add vice versa test

josecorella · josecorella · commit 2c6bd076976d · 2026-03-31T13:19:46.000-07:00
diff --git a/test/functional/test_f_commitment.py b/test/functional/test_f_commitment.py
@@ -227,9 +227,9 @@ def test_encrypt_with_uncommitting_algorithm_require_decrypt():
     excinfo.match("Configuration conflict. Cannot decrypt due to .* requiring only committed messages")
 
 
-def test_encrypt_with_different_kc_clients_sharing_materials_yield_error():
-    """Tests that when two different client configured with CommitmentPolicy REQUIRE_ENCRYPT_REQUIRE_DECRYPT
-    and FORBID_ENCRYPT_ALLOW_DECRYPT share encryption materials client errors out due to conflicting commitment policies."""
+def test_encrypt_with_require_policy_fail_when_retrieving_invalid_cmm_materials():
+    """Tests that when a client with a require policy shares a cache with a client with a forbid policy
+    an error gets thrown due to invalid materials retrieved from cmm"""
     forbid_encrypting_client = aws_encryption_sdk.EncryptionSDKClient(
         commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
     )
@@ -254,3 +254,30 @@ def test_encrypt_with_different_kc_clients_sharing_materials_yield_error():
         required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)
     excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only committed messages")
 
+
+def test_encrypt_with_forbid_policy_fail_when_retrieving_invalid_cmm_materials():
+    """Tests that when a client with a forbid policy shares a cache with a client with a require policy
+    an error gets thrown due to invalid materials retrieved from cmm"""
+    forbid_encrypting_client = aws_encryption_sdk.EncryptionSDKClient(
+        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+    )
+    required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient(
+        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+    )
+    
+    provider = StaticRawMasterKeyProvider(
+        wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
+        encryption_key_type=EncryptionKeyType.SYMMETRIC,
+        key_bytes=b"\00" * 32,
+    )
+    provider.add_master_key("KeyId")
+    cache = aws_encryption_sdk.LocalCryptoMaterialsCache(capacity=10)
+    ccmm = aws_encryption_sdk.CachingCryptoMaterialsManager(
+        master_key_provider=provider, cache=cache, max_age=3600.0, max_messages_encrypted=5
+    )
+    plaintext = b"Yellow Submarine"
+
+    ciphertext, _ = required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)
+    with pytest.raises(ActionNotAllowedError) as excinfo:
+        forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)
+    excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only non-committed messages.")
