auto commit

Author: rishav-karanjit

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/MigrationUtils.cs

@@ -0,0 +1,83 @@
+using System;
+using System.Collections.Generic;
+using Amazon.DynamoDBv2.Model;
+
+namespace Examples.migration.PlaintextToAWSDBE
+{
+    /*
+    Utility class for the PlaintextToAWSDBE migration examples.
+    This class contains shared functionality used by all migration steps.
+    */
+    public class MigrationUtils
+    {
+        // Verify that a returned item matches the expected values
+        public static bool VerifyReturnedItem(GetItemResponse response, string partitionKeyValue, string sortKeyValue, 
+                                             string encryptedAndSignedValue, string signOnlyValue, string doNothingValue)
+        {
+            var item = response.Item;
+            
+            // Verify partition key
+            if (!item.ContainsKey("partition_key") || item["partition_key"].S != partitionKeyValue)
+            {
+                throw new Exception($"partition_key mismatch: expected {partitionKeyValue}, got {(item.ContainsKey("partition_key") ? item["partition_key"].S : "null")}");
+            }
+            
+            // Verify sort key
+            if (!item.ContainsKey("sort_key") || item["sort_key"].N != sortKeyValue)
+            {
+                throw new Exception($"sort_key mismatch: expected {sortKeyValue}, got {(item.ContainsKey("sort_key") ? item["sort_key"].N : "null")}");
+            }
+            
+            // Verify attribute1 (will be encrypted and signed in future steps)
+            if (!item.ContainsKey("attribute1") || item["attribute1"].S != encryptedAndSignedValue)
+            {
+                throw new Exception($"attribute1 mismatch: expected {encryptedAndSignedValue}, got {(item.ContainsKey("attribute1") ? item["attribute1"].S : "null")}");
+            }
+            
+            // Verify attribute2 (will be signed but not encrypted in future steps)
+            if (!item.ContainsKey("attribute2") || item["attribute2"].S != signOnlyValue)
+            {
+                throw new Exception($"attribute2 mismatch: expected {signOnlyValue}, got {(item.ContainsKey("attribute2") ? item["attribute2"].S : "null")}");
+            }
+            
+            // Verify attribute3 (will neither be encrypted nor signed in future steps)
+            if (!item.ContainsKey("attribute3") || item["attribute3"].S != doNothingValue)
+            {
+                throw new Exception($"attribute3 mismatch: expected {doNothingValue}, got {(item.ContainsKey("attribute3") ? item["attribute3"].S : "null")}");
+            }
+            
+            return true;
+        }
+
+        // Helper method to clean up test items
+        public static async System.Threading.Tasks.Task CleanupItems(string tableName, string partitionKey, string[] sortKeys)
+        {
+            var ddb = new Amazon.DynamoDBv2.AmazonDynamoDBClient();
+            
+            foreach (var sortKey in sortKeys)
+            {
+                try
+                {
+                    var key = new Dictionary<string, AttributeValue>
+                    {
+                        ["partition_key"] = new AttributeValue { S = partitionKey },
+                        ["sort_key"] = new AttributeValue { N = sortKey }
+                    };
+
+                    var deleteRequest = new DeleteItemRequest
+                    {
+                        TableName = tableName,
+                        Key = key
+                    };
+
+                    await ddb.DeleteItemAsync(deleteRequest);
+                }
+                catch (Exception e)
+                {
+                    // Log but don't fail if cleanup fails
+                    Console.WriteLine($"Warning: Failed to clean up test item with sort key {sortKey}: {e.Message}");
+                }
+            }
+        }
+    }
+}

