://github.com/josecorella/aws-encryption-sdk-python/issues/501)) (ca58e5e (https://github.com/josecorella/aws-encryption-sdk-python/commit/ca58e5e0ce373e9ae5132bb5ce95b6886a0a37d3)) + + 3.1.1 -- 2022-06-20 =================== diff --git a/README.rst b/README.rst index 7f1b22824..c21b7a0b3 100644 --- a/README.rst +++ b/README.rst 
@@ -34,8 +34,8 @@ Getting Started Required Prerequisites ====================== -* Python 3.6+ -* cryptography >= 2.5.0 +* Python 3.7+ +* cryptography >= 3.4.6 * boto3 >= 1.10.0 * attrs @@ -307,6 +307,21 @@ Processing each frame in a framed message involves a certain amount of overhead. increasing the frame size can offer potentially significant performance gains. We recommend that you tune these values to your use-case in order to obtain peak performance. +Thread safety +========================== +The ``EncryptionSDKClient`` and all provided ``CryptoMaterialsManager`` are thread safe. +But instances of ``BaseKMSMasterKeyProvider`` MUST not be shared between threads, +for the reasons outlined in `the boto3 docs `_. + +Because the ``BaseKMSMaterKeyProvider`` creates a `new boto3 sessions `_ per region, +users do not need to create a client for every region in every thread; +a new ``BaseKMSMasterKeyProvider`` per thread is sufficient. + +(The ``BaseKMSMasterKeyProvider`` is the internal parent class of all the KMS Providers.) + +Finally, while the ``CryptoMaterialsCache`` is thread safe, +sharing entries in that cache across threads needs to be done carefully +(see the !Note about partition name `in the API Docs `_). .. _AWS Encryption SDK: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html .. _cryptography: https://cryptography.io/en/latest/ diff --git a/SUPPORT_POLICY.rst b/SUPPORT_POLICY.rst index 9020b6a11..76cd580d4 100644 --- a/SUPPORT_POLICY.rst +++ b/SUPPORT_POLICY.rst @@ -22,13 +22,13 @@ This table describes the current support status of each major version of the AWS - Next status - Next status date * - 1.x - - Maintenance - End of Support - - 2022-06-30 + - + - * - 2.x - - Maintenance - End of Support - - 2022-07-01 + - + - * - 3.x - General Availability - diff --git a/buildspec.yml b/buildspec.yml index bb1e0cd97..f92d203a0 100644 --- a/buildspec.yml +++ b/buildspec.yml 
@@ -3,41 +3,83 @@ version: 0.2 batch: fast-fail: false build-list: - - identifier: py36_integ - buildspec: codebuild/py36/integ.yml - - identifier: py36_examples - buildspec: codebuild/py36/examples.yml - - identifier: py36_awses_local - buildspec: codebuild/py36/awses_local.yml - - identifier: py37_integ buildspec: codebuild/py37/integ.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py37_examples buildspec: codebuild/py37/examples.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py37_awses_local buildspec: codebuild/py37/awses_local.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py38_integ buildspec: codebuild/py38/integ.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py38_examples buildspec: codebuild/py38/examples.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py38_awses_local buildspec: codebuild/py38/awses_local.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py39_integ buildspec: codebuild/py39/integ.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py39_examples buildspec: codebuild/py39/examples.yml + env: + image: aws/codebuild/standard:5.0 - identifier: py39_awses_latest + env: + image: aws/codebuild/standard:5.0 - identifier: py310_integ buildspec: codebuild/py310/integ.yml + env: + image: aws/codebuild/standard:6.0 - identifier: py310_examples buildspec: codebuild/py310/examples.yml + env: + image: aws/codebuild/standard:6.0 - identifier: py310_awses_latest buildspec: codebuild/py310/awses_local.yml + env: + image: aws/codebuild/standard:6.0 + - identifier: py311_integ + buildspec: codebuild/py311/integ.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_examples + buildspec: codebuild/py311/examples.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py311_awses_latest + buildspec: codebuild/py311/awses_local.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_integ + buildspec: codebuild/py312/integ.yml + env: + image: 
aws/codebuild/standard:7.0 + - identifier: py312_examples + buildspec: codebuild/py312/examples.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: py312_awses_latest + buildspec: codebuild/py312/awses_local.yml + env: + image: aws/codebuild/standard:7.0 + - identifier: code_coverage buildspec: codebuild/coverage/coverage.yml diff --git a/cfn/ESDK-Python.yml b/cfn/ESDK-Python.yml new file mode 100644 index 000000000..7a605f8c8 --- /dev/null +++ b/cfn/ESDK-Python.yml 
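Review bot: The new batch entries `py311_awses_latest` and `py312_awses_latest` point at `codebuild/py311/awses_local.yml` and `codebuild/py312/awses_local.yml`, whose `TOXENV` values are `py311-awses_local` / `py312-awses_local`, so the identifier says "latest" while the build runs the local variant; either rename them to `py311_awses_local` / `py312_awses_local` or point them at a buildspec that tests the latest release (the existing `py310_awses_latest` has the same mismatch). The context entry `py39_awses_latest` is the only item in `build-list` without a `buildspec:` key, which presumably makes CodeBuild fall back to the project default — worth confirming that is intended rather than an omission the new entries copied around.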
@@ -0,0 +1,360 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: "Template to build a CodeBuild Project, assumes that GitHub credentials are already set up." +Parameters: + ProjectName: + Type: String + Description: The name of the CodeBuild Project + ProjectDescription: + Type: String + Description: The description for the CodeBuild Project + SourceLocation: + Type: String + Description: The https GitHub URL for the project + NumberOfBuildsInBatch: + Type: Number + MaxValue: 100 + MinValue: 1 + Default: 4 + Description: The number of builds you expect to run in a batch + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Crypto Tools CodeBuild Project Template" + Parameters: + - ProjectName + - ProjectDescription + - SourceLocation + +Resources: + CodeBuildProject: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Ref ProjectName + Description: !Ref ProjectDescription + Source: + Location: !Ref SourceLocation + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: true + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_MEDIUM" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildCIServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildProjectTestRelease: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Sub 
"${ProjectName}-test-release" + Description: !Sub "CodeBuild project for ${ProjectName} to release to test PyPi." + Source: + Location: !Ref SourceLocation + BuildSpec: "codebuild/release/test-release.yml" + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: false + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_SMALL" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + CodeBuildProjectProdRelease: + Type: "AWS::CodeBuild::Project" + Properties: + Name: !Sub "${ProjectName}-prod-release" + Description: !Sub "CodeBuild project for ${ProjectName} to release to prod PyPi." 
+ Source: + Location: !Ref SourceLocation + BuildSpec: "codebuild/release/prod-release.yml" + GitCloneDepth: 1 + GitSubmodulesConfig: + FetchSubmodules: false + InsecureSsl: false + ReportBuildStatus: false + Type: "GITHUB" + Artifacts: + Type: "NO_ARTIFACTS" + Cache: + Type: "NO_CACHE" + Environment: + ComputeType: "BUILD_GENERAL1_SMALL" + Image: "aws/codebuild/standard:3.0" + ImagePullCredentialsType: "CODEBUILD" + PrivilegedMode: false + Type: "LINUX_CONTAINER" + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + TimeoutInMinutes: 60 + QueuedTimeoutInMinutes: 480 + EncryptionKey: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/s3" + BadgeEnabled: false + BuildBatchConfig: + ServiceRole: !GetAtt CodeBuildServiceRole.Arn + Restrictions: + MaximumBuildsAllowed: !Ref NumberOfBuildsInBatch + ComputeTypesAllowed: + - BUILD_GENERAL1_SMALL + - BUILD_GENERAL1_MEDIUM + TimeoutInMins: 480 + LogsConfig: + CloudWatchLogs: + Status: "ENABLED" + S3Logs: + Status: "DISABLED" + EncryptionDisabled: false + + + + CodeBuildServiceRole: + Type: "AWS::IAM::Role" + Properties: + Path: "/service-role/" + RoleName: !Sub "codebuild-${ProjectName}-service-role" + AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" + MaxSessionDuration: 3600 + ManagedPolicyArns: + - !Ref CryptoToolsKMS + - !Ref CodeBuildBatchPolicy + - !Ref CodeBuildBasePolicy + - !Ref SecretsManagerPolicy + - !Ref CodeBuildCISTSAllow + + CodeBuildCIServiceRole: + Type: "AWS::IAM::Role" + Properties: + Path: "/service-role/" + RoleName: !Sub "codebuild-${ProjectName}-CI-service-role" + AssumeRolePolicyDocument: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" + MaxSessionDuration: 3600 + ManagedPolicyArns: + - !Ref CryptoToolsKMS + - !Ref CodeBuildCIBatchPolicy + - !Ref 
CodeBuildBasePolicy + - !Ref CodeBuildCISTSAllow + + CodeBuildBatchPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}", + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-test-release", + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}-prod-release" + ], + "Action": [ + "codebuild:StartBuild", + "codebuild:StopBuild", + "codebuild:RetryBuild" + ] + } + ] + } + + CodeBuildCIBatchPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBuildBatchPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-CI-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/${ProjectName}" + ], + "Action": [ + "codebuild:StartBuild", + "codebuild:StopBuild", + "codebuild:RetryBuild" + ] + } + ] + } + + CodeBuildBasePolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-${AWS::Region}" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}:*", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-test-release:*", + 
"arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release", + "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ProjectName}-prod-release:*" + ], + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ] + }, + { + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::codepipeline-${AWS::Region}-*" + ], + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketAcl", + "s3:GetBucketLocation" + ] + }, + { + "Effect": "Allow", + "Action": [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages" + ], + "Resource": [ + "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/${ProjectName}-*" + ] + } + ] + } + + SecretsManagerPolicy: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CryptoTools-SecretsManager-${ProjectName}-release" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:secretsmanager:us-west-2:587316601012:secret:TestPyPiCryptoTools-SxeLBh", + "arn:aws:secretsmanager:us-west-2:587316601012:secret:PyPiAdmin-ZWyd1T" + ], + "Action": "secretsmanager:GetSecretValue" + } + ] + } + + # There exist public AWS KMS CMKs that are used for testing + # Take care with these CMKs they are **ONLY** for testing!!! 
+ CryptoToolsKMS: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-${ProjectName}-${AWS::Region}-codebuild-${ProjectName}-service-role" + Path: "/service-role/" + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:kms:*:658956600833:key/*", + "arn:aws:kms:*:658956600833:alias/*", + "arn:aws:kms:*:370957321024:key/*", + "arn:aws:kms:*:370957321024:alias/*" + ], + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:Generate*", + "kms:GetPublicKey", + "kms:DescribeKey" + ] + } + ] + } + + CodeBuildCISTSAllow: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub CodeBuildCISTSAllow-${ProjectName} + Path: /service-role/ + PolicyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Python-Role-us-west-2" + } + ] + } diff --git a/cfn/Public-ESDK-Python-CI.yml b/cfn/Public-ESDK-Python-CI.yml new file mode 100644 index 000000000..6d40b8274 --- /dev/null +++ b/cfn/Public-ESDK-Python-CI.yml 
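Review bot: `CryptoToolsKMS` sets `ManagedPolicyName: !Sub "CrypotToolsKMSPolicy-…"` — "Crypot" is a typo for "Crypto", and because the name is the policy's identity it is cheapest to fix before the stack is first deployed (renaming later replaces the policy). `SecretsManagerPolicy` hard-codes `us-west-2` and account `587316601012` in its two secret ARNs, whereas every other ARN in the template is built from `${AWS::Region}`/`${AWS::AccountId}`; if the release secrets intentionally live in one fixed account, a comment saying so would stop the next reader from "fixing" it, otherwise use the pseudo-parameters. The policy documents are JSON embedded in `!Sub |` block scalars (and escaped one-line strings for the two `AssumeRolePolicyDocument` values); CloudFormation accepts them as native YAML mappings, which cfn-lint can then validate. Note that `CodeBuildCISTSAllow` is attached to both service roles, so the KMS wildcards in `CryptoToolsKMS` (`key/*` and `alias/*` across all regions of two accounts) are reachable from ordinary CI builds; that is consistent with the "ONLY for testing" comment above it, but the caveat belongs next to `CodeBuildCISTSAllow` too.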
@@ -0,0 +1,59 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing"
+
+Parameters:
+ ProjectName:
+ Type: String
+ Description: A prefix that will be applied to any resource names
+ Default: Public-ESDK-Python
+ GitHubRepo:
+ Type: String
+ Description: GitHub Repo that invokes CI
+ Default: aws/aws-encryption-sdk-python
+
+Resources:
+ GitHubCIRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
+ Description: "Access DDB, KMS, Resources for CI from GitHub"
+ ManagedPolicyArns:
+ - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+ - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+ - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+ - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
+ AssumeRolePolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": { "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com" },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {
+ "StringEquals": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::587316601012:role/service-role/codebuild-python-esdk-CI-service-role",
+ "arn:aws:iam::587316601012:role/service-role/codebuild-python-esdk-service-role",
+ "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment"
+ ]
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/codebuild/coverage/coverage.yml b/codebuild/coverage/coverage.yml
index f82a3a982..51d8b0a6f 100644
--- a/codebuild/coverage/coverage.yml
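Review bot: The OIDC trust condition `"token.actions.githubusercontent.com:sub": "repo:${GitHubRepo}:*"` lets any workflow run in the repository — every branch, tag, environment and pull-request context — assume `GitHubCIRole` and its four attached policies; narrowing the `StringLike` value to the contexts CI actually uses (for example `repo:${GitHubRepo}:ref:refs/heads/<DEFAULT_BRANCH>` or `repo:${GitHubRepo}:environment:<ENV_NAME>`, placeholders to be filled in) is the usual least-privilege shape, and the `aud` check that is already present should stay. The second statement uses `"Principal": { "AWS": "*" }` narrowed by `aws:PrincipalArn`, a documented pattern when the principals may not exist yet; listing the three role ARNs directly under `Principal.AWS` lets IAM validate them at deploy time and stops trusting a role that is deleted and re-created under the same name, which the string match would accept. The `Description` (`IAM Managed Policies/Role for AWS KMS Hierarchical Keyring Testing`) and the `ESDK-Dafny-DDB-ReadWriteDelete-us-west-2` / `Hierarchical-GitHub-KMS-Key-Policy` attachments look carried over from another template; if the Python SDK's CI does not touch DynamoDB or the hierarchical keyring, dropping them shrinks the blast radius, and the description should name this project either way. The file also ends without a trailing newline.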
+++ b/codebuild/coverage/coverage.yml @@ -10,5 +10,5 @@ phases: python: latest build: commands: - - pip install tox + - pip install "tox < 4.0" - tox diff --git a/codebuild/py310/awses_local.yml b/codebuild/py310/awses_local.yml index a60eba6d2..df2fcf318 100644 --- a/codebuild/py310/awses_local.yml +++ b/codebuild/py310/awses_local.yml @@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.10 build: commands: - - pyenv install 3.10.0 - - pyenv local 3.10.0 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py310/examples.yml b/codebuild/py310/examples.yml index 59bb42499..b495a327c 100644 --- a/codebuild/py310/examples.yml +++ b/codebuild/py310/examples.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.10 build: commands: - - pyenv install 3.10.0 - - pyenv local 3.10.0 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py310/integ.yml b/codebuild/py310/integ.yml index 3346a06a2..6b557e709 100644 --- a/codebuild/py310/integ.yml +++ b/codebuild/py310/integ.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.10 build: commands: - - pyenv install 3.10.0 - - pyenv local 3.10.0 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py36/awses_local.yml b/codebuild/py311/awses_local.yml similarity index 86% rename from codebuild/py36/awses_local.yml rename to codebuild/py311/awses_local.yml index b68a7e434..1b00712d5 100644 --- a/codebuild/py36/awses_local.yml +++ b/codebuild/py311/awses_local.yml @@ -2,7 +2,7 @@ version: 0.2 env: variables: - TOXENV: "py36-awses_local" + TOXENV: "py311-awses_local" AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- 
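Review bot: `pip install "tox < 4.0"` records an upper bound without saying why; as far as I know the tox 3.x line receives no further releases, so the next reader needs to know whether the bound exists because `tox.ini` has not been migrated to tox 4 or because of a plugin, otherwise the pin will be dropped or kept for the wrong reason. Add a comment above the command such as `# tox 4 is not yet supported by this repo's tox.ini; keep <4.0 until migrated` (adjusted to the real reason). The same unexplained pin is added in codebuild/py310/*, codebuild/py311/* and codebuild/py312/awses_local.yml.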
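Review bot: `runtime-versions: python: 3.10` is a plain scalar, and under YAML implicit typing `3.10` is the float `3.1`; whether CodeBuild's loader keeps the literal text is not something this diff shows, so quote it as `python: "3.10"` and do the same in the `examples.yml` and `integ.yml` hunks of codebuild/py310. The new `python: 3.11` lines in codebuild/py311 keep their value as a float but are clearer quoted too. Replacing the `pyenv install`/`tox-pyenv` steps with the image runtime is a good simplification, and the direction codebuild/py312/awses_local.yml should take once its image ships a 3.12 runtime.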
@@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.11 build: commands: - - pyenv install 3.6.15 - - pyenv local 3.6.15 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py36/examples.yml b/codebuild/py311/examples.yml similarity index 83% rename from codebuild/py36/examples.yml rename to codebuild/py311/examples.yml index 46af14902..6efcd26d2 100644 --- a/codebuild/py36/examples.yml +++ b/codebuild/py311/examples.yml @@ -2,7 +2,7 @@ version: 0.2 env: variables: - TOXENV: "py36-examples" + TOXENV: "py311-examples" AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.11 build: commands: - - pyenv install 3.6.15 - - pyenv local 3.6.15 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py36/integ.yml b/codebuild/py311/integ.yml similarity index 84% rename from codebuild/py36/integ.yml rename to codebuild/py311/integ.yml index d55581c43..9606bee12 100644 --- a/codebuild/py36/integ.yml +++ b/codebuild/py311/integ.yml @@ -2,7 +2,7 @@ version: 0.2 env: variables: - TOXENV: "py36-integ" + TOXENV: "py311-integ" AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.11 build: commands: - - pyenv install 3.6.15 - - pyenv local 3.6.15 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py312/awses_local.yml b/codebuild/py312/awses_local.yml new file mode 100644 index 000000000..0a81984ee --- /dev/null +++ b/codebuild/py312/awses_local.yml 
@@ -0,0 +1,30 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-awses_local" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_API_DEPLOYMENT_ID: "xi1mwx3ttb" + AWS_ENCRYPTION_SDK_PYTHON_DECRYPT_ORACLE_REGION: "us-west-2" + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - + - pyenv install --skip-existing 3.12.0 + - pyenv local 3.12.0 + - pip install --upgrade pip + - pip install setuptools + - pip install "tox < 4.0" + - cd test_vector_handlers + - tox diff --git a/codebuild/py312/examples.yml b/codebuild/py312/examples.yml new file mode 100644 index 000000000..691ea0e60 --- /dev/null +++ b/codebuild/py312/examples.yml 
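Review bot: The new `cd /root/.pyenv/plugins/python-build/../.. && git pull && cd -` step (also in the py312 examples.yml and integ.yml hunks on the next two lines) updates pyenv from whatever its remote serves at build time — an unpinned fetch of executable tooling into a build that then installs the interpreter used for integration tests against real KMS keys, and a non-reproducible build when upstream changes. Pin what is fetched, e.g. `git fetch origin <PYENV_TAG> && git checkout <PYENV_TAG>` with a tag or commit id recorded in a comment, or, as the other buildspecs in this commit do, use `runtime-versions: python: "3.12"` once the image provides it and drop the pyenv steps entirely. The path also simplifies to `/root/.pyenv`; the `plugins/python-build/../..` spelling obscures what is being updated. `pip install setuptools` on the following line is unpinned too, unlike `"tox < 4.0"` right after it.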
@@ -0,0 +1,27 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-examples" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - + - pyenv install --skip-existing 3.12.0 + - pyenv local 3.12.0 + - pip install --upgrade pip + - pip install setuptools + - pip install "tox < 4.0" + - tox diff --git a/codebuild/py312/integ.yml b/codebuild/py312/integ.yml new file mode 100644 index 000000000..10899f1df --- /dev/null +++ b/codebuild/py312/integ.yml 
@@ -0,0 +1,27 @@ +version: 0.2 + +env: + variables: + TOXENV: "py312-integ" + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >- + arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >- + arn:aws:kms:eu-central-1:658956600833:key/75414c93-5285-4b57-99c9-30c1cf0a22c2 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_1: >- + arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_MRK_KEY_ID_2: >- + arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7 + +phases: + install: + runtime-versions: + python: latest + build: + commands: + - cd /root/.pyenv/plugins/python-build/../.. && git pull && cd - + - pyenv install --skip-existing 3.12.0 + - pyenv local 3.12.0 + - pip install --upgrade pip + - pip install setuptools + - pip install "tox < 4.0" + - tox diff --git a/codebuild/py37/awses_local.yml b/codebuild/py37/awses_local.yml index 9e77d43f7..02dfe5d0b 100644 --- a/codebuild/py37/awses_local.yml +++ b/codebuild/py37/awses_local.yml @@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.7 build: commands: - - pyenv install 3.7.12 - - pyenv local 3.7.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py37/examples.yml b/codebuild/py37/examples.yml index 57d1626df..0b240c768 100644 --- a/codebuild/py37/examples.yml +++ b/codebuild/py37/examples.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.7 build: commands: - - pyenv install 3.7.12 - - pyenv local 3.7.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py37/integ.yml b/codebuild/py37/integ.yml index 04d24c26d..b702d45cb 100644 --- a/codebuild/py37/integ.yml +++ b/codebuild/py37/integ.yml 
@@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.7 build: commands: - - pyenv install 3.7.12 - - pyenv local 3.7.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py38/awses_local.yml b/codebuild/py38/awses_local.yml index 4e20973d4..9876de247 100644 --- a/codebuild/py38/awses_local.yml +++ b/codebuild/py38/awses_local.yml @@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.8 build: commands: - - pyenv install 3.8.12 - - pyenv local 3.8.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py38/examples.yml b/codebuild/py38/examples.yml index 1a8f4f826..4dff71d65 100644 --- a/codebuild/py38/examples.yml +++ b/codebuild/py38/examples.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.8 build: commands: - - pyenv install 3.8.12 - - pyenv local 3.8.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py38/integ.yml b/codebuild/py38/integ.yml index 28eae25fc..8b7acafe1 100644 --- a/codebuild/py38/integ.yml +++ b/codebuild/py38/integ.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.8 build: commands: - - pyenv install 3.8.12 - - pyenv local 3.8.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py39/awses_1.7.1.yml b/codebuild/py39/awses_1.7.1.yml index e261b5e4d..22267ad8f 100644 --- a/codebuild/py39/awses_1.7.1.yml +++ b/codebuild/py39/awses_1.7.1.yml @@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.9 build: commands: - - pyenv install 3.9.7 - - pyenv local 3.9.7 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py39/awses_2.0.0.yml b/codebuild/py39/awses_2.0.0.yml index b4a6654d5..d35e7e98c 100644 --- a/codebuild/py39/awses_2.0.0.yml 
+++ b/codebuild/py39/awses_2.0.0.yml @@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.9 build: commands: - - pyenv install 3.9.7 - - pyenv local 3.9.7 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py39/awses_latest.yml b/codebuild/py39/awses_latest.yml index ac70cede8..719ab2238 100644 --- a/codebuild/py39/awses_latest.yml +++ b/codebuild/py39/awses_latest.yml @@ -17,11 +17,9 @@ env: phases: install: runtime-versions: - python: latest + python: 3.9 build: commands: - - pyenv install 3.9.7 - - pyenv local 3.9.7 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - cd test_vector_handlers - tox diff --git a/codebuild/py39/examples.yml b/codebuild/py39/examples.yml index 9b1911024..3d1399251 100644 --- a/codebuild/py39/examples.yml +++ b/codebuild/py39/examples.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.9 build: commands: - - pyenv install 3.9.7 - - pyenv local 3.9.7 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/py39/integ.yml b/codebuild/py39/integ.yml index c7452e37e..6dec85b07 100644 --- a/codebuild/py39/integ.yml +++ b/codebuild/py39/integ.yml @@ -15,10 +15,8 @@ env: phases: install: runtime-versions: - python: latest + python: 3.9 build: commands: - - pyenv install 3.9.7 - - pyenv local 3.9.7 - - pip install tox tox-pyenv + - pip install "tox < 4.0" - tox diff --git a/codebuild/release/prod-release.yml b/codebuild/release/prod-release.yml index aa985e361..df5afb2fc 100644 --- a/codebuild/release/prod-release.yml +++ b/codebuild/release/prod-release.yml 
@@ -4,13 +4,13 @@ env: variables: BRANCH: "master" secrets-manager: - TWINE_USERNAME: PyPiAdmin:username - TWINE_PASSWORD: PyPiAdmin:password + TWINE_USERNAME: PyPiAPIToken:username + TWINE_PASSWORD: PyPiAPIToken:password phases: install: commands: - - pip install tox + - pip install "tox < 4.0" - pip install --upgrade pip runtime-versions: python: latest diff --git a/codebuild/release/test-release.yml b/codebuild/release/test-release.yml index 6c0ce85c9..cab56a9fd 100644 --- a/codebuild/release/test-release.yml +++ b/codebuild/release/test-release.yml @@ -4,13 +4,13 @@ env: variables: BRANCH: "master" secrets-manager: - TWINE_USERNAME: TestPyPiCryptoTools:username - TWINE_PASSWORD: TestPyPiCryptoTools:password + TWINE_USERNAME: TestPyPiAPIToken:username + TWINE_PASSWORD: TestPyPiAPIToken:password phases: install: commands: - - pip install tox + - pip install "tox < 4.0" - pip install --upgrade pip runtime-versions: python: latest diff --git a/codebuild/release/validate.yml b/codebuild/release/validate.yml index 95dfd5cb2..a929e9154 100644 --- a/codebuild/release/validate.yml +++ b/codebuild/release/validate.yml @@ -3,7 +3,7 @@ version: 0.2 phases: install: commands: - - pip install tox + - pip install "tox < 4.0" runtime-versions: python: latest pre_build: @@ -11,9 +11,9 @@ phases: - git clone https://github.com/aws-samples/busy-engineers-document-bucket.git - cd busy-engineers-document-bucket/exercises/python/encryption-context-complete - sed -i "s/aws_encryption_sdk/aws_encryption_sdk==$VERSION/" requirements-dev.txt - - pyenv install 3.8.12 + - pyenv install --skip-existing 3.8.12 - pyenv local 3.8.12 - - pip install tox tox-pyenv + - pip install "tox < 4.0" build: commands: - NUM_RETRIES=3 diff --git a/decrypt_oracle/.chalice/buildspec.yaml b/decrypt_oracle/.chalice/buildspec.yaml index 657c5a4be..d7c256698 100644 --- a/decrypt_oracle/.chalice/buildspec.yaml +++ b/decrypt_oracle/.chalice/buildspec.yaml 
@@ -2,7 +2,7 @@ version: 0.2 phases: install: commands: - - pip install tox + - pip install "tox < 4.0" build: commands: - cd decrypt_oracle diff --git a/decrypt_oracle/.chalice/pipeline.py b/decrypt_oracle/.chalice/pipeline.py index 45e050a2d..9d5573646 100644 --- a/decrypt_oracle/.chalice/pipeline.py +++ b/decrypt_oracle/.chalice/pipeline.py @@ -23,10 +23,10 @@ APPLICATION_NAME = "AwsEncryptionSdkDecryptOraclePython" PIPELINE_STACK_NAME = "{}DeployPipeline".format(APPLICATION_NAME) -CODEBUILD_IMAGE = "aws/codebuild/python:3.6.5" +CODEBUILD_IMAGE = "aws/codebuild/standard:5.0" BUILDSPEC = "decrypt_oracle/.chalice/buildspec.yaml" GITHUB_REPO = "aws-encryption-sdk-python" -WAITER_CONFIG = dict(Delay=10) +WAITER_CONFIG = {"Delay": 10} _LOGGER = logging.getLogger("Decrypt Oracle Build Pipeline Deployer") @@ -35,7 +35,7 @@ class AllowEverywhere(AWS.Statement): def __init__(self, *args, **kwargs): """Set up override values.""" - my_kwargs = dict(Effect=AWS.Allow, Resource=["*"]) + my_kwargs = {"Effect": AWS.Allow, "Resource": ["*"]} my_kwargs.update(kwargs) super().__init__(*args, **my_kwargs) @@ -167,13 +167,13 @@ def _pipeline( ActionTypeId=codepipeline.ActionTypeId( Category="Source", Owner="ThirdParty", Version="1", Provider="GitHub" ), - Configuration=dict( - Owner=github_owner, - Repo=GITHUB_REPO, - OAuthToken=Ref(github_access_token), - Branch=github_branch, - PollForSourceChanges=True, - ), + Configuration={ + "Owner": github_owner, + "Repo": GITHUB_REPO, + "OAuthToken": Ref(github_access_token), + "Branch": github_branch, + "PollForSourceChanges": True, + }, ) ], ) @@ -191,7 +191,7 @@ def _pipeline( ActionTypeId=codepipeline.ActionTypeId( Category="Build", Owner="AWS", Version="1", Provider="CodeBuild" ), - Configuration=dict(ProjectName=Ref(codebuild_builder)), + Configuration={"ProjectName": Ref(codebuild_builder)}, ) ], ) 
@@ -200,25 +200,25 @@ def _pipeline( RunOrder="1", ActionTypeId=codepipeline.ActionTypeId(Category="Deploy", Owner="AWS", Version="1", Provider="CloudFormation"), InputArtifacts=[codepipeline.InputArtifacts(Name=_compiled_cfn_template)], - Configuration=dict( - ActionMode="CHANGE_SET_REPLACE", - ChangeSetName=_changeset_name, - RoleArn=GetAtt(cfn_role, "Arn"), - Capabilities="CAPABILITY_IAM", - StackName=_stack_name, - TemplatePath="{}::decrypt_oracle/transformed.yaml".format(_compiled_cfn_template), - ), + Configuration={ + "ActionMode": "CHANGE_SET_REPLACE", + "ChangeSetName": _changeset_name, + "RoleArn": GetAtt(cfn_role, "Arn"), + "Capabilities": "CAPABILITY_IAM", + "StackName": _stack_name, + "TemplatePath": "{}::decrypt_oracle/transformed.yaml".format(_compiled_cfn_template), + }, ) deploy_changeset = codepipeline.Actions( Name="Deploy", RunOrder="2", ActionTypeId=codepipeline.ActionTypeId(Category="Deploy", Owner="AWS", Version="1", Provider="CloudFormation"), - Configuration=dict( - ActionMode="CHANGE_SET_EXECUTE", - ChangeSetName=_changeset_name, - StackName=_stack_name, - OutputFileName="StackOutputs.json", - ), + Configuration={ + "ActionMode": "CHANGE_SET_EXECUTE", + "ChangeSetName": _changeset_name, + "StackName": _stack_name, + "OutputFileName": "StackOutputs.json", + }, OutputArtifacts=[codepipeline.OutputArtifacts(Name="AppDeploymentValues")], ) deploy = codepipeline.Stages(Name="Deploy", Actions=[stage_changeset, deploy_changeset]) @@ -272,8 +272,7 @@ def _stack_exists(cloudformation) -> bool: return False raise - else: - return True + return True def _update_existing_stack(cloudformation, template: Template, github_token: str) -> None: 
@@ -284,7 +283,7 @@ def _update_existing_stack(cloudformation, template: Template, github_token: str cloudformation.update_stack( StackName=PIPELINE_STACK_NAME, TemplateBody=template.to_json(), - Parameters=[dict(ParameterKey="GithubPersonalToken", ParameterValue=github_token)], + Parameters=[{"ParameterKey": "GithubPersonalToken", "ParameterValue": github_token}], Capabilities=["CAPABILITY_IAM"], ) _LOGGER.info("Waiting for stack update to complete...") @@ -301,7 +300,7 @@ def _deploy_new_stack(cloudformation, template: Template, github_token: str) -> cloudformation.create_stack( StackName=PIPELINE_STACK_NAME, TemplateBody=template.to_json(), - Parameters=[dict(ParameterKey="GithubPersonalToken", ParameterValue=github_token)], + Parameters=[{"ParameterKey": "GithubPersonalToken", "ParameterValue": github_token}], Capabilities=["CAPABILITY_IAM"], ) _LOGGER.info("Waiting for stack to deploy...") diff --git a/decrypt_oracle/setup.py b/decrypt_oracle/setup.py index c56d64911..f68454392 100644 --- a/decrypt_oracle/setup.py +++ b/decrypt_oracle/setup.py @@ -45,7 +45,6 @@ def get_requirements(): "Natural Language :: English", "License :: OSI Approved :: Apache Software License", "Programming Language :: Python", - "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", diff --git a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py index b0d8a8d48..820b9e015 100644 --- a/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py +++ b/decrypt_oracle/src/aws_encryption_sdk_decrypt_oracle/app.py @@ -16,6 +16,7 @@ import os import aws_encryption_sdk +from aws_encryption_sdk.identifiers import CommitmentPolicy from aws_encryption_sdk.key_providers.kms import DiscoveryAwsKmsMasterKeyProvider from chalice import Chalice, Response 
@@ -59,7 +60,9 @@ def basic_decrypt() -> Response: APP.log.debug(APP.current_request.raw_body) try: - client = aws_encryption_sdk.EncryptionSDKClient() + # The decrypt oracle needs to be able to decrypt any message + # it does not encrypt messages for anyone. + client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) ciphertext = APP.current_request.raw_body plaintext, _header = client.decrypt(source=ciphertext, key_provider=_master_key_provider()) APP.log.debug("Plaintext:") diff --git a/decrypt_oracle/src/pylintrc b/decrypt_oracle/src/pylintrc index 2e1e6336e..888ae1355 100644 --- a/decrypt_oracle/src/pylintrc +++ b/decrypt_oracle/src/pylintrc @@ -1,7 +1,6 @@ [MESSAGES CONTROL] # Disabling messages that we either don't care about for tests or are necessary to break for tests. disable = - bad-continuation, # we let black handle this ungrouped-imports, # we let isort handle this consider-using-f-string # disable until 2022-05-05; 6 months after 3.5 deprecation diff --git a/decrypt_oracle/test/pylintrc b/decrypt_oracle/test/pylintrc index 3d4a895b2..7cbbfc2ff 100644 --- a/decrypt_oracle/test/pylintrc +++ b/decrypt_oracle/test/pylintrc @@ -5,7 +5,8 @@ disable = missing-docstring, # we don't write docstrings for tests bad-continuation, # we let black handle this ungrouped-imports, # we let isort handle this - consider-using-f-string # disable until 2022-05-05; 6 months after 3.5 deprecation + consider-using-f-string, # disable until 2022-05-05; 6 months after 3.5 deprecation + missing-timeout # disabling until we come up with a reasonable number [FORMAT] max-line-length = 120 diff --git a/decrypt_oracle/tox.ini b/decrypt_oracle/tox.ini index b90d9f527..ce640bd32 100644 --- a/decrypt_oracle/tox.ini +++ b/decrypt_oracle/tox.ini @@ -1,6 +1,6 @@ [tox] envlist = - py{36,37,38,39}-{local,integ}, + py{39}-{local,integ}, bandit, doc8, readme, docs, {flake8,pylint}{,-tests}, # prone to false positives 
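Review bot: The new comment above the `EncryptionSDKClient` construction in `basic_decrypt` is missing punctuation between its two clauses and does not say what the chosen policy actually relaxes, which is the security-relevant part. Suggest `# The oracle must decrypt every message format, including ones written without key commitment, so decryption is allowed without commitment;` followed by `# it never encrypts, so encryption is forbidden outright (FORBID_ENCRYPT_ALLOW_DECRYPT rather than the default).` That makes the deliberate weakening relative to REQUIRE_ENCRYPT_REQUIRE_DECRYPT reviewable instead of implicit. The body of basic_decrypt continues outside the hunk.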
@@ -35,7 +35,7 @@ envlist = [testenv:generate-pipeline] -basepython = python3 +basepython = python3.9 skip_install = true deps = troposphere[policy] @@ -44,7 +44,7 @@ commands = python .chalice/pipeline.py {posargs} [testenv:chalice-prep] -basepython = python3.6 +basepython = python3.9 skip_install = true recreate = true deps = {[testenv:build]deps} @@ -59,7 +59,7 @@ commands = python {toxinidir}/.chalice/build-requirements.py [testenv:chalice] -basepython = python3.6 +basepython = python3.9 recreate = true deps = {[testenv:chalice-prep]deps} @@ -69,7 +69,7 @@ commands = chalice {posargs} [testenv:chalice-deploy] -basepython = python3.6 +basepython = python3.9 recreate = true deps = {[testenv:chalice]deps} @@ -141,17 +141,6 @@ commands = {posargs} {[testenv:mypy-coverage]commands} -[testenv:mypy-py2] -basepython = {[testenv:mypy-common]basepython} -deps = {[testenv:mypy-common]deps} -commands = - python -m mypy \ - --py2 \ - --linecoverage-report build \ - src/aws_encryption_sdk_decrypt_oracle/ \ - {posargs} - {[testenv:mypy-coverage]commands} - # Linters [testenv:flake8] basepython = python3 @@ -167,7 +156,6 @@ commands = app.py \ setup.py \ .chalice/pipeline.py \ - #doc/conf.py \ {posargs} [testenv:flake8-tests] @@ -218,7 +206,6 @@ commands = src/aws_encryption_sdk_decrypt_oracle/ \ setup.py \ app.py \ - #doc/conf.py \ test/ \ .chalice/pipeline.py \ {posargs} @@ -276,7 +263,7 @@ basepython = python3 deps = sphinx doc8 -commands = doc8 doc/index.rst README.rst CHANGELOG.rst +commands = doc8 README.rst [testenv:readme] basepython = python3 
@@ -319,21 +306,6 @@ commands = {[testenv:flake8-tests]commands} {[testenv:pylint-tests]commands} -# Documentation -[testenv:docs] -basepython = python3 -deps = -rdoc/requirements.txt -commands = - sphinx-build -E -c doc/ -b html doc/ doc/build/html - -[testenv:serve-docs] -basepython = python3 -skip_install = true -changedir = doc/build/html -deps = -commands = - python -m http.server {posargs} - # Release tooling [testenv:park] basepython = python3 @@ -347,11 +319,9 @@ commands = python setup.py park basepython = python3 skip_install = true deps = - #{[testenv:docs]deps} wheel setuptools commands = - #{[testenv:docs]commands} python setup.py sdist bdist_wheel [testenv:test-release] diff --git a/dev_requirements/ci-requirements.txt b/dev_requirements/ci-requirements.txt index 9a41a70d3..4335988fd 100644 --- a/dev_requirements/ci-requirements.txt +++ b/dev_requirements/ci-requirements.txt @@ -1 +1,2 @@ -tox==3.24.5 +setuptools +tox==3.27.1 diff --git a/dev_requirements/doc-requirements.txt b/dev_requirements/doc-requirements.txt index 9364148e5..c1be99e9c 100644 --- a/dev_requirements/doc-requirements.txt +++ b/dev_requirements/doc-requirements.txt @@ -1,2 +1,2 @@ -sphinx==4.4.0 +sphinx==5.3.0 sphinx_rtd_theme==1.0.0 diff --git a/dev_requirements/linter-requirements.txt b/dev_requirements/linter-requirements.txt index 1ce748cb4..1295e522d 100644 --- a/dev_requirements/linter-requirements.txt +++ b/dev_requirements/linter-requirements.txt @@ -1,13 +1,13 @@ bandit==1.7.4 -black==22.3.0 +black==24.2.0 doc8==0.10.1 flake8==4.0.1 -flake8-bugbear==22.1.11 -flake8-docstrings==1.6.0 -flake8-print==4.0.0 -isort==5.10.1 +flake8-bugbear==22.9.11 +flake8-docstrings==1.7.0 +flake8-print==5.0.0 +isort==5.11.4 pyflakes==2.4.0 pylint==2.13.5 -readme_renderer==34.0 +readme_renderer==37.3 seed-isort-config==2.2.0 -vulture==2.3 +vulture==2.9.1 diff --git a/dev_requirements/release-requirements.txt b/dev_requirements/release-requirements.txt index 347169a9e..21fdc1520 100644 
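Review bot: `setuptools` is added to dev_requirements/ci-requirements.txt without a version while the file's only other entry, `tox==3.27.1`, is pinned, and release-requirements.txt in this same commit pins `setuptools==66.1.1`. An unpinned build tool pulls whatever is current at install time, so CI runs stop being reproducible and a bad upstream release lands in CI unreviewed. Pin it consistently, `setuptools==66.1.1` (or the version CI was validated against), so the two requirement files agree.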
--- a/dev_requirements/release-requirements.txt +++ b/dev_requirements/release-requirements.txt @@ -1,4 +1,4 @@ pypi-parker==0.1.2 -setuptools==62.0.0 +setuptools==66.1.1 twine==4.0.1 -wheel==0.37.1 \ No newline at end of file +wheel==0.38.4 \ No newline at end of file diff --git a/dev_requirements/test-requirements.txt b/dev_requirements/test-requirements.txt index 0dbc5a42c..01d7a2e2b 100644 --- a/dev_requirements/test-requirements.txt +++ b/dev_requirements/test-requirements.txt @@ -1,4 +1,4 @@ mock==4.0.3 -pytest==7.0.1 -pytest-cov==3.0.0 +pytest==7.2.1 +pytest-cov==4.0.0 pytest-mock==3.6.1 diff --git a/examples/src/custom_kms_client_for_kms_provider.py b/examples/src/custom_kms_client_for_kms_provider.py new file mode 100644 index 000000000..d7658ffaa --- /dev/null +++ b/examples/src/custom_kms_client_for_kms_provider.py 
@@ -0,0 +1,77 @@ +# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +"""Example showing how to customize the AWS KMS Client.""" +import boto3 +from botocore.config import Config + +import aws_encryption_sdk +from aws_encryption_sdk import CommitmentPolicy + + +# Create a new class that extends the AWS KMS Provider you need to use +class CustomKMSClientMasterKeyProvider(aws_encryption_sdk.StrictAwsKmsMasterKeyProvider): + """Custom region-specific client which extends the StrictAwsKmsMasterKeyProvider""" + + # Override `add_regional_client` to use whatever configuration you need + def add_regional_client(self, region_name): + """Adds a regional client for the specified region if it does not already exist. + :param str region_name: AWS Region ID (ex: us-east-1) + """ + if region_name not in self._regional_clients: + session = boto3.session.Session(botocore_session=self.config.botocore_session) + client = session.client( + 'kms', + region_name=region_name, + # Add additional custom client configuration here + config=Config(connection_timeout=10).merge(self._user_agent_adding_config) + ) + self._register_client(client, region_name) + self._regional_clients[region_name] = client + + +# This is just an example of using the above master key provider +def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None): + """Encrypts and then decrypts a string under one KMS customer master key (CMK). 
+ + :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK + :param bytes source_plaintext: Data to encrypt + :param botocore_session: existing botocore session instance + :type botocore_session: botocore.session.Session + """ + kwargs = dict(key_ids=[key_arn]) + + if botocore_session is not None: + kwargs["botocore_session"] = botocore_session + + # Set up an encryption client with an explicit commitment policy. Note that if you do not explicitly choose a + # commitment policy, REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used by default. + client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) + + # Create the custom master key provider using the ARN of the key and the session (botocore_session) + kms_key_provider = CustomKMSClientMasterKeyProvider(**kwargs) + + # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header. Note: in + # order for decrypt to succeed, the key_ids value must be the key ARN of the CMK. + ciphertext, encrypted_message_header = client.encrypt(source=source_plaintext, key_provider=kms_key_provider) + + # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header + plaintext, decrypted_message_header = client.decrypt(source=ciphertext, key_provider=kms_key_provider) + + # Check if the original message and the decrypted message are the same + assert source_plaintext == plaintext + + # Check if the headers of the encrypted message and decrypted message match + assert all( + pair in encrypted_message_header.encryption_context.items() + for pair in decrypted_message_header.encryption_context.items() + ) diff --git a/requirements.txt b/requirements.txt index fab293c05..506801993 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ boto3>=1.10.0 -cryptography>=2.5.0 +cryptography>=3.4.6 attrs>=17.4.0 wrapt>=1.10.11 diff --git a/setup.py b/setup.py index 2db856d89..7cc111bac 100644 
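Review bot: `Config(connection_timeout=10)` in `add_regional_client` passes a keyword that botocore's `Config` does not accept — the option is named `connect_timeout` — so as far as I can tell the example raises `TypeError` the first time a regional client is created, which defeats its purpose as a copy-paste sample. Change it to `config=Config(connect_timeout=10).merge(self._user_agent_adding_config)`. Two style points in `encrypt_decrypt` and the same method: `kwargs = dict(key_ids=[key_arn])` is the `dict()` call form the rest of this commit replaces with literals, so `kwargs = {"key_ids": [key_arn]}`; and `'kms'` is the only single-quoted string in a file that otherwise uses double quotes, which black will rewrite. The `add_regional_client` docstring also needs a blank line before `:param str region_name:` for flake8-docstrings.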
--- a/setup.py +++ b/setup.py @@ -46,7 +46,6 @@ def get_requirements(): "License :: OSI Approved :: Apache Software License", "Programming Language :: Python", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", diff --git a/src/aws_encryption_sdk/compatability.py b/src/aws_encryption_sdk/compatability.py index 4dbc022d0..eeac41a46 100644 --- a/src/aws_encryption_sdk/compatability.py +++ b/src/aws_encryption_sdk/compatability.py @@ -35,5 +35,5 @@ def _warn_deprecated_python(): "bug fixes, and security updates please upgrade to Python {}.{} or " "later. For more information, see SUPPORT_POLICY.rst: " "https://github.com/aws/aws-encryption-sdk-python/blob/master/SUPPORT_POLICY.rst" - ).format(py_version[0], py_version[1], minimum_version[0], minimum_version[1], params["date"]) + ).format(py_version[0], py_version[1], params["date"], minimum_version[0], minimum_version[1]) warnings.warn(warning, DeprecationWarning) diff --git a/src/aws_encryption_sdk/identifiers.py b/src/aws_encryption_sdk/identifiers.py index d4397335c..42cf45d82 100644 --- a/src/aws_encryption_sdk/identifiers.py +++ b/src/aws_encryption_sdk/identifiers.py @@ -27,7 +27,7 @@ # We only actually need these imports when running the mypy checks pass -__version__ = "3.1.1" +__version__ = "3.2.0" USER_AGENT_SUFFIX = "AwsEncryptionSdkPython/{}".format(__version__) diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py index 54eb046d2..1119cb740 100644 --- a/src/aws_encryption_sdk/streaming_client.py +++ b/src/aws_encryption_sdk/streaming_client.py 
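Review bot: Positional `{}` placeholders in `_warn_deprecated_python` are what let the argument order drift in the first place, and the reorder leaves the same trap for the next edit; switching to named fields (`{cur_major}.{cur_minor}`, `{date}`, `{min_major}.{min_minor}`) with keyword arguments to `.format` makes the mapping self-checking. The start of the format string is outside the hunk, so those names are illustrative and the first placeholders would need the same treatment. A short comment such as `# keep the placeholder order in sync with the format string above` is the minimum if the positional form is kept.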
@@ -299,10 +299,10 @@ def seek(self, offset, whence=0): def readline(self): """Read a chunk of the output""" - _LOGGER.info("reading line") + _LOGGER.debug("reading line") line = self.read(self.line_length) if len(line) < self.line_length: - _LOGGER.info("all lines read") + _LOGGER.debug("all lines read") return line def readlines(self): diff --git a/test/functional/test_f_crypto.py b/test/functional/test_f_crypto.py index 9242deedd..e0deb04f0 100644 --- a/test/functional/test_f_crypto.py +++ b/test/functional/test_f_crypto.py @@ -43,7 +43,7 @@ def test_ecc_static_length_signature(algorithm): def test_signer_key_bytes_cycle(): - key = ec.generate_private_key(curve=ec.SECP384R1, backend=default_backend()) + key = ec.generate_private_key(curve=ec.SECP384R1(), backend=default_backend()) signer = Signer(algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key=key) key_bytes = signer.key_bytes() new_signer = Signer.from_key_bytes( diff --git a/test/unit/test_caches_base.py b/test/unit/test_caches_base.py index c3aa2369b..c24b1b04c 100644 --- a/test/unit/test_caches_base.py +++ b/test/unit/test_caches_base.py @@ -19,18 +19,16 @@ def test_abstracts(): - with pytest.raises(TypeError) as excinfo: + with pytest.raises(TypeError, match='instantiate abstract class CryptoMaterialsCache') as excinfo: CryptoMaterialsCache() - excinfo.match( - r"Can't instantiate abstract class CryptoMaterialsCache with abstract methods {}".format( - ", ".join( - [ - "get_decryption_materials", - "get_encryption_materials", - "put_decryption_materials", - "put_encryption_materials", - ] - ) - ) - ) + exception = str(excinfo.value) + method_names = [ + "get_decryption_materials", + "get_encryption_materials", + "put_decryption_materials", + "put_encryption_materials" + ] + for name in method_names: + if exception.rfind(name) == -1: + raise AssertionError("{} missing from Exception Message".format(name)) 
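Review bot: The new loop in `test_abstracts` checks membership with `exception.rfind(name) == -1` and raises `AssertionError` by hand; the idiomatic pytest form is `assert name in exception, "{} missing from Exception Message".format(name)`, which reads as intent and gives pytest's assertion introspection on failure. The same pattern appears in the test_material_managers_base.py hunk on the next line. The `match=` argument to `pytest.raises` is a regex; the literal has no metacharacters so it behaves as a substring check today, but a raw string or a one-line comment would record that this is deliberate.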
diff --git a/test/unit/test_material_managers_base.py b/test/unit/test_material_managers_base.py index 792118979..34501e59a 100644 --- a/test/unit/test_material_managers_base.py +++ b/test/unit/test_material_managers_base.py @@ -19,11 +19,10 @@ def test_abstracts(): - with pytest.raises(TypeError) as excinfo: + with pytest.raises(TypeError, match='instantiate abstract class CryptoMaterialsManager') as excinfo: CryptoMaterialsManager() - - excinfo.match( - r"Can't instantiate abstract class CryptoMaterialsManager with abstract methods {}".format( - ", ".join(["decrypt_materials", "get_encryption_materials"]) - ) - ) + method_names = ["decrypt_materials", "get_encryption_materials"] + exception = str(excinfo.value) + for name in method_names: + if exception.rfind(name) == -1: + raise AssertionError("{} missing from Exception Message".format(name)) diff --git a/test/upstream-requirements-py27.txt b/test/upstream-requirements-py27.txt deleted file mode 100644 index a5a48c9ab..000000000 --- a/test/upstream-requirements-py27.txt +++ /dev/null @@ -1,36 +0,0 @@ -atomicwrites==1.4.0 -attrs==21.2.0 -backports.functools-lru-cache==1.6.4 -boto3==1.17.92 -botocore==1.20.92 -cffi==1.14.5 -configparser==4.0.2 -contextlib2==0.6.0.post1 -coverage==5.5 -cryptography==3.3.2 -enum34==1.1.10 -funcsigs==1.0.2 -futures==3.3.0 -importlib-metadata==2.1.1 -ipaddress==1.0.23 -jmespath==0.10.0 -mock==3.0.5 -more-itertools==5.0.0 -packaging==20.9 -pathlib2==2.3.5 -pluggy==0.13.1 -py==1.10.0 -pycparser==2.20 -pyparsing==2.4.7 -pytest==4.6.11 -pytest-cov==2.12.1 -pytest-mock==2.0.0 -python-dateutil==2.8.1 -s3transfer==0.4.2 -scandir==1.10.0 -six==1.16.0 -toml==0.10.2 -urllib3==1.26.5 -wcwidth==0.2.5 -wrapt==1.12.1 -zipp==1.2.0 diff --git a/test/upstream-requirements-py311.txt b/test/upstream-requirements-py311.txt new file mode 100644 index 000000000..16ae4654a --- /dev/null +++ b/test/upstream-requirements-py311.txt 
@@ -0,0 +1,20 @@
+attrs==22.2.0
+boto3==1.26.54
+botocore==1.29.54
+cffi==1.15.1
+coverage==7.0.5
+cryptography==42.0.4
+iniconfig==2.0.0
+jmespath==1.0.1
+mock==4.0.3
+packaging==23.0
+pluggy==1.0.0
+pycparser==2.21
+pytest==7.2.0
+pytest-cov==3.0.0
+pytest-mock==3.6.1
+python-dateutil==2.8.2
+s3transfer==0.6.0
+six==1.16.0
+urllib3==1.26.18
+wrapt==1.14.1
diff --git a/test/upstream-requirements-py37.txt b/test/upstream-requirements-py37.txt
deleted file mode 100644
index a4603ddf8..000000000
--- a/test/upstream-requirements-py37.txt
+++ /dev/null
@@ -1,26 +0,0 @@
-attrs==21.2.0
-boto3==1.17.92
-botocore==1.20.92
-cffi==1.14.5
-coverage==5.5
-cryptography==3.4.7
-importlib-metadata==4.5.0
-iniconfig==1.1.1
-jmespath==0.10.0
-mock==4.0.3
-packaging==20.9
-pluggy==0.13.1
-py==1.10.0
-pycparser==2.20
-pyparsing==2.4.7
-pytest==6.2.4
-pytest-cov==2.12.1
-pytest-mock==3.6.1
-python-dateutil==2.8.1
-s3transfer==0.4.2
-six==1.16.0
-toml==0.10.2
-typing-extensions==3.10.0.0
-urllib3==1.26.5
-wrapt==1.12.1
-zipp==3.4.1
diff --git a/test/upstream.md b/test/upstream.md
new file mode 100644
index 000000000..aeb3ed638
--- /dev/null
+++ b/test/upstream.md
@@ -0,0 +1,7 @@
+AWS Crypto Tools maintains `test/upstream-requirements-py.txt` in our Python products such that
+our Cryptographic Primitive Provider for Python ([pyca/cryptography](https://github.com/pyca/cryptography))
+may execute downstream tests against AWS Crypto Tools Python products.
+These files allow pyca to install and test the Crypto Tools products.
+Additionally, Crypto Tools should maintain a test configuration that can be completed without using any AWS resources.
+If Crypto Tools needs to contact pyca about this expectation,
+they should cut a issue to the pyca/cryptography repo.
diff --git a/test_vector_handlers/LICENSE b/test_vector_handlers/LICENSE
new file mode 100644
index 000000000..8dada3eda
--- /dev/null
+++ b/test_vector_handlers/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/test_vector_handlers/MANIFEST.in b/test_vector_handlers/MANIFEST.in index 132bd9406..71b01728a 100644 --- a/test_vector_handlers/MANIFEST.in +++ b/test_vector_handlers/MANIFEST.in @@ -1,9 +1,5 @@ include README.rst -include CHANGELOG.rst -include CONTRIBUTING.rst include LICENSE include requirements.txt -recursive-include doc * recursive-include test *.py -recursive-include examples *.py \ No newline at end of file diff --git a/test_vector_handlers/README.rst b/test_vector_handlers/README.rst index 382352736..846400127 100644 --- a/test_vector_handlers/README.rst +++ b/test_vector_handlers/README.rst @@ -12,7 +12,7 @@ Getting Started Required Prerequisites ====================== -* Python 2.7 or 3.4+ +* Python 3.7+ * aws-encryption-sdk Use 
@@ -75,4 +75,4 @@ decrypt and verify all referenced ciphertexts. -h, --help show this help message and exit --input INPUT Existing full message decrypt manifest -.. _shared test vectors repository: https://github.com/awslabs/aws-encryption-sdk-test-vectors \ No newline at end of file +.. _shared test vectors repository: https://github.com/awslabs/aws-encryption-sdk-test-vectors diff --git a/test_vector_handlers/setup.py b/test_vector_handlers/setup.py index 9a89fb698..54d857db0 100644 --- a/test_vector_handlers/setup.py +++ b/test_vector_handlers/setup.py @@ -46,8 +46,6 @@ def get_requirements(): "License :: OSI Approved :: Apache Software License", "Programming Language :: Python", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.5", - "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", diff --git a/test_vector_handlers/test/aws-crypto-tools-test-vector-framework b/test_vector_handlers/test/aws-crypto-tools-test-vector-framework index 1779b438f..c3d73fae2 160000 --- a/test_vector_handlers/test/aws-crypto-tools-test-vector-framework +++ b/test_vector_handlers/test/aws-crypto-tools-test-vector-framework @@ -1 +1 @@ -Subproject commit 1779b438f23cb356d5cab7ca40068dcb827b4cb1 +Subproject commit c3d73fae260fd9e9cc9e746f09a7ffbab83576e2 diff --git a/test_vector_handlers/tox.ini b/test_vector_handlers/tox.ini index 10be9652d..643750cd2 100644 --- a/test_vector_handlers/tox.ini +++ b/test_vector_handlers/tox.ini @@ -2,9 +2,9 @@ envlist = # The test vectors depend on new features now, # so until release we can only effectively test the local version of the ESDK. - py{35,36,37,38,39,310}-awses_local, + py{37,38,39,310}-awses_local, # 1.2.0 and 1.2.max are being difficult because of attrs - bandit, doc8, readme, docs, + bandit, doc8, readme, {flake8,pylint}{,-tests}, # prone to false positives vulture 
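Review bot: The envlist here becomes `py{37,38,39,310}-awses_local`, while the root tox.ini in this same commit widens its envlist to `py{37,38,39,310,311,312}`; if the test-vector handler is meant to track the interpreters the SDK itself is tested on, the two lists should agree. If leaving 3.11 and 3.12 out is intentional, a comment such as `# 3.11/3.12 not yet in envlist: <reason>` next to the line would keep the gap from being read as an oversight, since setup.py still advertises 3.7+ and README now states "Python 3.7+".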
@@ -30,8 +30,6 @@ envlist = # Operational helper environments: # -# docs :: Builds Sphinx documentation. -# serve-docs :: Starts local webserver to serve built documentation. # build :: Builds source and wheel dist files. # test-release :: Builds dist files and uploads to testpypi pypirc profile. # release :: Builds dist files and uploads to pypi pypirc profile. @@ -110,7 +108,6 @@ commands = flake8 \ src/awses_test_vectors/ \ setup.py \ - #doc/conf.py \ {posargs} [testenv:flake8-tests] @@ -152,7 +149,6 @@ commands = black --line-length 120 \ src/awses_test_vectors/ \ setup.py \ - #doc/conf.py \ test/ \ {posargs} @@ -182,7 +178,6 @@ deps = -r../dev_requirements/linter-requirements.txt commands = isort -rc \ src \ test \ - #doc \ setup.py \ {posargs} @@ -204,7 +199,7 @@ commands = [testenv:doc8] basepython = python3 deps = -r../dev_requirements/linter-requirements.txt -commands = doc8 doc/index.rst README.rst CHANGELOG.rst +commands = doc8 README.rst [testenv:readme] basepython = python3 @@ -246,21 +241,6 @@ commands = {[testenv:flake8-tests]commands} {[testenv:pylint-tests]commands} -# Documentation -[testenv:docs] -basepython = python3 -deps = -rdoc/requirements.txt -commands = - sphinx-build -E -c doc/ -b html doc/ doc/build/html - -[testenv:serve-docs] -basepython = python3 -skip_install = true -changedir = doc/build/html -deps = -commands = - python -m http.server {posargs} - # Release tooling [testenv:park] basepython = python3 @@ -272,10 +252,8 @@ commands = python setup.py park basepython = python3 skip_install = true deps = - {[testenv:docs]deps} -r../dev_requirements/release-requirements.txt commands = - {[testenv:docs]commands} python setup.py sdist bdist_wheel [testenv:test-release] diff --git a/tox.ini b/tox.ini index d234dcd1f..aa1ea5325 100644 --- a/tox.ini +++ b/tox.ini 
@@ -1,6 +1,6 @@ [tox] envlist = - py{36,37,38,39,310}-{local,integ,accept,examples}, nocmk, + py{37,38,39,310,311,312}-{local,integ,accept,examples}, nocmk, bandit, doc8, readme, docs, {flake8,pylint}{,-tests,-examples}, isort-check, black-check, @@ -94,14 +94,14 @@ recreate = True deps = commands = {toxinidir}/test/freeze-upstream-requirements.sh -# Freeze for Python 3.7 -[testenv:freeze-upstream-requirements-py37] -basepython = python3.7 +# Freeze for Python 3.11 +[testenv:freeze-upstream-requirements-py311] +basepython = python3.11 sitepackages = {[testenv:freeze-upstream-requirements-base]sitepackages} skip_install = {[testenv:freeze-upstream-requirements-base]skip_install} recreate = {[testenv:freeze-upstream-requirements-base]recreate} deps = {[testenv:freeze-upstream-requirements-base]deps} -commands = {[testenv:freeze-upstream-requirements-base]commands} test/upstream-requirements-py37.txt +commands = {[testenv:freeze-upstream-requirements-base]commands} test/upstream-requirements-py311.txt # Test frozen upstream requirements [testenv:test-upstream-requirements-base] @@ -109,10 +109,10 @@ sitepackages = False recreate = True commands = {[testenv:base-command]commands} test/ -m local -# Test frozen upstream requirements for Python 3.7 -[testenv:test-upstream-requirements-py37] -basepython = python3.7 -deps = -rtest/upstream-requirements-py37.txt +# Test frozen upstream requirements for Python 3.11 +[testenv:test-upstream-requirements-py311] +basepython = python3.11 +deps = -rtest/upstream-requirements-py311.txt sitepackages = {[testenv:test-upstream-requirements-base]sitepackages} recreate = {[testenv:test-upstream-requirements-base]recreate} commands = {[testenv:test-upstream-requirements-base]commands}
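Review bot: The renamed `freeze-upstream-requirements-py311` and `test-upstream-requirements-py311` environments carry no explanation of who consumes the frozen pin file, even though `test/upstream.md`, added in this commit, states that pyca/cryptography runs downstream tests against it; tox.ini is where a maintainer regenerating the file will look first. A one-line pointer above the freeze section, `# See test/upstream.md: these pins are consumed by pyca/cryptography's downstream tests`, would make the purpose and the audience of the py311 file visible at the point of use. The same pointer would also make it clear that, although the envlist now reaches py312, a single 3.11 freeze is the intended scope rather than a file that was forgotten.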