wip

Author: lucasmcdonald3

DynamoDbEncryption/runtimes/python/src/aws_database_encryption_sdk/encryptor/client.py

@@ -4,12 +4,15 @@
 from botocore.paginate import Paginator
 import botocore.client
 from typing import Callable, Optional
+import inspect
 
 from aws_database_encryption_sdk.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_transforms.models import (
     GetItemInputTransformInput,
     GetItemOutputTransformInput,
     PutItemInputTransformInput,
     PutItemOutputTransformInput,
+    BatchWriteItemInputTransformInput,
+    BatchWriteItemOutputTransformInput,
 )
 from aws_database_encryption_sdk.transform import (
     dict_to_ddb,
@@ -73,6 +76,13 @@ def _copy_sdk_response_to_dbesdk_response(self, sdk_response, dbesdk_response):
             if sdk_response_key not in dbesdk_response:
                 dbesdk_response[sdk_response_key] = sdk_response_value
 
+    def _get_protected_methods(self):
+        """Return a list of all protected methods in the given object."""
+        return [
+            name for name, member in inspect.getmembers(self, predicate=inspect.ismethod)
+            if name.startswith('_') and not name.startswith('__')
+        ]
+
     def put_item(self, **kwargs):
         # TODO: refactor shared logic (DDB/Python conversions, client/table)
         dynamodb_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Item", **kwargs)
@@ -95,8 +105,8 @@ def put_item(self, **kwargs):
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
-        self._maybe_transform_response_to_python_dict(dbesdk_response)
-        return response
+        self._maybe_transform_response_item_to_python_dict(dbesdk_response)
+        return dbesdk_response
 
     def get_item(self, **kwargs):
         dynamodb_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
@@ -113,11 +123,34 @@ def get_item(self, **kwargs):
             )
         ).transformed_output
         self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
-        self._maybe_transform_response_to_python_dict(dbesdk_response)
-        return response
+        self._maybe_transform_response_item_to_python_dict(dbesdk_response)
+        return dbesdk_response
+
+    def batch_write_item(self, **kwargs):
+        # dynamodb_input = self._maybe_transform_request_to_dynamodb_item(item_key = "Key", **kwargs)
+        dynamodb_input = kwargs
+        transformed_request = self._transformer.batch_write_item_input_transform(
+            BatchWriteItemInputTransformInput(
+                sdk_input = dynamodb_input
+            )
+        ).transformed_input
+        sdk_response = self._client.batch_write_item(**transformed_request)
+        dbesdk_response = self._transformer.batch_write_item_output_transform(
+            BatchWriteItemOutputTransformInput(
+                original_input = dynamodb_input,
+                sdk_output = sdk_response,
+            )
+        ).transformed_output
+        self._copy_sdk_response_to_dbesdk_response(sdk_response, dbesdk_response)
+        # self._maybe_transform_response_to_python_dict(dbesdk_response)
+        return dbesdk_response
 
     def __getattr__(self, name):
         if hasattr(self._client, name):
             print(f'calling underlyign client {name=}')
             return getattr(self._client, name)
-        raise KeyError("idk")
+        # __getattr__ doesn't find protected methods by default.
+        elif name in self._get_protected_methods():
+            return getattr(self, name)
+        else:
+            raise KeyError("idk still")

TestVectors/dafny/DDBEncryption/src/DecryptManifest.dfy

@@ -20,12 +20,17 @@ module {:options "-functionSyntax:4"} DecryptManifest {
   import opened JSONHelpers
   import JsonConfig
   import ENC = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
+  import KeyVectors
 
-  method OnePositiveTest(name : string, config : JSON, encrypted : JSON, plaintext : JSON) returns (output : Result<bool, string>)
+  method OnePositiveTest(name : string, config : JSON, encrypted : JSON, plaintext : JSON, keys : KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     var enc :- JsonConfig.GetRecord(encrypted);
     var plain :- JsonConfig.GetRecord(plaintext);
-    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config, keys);
     var decrypted :- expect encryptor.DecryptItem(
       ENC.DecryptItemInput(
         encryptedItem:=enc.item
@@ -36,10 +41,14 @@ module {:options "-functionSyntax:4"} DecryptManifest {
     return Success(true);
   }
 
