Skip to content

Commit 46b0aaf

Browse files
committed
m
1 parent a5a4aca commit 46b0aaf

File tree

2 files changed

+24
-4
lines changed

2 files changed

+24
-4
lines changed

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/QueryTransform.dfy

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ module QueryTransform {
1010
import DDB = ComAmazonawsDynamodbTypes
1111
import opened AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes
1212
import EncTypes = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
13-
import Seq
13+
import EncOps = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations
1414

1515
method Input(config: Config, input: QueryInputTransformInput)
1616
returns (output: Result<QueryInputTransformOutput, Error>)
@@ -92,7 +92,17 @@ module QueryTransform {
9292
var decryptRes := tableConfig.itemEncryptor.DecryptItem(decryptInput);
9393
var decrypted :- MapError(decryptRes);
9494

95-
// No parsed header is ok, because it means ALLOW_PLAINTEXT_READ and a plain text item
95+
if decrypted.parsedHeader.None? {
96+
:- Need(
97+
&& EncOps.IsPlaintextItem(encryptedItems[x])
98+
&& (
99+
|| tableConfig.plaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
100+
|| tableConfig.plaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
101+
),
102+
E("Unexpected lack of parsed header.")
103+
);
104+
}
105+
96106
if keyId.KeyId? && decrypted.parsedHeader.Some? {
97107
:- Need(|decrypted.parsedHeader.value.encryptedDataKeys| == 1, E("Query result has more than one Encrypted Data Key"));
98108
if decrypted.parsedHeader.value.encryptedDataKeys[0].keyProviderInfo == keyIdUtf8 {

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ScanTransform.dfy

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ module ScanTransform {
1010
import DDB = ComAmazonawsDynamodbTypes
1111
import opened AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes
1212
import EncTypes = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
13-
import Seq
13+
import EncOps = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations
1414

1515
method Input(config: Config, input: ScanInputTransformInput)
1616
returns (output: Result<ScanInputTransformOutput, Error>)
@@ -90,7 +90,17 @@ module ScanTransform {
9090
var decryptRes := tableConfig.itemEncryptor.DecryptItem(decryptInput);
9191
var decrypted :- MapError(decryptRes);
9292

93-
// No parsed header is ok, because it means ALLOW_PLAINTEXT_READ and a plain text item
93+
if decrypted.parsedHeader.None? {
94+
:- Need(
95+
&& EncOps.IsPlaintextItem(encryptedItems[x])
96+
&& (
97+
|| tableConfig.plaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
98+
|| tableConfig.plaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
99+
),
100+
E("Unexpected lack of parsed header.")
101+
);
102+
}
103+
94104
if keyId.KeyId? && decrypted.parsedHeader.Some? {
95105
:- Need(decrypted.parsedHeader.Some?, E("Decrypted scan result has no parsed header."));
96106
:- Need(|decrypted.parsedHeader.value.encryptedDataKeys| == 1, E("Scan result has more than one Encrypted Data Key"));

0 commit comments

Comments
 (0)