m

Author: ajewellamz

DynamoDbEncryption/runtimes/rust/src/bin/example/basic_get_put_example.rs

@@ -1,20 +1,16 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#![deny(warnings, unconditional_panic)]
-#![deny(nonstandard_style)]
-#![deny(clippy::all)]
-
 use std::collections::HashMap;
 use crate::test_utils;
 use aws_sdk_dynamodb::types::AttributeValue;
 
-use db_esdk::deps::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
-use db_esdk::deps::aws_cryptography_materialProviders::client;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
+use db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
+use db_esdk::aws_cryptography_materialProviders::client;
+use db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
 
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
-use db_esdk::deps::aws_cryptography_materialProviders::types::DbeAlgorithmSuiteId;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
+use db_esdk::aws_cryptography_materialProviders::types::DbeAlgorithmSuiteId;
 use db_esdk::intercept::DbEsdkInterceptor;
 use db_esdk::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig;
 

DynamoDbEncryption/runtimes/rust/src/bin/example/create_keystore_key.rs

@@ -0,0 +1,52 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use crate::test_utils;
+use db_esdk::aws_cryptography_keyStore::types::key_store_config::KeyStoreConfig;
+use db_esdk::aws_cryptography_keyStore::types::KmsConfiguration;
+use db_esdk::aws_cryptography_keyStore::client as keystore_client;
+
+/*
+  The Hierarchical Keyring Example and Searchable Encryption Examples
+  rely on the existence of a DDB-backed key store with pre-existing
+  branch key material or beacon key material.
+
+  See the "Create KeyStore Table Example" for how to first set up
+  the DDB Table that will back this KeyStore.
+
+  This example demonstrates configuring a KeyStore and then
+  using a helper method to create a branch key and beacon key
+  that share the same Id, then return that Id.
+  We will always create a new beacon key alongside a new branch key,
+  even if you are not using searchable encryption.
+
+  This key creation should occur within your control plane.
+ */
+    pub async fn keystore_create_key() -> String
+    {
+      let key_store_table_name = test_utils::TEST_KEYSTORE_NAME;
+      let logical_key_store_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
+      let kms_key_arn = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
+
+      // 1. Configure your KeyStore resource.
+      //    This SHOULD be the same configuration that was used to create the DDB table
+      //    in the "Create KeyStore Table Example".
+      let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+      let key_store_config = KeyStoreConfig::builder()
+          .kms_client(aws_sdk_kms::Client::new(&sdk_config))
+          .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
+          .ddb_table_name(key_store_table_name)
+          .logical_key_store_name(logical_key_store_name)
+          .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
+          .build()
+          .unwrap();
+        
+        let keystore = keystore_client::Client::from_conf(key_store_config).unwrap();
+
+      // 2. Create a new branch key and beacon key in our KeyStore.
+      //    Both the branch key and the beacon key will share an Id.
+      //    This creation is eventually consistent.
+
+      let new_key = keystore.create_key().send().await.unwrap();
+      return new_key.branch_key_identifier.unwrap();
+  }

DynamoDbEncryption/runtimes/rust/src/bin/example/create_keystore_table.rs

@@ -0,0 +1,58 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use crate::test_utils;
+use db_esdk::aws_cryptography_keyStore::types::key_store_config::KeyStoreConfig;
+use db_esdk::aws_cryptography_keyStore::types::KmsConfiguration;
+use db_esdk::aws_cryptography_keyStore::client as keystore_client;
+
+/*
+  The Hierarchical Keyring Example and Searchable Encryption Examples
+  rely on the existence of a DDB-backed key store with pre-existing
+  branch key material or beacon key material.
+
+  This example demonstrates configuring a KeyStore and then
+  using a helper method to create the DDB table that will be
+  used to persist branch keys and beacons keys for this KeyStore.
+
+  This table creation should occur within your control plane. This
+  only needs to occur once. While not demonstrated in this example,
+  you should additionally use the `VersionKey` API on the KeyStore
+  to periodically rotate your branch key material.
+ */
+
+ pub async fn keystore_create_table() -> String
+    {
+      let key_store_table_name = test_utils::TEST_KEYSTORE_NAME;
+      let logical_key_store_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
+      let kms_key_arn = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
+
+        // 1. Configure your KeyStore resource.
+        //    `ddbTableName` is the name you want for the DDB table that
+        //    will back your keystore.
+        //    `kmsKeyArn` is the KMS Key that will protect your branch keys and beacon keys
+        //    when they are stored in your DDB table.
+        let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+      let key_store_config = KeyStoreConfig::builder()
+          .kms_client(aws_sdk_kms::Client::new(&sdk_config))
+          .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
+          .ddb_table_name(key_store_table_name)
+          .logical_key_store_name(logical_key_store_name)
+          .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
+          .build()
+          .unwrap();
+        
+        let keystore = keystore_client::Client::from_conf(key_store_config).unwrap();
+
+        // 2. Create the DynamoDb table that will store the branch keys and beacon keys.
+        //    This checks if the correct table already exists at `ddbTableName`
+        //    by using the DescribeTable API. If no table exists,
+        //    it will create one. If a table exists, it will verify
+        //    the table's configuration and will error if the configuration is incorrect.
+        keystore.create_keystore.send().await.unwrap();
+
+        // It may take a couple minutes for the table to become ACTIVE,
+        // at which point it is ready to store branch and beacon keys.
+        // See the create_keystore_key example for how to populate
+        // this table.
+  }

