From 85156f59396a85e83e83200c9df41b66d6f82b68 Mon Sep 17 00:00:00 2001
From: Bert Blommers
Date: Fri, 8 Dec 2023 20:58:49 -0100
Subject: [PATCH] KMS: encrypt() now validates payloads that are too large (#7102)
---
 moto/kms/utils.py | 4 ++++
 tests/test_kms/__init__.py | 29 ++++++++++++++++++++++++++++-
 tests/test_kms/test_kms_encrypt.py | 25 ++++++++++++++++++++++---
 3 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/moto/kms/utils.py b/moto/kms/utils.py
index 4e75276115dd..0d63d052c38d 100644
--- a/moto/kms/utils.py
+++ b/moto/kms/utils.py
@@ -379,6 +379,10 @@ def encrypt(
 raise ValidationException(
 "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
 )
+ if len(plaintext) > 4096:
+ raise ValidationException(
+ "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096"
+ )
 iv = os.urandom(IV_LEN)
 aad = _serialize_encryption_context(encryption_context=encryption_context)
diff --git a/tests/test_kms/__init__.py b/tests/test_kms/__init__.py
index 08a1c1568c9c..b52dd9f4e683 100644
--- a/tests/test_kms/__init__.py
+++ b/tests/test_kms/__init__.py
@@ -1 +1,28 @@
-# This file is intentionally left blank.
+import os
+from functools import wraps
+
+from moto import mock_kms
+
+
+def kms_aws_verified(func):
+ """
+ Function that is verified to work against AWS.
+ Can be run against AWS at any time by setting:
+ MOTO_TEST_ALLOW_AWS_REQUEST=true
+
+ If this environment variable is not set, the function runs in a `mock_kms` context.
+ """
+
+ @wraps(func)
+ def pagination_wrapper():
+ allow_aws_request = (
+ os.environ.get("MOTO_TEST_ALLOW_AWS_REQUEST", "false").lower() == "true"
+ )
+
+ if allow_aws_request:
+ return func()
+ else:
+ with mock_kms():
+ return func()
+
+ return pagination_wrapper
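Review bot: The 4096 limit in the check added to `encrypt` is a bare literal that is repeated in the error string, and nothing states which unit it counts. `len(plaintext)` only enforces a byte limit if `plaintext` is `bytes` at this point; the test in this commit passes `b"x" * 4097`, but the signature is outside the hunk, so that is an assumption to confirm. I would add a comment above the check, `# Mirrors the plaintext size limit the real Encrypt call enforces; plaintext is expected to be bytes, so len() counts bytes`, and consider a named constant next to `IV_LEN` instead of the literal. The body of `encrypt` starts and ends outside this hunk.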
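Review bot: The inner function of `kms_aws_verified` is declared as `def pagination_wrapper():` and calls `func()` with no arguments, so the decorator cannot be applied to a test that takes fixtures or `parametrize` arguments; pytest would pass them by keyword and the call would raise a TypeError. Forwarding the arguments avoids that: `def wrapper(*args, **kwargs):` with `return func(*args, **kwargs)` in both branches. The name `pagination_wrapper` also looks carried over from another module and says nothing about KMS. Because `MOTO_TEST_ALLOW_AWS_REQUEST=true` sends every call to whatever account the ambient credentials resolve to, the docstring should state that the decorated tests then create real keys.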
diff --git a/tests/test_kms/test_kms_encrypt.py b/tests/test_kms/test_kms_encrypt.py
index 4454330f4fbe..1ad83cffd896 100644
--- a/tests/test_kms/test_kms_encrypt.py
+++ b/tests/test_kms/test_kms_encrypt.py
@@ -6,13 +6,15 @@
 from moto import mock_kms
+from . import kms_aws_verified
 from .test_kms_boto3 import PLAINTEXT_VECTORS, _get_encoded_value
-@mock_kms
-def test_create_key_with_empty_content():
+@pytest.mark.aws_verified
+@kms_aws_verified
+def test_encrypt_key_with_empty_content():
 client_kms = boto3.client("kms", region_name="ap-northeast-1")
- metadata = client_kms.create_key(Policy="my policy")["KeyMetadata"]
+ metadata = client_kms.create_key()["KeyMetadata"]
 with pytest.raises(ClientError) as exc:
 client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext="")
 err = exc.value.response["Error"]
@@ -21,6 +23,23 @@ def test_create_key_with_empty_content():
 err["Message"]
 == "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
 )
+ client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)
+
+
+@pytest.mark.aws_verified
+@kms_aws_verified
+def test_encrypt_key_with_large_content():
+ client_kms = boto3.client("kms", region_name="ap-northeast-1")
+ metadata = client_kms.create_key()["KeyMetadata"]
+ with pytest.raises(ClientError) as exc:
+ client_kms.encrypt(KeyId=metadata["KeyId"], Plaintext=b"x" * 4097)
+ err = exc.value.response["Error"]
+ assert err["Code"] == "ValidationException"
+ assert (
+ err["Message"]
+ == "1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096"
+ )
+ client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)
 @pytest.mark.parametrize("plaintext", PLAINTEXT_VECTORS)
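Review bot: In both `test_encrypt_key_with_empty_content` (its cleanup line is the first addition of the second hunk) and `test_encrypt_key_with_large_content`, `schedule_key_deletion` is the last statement, so it is skipped whenever an assertion above it fails. Under the mock that is harmless, but with `MOTO_TEST_ALLOW_AWS_REQUEST=true` a failing run leaves a live KMS key behind in the account. Wrapping everything after `create_key()` in `try:` and moving `client_kms.schedule_key_deletion(KeyId=metadata["KeyId"], PendingWindowInDays=7)` into `finally:` makes the cleanup unconditional. The new test also exercises only 4097 bytes; a case asserting that exactly 4096 bytes encrypts would pin the boundary of the `>` comparison, unless `PLAINTEXT_VECTORS` already covers it.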