localstack-core 4.10.1.dev7__py3-none-any.whl → 4.10.1.dev42__py3-none-any.whl

localstack/services/sns/v2/provider.py

@@ -10,8 +10,11 @@ from localstack.aws.api import CommonServiceException, RequestContext
 from localstack.aws.api.sns import (
     AmazonResourceName,
     ConfirmSubscriptionResponse,
+    CreateEndpointResponse,
     CreatePlatformApplicationResponse,
     CreateTopicResponse,
+    Endpoint,
+    GetEndpointAttributesResponse,
     GetPlatformApplicationAttributesResponse,
     GetSMSAttributesResponse,
     GetSubscriptionAttributesResponse,
@@ -60,6 +63,9 @@ from localstack.services.sns.v2.models import (
     SMS_ATTRIBUTE_NAMES,
     SMS_DEFAULT_SENDER_REGEX,
     SMS_TYPES,
+    EndpointAttributeNames,
+    PlatformApplicationDetails,
+    PlatformEndpoint,
     SnsMessage,
     SnsMessageType,
     SnsStore,
@@ -68,6 +74,7 @@ from localstack.services.sns.v2.models import (
     sns_stores,
 )
 from localstack.services.sns.v2.utils import (
+    create_platform_endpoint_arn,
     create_subscription_arn,
     encode_subscription_token_with_region,
     get_next_page_token_from_arn,
@@ -237,10 +244,11 @@ class SnsProvider(SnsApi):
                 raise InvalidParameterException("Invalid parameter: SQS endpoint ARN")
 
         elif protocol == "application":
-            # TODO: This needs to be implemented once applications are ported from moto to the new provider
-            raise NotImplementedError(
-                "This functionality needs yet to be ported to the new SNS provider"
-            )
+            # TODO: Validate exact behaviour
+            try:
+                parse_arn(endpoint)
+            except InvalidArnException:
+                raise InvalidParameterException("Invalid parameter: ApplicationEndpoint ARN")
 
         if ".fifo" in endpoint and ".fifo" not in topic_arn:
             # TODO: move to sqs protocol block if possible
@@ -591,17 +599,24 @@ class SnsProvider(SnsApi):
             account_id=context.account_id,
             region_name=context.region,
         )
-        platform_application = PlatformApplication(
-            PlatformApplicationArn=application_arn, Attributes=_attributes
+        platform_application_details = PlatformApplicationDetails(
+            platform_application=PlatformApplication(
+                PlatformApplicationArn=application_arn,
+                Attributes=_attributes,
+            ),
+            platform_endpoints={},
         )
-        store.platform_applications[application_arn] = platform_application
-        return CreatePlatformApplicationResponse(**platform_application)
+        store.platform_applications[application_arn] = platform_application_details
+
+        return platform_application_details.platform_application
 
     def delete_platform_application(
         self, context: RequestContext, platform_application_arn: String, **kwargs
     ) -> None:
         store = self.get_store(context.account_id, context.region)
         store.platform_applications.pop(platform_application_arn, None)
+        # TODO: if the platform had endpoints, should we remove them from the store? There is no way to list
+        #   endpoints without an application, so this is impossible to check the state of AWS here
 
     def list_platform_applications(
         self, context: RequestContext, next_token: String | None = None, **kwargs
@@ -615,7 +630,9 @@ class SnsProvider(SnsApi):
             next_token=next_token,
         )
 
-        response = ListPlatformApplicationsResponse(PlatformApplications=page)
+        response = ListPlatformApplicationsResponse(
+            PlatformApplications=[platform_app.platform_application for platform_app in page]
+        )
         if token:
             response["NextToken"] = token
         return response
@@ -644,6 +661,62 @@ class SnsProvider(SnsApi):
     # Platform Endpoints
     #
 
