fix(EnhancedClient): Recurse through entire table map (#260)

Author: texastony

DynamoDbEncryption/runtimes/java/build.gradle.kts

@@ -105,6 +105,9 @@ dependencies {
     testImplementation("junit:junit:4.13.2")
     // https://mvnrepository.com/artifact/edu.umd.cs.mtc/multithreadedtc
     testImplementation("edu.umd.cs.mtc:multithreadedtc:1.01")
+    // https://mvnrepository.com/artifact/org.projectlombok/lombok
+    testImplementation("org.projectlombok:lombok:1.18.28")
+    testAnnotationProcessor("org.projectlombok:lombok:1.18.28")
 }
 
 publishing {

DynamoDbEncryption/runtimes/java/src/main/java/software/amazon/cryptography/dbencryptionsdk/dynamodb/enhancedclient/DynamoDbEnhancedClientEncryption.java

@@ -1,7 +1,13 @@
 package software.amazon.cryptography.dbencryptionsdk.dynamodb.enhancedclient;
 
-import java.util.*;
-import java.util.stream.Collectors;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
 
 import software.amazon.awssdk.enhanced.dynamodb.IndexMetadata;
 import software.amazon.awssdk.enhanced.dynamodb.KeyAttributeMetadata;
@@ -23,9 +29,8 @@ public class DynamoDbEnhancedClientEncryption {
     public static DynamoDbEncryptionInterceptor CreateDynamoDbEncryptionInterceptor(
             CreateDynamoDbEncryptionInterceptorInput input) {
         Map<String, DynamoDbTableEncryptionConfig> tableConfigs = new HashMap<>();
-        for (String tableName : input.tableEncryptionConfigs().keySet()) {
-            tableConfigs.put(tableName, getTableConfig(input.tableEncryptionConfigs().get(tableName)));
-        }
+        input.tableEncryptionConfigs().forEach(
+            (name, config) -> tableConfigs.put(name, getTableConfig(config, name)));
 
         return DynamoDbEncryptionInterceptor.builder()
                 .config(DynamoDbTablesEncryptionConfig.builder()
@@ -37,42 +42,50 @@ public static DynamoDbEncryptionInterceptor CreateDynamoDbEncryptionInterceptor(
     private static Set<String> attributeNamesUsedInIndices(
         final TableMetadata tableMetadata
     ) {
-        Set<String> partitionAttributeNames = tableMetadata.indices().stream()
+        Set<String> allIndexAttributes = new HashSet<>();
+        tableMetadata.indices().stream()
             .map(IndexMetadata::partitionKey)
             .filter(Optional::isPresent)
             .map(Optional::get)
             .map(KeyAttributeMetadata::name)
-            .collect(Collectors.toSet());
-        Set<String> sortAttributeNames = tableMetadata.indices().stream()
+            .forEach(allIndexAttributes::add);
+        tableMetadata.indices().stream()
             .map(IndexMetadata::sortKey)
             .filter(Optional::isPresent)
             .map(Optional::get)
             .map(KeyAttributeMetadata::name)
-            .collect(Collectors.toSet());
-        Set<String> allIndexAttributes = new HashSet<>();
-        allIndexAttributes.addAll(partitionAttributeNames);
-        allIndexAttributes.addAll(sortAttributeNames);
+            .forEach(allIndexAttributes::add);
         return allIndexAttributes;
     }
 
-    private static DynamoDbTableEncryptionConfig getTableConfig(DynamoDbEnhancedTableEncryptionConfig configWithSchema) {
+    private static DynamoDbTableEncryptionConfig getTableConfig(
+        final DynamoDbEnhancedTableEncryptionConfig configWithSchema,
+        final String tableName
+    ) {
         Map<String, CryptoAction> actions = new HashMap<>();
 
