auto commit

Author: rishav-karanjit

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/awsdbe/MigrationStep1.cs

@@ -37,86 +37,13 @@ public class MigrationStep1
     {
         public static async Task<bool> MigrationStep1Example(string kmsKeyId, string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
         {
-            // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
-            //    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
-            //    We will use the `CreateMrkMultiKeyring` method to create this keyring,
-            //    as it will correctly handle both single region and Multi-Region KMS Keys.
-            var matProv = new MaterialProviders(new MaterialProvidersConfig());
-            var keyringInput = new CreateAwsKmsMrkMultiKeyringInput { Generator = kmsKeyId };
-            var kmsKeyring = matProv.CreateAwsKmsMrkMultiKeyring(keyringInput);
+            var tableConfigs = Common.CreateTableConfigs(kmsKeyId, ddbTableName, PlaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ);
 
-            // 2. Configure which attributes are encrypted and/or signed when writing new items.
-            //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
-            //    we must explicitly configure how they should be treated during item encryption:
-            //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
-            //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
-            //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
-            var attributeActionsOnEncrypt = new Dictionary<string, CryptoAction>
-            {
-                ["partition_key"] = CryptoAction.SIGN_ONLY, // Our partition attribute must be SIGN_ONLY
-                ["sort_key"] = CryptoAction.SIGN_ONLY, // Our sort attribute must be SIGN_ONLY
-                ["attribute1"] = CryptoAction.ENCRYPT_AND_SIGN,
-                ["attribute2"] = CryptoAction.SIGN_ONLY,
-                ["attribute3"] = CryptoAction.DO_NOTHING
-            };
-
-            // 3. Configure which attributes we expect to be excluded in the signature
-            //    when reading items. There are two options for configuring this:
-            //
-            //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
-            //      When defining your DynamoDb schema and deciding on attribute names,
-            //      choose a distinguishing prefix (such as ":") for all attributes that
-            //      you do not want to include in the signature.
-            //      This has two main benefits:
-            //      - It is easier to reason about the security and authenticity of data within your item
-            //        when all unauthenticated data is easily distinguishable by their attribute name.
-            //      - If you need to add new unauthenticated attributes in the future,
-            //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
-            //        and immediately start writing to that new attribute, without
-            //        any other configuration update needed.
-            //      Once you configure this field, it is not safe to update it.
-            //
-            //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
-            //      a set of attributes that should be considered unauthenticated when encountered
-            //      on read. Be careful if you use this configuration. Do not remove an attribute
-            //      name from this configuration, even if you are no longer writing with that attribute,
-            //      as old items may still include this attribute, and our configuration needs to know
-            //      to continue to exclude this attribute from the signature scope.
-            //      If you add new attribute names to this field, you must first deploy the update to this
-            //      field to all readers in your host fleet before deploying the update to start writing
-            //      with that new attribute.
-            //
-            //   For this example, we will explicitly list the attributes that are not signed.
-            var unsignedAttributes = new List<string> { "attribute3" };
-
-            // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
-            //    This configuration uses PlaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ
-            //    which means:
-            //    - Write: Items are forced to be written as plaintext.
-            //             Items may not be written as encrypted items.
-            //    - Read: Items are allowed to be read as plaintext.
-            //            Items are allowed to be read as encrypted items.
-            var tableConfig = new DynamoDbTableEncryptionConfig
-            {
-                LogicalTableName = ddbTableName,
-                PartitionKeyName = "partition_key",
-                SortKeyName = "sort_key",
-                AttributeActionsOnEncrypt = attributeActionsOnEncrypt,
-                Keyring = kmsKeyring,
-                AllowedUnsignedAttributes = unsignedAttributes,
-                PlaintextOverride = PlaintextOverride.FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ
-            };
-
-            var tableConfigs = new Dictionary<string, DynamoDbTableEncryptionConfig>
-            {
-                [ddbTableName] = tableConfig
-            };
-
-            // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
+            // 1. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
             var ddb = new Client.DynamoDbClient(
                 new DynamoDbTablesEncryptionConfig { TableEncryptionConfigs = tableConfigs });
 
-            // 6. Put an item into our table using the above client.
+            // 2. Put an item into our table using the above client.
             //    This item will be stored in plaintext due to our PlaintextOverride configuration.
             string encryptedAndSignedValue = MigrationUtils.ENCRYPTED_AND_SIGNED_VALUE;
             string signOnlyValue = MigrationUtils.SIGN_ONLY_VALUE;
@@ -139,7 +66,7 @@ public static async Task<bool> MigrationStep1Example(string kmsKeyId, string ddb
             var putResponse = await ddb.PutItemAsync(putRequest);
             Debug.Assert(putResponse.HttpStatusCode == HttpStatusCode.OK);
 
