wip

Author: lucasmcdonald3

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/encryptor/client.py

@@ -54,56 +54,70 @@ def __init__(
             config = encryption_config
         )
 
-    def put_item(self, **kwargs):
-        # TODO: refactor shared logic (DDB/Python conversions, client/table)
+    def _maybe_transform_request_to_dynamodb_item(self, item_key, **kwargs):
         if self._expect_standard_dictionaries:
-            dynamodb_item = dict_to_ddb(kwargs["Item"])
+            dynamodb_item = dict_to_ddb(kwargs[item_key])
             dynamodb_input = kwargs
-            dynamodb_input["Item"] = dynamodb_item
+            dynamodb_input[item_key] = dynamodb_item
         else:
             dynamodb_input = kwargs
+        return dynamodb_input
+
+    def _maybe_transform_response_item_to_python_dict(self, response):
+        if self._expect_standard_dictionaries:
+            if hasattr(response, "Item"):
+                response["Item"] = ddb_to_dict(response["Item"])
+
+    def _copy_sdk_response_to_dbesdk_response(self, sdk_response, dbesdk_response):
+        for sdk_response_key, sdk_response_value in sdk_response.items():
+            if sdk_response_key not in dbesdk_response:
+                dbesdk_response[sdk_response_key] = sdk_response_value
+
+    def put_item(self, **kwargs):
+        # TODO: refactor shared logic (DDB/Python conversions, client/table)
+        dynamodb_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Item", **kwargs)
+        # if self._expect_standard_dictionaries:
+        #     dynamodb_item = dict_to_ddb(kwargs["Item"])
+        #     dynamodb_input = kwargs
+        #     dynamodb_input["Item"] = dynamodb_item
+        # else:
+        #     dynamodb_input = kwargs
         transformed_request = self._transformer.put_item_input_transform(
             PutItemInputTransformInput(
                 sdk_input = dynamodb_input
             )
         ).transformed_input
-        sdk_output = self._client.put_item(**transformed_request)
-        transformed_response = self._transformer.put_item_output_transform(
+        sdk_response = self._client.put_item(**transformed_request)
+        dbesdk_response = self._transformer.put_item_output_transform(
             PutItemOutputTransformInput(
                 original_input = dynamodb_input,
-                sdk_output = sdk_output,
+                sdk_output = sdk_response,
             )
         ).transformed_output
-        response = transformed_response
-        for sdk_output_key, sdk_output_value in sdk_output.items():
-            if sdk_output_key not in transformed_response:
-                response[sdk_output_key] = sdk_output_value
-        # TODO: standard dicts transform output
+        self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return response
 
     def get_item(self, **kwargs):
-        if self._expect_standard_dictionaries:
-            dynamodb_item = dict_to_ddb(kwargs["Key"])
-            dynamodb_input = kwargs
-            dynamodb_input["Key"] = dynamodb_item
-        else:
-            dynamodb_input = kwargs
+        dynamodb_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
         transformed_request = self._transformer.get_item_input_transform(
             GetItemInputTransformInput(
                 sdk_input = dynamodb_input
             )
         ).transformed_input
-        sdk_output = self._client.get_item(**transformed_request)
-        transformed_response = self._transformer.get_item_output_transform(
+        sdk_response = self._client.get_item(**transformed_request)
+        dbesdk_response = self._transformer.get_item_output_transform(
             GetItemOutputTransformInput(
                 original_input = dynamodb_input,
-                sdk_output = sdk_output,
+                sdk_output = sdk_response,
             )
         ).transformed_output
-        response = transformed_response
-        for sdk_output_key, sdk_output_value in sdk_output.items():
-            if sdk_output_key not in transformed_response:
-                response[sdk_output_key] = sdk_output_value
-        if self._expect_standard_dictionaries:
-            response["Item"] = ddb_to_dict(response["Item"])
+        self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return response
+        
+    def __getattr__(self, name):
+        if hasattr(self._client, name):
+            print(f'calling underlyign client {name=}')
+            return getattr(self._client, name)
+        raise KeyError("idk")

Examples/runtimes/python/DynamoDBEncryption/.gitignore

@@ -0,0 +1,17 @@
+# Python build artifacts
+__pycache__
+**/__pycache__
+*.pyc
+src/**.egg-info/
+build
+poetry.lock
+**/poetry.lock
+dist
+
+# Dafny-generated Python
+**/internaldafny/generated/*.py
+
+# Python test artifacts
+.tox
+.pytest_cache
+

Examples/runtimes/python/DynamoDBEncryption/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/DynamoDBEncryption/src/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/DynamoDBEncryption/src/encrypted_client.py