-        Set<String> signOnlyAttributes = configWithSchema.schemaOnEncrypt().tableMetadata().customMetadataObject(CUSTOM_DDB_ENCRYPTION_SIGN_ONLY_PREFIX, Set.class).orElseGet(HashSet::new);
-        Set<String> doNothingAttributes = configWithSchema.schemaOnEncrypt().tableMetadata().customMetadataObject(CUSTOM_DDB_ENCRYPTION_DO_NOTHING_PREFIX, Set.class).orElseGet(HashSet::new);
-        Set<String> keyAttributes = attributeNamesUsedInIndices(configWithSchema.schemaOnEncrypt().tableMetadata());
+        TableSchema<?> topTableSchema = configWithSchema.schemaOnEncrypt();
+        Set<String> signOnlyAttributes = getSignOnlyAttributes(topTableSchema);
+        Set<String> doNothingAttributes = getDoNothingAttributes(topTableSchema);
+        Set<String> keyAttributes = attributeNamesUsedInIndices(topTableSchema.tableMetadata());
 
         if (!Collections.disjoint(keyAttributes, doNothingAttributes)) {
             throw DynamoDbEncryptionException.builder()
-                    .message("Cannot use @DynamoDbEncryptionDoNothing on primary key attributes.")
+                    .message(String.format(
+                        "Cannot use @DynamoDbEncryptionDoNothing on primary key attributes. Found on Table Name: %s",
+                        tableName))
                     .build();
         } else if (!Collections.disjoint(signOnlyAttributes, doNothingAttributes)) {
             throw DynamoDbEncryptionException.builder()
-                    .message("Cannot use @DynamoDbEncryptionDoNothing and @DynamoDbEncryptionSignOnly on same attribute.")
+                    .message(String.format(
+                        "Cannot use @DynamoDbEncryptionDoNothing and @DynamoDbEncryptionSignOnly on same attribute. Found on Table Name: %s",
+                        tableName))
                     .build();
         }
 
-        List<String> attributeNames = configWithSchema.schemaOnEncrypt().attributeNames();
+        List<String> attributeNames = topTableSchema.attributeNames();
+        StringBuilder path = new StringBuilder();
+        path.append(tableName).append(".");
         for (String attributeName : attributeNames) {
             if (keyAttributes.contains(attributeName)) {
                 // key attributes are always SIGN_ONLY
@@ -87,14 +100,14 @@ private static DynamoDbTableEncryptionConfig getTableConfig(DynamoDbEnhancedTabl
             }
 
             // Detect Encryption Flags that are Ignored b/c they are in a Nested Class
-            scanForIgnoredEncryptionTagsShallow(configWithSchema, attributeName);
+            scanForIgnoredEncryptionTags(topTableSchema, attributeName, path);
         }
 
         DynamoDbTableEncryptionConfig.Builder builder = DynamoDbTableEncryptionConfig.builder();
-        String partitionName = configWithSchema.schemaOnEncrypt().tableMetadata().primaryPartitionKey();
+        String partitionName = topTableSchema.tableMetadata().primaryPartitionKey();
         builder = builder.partitionKeyName(partitionName);
 
-        Optional<String> sortName = configWithSchema.schemaOnEncrypt().tableMetadata().primarySortKey();
+        Optional<String> sortName = topTableSchema.tableMetadata().primarySortKey();
         if (sortName.isPresent()) {
             builder = builder.sortKeyName(sortName.get());
         }
@@ -122,10 +135,22 @@ private static DynamoDbTableEncryptionConfig getTableConfig(DynamoDbEnhancedTabl
                 .build();
     }
 