-  method OneNegativeTest(name : string, config : JSON, encrypted : JSON) returns (output : Result<bool, string>)
+  method OneNegativeTest(name : string, config : JSON, encrypted : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     var enc :- JsonConfig.GetRecord(encrypted);
-    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config, keys);
     var decrypted := encryptor.DecryptItem(
       ENC.DecryptItemInput(
         encryptedItem:=enc.item
@@ -51,7 +60,11 @@ module {:options "-functionSyntax:4"} DecryptManifest {
     return Success(true);
   }
 
-  method OneTest(name : string, value : JSON) returns (output : Result<bool, string>)
+  method OneTest(name : string, value : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(value.Object?, "Test must be an object");
 
@@ -89,15 +102,19 @@ module {:options "-functionSyntax:4"} DecryptManifest {
 
     if types.value == "positive-decrypt" {
       :- Need(plaintext.Some?, "positive-decrypt Test requires a 'plaintext' member.");
-      output := OnePositiveTest(name, config.value, encrypted.value, plaintext.value);
+      output := OnePositiveTest(name, config.value, encrypted.value, plaintext.value, keys);
     } else if types.value == "negative-decrypt" {
-      output := OneNegativeTest(name, config.value, encrypted.value);
+      output := OneNegativeTest(name, config.value, encrypted.value, keys);
     } else {
       return Failure("Invalid encrypt type : '" + types.value + "'.");
     }
   }
 
-  method Decrypt(inFile : string) returns (output : Result<bool, string>)
+  method Decrypt(inFile : string, keyVectors: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keyVectors.ValidState()
+    modifies keyVectors.Modifies
+    ensures keyVectors.ValidState()
   {
     var timeStamp :- expect Time.GetCurrentTimeStamp();
     print timeStamp + " Decrypt : ", inFile, "\n";
@@ -154,7 +171,7 @@ module {:options "-functionSyntax:4"} DecryptManifest {
     for i := 0 to |tests.value| {
       var obj := tests.value[i];
       :- Need(obj.1.Object?, "Value of test '" + obj.0 + "' must be an Object.");
-      var _ :- OneTest(obj.0, obj.1);
+      var _ :- OneTest(obj.0, obj.1, keyVectors);
     }
 
     timeStamp :- expect Time.GetCurrentTimeStamp();

TestVectors/dafny/DDBEncryption/src/EncryptManifest.dfy

@@ -21,6 +21,9 @@ module {:options "-functionSyntax:4"} EncryptManifest {
   import opened JSONHelpers
   import JsonConfig
   import ENC = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
+  import KeyVectors
+
+  const DEFAULT_KEYS : string := "../../../submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders/dafny/TestVectorsAwsCryptographicMaterialProviders/test/keys.json"
 
   function Manifest() : (string, JSON)
   {
@@ -42,10 +45,14 @@ module {:options "-functionSyntax:4"} EncryptManifest {
     ("client", Object(result))
   }
 
-  method OnePositiveTest(name : string, theType : string, desc : string, config : JSON, decryptConfig : Option<JSON>, record : JSON) returns (output : Result<(string, JSON), string>)
+  method OnePositiveTest(name : string, theType : string, desc : string, config : JSON, decryptConfig : Option<JSON>, record : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<(string, JSON), string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     var rec :- JsonConfig.GetRecord(record);
-    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config, keys);
     var encrypted :- expect encryptor.EncryptItem(
       ENC.EncryptItemInput(
         plaintextItem:=rec.item
@@ -64,10 +71,14 @@ module {:options "-functionSyntax:4"} EncryptManifest {
     return Success((name, Object(result)));
   }
 
-  method OneNegativeTest(name : string, config : JSON, record : JSON) returns (output : Result<bool, string>)
+  method OneNegativeTest(name : string, config : JSON, record : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     var rec :- JsonConfig.GetRecord(record);
-    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config, keys);
     var encrypted := encryptor.EncryptItem(
       ENC.EncryptItemInput(
         plaintextItem:=rec.item
@@ -80,7 +91,11 @@ module {:options "-functionSyntax:4"} EncryptManifest {
   }
 
 
-  method OneTest(name : string, value : JSON) returns (output : Result<Option<(string, JSON)>, string>)
+  method OneTest(name : string, value : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<Option<(string, JSON)>, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(value.Object?, "Test must be an object");
 
