DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src Expand file tree Collapse file tree 2 files changed +24
-4
lines changed Original file line number Diff line number Diff line change @@ -10,7 +10,7 @@ module QueryTransform {
10
10
import DDB = ComAmazonawsDynamodbTypes
11
11
import opened AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes
12
12
import EncTypes = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
13
- import Seq
13
+ import EncOps = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations
14
14
15
15
method Input (config: Config , input: QueryInputTransformInput )
16
16
returns (output: Result< QueryInputTransformOutput, Error> )
@@ -92,7 +92,17 @@ module QueryTransform {
92
92
var decryptRes := tableConfig. itemEncryptor. DecryptItem (decryptInput);
93
93
var decrypted :- MapError (decryptRes);
94
94
95
- // No parsed header is ok, because it means ALLOW_PLAINTEXT_READ and a plain text item
95
+ if decrypted. parsedHeader. None? {
96
+ :- Need (
97
+ && EncOps.IsPlaintextItem(encryptedItems[x])
98
+ && (
99
+ || tableConfig. plaintextOverride. FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
100
+ || tableConfig. plaintextOverride. FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
101
+ ),
102
+ E ("Unexpected lack of parsed header.")
103
+ );
104
+ }
105
+
96
106
if keyId. KeyId? && decrypted. parsedHeader. Some? {
97
107
:- Need (|decrypted.parsedHeader.value.encryptedDataKeys| == 1, E("Query result has more than one Encrypted Data Key"));
98
108
if decrypted. parsedHeader. value. encryptedDataKeys[0]. keyProviderInfo == keyIdUtf8 {
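Review bot: The new `parsedHeader.None?` guard fails closed, but the comment it replaces was the only explanation of why a missing header can be legitimate, and the added lines no longer say so. I would put a comment above the `if`, for example `// A missing header is acceptable only for a plaintext item read under an ALLOW_PLAINTEXT_READ override; anything else is rejected.` The same block is added verbatim in ScanTransform, so a small shared helper taking the item and `plaintextOverride` would keep the two read paths from drifting apart. Since the rest of the loop is outside the hunk, it is also worth confirming whether a plaintext item that passes this guard is still returned when `keyId.KeyId?` holds, because it never reaches the `keyProviderInfo == keyIdUtf8` comparison below.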
Original file line number Diff line number Diff line change @@ -10,7 +10,7 @@ module ScanTransform {
10
10
import DDB = ComAmazonawsDynamodbTypes
11
11
import opened AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes
12
12
import EncTypes = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
13
- import Seq
13
+ import EncOps = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations
14
14
15
15
method Input (config: Config , input: ScanInputTransformInput )
16
16
returns (output: Result< ScanInputTransformOutput, Error> )
@@ -90,7 +90,17 @@ module ScanTransform {
90
90
var decryptRes := tableConfig. itemEncryptor. DecryptItem (decryptInput);
91
91
var decrypted :- MapError (decryptRes);
92
92
93
- // No parsed header is ok, because it means ALLOW_PLAINTEXT_READ and a plain text item
93
+ if decrypted. parsedHeader. None? {
94
+ :- Need (
95
+ && EncOps.IsPlaintextItem(encryptedItems[x])
96
+ && (
97
+ || tableConfig. plaintextOverride. FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
98
+ || tableConfig. plaintextOverride. FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
99
+ ),
100
+ E ("Unexpected lack of parsed header.")
101
+ );
102
+ }
103
+
94
104
if keyId. KeyId? && decrypted. parsedHeader. Some? {
95
105
:- Need (decrypted.parsedHeader.Some?, E("Decrypted scan result has no parsed header."));
96
106
:- Need (|decrypted.parsedHeader.value.encryptedDataKeys| == 1, E("Scan result has more than one Encrypted Data Key"));
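Review bot: Inside `if keyId.KeyId? && decrypted.parsedHeader.Some?` the first `Need (decrypted.parsedHeader.Some?, ...)` can never fail, so the "Decrypted scan result has no parsed header." error is unreachable; the QueryTransform section has no such line. Now that the guard added above handles the missing-header case explicitly, this check could be dropped so that both transforms read the same and the only missing-header error is the one that can fire. The body of this `if` continues outside the hunk.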