+    @SuppressWarnings("unchecked")
+    private static Set<String> getSignOnlyAttributes(TableSchema<?> tableSchema) {
+        return tableSchema.tableMetadata()
+            .customMetadataObject(CUSTOM_DDB_ENCRYPTION_SIGN_ONLY_PREFIX, Set.class)
+            .orElseGet(HashSet::new);
+    }
+
+    @SuppressWarnings("unchecked")
+    private static Set<String> getDoNothingAttributes(TableSchema<?> tableSchema) {
+        return tableSchema.tableMetadata()
+            .customMetadataObject(CUSTOM_DDB_ENCRYPTION_DO_NOTHING_PREFIX, Set.class)
+            .orElseGet(HashSet::new);
+    }
+
     /**
      * Detects DynamoDB Encryption Tags in Nested Enhanced Types.<p>
-     * This method ONLY parses ONE Layer of nesting.<p>
-     * It does NOT traverse further nested Enhanced Types.<p>
      * DynamoDB Encryption Tags in Nested Classes are IGNORED by the
      * Database Encryption SDK for DynamoDB.<p>
      * As such, Detection of a nested DynamoDB Encryption Tag on a Nested Type
@@ -138,30 +163,42 @@ private static DynamoDbTableEncryptionConfig getTableConfig(DynamoDbEnhancedTabl
      * as any Encryption Tag on the field that will be "flattened" is ignored.<p>
      * This method DOES NOT detect these "ignored-by-flattened" tags.
      */
-    private static void scanForIgnoredEncryptionTagsShallow(
-        final DynamoDbEnhancedTableEncryptionConfig configWithSchema,
-        final String attributeName
+    private static void scanForIgnoredEncryptionTags(
+        final TableSchema<?> tableSchema,
+        final String attributeName,
+        final StringBuilder path
     ) {
-        AttributeConverter attributeConverter = configWithSchema.schemaOnEncrypt().converterForAttribute(attributeName);
+        AttributeConverter<?> attributeConverter = tableSchema.converterForAttribute(attributeName);
+        StringBuilder attributePath = new StringBuilder(path).append(attributeName).append(".");
         if (
             Objects.nonNull(attributeConverter) &&
                 Objects.nonNull(attributeConverter.type()) &&
                 attributeConverter.type().tableSchema().isPresent()
         ) {
-            Object maybeTableSchema = attributeConverter.type().tableSchema().get();
-            if (maybeTableSchema instanceof TableSchema) {
-                TableSchema subTableSchema = (TableSchema) maybeTableSchema;
-                if (
-                    subTableSchema.tableMetadata().customMetadata().containsKey(CUSTOM_DDB_ENCRYPTION_SIGN_ONLY_PREFIX) ||
-                        subTableSchema.tableMetadata().customMetadata().containsKey(CUSTOM_DDB_ENCRYPTION_DO_NOTHING_PREFIX)
-                ) {
-                    throw DynamoDbEncryptionException.builder()
-                        .message(String.format(
-                            "Detected a DynamoDbEncryption Tag/Configuration on a nested attribute of %s. " +
-                                "This is NOT Supported at this time!",
-                            attributeName))
-                        .build();
-                }
+            TableSchema<?> subTableSchema = attributeConverter.type().tableSchema().get();
+            Set<String> signOnlyAttributes = getSignOnlyAttributes(subTableSchema);
+            if (signOnlyAttributes.size() > 0) {
+                throw DynamoDbEncryptionException.builder()
+                    .message(String.format(
+                        "Detected DynamoDbEncryption Tag %s on a nested attribute with Path %s. " +
+                            "This is NOT Supported at this time!",
+                        CUSTOM_DDB_ENCRYPTION_SIGN_ONLY_PREFIX,
+                        attributePath.append(signOnlyAttributes.toArray()[0])))
+                    .build();
+            }
+            Set<String> doNothingAttributes = getDoNothingAttributes(subTableSchema);
+            if (doNothingAttributes.size() > 0) {
+                throw DynamoDbEncryptionException.builder()
+                    .message(String.format(
+                        "Detected DynamoDbEncryption Tag %s on a nested attribute with Path %s. " +
+                            "This is NOT Supported at this time!",
+                        CUSTOM_DDB_ENCRYPTION_DO_NOTHING_PREFIX,
+                        attributePath.append(doNothingAttributes.toArray()[0])))
+                    .build();
+            }
+            List<String> subAttributeNames = subTableSchema.attributeNames();
+            for (String subAttributeName : subAttributeNames) {
+                scanForIgnoredEncryptionTags(subTableSchema, subAttributeName, attributePath);
             }
         }
     }

DynamoDbEncryption/runtimes/java/src/main/java/software/amazon/cryptography/dbencryptionsdk/dynamodb/enhancedclient/DynamoDbEnhancedTableEncryptionConfig.java

@@ -14,7 +14,7 @@
 
 public class DynamoDbEnhancedTableEncryptionConfig {
     private final String logicalTableName;
-    private final TableSchema schemaOnEncrypt;
+    private final TableSchema<?> schemaOnEncrypt;
     private final List<String> allowedUnsignedAttributes;
     private final String allowedUnsignedAttributePrefix;
     private final Keyring keyring;
@@ -39,7 +39,7 @@ protected DynamoDbEnhancedTableEncryptionConfig(BuilderImpl builder) {
 
     public String logicalTableName() { return this.logicalTableName; }
 
-    public TableSchema schemaOnEncrypt() {
+    public TableSchema<?> schemaOnEncrypt() {
         return this.schemaOnEncrypt;
     }
 
