feat(xtest): add extended crypto mechanism tests and key fixtures

[dmihalcik-virtru]

Summary

• Add key fixtures for EC secp384r1, EC secp521r1, and RSA 4096
• Add attribute_allof_with_extended_mechanisms and related fixtures
• Add test_key_mapping_extended_mechanisms and related ABAC tests for multi-mechanism encryption

Parent PRs

• chore(xtest): update pyright and reorder dev dependencies #405 (chore/xtest-dev-deps)

Test plan

• cd xtest && uv run ruff check . && uv run pyright
• With platform: uv run pytest test_abac.py --sdks go -v --no-audit-logs

🤖 Generated with Claude Code

Part of stacked PR series decomposing chore/the-claudiest-day-tmux

[gemini-code-assist]

Summary of Changes

Hello @dmihalcik-virtru, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the xtest suite by introducing comprehensive testing for extended cryptographic mechanisms. It provides new key fixtures for various EC and RSA algorithms, along with an attribute fixture to manage these keys. The core impact is the addition of new ABAC tests that validate multi-mechanism encryption and decryption, ensuring the platform's robustness and compatibility with a broader range of cryptographic standards.

Highlights

• New Key Fixtures: Added pytest fixtures for creating and managing EC secp256r1, EC secp384r1, EC secp521r1, and RSA 4096 cryptographic keys within the test environment.
• Extended Mechanism Attribute Fixture: Introduced a new pytest fixture, attribute_allof_with_extended_mechanisms, which creates an ABAC attribute and assigns the newly added extended mechanism keys to its values, facilitating multi-mechanism encryption testing.
• New ABAC Tests: Implemented test_key_mapping_extended_mechanisms and related tests to verify encryption and decryption functionality using a combination of EC secp384r1, EC secp521r1, and RSA 4096 key types, ensuring support for these extended cryptographic mechanisms.
• Dependency Update: Updated the pyright development dependency to a newer version (>=1.1.408) in pyproject.toml and uv.lock.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• xtest/fixtures/keys.py
  • Added key_e256 fixture for EC secp256r1 managed keys.
  • Added key_e384 fixture for EC secp384r1 managed keys.
  • Added key_e521 fixture for EC secp521r1 managed keys.
  • Added key_r2048 fixture for RSA 2048 managed keys.
  • Added key_r4096 fixture for RSA 4096 managed keys.
  • Added attribute_allof_with_extended_mechanisms fixture to create an attribute with values assigned to extended mechanism keys.
• xtest/pyproject.toml
  • Updated the pyright development dependency version from >=1.1.380 to >=1.1.408.
• xtest/test_abac.py
  • Added test_key_mapping_extended_mechanisms to test encryption/decryption with multiple extended cryptographic mechanisms.
  • Added test_key_mapping_extended_ec_mechanisms to specifically test extended EC mechanisms.
  • Added test_key_mapping_extended_rsa_mechanisms to specifically test extended RSA mechanisms.
• xtest/uv.lock
  • Updated the locked version of pyright to reflect the new dependency requirement.

Activity

• The pull request was created by dmihalcik-virtru.
• The pull request is part of a stacked PR series decomposing chore/the-claudiest-day-tmux.
• The pull request depends on #405 (chore/xtest-dev-deps).
• The author provided a test plan including ruff check, pyright, and pytest commands.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces new tests for extended cryptographic mechanisms and adds corresponding key fixtures. The changes are well-structured, but there are opportunities to improve code maintainability by reducing duplication in both the new fixtures and tests. I've also identified a bug in one of the new tests where the filtering logic is incorrect, and some docstrings that need correction to accurately reflect the test's purpose. My review includes suggestions to address these points.