+    def create_platform_endpoint(
+        self,
+        context: RequestContext,
+        platform_application_arn: String,
+        token: String,
+        custom_user_data: String | None = None,
+        attributes: MapStringToString | None = None,
+        **kwargs,
+    ) -> CreateEndpointResponse:
+        store = self.get_store(context.account_id, context.region)
+        application = store.platform_applications.get(platform_application_arn)
+        if not application:
+            raise NotFoundException("PlatformApplication does not exist")
+        endpoint_arn = application.platform_endpoints.get(token, {})
+        attributes = attributes or {}
+        _validate_endpoint_attributes(attributes, allow_empty=True)
+        # CustomUserData can be specified both in attributes and as parameter. Attributes take precedence
+        attributes.setdefault(EndpointAttributeNames.CUSTOM_USER_DATA, custom_user_data)
+        _attributes = {"Enabled": "true", "Token": token, **attributes}
+        if endpoint_arn and (
+            platform_endpoint_details := store.platform_endpoints.get(endpoint_arn)
+        ):
+            # endpoint for that application with that particular token already exists
+            if not platform_endpoint_details.platform_endpoint["Attributes"] == _attributes:
+                raise InvalidParameterException(
+                    f"Invalid parameter: Token Reason: Endpoint {endpoint_arn} already exists with the same Token, but different attributes."
+                )
+            else:
+                return CreateEndpointResponse(EndpointArn=endpoint_arn)
+
+        endpoint_arn = create_platform_endpoint_arn(platform_application_arn)
+        platform_endpoint = PlatformEndpoint(
+            platform_application_arn=endpoint_arn,
+            platform_endpoint=Endpoint(
+                Attributes=_attributes,
+                EndpointArn=endpoint_arn,
+            ),
+        )
+        store.platform_endpoints[endpoint_arn] = platform_endpoint
+        application.platform_endpoints[token] = endpoint_arn
+
+        return CreateEndpointResponse(EndpointArn=endpoint_arn)
+
+    def delete_endpoint(self, context: RequestContext, endpoint_arn: String, **kwargs) -> None:
+        store = self.get_store(context.account_id, context.region)
+        platform_endpoint_details = store.platform_endpoints.pop(endpoint_arn, None)
+        if platform_endpoint_details:
+            platform_application = store.platform_applications.get(
+                platform_endpoint_details.platform_application_arn
+            )
+            if platform_application:
+                platform_endpoint = platform_endpoint_details.platform_endpoint
+                platform_application.platform_endpoints.pop(
+                    platform_endpoint["Attributes"]["Token"], None
+                )
+
     def list_endpoints_by_platform_application(
         self,
         context: RequestContext,
@@ -651,8 +724,49 @@ class SnsProvider(SnsApi):
         next_token: String | None = None,
         **kwargs,
     ) -> ListEndpointsByPlatformApplicationResponse:
-        # TODO: stub so cleanup fixture won't fail
-        return ListEndpointsByPlatformApplicationResponse(Endpoints=[])
+        store = self.get_store(context.account_id, context.region)
+        platform_application = store.platform_applications.get(platform_application_arn)
+        if not platform_application:
+            raise NotFoundException("PlatformApplication does not exist")
+        endpoint_arns = platform_application.platform_endpoints.values()
+        paginated_endpoint_arns = PaginatedList(endpoint_arns)
+        page, token = paginated_endpoint_arns.get_page(
+            token_generator=lambda x: get_next_page_token_from_arn(x),
+            page_size=100,
+            next_token=next_token,
+        )
+
+        response = ListEndpointsByPlatformApplicationResponse(
+            Endpoints=[
+                store.platform_endpoints[endpoint_arn].platform_endpoint
+                for endpoint_arn in page
+                if endpoint_arn in store.platform_endpoints
+            ]
+        )
+        if token:
+            response["NextToken"] = token
+        return response
+
+    def get_endpoint_attributes(
+        self, context: RequestContext, endpoint_arn: String, **kwargs
+    ) -> GetEndpointAttributesResponse:
+        store = self.get_store(context.account_id, context.region)
+        platform_endpoint_details = store.platform_endpoints.get(endpoint_arn)
+        if not platform_endpoint_details:
+            raise NotFoundException("Endpoint does not exist")
+        attributes = platform_endpoint_details.platform_endpoint["Attributes"]
+        return GetEndpointAttributesResponse(Attributes=attributes)
+
+    def set_endpoint_attributes(
+        self, context: RequestContext, endpoint_arn: String, attributes: MapStringToString, **kwargs
+    ) -> None:
+        store = self.get_store(context.account_id, context.region)
+        platform_endpoint_details = store.platform_endpoints.get(endpoint_arn)
+        if not platform_endpoint_details:
+            raise NotFoundException("Endpoint does not exist")
+        _validate_endpoint_attributes(attributes)
+        attributes = attributes or {}
+        platform_endpoint_details.platform_endpoint["Attributes"].update(attributes)
 
