"""Unit tests for kms-supported APIs."""
import base64
import boto3
import pytest
from moto import mock_aws
# See our Development Tips on writing tests for hints on how to write good tests:
# http://docs.getmoto.org/en/latest/docs/contributing/development_tips/tests.html
def create_hmac_key() -> str:
    """Create an HMAC_512 key usable for MAC generation/verification.

    The tests in this file call this helper from inside a ``@mock_aws``
    decorated function, so the key is created against the mocked KMS
    endpoint in ``eu-central-1``.

    Returns:
        The ``KeyId`` of the newly created key.
    """
    kms = boto3.client("kms", region_name="eu-central-1")
    created = kms.create_key(
        KeyUsage="GENERATE_VERIFY_MAC", KeySpec="HMAC_512", Policy="My Policy"
    )
    return created["KeyMetadata"]["KeyId"]
@mock_aws
def test_generate_mac():
    """GenerateMac on an HMAC key returns a MAC and echoes key id and algorithm."""
    # Arrange
    hmac_key_id = create_hmac_key()
    kms = boto3.client("kms", region_name="eu-central-1")
    # NOTE(review): boto3 serialises blob parameters itself, so the bytes
    # being authenticated are presumably the base64 text, not b"Hello World".
    payload = base64.b64encode(b"Hello World")

    # Act
    response = kms.generate_mac(
        KeyId=hmac_key_id, MacAlgorithm="HMAC_SHA_512", Message=payload
    )

    # Assert
    # Only the presence of the MAC is checked here, not its value.
    assert "Mac" in response
    assert response["KeyId"] == hmac_key_id
    assert response["MacAlgorithm"] == "HMAC_SHA_512"
@mock_aws
def test_generate_fails_for_non_existent_key():
    """GenerateMac with an unknown KeyId raises NotFoundException."""
    # Arrange
    kms = boto3.client("kms", region_name="eu-central-1")
    request = {
        "KeyId": "some-key",  # never created in this mocked account
        "MacAlgorithm": "HMAC_SHA_512",
        "Message": base64.b64encode(b"Hello World"),
    }

    # Act + Assert
    with pytest.raises(kms.exceptions.NotFoundException):
        kms.generate_mac(**request)
@mock_aws
def test_generate_fails_for_invalid_key_usage():
    """A key whose KeyUsage is ENCRYPT_DECRYPT must be refused for GenerateMac.

    The key spec is HMAC_512, so only the declared usage is wrong; the call
    is expected to raise InvalidKeyUsageException.
    """
    # Arrange
    kms = boto3.client("kms", region_name="eu-central-1")
    # NOTE(review): real KMS may reject this KeyUsage/KeySpec pair already at
    # create_key; the test relies on the mock accepting it. Confirm.
    created = kms.create_key(
        KeyUsage="ENCRYPT_DECRYPT", KeySpec="HMAC_512", Policy="My Policy"
    )
    wrong_usage_key_id = created["KeyMetadata"]["KeyId"]
    request = {
        "KeyId": wrong_usage_key_id,
        "MacAlgorithm": "HMAC_SHA_512",
        "Message": base64.b64encode(b"Hello World"),
    }

    # Act + Assert
    with pytest.raises(kms.exceptions.InvalidKeyUsageException):
        kms.generate_mac(**request)
@mock_aws
def test_generate_fails_for_invalid_key_spec():
    """A non-HMAC key spec (RSA_2048) must be refused for GenerateMac.

    The key is declared with GENERATE_VERIFY_MAC usage, so only the spec is
    wrong. The expected error is still InvalidKeyUsageException, the same
    exception type the wrong-usage test expects.
    """
    # Arrange
    kms = boto3.client("kms", region_name="eu-central-1")
    created = kms.create_key(
        KeyUsage="GENERATE_VERIFY_MAC", KeySpec="RSA_2048", Policy="My Policy"
    )
    rsa_key_id = created["KeyMetadata"]["KeyId"]
    request = {
        "KeyId": rsa_key_id,
        "MacAlgorithm": "HMAC_SHA_512",
        "Message": base64.b64encode(b"Hello World"),
    }

    # Act + Assert
    with pytest.raises(kms.exceptions.InvalidKeyUsageException):
        kms.generate_mac(**request)
@mock_aws
def test_verify_mac():
    """A MAC verifies under the same key, algorithm and message that produced it."""
    # Arrange
    hmac_key_id = create_hmac_key()
    kms = boto3.client("kms", region_name="eu-central-1")
    generated = kms.generate_mac(
        KeyId=hmac_key_id,
        MacAlgorithm="HMAC_SHA_512",
        Message=base64.b64encode(b"Hello World"),
    )
    tag = generated["Mac"]

    # Act
    # The message is re-encoded here instead of being reused, so the check
    # covers equal content rather than the same bytes object.
    verification = kms.verify_mac(
        KeyId=hmac_key_id,
        MacAlgorithm="HMAC_SHA_512",
        Message=base64.b64encode(b"Hello World"),
        Mac=tag,
    )

    # Assert
    assert verification["KeyId"] == hmac_key_id
    assert verification["MacAlgorithm"] == "HMAC_SHA_512"
    # `is True` pins a real boolean, not merely a truthy value.
    assert verification["MacValid"] is True
@mock_aws
def test_verify_mac_fails_for_another_key_id():
    """A MAC produced under one HMAC key must not verify under a different key.

    Both keys share the same spec and usage, so the key material is the only
    difference. Failure is expected as KMSInvalidMacException, not as a
    response with ``MacValid`` set to False.
    """
    # Arrange
    signing_key_id = create_hmac_key()
    unrelated_key_id = create_hmac_key()
    kms = boto3.client("kms", region_name="eu-central-1")
    generated = kms.generate_mac(
        KeyId=signing_key_id,
        MacAlgorithm="HMAC_SHA_512",
        Message=base64.b64encode(b"Hello World"),
    )
    tag = generated["Mac"]
    verify_request = {
        "KeyId": unrelated_key_id,
        "MacAlgorithm": "HMAC_SHA_512",
        "Message": base64.b64encode(b"Hello World"),
        "Mac": tag,
    }

    # Act + Assert
    # NOTE(review): no case for a modified message or modified MAC under the
    # same key is visible in this part of the file.
    with pytest.raises(kms.exceptions.KMSInvalidMacException):
        kms.verify_mac(**verify_request)