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/awsdbe/MigrationStep1.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Amazon.DynamoDBv2;
+using Amazon.DynamoDBv2.Model;
+using System.Diagnostics;
+using System.Net;
+using AWS.Cryptography.DbEncryptionSDK.DynamoDb;
+using AWS.Cryptography.DbEncryptionSDK.StructuredEncryption;
+using AWS.Cryptography.MaterialProviders;
+using Examples.migration.PlaintextToAWSDBE;
+
+namespace Examples.migration.PlaintextToAWSDBE.awsdbe
+{
+    /*
+    Migration Step 1: This is the first step in the migration process from
+    plaintext to encrypted DynamoDB using the AWS Database Encryption SDK.
+    
+    This step will be implemented in the future. It will demonstrate how to:
+    1. Configure a DynamoDB client with encryption capabilities
+    2. Write items that can still be read by plaintext clients (Step 0)
+    3. Read both plaintext items and items written by this step
+    
+    Running this example requires access to the DDB Table whose name
+    is provided in the function parameter.
+    This table must be configured with the following
+    primary key configuration:
+      - Partition key is named "partition_key" with type (S)
+      - Sort key is named "sort_key" with type (S)
+    */
+    public class MigrationStep1
+    {
+        // This method will be implemented in the future
+        public static async Task<bool> MigrationStep1Example(string kmsKeyId, string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
+        {
+            // TODO: Implement MigrationStep1
+            throw new NotImplementedException("MigrationStep1 is not yet implemented");
+        }
+    }
+}

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/awsdbe/MigrationStep2.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Amazon.DynamoDBv2;
+using Amazon.DynamoDBv2.Model;
+using System.Diagnostics;
+using System.Net;
+using AWS.Cryptography.DbEncryptionSDK.DynamoDb;
+using AWS.Cryptography.DbEncryptionSDK.StructuredEncryption;
+using AWS.Cryptography.MaterialProviders;
+using Examples.migration.PlaintextToAWSDBE;
+
+namespace Examples.migration.PlaintextToAWSDBE.awsdbe
+{
+    /*
+    Migration Step 2: This is the second step in the migration process from
+    plaintext to encrypted DynamoDB using the AWS Database Encryption SDK.
+    
+    This step will be implemented in the future. It will demonstrate how to:
+    1. Configure a DynamoDB client with full encryption capabilities
+    2. Write fully encrypted items that cannot be read by plaintext clients (Step 0)
+    3. Read both plaintext items and fully encrypted items
+    
+    Running this example requires access to the DDB Table whose name
+    is provided in the function parameter.
+    This table must be configured with the following
+    primary key configuration:
+      - Partition key is named "partition_key" with type (S)
+      - Sort key is named "sort_key" with type (S)
+    */
+    public class MigrationStep2
+    {
+        // This method will be implemented in the future
+        public static async Task<bool> MigrationStep2Example(string kmsKeyId, string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
+        {
+            // TODO: Implement MigrationStep2
+            throw new NotImplementedException("MigrationStep2 is not yet implemented");
+        }
+    }
+}

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/awsdbe/MigrationStep3.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Amazon.DynamoDBv2;
+using Amazon.DynamoDBv2.Model;
+using System.Diagnostics;
+using System.Net;
+using AWS.Cryptography.DbEncryptionSDK.DynamoDb;
+using AWS.Cryptography.DbEncryptionSDK.StructuredEncryption;
+using AWS.Cryptography.MaterialProviders;
+using Examples.migration.PlaintextToAWSDBE;
+
+namespace Examples.migration.PlaintextToAWSDBE.awsdbe
+{
+    /*
+    Migration Step 3: This is the final step in the migration process from
+    plaintext to encrypted DynamoDB using the AWS Database Encryption SDK.
+    
+    This step will be implemented in the future. It will demonstrate how to:
+    1. Configure a DynamoDB client with full encryption capabilities
+    2. Write fully encrypted items with additional security features
+    3. Read both plaintext items and fully encrypted items
+    
+    Running this example requires access to the DDB Table whose name
+    is provided in the function parameter.
+    This table must be configured with the following
+    primary key configuration:
+      - Partition key is named "partition_key" with type (S)
+      - Sort key is named "sort_key" with type (S)
+    */
+    public class MigrationStep3
+    {
+        // This method will be implemented in the future
+        public static async Task<bool> MigrationStep3Example(string kmsKeyId, string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
+        {
+            // TODO: Implement MigrationStep3
+            throw new NotImplementedException("MigrationStep3 is not yet implemented");
+        }
+    }
+}