     #
     # Sms operations
@@ -736,7 +850,7 @@ class SnsProvider(SnsApi):
         parse_and_validate_platform_application_arn(platform_application_arn)
         try:
             store = SnsProvider.get_store(context.account_id, context.region)
-            return store.platform_applications[platform_application_arn]
+            return store.platform_applications[platform_application_arn].platform_application
         except KeyError:
             raise NotFoundException("PlatformApplication does not exist")
 
@@ -821,6 +935,10 @@ def _validate_platform_application_name(name: str) -> None:
 
 
 def _validate_platform_application_attributes(attributes: dict) -> None:
+    _check_empty_attributes(attributes)
+
+
+def _check_empty_attributes(attributes: dict) -> None:
     if not attributes:
         raise CommonServiceException(
             code="ValidationError",
@@ -829,6 +947,20 @@ def _validate_platform_application_attributes(attributes: dict) -> None:
         )
 
 
+def _validate_endpoint_attributes(attributes: dict, allow_empty: bool = False) -> None:
+    if not allow_empty:
+        _check_empty_attributes(attributes)
+    for key in attributes:
+        if key not in EndpointAttributeNames:
+            raise InvalidParameterException(
+                f"Invalid parameter: Attributes Reason: Invalid attribute name: {key}"
+            )
+    if len(attributes.get(EndpointAttributeNames.CUSTOM_USER_DATA, "")) > 2048:
+        raise InvalidParameterException(
+            "Invalid parameter: Attributes Reason: Invalid value for attribute: CustomUserData: must be at most 2048 bytes long in UTF-8 encoding"
+        )
+
+
 def _validate_sms_attributes(attributes: dict) -> None:
     for k, v in attributes.items():
         if k not in SMS_ATTRIBUTE_NAMES:

localstack/services/sns/v2/utils.py

@@ -103,6 +103,14 @@ def create_subscription_arn(topic_arn: str) -> str:
     return f"{topic_arn}:{uuid4()}"
 
 
+def create_platform_endpoint_arn(
+    platform_application_arn: str,
+) -> str:
+    # This is the format of an Endpoint Arn
+    # arn:aws:sns:us-west-2:1234567890:endpoint/GCM/MyApplication/12345678-abcd-9012-efgh-345678901234
+    return f"{platform_application_arn.replace('app', 'endpoint', 1)}/{uuid4()}"
+
+
 def encode_subscription_token_with_region(region: str) -> str:
     """
     Create a 64 characters Subscription Token with the region encoded

localstack/services/sqs/models.py

@@ -314,7 +314,8 @@ class SqsQueue:
     purge_timestamp: float | None
 
     delayed: set[SqsMessage]
-    inflight: set[SqsMessage]
+    # Simulating an ordered set in python. Only the keys are used and of interest.
+    inflight: dict[SqsMessage, None]
     receipts: dict[str, SqsMessage]
 
     def __init__(self, name: str, region: str, account_id: str, attributes=None, tags=None) -> None:
@@ -326,7 +327,7 @@ class SqsQueue:
         self.tags = tags or {}
 
         self.delayed = set()
-        self.inflight = set()
+        self.inflight = {}
         self.receipts = {}
 
         self.attributes = self.default_attributes()
@@ -513,7 +514,7 @@ class SqsQueue:
                 )
                 # Terminating the visibility timeout for a message
                 # https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html#terminating-message-visibility-timeout
-                self.inflight.remove(standard_message)
+                del self.inflight[standard_message]
                 self._put_message(standard_message)
 
     def remove(self, receipt_handle: str):
@@ -606,9 +607,17 @@ class SqsQueue:
                     standard_message,
                     self.arn,
                 )
-                self.inflight.remove(standard_message)
+                del self.inflight[standard_message]
                 self._put_message(standard_message)
 