@@ -82,8 +82,8 @@ public static Builder builder() {
     public interface Builder {
         String logicalTableName();
         Builder logicalTableName(String logicalTableName);
-        Builder schemaOnEncrypt(TableSchema schemaOnEncrypt);
-        TableSchema schemaOnEncrypt();
+        Builder schemaOnEncrypt(TableSchema<?> schemaOnEncrypt);
+        TableSchema<?> schemaOnEncrypt();
         Builder allowedUnsignedAttributes(List<String> allowedUnsignedAttributes);
         List<String> allowedUnsignedAttributes();
         Builder allowedUnsignedAttributePrefix(String allowedUnsignedAttributePrefix);
@@ -101,7 +101,7 @@ public interface Builder {
 
     protected static class BuilderImpl implements Builder {
         protected String logicalTableName;
-        protected TableSchema schemaOnEncrypt;
+        protected TableSchema<?> schemaOnEncrypt;
         protected List<String> allowedUnsignedAttributes;
         protected String allowedUnsignedAttributePrefix;
         protected Keyring keyring;
@@ -131,12 +131,12 @@ public Builder logicalTableName(String logicalTableName) {
 
         public String logicalTableName() { return this.logicalTableName; }
 
-        public Builder schemaOnEncrypt(TableSchema schemaOnEncrypt) {
+        public Builder schemaOnEncrypt(TableSchema<?> schemaOnEncrypt) {
             this.schemaOnEncrypt = schemaOnEncrypt;
             return this;
         }
 
-        public TableSchema schemaOnEncrypt() {
+        public TableSchema<?> schemaOnEncrypt() {
             return this.schemaOnEncrypt;
         }
 

DynamoDbEncryption/runtimes/java/src/test/java/software/amazon/cryptography/dbencryptionsdk/dynamodb/enhancedclient/DynamoDbEncryptionEnhancedClientIntegrationTests.java

@@ -19,9 +19,7 @@
 import software.amazon.awssdk.services.dynamodb.model.DynamoDbException;
 import software.amazon.awssdk.services.kms.model.KmsException;
 
-import software.amazon.cryptography.dbencryptionsdk.dynamodb.enhancedclient.AnnotatedConvertedBy.ConvertedByNestedBean;
-import software.amazon.cryptography.dbencryptionsdk.dynamodb.enhancedclient.AnnotatedFlattenedBean.FlattenedNestedBean;
-import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.DynamoDbEncryptionException;
+import software.amazon.cryptography.dbencryptionsdk.dynamodb.enhancedclient.validdatamodels.*;
 import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.LegacyOverride;
 import software.amazon.cryptography.dbencryptionsdk.dynamodb.model.LegacyPolicy;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.CryptoAction;
@@ -127,7 +125,7 @@ public void TestPutAndGetAnnotatedFlattenedBean() {
         AnnotatedFlattenedBean record = new AnnotatedFlattenedBean();
         record.setPartitionKey(PARTITION);
         record.setSortKey(SORT);
-        FlattenedNestedBean nestedBean = new FlattenedNestedBean(
+        AnnotatedFlattenedBean.FlattenedNestedBean nestedBean = new AnnotatedFlattenedBean.FlattenedNestedBean(
             "9305B367-C477-4A58-9E6C-BF7D59D17C8A", "James", "Bond"
         );
         record.setNestedBeanClass(nestedBean);
@@ -163,7 +161,7 @@ public void TestPutAndGetAnnotatedConvertedBy() {
         AnnotatedConvertedBy record = new AnnotatedConvertedBy();
         record.setPartitionKey(PARTITION);
         record.setSortKey(SORT);
-        ConvertedByNestedBean nestedBean = new ConvertedByNestedBean(
+        AnnotatedConvertedBy.ConvertedByNestedBean nestedBean = new AnnotatedConvertedBy.ConvertedByNestedBean(
             "9305B367-C477-4A58-9E6C-BF7D59D17C8A", "Winnie", "the-Pooh"
         );
         record.setNestedEncrypted(nestedBean);