-            // 7. Get an item back from the table using the same client.
+            // 3. Get an item back from the table using the same client.
             //    If this is an item written in plaintext (i.e. any item written
             //    during Step 0 or 1), then the item will still be in plaintext.
             //    If this is an item that was encrypted client-side (i.e. any item written
@@ -164,7 +91,7 @@ public static async Task<bool> MigrationStep1Example(string kmsKeyId, string ddb
             var getResponse = await ddb.GetItemAsync(getRequest);
             Debug.Assert(getResponse.HttpStatusCode == HttpStatusCode.OK);
 
-            // 8. Verify we get the expected item back
+            // 4. Verify we get the expected item back
             if (getResponse.Item == null)
             {
                 throw new Exception("No item found");

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/awsdbe/MigrationStep2.cs

@@ -39,62 +39,20 @@ public class MigrationStep2
     {
         public static async Task<bool> MigrationStep2Example(string kmsKeyId, string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
         {
-            // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
-            //    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
-            //    We will use the `CreateMrkMultiKeyring` method to create this keyring,
-            //    as it will correctly handle both single region and Multi-Region KMS Keys.
-            var matProv = new MaterialProviders(new MaterialProvidersConfig());
-            var keyringInput = new CreateAwsKmsMrkMultiKeyringInput { Generator = kmsKeyId };
-            var kmsKeyring = matProv.CreateAwsKmsMrkMultiKeyring(keyringInput);
+            // 1. Create table configurations
+            // In this of migration we will use PlaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ
+            // which means:
+            // - Write: Items are forbidden to be written as plaintext.
+            //         Items will be written as encrypted items.
+            // - Read: Items are allowed to be read as plaintext.
+            //         Items are allowed to be read as encrypted items.
+            var tableConfigs = Common.CreateTableConfigs(kmsKeyId, ddbTableName, PlaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ);
 
-            // 2. Configure which attributes are encrypted and/or signed when writing new items.
-            //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
-            //    we must explicitly configure how they should be treated during item encryption:
-            //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
-            //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
-            //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
-            var attributeActionsOnEncrypt = new Dictionary<string, CryptoAction>
-            {
-                ["partition_key"] = CryptoAction.SIGN_ONLY, // Our partition attribute must be SIGN_ONLY
-                ["sort_key"] = CryptoAction.SIGN_ONLY, // Our sort attribute must be SIGN_ONLY
-                ["attribute1"] = CryptoAction.ENCRYPT_AND_SIGN,
-                ["attribute2"] = CryptoAction.SIGN_ONLY,
-                ["attribute3"] = CryptoAction.DO_NOTHING
-            };
-
-            // 3. Configure which attributes we expect to be excluded in the signature
-            //    when reading items.
-            //    For this example, we will explicitly list the attributes that are not signed.
-            var unsignedAttributes = new List<string> { "attribute3" };
-
-            // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
-            //    This configuration uses PlaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ
-            //    which means:
-            //    - Write: Items are forbidden to be written as plaintext.
-            //             Items will be written as encrypted items.
-            //    - Read: Items are allowed to be read as plaintext.
-            //            Items are allowed to be read as encrypted items.
-            var tableConfig = new DynamoDbTableEncryptionConfig
-            {
-                LogicalTableName = ddbTableName,
-                PartitionKeyName = "partition_key",
-                SortKeyName = "sort_key",
-                AttributeActionsOnEncrypt = attributeActionsOnEncrypt,
-                Keyring = kmsKeyring,
-                AllowedUnsignedAttributes = unsignedAttributes,
-                PlaintextOverride = PlaintextOverride.FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ
-            };
-
-            var tableConfigs = new Dictionary<string, DynamoDbTableEncryptionConfig>
-            {
-                [ddbTableName] = tableConfig
-            };
-
-            // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
+            // 2. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
             var ddb = new Client.DynamoDbClient(
                 new DynamoDbTablesEncryptionConfig { TableEncryptionConfigs = tableConfigs });
 
-            // 6. Put an item into our table using the above client.
+            // 3. Put an item into our table using the above client.
             //    This item will be encrypted due to our PlaintextOverride configuration.
             string encryptedAndSignedValue = MigrationUtils.ENCRYPTED_AND_SIGNED_VALUE;
             string signOnlyValue = MigrationUtils.SIGN_ONLY_VALUE;
@@ -117,7 +75,7 @@ public static async Task<bool> MigrationStep2Example(string kmsKeyId, string ddb
             var putResponse = await ddb.PutItemAsync(putRequest);
             Debug.Assert(putResponse.HttpStatusCode == HttpStatusCode.OK);
 
-            // 7. Get an item back from the table using the same client.
+            // 4. Get an item back from the table using the same client.
             //    If this is an item written in plaintext (i.e. any item written
             //    during Step 0 or 1), then the item will still be in plaintext.
             //    If this is an item that was encrypted client-side (i.e. any item written
@@ -142,7 +100,7 @@ public static async Task<bool> MigrationStep2Example(string kmsKeyId, string ddb
             var getResponse = await ddb.GetItemAsync(getRequest);
             Debug.Assert(getResponse.HttpStatusCode == HttpStatusCode.OK);
 
-            // 8. Verify we get the expected item back
+            // 5. Verify we get the expected item back
             if (getResponse.Item == null)
             {
                 throw new Exception("No item found");