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/plaintext/MigrationStep0.cs

@@ -0,0 +1,109 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Amazon.DynamoDBv2;
+using Amazon.DynamoDBv2.Model;
+using System.Diagnostics;
+using System.Net;
+using Examples.migration.PlaintextToAWSDBE;
+
+namespace Examples.migration.PlaintextToAWSDBE.plaintext
+{
+    /*
+    Migration Step 0: This is the pre-migration step for the
+    plaintext-to-encrypted database migration, and is the starting
+    state for our migration from a plaintext database to a
+    client-side encrypted database encrypted using the
+    AWS Database Encryption SDK for DynamoDb.
+
+    In this example, we configure a DynamoDbClient to
+    write a plaintext record to a table and read that record.
+    This emulates the starting state of a plaintext-to-encrypted
+    database migration; i.e. a plaintext database you can
+    read and write to with the DynamoDbClient.
+
+    Running this example requires access to the DDB Table whose name
+    is provided in the function parameter.
+    This table must be configured with the following
+    primary key configuration:
+      - Partition key is named "partition_key" with type (S)
+      - Sort key is named "sort_key" with type (S)
+    */
+    public class MigrationStep0
+    {
+        public static async Task<bool> MigrationStep0Example(string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
+        {
+            try
+            {
+                // 1. Create a standard DynamoDB client
+                var ddb = new AmazonDynamoDBClient();
+
+                // 2. Put an example item into DynamoDB table
+                //    This item will be stored in plaintext.
+                string encryptedAndSignedValue = "this will be encrypted and signed";
+                string signOnlyValue = "this will never be encrypted, but it will be signed";
+                string doNothingValue = "this will never be encrypted nor signed";
+                var item = new Dictionary<string, AttributeValue>
+                {
+                    ["partition_key"] = new AttributeValue { S = partitionKeyValue },
+                    ["sort_key"] = new AttributeValue { N = sortKeyWriteValue },
+                    ["attribute1"] = new AttributeValue { S = encryptedAndSignedValue },
+                    ["attribute2"] = new AttributeValue { S = signOnlyValue },
+                    ["attribute3"] = new AttributeValue { S = doNothingValue }
+                };
+
+                var putRequest = new PutItemRequest
+                {
+                    TableName = ddbTableName,
+                    Item = item
+                };
+
+                var putResponse = await ddb.PutItemAsync(putRequest);
+                Debug.Assert(putResponse.HttpStatusCode == HttpStatusCode.OK);
+
+                // 3. Get an item back from the table as it was written.
+                //    If this is an item written in plaintext (i.e. any item written
+                //    during Step 0 or 1), then the item will still be in plaintext
+                //    and will be able to be processed.
+                //    If this is an item that was encrypted client-side (i.e. any item written
+                //    during Step 2 or after), then the item will still be encrypted client-side
+                //    and will be unable to be processed in your code. To decrypt and process
+                //    client-side encrypted items, you will need to configure encrypted reads on
+                //    your dynamodb client (this is configured from Step 1 onwards).
+                var key = new Dictionary<string, AttributeValue>
+                {
+                    ["partition_key"] = new AttributeValue { S = partitionKeyValue },
+                    ["sort_key"] = new AttributeValue { N = sortKeyReadValue }
+                };
+
+                var getRequest = new GetItemRequest
+                {
+                    TableName = ddbTableName,
+                    Key = key
+                };
+
+                var getResponse = await ddb.GetItemAsync(getRequest);
+                Debug.Assert(getResponse.HttpStatusCode == HttpStatusCode.OK);
+
+                // 4. Verify we get the expected item back
+                if (getResponse.Item == null)
+                {
+                    throw new Exception("No item found");
+                }
+
+                bool success = MigrationUtils.VerifyReturnedItem(getResponse, partitionKeyValue, sortKeyReadValue, encryptedAndSignedValue, signOnlyValue, doNothingValue);
+                if (success)
+                {
+                    Console.WriteLine("MigrationStep0 completed successfully");
+                }
+                return success;
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine($"Error in MigrationStep0: {e.Message}");
+                throw;
+            }
+        }
+
+    }
+}