@@ -1,3 +1,20 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""
+This example sets up an EncryptedClient wrapper for the AWS SDK client
+and uses the PutItem and GetItem DDB APIs to demonstrate
+putting a client-side encrypted item into DynamoDb
+and then retrieving and decrypting that item from DynamoDb.
+
+Running this example requires access to the DDB Table whose name
+is provided in the function arguments.
+This table must be configured with the following
+primary key configuration:
+- Partition key is named "partition_key" with type (S)
+- Sort key is named "sort_key" with type (N)
+
+This example also requires access to the KMS key ARN with permissions: (TODO)
+"""
 import boto3
 from boto3.dynamodb.types import Binary
 from decimal import Decimal
@@ -13,111 +30,141 @@
 from aws_database_encryption_sdk.smithygenerated.aws_cryptography_dbencryptionsdk_structuredencryption.models import (
     CryptoAction,
 )
-
-mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
-    config=MaterialProvidersConfig()
-)
-
-kms_key_id = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f"
-mrk_key_id = "arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7"
-
-kms_mrk_multi_keyring_input: CreateAwsKmsMrkMultiKeyringInput =\
-    CreateAwsKmsMrkMultiKeyringInput(
-        generator=mrk_key_id,
-        kms_key_ids=[kms_key_id]
-    )
-
-kms_mrk_multi_keyring: IKeyring = mat_prov.create_aws_kms_mrk_multi_keyring(
-    input=kms_mrk_multi_keyring_input
-)
-
-attribute_actions_on_encrypt = {
-    "partition_key": CryptoAction.SIGN_ONLY,
-    "sort_key": CryptoAction.SIGN_ONLY,
-    "attribute1": CryptoAction.ENCRYPT_AND_SIGN,
-    "attribute2": CryptoAction.SIGN_ONLY,
-    ":attribute3": CryptoAction.DO_NOTHING,
-}
-
-# 2. Create encryption context.
-# Remember that your encryption context is NOT SECRET.
-# For more information, see
-# https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
-encryption_context = {
-    "encryption": "context",
-    "is not": "secret",
-    "but adds": "useful metadata",
-    "that can help you": "be confident that",
-    "the data you are handling": "is what you think it is",
-}
-
-unsignAttrPrefix: str = ":"
-
 from aws_database_encryption_sdk.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb.models import (
     DynamoDbTableEncryptionConfig,
     DynamoDbTablesEncryptionConfig,
 )
-
-ddb_table_name = "DynamoDbEncryptionInterceptorTestTable"
-
-table_configs = {}
-
-table_config = DynamoDbTableEncryptionConfig(
-    logical_table_name = ddb_table_name,
-    partition_key_name = "partition_key",
-    sort_key_name = "sort_key",
-    attribute_actions_on_encrypt = attribute_actions_on_encrypt,
-    keyring = kms_mrk_multi_keyring,
-    allowed_unsigned_attribute_prefix = unsignAttrPrefix,
-    algorithm_suite_id = DBEAlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384,
-)
-
-table_configs[ddb_table_name] = table_config
-
-tables_config = DynamoDbTablesEncryptionConfig(
-    table_encryption_configs = table_configs
-)
-
 from aws_database_encryption_sdk.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_transforms.models import (
     GetItemOutputTransformInput,
     PutItemInputTransformInput
 )
-
-# "Main"
-
 from aws_database_encryption_sdk.encryptor.client import (
     EncryptedClient
 )
 
-item_to_encrypt = {
-    "partition_key": "LucasPythonTesting",
-    "sort_key": 1234,
-    "attribute1": "abc"
-}
-
-encrypted_client = EncryptedClient(
-    client = boto3.client("dynamodb"),
-    encryption_config = tables_config,
-    expect_standard_dictionaries = True,
-)
-
-put_item = {
-    "TableName": ddb_table_name,
-    "Item": item_to_encrypt,
-}
-
-put_item_output = encrypted_client.put_item(**put_item)
-
-item_to_get = {
-    "partition_key": "LucasPythonTesting",
-    "sort_key": 1234,
-}
+def encrypted_client_put_get_example(
+    kms_key_id: str,
+    dynamodb_table_name: str,
+):
+    # 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
+    #    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
+    #    We will use the `CreateMrkMultiKeyring` method to create this keyring,
+    #    as it will correctly handle both single region and Multi-Region KMS Keys.
+    mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders(
+        config=MaterialProvidersConfig()
+    )
+    kms_mrk_multi_keyring_input: CreateAwsKmsMrkMultiKeyringInput =\
+        CreateAwsKmsMrkMultiKeyringInput(
+            generator=kms_key_id,
+        )
+    kms_mrk_multi_keyring: IKeyring = mat_prov.create_aws_kms_mrk_multi_keyring(
+        input=kms_mrk_multi_keyring_input
+    )
 