+    def add_inflight_message(self, message: SqsMessage):
+        """
+        We are simulating an ordered set with a dict. When a value is added, it is added as key to the dict, which
+        is all we need. Hence all "values" in this ordered set are None
+        :param message: The message to put in flight
+        """
+        self.inflight[message] = None
+
     def enqueue_delayed_messages(self):
         if not self.delayed:
             return
@@ -779,7 +788,6 @@ class SqsQueue:
 
 class StandardQueue(SqsQueue):
     visible: InterruptiblePriorityQueue[SqsMessage]
-    inflight: set[SqsMessage]
 
     def __init__(self, name: str, region: str, account_id: str, attributes=None, tags=None) -> None:
         super().__init__(name, region, account_id, attributes, tags)
@@ -923,13 +931,13 @@ class StandardQueue(SqsQueue):
             if message.visibility_timeout == 0:
                 self.visible.put_nowait(message)
             else:
-                self.inflight.add(message)
+                self.add_inflight_message(message)
 
         return result
 
     def _on_remove_message(self, message: SqsMessage):
         try:
-            self.inflight.remove(message)
+            del self.inflight[message]
         except KeyError:
             # this likely means the message was removed with an expired receipt handle unfortunately this
             # means we need to scan the queue for the element and remove it from there, and then re-heapify
@@ -1149,6 +1157,26 @@ class FifoQueue(SqsQueue):
             elif previously_empty:
                 self.message_group_queue.put_nowait(message_group)
 
+    def requeue_inflight_messages(self):
+        if not self.inflight:
+            return
+
+        with self.mutex:
+            messages = list(self.inflight)
+            for standard_message in messages:
+                # in fifo, an invisible message blocks potentially visible messages afterwards
+                # this can happen for example if multiple message of the same group are received at once, then one
+                # message of this batch has its visibility timeout extended
+                if not standard_message.is_visible:
+                    return
+                LOG.debug(
+                    "re-queueing inflight messages %s into queue %s",
+                    standard_message,
+                    self.arn,
+                )
+                del self.inflight[standard_message]
+                self._put_message(standard_message)
+
     def remove_expired_messages(self):
         with self.mutex:
             retention_period = self.message_retention_period
@@ -1278,8 +1306,7 @@ class FifoQueue(SqsQueue):
                 if message.visibility_timeout == 0:
                     self._put_message(message)
                 else:
-                    self.inflight.add(message)
-
+                    self.add_inflight_message(message)
         return result
 
     def _on_remove_message(self, message: SqsMessage):
@@ -1288,7 +1315,7 @@ class FifoQueue(SqsQueue):
 
         with self.mutex:
             try:
-                self.inflight.remove(message)
+                del self.inflight[message]
             except KeyError:
                 # in FIFO queues, this should not happen, as expired receipt handles cannot be used to
                 # delete a message.

localstack/testing/snapshots/transformer_utility.py

@@ -566,6 +566,8 @@ class TransformerUtility:
         """
         return [
             TransformerUtility.key_value("KeyId"),
+            TransformerUtility.key_value("KeyMaterialId"),
+            TransformerUtility.key_value("CurrentKeyMaterialId"),
             TransformerUtility.jsonpath(
                 jsonpath="$..Signature",
                 value_replacement="<signature>",

localstack/testing/testselection/matching.py

@@ -181,7 +181,6 @@ MATCHING_RULES: list[MatchingRule] = [
     ).passthrough(),  # changes in a test file should always at least test that file
     # CI
     Matchers.glob(".github/**").full_suite(),
-    Matchers.glob(".circleci/**").full_suite(),
     # dependencies / project setup
     Matchers.glob("requirements*.txt").full_suite(),
     Matchers.glob("setup.cfg").full_suite(),

