Add KMS ReEncrypt Operation #12637
Add KMS ReEncrypt Operation #12637
Conversation
test: first re-encrypt integration test
|
All contributors have signed the CLA ✍️ ✅ |
There was a problem hiding this comment.
Welcome to LocalStack! Thanks for raising your first Pull Request and landing in your contributions. Our team will reach out with any reviews or feedbacks that we have shortly. We recommend joining our Slack Community and share your PR on the #community channel to share your contributions with us. Please make sure you are following our contributing guidelines and our Code of Conduct.
|
I have read the CLA Document and I hereby sign the CLA |
|
recheck |
| @@ -954,8 +954,29 @@ def re_encrypt( | |||
| dry_run: NullableBooleanType = None, | |||
| **kwargs, | |||
| ) -> ReEncryptResponse: | |||
| # TODO: when implementing, ensure cross-account support for source_key_id and destination_key_id | |||
There was a problem hiding this comment.
Please leave this TODO comment, it will help future multi-accounts work
tests/aws/services/kms/test_kms.py
Outdated
| ], | ||
| ) | ||
| @markers.aws.validated | ||
| def test_re_encript(self, kms_create_key, key_spec, algo, aws_client): |
There was a problem hiding this comment.
Nitpick: typo
| def test_re_encript(self, kms_create_key, key_spec, algo, aws_client): | |
| def test_re_encrypt(self, kms_create_key, key_spec, algo, aws_client): |
| "HTTPStatusCode": 200 | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
This file is generated by the snapshot fixture, but it's not used in the test.
Could you have mistakenly removed it?
There was a problem hiding this comment.
Yes, I removed the snapshot check by mistake during one of my tests. It's been restored.
There was a problem hiding this comment.
Great work on implementing the ReEncrypt operation for KMS! 🚀
I just have few suggestions to further enhance the parity with AWS by adding a check for verifying the KeyUsage. Once that’s in place, we can do a quick re-review and move forward with merging the PR 🎉 Thank you 🙌
| "tests/aws/services/kms/test_kms.py::TestKMS::test_re_encript[RSA_2048-RSAES_OAEP_SHA_256]": { | ||
| "last_validated_date": "2025-05-19T07:54:40+00:00" | ||
| }, | ||
| "tests/aws/services/kms/test_kms.py::TestKMS::test_re_encript[SYMMETRIC_DEFAULT-SYMMETRIC_DEFAULT]": { | ||
| "last_validated_date": "2025-05-19T07:54:39+00:00" | ||
| }, |
There was a problem hiding this comment.
comment: Probably a leftover from testing, we should remove this.
There was a problem hiding this comment.
You are right, it's been removed.
| account_id, region_name, source_key_id = self._parse_key_id(source_key_id, context) | ||
| source_key = self._get_kms_key(account_id, region_name, source_key_id) | ||
| # Decrypt using source key | ||
| decrypt_response = self.decrypt( |
There was a problem hiding this comment.
suggestion: It would be great to add a check to ensure that both the source and destination keys have KeyUsage set to ENCRYPT_DECRYPT.
This aligns with AWS KMS behaviour, which restricts ReEncrypt, Encrypt, and Decrypt operations to keys explicitly configured for encryption and decryption. Attempting to use invalid keys with other usages should raise an exception similar to AWS.
Adding this validation would improve spec compliance and provide clearer feedback to users if they accidentally use a key with an incompatible purpose.
Let me know if you'd like help drafting the validation logic or a corresponding test case!
There was a problem hiding this comment.
Thank you for your review @sannya-singal. That sounds like a good idea 😁. I'll get that pushed throughout the day.
There was a problem hiding this comment.
Regarding the validation @sannya-singal
When looking at the code again, I realised the KeyUsage check already happens in both the Encrypt and Decrypt operations. So I think adding the check again before the invocation would be redundant.
On the other hand, I've added tests for these two scenarios as I didn't find any for the already existing Encrypt and Decrypt operations. However, two remarks:
test_re_encrypt_incorrect_source_key: Since thecipher text's keyis verified before validating the key usage, I could only test forIncorrectKeyException. Unsure if there's another way to test forInvalidKeyUsageException.test_re_encrypt_invalid_destination_key: I had to disable the snapshot check as I'm not quite sure where theReEncryptTooperation name is coming from.
Thank you!
Motivation
I'm creating this PR to add the implementation for the KMS ReEncrypt operation.
Changes
Adds an implementation for KMS ReEncrypt operation, based on the already existing Encrypt and Decrypt operations,
Testing
The changes have been covered by integration & AWS parity tests.
Optionally, the ReEncrypt operation can be tested using the below aws cli command