auto commit

Author: rishav-karanjit

Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go

@@ -3,7 +3,6 @@ package awsdbe
 import (
 	"context"
 	"fmt"
-	"reflect"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -36,7 +35,7 @@ primary key configuration:
   - Partition key is named "partition_key" with type (S)
   - Sort key is named "sort_key" with type (S)
 */
-func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) {
+func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error {
 	cfg, err := config.LoadDefaultConfig(context.TODO())
 	utils.HandleError(err)
 
@@ -66,10 +65,11 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 
 	// 3. Put an item into your table.
 	//    This item will be stored in plaintext.
+	encryptedAndSignedValue := "this will be encrypted and signed"
 	item := map[string]types.AttributeValue{
 		"partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
-		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyValue},
-		"attribute1":    &types.AttributeValueMemberS{Value: "this will be encrypted and signed"},
+		"sort_key":      &types.AttributeValueMemberN{Value: "1"},
+		"attribute1":    &types.AttributeValueMemberS{Value: encryptedAndSignedValue},
 		"attribute2":    &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"},
 		"attribute3":    &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"},
 	}
@@ -80,7 +80,12 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	}
 
 	_, err = ddb.PutItem(context.TODO(), &putInput)
-	utils.HandleError(err)
+
+	// We return this error because we run test against the error.
+	// When used in production code, you can decide how you can to handle errors.
+	if err != nil {
+		return err
+	}
 
 	// 4. Get an item back from the table using the DynamoDb Client.
 	//    If this is an item written in plaintext (i.e. any item written
@@ -90,7 +95,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	//    and surfaced as a plaintext item.
 	key := map[string]types.AttributeValue{
 		"partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
-		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyValue},
+		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyReadValue},
 	}
 
 	getInput := &dynamodb.GetItemInput{
@@ -100,11 +105,19 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	}
 
 	result, err := ddb.GetItem(context.TODO(), getInput)
-	utils.HandleError(err)
+	// We return this error because we run test against the error.
+	// When used in production code, you can decide how you can to handle errors.
+	if err != nil {
+		return err
+	}
 
 	// Verify we got the expected item back
-	if !reflect.DeepEqual(item, result.Item) {
+	if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value {
+		panic("Decrypted item does not match original item")
+	}
+	if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value {
 		panic("Decrypted item does not match original item")
 	}
 	fmt.Println("MigrationStep1 completed successfully")
+	return nil
 }

Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go

@@ -4,7 +4,6 @@ import (
 	// Standard imports
 	"context"
 	"fmt"
-	"reflect"
 
 	// AWS SDK imports
 
@@ -38,7 +37,7 @@ primary key configuration:
   - Partition key is named "partition_key" with type (S)
   - Sort key is named "sort_key" with type (S)
 */
-func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) {
+func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error {
 	cfg, err := config.LoadDefaultConfig(context.TODO())
 	utils.HandleError(err)
 
@@ -64,10 +63,11 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 
 	// 6. Put an item into your table.
 	//    This item will be encrypted.
+	encryptedAndSignedValue := "this will be encrypted and signed"
 	item := map[string]types.AttributeValue{
 		"partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
-		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyValue},
-		"attribute1":    &types.AttributeValueMemberS{Value: "this will be encrypted and signed"},
+		"sort_key":      &types.AttributeValueMemberN{Value: "2"},
+		"attribute1":    &types.AttributeValueMemberS{Value: encryptedAndSignedValue},
 		"attribute2":    &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"},
 		"attribute3":    &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"},
 	}
@@ -78,7 +78,12 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	}
 
 	_, err = ddb.PutItem(context.TODO(), &putInput)
-	utils.HandleError(err)
+
+	// We return this error because we run test against the error.
+	// When used in production code, you can decide how you can to handle errors.
+	if err != nil {
+		return err
+	}
 
 	// 7. Get an item back from the table.
 	//    If this is an item written in plaintext (i.e. any item written
@@ -88,7 +93,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	//    item client-sid and surface it in our code as a plaintext item.
 	key := map[string]types.AttributeValue{
 		"partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
-		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyValue},
+		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyReadValue},
 	}
 
 	getInput := &dynamodb.GetItemInput{
@@ -98,11 +103,19 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	}
 
 	result, err := ddb.GetItem(context.TODO(), getInput)
-	utils.HandleError(err)
+	// We return this error because we run test against the error.
+	// When used in production code, you can decide how you can to handle errors.
+	if err != nil {
+		return err
+	}
 
