m

Author: lucasmcdonald3

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/internal/boto3_conversions.py

@@ -1,4 +1,7 @@
 from abc import ABC, abstractmethod
+from boto3.dynamodb.conditions import (
+    BuiltConditionExpression,
+)
 
 class BotoInterfaceShapeConverter(ABC):
     """

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/internal/condition_expression_builder.py

@@ -1,14 +1,32 @@
 from aws_database_encryption_sdk.transform import dict_to_ddb
 from .boto3_conversions import BotoInterfaceShapeConverter
 from aws_database_encryption_sdk.internal.condition_expression_builder import InternalDBESDKDynamoDBConditionExpressionBuilder
-from boto3.dynamodb.conditions import ConditionBase
+from boto3.dynamodb.conditions import ConditionBase, BuiltConditionExpression
 
 class ResourceShapeToClientShapeConverter(BotoInterfaceShapeConverter):
 
     def __init__(self, table_name = None):
         self.table_name = table_name
         self.expression_builder = InternalDBESDKDynamoDBConditionExpressionBuilder()
 
+    def _unpack_built_condition_expression(self, request_to_update, expression_key):
+        built_condition_expression = request_to_update[expression_key]
+        request_to_update[expression_key] = built_condition_expression.condition_expression
+        attribute_names_from_built_expression = built_condition_expression.attribute_name_placeholders
+        # Join any placeholder ExpressionAttributeNames with any other ExpressionAttributeNames
+        try:
+            request_to_update["ExpressionAttributeNames"] = request_to_update["ExpressionAttributeNames"] | attribute_names_from_built_expression
+        except KeyError:
+            request_to_update["ExpressionAttributeNames"] = attribute_names_from_built_expression
+        # BuiltConditionExpression stores values in resource format; convert to client format before joining
+        attribute_values_from_built_expression = super().expression_attribute_values(
+            built_condition_expression.attribute_value_placeholders
+        )
+        try:
+            request_to_update["ExpressionAttributeValues"] = request_to_update["ExpressionAttributeValues"] | attribute_values_from_built_expression
+        except KeyError:
+            request_to_update["ExpressionAttributeValues"] = attribute_values_from_built_expression
+
     def item(self, item):
         return dict_to_ddb(item)
 
@@ -23,7 +41,10 @@ def put_item_request(self, put_item_request):
         if not self.table_name:
             raise ValueError("Table name must be provided to ResourceShapeToClientShapeConverter to use put_item")
         put_item_request["TableName"] = self.table_name
-        return super().put_item_request(put_item_request)
+        super_conversion = super().put_item_request(put_item_request)
+        if "ConditionExpression" in super_conversion and isinstance(super_conversion["ConditionExpression"], BuiltConditionExpression):
+            self._unpack_built_condition_expression(super_conversion, "ConditionExpression")
+        return super_conversion
 
     def get_item_request(self, get_item_request):
         if not self.table_name:
@@ -35,18 +56,30 @@ def query_request(self, query_request):
         if not self.table_name:
             raise ValueError("Table name must be provided to ResourceShapeToClientShapeConverter to use query")
         query_request["TableName"] = self.table_name
-        return super().query_request(query_request)
+        super_conversion = super().query_request(query_request)
+        if "KeyConditionExpression" in super_conversion and isinstance(super_conversion["KeyConditionExpression"], BuiltConditionExpression):
+            self._unpack_built_condition_expression(super_conversion, "KeyConditionExpression")
+        if "FilterExpression" in super_conversion and isinstance(super_conversion["FilterExpression"], BuiltConditionExpression):
+            self._unpack_built_condition_expression(super_conversion, "FilterExpression")
+        return super_conversion
 
     def scan_request(self, scan_request):
         if not self.table_name:
             raise ValueError("Table name must be provided to ResourceShapeToClientShapeConverter to use scan")
         scan_request["TableName"] = self.table_name
-        return super().scan_request(scan_request)
+        super_conversion = super().scan_request(scan_request)
+        if "FilterExpression" in super_conversion and isinstance(super_conversion["FilterExpression"], BuiltConditionExpression):
+            self._unpack_built_condition_expression(super_conversion, "FilterExpression")
+        return super_conversion
 
     def expression(self, condition_expression):
         # Expressions provided to tables can be Condition objects, which need to be converted to strings.
-        if isinstance(condition_expression, ConditionBase):
-            return self.expression_builder.build_expression(condition_expression, "placeholder", "placeholder")
+        if condition_expression.__module__ == "boto3.dynamodb.conditions":
+            out = self.expression_builder.build_expression(condition_expression, {}, {})
+            print(f"{condition_expression=}")
+            print(f"{out=}")
+            return out
         # Expressions provided to tables can also already be string-like.
         # Assume the user has provided something string-like, and let Smithy-Python/DBESDK internals raise exceptions if not.
+        print(f"probably a string: {condition_expression=}")
         return condition_expression

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/internal/resource_to_client.py

@@ -0,0 +1,53 @@
+from aws_cryptographic_material_providers.keystore.models import (
+    KMSConfigurationKmsKeyArn,
+    CreateKeyInput,
+)
+import boto3
+from aws_cryptographic_material_providers.keystore.client import KeyStore
+from aws_cryptographic_material_providers.keystore.config import KeyStoreConfig
+
+"""
+The Hierarchical Keyring Example and Searchable Encryption Examples
+rely on the existence of a DDB-backed key store with pre-existing
+branch key material or beacon key material.
+
+See the "Create KeyStore Table Example" for how to first set up
+the DDB Table that will back this KeyStore.
+
+This example demonstrates configuring a KeyStore and then
+using a helper method to create a branch key and beacon key 
+that share the same Id, then return that Id.
+We will always create a new beacon key alongside a new branch key,
+even if you are not using searchable encryption.
+
+This key creation should occur within your control plane.
+"""
+
+def keystore_create_key(key_store_table_name: str,
+                        logical_key_store_name: str,
+                        kms_key_arn: str) -> str:
+    # 1. Configure your KeyStore resource.
+    #    This SHOULD be the same configuration that was used to create the DDB table
+    #    in the "Create KeyStore Table Example".   
+    keystore: KeyStore = KeyStore(
+        KeyStoreConfig(
+            ddb_table_name = key_store_table_name,
+            kms_configuration=KMSConfigurationKmsKeyArn(
+                kms_key_arn
+            ),
+            logical_key_store_name=logical_key_store_name,
+            kms_client=boto3.client("kms"),
+            ddb_client=boto3.client("dynamodb")
+        )
+    )
+
+    # 2. Create a new branch key and beacon key in our KeyStore.
+    #    Both the branch key and the beacon key will share an Id.
+    #    This creation is eventually consistent.
+    branch_key_id = keystore.create_key(
+        CreateKeyInput()
+    ).branch_key_identifier
+
+    print(f"{branch_key_id=}")
+
+    return branch_key_id

Examples/runtimes/python/DynamoDBEncryption/src/create_keystore_key_example.py

@@ -0,0 +1,2 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0

Examples/runtimes/python/DynamoDBEncryption/src/searchable_encryption/__init__.py

@@ -0,0 +1,2 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0