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/plaintext/MigrationStep0Test.cs

@@ -0,0 +1,76 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Amazon.DynamoDBv2;
+using Amazon.DynamoDBv2.Model;
+using System.Diagnostics;
+using Xunit;
+using Examples.migration.PlaintextToAWSDBE;
+
+namespace Examples.migration.PlaintextToAWSDBE.plaintext
+{
+    /*
+    Test for Migration Step 0: This tests the pre-migration step for the
+    plaintext-to-encrypted database migration.
+    
+    This test verifies that:
+    1. Step 0 can successfully write and read plaintext items
+    2. (Future) Step 0 can read items written by Step 1 (commented out until Step 1 is implemented)
+    3. (Future) Step 0 cannot read items written by Steps 2 and 3 (commented out until Steps 2 and 3 are implemented)
+    
+    Running this test requires access to the DDB Table whose name
+    is provided by TestUtils.TEST_DDB_TABLE_NAME.
+    This table must be configured with the following
+    primary key configuration:
+      - Partition key is named "partition_key" with type (S)
+      - Sort key is named "sort_key" with type (S)
+    */
+    public class MigrationStep0Test
+    {
+        [Fact]
+        public async Task TestMigrationStep0()
+        {
+            string kmsKeyID = TestUtils.TEST_KMS_KEY_ID;
+            string tableName = TestUtils.TEST_DDB_TABLE_NAME;
+            string partitionKey = Guid.NewGuid().ToString();
+            string[] sortKeys = { "0", "1", "2", "3" };
+
+            try
+            {
+                // Successfully executes step 0
+                bool success = await MigrationStep0.MigrationStep0Example(tableName, partitionKey, sortKeys[0], sortKeys[0]);
+                Assert.True(success, "MigrationStep0 should complete successfully");
+
+                // The following tests will be implemented once the other migration steps are created
+                
+                // Given: Step 1 has succeeded
+                // await awsdbe.MigrationStep1.MigrationStep1Example(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[1]);
+                
+                // When: Execute Step 0 with sortReadValue=1, Then: Success (i.e. can read plaintext values)
+                // success = await MigrationStep0.MigrationStep0Example(tableName, partitionKey, sortKeys[0], sortKeys[1]);
+                // Assert.True(success, "MigrationStep0 should be able to read items written by Step 1");
+                
+                // Given: Step 2 has succeeded
+                // await awsdbe.MigrationStep2.MigrationStep2Example(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[2]);
+                
+                // When: Execute Step 0 with sortReadValue=2, Then: should error out when reading encrypted items.
+                // var exception = await Assert.ThrowsAsync<Exception>(() => 
+                //     MigrationStep0.MigrationStep0Example(tableName, partitionKey, sortKeys[0], sortKeys[2]));
+                // Assert.Contains("attribute1 is not a string attribute", exception.Message);
+                
+                // Given: Step 3 has succeeded (if it exists)
+                // await awsdbe.MigrationStep3.MigrationStep3Example(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3]);
+                
+                // When: Execute Step 0 with sortReadValue=3, Then: should error out
+                // exception = await Assert.ThrowsAsync<Exception>(() => 
+                //     MigrationStep0.MigrationStep0Example(tableName, partitionKey, sortKeys[0], sortKeys[3]));
+                // Assert.Contains("attribute1 is not a string attribute", exception.Message);
+            }
+            finally
+            {
+                // Cleanup
+                await MigrationUtils.CleanupItems(tableName, partitionKey, sortKeys);
+            }
+        }
+    }
+}