-	// Demonstrate we get the expected item back
-	if !reflect.DeepEqual(item, result.Item) {
+	// Verify we got the expected item back
+	if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value {
+		panic("Decrypted item does not match original item")
+	}
+	if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value {
 		panic("Decrypted item does not match original item")
 	}
 	fmt.Println("MigrationStep2 completed successfully")
+	return nil
 }

Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go

@@ -4,7 +4,6 @@ import (
 	// Standard imports
 	"context"
 	"fmt"
-	"reflect"
 
 	// AWS SDK imports
 
@@ -34,7 +33,7 @@ primary key configuration:
   - Partition key is named "partition_key" with type (S)
   - Sort key is named "sort_key" with type (S)
 */
-func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) {
+func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error {
 	cfg, err := config.LoadDefaultConfig(context.TODO())
 	utils.HandleError(err)
 
@@ -63,10 +62,11 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 
 	// 6. Put an item into your table.
 	//    This item will be encrypted.
+	encryptedAndSignedValue := "this will be encrypted and signed"
 	item := map[string]types.AttributeValue{
 		"partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
-		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyValue},
-		"attribute1":    &types.AttributeValueMemberS{Value: "this will be encrypted and signed"},
+		"sort_key":      &types.AttributeValueMemberN{Value: "3"},
+		"attribute1":    &types.AttributeValueMemberS{Value: encryptedAndSignedValue},
 		"attribute2":    &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"},
 		"attribute3":    &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"},
 	}
@@ -77,7 +77,11 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	}
 
 	_, err = ddb.PutItem(context.TODO(), &putInput)
-	utils.HandleError(err)
+	// We return this error because we run test against the error.
+	// When used in production code, you can decide how you can to handle errors.
+	if err != nil {
+		return err
+	}
 
 	// 7. Get an item back from the table.
 	//    If this is an item written in plaintext (i.e. any item written
@@ -87,7 +91,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	//    item client-sid and surface it in our code as a plaintext item.
 	key := map[string]types.AttributeValue{
 		"partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
-		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyValue},
+		"sort_key":      &types.AttributeValueMemberN{Value: sortKeyReadValue},
 	}
 
 	getInput := &dynamodb.GetItemInput{
@@ -97,11 +101,20 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri
 	}
 
 	result, err := ddb.GetItem(context.TODO(), getInput)
-	utils.HandleError(err)
+	// We return this error because we run test against the error.
+	// When used in production code, you can decide how you can to handle errors.
+	if err != nil {
+		return err
+	}
 
-	// Demonstrate we get the expected item back
-	if !reflect.DeepEqual(item, result.Item) {
+	// Verify we got the expected item back
+	if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value {
+		panic("Decrypted item does not match original item")
+	}
+	if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value {
 		panic("Decrypted item does not match original item")
 	}
 	fmt.Println("MigrationStep3 completed successfully")
+
+	return nil
 }

Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go

@@ -0,0 +1,58 @@
+package awsdbe
+
+import (
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext"
+	"github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils"
+	"github.com/aws/smithy-go"
+	"github.com/google/uuid"
+)
+
+func TestMigrationStep3(t *testing.T) {
+	kmsKeyID := utils.KmsKeyID()
+	tableName := utils.DdbTableName()
+	partitionKey := uuid.New().String()
+	sortKeys := []string{"0", "1", "2", "3"}
+
+	// Successfully executes Step 3
+	MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3])
+
+	// Given: Step 0 has succeeded
+	plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0])
+	// When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values)
+	// MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0])
+	assertError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]))
+
+	// Given: Step 1 has succeeded
+	MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1])
+	// When: Execute Step 3 with sortReadValue=1, Then: should panic (cannot read plaintext values)
+	assertError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1]))
+
+	// Given: Step 2 has succeeded
+	MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2])
+	// When: Execute Step 3 with sortReadValue=2, Then: Success (can read encrypted values)
+	MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[2])
+
+	// Cleanup
+	for _, sortKey := range sortKeys {
+		utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey)
+	}
+}
+
+func assertError(err error) {
+	var oe *smithy.OperationError
+	if errors.As(err, &oe) {
+		if oe.Service() != "DynamoDB" {
+			panic("Expected service to be DynamoDB")
+		}
+		if oe.Operation() != "GetItem" {
+			panic("Expected Operation to be GetItem")
+		}
+		if !strings.Contains(oe.Unwrap().Error(), "Encrypted item missing expected header and footer attributes") {
+			panic("Expected message to contain Encrypted item missing expected header and footer attributes")
+		}
+	}
+}