m

Author: lucasmcdonald3

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/DynamoDbEncryption.smithy

@@ -26,6 +26,7 @@ use com.amazonaws.dynamodb#AttributeName
 use com.amazonaws.dynamodb#Key
 use com.amazonaws.dynamodb#AttributeNameList
 use com.amazonaws.dynamodb#KeySchemaAttributeName
+use com.amazonaws.dynamodb#ExpressionAttributeNameMap
 
 use aws.cryptography.primitives#AwsCryptographicPrimitives
 use aws.cryptography.dbEncryptionSdk.structuredEncryption#StructuredEncryption
@@ -881,3 +882,15 @@ structure DynamoDbEncryptionException {
   @required
   message: String,
 }
+
+structure ExtractAttrtibutesInput {
+  @required
+  s: string
+  ex: ExpressionAttributeNameMap
+}
+
+structure ExtractAttrtibutesOutput {
+  @required
+  s: string
+  ex: ExpressionAttributeNameMap
+}

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/__init__.py

@@ -6,3 +6,32 @@
 
 # Initialize externs
 from .internaldafny import extern
+
+"""
+boto3 uses Python's decimal library to deserialize numbers retrieved by resources
+    (Tables, etc.) from strings to `decimal.Decimal`s.
+boto3 deserializes strings to Decimals according to its DYNAMODB_CONTEXT:
+https://github.com/boto/boto3/blob/develop/boto3/dynamodb/types.py#L37-L42
+
+boto3 is configured to raise an exception if the deserialization is "Rounded": (`traps: [.. Rounded]`)
+https://docs.python.org/3/library/decimal.html#decimal.Rounded
+"Rounded" means some digits were discarded.
+However, those digits may have been 0, and no information is lost.
+
+boto3 is also configured to raise an exception if the deserialization is "Inexact":
+https://docs.python.org/3/library/decimal.html#decimal.Inexact
+"Inexact" means non-zero digits are discarded, and the result is inexact.
+
+Other DBESDK DynamoDB runtimes treat "Rounded" as acceptable, but "Inexact" as unacceptable.
+By default, boto3 will treat both "Rounded" and "Inexact" as unacceptable.
+
+For DBESDK DynamoDB, change the DynamoDB context to treat "Rounded" as acceptable.
+"""
+import boto3.dynamodb.types
+from decimal import Rounded
+
+old_context = boto3.dynamodb.types.DYNAMODB_CONTEXT
+old_traps = old_context.__getattribute__("traps")
+# traps structure: {k (trap class) : v (True if trap should raise Exception; False otherwise)}
+old_traps[Rounded] = False
+boto3.dynamodb.types.DYNAMODB_CONTEXT.__setattr__("traps", old_traps)

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/encryptor/client.py

@@ -44,12 +44,14 @@ class EncryptedClient:
     _client: botocore.client.BaseClient
     _encryption_config: DynamoDbTablesEncryptionConfig
     _transformer: DynamoDbEncryptionTransforms
+    _expect_standard_dictionaries: bool
 
     def __init__(
         self,
         *,
         client: botocore.client.BaseClient,
         encryption_config: DynamoDbTablesEncryptionConfig,
+        expect_standard_dictionaries: Optional[bool] = False,
     ):
         """
         Parameters:
@@ -61,6 +63,87 @@ def __init__(
         self._transformer = DynamoDbEncryptionTransforms(
             config = encryption_config
         )
+        self._expect_standard_dictionaries = expect_standard_dictionaries
+
+    def _maybe_transform_request_to_dynamodb_item(self, item_key, **kwargs):
+        if self._expect_standard_dictionaries:
+            dynamodb_item = dict_to_ddb(kwargs[item_key])
+            dynamodb_input = kwargs
+            dynamodb_input[item_key] = dynamodb_item
+        else:
+            dynamodb_input = kwargs
+        return dynamodb_input
+    
+    def _maybe_transform_batch_request_to_dynamodb_item(self, **kwargs):
+        if not self._expect_standard_dictionaries:
+            return kwargs
+        
+        output_requests = []
+
+        tables = kwargs["RequestItems"]
+        table_names = list(tables.keys())
+        if len(tables.keys()) > 1:
+            raise ValueError("Table batch_write_item only supports 1 table in a request.")
+        table_name = table_names[0]
+        requests = tables[table_names[0]]
+        for request in requests:
+            request_name_list = list(request.keys())
+            if len(request_name_list) > 1:
+                raise ValueError("Cannot send more than one request in a single request")
+            request_name = request_name_list[0]
+            if request_name == "PutRequest":
+                dict_request = dict_to_ddb(request[request_name]["Item"])
+                boto3_request = {"Item": dict_request}
+            elif request_name == "DeleteRequest":
+                dict_request = dict_to_ddb(request[request_name]["Key"])
+                boto3_request = {"Key": dict_request}
+                output_requests.append({request_name: boto3_request})
+            else:
+                raise ValueError(f"Unknown batch_write_items method key: {request_name}")
+            output_requests.append({request_name: boto3_request})
+        kwargs["RequestItems"][table_name] = output_requests
+        return kwargs
+    
+    def _maybe_transform_batch_request_to_dict_item(self, **kwargs):
+        # TODO separate standard dictionaries for this one (internal client expects dicts)
+        if not self._expect_standard_dictionaries:
+            return kwargs
+        
+        output_requests = []
+
+        tables = kwargs["RequestItems"]
+        table_names = list(tables.keys())
+        if len(tables.keys()) > 1:
+            raise ValueError("Table batch_write_item only supports 1 table in a request.")
+        table_name = table_names[0]
+        requests = tables[table_names[0]]
+        for request in requests:
+            request_name_list = list(request.keys())
+            if len(request_name_list) > 1:
+                raise ValueError("Cannot send more than one request in a single request")
+            request_name = request_name_list[0]
+            if request_name == "PutRequest":
+                dict_request = ddb_to_dict(request[request_name]["Item"])
+                boto3_request = {"Item": dict_request}
+            elif request_name == "DeleteRequest":
+                dict_request = ddb_to_dict(request[request_name]["Key"])
+                boto3_request = {"Key": dict_request}
+                output_requests.append({request_name: boto3_request})
+            else:
+                raise ValueError(f"Unknown batch_write_items method key: {request_name}")
+            output_requests.append({request_name: boto3_request})
+        kwargs["RequestItems"][table_name] = output_requests
+        return kwargs
+    
+    def _maybe_transform_response_to_python_dict(self, response):
+        if self._expect_standard_dictionaries:
+            if hasattr(response, "Item"):
+                response["Item"] = ddb_to_dict(response["Item"])
+
+    def _maybe_transform_batch_response_to_python_dict(self, response):
+        if self._expect_standard_dictionaries:
+            if hasattr(response, "Item"):
+                response["Item"] = ddb_to_dict(response["Item"])
 
