add kms:ReEncrypt and tests

2019-08-27 20:24:57 -07:00 · 2019-08-27 20:24:57 -07:00 · 9ffb9d3d0a
commit 9ffb9d3d0a
parent d5ac5453b3
3 changed files with 79 additions and 0 deletions
--- a/tests/test_kms/test_kms.py
+++ b/tests/test_kms/test_kms.py
@ -840,6 +840,55 @@ def test_generate_data_key_without_plaintext_decrypt():
    assert "Plaintext" not in resp1


+@parameterized(PLAINTEXT_VECTORS)
+@mock_kms
+def test_re_encrypt_decrypt(plaintext):
+    client = boto3.client("kms", region_name="us-west-2")
+
+    key_1 = client.create_key(Description="key 1")
+    key_1_id = key_1["KeyMetadata"]["KeyId"]
+    key_1_arn = key_1["KeyMetadata"]["Arn"]
+    key_2 = client.create_key(Description="key 2")
+    key_2_id = key_2["KeyMetadata"]["KeyId"]
+    key_2_arn = key_2["KeyMetadata"]["Arn"]
+
+    encrypt_response = client.encrypt(
+        KeyId=key_1_id,
+        Plaintext=plaintext,
+        EncryptionContext={"encryption": "context"},
+    )
+
+    re_encrypt_response = client.re_encrypt(
+        CiphertextBlob=encrypt_response["CiphertextBlob"],
+        SourceEncryptionContext={"encryption": "context"},
+        DestinationKeyId=key_2_id,
+        DestinationEncryptionContext={"another": "context"},
+    )
+
+    # CiphertextBlob must NOT be base64-encoded
+    with assert_raises(Exception):
+        base64.b64decode(re_encrypt_response["CiphertextBlob"], validate=True)
+
+    re_encrypt_response["SourceKeyId"].should.equal(key_1_arn)
+    re_encrypt_response["KeyId"].should.equal(key_2_arn)
+
+    decrypt_response_1 = client.decrypt(
+        CiphertextBlob=encrypt_response["CiphertextBlob"],
+        EncryptionContext={"encryption": "context"},
+    )
+    decrypt_response_1["Plaintext"].should.equal(plaintext)
+    decrypt_response_1["KeyId"].should.equal(key_1_arn)
+
+    decrypt_response_2 = client.decrypt(
+        CiphertextBlob=re_encrypt_response["CiphertextBlob"],
+        EncryptionContext={"another": "context"},
+    )
+    decrypt_response_2["Plaintext"].should.equal(plaintext)
+    decrypt_response_2["KeyId"].should.equal(key_2_arn)
+
+    decrypt_response_1["Plaintext"].should.equal(decrypt_response_2["Plaintext"])
+
+
@mock_kms
 def test_enable_key_rotation_key_not_found():
    client = boto3.client("kms", region_name="us-east-1")