localstack/utils/aws/client_types.py

@@ -65,7 +65,6 @@ if TYPE_CHECKING:
     from mypy_boto3_iotwireless import IoTWirelessClient
     from mypy_boto3_kafka import KafkaClient
     from mypy_boto3_kinesis import KinesisClient
-    from mypy_boto3_kinesisanalytics import KinesisAnalyticsClient
     from mypy_boto3_kinesisanalyticsv2 import KinesisAnalyticsV2Client
     from mypy_boto3_kms import KMSClient
     from mypy_boto3_lakeformation import LakeFormationClient
@@ -82,8 +81,6 @@ if TYPE_CHECKING:
     from mypy_boto3_pi import PIClient
     from mypy_boto3_pinpoint import PinpointClient
     from mypy_boto3_pipes import EventBridgePipesClient
-    from mypy_boto3_qldb import QLDBClient
-    from mypy_boto3_qldb_session import QLDBSessionClient
     from mypy_boto3_rds import RDSClient
     from mypy_boto3_rds_data import RDSDataServiceClient
     from mypy_boto3_redshift import RedshiftClient
@@ -191,9 +188,6 @@ class TypedServiceClientFactory(abc.ABC):
     iotwireless: Union["IoTWirelessClient", "MetadataRequestInjector[IoTWirelessClient]"]
     kafka: Union["KafkaClient", "MetadataRequestInjector[KafkaClient]"]
     kinesis: Union["KinesisClient", "MetadataRequestInjector[KinesisClient]"]
-    kinesisanalytics: Union[
-        "KinesisAnalyticsClient", "MetadataRequestInjector[KinesisAnalyticsClient]"
-    ]
     kinesisanalyticsv2: Union[
         "KinesisAnalyticsV2Client", "MetadataRequestInjector[KinesisAnalyticsV2Client]"
     ]
@@ -214,8 +208,6 @@ class TypedServiceClientFactory(abc.ABC):
     pi: Union["PIClient", "MetadataRequestInjector[PIClient]"]
     pinpoint: Union["PinpointClient", "MetadataRequestInjector[PinpointClient]"]
     pipes: Union["EventBridgePipesClient", "MetadataRequestInjector[EventBridgePipesClient]"]
-    qldb: Union["QLDBClient", "MetadataRequestInjector[QLDBClient]"]
-    qldb_session: Union["QLDBSessionClient", "MetadataRequestInjector[QLDBSessionClient]"]
     rds: Union["RDSClient", "MetadataRequestInjector[RDSClient]"]
     rds_data: Union["RDSDataServiceClient", "MetadataRequestInjector[RDSDataServiceClient]"]
     redshift: Union["RedshiftClient", "MetadataRequestInjector[RedshiftClient]"]

localstack/utils/catalog/catalog_loader.py

@@ -1,11 +1,119 @@
 import json
+import logging
+from json import JSONDecodeError
+from pathlib import Path
 
+import requests
+from pydantic import BaseModel
+
+from localstack import config, constants
 from localstack.utils.catalog.common import AwsRemoteCatalog
+from localstack.utils.http import get_proxies
+from localstack.utils.json import FileMappedDocument
+
+LOG = logging.getLogger(__name__)
+
+AWS_CATALOG_FILE_NAME = "aws_catalog.json"
+
 
-LICENSE_CATALOG_PATH = ""
+class RemoteCatalogVersionResponse(BaseModel):
+    emulator_type: str
+    version: str
+
+
+class AwsCatalogLoaderException(Exception):
+    def __init__(self, msg: str, *args):
+        super().__init__(msg, *args)
 