     def _copy_sdk_response_to_dbesdk_response(self, sdk_response, dbesdk_response):
         for sdk_response_key, sdk_response_value in sdk_response.items():
@@ -75,131 +158,154 @@ def _get_protected_methods(self):
         ]
 
     def put_item(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Item", **kwargs)
         transformed_request = self._transformer.put_item_input_transform(
             PutItemInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.put_item(**transformed_request)
         dbesdk_response = self._transformer.put_item_output_transform(
             PutItemOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def get_item(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
         transformed_request = self._transformer.get_item_input_transform(
             GetItemInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.get_item(**transformed_request)
         dbesdk_response = self._transformer.get_item_output_transform(
             GetItemOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def batch_write_item(self, **kwargs):
+        # print(f"batch_write_item pre {kwargs=}")
+        sdk_input = self._maybe_transform_batch_request_to_dynamodb_item(**kwargs)
+        # print(f"batch_write_item post {kwargs=}")
         transformed_request = self._transformer.batch_write_item_input_transform(
             BatchWriteItemInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
+        # print(f"{self._client=}")
+        # print(f"{transformed_request=}")
+        transformed_request = self._maybe_transform_batch_request_to_dict_item(**transformed_request)
         sdk_response = self._client.batch_write_item(**transformed_request)
         dbesdk_response = self._transformer.batch_write_item_output_transform(
             BatchWriteItemOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
+        print(f'{sdk_response=}')
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
+        print(f'{dbesdk_response=}')
         return dbesdk_response
 
     def batch_get_item(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = None, **kwargs)
         transformed_request = self._transformer.batch_get_item_input_transform(
             BatchGetItemInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.batch_get_item(**transformed_request)
         dbesdk_response = self._transformer.batch_get_item_output_transform(
             BatchGetItemOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def scan(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
         transformed_request = self._transformer.scan_input_transform(
             ScanInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.scan(**transformed_request)
         dbesdk_response = self._transformer.scan_output_transform(
             ScanOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def transact_get_items(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
         transformed_request = self._transformer.transact_get_items_input_transform(
             TransactGetItemsInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.transact_get_items(**transformed_request)
         dbesdk_response = self._transformer.transact_get_items_output_transform(
             TransactGetItemsOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def transact_write_items(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
         transformed_request = self._transformer.transact_write_items_input_transform(
             TransactWriteItemsInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.transact_write_items(**transformed_request)
         dbesdk_response = self._transformer.transact_write_items_output_transform(
             TransactWriteItemsOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def query(self, **kwargs):
+        sdk_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
         transformed_request = self._transformer.query_input_transform(
             QueryInputTransformInput(
-                sdk_input = kwargs
+                sdk_input = sdk_input
             )
         ).transformed_input
         sdk_response = self._client.query(**transformed_request)
         dbesdk_response = self._transformer.query_output_transform(
             QueryOutputTransformInput(
-                original_input = kwargs,
+                original_input = sdk_input,
                 sdk_output = sdk_response,
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        self._maybe_transform_response_to_python_dict(dbesdk_response)
         return dbesdk_response
 
     def __getattr__(self, name):

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/encryptor/item.py

@@ -27,17 +27,13 @@ class ItemEncryptor:
 
     def __init__(
         self,
-        *,
-        item_encryptor_config: DynamoDbItemEncryptorConfig | None,
+        item_encryptor_config: DynamoDbItemEncryptorConfig,
     ):
         """
         Create an ItemEncryptor.
-        Must provide exactly one of `item_encryptor_config` or `initialized_client`.
 
         Parameters:
-        item_encryptor_config (Optional[DynamoDbItemEncryptorConfig]): Encryption configuration object.
-        initialized_client (Optional[DynamoDbItemEncryptor]): Initialized DynamoDbItemEncryptor.
-
+        item_encryptor_config (DynamoDbItemEncryptorConfig): Encryption configuration object.
         """
         self._internal_client = DynamoDbItemEncryptor(config = item_encryptor_config)
 
@@ -109,7 +105,7 @@ def encrypt_dynamodb_item(
         """
         return self.encrypt_item(
             EncryptItemInput(
-                plaintext_item = plaintext_ddb_item
+                plaintext_item = plaintext_dynamodb_item
             )
         )