fix: validate encryption materials from cmm are compatible with commitment policy

josecorella · josecorella · commit 4734c5612ded · 2026-03-27T12:32:14.000-07:00
diff --git a/src/aws_encryption_sdk/streaming_client.py b/src/aws_encryption_sdk/streaming_client.py
@@ -553,6 +553,8 @@ def _prep_message(self):
             request=encryption_materials_request
         )
 
+        validate_commitment_policy_on_encrypt(self.config.commitment_policy, self._encryption_materials.algorithm)
+
         if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm:
             raise ActionNotAllowedError(
                 (
diff --git a/test/functional/test_f_commitment.py b/test/functional/test_f_commitment.py
@@ -234,7 +234,7 @@ def test_encrypt_with_different_kc_clients_sharing_materials_yield_error():
         commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
     )
     required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient(
-        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
+        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
     )
     
     provider = StaticRawMasterKeyProvider(
@@ -250,7 +250,6 @@ def test_encrypt_with_different_kc_clients_sharing_materials_yield_error():
     plaintext = b"Yellow Submarine"
 
     ciphertext, _ = forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)
-    ciphertext2, _ = required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)
     with pytest.raises(ActionNotAllowedError) as excinfo:
         required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)
     excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only committed messages")

Original file line number	Diff line number	Diff line change
`@@ -553,6 +553,8 @@ def _prep_message(self):`
`553`	`553`	`request=encryption_materials_request`
`554`	`554`	`)`
`555`	`555`
	`556`	`+ validate_commitment_policy_on_encrypt(self.config.commitment_policy, self._encryption_materials.algorithm)`
	`557`	`+`
`556`	`558`	`if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm:`
`557`	`559`	`raise ActionNotAllowedError(`
`558`	`560`	`(`
Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ def test_encrypt_with_different_kc_clients_sharing_materials_yield_error():`
`234`	`234`	`commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT`
`235`	`235`	`)`
`236`	`236`	`required_encrypting_client = aws_encryption_sdk.EncryptionSDKClient(`
`237`		`- commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT`
	`237`	`+ commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT`
`238`	`238`	`)`
`239`	`239`
`240`	`240`	`provider = StaticRawMasterKeyProvider(`
`@@ -250,7 +250,6 @@ def test_encrypt_with_different_kc_clients_sharing_materials_yield_error():`
`250`	`250`	`plaintext = b"Yellow Submarine"`
`251`	`251`
`252`	`252`	`ciphertext, _ = forbid_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)`
`253`		`- ciphertext2, _ = required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)`
`254`	`253`	`with pytest.raises(ActionNotAllowedError) as excinfo:`
`255`	`254`	`required_encrypting_client.encrypt(source=plaintext, materials_manager=ccmm)`
`256`	`255`	`excinfo.match("Configuration conflict. Cannot encrypt due to .* requiring only committed messages")`