def _check_mrk_arns_equal()

in src/aws_encryption_sdk/key_providers/kms.py [0:0]


def _check_mrk_arns_equal(key1, key2):
    """Decide whether two KMS key identifiers name the same key or related multi-Region keys.

    Identical identifiers match immediately and are never parsed. Otherwise both
    inputs are parsed as ARNs, and they match only when both indicate a
    multi-Region key and agree on every ARN part compared below. The region part
    is not compared, so two multi-Region key ARNs that differ only in region
    are treated as a match.

    :param key1: First KMS key identifier
    :param key2: Second KMS key identifier
    :returns: True if the identifiers are identical or refer to related
        multi-Region keys, otherwise False
    :raises: Whatever ``arn_from_str`` raises when the inputs differ and either
        one cannot be parsed as an ARN; this function does not catch it
    """
    # //= compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
    # //# The caller MUST provide:
    if key1 == key2:
        # //= compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
        # //# If both identifiers are identical, this function MUST return "true".
        return True

    # From here on both inputs have to be ARNs: a non-ARN identifier makes
    # arn_from_str fail, and that failure propagates to the caller.
    first_arn = arn_from_str(key1)
    second_arn = arn_from_str(key2)

    both_multi_region = first_arn.indicates_multi_region_key() and second_arn.indicates_multi_region_key()
    if not both_multi_region:
        # //= compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
        # //# Otherwise if either input is not identified as a multi-Region key
        # //# (aws-kms-key-arn.md#identifying-an-aws-kms-multi-region-key), then
        # //# this function MUST return "false".
        return False

    # //= compliance/framework/aws-kms/aws-kms-mrk-match-for-decrypt.txt#2.5
    # //# Otherwise if both inputs are
    # //# identified as a multi-Region keys (aws-kms-key-arn.md#identifying-an-
    # //# aws-kms-multi-region-key), this function MUST return the result of
    # //# comparing the "partition", "service", "accountId", "resourceType",
    # //# and "resource" parts of both ARN inputs.
    # Region is deliberately absent from this list; adding or removing a field
    # here changes which keys are accepted as a match.
    compared_parts = ("partition", "service", "account_id", "resource_type", "resource_id")
    return all(getattr(first_arn, part) == getattr(second_arn, part) for part in compared_parts)