migration 2

Author: imabhichow

DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/internaldafny/extern/InternalLegacyOverride.py

@@ -158,7 +158,7 @@ def EncryptItem(self, input):
                 )
 
             # Use the encryptor to encrypt the item using the instance attributes
-            encrypted_item = self.encryptor.encrypt_item(
+            encrypted_item = self.encryptor._encrypt_item(
                 plaintext_item, actions=self.attribute_actions, encryption_context=self.encryption_context
             )
 
@@ -202,8 +202,8 @@ def DecryptItem(self, input):
                 )
 
             # Use the encryptor to decrypt the item using the instance attributes
-            decrypted_item = self.encryptor.decrypt_item(
-                encrypted_item, actions=self.attribute_actions, encryption_context=self.encryption_context
+            decrypted_item = self.encryptor._decrypt_item(
+                encrypted_item,
             )
 
             # Create the output with the decrypted item

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/README.md

@@ -10,63 +10,46 @@ The migration process is demonstrated through a series of example steps that sho
 
 ### Step 0: Legacy DynamoDB Encryption Client
 
-[migration_step0.py](./migration_step0.py) demonstrates using the legacy DynamoDB Encryption Client to encrypt and decrypt items. This represents the starting point for migration.
+[migration_step_0.py](./ddbec/migration_step_0.py) demonstrates using the legacy DynamoDB Encryption Client to encrypt and decrypt items. This represents the starting point for migration.
 
 Key concepts:
+
 - Setting up the legacy client with an AWS KMS cryptographic materials provider
 - Defining attribute actions for encryption/signing
 - Storing and retrieving encrypted items
 
 ### Step 1: AWS Database Encryption SDK with Legacy Override
 
-[migration_step1.py](./migration_step1.py) demonstrates how to start using the AWS Database Encryption SDK with a pre-existing table used with the DynamoDB Encryption Client. 
+[migration_step_1.py](./awsdbe/migration_step_1.py) demonstrates how to start using the AWS Database Encryption SDK with a pre-existing table used with the DynamoDB Encryption Client.
 
 Key concepts:
+
 - Configure AWS DBESDK to read items encrypted in the legacy format
 - Continue to encrypt items in the legacy format (FORCE_LEGACY_ENCRYPT_ALLOW_DECRYPT policy)
 - Read items encrypted in the new format
 - Deploy this step to all readers before moving to step 2
 
 ### Step 2: Full Migration to AWS Database Encryption SDK
 
-[migration_step2.py](./migration_step2.py) demonstrates the next step in the migration process, using both the pure AWS DBESDK client and the legacy-override client side by side.
+[migration_step_2.py](./awsdbe/migration_step_2.py) demonstrates the next step in the migration process, using both the pure AWS DBESDK client and the legacy-override client side by side.
 
 Key concepts:
+
 - Create a pure AWS DBESDK client for new data
 - Keep using legacy-override client when needed for legacy data
 - Re-encrypt legacy data with the new client
 - Demonstrate that the legacy-override client can read both formats
 
 ### Step 3: Complete Migration - Using Only AWS DBESDK
 
-[migration_step3.py](./migration_step3.py) demonstrates the final state of the migration, where all data has been re-encrypted using the new format.
+[migration_step_3.py](./awsdbe/migration_step_3.py) demonstrates the final state of the migration, where all data has been re-encrypted using the new format.
 
 Key concepts:
+
 - Use only the pure AWS DBESDK client (no more legacy override)
 - Verify all previously re-encrypted data is readable
 - Add new data using the pure client
 
-### Run All Migration Steps
-
-[run_all.py](./run_all.py) runs all four migration steps in sequence, demonstrating the entire migration path.
-
-## How to Run
-
-To run an individual step:
-
-```bash
-python -m Examples.runtimes.python.DynamoDBEncryption.src.migration.ddbec_to_awsdbe.migration_step0
-python -m Examples.runtimes.python.DynamoDBEncryption.src.migration.ddbec_to_awsdbe.migration_step1
-python -m Examples.runtimes.python.DynamoDBEncryption.src.migration.ddbec_to_awsdbe.migration_step2
-python -m Examples.runtimes.python.DynamoDBEncryption.src.migration.ddbec_to_awsdbe.migration_step3
-```
-
-To run all steps in sequence:
-
-```bash
-python -m Examples.runtimes.python.DynamoDBEncryption.src.migration.ddbec_to_awsdbe.run_all
-```
-
 ## Prerequisites
 
 Before running these examples:

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/common.py

@@ -129,7 +129,7 @@ def setup_pure_awsdbe_client(kms_key_id: str, ddb_table_name: str):
     )
 
 
-def setup_awsdbe_client_with_legacy_override(kms_key_id: str, ddb_table_name: str):
+def setup_awsdbe_client_with_legacy_override(kms_key_id: str, ddb_table_name: str, policy: str):
     """
     Set up a pure AWS Database Encryption SDK client without legacy override.
 