DynamoDbEncryption/runtimes/rust/src/bin/example/get_encrypted_data_key_description.rs

@@ -0,0 +1,53 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use crate::test_utils;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::client as dbesdk_client;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::dynamo_db_encryption_config::DynamoDbEncryptionConfig;
+use std::collections::HashMap;
+use aws_sdk_dynamodb::types::AttributeValue;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::GetEncryptedDataKeyDescriptionUnion;
+
+pub async fn  get_encrypted_data_key_description()
+    {
+        let kms_key_id = test_utils::TEST_KMS_KEY_ID;
+        let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
+        let config = DynamoDbEncryptionConfig::builder().build().unwrap();
+        let ddb_enc = dbesdk_client::Client::from_conf(config).unwrap();
+
+        // 1. Define keys that will be used to retrieve item from the DynamoDB table.
+        let key_to_get = HashMap::from([
+          ("partition_key".to_string(), AttributeValue::S("BasicPutGetExample".to_string())),
+          ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+        ]);
+
+
+        // 2. Create a Amazon DynamoDB Client and retrieve item from DynamoDB table
+        let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+        let ddb = aws_sdk_dynamodb::Client::new(&sdk_config);
+        let get_item_response = ddb.get_item()
+          .set_key(Some(key_to_get))
+          .table_name(ddb_table_name)
+          .send().await.unwrap();
+
+
+        // 3. Extract the item from the dynamoDB table and prepare input for the GetEncryptedDataKeyDescription method.
+        // Here, we are sending dynamodb item but you can also input the header itself by extracting the header from 
+        // "aws_dbe_head" attribute in the dynamoDB item. The part of the code where we send input as the header is commented.
+        let returned_item = get_item_response.item.unwrap();
+        let input_union = GetEncryptedDataKeyDescriptionUnion::Item(returned_item);
+        let output = ddb_enc.get_encrypted_data_key_description()
+        .input(input_union)
+        .send().await.unwrap();
+
+        // The code below shows how we can send header as the input to the DynamoDB. This code is written to demo the 
+        // alternative approach. So, it is commented.
+        // let input_union = GetEncryptedDataKeyDescriptionUnion::Header(returned_item["aws_dbe_head"].as_b().unwrap().clone());
+
+        // 4. Get encrypted DataKey Descriptions from GetEncryptedDataKeyDescription method output and assert if its true.
+        let encrypted_data_key_descriptions = output.encrypted_data_key_description_output.unwrap();
+        assert_eq!(encrypted_data_key_descriptions[0].key_provider_id, Some("aws-kms".to_string()));
+        assert_eq!(encrypted_data_key_descriptions[0].key_provider_info, Some(kms_key_id.to_string()));
+
+        println!("get_encrypted_data_key_description successful.");
+      }

DynamoDbEncryption/runtimes/rust/src/bin/example/itemencryptor/item_encrypt_decrypt.rs

@@ -1,21 +1,17 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#![deny(warnings, unconditional_panic)]
-#![deny(nonstandard_style)]
-#![deny(clippy::all)]
-
 use std::collections::HashMap;
 use crate::test_utils;
 use aws_sdk_dynamodb::types::AttributeValue;
 
-use db_esdk::deps::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
-use db_esdk::deps::aws_cryptography_materialProviders::client as mpl_client;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
+use db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
+use db_esdk::aws_cryptography_materialProviders::client as mpl_client;
+use db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
 
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb_itemEncryptor::types::dynamo_db_item_encryptor_config::DynamoDbItemEncryptorConfig;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb_itemEncryptor::client as enc_client;
-use db_esdk::deps::aws_cryptography_materialProviders::types::DbeAlgorithmSuiteId;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb_itemEncryptor::types::dynamo_db_item_encryptor_config::DynamoDbItemEncryptorConfig;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb_itemEncryptor::client as enc_client;
+use db_esdk::aws_cryptography_materialProviders::types::DbeAlgorithmSuiteId;
 
