Skip to content

Commit 99f9561

Browse files
seebeesseebees
committed
what about this?
1 parent 46b0aaf commit 99f9561

File tree

2 files changed

+10
-13
lines changed

2 files changed

+10
-13
lines changed

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/QueryTransform.dfy

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -92,16 +92,15 @@ module QueryTransform {
9292
var decryptRes := tableConfig.itemEncryptor.DecryptItem(decryptInput);
9393
var decrypted :- MapError(decryptRes);
9494

95-
if decrypted.parsedHeader.None? {
96-
:- Need(
95+
// If the decrypted result was plaintext, i.e. has no parsedHeader
96+
// then this is expected IFF the table config allows plaintext read
97+
assert decrypted.parsedHeader.None? ==>
9798
&& EncOps.IsPlaintextItem(encryptedItems[x])
99+
&& !tableConfig.plaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ?
98100
&& (
99101
|| tableConfig.plaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
100102
|| tableConfig.plaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
101-
),
102-
E("Unexpected lack of parsed header.")
103-
);
104-
}
103+
);
105104

106105
if keyId.KeyId? && decrypted.parsedHeader.Some? {
107106
:- Need(|decrypted.parsedHeader.value.encryptedDataKeys| == 1, E("Query result has more than one Encrypted Data Key"));

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ScanTransform.dfy

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -90,19 +90,17 @@ module ScanTransform {
9090
var decryptRes := tableConfig.itemEncryptor.DecryptItem(decryptInput);
9191
var decrypted :- MapError(decryptRes);
9292

93-
if decrypted.parsedHeader.None? {
94-
:- Need(
93+
// If the decrypted result was plaintext, i.e. has no parsedHeader
94+
// then this is expected IFF the table config allows plaintext read
95+
assert decrypted.parsedHeader.None? ==>
9596
&& EncOps.IsPlaintextItem(encryptedItems[x])
97+
&& !tableConfig.plaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ?
9698
&& (
9799
|| tableConfig.plaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
98100
|| tableConfig.plaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ?
99-
),
100-
E("Unexpected lack of parsed header.")
101-
);
102-
}
101+
);
103102

104103
if keyId.KeyId? && decrypted.parsedHeader.Some? {
105-
:- Need(decrypted.parsedHeader.Some?, E("Decrypted scan result has no parsed header."));
106104
:- Need(|decrypted.parsedHeader.value.encryptedDataKeys| == 1, E("Scan result has more than one Encrypted Data Key"));
107105
if decrypted.parsedHeader.value.encryptedDataKeys[0].keyProviderInfo == keyIdUtf8 {
108106
decryptedItems := decryptedItems + [decrypted.plaintextItem];

0 commit comments

Comments
 (0)