feat: Updates to the AWS Encryption SDK.

This change includes fixes for issues that were reported by Thai Duong from Google's Security team, and for issues that were identified by AWS Cryptography.

See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migration.html

Author: scottarc

README.rst

@@ -47,7 +47,7 @@ Required Prerequisites
 ======================
 
 * Python 2.7+ or 3.4+
-* aws-encryption-sdk >= 1.3.2
+* aws-encryption-sdk >= 1.7.0
 
 Installation
 ============
@@ -215,40 +215,40 @@ must accept all arguments as prepared. See `Advanced Configuration`_ for more in
 
 Multiple master keys can be defined using multiple instances of the ``key`` argument.
 
-Multiple master key providers can be defined using multiple ``--master-keys`` groups.
+Multiple master key providers can be defined using multiple ``--wrapping-keys`` groups.
 
 If multiple master key providers are defined, the first one is treated as the primary.
 
 If multiple master keys are defined in the primary master key provider, the first one is treated
 as the primary. The primary master key is used to generate the data key.
 
-The below logic is used to construct all master key providers. We use ``KMSMasterKeyProvider``
-as an example.
+The below logic is used to construct all master key providers. We use
+``DiscoveryAwsKmsMasterKeyProvider`` as an example.
 
 .. code-block:: python
 
    # With parameters:
-   --master-keys provider=aws-kms key=$KEY_1 key=$KEY_2
+   --wrapping-keys provider=aws-kms key=$KEY_1 key=$KEY_2
 
    # KMSMasterKeyProvider is called as:
-   key_provider = KMSMasterKeyProvider()
+   key_provider = DiscoveryAwsKmsMasterKeyProvider()
    key_provider.add_master_key($KEY_1)
    key_provider.add_master_key($KEY_2)
 
 .. code-block:: sh
 
    # Single KMS CMK
-   --master-keys provider=aws-kms key=$KEY_ARN_1
+   --wrapping-keys provider=aws-kms key=$KEY_ARN_1
 
    # Two KMS CMKs
-   --master-keys provider=aws-kms key=$KEY_ARN_1 key=$KEY_ARN_2
+   --wrapping-keys provider=aws-kms key=$KEY_ARN_1 key=$KEY_ARN_2
 
    # KMS Alias by name in default region
-   --master-keys provider=aws-kms key=$ALIAS_NAME
+   --wrapping-keys provider=aws-kms key=$ALIAS_NAME
 
    # KMS Alias by name in two specific regions
-   --master-keys provider=aws-kms key=$ALIAS_NAME region=us-west-2
-   --master-keys provider=aws-kms key=$ALIAS_NAME region=eu-central-1
+   --wrapping-keys provider=aws-kms key=$ALIAS_NAME region=us-west-2
+   --wrapping-keys provider=aws-kms key=$ALIAS_NAME region=eu-central-1
 
 AWS KMS
 ```````
@@ -518,6 +518,12 @@ Execution
                            provider identifier and identifiers for one or more
                            master key supplied by that provider. ex: --master-
                            keys provider=aws-kms key=$AWS_KMS_KEY_ARN
+     -w WRAPPING_KEYS [WRAPPING_KEYS ...], --wrapping-keys WRAPPING_KEYS [WRAPPING_KEYS ...]
+                           Identifying information for a master key provider and
+                           master keys. Each instance must include a master key
+                           provider identifier and identifiers for one or more
+                           master key supplied by that provider. ex: --wrapping-
+                           keys provider=aws-kms key=$AWS_KMS_KEY_ARN
      --caching CACHING [CACHING ...]
                            Configuration options for a caching cryptographic
                            materials manager and local cryptographic materials

requirements.txt

@@ -1,4 +1,4 @@
 base64io>=1.0.1
-aws-encryption-sdk>=1.3.2
+aws-encryption-sdk>=1.7.0
 setuptools
 attrs>=17.1.0

src/aws_encryption_sdk_cli/__init__.py

@@ -19,10 +19,11 @@
 from argparse import Namespace  # noqa pylint: disable=unused-import
 
 import aws_encryption_sdk
+from aws_encryption_sdk.materials_managers import CommitmentPolicy
 from aws_encryption_sdk.materials_managers.base import CryptoMaterialsManager  # noqa pylint: disable=unused-import
 
 from aws_encryption_sdk_cli.exceptions import AWSEncryptionSDKCLIError, BadUserArgumentError
-from aws_encryption_sdk_cli.internal.arg_parsing import parse_args
+from aws_encryption_sdk_cli.internal.arg_parsing import CommitmentPolicyArgs, parse_args
 from aws_encryption_sdk_cli.internal.identifiers import __version__  # noqa
 from aws_encryption_sdk_cli.internal.io_handling import IOHandler, output_filename
 from aws_encryption_sdk_cli.internal.logging_utils import LOGGER_NAME, setup_logger
@@ -164,6 +165,14 @@ def process_cli_request(stream_args, parsed_args):
     )
     _catch_bad_stdin_stdout_requests(parsed_args.input, parsed_args.output)
 
+    if not parsed_args.commitment_policy:
+        commitment_policy = CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+    elif parsed_args.commitment_policy == CommitmentPolicyArgs.forbid_encrypt_allow_decrypt:
+        commitment_policy = CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+    else:
+        _LOGGER.warning("Invalid commitment policy: %s", parsed_args.commitment_policy)
+        commitment_policy = CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+
     handler = IOHandler(
         metadata_writer=parsed_args.metadata_output,
         interactive=parsed_args.interactive,
@@ -172,6 +181,7 @@ def process_cli_request(stream_args, parsed_args):
         encode_output=parsed_args.encode,
         required_encryption_context=parsed_args.encryption_context,
         required_encryption_context_keys=parsed_args.required_encryption_context_keys,
+        commitment_policy=commitment_policy,
     )
 
     if parsed_args.input == "-":
@@ -230,6 +240,11 @@ def stream_kwargs_from_args(args, crypto_materials_manager):
         if args.frame_length is not None:
             stream_args["frame_length"] = args.frame_length
 
+    if not args.commitment_policy:
+        stream_args["commitment_policy"] = CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+    elif args.commitment_policy == CommitmentPolicyArgs.forbid_encrypt_allow_decrypt:
+        stream_args["commitment_policy"] = CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+
     if args.max_length is not None:
         stream_args["max_body_length"] = args.max_length
     return stream_args
@@ -250,11 +265,17 @@ def cli(raw_args=None):
         _LOGGER.debug("Encryption source: %s", args.input)
         _LOGGER.debug("Encryption destination: %s", args.output)
         _LOGGER.debug("Master key provider configuration: %s", args.master_keys)
+        _LOGGER.debug("Discovery mode: %r", args.discovery)
         _LOGGER.debug("Suffix requested: %s", args.suffix)
 
-        crypto_materials_manager = build_crypto_materials_manager_from_args(
-            key_providers_config=args.master_keys, caching_config=args.caching
-        )
+        if args.wrapping_keys is not None:
+            crypto_materials_manager = build_crypto_materials_manager_from_args(
+                key_providers_config=args.wrapping_keys, caching_config=args.caching
+            )
+        else:
+            crypto_materials_manager = build_crypto_materials_manager_from_args(
+                key_providers_config=args.master_keys, caching_config=args.caching
+            )
 
         stream_args = stream_kwargs_from_args(args, crypto_materials_manager)