 
 class RemoteCatalogLoader:
+    supported_schema_version = "v1"
+    api_endpoint_catalog = f"{constants.API_ENDPOINT}/license/catalog"
+    catalog_file_path = Path(config.dirs.cache) / AWS_CATALOG_FILE_NAME
+
     def get_remote_catalog(self) -> AwsRemoteCatalog:
-        with open(LICENSE_CATALOG_PATH) as f:
-            return AwsRemoteCatalog(**json.load(f))
+        catalog_doc = FileMappedDocument(self.catalog_file_path)
+        cached_catalog = AwsRemoteCatalog(**catalog_doc) if catalog_doc else None
+        if cached_catalog:
+            cached_catalog_version = cached_catalog.localstack.version
+            if not self._should_update_cached_catalog(cached_catalog_version):
+                return cached_catalog
+        catalog = self._get_catalog_from_platform()
+        self._save_catalog_to_cache(catalog_doc, catalog)
+        return catalog
+
+    def _get_latest_localstack_version(self) -> str:
+        try:
+            proxies = get_proxies()
+            response = requests.get(
+                f"{self.api_endpoint_catalog}/aws/version",
+                verify=not config.is_env_true("SSL_NO_VERIFY"),
+                proxies=proxies,
+            )
+            if response.ok:
+                return RemoteCatalogVersionResponse.model_validate(response.content).version
+            self._raise_server_error(response)
+        except requests.exceptions.RequestException as e:
+            raise AwsCatalogLoaderException(
+                f"An unexpected network error occurred when trying to fetch latest localstack version: {e}"
+            ) from e
+
+    def _should_update_cached_catalog(self, current_catalog_version: str) -> bool:
+        try:
+            latest_version = self._get_latest_localstack_version()
+            return latest_version != current_catalog_version
+        except Exception as e:
+            LOG.warning(
+                "Failed to retrieve the latest catalog version, cached catalog update skipped: %s",
+                e,
+            )
+            return False
+
+    def _save_catalog_to_cache(self, catalog_doc: FileMappedDocument, catalog: AwsRemoteCatalog):
+        catalog_doc.clear()
+        catalog_doc.update(catalog.model_dump())
+        catalog_doc.save()
+
+    def _get_catalog_from_platform(self) -> AwsRemoteCatalog:
+        try:
+            proxies = get_proxies()
+            response = requests.post(
+                self.api_endpoint_catalog,
+                verify=not config.is_env_true("SSL_NO_VERIFY"),
+                proxies=proxies,
+            )
+
+            if response.ok:
+                return self._parse_catalog(response.content)
+            self._raise_server_error(response)
+        except requests.exceptions.RequestException as e:
+            raise AwsCatalogLoaderException(
+                f"An unexpected network error occurred when trying to fetch remote catalog: {e}"
+            ) from e
+
+    def _parse_catalog(self, document: bytes) -> AwsRemoteCatalog | None:
+        try:
+            catalog_json = json.loads(document)
+        except JSONDecodeError as e:
+            raise AwsCatalogLoaderException(f"Could not de-serialize json catalog: {e}") from e
+        remote_catalog = AwsRemoteCatalog.model_validate(catalog_json)
+        if remote_catalog.schema_version != self.supported_schema_version:
+            raise AwsCatalogLoaderException(
+                f"Unsupported schema version: '{remote_catalog.schema_version}'. Only '{self.supported_schema_version}' is supported"
+            )
+        return remote_catalog
+
+    def _raise_server_error(self, response: requests.Response):
+        try:
+            server_error = response.json()
+            if error_message := server_error.get("message"):
+                raise AwsCatalogLoaderException(
+                    f"Unexpected AWS catalog server error: {response.text}"
+                )
+            raise AwsCatalogLoaderException(
+                f"A server error occurred while calling remote catalog API (HTTP {response.status_code}): {error_message}"
+            )
+        except Exception:
+            raise AwsCatalogLoaderException(
+                f"An unexpected server error occurred while calling remote catalog API (HTTP {response.status_code}): {response.text}"
+            )

localstack/utils/crypto.py

@@ -4,7 +4,13 @@ import os
 import re
 import threading
 
+from asn1crypto import algos, cms, core
+from asn1crypto import x509 as asn1_x509
 from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import padding as sym_padding
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 
 from .files import TMP_FILES, file_exists_not_empty, load_file, new_tmp_file, save_file
@@ -26,6 +32,11 @@ PEM_CERT_END = "-----END CERTIFICATE-----"
 PEM_KEY_START_REGEX = r"-----BEGIN(.*)PRIVATE KEY-----"
 PEM_KEY_END_REGEX = r"-----END(.*)PRIVATE KEY-----"
 
