add kms:ReEncrypt and tests

2019-08-27 20:24:57 -07:00 · 2019-08-27 20:24:57 -07:00 · 9ffb9d3d0a
commit 9ffb9d3d0a
parent d5ac5453b3
3 changed files with 79 additions and 0 deletions
--- a/moto/kms/models.py
+++ b/moto/kms/models.py
@ -214,6 +214,17 @@ class KmsBackend(BaseBackend):
        arn = self.keys[key_id].arn
        return plaintext, arn

+    def re_encrypt(
+        self, ciphertext_blob, source_encryption_context, destination_key_id, destination_encryption_context
+    ):
+        plaintext, decrypting_arn = self.decrypt(
+            ciphertext_blob=ciphertext_blob, encryption_context=source_encryption_context
+        )
+        new_ciphertext_blob, encrypting_arn = self.encrypt(
+            key_id=destination_key_id, plaintext=plaintext, encryption_context=destination_encryption_context
+        )
+        return new_ciphertext_blob, decrypting_arn, encrypting_arn
+
    def generate_data_key(self, key_id, encryption_context, number_of_bytes, key_spec, grant_tokens):
        key_id = self.any_id_to_key_id(key_id)

--- a/moto/kms/responses.py
+++ b/moto/kms/responses.py
@ -260,6 +260,25 @@ class KmsResponse(BaseResponse):

        return json.dumps({"Plaintext": plaintext_response, 'KeyId': arn})

+    def re_encrypt(self):
+        ciphertext_blob = self.parameters.get("CiphertextBlob")
+        source_encryption_context = self.parameters.get("SourceEncryptionContext", {})
+        destination_key_id = self.parameters.get("DestinationKeyId")
+        destination_encryption_context = self.parameters.get("DestinationEncryptionContext", {})
+
+        new_ciphertext_blob, decrypting_arn, encrypting_arn = self.kms_backend.re_encrypt(
+            ciphertext_blob=ciphertext_blob,
+            source_encryption_context=source_encryption_context,
+            destination_key_id=destination_key_id,
+            destination_encryption_context=destination_encryption_context,
+        )
+
+        response_ciphertext_blob = base64.b64encode(new_ciphertext_blob).decode("utf-8")
+
+        return json.dumps(
+            {"CiphertextBlob": response_ciphertext_blob, "KeyId": encrypting_arn, "SourceKeyId": decrypting_arn}
+        )
+
    def disable_key(self):
        key_id = self.parameters.get('KeyId')
        _assert_valid_key_id(self.kms_backend.get_key_id(key_id))