 /*
   This example sets up a DynamoDb Item Encryptor and uses

DynamoDbEncryption/runtimes/rust/src/bin/example/itemencryptor/mod.rs

@@ -1,8 +1,4 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#![deny(warnings, unconditional_panic)]
-#![deny(nonstandard_style)]
-#![deny(clippy::all)]
-
 pub mod item_encrypt_decrypt;

DynamoDbEncryption/runtimes/rust/src/bin/example/main.rs

@@ -10,11 +10,13 @@ pub mod test_utils;
 pub mod itemencryptor;
 pub mod searchableencryption;
 pub mod create_keystore_key;
+pub mod get_encrypted_data_key_description;
 
 #[tokio::main]
 pub async fn main() {
     basic_get_put_example::put_item_get_item().await;
     itemencryptor::item_encrypt_decrypt::encrypt_decrypt().await;
+    get_encrypted_data_key_description::get_encrypted_data_key_description().await;
 
     let key_id = create_keystore_key::keystore_create_key().await;
     // let key_id2 = create_keystore_key::keystore_create_key().await;
@@ -23,10 +25,9 @@ pub async fn main() {
     std::thread::sleep(std::time::Duration::from_secs(5));
 
     searchableencryption::basic_searchable_encryption::put_and_query_with_beacon(&key_id).await;
-/*
+    // FIXME : ScanError will have to wait until we have a reasonable error message strategy
 
-            await ScanErrorExample.ScanError();
-            await GetEncryptedDataKeyDescriptionExample.GetEncryptedDataKeyDescription();
+/*
             await MultiPutGetExample.MultiPutGet();
             await ClientSupplierExample.ClientSupplierPutItemGetItem();
             await MultiMrkKeyringExample.MultiMrkKeyringGetItemPutItem();
@@ -42,6 +43,6 @@ pub async fn main() {
             await VirtualBeaconSearchableEncryptionExample.PutItemQueryItemWithVirtualBeacon(keyId);
             await BeaconStylesSearchableEncryptionExample.PutItemQueryItemWithBeaconStyles(keyId);
             await ComplexSearchableEncryptionExample.RunExample(keyId);
-            Console.Write("All examples completed successfully.\n");
 */
+    println!("All examples completed successfully.\n");
 }

DynamoDbEncryption/runtimes/rust/src/bin/example/searchableencryption/basic_searchable_encryption.rs

@@ -1,29 +1,25 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#![deny(warnings, unconditional_panic)]
-#![deny(nonstandard_style)]
-#![deny(clippy::all)]
-
 use std::collections::HashMap;
 use crate::test_utils;
 use aws_sdk_dynamodb::types::AttributeValue;
 
-use db_esdk::deps::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
-use db_esdk::deps::aws_cryptography_materialProviders::client;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
+use db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
+use db_esdk::aws_cryptography_materialProviders::client;
+use db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
 
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::StandardBeacon;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::StandardBeacon;
 use db_esdk::intercept::DbEsdkInterceptor;
 use db_esdk::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig;
-use db_esdk::deps::aws_cryptography_keyStore::client as keystore_client;
-use db_esdk::deps::aws_cryptography_keyStore::types::key_store_config::KeyStoreConfig;
-use db_esdk::deps::aws_cryptography_keyStore::types::KmsConfiguration;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::BeaconVersion;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::SingleKeyStore;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::BeaconKeySource;
-use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::SearchConfig;
+use db_esdk::aws_cryptography_keyStore::client as keystore_client;
+use db_esdk::aws_cryptography_keyStore::types::key_store_config::KeyStoreConfig;
+use db_esdk::aws_cryptography_keyStore::types::KmsConfiguration;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::BeaconVersion;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::SingleKeyStore;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::BeaconKeySource;
+use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::SearchConfig;
 
 /*
   This example demonstrates how to set up a beacon on an encrypted attribute,

DynamoDbEncryption/runtimes/rust/src/bin/example/searchableencryption/mod.rs

@@ -1,8 +1,4 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#![deny(warnings, unconditional_panic)]
-#![deny(nonstandard_style)]
-#![deny(clippy::all)]
-
 pub mod basic_searchable_encryption;

DynamoDbEncryption/runtimes/rust/src/bin/example/test_utils.rs

@@ -1,10 +1,6 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-#![deny(warnings, unconditional_panic)]
-#![deny(nonstandard_style)]
-#![deny(clippy::all)]
-
 pub const TEST_KEYSTORE_NAME : &str = "KeyStoreDdbTable";
 pub const TEST_LOGICAL_KEYSTORE_NAME : &str = "KeyStoreDdbTable";