@@ -117,20 +132,24 @@ module {:options "-functionSyntax:4"} EncryptManifest {
     :- Need(record.Some?, "Test requires a 'record' member.");
 
     if types.value == "positive-encrypt" {
-      var x :- OnePositiveTest(name, "positive-decrypt", description.value, config.value, decryptConfig, record.value);
+      var x :- OnePositiveTest(name, "positive-decrypt", description.value, config.value, decryptConfig, record.value, keys);
       return Success(Some(x));
     } else if types.value == "negative-decrypt" {
-      var x :- OnePositiveTest(name, "negative-decrypt", description.value, config.value, decryptConfig, record.value);
+      var x :- OnePositiveTest(name, "negative-decrypt", description.value, config.value, decryptConfig, record.value, keys);
       return Success(Some(x));
     } else if types.value == "negative-encrypt" {
-      var _ := OneNegativeTest(name, config.value, record.value);
+      var _ := OneNegativeTest(name, config.value, record.value, keys);
       return Success(None);
     } else {
       return Failure("Invalid encrypt type : '" + types.value + "'.");
     }
   }
 
-  method Encrypt(inFile : string, outFile : string, lang : string, version : string) returns (output : Result<bool, string>)
+  method Encrypt(inFile : string, outFile : string, lang : string, version : string, keyVectors: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keyVectors.ValidState()
+    modifies keyVectors.Modifies
+    ensures keyVectors.ValidState()
   {
     var timeStamp :- expect Time.GetCurrentTimeStamp();
     print timeStamp + " Encrypt : ", inFile, "\n";
@@ -187,7 +206,7 @@ module {:options "-functionSyntax:4"} EncryptManifest {
     for i := 0 to |tests.value| {
       var obj := tests.value[i];
       :- Need(obj.1.Object?, "Value of test '" + obj.0 + "' must be an Object.");
-      var newTest :- OneTest(obj.0, obj.1);
+      var newTest :- OneTest(obj.0, obj.1, keyVectors);
       if newTest.Some? {
         test := test + [newTest.value];
       }

TestVectors/dafny/DDBEncryption/src/Index.dfy

@@ -14,8 +14,14 @@ module WrappedDDBEncryptionMain {
   import FileIO
   import JSON.API
   import opened JSONHelpers
+  import KeyVectors
+  import KeyVectorsTypes = AwsCryptographyMaterialProvidersTestVectorKeysTypes
 
-  method AddJson(prev : TestVectorConfig, file : string) returns (output : Result<TestVectorConfig, string>)
+  method AddJson(prev : TestVectorConfig, file : string, keyVectors: KeyVectors.KeyVectorsClient)
+    returns (output : Result<TestVectorConfig, string>)
+    requires keyVectors.ValidState()
+    modifies keyVectors.Modifies
+    ensures keyVectors.ValidState()
   {
     var configBv := FileIO.ReadBytesFromFile(file);
     if configBv.Failure? {
@@ -24,20 +30,31 @@ module WrappedDDBEncryptionMain {
     }
     var configBytes := BvToBytes(configBv.value);
     var json :- expect API.Deserialize(configBytes);
-    output := ParseTestVector(json, prev);
+    output := ParseTestVector(json, prev, keyVectors);
     if output.Failure? {
       print output.error, "\n";
     }
   }
 
-  method ASDF() {
+  method ASDF() 
+  {
+    // Create a singleton keyVectors client used in every test.
+    // Right now, all test vectors use the same keys manifest, located at DEFAULT_KEYS.
+    // Parsing JSON is expensive in some languages.
+    // 
+    var keyVectors :- expect KeyVectors.KeyVectors(
+      KeyVectorsTypes.KeyVectorsConfig(
+        keyManifestPath := DEFAULT_KEYS
+      )
+    );
+
     WriteSetPermutations.WriteSetPermutations();
     var config := MakeEmptyTestVector();
-    config :- expect AddJson(config, "records.json");
-    config :- expect AddJson(config, "configs.json");
-    config :- expect AddJson(config, "data.json");
-    config :- expect AddJson(config, "iotest.json");
-    config :- expect AddJson(config, "PermTest.json");
-    config.RunAllTests();
+    config :- expect AddJson(config, "records.json", keyVectors);
+    config :- expect AddJson(config, "configs.json", keyVectors);
+    config :- expect AddJson(config, "data.json", keyVectors);
+    config :- expect AddJson(config, "iotest.json", keyVectors);
+    config :- expect AddJson(config, "PermTest.json", keyVectors);
+    config.RunAllTests(keyVectors);
   }
 }