@@ -151,14 +151,12 @@ def setup_awsdbe_client_with_legacy_override(kms_key_id: str, ddb_table_name: st
         materials_provider=cmp,
     )
 
-    # 2. Configure our legacy behavior, inputting the DynamoDBEncryptor and attribute actions
-    #    created above. For Legacy Policy, use `FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
-    #    With this policy, you will continue to read and write items using the old format,
-    #    but will be able to start reading new items in the new format as soon as they appear.
+    # 2. Configure our legacy behavior, inputting the DynamoDBEncryptor, attribute actions
+    #    created above, and  legacy pooicy. 
     legacy_override = LegacyOverride(
         encryptor=legacy_encrypted_client,
         attribute_actions_on_encrypt=ATTRIBUTE_ACTIONS_ON_ENCRYPT,
-        policy=LegacyPolicy.FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT,
+        policy=policy,
     )
 
     # 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/migration_step_1.py

@@ -22,6 +22,7 @@
   - Partition key is named "partition_key" with type (S)
   - Sort key is named "sort_key" with type (S)
 """
+from aws_dbesdk_dynamodb.structures.dynamodb import LegacyPolicy
 
 import boto3
 
@@ -30,7 +31,7 @@
 from .common import setup_awsdbe_client_with_legacy_override
 
 
-def migration_step_1(kms_key_id, ddb_table_name, sort_read_value=0):
+def migration_step_1(kms_key_id: str, ddb_table_name: str, sort_read_value: int=1):
     """
     Migration Step 1: Using the AWS Database Encryption SDK with Legacy Override.
 
@@ -40,13 +41,14 @@ def migration_step_1(kms_key_id, ddb_table_name, sort_read_value=0):
         sort_read_value: The sort key value to read
 
     """
-    # 1. Create AWS SDK DynamoDB Client
-    ddb_client = boto3.client("dynamodb")
-
-    # 2. Create a DynamoDB Encryption SDK client with legacy override
-    encrypted_client = setup_awsdbe_client_with_legacy_override(kms_key_id=kms_key_id, ddb_table_name=ddb_table_name)
-
-    # 3. Put an item in the old format since we are using a legacy override
+    # 1. Create a DynamoDB Encryption SDK client with legacy override.
+    #    For Legacy Policy, use `FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
+    #    With this policy, you will continue to read and write items using the old format,
+    #    but will be able to start reading new items in the new format as soon as they appear
+    policy=LegacyPolicy.FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT
+    encrypted_client = setup_awsdbe_client_with_legacy_override(kms_key_id=kms_key_id, ddb_table_name=ddb_table_name, policy=policy)
+
+    # 2. Put an item in the old format since we are using a legacy override
     #    with FORCE_LEGACY_ENCRYPT_ALLOW_DECRYPT policy
     item_to_encrypt = {
         "partition_key": {"S": "MigrationExampleForPython"},
@@ -67,24 +69,24 @@ def migration_step_1(kms_key_id, ddb_table_name, sort_read_value=0):
     print("Put Item Response SHOULD have legacy attributes")
     print(f"Put Item Response: {put_item_response['Item']}")
 
-    # 4. Get the item back from DynamoDB directly and decrypt it with our client.
-    #    Because we used FORCE_LEGACY_ENCRYPT_ALLOW_DECRYPT, we expect the item to
-    #    be encrypted in the old format.
+    # 3. Get an item back from the table using the DynamoDb Enhanced Client.
+    #     If this is an item written in the old format (e.g. any item written
+    #     during Step 0 or 1), then we will attempt to decrypt the item
+    #     using the legacy behavior.
+    #     If this is an item written in the new format (e.g. any item written
+    #     during Step 2 or after), then we will attempt to decrypt the item using
+    #     the non-legacy behavior.
     key_to_get = {"partition_key": {"S": "MigrationExampleForPython"}, "sort_key": {"N": str(sort_read_value)}}
 
     get_item_request = {"TableName": ddb_table_name, "Key": key_to_get}
     get_item_response = encrypted_client.get_item(**get_item_request)
 
     # Demonstrate that GetItem succeeded and returned the decrypted item
     assert get_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
-    assert get_item_response["Item"] == item_to_encrypt
-
     decrypted_item = get_item_response["Item"]
     # Demonstrate we get the expected item back
     assert decrypted_item["partition_key"]["S"] == "MigrationExampleForPython"
-    if sort_read_value == 0:
-        assert decrypted_item["attribute1"]["S"] == "encrypt and sign me!"
-    elif sort_read_value == 1:
-        assert decrypted_item["attribute1"]["S"] == "encrypt and sign me!"
+    assert decrypted_item["sort_key"]["N"] == str(sort_read_value)
+    assert decrypted_item["attribute1"]["S"] == "encrypt and sign me!"
     assert decrypted_item["attribute2"]["S"] == "sign me!"
     assert decrypted_item["attribute3"]["S"] == "ignore me!"

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/migration_step_2.py

@@ -25,130 +25,69 @@
 """
 
 import boto3
+from aws_dbesdk_dynamodb.structures.dynamodb import LegacyPolicy
 
 # Import from new AWS Database Encryption SDK
 from .common import setup_awsdbe_client_with_legacy_override, setup_pure_awsdbe_client
 
 
-def migration_step_2(kms_key_id, ddb_table_name):
+def migration_step_2(kms_key_id: str, ddb_table_name: str, sort_read_value: int=2):
     """
     Migration Step 2: Using pure AWS DBESDK and legacy override together.
 
     Args:
         kms_key_id: The ARN of the KMS key to use for encryption
         ddb_table_name: The name of the DynamoDB table
+        sort_read_value: The sort key value to read
 
     """
-    ddb_client = boto3.client("dynamodb")
-
-    # 1. Create two AWS DBESDK clients:
-    #    - A pure client that can only read items encrypted with AWS DBESDK
-    #    - A client with legacy override that can read legacy items
-    pure_client = setup_pure_awsdbe_client(kms_key_id, ddb_table_name)
-    legacy_override_client = setup_awsdbe_client_with_legacy_override(kms_key_id, ddb_table_name)
-
-    # 2. Write a new item using the pure client (it will use the new encryption format)
-    item = {
+    # 1. Create a DynamoDB Encryption SDK client with legacy override.
+    #    When configuring our legacy behavior, use `FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT`.
+    #    With this policy, you will continue to read items in both formats,
+    #    but will only write new items using the new format.
+    encrypted_client = setup_awsdbe_client_with_legacy_override(kms_key_id, ddb_table_name, policy=LegacyPolicy.FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT)
+
+    # 2. Put an item into your table using the DB ESDK Client.
+    #    This item will be encrypted in the latest format, using the
+    #    configuration from your modelled class to decide
+    #    which attribute to encrypt and/or sign.
+    item_to_encrypt = {
         "partition_key": {"S": "MigrationExampleForPython"},
         "sort_key": {"N": str(2)},
         "attribute1": {"S": "encrypt and sign me!"},
         "attribute2": {"S": "sign me!"},
         "attribute3": {"S": "ignore me!"},
     }
 
-    encrypted_item = pure_client.EncryptItem(item)
-    ddb_client.put_item(TableName=ddb_table_name, Item=encrypted_item)
-    print("Put item with sort_key=2 using pure AWS DBESDK client")
-
-    # 3. Attempt to read a legacy-encrypted item (sort_key=0) with the pure client
-    #    This should fail as the pure client doesn't understand the legacy format
-    key = {"partition_key": {"S": "MigrationExampleForPython"}, "sort_key": {"N": str(0)}}
-
-    response = ddb_client.get_item(TableName=ddb_table_name, Key=key)
-
-    if "Item" in response:
-        legacy_item = response["Item"]
-        try:
-            pure_client.DecryptItem(legacy_item)
-            print("Unexpectedly succeeded in decrypting legacy item with pure client!")
-        except Exception as e:
-            print(f"Expected failure: Pure client can't decrypt legacy item: {type(e).__name__}")
-
-    # 4. Read the same legacy item using the client with legacy override
-    #    This should succeed as this client understands both legacy and new formats
-    if "Item" in response:
-        legacy_item = response["Item"]
-        legacy_override_client.DecryptItem(legacy_item)
-        print("Successfully decrypted legacy item (sort_key=0) using client with legacy override")
-
-    # 5. Read the new item (sort_key=2) with both clients
-    #    Both should be able to read the new format
-    key = {"partition_key": {"S": "MigrationExampleForPython"}, "sort_key": {"N": str(2)}}
-
-    response = ddb_client.get_item(TableName=ddb_table_name, Key=key)
-
-    if "Item" in response:
-        new_item = response["Item"]
-        pure_client.DecryptItem(new_item)
-        print("Successfully decrypted new item (sort_key=2) using pure client")
-
-        legacy_override_client.DecryptItem(new_item)
-        print("Successfully decrypted new item (sort_key=2) using client with legacy override")
-
-    # 6. Re-encrypt a legacy item with the new format
-    #    This is how you migrate your data from the legacy format to the new format
-    key = {"partition_key": {"S": "MigrationExampleForPython"}, "sort_key": {"N": str(0)}}
-
-    response = ddb_client.get_item(TableName=ddb_table_name, Key=key)
-
-    if "Item" in response:
-        # Get the legacy encrypted item
-        legacy_item = response["Item"]
-
-        # Decrypt it with the client that has legacy override
-        decrypted_item = legacy_override_client.DecryptItem(legacy_item)
-        print("Successfully decrypted legacy item for re-encryption")
-
-        # Re-encrypt with the pure client (new format)
-        new_encrypted_item = pure_client.EncryptItem(decrypted_item)
-        print("Successfully re-encrypted item in new format")
-
-        # Store the re-encrypted item back in DynamoDB
-        ddb_client.put_item(TableName=ddb_table_name, Item=new_encrypted_item)
-        print("Successfully stored re-encrypted item")
-
-        # Verify we can now read it with the pure client
-        verify_response = ddb_client.get_item(TableName=ddb_table_name, Key=key)
-
-        if "Item" in verify_response:
-            re_encrypted_item = verify_response["Item"]
-            pure_client.DecryptItem(re_encrypted_item)
-            print("Successfully verified re-encrypted item can be read with pure client")
-
-
-# def run_example():
-#     """Run the full migration example."""
-
-#     print("\n=== Migration Example Step 2: Using Pure AWS DBESDK and Legacy Override Together ===")
-
-#     try:
-#         # Ensure we have items from previous steps
-#         # First run migration step 0 to have legacy items
-#         migration_step0.migration_step0(
-#             kms_key_id=common.KMS_KEY_ID,
-#             ddb_table_name=common.TABLE_NAME
-#         )
-
-#         # Now run migration step 2
-#         migration_step2(
-#             kms_key_id=common.KMS_KEY_ID,
-#             ddb_table_name=common.TABLE_NAME
-#         )
-
-#         print("\nMigration Step 2 completed successfully!")
-#         print("This demonstrates how to use both clients side-by-side and")
-#         print("how to re-encrypt legacy data to the new format.")
+    put_item_request = {
+        "TableName": ddb_table_name,
+        "Item": item_to_encrypt,
+    }
 
-#     except Exception as e:
-#         print(f"Error in Migration Step 2: {e}")
-#         raise
+    put_item_response = encrypted_client.put_item(**put_item_request)
+    # Demonstrate that PutItem succeeded
+    assert put_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+    print("Put Item Response SHOULD have legacy attributes")
+    print(f"Put Item Response: {put_item_response['Item']}")
+
+    # 3. Get an item back from the table using the Client.
+    #    If this is an item written in the old format (e.g. any item written
+    #    during Step 0 or 1), then we will attempt to decrypt the item
+    #    using the legacy behavior.
+    #    If this is an item written in the new format (e.g. any item written
+    #    during Step 2 or after), then we will attempt to decrypt the item using
+    #    the non-legacy behavior.
+    key_to_get = {"partition_key": {"S": "MigrationExampleForPython"}, "sort_key": {"N": str(sort_read_value)}}
+
+    get_item_request = {"TableName": ddb_table_name, "Key": key_to_get}
+    get_item_response = encrypted_client.get_item(**get_item_request)
+
+    # Demonstrate that GetItem succeeded and returned the decrypted item
+    assert get_item_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+    decrypted_item = get_item_response["Item"]
+    # Demonstrate we get the expected item back
+    assert decrypted_item["partition_key"]["S"] == "MigrationExampleForPython"
+    assert decrypted_item["sort_key"]["N"] == str(sort_read_value)
+    assert decrypted_item["attribute1"]["S"] == "encrypt and sign me!"
+    assert decrypted_item["attribute2"]["S"] == "sign me!"
+    assert decrypted_item["attribute3"]["S"] == "ignore me!"