Examples/runtimes/net/src/migration/PlaintextToAWSDBE/awsdbe/MigrationStep3.cs

@@ -36,65 +36,23 @@ public class MigrationStep3
     {
         public static async Task<bool> MigrationStep3Example(string kmsKeyId, string ddbTableName, string partitionKeyValue, string sortKeyWriteValue, string sortKeyReadValue)
         {
-            // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
-            //    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
-            //    We will use the `CreateMrkMultiKeyring` method to create this keyring,
-            //    as it will correctly handle both single region and Multi-Region KMS Keys.
-            var matProv = new MaterialProviders(new MaterialProvidersConfig());
-            var keyringInput = new CreateAwsKmsMrkMultiKeyringInput { Generator = kmsKeyId };
-            var kmsKeyring = matProv.CreateAwsKmsMrkMultiKeyring(keyringInput);
-
-            // 2. Configure which attributes are encrypted and/or signed when writing new items.
-            //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
-            //    we must explicitly configure how they should be treated during item encryption:
-            //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
-            //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
-            //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
-            var attributeActionsOnEncrypt = new Dictionary<string, CryptoAction>
-            {
-                ["partition_key"] = CryptoAction.SIGN_ONLY, // Our partition attribute must be SIGN_ONLY
-                ["sort_key"] = CryptoAction.SIGN_ONLY, // Our sort attribute must be SIGN_ONLY
-                ["attribute1"] = CryptoAction.ENCRYPT_AND_SIGN,
-                ["attribute2"] = CryptoAction.SIGN_ONLY,
-                ["attribute3"] = CryptoAction.DO_NOTHING
-            };
-
-            // 3. Configure which attributes we expect to be excluded in the signature
-            //    when reading items.
-            //    For this example, we will explicitly list the attributes that are not signed.
-            var unsignedAttributes = new List<string> { "attribute3" };
-
-            // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
-            //    This configuration uses PlaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ
-            //    which means:
-            //    - Write: Items are forbidden to be written as plaintext.
+            // 1. Create table configurations
+            // In this of migration we will use PlaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ
+            // which means:
+            //     - Write: Items are forbidden to be written as plaintext.
             //             Items will be written as encrypted items.
-            //    - Read: Items are forbidden to be read as plaintext.
-            //            Items will be read as encrypted items.
-            //    Note: If you do not specify a PlaintextOverride, it defaults to
-            //          FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ, which is the desired
-            //          behavior for a client interacting with a fully encrypted database.
-            var tableConfig = new DynamoDbTableEncryptionConfig
-            {
-                LogicalTableName = ddbTableName,
-                PartitionKeyName = "partition_key",
-                SortKeyName = "sort_key",
-                AttributeActionsOnEncrypt = attributeActionsOnEncrypt,
-                Keyring = kmsKeyring,
-                AllowedUnsignedAttributes = unsignedAttributes,
-                PlaintextOverride = PlaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ
-            };
-
-            var tableConfigs = new Dictionary<string, DynamoDbTableEncryptionConfig>
-            {
-                [ddbTableName] = tableConfig
-            };
+            //     - Read: Items are forbidden to be read as plaintext.
+            //             Items will be read as encrypted items.
+            // Note: If you do not specify a PlaintextOverride, it defaults to
+            //       FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ, which is the desired
+            //       behavior for a client interacting with a fully encrypted database.
+            var tableConfigs = Common.CreateTableConfigs(kmsKeyId, ddbTableName, PlaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ);
 
-            // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
+            // 2. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
             var ddb = new Client.DynamoDbClient(
                 new DynamoDbTablesEncryptionConfig { TableEncryptionConfigs = tableConfigs });
 
-            // 6. Put an item into our table using the above client.
+            // 3. Put an item into our table using the above client.
             //    This item will be encrypted due to our PlaintextOverride configuration.
             string encryptedAndSignedValue = MigrationUtils.ENCRYPTED_AND_SIGNED_VALUE;
             string signOnlyValue = MigrationUtils.SIGN_ONLY_VALUE;
@@ -117,7 +75,7 @@ public static async Task<bool> MigrationStep3Example(string kmsKeyId, string ddb
             var putResponse = await ddb.PutItemAsync(putRequest);
             Debug.Assert(putResponse.HttpStatusCode == HttpStatusCode.OK);
 
-            // 7. Get an item back from the table using the same client.
+            // 4. Get an item back from the table using the same client.
             //    If this is an item written in plaintext (i.e. any item written
             //    during Step 0 or 1), then the read will fail, as we have
             //    configured our client to forbid reading plaintext items.
@@ -143,7 +101,7 @@ public static async Task<bool> MigrationStep3Example(string kmsKeyId, string ddb
             var getResponse = await ddb.GetItemAsync(getRequest);
             Debug.Assert(getResponse.HttpStatusCode == HttpStatusCode.OK);
 
-            // 8. Verify we get the expected item back
+            // Verify we get the expected item back
             if (getResponse.Item == null)
             {
                 throw new Exception("No item found");