[gemini-code-assist]

The new key fixtures (key_e256, key_e384, key_e521, key_r2048, key_r4096) contain a lot of duplicated code for getting or creating a key. To improve maintainability and reduce redundancy, this logic can be extracted into a single helper function. The fixtures can then call this helper with the specific parameters for each key type.

def _get_or_create_key(
    otdfctl: OpentdfCommandLineTool,
    kas_entry: abac.KasEntry,
    root_key: str,
    key_prefix: str,
    algorithm: str,
) -> abac.KasKey:
    """Helper to get or create a managed key.

    Key ID includes a hash of the root key to ensure that if the root key changes,
    a new key will be created instead of reusing an incompatible one.
    """
    pfs = tdfs.PlatformFeatureSet()
    if "key_management" not in pfs.features:
        pytest.skip("Key management feature is not enabled")

    key_id = f"{key_prefix}-{_key_id_suffix(root_key)}"
    existing_keys = otdfctl.kas_registry_keys_list(kas_entry)
    key = next((k for k in existing_keys if k.key.key_id == key_id), None)
    if key is None:
        key = otdfctl.kas_registry_create_key(
            kas_entry,
            key_id=key_id,
            mode="local",
            algorithm=algorithm,
            wrapping_key=root_key,
            wrapping_key_id="root",
        )
    return key


@pytest.fixture(scope="module")
def key_e256(
    otdfctl: OpentdfCommandLineTool,
    kas_entry_km2: abac.KasEntry,
    root_key: str,
) -> abac.KasKey:
    """Get or create EC secp256r1 managed key on km2.

    Key ID includes a hash of the root key to ensure that if the root key changes,
    a new key will be created instead of reusing an incompatible one.
    """
    return _get_or_create_key(
        otdfctl, kas_entry_km2, root_key, "e256", "ec:secp256r1"
    )


@pytest.fixture(scope="module")
def key_e384(
    otdfctl: OpentdfCommandLineTool,
    kas_entry_km2: abac.KasEntry,
    root_key: str,
) -> abac.KasKey:
    """Get or create EC secp384r1 managed key on km2.

    Key ID includes a hash of the root key to ensure that if the root key changes,
    a new key will be created instead of reusing an incompatible one.
    """
    return _get_or_create_key(
        otdfctl, kas_entry_km2, root_key, "e384", "ec:secp384r1"
    )


@pytest.fixture(scope="module")
def key_e521(
    otdfctl: OpentdfCommandLineTool,
    kas_entry_km2: abac.KasEntry,
    root_key: str,
) -> abac.KasKey:
    """Get or create EC secp521r1 managed key on km2.

    Key ID includes a hash of the root key to ensure that if the root key changes,
    a new key will be created instead of reusing an incompatible one.
    """
    return _get_or_create_key(
        otdfctl, kas_entry_km2, root_key, "e521", "ec:secp521r1"
    )


@pytest.fixture(scope="module")
def key_r2048(
    otdfctl: OpentdfCommandLineTool,
    kas_entry_km1: abac.KasEntry,
    root_key: str,
) -> abac.KasKey:
    """Get or create RSA 2048 managed key on km1.

    Key ID includes a hash of the root key to ensure that if the root key changes,
    a new key will be created instead of reusing an incompatible one.
    """
    return _get_or_create_key(otdfctl, kas_entry_km1, root_key, "r2048", "rsa:2048")


@pytest.fixture(scope="module")
def key_r4096(
    otdfctl: OpentdfCommandLineTool,
    kas_entry_km1: abac.KasEntry,
    root_key: str,
) -> abac.KasKey:
    """Get or create RSA 4096 managed key on km1.

    Key ID includes a hash of the root key to ensure that if the root key changes,
    a new key will be created instead of reusing an incompatible one.
    """
    return _get_or_create_key(otdfctl, kas_entry_km1, root_key, "r4096", "rsa:4096")

[gemini-code-assist]

This block of test setup code is repeated in test_key_mapping_extended_ec_mechanisms and test_key_mapping_extended_rsa_mechanisms. To improve maintainability and reduce code duplication, consider extracting this logic into a helper function that can be called from each test.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud