sync

Lucas McDonald · Lucas McDonald · commit 28e03f332967 · 2025-05-19T15:23:01.000-07:00
diff --git a/DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/encrypted/table.py b/DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/encrypted/table.py
@@ -19,6 +19,8 @@
     DynamoDbEncryptionTransforms,
 )
 from aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_transforms.models import (
+    DeleteItemInputTransformInput,
+    DeleteItemOutputTransformInput,
     GetItemInputTransformInput,
     GetItemOutputTransformInput,
     PutItemInputTransformInput,
@@ -27,6 +29,8 @@
     QueryOutputTransformInput,
     ScanInputTransformInput,
     ScanOutputTransformInput,
+    UpdateItemInputTransformInput,
+    UpdateItemOutputTransformInput,
 )
 
 
@@ -47,8 +51,10 @@ class EncryptedTable(EncryptedBotoInterface):
         * ``get_item``
         * ``query``
         * ``scan``
+        * ``delete_item``
 
-    The ``update_item`` operation is not currently supported. Calling this operation will raise ``NotImplementedError``.
+    Any calls to ``update_item`` can only update unsigned attributes. If an attribute to be updated is marked as signed,
+    this operation will raise a ``DynamoDbEncryptionTransformsException``.
 
     Calling ``batch_writer()`` will return a ``BatchWriter`` that transparently encrypts batch write requests.
 
@@ -197,18 +203,69 @@ def scan(self, **kwargs) -> dict[str, Any]:
             table_method=self._table.scan,
         )
 
+    def delete_item(self, **kwargs) -> dict[str, Any]:
+        """
+        Delete an item from the table.
+
+        The input and output syntaxes match those for the boto3 DynamoDB table ``delete_item`` API:
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/delete_item.html
+
+        Args:
+            **kwargs: Keyword arguments to pass to the operation. This matches the boto3 Table ``delete_item`` request
+                syntax.
+
+        Returns:
+            dict: The response from DynamoDB. This matches the boto3 Table ``delete_item`` response syntax.
+            Any values in ``"Attributes"`` will be decrypted locally after being read from DynamoDB.
+
+        """
+        return self._table_operation_logic(
+            operation_input=kwargs,
+            input_encryption_transform_method=self._transformer.delete_item_input_transform,
+            input_encryption_transform_shape=DeleteItemInputTransformInput,
+            input_resource_to_client_shape_transform_method=self._resource_shape_to_client_shape_converter.delete_item_request,
+            input_client_to_resource_shape_transform_method=self._client_shape_to_resource_shape_converter.delete_item_request,
+            output_encryption_transform_method=self._transformer.delete_item_output_transform,
+            output_encryption_transform_shape=DeleteItemOutputTransformInput,
+            output_resource_to_client_shape_transform_method=self._resource_shape_to_client_shape_converter.delete_item_response,
+            output_client_to_resource_shape_transform_method=self._client_shape_to_resource_shape_converter.delete_item_response,
+            table_method=self._table.delete_item,
+        )
+
     def update_item(self, **kwargs):
         """
-        Not implemented. Raises ``NotImplementedError``.
+        Update an unsigned attribute in the table.
+
+        If the attribute is signed, this operation will raise DynamoDbEncryptionTransformsException.
+
+        The input and output syntaxes match those for the boto3 DynamoDB table ``update_item`` API:
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/table/update_item.html
 
         Args:
-            **kwargs: Any arguments passed to this method
+            **kwargs: Keyword arguments to pass to the operation. This matches the boto3 Table ``update_item`` request
+                syntax.
+
+        Returns:
+            dict: The response from DynamoDB. This matches the boto3 Table ``update_item`` response syntax.
 
         Raises:
-            NotImplementedError: This operation is not yet implemented
+            DynamoDbEncryptionTransformsException: If an attribute specified in the ``UpdateExpression`` is signed.
 
         """
-        raise NotImplementedError('"update_item" is not yet implemented')
+        return self._table_operation_logic(
+            operation_input=kwargs,
+            input_encryption_transform_method=self._transformer.update_item_input_transform,
+            input_encryption_transform_shape=UpdateItemInputTransformInput,
+            input_resource_to_client_shape_transform_method=self._resource_shape_to_client_shape_converter.update_item_request,
+            input_client_to_resource_shape_transform_method=self._client_shape_to_resource_shape_converter.update_item_request,
+            output_encryption_transform_method=self._transformer.update_item_output_transform,
+            output_encryption_transform_shape=UpdateItemOutputTransformInput,
+            output_resource_to_client_shape_transform_method=self._resource_shape_to_client_shape_converter.update_item_response,
+            output_client_to_resource_shape_transform_method=self._client_shape_to_resource_shape_converter.update_item_response,
+            table_method=self._table.update_item,
+        )
 
     def batch_writer(self, overwrite_by_pkeys: list[str] | None = None) -> BatchWriter:
         """
diff --git a/DynamoDbEncryption/runtimes/python/test/integ/encrypted/test_table.py b/DynamoDbEncryption/runtimes/python/test/integ/encrypted/test_table.py
@@ -2,17 +2,23 @@
 import pytest
 
 from aws_dbesdk_dynamodb.encrypted.table import EncryptedTable
+from aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_transforms.errors import (
+    DynamoDbEncryptionTransformsException,
+)
 
 from ...constants import (
     INTEG_TEST_DEFAULT_DYNAMODB_TABLE_NAME,
     INTEG_TEST_DEFAULT_TABLE_CONFIGS,
 )
 from ...items import complex_item_dict, simple_item_dict
 from ...requests import (
+    basic_delete_item_request_dict,
     basic_get_item_request_dict,
     basic_put_item_request_dict,
     basic_query_request_dict,
     basic_scan_request_dict,
+    basic_update_item_request_dict_signed_attribute,
+    basic_update_item_request_dict_unsigned_attribute,
 )
 
 
@@ -61,21 +67,37 @@ def test_item(request):
     return request.param
 
 
-def test_GIVEN_item_WHEN_basic_put_and_basic_get_THEN_round_trip_passes(table, test_item):
-    """Test put_item and get_item operations."""
-    # Given: Simple and complex items in appropriate format for client
+def test_GIVEN_item_WHEN_basic_put_AND_basic_get_AND_basic_delete_THEN_round_trip_passes(table, test_item):
+    """Test put_item, get_item, and delete_item operations."""
+    # Given: Valid put_item request
     put_item_request_dict = basic_put_item_request_dict(test_item)
-
-    # When: Putting and getting item
+    # When: put_item
     put_response = table.put_item(**put_item_request_dict)
+    # Then: put_item succeeds
     assert put_response["ResponseMetadata"]["HTTPStatusCode"] == 200
 
+    # Given: Valid get_item request for the same item
     get_item_request_dict = basic_get_item_request_dict(test_item)
+    # When: get_item
     get_response = table.get_item(**get_item_request_dict)
     # Then: Simple item is encrypted and decrypted correctly
     assert get_response["ResponseMetadata"]["HTTPStatusCode"] == 200
     assert get_response["Item"] == put_item_request_dict["Item"]
 
+    # Given: Valid delete_item request for the same item
+    delete_item_request_dict = basic_delete_item_request_dict(test_item)
+    # When: delete_item
+    delete_response = table.delete_item(**delete_item_request_dict)
+    # Then: delete_item succeeds
+    assert delete_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # Given: Valid get_item request for the same item
+    get_item_request_dict = basic_get_item_request_dict(test_item)
+    # When: get_item
+    get_response = table.get_item(**get_item_request_dict)
+    # Then: get_item is empty (i.e. the item was deleted)
+    assert "Item" not in get_response
+
 
 def test_GIVEN_items_WHEN_batch_write_and_get_THEN_round_trip_passes(
     table,
@@ -154,7 +176,6 @@ def scan_request(encrypted, test_item):
 
 
 def test_GIVEN_valid_put_and_scan_requests_WHEN_put_and_scan_THEN_round_trip_passes(table, test_item, scan_request):
-    """Test put_item and scan operations."""
     # Given: Simple and complex items in appropriate format for client
     put_item_request_dict = basic_put_item_request_dict(test_item)
     table.put_item(**put_item_request_dict)
@@ -166,24 +187,44 @@ def test_GIVEN_valid_put_and_scan_requests_WHEN_put_and_scan_THEN_round_trip_pas
     assert scan_response["ResponseMetadata"]["HTTPStatusCode"] == 200
 
 
-def test_WHEN_update_item_THEN_raises_not_implemented_error():
-    # Given: Encrypted client and update item parameters
+def test_GIVEN_update_for_unsigned_attribute_WHEN_update_item_THEN_passes(table, test_item):
+    # Given: some item is already in the table
+    put_response = table.put_item(**basic_put_item_request_dict(test_item))
+    assert put_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # Given: Valid update item request for unsigned attribute
+    update_item_request = basic_update_item_request_dict_unsigned_attribute(test_item)
+
     # When: Calling update_item
-    with pytest.raises(NotImplementedError):
-        encrypted_table().update_item(
-            TableName=INTEG_TEST_DEFAULT_DYNAMODB_TABLE_NAME,
-            Key={"partition_key": "test-key", "sort_key": 1},
-            UpdateExpression="SET attribute1 = :val",
-            ExpressionAttributeValues={":val": {"S": "new value"}},
-        )
-    # Then: NotImplementedError is raised
+    update_response = table.update_item(**update_item_request)
+    # Then: update_item succeeds
+    assert update_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+
+def test_GIVEN_update_for_signed_attribute_WHEN_update_item_THEN_raises_DynamoDbEncryptionTransformsException(
+    table, test_item, encrypted
+):
+    if not encrypted:
+        pytest.skip("Skipping negative test for plaintext client")
+
+    # Given: some item is already in the table
+    put_response = table.put_item(**basic_put_item_request_dict(test_item))
+    assert put_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+    # Given: Valid update item request for signed attribute
+    update_item_request = basic_update_item_request_dict_signed_attribute(test_item)
+
+    # Then: raises DynamoDbEncryptionTransformsException
+    with pytest.raises(DynamoDbEncryptionTransformsException):
+        # When: Calling update_item
+        table.update_item(**update_item_request)
 
 
 def test_WHEN_call_passthrough_method_THEN_correct_response_is_returned():
     """Test that calling a passthrough method returns the correct response."""
-    # Given: Encrypted client
-    # When: Calling some passthrough method that does not explicitly exist on EncryptedClient,
-    # but exists on the underlying boto3 client
-    response = encrypted_table().meta.client.list_backups()
-    # Then: Correct response is returned, i.e. EncryptedClient forwards the call to the underlying boto3 client
-    assert response["ResponseMetadata"]["HTTPStatusCode"] == 200
+    # Given: Encrypted or plaintext table
+    # When: Calling some passthrough method that does not explicitly exist on EncryptedTable,
+    # but exists on the underlying boto3 table
+    response = encrypted_table().table_name
+    # Then: Correct response is returned, i.e. EncryptedTable forwards the call to the underlying boto3 table
+    assert response == INTEG_TEST_DEFAULT_DYNAMODB_TABLE_NAME
diff --git a/Examples/runtimes/python/DynamoDBEncryption/src/basic_put_get_example/with_encrypted_table.py b/Examples/runtimes/python/DynamoDBEncryption/src/basic_put_get_example/with_encrypted_table.py
@@ -110,7 +110,7 @@ def encrypted_table_put_get_example(
     table_configs[dynamodb_table_name] = table_config
     tables_config = DynamoDbTablesEncryptionConfig(table_encryption_configs=table_configs)
 
-    # 5. Create the EncryptedClient
+    # 5. Create the EncryptedTable
     encrypted_table = EncryptedTable(
         table=boto3.resource("dynamodb").Table(dynamodb_table_name),
         encryption_config=tables_config,
@@ -128,7 +128,6 @@ def encrypted_table_put_get_example(
     }
 
     put_item_request = {
-        "TableName": dynamodb_table_name,
         "Item": item_to_encrypt,
     }
 
@@ -142,7 +141,7 @@ def encrypted_table_put_get_example(
     #    back the original item.
     key_to_get = {"partition_key": "BasicPutGetExample", "sort_key": 0}
 
-    get_item_request = {"TableName": dynamodb_table_name, "Key": key_to_get}
+    get_item_request = {"Key": key_to_get}
 
     get_item_response = encrypted_table.get_item(**get_item_request)
 
diff --git a/Examples/runtimes/python/DynamoDBEncryption/test/basic_put_get_example/test_with_encrypted_table.py b/Examples/runtimes/python/DynamoDBEncryption/test/basic_put_get_example/test_with_encrypted_table.py
@@ -1,6 +1,6 @@
 # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-"""Test suite for the EncryptedClient example."""
+"""Test suite for the EncryptedTable example."""
 import pytest
 
 from ...src.basic_put_get_example.with_encrypted_table import encrypted_table_put_get_example
@@ -9,7 +9,7 @@
 
 
 def test_encrypted_table_put_get_example():
-    """Test function for encrypt and decrypt using the EncryptedClient example."""
+    """Test function for encrypt and decrypt using the EncryptedTable example."""
     test_kms_key_id = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f"
     test_dynamodb_table_name = "DynamoDbEncryptionInterceptorTestTable"
     encrypted_table_put_get_example(test_kms_key_id, test_dynamodb_table_name)