-get_item = {
-    "TableName": ddb_table_name,
-    "Key": item_to_get
-}
+    # 2. Configure which attributes are encrypted and/or signed when writing new items.
+    #    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+    #    we must explicitly configure how they should be treated during item encryption:
+    #      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+    #      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+    #      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+    attribute_actions_on_encrypt = {
+        "partition_key": CryptoAction.SIGN_ONLY,
+        "sort_key": CryptoAction.SIGN_ONLY,
+        "attribute1": CryptoAction.ENCRYPT_AND_SIGN,
+        "attribute2": CryptoAction.SIGN_ONLY,
+        ":attribute3": CryptoAction.DO_NOTHING,
+    }
+
+    # 3. Configure which attributes we expect to be included in the signature
+    #    when reading items. There are two options for configuring this:
+    #
+    #    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+    #      When defining your DynamoDb schema and deciding on attribute names,
+    #      choose a distinguishing prefix (such as ":") for all attributes that
+    #      you do not want to include in the signature.
+    #      This has two main benefits:
+    #      - It is easier to reason about the security and authenticity of data within your item
+    #        when all unauthenticated data is easily distinguishable by their attribute name.
+    #      - If you need to add new unauthenticated attributes in the future,
+    #        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+    #        and immediately start writing to that new attribute, without
+    #        any other configuration update needed.
+    #      Once you configure this field, it is not safe to update it.
+    #
+    #    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+    #      a set of attributes that should be considered unauthenticated when encountered
+    #      on read. Be careful if you use this configuration. Do not remove an attribute
+    #      name from this configuration, even if you are no longer writing with that attribute,
+    #      as old items may still include this attribute, and our configuration needs to know
+    #      to continue to exclude this attribute from the signature scope.
+    #      If you add new attribute names to this field, you must first deploy the update to this
+    #      field to all readers in your host fleet before deploying the update to start writing
+    #      with that new attribute.
+    #
+    #   For this example, we have designed our DynamoDb table such that any attribute name with
+    #   the ":" prefix should be considered unauthenticated.
+    unsignAttrPrefix: str = ":"
+
+    # 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
+    table_configs = {}
+    table_config = DynamoDbTableEncryptionConfig(
+        logical_table_name = dynamodb_table_name,
+        partition_key_name = "partition_key",
+        sort_key_name = "sort_key",
+        attribute_actions_on_encrypt = attribute_actions_on_encrypt,
+        keyring = kms_mrk_multi_keyring,
+        allowed_unsigned_attribute_prefix = unsignAttrPrefix,
+        algorithm_suite_id = DBEAlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384,
+    )
+    table_configs[dynamodb_table_name] = table_config
+    tables_config = DynamoDbTablesEncryptionConfig(
+        table_encryption_configs = table_configs
+    )
 
-get_item_output = encrypted_client.get_item(**get_item)
+    # 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
+    encrypted_client = EncryptedClient(
+        client = boto3.client("dynamodb"),
+        encryption_config = tables_config,
+        expect_standard_dictionaries = True,
+    )
 
-assert get_item_output["Item"] == item_to_encrypt
+    # 6. Put an item into our table using the above client.
+    #    Before the item gets sent to DynamoDb, it will be encrypted
+    #    client-side, according to our configuration.
+    item_to_encrypt = {
+        "partition_key": "BasicPutGetExample",
+        "sort_key": 0,
+        "attribute1": "encrypt and sign me!",
+        "attribute2": "sign me!",
+        ":attribute3": "ignore me!",
+    }
+
+    put_item_request = {
+        "TableName": dynamodb_table_name,
+        "Item": item_to_encrypt,
+    }
+
+    put_item_response = encrypted_client.put_item(**put_item_request)
+
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # 7. Get the item back from our table using the same client.
+    #    The client will decrypt the item client-side, and return
+    #    back the original item.
+    key_to_get = {
+        "partition_key": "BasicPutGetExample",
+        "sort_key": 0,
+    }
+
+    get_item_request = {
+        "TableName": dynamodb_table_name,
+        "Key": key_to_get
+    }
+
+    get_item_response = encrypted_client.get_item(**get_item_request)
+
+    # Demonstrate that GetItem succeeded
+    assert get_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+    assert get_item_response["Item"] == item_to_encrypt
+    assert get_item_response["Item"]["attribute1"] == "encrypt and sign me!"