feat: Adds the CachingMostRecentProvider. Deprecates MostRecentProvider.
Time-based key re-authorization logic in MostRecentProvider did not re-authorize
the use of the key after key usage permissions were changed at the key provider
(for example AWS Key Management Service). This created the potential for keys to
be used in the DynamoDB Encryption Client after permissions to do so were revoked.

The MostRecentProvider is deprecated. It is removed in 2.0.0. New deployments
should use the CachingMostRecentProvider, and existing deployments should upgrade
as soon as possible.

See https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/most-recent-provider.html#mrp-versions for more details.
farleyb-amazon committed Feb 4, 2021
1 parent f133fc2 commit 90606ec
Showing 47 changed files with 5,307 additions and 170 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.rst
@@ -2,6 +2,23 @@
Changelog
*********

1.3.0 -- 2021-02-04
===================
Adds the CachingMostRecentProvider and deprecates MostRecentProvider.

Time-based key reauthorization logic in MostRecentProvider did not reauthorize
the use of the key after key usage permissions were changed at the key provider
(for example AWS Key Management Service). This created the potential for keys
to be used in the DynamoDB Encryption Client after permissions to do so were revoked.

CachingMostRecentProvider replaces MostRecentProvider and provides a cache entry
TTL to reauthorize the key with the key provider.

MostRecentProvider is now deprecated, and is removed in 2.0.0. See
https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/most-recent-provider.html
for more details.


1.2.0 -- 2019-10-10
===================

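Review bot: the changelog entry drops the upgrade guidance that the commit message carries; since this is the text users will read in release notes, add the sentence that new deployments should use CachingMostRecentProvider and existing deployments should upgrade as soon as possible, and link to the same `#mrp-versions` anchor the commit message uses so readers land on the version comparison rather than the top of the page. The entry also says the new provider "provides a cache entry TTL to reauthorize the key" without saying whether that TTL has a default or must be configured; a one-line hint on how to set it would let operators check that a revocation at the key provider takes effect within the window they expect.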
6 changes: 3 additions & 3 deletions examples/src/most_recent_provider_encrypted_table.py
@@ -10,14 +10,14 @@
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
"""Example showing use of MostRecentProvider backed by a MetaStore using an AWS KMS CMP, with EncryptedTable."""
"""Example showing use of CachingMostRecentProvider backed by a MetaStore using an AWS KMS CMP, with EncryptedTable."""
import boto3
from boto3.dynamodb.types import Binary

from dynamodb_encryption_sdk.encrypted.table import EncryptedTable
from dynamodb_encryption_sdk.identifiers import CryptoAction
from dynamodb_encryption_sdk.material_providers.aws_kms import AwsKmsCryptographicMaterialsProvider
from dynamodb_encryption_sdk.material_providers.most_recent import MostRecentProvider
from dynamodb_encryption_sdk.material_providers.most_recent import CachingMostRecentProvider
from dynamodb_encryption_sdk.material_providers.store.meta import MetaStore
from dynamodb_encryption_sdk.structures import AttributeActions

@@ -47,7 +47,7 @@ def encrypt_item(table_name, aws_cmk_id, meta_table_name, material_name):
# Create a meta store using the AWS KMS crypto materials provider.
meta_store = MetaStore(table=meta_table, materials_provider=aws_kms_cmp)
# Create a most recent provider using the meta store.
most_recent_cmp = MostRecentProvider(
most_recent_cmp = CachingMostRecentProvider(
provider_store=meta_store,
material_name=material_name,
version_ttl=600.0, # Check for a new material version every five minutes.
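Review bot: the trailing comment on `version_ttl=600.0` is wrong, 600 seconds is ten minutes, not five, so either the value or the comment should change (for example `version_ttl=300.0,  # Check for a new material version every five minutes.`). Separately, the changelog describes a cache entry TTL that reauthorizes the key with the key provider, yet the example only sets `version_ttl`; if CachingMostRecentProvider exposes a separate setting for that reauthorization interval, the example should set it explicitly and comment on what each value controls, because the point of this fix is that a revocation at KMS is honoured within a bounded time and the example is where users will copy their configuration from. The comment on the line above, "Create a most recent provider using the meta store", could also name the caching provider so readers are not pointed at the deprecated class.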
1 change: 1 addition & 0 deletions setup.cfg
@@ -21,6 +21,7 @@ markers =
integ: mark a test as an integration test (requires network access)
ddb_integ: mark a test as an integration test that requires a real DynamoDB table (requires network access and not used in CI)
accept: mark a test as an acceptance test (requires network access)
generate: mark a test as a generator of test vectors (requires network access)
examples: mark a test as an examples test (requires network access)
hypothesis: mark a test as using hypothesis (will run many times for each pytest call)
hypothesis_strategy: mark a test as testing a hypothesis strategy
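Review bot: the new `generate` marker is described as requiring network access, but nothing in this diff shows it being deselected from the default test run; confirm that the CI pytest selection (not part of this diff) excludes `generate` alongside the other network-access markers such as `integ`, `accept` and `examples`, otherwise a plain test run will try to reach AWS to regenerate vectors. It would also help to state in the description where the generated vectors are written, since a generator that overwrites checked-in fixtures is easy to run by accident.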
2 changes: 1 addition & 1 deletion src/dynamodb_encryption_sdk/identifiers.py
@@ -14,7 +14,7 @@
from enum import Enum

__all__ = ("LOGGER_NAME", "CryptoAction", "EncryptionKeyType", "KeyEncodingType")
__version__ = "1.2.0"
__version__ = "1.3.0"

LOGGER_NAME = "dynamodb_encryption_sdk"
USER_AGENT_SUFFIX = "DynamodbEncryptionSdkPython/{}".format(__version__)
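Review bot: the bump to 1.3.0 matches the CHANGELOG entry and flows into `USER_AGENT_SUFFIX`, so nothing more is needed in this file; but given the commit message says MostRecentProvider is removed in 2.0.0, make sure the deprecated class itself emits a `DeprecationWarning` when it is constructed (in the most_recent module, which is not shown in this excerpt) so that existing deployments see the notice at runtime and not only in the release notes.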