+OID_AES256_CBC = "2.16.840.1.101.3.4.1.42"
+OID_MGF1 = "1.2.840.113549.1.1.8"
+OID_RSAES_OAEP = "1.2.840.113549.1.1.7"
+OID_SHA256 = "2.16.840.1.101.3.4.2.1"
+
 
 @synchronized(lock=SSL_CERT_LOCK)
 def generate_ssl_cert(
@@ -183,3 +194,101 @@ def decrypt(
     decrypted = decryptor.update(encrypted) + decryptor.finalize()
     decrypted = unpad(decrypted)
     return decrypted
+
+
+def pkcs7_envelope_encrypt(plaintext: bytes, recipient_pubkey: RSAPublicKey) -> bytes:
+    """
+    Create a PKCS7 wrapper of some plaintext decryptable by recipient_pubkey.  Uses RSA-OAEP with SHA-256
+    to encrypt the AES-256-CBC content key.  Hazmat's PKCS7EnvelopeBuilder doesn't support RSA-OAEP with SHA-256,
+    so we need to build the pieces manually and then put them together in an envelope with asn1crypto.
+    """
+
+    # Encrypt the plaintext with an AES session key, then encrypt the session key to the recipient_pubkey
+    session_key = os.urandom(32)
+    iv = os.urandom(16)
+    encrypted_session_key = recipient_pubkey.encrypt(
+        session_key,
+        padding.OAEP(
+            mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None
+        ),
+    )
+    cipher = Cipher(algorithms.AES(session_key), modes.CBC(iv), backend=default_backend())
+    encryptor = cipher.encryptor()
+    padder = sym_padding.PKCS7(algorithms.AES.block_size).padder()
+    padded_plaintext = padder.update(plaintext) + padder.finalize()
+    encrypted_content = encryptor.update(padded_plaintext) + encryptor.finalize()
+
+    # Now put together the envelope.
+    # Add the recipient with their copy of the session key
+    recipient_identifier = cms.RecipientIdentifier(
+        name="issuer_and_serial_number",
+        value=cms.IssuerAndSerialNumber(
+            {
+                "issuer": asn1_x509.Name.build({"common_name": "recipient"}),
+                "serial_number": 1,
+            }
+        ),
+    )
+    key_enc_algorithm = cms.KeyEncryptionAlgorithm(
+        {
+            "algorithm": OID_RSAES_OAEP,
+            "parameters": algos.RSAESOAEPParams(
+                {
+                    "hash_algorithm": algos.DigestAlgorithm(
+                        {
+                            "algorithm": OID_SHA256,
+                        }
+                    ),
+                    "mask_gen_algorithm": algos.MaskGenAlgorithm(
+                        {
+                            "algorithm": OID_MGF1,
+                            "parameters": algos.DigestAlgorithm(
+                                {
+                                    "algorithm": OID_SHA256,
+                                }
+                            ),
+                        }
+                    ),
+                }
+            ),
+        }
+    )
+    recipient_info = cms.KeyTransRecipientInfo(
+        {
+            "version": "v0",
+            "rid": recipient_identifier,
+            "key_encryption_algorithm": key_enc_algorithm,
+            "encrypted_key": encrypted_session_key,
+        }
+    )
+
+    # Add the encrypted content
+    content_enc_algorithm = cms.EncryptionAlgorithm(
+        {
+            "algorithm": OID_AES256_CBC,
+            "parameters": core.OctetString(iv),
+        }
+    )
+    encrypted_content_info = cms.EncryptedContentInfo(
+        {
+            "content_type": "data",
+            "content_encryption_algorithm": content_enc_algorithm,
+            "encrypted_content": encrypted_content,
+        }
+    )
+    enveloped_data = cms.EnvelopedData(
+        {
+            "version": "v0",
+            "recipient_infos": [recipient_info],
+            "encrypted_content_info": encrypted_content_info,
+        }
+    )
+
+    # Finally add a wrapper and return its bytes
+    content_info = cms.ContentInfo(
+        {
+            "content_type": "enveloped_data",
+            "content": enveloped_data,
+        }
+    )
+    return content_info.dump()