How to use the bless.config.bless_config.KMSAUTH_SECTION constant in bless (it is a config-section name passed to `config.get`/`config.getboolean`, not a function)

To help you get started, we’ve selected a few bless examples, based on popular ways it is used in public projects. Note that in the lambda examples below the IAM-group membership check is nested under `if allowed_remotes:`, so it is only reached when `kmsauth_remote_usernames_allowed` is configured non-empty.


Source: Netflix/bless — tests/config/test_bless_config.py (fragment; enclosing test function starts before this excerpt)
config = BlessConfig('us-east-1', config_file='')

    assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
    assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
    assert 2 == config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
    assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
    assert 'DEBUG' == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
    assert 'permit-X11-forwarding' == config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION)
    assert 'debian' == config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION)
    assert 'useradd' == config.get(BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION)

    assert '' == config.getpassword()
    assert '' == config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION)
    assert b'' == config.getprivatekey()

    assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION)
    assert '' == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION)
    assert 'bless-test' == config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION)

    config.aws_region = 'invalid'
    assert '' == config.getpassword()
Source: Netflix/bless — tests/config/test_bless_config.py
def test_kms_config_opts(monkeypatch):
    """Check that kmsauth is off in the baseline config and can be enabled by a config file.

    Two fixtures are loaded from the test directory: ``full.cfg`` (kmsauth
    disabled) and ``full-with-kmsauth.cfg`` (kmsauth enabled). In the latter,
    the IAM-group cross-check of remote usernames stays off, so enabling
    kmsauth alone does not imply IAM-group validation.

    The ``monkeypatch`` fixture is accepted for parity with sibling tests but
    is not used in this body.
    """
    config_dir = os.path.dirname(__file__)

    def load(filename):
        # Region is fixed; only the config file varies between cases.
        return BlessConfig("us-east-1", config_file=os.path.join(config_dir, filename))

    # Baseline: kmsauth is not turned on by full.cfg.
    baseline = load('full.cfg')
    assert baseline.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) is False

    # Opt-in via config file; IAM-group validation remains disabled.
    with_kmsauth = load('full-with-kmsauth.cfg')
    assert with_kmsauth.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) is True
    assert with_kmsauth.getboolean(KMSAUTH_SECTION, VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION) is False
Source: Netflix/bless — bless/aws_lambda/bless_lambda.py (fragment; the enclosing handler starts before and continues past this excerpt)
bypass_time_validity_check = False

    # Authenticate the user with KMS, if key is setup
    if config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
        if request.kmsauth_token:
            # Allow bless to sign the cert for a different remote user than the name of the user who signed it
            allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION)
            if allowed_remotes:
                allowed_users = allowed_remotes.split(',')
                requested_remotes = request.remote_usernames.split(',')
                if allowed_users != ['*'] and not all([u in allowed_users for u in requested_remotes]):
                    return error_response('KMSAuthValidationError',
                                          'unallowed remote_usernames [{}]'.format(request.remote_usernames))

                # Check if the user is in the required IAM groups
                if config.getboolean(KMSAUTH_SECTION, VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION):
                    iam = boto3.client('iam')
                    user_groups = iam.list_groups_for_user(UserName=request.bastion_user)

                    group_name_template = config.get(KMSAUTH_SECTION, IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION)
                    for requested_remote in requested_remotes:
                        required_group_name = group_name_template.format(requested_remote)

                        user_is_in_group = any(
                            group
                            for group in user_groups['Groups']
                            if group['GroupName'] == required_group_name
                        )

                        if not user_is_in_group:
                            return error_response('KMSAuthValidationError',
                                                  'user {} is not in the {} iam group'.format(request.bastion_user,
Source: Netflix/bless — bless/aws_lambda/bless_lambda.py (fragment; the enclosing handler starts before and continues past this excerpt)
# cert values determined only by lambda and its configs
    current_time = int(time.time())
    test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION)
    if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user):
        # This is a test call, the lambda will issue an invalid
        # certificate where valid_before < valid_after
        valid_before = current_time
        valid_after = current_time + 1
        bypass_time_validity_check = True
    else:
        valid_before = current_time + certificate_validity_after_seconds
        valid_after = current_time - certificate_validity_before_seconds
        bypass_time_validity_check = False

    # Authenticate the user with KMS, if key is setup
    if config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
        if request.kmsauth_token:
            # Allow bless to sign the cert for a different remote user than the name of the user who signed it
            allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION)
            if allowed_remotes:
                allowed_users = allowed_remotes.split(',')
                requested_remotes = request.remote_usernames.split(',')
                if allowed_users != ['*'] and not all([u in allowed_users for u in requested_remotes]):
                    return error_response('KMSAuthValidationError',
                                          'unallowed remote_usernames [{}]'.format(request.remote_usernames))

                # Check if the user is in the required IAM groups
                if config.getboolean(KMSAUTH_SECTION, VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION):
                    iam = boto3.client('iam')
                    user_groups = iam.list_groups_for_user(UserName=request.bastion_user)

                    group_name_template = config.get(KMSAUTH_SECTION, IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION)