From 1049f694564094b47ce9bb56b984650916392f81 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 31 Jul 2025 12:13:23 -0700 Subject: [PATCH 01/52] auto commit --- Examples/runtimes/go/main.go | 186 +++++++++--------- .../plaintext/createsimpletable.go | 39 ++++ .../plaintext/migrationexamplestep0.go | 66 +++++++ 3 files changed, 202 insertions(+), 89 deletions(-) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/migrationexamplestep0.go diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go index 8be077479..ba5541881 100644 --- a/Examples/runtimes/go/main.go +++ b/Examples/runtimes/go/main.go 
@@ -4,100 +4,108 @@ package main import ( - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/clientsupplier" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/itemencryptor" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/keyring" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/misc" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption/complexexample" + "context" + + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/dynamodb" ) func main() { - // clientsupplier example - clientsupplier.ClientSupplierExample( - utils.DdbTableName(), - utils.TestMrkReplicaKeyIdUsEast1(), - utils.DefaultKMSKeyAccountID(), - utils.AlternateRegionKmsKeyRegionAsAList()) - // misc examples - misc.BasicPutGetExample( - utils.KmsKeyID(), - utils.DdbTableName()) - misc.GetEncryptedDataKeyDescriptionExample( - utils.KmsKeyID(), - utils.DdbTableName()) - misc.MultiPutGetExample( - utils.KmsKeyID(), - utils.DdbTableName()) - branchKey1 := misc.CreateBranchKeyIDExample( - utils.TestKeystoreName(), - utils.TestLogicalKeystoreName(), - utils.TestKeystoreKmsKeyId()) - branchKey2 := misc.CreateBranchKeyIDExample( - utils.TestKeystoreName(), - utils.TestLogicalKeystoreName(), - utils.TestKeystoreKmsKeyId()) + // // clientsupplier example + // clientsupplier.ClientSupplierExample( + // utils.DdbTableName(), + // utils.TestMrkReplicaKeyIdUsEast1(), + // utils.DefaultKMSKeyAccountID(), + // 
utils.AlternateRegionKmsKeyRegionAsAList()) + // // misc examples + // misc.BasicPutGetExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // misc.GetEncryptedDataKeyDescriptionExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // misc.MultiPutGetExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // branchKey1 := misc.CreateBranchKeyIDExample( + // utils.TestKeystoreName(), + // utils.TestLogicalKeystoreName(), + // utils.TestKeystoreKmsKeyId()) + // branchKey2 := misc.CreateBranchKeyIDExample( + // utils.TestKeystoreName(), + // utils.TestLogicalKeystoreName(), + // utils.TestKeystoreKmsKeyId()) + + // // keyring examples + // keyring.AwsKmsKeyringExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // keyring.RawAesExample( + // utils.DdbTableName(), + // utils.KeyNamespace(), + // utils.KeyName(), + // utils.GenerateAes256KeyBytes()) + // keyring.HierarchicalKeyringExample( + // utils.DdbTableName(), + // branchKey1, + // branchKey2, + // utils.TestKeystoreName(), + // utils.TestLogicalKeystoreName(), + // utils.TestKeystoreKmsKeyId()) + // keyring.KmsRsaKeyringExample( + // utils.DdbTableName(), + // utils.TestKmsRsaKeyID(), + // utils.DefaultRsaPublicKeyFilename()) + // keyring.RawRsaKeyringExample( + // utils.DdbTableName(), + // utils.ExampleRsaPublicKeyFilename(), + // utils.ExampleRsaPrivateKeyFilename()) + // keyring.MrkDiscoveryMultiKeyringExample( + // utils.KmsKeyID(), + // utils.DdbTableName(), + // utils.DefaultKMSKeyAccountID(), + // utils.DefaultKmsKeyRegion()) + + // // item encryptor example + // itemencryptor.ItemEncryptDecryptExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + + // // searchable encryption example + // searchableencryption.BasicSearchableEncryptionExample( + // utils.UnitInspectionTestDdbTableName(), + // branchKey1, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // searchableencryption.BeaconStylesSearchableEncryptionExample( + // 
utils.UnitInspectionTestDdbTableName(), + // branchKey1, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // searchableencryption.CompoundBeaconSearchableEncryptionExample( + // utils.UnitInspectionTestDdbTableName(), + // branchKey2, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // searchableencryption.VirtualBeaconSearchableEncryptionExample( + // utils.SimpleBeaconTestDdbTableName(), + // branchKey2, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // complexexample.ComplexSearchableEncryptionExample( + // utils.TestComplexDdbTableName(), + // branchKey1, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) - // keyring examples - keyring.AwsKmsKeyringExample( - utils.KmsKeyID(), - utils.DdbTableName()) - keyring.RawAesExample( - utils.DdbTableName(), - utils.KeyNamespace(), - utils.KeyName(), - utils.GenerateAes256KeyBytes()) - keyring.HierarchicalKeyringExample( - utils.DdbTableName(), - branchKey1, - branchKey2, - utils.TestKeystoreName(), - utils.TestLogicalKeystoreName(), - utils.TestKeystoreKmsKeyId()) - keyring.KmsRsaKeyringExample( - utils.DdbTableName(), - utils.TestKmsRsaKeyID(), - utils.DefaultRsaPublicKeyFilename()) - keyring.RawRsaKeyringExample( - utils.DdbTableName(), - utils.ExampleRsaPublicKeyFilename(), - utils.ExampleRsaPrivateKeyFilename()) - keyring.MrkDiscoveryMultiKeyringExample( - utils.KmsKeyID(), - utils.DdbTableName(), - utils.DefaultKMSKeyAccountID(), - utils.DefaultKmsKeyRegion()) + // migration examples - // item encryptor example - itemencryptor.ItemEncryptDecryptExample( - utils.KmsKeyID(), - utils.DdbTableName()) + cfg, err := config.LoadDefaultConfig(context.TODO()) + utils.HandleError(err) + ddb := dynamodb.NewFromConfig(cfg) - // searchable encryption example - searchableencryption.BasicSearchableEncryptionExample( - utils.UnitInspectionTestDdbTableName(), - branchKey1, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - 
searchableencryption.BeaconStylesSearchableEncryptionExample( - utils.UnitInspectionTestDdbTableName(), - branchKey1, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - searchableencryption.CompoundBeaconSearchableEncryptionExample( - utils.UnitInspectionTestDdbTableName(), - branchKey2, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - searchableencryption.VirtualBeaconSearchableEncryptionExample( - utils.SimpleBeaconTestDdbTableName(), - branchKey2, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - complexexample.ComplexSearchableEncryptionExample( - utils.TestComplexDdbTableName(), - branchKey1, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) + plaintext.CreateSimpleTable(ddb, utils.DdbTableName()) + // plaintext.MigrationStep0(utils.DdbTableName(), "Migration", "0") } diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go new file mode 100644 index 000000000..93e2eaa90 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go 
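Review bot: `plaintext.CreateSimpleTable(ddb, utils.DdbTableName())` at the end of the new main body runs on every invocation, and DynamoDB rejects CreateTable for a name that already exists, so the second run of the examples fails on that line and `utils.HandleError` presumably aborts the whole suite; guard it with a DescribeTable lookup (or move table creation into a one-time setup path) before calling it. The roughly ninety commented-out example calls above it are now dead text in the shipped main; if they are disabled on purpose, one line such as `// TODO(<placeholder>): temporarily disabled while the migration examples are developed` makes the intent clear, otherwise they should be deleted rather than commented. The `cfg`/`ddb` client built here is only used for the table-creation call, so it could live next to `CreateSimpleTable` instead of in main.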
@@ -0,0 +1,39 @@
+package plaintext
+
+import (
+ "context"
+
+ "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils"
+ "github.com/aws/aws-sdk-go-v2/service/dynamodb"
+ "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+)
+
+// CreateSimpleTable creates a DynamoDB table with partition_key (S) and sort_key (N)
+func CreateSimpleTable(ddbClient *dynamodb.Client, ddbTableName string) {
+ input := &dynamodb.CreateTableInput{
+ TableName: &ddbTableName,
+ KeySchema: []types.KeySchemaElement{
+ {
+ AttributeName: &[]string{"partition_key"}[0],
+ KeyType: types.KeyTypeHash,
+ },
+ {
+ AttributeName: &[]string{"sort_key"}[0],
+ KeyType: types.KeyTypeRange,
+ },
+ },
+ AttributeDefinitions: []types.AttributeDefinition{
+ {
+ AttributeName: &[]string{"partition_key"}[0],
+ AttributeType: types.ScalarAttributeTypeS,
+ },
+ {
+ AttributeName: &[]string{"sort_key"}[0],
+ AttributeType: types.ScalarAttributeTypeN,
+ },
+ },
+ }
+
+ _, err := ddbClient.CreateTable(context.TODO(), input)
+ utils.HandleError(err)
+}
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/migrationexamplestep0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/migrationexamplestep0.go
new file mode 100644
index 000000000..dbd0c8877
--- /dev/null
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/migrationexamplestep0.go
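Review bot: `CreateTable` returns as soon as the table enters the CREATING state, and nothing in the new file waits for it to become ACTIVE, so a caller that writes to the table straight after `CreateSimpleTable` returns can fail with a not-found error; after `utils.HandleError(err)` add a waiter, `err = dynamodb.NewTableExistsWaiter(ddbClient).Wait(context.TODO(), &dynamodb.DescribeTableInput{TableName: &ddbTableName}, 5*time.Minute)` followed by `utils.HandleError(err)` (this needs a `time` import). The `&[]string{"partition_key"}[0]` construction is an unusual way to take the address of a string literal; `aws.String("partition_key")` from `github.com/aws/aws-sdk-go-v2/aws` is the conventional form and is what the sibling migrationexamplestep0.go in this commit already uses. The doc comment should also say that the function does not wait for the table to be ready, or, once the waiter is added, that it blocks until the table is usable.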
@@ -0,0 +1,66 @@ +package plaintext + +import ( + "context" + "fmt" + + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/dynamodb" + "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" +) + +// MigrationStep0 demonstrates plaintext database operations before encryption migration +func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) { + // 1. Create a standard DynamoDB client (no encryption) + cfg, err := config.LoadDefaultConfig(context.TODO()) + utils.HandleError(err) + ddb := dynamodb.NewFromConfig(cfg) + + // 2. Put an example item into our DynamoDB table in plaintext + item := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, + "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + } + + putInput := &dynamodb.PutItemInput{ + TableName: aws.String(ddbTableName), + Item: item, + } + _, err = ddb.PutItem(context.TODO(), putInput) + utils.HandleError(err) + + // 3. Get an item back from the table as it was written + key := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + } + + getInput := &dynamodb.GetItemInput{ + TableName: aws.String(ddbTableName), + Key: key, + } + result, err := ddb.GetItem(context.TODO(), getInput) + utils.HandleError(err) + + // 4. 
Verify we get the expected item back + if result.Item == nil { + panic("No item found") + } + + returnedPartitionKey := result.Item["partition_key"].(*types.AttributeValueMemberS).Value + returnedAttribute1 := result.Item["attribute1"].(*types.AttributeValueMemberS).Value + + if returnedPartitionKey != partitionKeyValue { + panic(fmt.Sprintf("Expected partition key %s, got %s", partitionKeyValue, returnedPartitionKey)) + } + if returnedAttribute1 != "this will be encrypted and signed" { + panic(fmt.Sprintf("Expected attribute1 value, got %s", returnedAttribute1)) + } + + fmt.Println("MigrationStep0 completed successfully") +} From 1c3a811a20d2e2c09d71b46d2a9681bb2c6cd52c Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 31 Jul 2025 14:44:56 -0700 Subject: [PATCH 02/52] auto commit --- .../migration/PlaintextToAWSDBE/plaintext/createsimpletable.go | 1 + 1 file changed, 1 insertion(+) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go index 93e2eaa90..233cb6dd9 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go @@ -32,6 +32,7 @@ func CreateSimpleTable(ddbClient *dynamodb.Client, ddbTableName string) { AttributeType: types.ScalarAttributeTypeN, }, }, + BillingMode: "PAY_PER_REQUEST", } _, err := ddbClient.CreateTable(context.TODO(), input) From 546e4df02b0ce9cae58d4882729314b1cb3450cb Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 31 Jul 2025 15:35:14 -0700 Subject: [PATCH 03/52] auto commit --- .../awsdbe/migrationexamplestep1.go | 164 ++++++++++++++++++ 1 file changed, 164 insertions(+) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go 
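Review bot: The GetItem in step 3 uses the default eventually consistent read, so the `result.Item == nil` check in step 4 can fire spuriously immediately after the PutItem even though the write succeeded; add `ConsistentRead: aws.Bool(true),` to `getInput`, as the step-1 example later in this series does. The two type assertions `result.Item["partition_key"].(*types.AttributeValueMemberS).Value` and the attribute1 one are unchecked, so a missing attribute or a different attribute type surfaces as a bare interface-conversion panic instead of the descriptive messages the function otherwise produces; use the comma-ok form, `pk, ok := result.Item["partition_key"].(*types.AttributeValueMemberS)` and `if !ok { panic("partition_key missing or not a string attribute") }`, for both. The sort-key comparison is also skipped, so a returned item with the expected partition key but a different sort key would pass the check.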
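Review bot: `BillingMode: "PAY_PER_REQUEST",` relies on the untyped string constant converting to `types.BillingMode`; the SDK already provides the typed enum, so `BillingMode: types.BillingModePayPerRequest,` keeps the value checked against the enum and consistent with the `types.KeyTypeHash` and `types.ScalarAttributeTypeN` constants on the neighbouring lines. The body of CreateSimpleTable starts outside this hunk.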
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go new file mode 100644 index 000000000..5d0a3d41d --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go 
@@ -0,0 +1,164 @@ +package awsdbe + +import ( + // Standard imports + "context" + "reflect" + + // AWS SDK imports + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/dynamodb" + "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" + + mpl "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated" + mpltypes "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" + dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" + dbesdkstructuredencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkstructuredencryptionsmithygeneratedtypes" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" +) + +/* +Migration Step 1: This is an example demonstrating how to start using the +AWS Database Encryption SDK with a pre-existing table with plaintext items. +In this example, we configure a DynamoDb Encryption Interceptor to do the following: + - Write items only in plaintext + - Read items in plaintext or, if the item is encrypted, decrypt with our encryption configuration + +While this step configures your client to be ready to start reading encrypted items, +we do not yet expect to be reading any encrypted items, +as our client still writes plaintext items. +Before you move on to step 2, ensure that these changes have successfully been deployed +to all of your readers. + +Running this example requires access to the DDB Table whose name +is provided in CLI arguments. 
+This table must be configured with the following +primary key configuration: + - Partition key is named "partition_key" with type (S) + - Sort key is named "sort_key" with type (S) +*/ +func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { + cfg, err := config.LoadDefaultConfig(context.TODO()) + utils.HandleError(err) + + matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) + utils.HandleError(err) + + // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data. + // We will use the `CreateMrkMultiKeyring` method to create this keyring, + // as it will correctly handle both single region and Multi-Region KMS Keys. + // + // Note that while we still are not writing encrypted items, + // and our key will not be used to encrypt items in this example, + // our configuration specifies that we may read encrypted items, + // and we should expect to be able to decrypt and process any encrypted items. + // To that end, we must fully define our encryption configuration in + // this step. + keyringInput := mpltypes.CreateAwsKmsMrkMultiKeyringInput{ + Generator: &kmsKeyID, + } + kmsKeyring, err := matProv.CreateAwsKmsMrkMultiKeyring(context.Background(), keyringInput) + utils.HandleError(err) + + // 2. Configure which attributes are encrypted and/or signed when writing new items. 
+ // For each attribute that may exist on the items we plan to write to our DynamoDbTable, + // we must explicitly configure how they should be treated during item encryption: + // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature + // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature + // - DO_NOTHING: The attribute is not encrypted and not included in the signature + attributeActions := map[string]dbesdkstructuredencryptiontypes.CryptoAction{ + "partition_key": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, + "sort_key": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, + "attribute1": dbesdkstructuredencryptiontypes.CryptoActionEncryptAndSign, + "attribute2": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, + "attribute3": dbesdkstructuredencryptiontypes.CryptoActionDoNothing, + } + + // 3. Configure which attributes we expect to be excluded in the signature + // when reading items. This value represents all unsigned attributes + // across our entire dataset. If you ever want to add new unsigned attributes + // in the future, you must make an update to this field to all your readers + // before deploying any change to start writing that new data. It is not safe + // to remove attributes from this field. + unsignedAttributes := []string{"attribute3"} + + // 4. Create encryption configuration for table. + // Again, while we are not writing encrypted items, + // we should expect to be able to read encrypted items. + partitionKeyName := "partition_key" + sortKeyName := "sort_key" + // This `PlaintextOverrideForcePlaintextWriteAllowPlaintextRead` means: + // - Write: Items are forced to be written as plaintext. + // Items may not be written as encrypted items. + // - Read: Items are allowed to be read as plaintext. + // Items are allowed to be read as encrypted items. 
+ plaintextOverride := dbesdkdynamodbencryptiontypes.PlaintextOverrideForcePlaintextWriteAllowPlaintextRead + tableConfig := dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig{ + LogicalTableName: ddbTableName, + PartitionKeyName: partitionKeyName, + SortKeyName: &sortKeyName, + AttributeActionsOnEncrypt: attributeActions, + Keyring: kmsKeyring, + AllowedUnsignedAttributes: unsignedAttributes, + PlaintextOverride: &plaintextOverride, + } + + tableConfigsMap := make(map[string]dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig) + tableConfigsMap[ddbTableName] = tableConfig + + listOfTableConfigs := dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig{ + TableEncryptionConfigs: tableConfigsMap, + } + + // 5. Create DynamoDB client with dbEsdkMiddleware + dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) + utils.HandleError(err) + + ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware()) + + // 6. Put an item into your table. + // This item will be stored in plaintext. + item := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, + "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + } + + putInput := dynamodb.PutItemInput{ + TableName: &ddbTableName, + Item: item, + } + + _, err = ddb.PutItem(context.TODO(), &putInput) + utils.HandleError(err) + + // 7. Get an item back from the table using the DynamoDb Client. + // If this is an item written in plaintext (i.e. any item written + // during Step 0 or 1), then the item will still be in plaintext. + // If this is an item that was encrypted client-side (i.e. 
any item written + // during Step 2 or after), then the item will be decrypted client-side + // and surfaced as a plaintext item. + key := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + } + + getInput := &dynamodb.GetItemInput{ + TableName: aws.String(ddbTableName), + Key: key, + ConsistentRead: aws.Bool(true), + } + + result, err := ddb.GetItem(context.TODO(), getInput) + utils.HandleError(err) + + // Verify we got the expected item back + if !reflect.DeepEqual(item, result.Item) { + panic("Decrypted item does not match original item") + } +} From fc93915d229879013727083fb445a3e1ce20a7e2 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Thu, 31 Jul 2025 16:06:07 -0700 Subject: [PATCH 04/52] auto commit --- Examples/runtimes/go/main.go | 189 +++++++++++---------- Examples/runtimes/go/utils/exampleUtils.go | 35 ++++ 2 files changed, 131 insertions(+), 93 deletions(-) diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go index ba5541881..729e3d323 100644 --- a/Examples/runtimes/go/main.go +++ b/Examples/runtimes/go/main.go 
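Review bot: The header comment states the sort key has type (S), but step 6 writes `"sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}` and the table created by createsimpletable.go earlier in this series declares sort_key as N; change the comment line to `- Sort key is named "sort_key" with type (N)` so that readers who build their own table get the schema the code expects. The same comment says the table name "is provided in CLI arguments" while the function receives it as the `ddbTableName` parameter. Within the body, the keyring is created with `context.Background()` in step 1 while every other SDK call uses `context.TODO()`; pick one so a future reader does not take the difference as intentional. The final `reflect.DeepEqual(item, result.Item)` check is the right idea, but its panic message says "Decrypted item" although step 6 explicitly stores the item in plaintext; `"Returned item does not match original item"` describes what is actually checked.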
@@ -4,108 +4,111 @@ package main import ( - "context" - + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/clientsupplier" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/itemencryptor" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/keyring" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/awsdbe" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/misc" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption/complexexample" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" - "github.com/aws/aws-sdk-go-v2/config" - "github.com/aws/aws-sdk-go-v2/service/dynamodb" + "github.com/google/uuid" ) func main() { - // // clientsupplier example - // clientsupplier.ClientSupplierExample( - // utils.DdbTableName(), - // utils.TestMrkReplicaKeyIdUsEast1(), - // utils.DefaultKMSKeyAccountID(), - // utils.AlternateRegionKmsKeyRegionAsAList()) - // // misc examples - // misc.BasicPutGetExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // misc.GetEncryptedDataKeyDescriptionExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // misc.MultiPutGetExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // branchKey1 := misc.CreateBranchKeyIDExample( - // utils.TestKeystoreName(), - // utils.TestLogicalKeystoreName(), - // utils.TestKeystoreKmsKeyId()) - // branchKey2 := misc.CreateBranchKeyIDExample( - // utils.TestKeystoreName(), - // utils.TestLogicalKeystoreName(), - // utils.TestKeystoreKmsKeyId()) 
+ // clientsupplier example + clientsupplier.ClientSupplierExample( + utils.DdbTableName(), + utils.TestMrkReplicaKeyIdUsEast1(), + utils.DefaultKMSKeyAccountID(), + utils.AlternateRegionKmsKeyRegionAsAList()) + // misc examples + misc.BasicPutGetExample( + utils.KmsKeyID(), + utils.DdbTableName()) + misc.GetEncryptedDataKeyDescriptionExample( + utils.KmsKeyID(), + utils.DdbTableName()) + misc.MultiPutGetExample( + utils.KmsKeyID(), + utils.DdbTableName()) + branchKey1 := misc.CreateBranchKeyIDExample( + utils.TestKeystoreName(), + utils.TestLogicalKeystoreName(), + utils.TestKeystoreKmsKeyId()) + branchKey2 := misc.CreateBranchKeyIDExample( + utils.TestKeystoreName(), + utils.TestLogicalKeystoreName(), + utils.TestKeystoreKmsKeyId()) - // // keyring examples - // keyring.AwsKmsKeyringExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // keyring.RawAesExample( - // utils.DdbTableName(), - // utils.KeyNamespace(), - // utils.KeyName(), - // utils.GenerateAes256KeyBytes()) - // keyring.HierarchicalKeyringExample( - // utils.DdbTableName(), - // branchKey1, - // branchKey2, - // utils.TestKeystoreName(), - // utils.TestLogicalKeystoreName(), - // utils.TestKeystoreKmsKeyId()) - // keyring.KmsRsaKeyringExample( - // utils.DdbTableName(), - // utils.TestKmsRsaKeyID(), - // utils.DefaultRsaPublicKeyFilename()) - // keyring.RawRsaKeyringExample( - // utils.DdbTableName(), - // utils.ExampleRsaPublicKeyFilename(), - // utils.ExampleRsaPrivateKeyFilename()) - // keyring.MrkDiscoveryMultiKeyringExample( - // utils.KmsKeyID(), - // utils.DdbTableName(), - // utils.DefaultKMSKeyAccountID(), - // utils.DefaultKmsKeyRegion()) + // keyring examples + keyring.AwsKmsKeyringExample( + utils.KmsKeyID(), + utils.DdbTableName()) + keyring.RawAesExample( + utils.DdbTableName(), + utils.KeyNamespace(), + utils.KeyName(), + utils.GenerateAes256KeyBytes()) + keyring.HierarchicalKeyringExample( + utils.DdbTableName(), + branchKey1, + branchKey2, + utils.TestKeystoreName(), + 
utils.TestLogicalKeystoreName(), + utils.TestKeystoreKmsKeyId()) + keyring.KmsRsaKeyringExample( + utils.DdbTableName(), + utils.TestKmsRsaKeyID(), + utils.DefaultRsaPublicKeyFilename()) + keyring.RawRsaKeyringExample( + utils.DdbTableName(), + utils.ExampleRsaPublicKeyFilename(), + utils.ExampleRsaPrivateKeyFilename()) + keyring.MrkDiscoveryMultiKeyringExample( + utils.KmsKeyID(), + utils.DdbTableName(), + utils.DefaultKMSKeyAccountID(), + utils.DefaultKmsKeyRegion()) - // // item encryptor example - // itemencryptor.ItemEncryptDecryptExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) + // item encryptor example + itemencryptor.ItemEncryptDecryptExample( + utils.KmsKeyID(), + utils.DdbTableName()) - // // searchable encryption example - // searchableencryption.BasicSearchableEncryptionExample( - // utils.UnitInspectionTestDdbTableName(), - // branchKey1, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // searchableencryption.BeaconStylesSearchableEncryptionExample( - // utils.UnitInspectionTestDdbTableName(), - // branchKey1, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // searchableencryption.CompoundBeaconSearchableEncryptionExample( - // utils.UnitInspectionTestDdbTableName(), - // branchKey2, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // searchableencryption.VirtualBeaconSearchableEncryptionExample( - // utils.SimpleBeaconTestDdbTableName(), - // branchKey2, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // complexexample.ComplexSearchableEncryptionExample( - // utils.TestComplexDdbTableName(), - // branchKey1, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) + // searchable encryption example + searchableencryption.BasicSearchableEncryptionExample( + utils.UnitInspectionTestDdbTableName(), + branchKey1, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + searchableencryption.BeaconStylesSearchableEncryptionExample( + 
utils.UnitInspectionTestDdbTableName(), + branchKey1, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + searchableencryption.CompoundBeaconSearchableEncryptionExample( + utils.UnitInspectionTestDdbTableName(), + branchKey2, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + searchableencryption.VirtualBeaconSearchableEncryptionExample( + utils.SimpleBeaconTestDdbTableName(), + branchKey2, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + complexexample.ComplexSearchableEncryptionExample( + utils.TestComplexDdbTableName(), + branchKey1, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) // migration examples + partitionKeyValue := uuid.New().String() + sortKeyValue := "0" - cfg, err := config.LoadDefaultConfig(context.TODO()) - utils.HandleError(err) - ddb := dynamodb.NewFromConfig(cfg) - - plaintext.CreateSimpleTable(ddb, utils.DdbTableName()) - // plaintext.MigrationStep0(utils.DdbTableName(), "Migration", "0") + plaintext.MigrationStep0(utils.DdbTableName(), partitionKeyValue, sortKeyValue) + awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", utils.DdbTableName(), partitionKeyValue, sortKeyValue) + // utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue) } diff --git a/Examples/runtimes/go/utils/exampleUtils.go b/Examples/runtimes/go/utils/exampleUtils.go index 34b5aa47a..62c369866 100644 --- a/Examples/runtimes/go/utils/exampleUtils.go +++ b/Examples/runtimes/go/utils/exampleUtils.go @@ -4,8 +4,14 @@ package utils import ( + "context" "crypto/rand" "os" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/dynamodb" + "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" ) const ( 
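Review bot: The call `awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", ...)` hard-codes an account-specific KMS key ARN in main.go, while every other example in this file takes its key from `utils.KmsKeyID()`; anyone running the examples in a different account fails on that line, and the literal publishes the account and key identifiers in source. Replace it with `utils.KmsKeyID()` (or a dedicated `utils` accessor if a different key is intended for the migration examples). The `utils.DeleteItem(...)` cleanup is a plain call at the end of main, so a panic inside either migration step (which is how `utils.HandleError` appears to report failures, to be confirmed) leaves the generated item behind in the shared table; since `partitionKeyValue` and `sortKeyValue` are known before the steps run, `defer utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue)` placed right after they are computed would clean up on every exit path.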
@@ -137,3 +143,32 @@ func FileExists(filename string) bool {
 _, err := os.Stat(filename)
 return !os.IsNotExist(err)
 }
+
+func DeleteItem(
+ tableName string,
+ partitionKeyName string,
+ partitionKeyValue string,
+ sortKeyName string,
+ sortKeyValue string,
+) {
+ cfg, err := config.LoadDefaultConfig(context.TODO())
+ HandleError(err)
+
+ // Create DynamoDB client
+ client := dynamodb.NewFromConfig(cfg)
+ // Build the key attributes map with both partition and sort keys
+ key := map[string]types.AttributeValue{
+ partitionKeyName: &types.AttributeValueMemberS{Value: partitionKeyValue},
+ sortKeyName: &types.AttributeValueMemberN{Value: sortKeyValue},
+ }
+
+ // Create the DeleteItem input
+ input := &dynamodb.DeleteItemInput{
+ TableName: aws.String(tableName),
+ Key: key,
+ }
+
+ // Execute the DeleteItem operation
+ _, err = client.DeleteItem(context.TODO(), input)
+ HandleError(err)
+}
From db0060136f4d677ad84617e01d6694cf3582d97c Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Thu, 31 Jul 2025 16:06:12 -0700
Subject: [PATCH 05/52] auto commit
---
 Examples/runtimes/go/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go
index 729e3d323..6bbbff118 100644
--- a/Examples/runtimes/go/main.go
+++ b/Examples/runtimes/go/main.go
@@ -110,5 +110,5 @@ func main() {
 plaintext.MigrationStep0(utils.DdbTableName(), partitionKeyValue, sortKeyValue)
 awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", utils.DdbTableName(), partitionKeyValue, sortKeyValue)
- // utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue)
+ utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue)
 }
From 576086568ab278a06f06456667900b26cd651c5c Mon Sep 17 00:00:00 2001
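Review bot: `DeleteItem` is exported but carries no doc comment, and its parameter names read as a generic helper while the body always sends the partition key as `types.AttributeValueMemberS` and the sort key as `types.AttributeValueMemberN`, so a caller with a string sort key only finds out from a DynamoDB validation error at run time. Add `// DeleteItem removes the item identified by a string partition key and a numeric sort key from tableName; any AWS error is passed to HandleError.` (HandleError is defined outside this hunk, so confirm how it reports failures), or take the two key values as `types.AttributeValue` so the caller chooses the type. The function also loads a fresh AWS config and builds a new client on every call; accepting a `*dynamodb.Client` would match `plaintext.CreateSimpleTable` in this series and lets callers reuse one client.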
From: rishav-karanjit Date: Thu, 31 Jul 2025 17:00:49 -0700 Subject: [PATCH 06/52] auto commit --- .../PlaintextToAWSDBE/awsdbe/common.go | 88 +++++++++++++++++++ .../awsdbe/migrationexamplestep1.go | 83 ++--------------- 2 files changed, 96 insertions(+), 75 deletions(-) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go new file mode 100644 index 000000000..239a3f405 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go 
@@ -0,0 +1,88 @@ +package awsdbe + +import ( + "context" + + mpl "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated" + mpltypes "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" + dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" + dbesdkstructuredencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkstructuredencryptionsmithygeneratedtypes" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" +) + +func configureTable(kmsKeyID, ddbTableName string) dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig { + + // Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data. + // We will use the `CreateMrkMultiKeyring` method to create this keyring, + // as it will correctly handle both single region and Multi-Region KMS Keys. + // + // Note that while we still are not writing encrypted items, + // and our key will not be used to encrypt items in this example, + // our configuration specifies that we may read encrypted items, + // and we should expect to be able to decrypt and process any encrypted items. + // To that end, we must fully define our encryption configuration in + // this step. + + matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) + utils.HandleError(err) + + keyringInput := mpltypes.CreateAwsKmsMrkMultiKeyringInput{ + Generator: &kmsKeyID, + } + kmsKeyring, err := matProv.CreateAwsKmsMrkMultiKeyring(context.Background(), keyringInput) + utils.HandleError(err) + + // Configure which attributes are encrypted and/or signed when writing new items. 
+ // For each attribute that may exist on the items we plan to write to our DynamoDbTable, + // we must explicitly configure how they should be treated during item encryption: + // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature + // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature + // - DO_NOTHING: The attribute is not encrypted and not included in the signature + partitionKeyName := "partition_key" + sortKeyName := "sort_key" + + attributeActions := map[string]dbesdkstructuredencryptiontypes.CryptoAction{ + partitionKeyName: dbesdkstructuredencryptiontypes.CryptoActionSignOnly, + sortKeyName: dbesdkstructuredencryptiontypes.CryptoActionSignOnly, + "attribute1": dbesdkstructuredencryptiontypes.CryptoActionEncryptAndSign, + "attribute2": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, + "attribute3": dbesdkstructuredencryptiontypes.CryptoActionDoNothing, + } + + // Configure which attributes we expect to be excluded in the signature + // when reading items. This value represents all unsigned attributes + // across our entire dataset. If you ever want to add new unsigned attributes + // in the future, you must make an update to this field to all your readers + // before deploying any change to start writing that new data. It is not safe + // to remove attributes from this field. + unsignedAttributes := []string{"attribute3"} + + // Create encryption configuration for table. + // Again, while we are not writing encrypted items, + // we should expect to be able to read encrypted items. + + // This `PlaintextOverrideForcePlaintextWriteAllowPlaintextRead` means: + // - Write: Items are forced to be written as plaintext. + // Items may not be written as encrypted items. + // - Read: Items are allowed to be read as plaintext. + // Items are allowed to be read as encrypted items. 
+ plaintextOverride := dbesdkdynamodbencryptiontypes.PlaintextOverrideForcePlaintextWriteAllowPlaintextRead + tableConfig := dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig{ + LogicalTableName: ddbTableName, + PartitionKeyName: partitionKeyName, + SortKeyName: &sortKeyName, + AttributeActionsOnEncrypt: attributeActions, + Keyring: kmsKeyring, + AllowedUnsignedAttributes: unsignedAttributes, + PlaintextOverride: &plaintextOverride, + } + + tableConfigsMap := make(map[string]dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig) + tableConfigsMap[ddbTableName] = tableConfig + + listOfTableConfigs := dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig{ + TableEncryptionConfigs: tableConfigsMap, + } + + return listOfTableConfigs +} diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go index 5d0a3d41d..98e59bb4b 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go 
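Review bot: `configureTable` sets `LogicalTableName: ddbTableName` with no caveat that the logical name is part of what encrypted items are bound to, so it must stay fixed for the life of the data even if the physical table is later restored under a different name; binding it to the physical name is fine for an example, but a migrating reader should be told not to change it afterwards. Suggested comment above that field: `// LogicalTableName is bound into each encrypted item and must never change once encrypted data exists, even if the physical table is renamed or restored.`. I am stating that binding from memory of the DB-ESDK design rather than from this hunk, so please confirm the wording against the spec before adopting it.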
@@ -12,10 +12,6 @@ import ( "github.com/aws/aws-sdk-go-v2/service/dynamodb" "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" - mpl "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated" - mpltypes "github.com/aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" - dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" - dbesdkstructuredencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkstructuredencryptionsmithygeneratedtypes" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" ) 
@@ -44,82 +40,18 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) - matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) - utils.HandleError(err) - - // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data. - // We will use the `CreateMrkMultiKeyring` method to create this keyring, - // as it will correctly handle both single region and Multi-Region KMS Keys. - // - // Note that while we still are not writing encrypted items, - // and our key will not be used to encrypt items in this example, - // our configuration specifies that we may read encrypted items, - // and we should expect to be able to decrypt and process any encrypted items. - // To that end, we must fully define our encryption configuration in - // this step. - keyringInput := mpltypes.CreateAwsKmsMrkMultiKeyringInput{ - Generator: &kmsKeyID, - } - kmsKeyring, err := matProv.CreateAwsKmsMrkMultiKeyring(context.Background(), keyringInput) - utils.HandleError(err) - - // 2. Configure which attributes are encrypted and/or signed when writing new items. 
- // For each attribute that may exist on the items we plan to write to our DynamoDbTable, - // we must explicitly configure how they should be treated during item encryption: - // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature - // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature - // - DO_NOTHING: The attribute is not encrypted and not included in the signature - attributeActions := map[string]dbesdkstructuredencryptiontypes.CryptoAction{ - "partition_key": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, - "sort_key": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, - "attribute1": dbesdkstructuredencryptiontypes.CryptoActionEncryptAndSign, - "attribute2": dbesdkstructuredencryptiontypes.CryptoActionSignOnly, - "attribute3": dbesdkstructuredencryptiontypes.CryptoActionDoNothing, - } + // 1. Configure your Keyring, attribute actions, + // allowedUnsignedAttributes, and encryption configuration for table. + // This is common across all the steps. + listOfTableConfigs := configureTable(kmsKeyID, ddbTableName) - // 3. Configure which attributes we expect to be excluded in the signature - // when reading items. This value represents all unsigned attributes - // across our entire dataset. If you ever want to add new unsigned attributes - // in the future, you must make an update to this field to all your readers - // before deploying any change to start writing that new data. It is not safe - // to remove attributes from this field. - unsignedAttributes := []string{"attribute3"} - - // 4. Create encryption configuration for table. - // Again, while we are not writing encrypted items, - // we should expect to be able to read encrypted items. - partitionKeyName := "partition_key" - sortKeyName := "sort_key" - // This `PlaintextOverrideForcePlaintextWriteAllowPlaintextRead` means: - // - Write: Items are forced to be written as plaintext. - // Items may not be written as encrypted items. 
- // - Read: Items are allowed to be read as plaintext. - // Items are allowed to be read as encrypted items. - plaintextOverride := dbesdkdynamodbencryptiontypes.PlaintextOverrideForcePlaintextWriteAllowPlaintextRead - tableConfig := dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig{ - LogicalTableName: ddbTableName, - PartitionKeyName: partitionKeyName, - SortKeyName: &sortKeyName, - AttributeActionsOnEncrypt: attributeActions, - Keyring: kmsKeyring, - AllowedUnsignedAttributes: unsignedAttributes, - PlaintextOverride: &plaintextOverride, - } - - tableConfigsMap := make(map[string]dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig) - tableConfigsMap[ddbTableName] = tableConfig - - listOfTableConfigs := dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig{ - TableEncryptionConfigs: tableConfigsMap, - } - - // 5. Create DynamoDB client with dbEsdkMiddleware + // 2. Create DynamoDB client with dbEsdkMiddleware dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) utils.HandleError(err) ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware()) - // 6. Put an item into your table. + // 3. Put an item into your table. // This item will be stored in plaintext. item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, @@ -137,7 +69,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri _, err = ddb.PutItem(context.TODO(), &putInput) utils.HandleError(err) - // 7. Get an item back from the table using the DynamoDb Client. + // 4. Get an item back from the table using the DynamoDb Client. // If this is an item written in plaintext (i.e. any item written // during Step 0 or 1), then the item will still be in plaintext. // If this is an item that was encrypted client-side (i.e. any item written 
@@ -161,4 +93,5 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri if !reflect.DeepEqual(item, result.Item) { panic("Decrypted item does not match original item") } + } From a369dcb1363c71c99508022255f288a2cb7878cf Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 10:11:51 -0700 Subject: [PATCH 07/52] auto commit --- .../go/migration/PlaintextToAWSDBE/awsdbe/common.go | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go index 239a3f405..6cca7fb2f 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go @@ -10,7 +10,7 @@ import ( "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" ) -func configureTable(kmsKeyID, ddbTableName string) dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig { +func configureTable(kmsKeyID, ddbTableName string, plaintextOverride dbesdkdynamodbencryptiontypes.PlaintextOverride) dbesdkdynamodbencryptiontypes.DynamoDbTablesEncryptionConfig { // Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data. // We will use the `CreateMrkMultiKeyring` method to create this keyring, 
@@ -61,12 +61,6 @@ func configureTable(kmsKeyID, ddbTableName string) dbesdkdynamodbencryptiontypes // Again, while we are not writing encrypted items, // we should expect to be able to read encrypted items. - // This `PlaintextOverrideForcePlaintextWriteAllowPlaintextRead` means: - // - Write: Items are forced to be written as plaintext. - // Items may not be written as encrypted items. - // - Read: Items are allowed to be read as plaintext. - // Items are allowed to be read as encrypted items. - plaintextOverride := dbesdkdynamodbencryptiontypes.PlaintextOverrideForcePlaintextWriteAllowPlaintextRead tableConfig := dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig{ LogicalTableName: ddbTableName, PartitionKeyName: partitionKeyName, From 38befdda1e5a56c82d48f2089641af22672eedc0 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 10:14:55 -0700 Subject: [PATCH 08/52] auto commit --- .../go/migration/PlaintextToAWSDBE/awsdbe/common.go | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go index 6cca7fb2f..03130b79f 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go 
@@ -15,13 +15,6 @@ func configureTable(kmsKeyID, ddbTableName string, plaintextOverride dbesdkdynam // Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data. // We will use the `CreateMrkMultiKeyring` method to create this keyring, // as it will correctly handle both single region and Multi-Region KMS Keys. - // - // Note that while we still are not writing encrypted items, - // and our key will not be used to encrypt items in this example, - // our configuration specifies that we may read encrypted items, - // and we should expect to be able to decrypt and process any encrypted items. - // To that end, we must fully define our encryption configuration in - // this step. matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) utils.HandleError(err) @@ -58,9 +51,6 @@ func configureTable(kmsKeyID, ddbTableName string, plaintextOverride dbesdkdynam unsignedAttributes := []string{"attribute3"} // Create encryption configuration for table. - // Again, while we are not writing encrypted items, - // we should expect to be able to read encrypted items. - tableConfig := dbesdkdynamodbencryptiontypes.DynamoDbTableEncryptionConfig{ LogicalTableName: ddbTableName, PartitionKeyName: partitionKeyName, From 681dcb044405a00f60e8b677bfac50cdc5194353 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 10:15:04 -0700 Subject: [PATCH 09/52] auto commit --- .../awsdbe/migrationexamplestep1.go | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go index 98e59bb4b..7d39d17c0 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go 
@@ -1,12 +1,9 @@ package awsdbe import ( - // Standard imports "context" "reflect" - // AWS SDK imports - "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/dynamodb" @@ -14,6 +11,8 @@ import ( "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" + + dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" ) /* @@ -43,7 +42,20 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // 1. Configure your Keyring, attribute actions, // allowedUnsignedAttributes, and encryption configuration for table. // This is common across all the steps. - listOfTableConfigs := configureTable(kmsKeyID, ddbTableName) + + // Note that while we still are not writing encrypted items, + // and our key will not be used to encrypt items in this example, + // our configuration specifies that we may read encrypted items, + // and we should expect to be able to decrypt and process any encrypted items. + // To that end, we must fully define our encryption configuration in + // this step. + + // This `PlaintextOverrideForcePlaintextWriteAllowPlaintextRead` means: + // - Write: Items are forced to be written as plaintext. + // Items may not be written as encrypted items. + // - Read: Items are allowed to be read as plaintext. + // Items are allowed to be read as encrypted items. + listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForcePlaintextWriteAllowPlaintextRead) // 2. Create DynamoDB client with dbEsdkMiddleware dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) From 11cc9800a262b7e5f9d8fab9f55c5aeef03f3f56 Mon Sep 17 00:00:00 2001 
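Review bot: The new comment says the key "will not be used to encrypt items" in this step, but a reader deployed with this configuration will call KMS Decrypt the moment an encrypted item from Step 2 appears, so the principal running Step 1 already needs `kms:Decrypt` on the key (and the MRK multi keyring here is built from the one generator key only). Missing that permission is the usual way a Step 1 to Step 2 rollout breaks, and it deserves a sentence next to the override comment, e.g. `// Readers deployed with this config must already hold kms:Decrypt on the key: items written in Step 2 are encrypted and will be decrypted here.`. `MigrationStep1` continues past the end of this hunk.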
From: rishav-karanjit Date: Fri, 1 Aug 2025 10:19:09 -0700 Subject: [PATCH 10/52] auto commit --- .../awsdbe/migrationexamplestep2.go | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go new file mode 100644 index 000000000..0149e5fd1 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go 
@@ -0,0 +1,106 @@ +package awsdbe + +import ( + // Standard imports + "context" + "reflect" + + // AWS SDK imports + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/dynamodb" + "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" + + dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" +) + +/* +Migration Step 2: This is an example demonstrating how to update your configuration +to start writing encrypted items, but still continue to read any plaintext or +encrypted items. + +Once you deploy this change to your system, you will have a dataset +containing both encrypted and plaintext items. +Because the changes in Step 1 have been deployed to all our readers, +we can be sure that our entire system is ready to read this new data. + +Before you move onto the next step, you will need to encrypt all plaintext items in your dataset. +How you will want to do this depends on your system. + +Running this example requires access to the DDB Table whose name +is provided in CLI arguments. +This table must be configured with the following +primary key configuration: + - Partition key is named "partition_key" with type (S) + - Sort key is named "sort_key" with type (S) +*/ +func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { + cfg, err := config.LoadDefaultConfig(context.TODO()) + utils.HandleError(err) + + // 1. Configure your Keyring, attribute actions, + // allowedUnsignedAttributes, and encryption configuration for table. + // This is common across all the steps. 
+ + // When creating encryption configuration for your table, + // you must use the plaintext override `FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ`. + // This plaintext override means: + // - Write: Items are forbidden to be written as plaintext. + // Items will be written as encrypted items. + // - Read: Items are allowed to be read as plaintext. + // Items are allowed to be read as encrypted items. + + listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteAllowPlaintextRead) + + // 5. Create DynamoDB client with dbEsdkMiddleware + dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) + utils.HandleError(err) + + ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware()) + + // 6. Put an item into your table. + // This item will be encrypted. + item := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, + "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + } + + putInput := dynamodb.PutItemInput{ + TableName: &ddbTableName, + Item: item, + } + + _, err = ddb.PutItem(context.TODO(), &putInput) + utils.HandleError(err) + + // 7. Get an item back from the table. + // If this is an item written in plaintext (i.e. any item written + // during Step 0 or 1), then the item will still be in plaintext. + // If this is an item that was encrypted client-side (i.e. any item written + // during Step 2 or after), then the DDB enhanced client will decrypt the + // item client-sid and surface it in our code as a plaintext item. 
+ key := map[string]types.AttributeValue{
+ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
+ "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue},
+ }
+
+ getInput := &dynamodb.GetItemInput{
+ TableName: aws.String(ddbTableName),
+ Key: key,
+ ConsistentRead: aws.Bool(true),
+ }
+
+ result, err := ddb.GetItem(context.TODO(), getInput)
+ utils.HandleError(err)
+
+ // Demonstrate we get the expected item back
+ if !reflect.DeepEqual(item, result.Item) {
+ panic("Decrypted item does not match original item")
+ }
+}
From 28394e8f4b48156bf0d4c7ea262be685137185fc Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Fri, 1 Aug 2025 10:20:04 -0700
Subject: [PATCH 11/52] auto commit
---
 Examples/runtimes/go/main.go | 173 +++++++++++++++++------------------
 1 file changed, 84 insertions(+), 89 deletions(-)
diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go
index 6bbbff118..aaa8498a6 100644
--- a/Examples/runtimes/go/main.go
+++ b/Examples/runtimes/go/main.go
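Review bot: The doc comment on `MigrationStep2` states the table prerequisite as `Sort key is named "sort_key" with type (S)`, but both the `item` and `key` maps write `sort_key` as `AttributeValueMemberN`, so the documented schema contradicts the code; either the comment should read `- Sort key is named "sort_key" with type (N)` or the literals should become `AttributeValueMemberS`, whichever matches `createsimpletable.go` (not in this chunk). The step comments also jump from `// 1.` to `// 5.`, `// 6.`, `// 7.` now that configuration lives in `configureTable`, and the Get comment refers to the "DDB enhanced client" and "client-sid", which look carried over from the Java example; `// 2.`, `// 3.`, `// 4.` and "the DB-ESDK middleware will decrypt the item client-side" fit the Go code.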
@@ -4,105 +4,99 @@ package main import ( - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/clientsupplier" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/itemencryptor" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/keyring" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/awsdbe" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/misc" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption/complexexample" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" "github.com/google/uuid" ) func main() { - // clientsupplier example - clientsupplier.ClientSupplierExample( - utils.DdbTableName(), - utils.TestMrkReplicaKeyIdUsEast1(), - utils.DefaultKMSKeyAccountID(), - utils.AlternateRegionKmsKeyRegionAsAList()) - // misc examples - misc.BasicPutGetExample( - utils.KmsKeyID(), - utils.DdbTableName()) - misc.GetEncryptedDataKeyDescriptionExample( - utils.KmsKeyID(), - utils.DdbTableName()) - misc.MultiPutGetExample( - utils.KmsKeyID(), - utils.DdbTableName()) - branchKey1 := misc.CreateBranchKeyIDExample( - utils.TestKeystoreName(), - utils.TestLogicalKeystoreName(), - utils.TestKeystoreKmsKeyId()) - branchKey2 := misc.CreateBranchKeyIDExample( - utils.TestKeystoreName(), - utils.TestLogicalKeystoreName(), - utils.TestKeystoreKmsKeyId()) + // // clientsupplier example + // clientsupplier.ClientSupplierExample( + // utils.DdbTableName(), + // utils.TestMrkReplicaKeyIdUsEast1(), + // utils.DefaultKMSKeyAccountID(), + 
// utils.AlternateRegionKmsKeyRegionAsAList()) + // // misc examples + // misc.BasicPutGetExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // misc.GetEncryptedDataKeyDescriptionExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // misc.MultiPutGetExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // branchKey1 := misc.CreateBranchKeyIDExample( + // utils.TestKeystoreName(), + // utils.TestLogicalKeystoreName(), + // utils.TestKeystoreKmsKeyId()) + // branchKey2 := misc.CreateBranchKeyIDExample( + // utils.TestKeystoreName(), + // utils.TestLogicalKeystoreName(), + // utils.TestKeystoreKmsKeyId()) - // keyring examples - keyring.AwsKmsKeyringExample( - utils.KmsKeyID(), - utils.DdbTableName()) - keyring.RawAesExample( - utils.DdbTableName(), - utils.KeyNamespace(), - utils.KeyName(), - utils.GenerateAes256KeyBytes()) - keyring.HierarchicalKeyringExample( - utils.DdbTableName(), - branchKey1, - branchKey2, - utils.TestKeystoreName(), - utils.TestLogicalKeystoreName(), - utils.TestKeystoreKmsKeyId()) - keyring.KmsRsaKeyringExample( - utils.DdbTableName(), - utils.TestKmsRsaKeyID(), - utils.DefaultRsaPublicKeyFilename()) - keyring.RawRsaKeyringExample( - utils.DdbTableName(), - utils.ExampleRsaPublicKeyFilename(), - utils.ExampleRsaPrivateKeyFilename()) - keyring.MrkDiscoveryMultiKeyringExample( - utils.KmsKeyID(), - utils.DdbTableName(), - utils.DefaultKMSKeyAccountID(), - utils.DefaultKmsKeyRegion()) + // // keyring examples + // keyring.AwsKmsKeyringExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) + // keyring.RawAesExample( + // utils.DdbTableName(), + // utils.KeyNamespace(), + // utils.KeyName(), + // utils.GenerateAes256KeyBytes()) + // keyring.HierarchicalKeyringExample( + // utils.DdbTableName(), + // branchKey1, + // branchKey2, + // utils.TestKeystoreName(), + // utils.TestLogicalKeystoreName(), + // utils.TestKeystoreKmsKeyId()) + // keyring.KmsRsaKeyringExample( + // utils.DdbTableName(), + // 
utils.TestKmsRsaKeyID(), + // utils.DefaultRsaPublicKeyFilename()) + // keyring.RawRsaKeyringExample( + // utils.DdbTableName(), + // utils.ExampleRsaPublicKeyFilename(), + // utils.ExampleRsaPrivateKeyFilename()) + // keyring.MrkDiscoveryMultiKeyringExample( + // utils.KmsKeyID(), + // utils.DdbTableName(), + // utils.DefaultKMSKeyAccountID(), + // utils.DefaultKmsKeyRegion()) - // item encryptor example - itemencryptor.ItemEncryptDecryptExample( - utils.KmsKeyID(), - utils.DdbTableName()) + // // item encryptor example + // itemencryptor.ItemEncryptDecryptExample( + // utils.KmsKeyID(), + // utils.DdbTableName()) - // searchable encryption example - searchableencryption.BasicSearchableEncryptionExample( - utils.UnitInspectionTestDdbTableName(), - branchKey1, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - searchableencryption.BeaconStylesSearchableEncryptionExample( - utils.UnitInspectionTestDdbTableName(), - branchKey1, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - searchableencryption.CompoundBeaconSearchableEncryptionExample( - utils.UnitInspectionTestDdbTableName(), - branchKey2, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - searchableencryption.VirtualBeaconSearchableEncryptionExample( - utils.SimpleBeaconTestDdbTableName(), - branchKey2, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) - complexexample.ComplexSearchableEncryptionExample( - utils.TestComplexDdbTableName(), - branchKey1, - utils.TestKeystoreKmsKeyId(), - utils.TestKeystoreName()) + // // searchable encryption example + // searchableencryption.BasicSearchableEncryptionExample( + // utils.UnitInspectionTestDdbTableName(), + // branchKey1, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // searchableencryption.BeaconStylesSearchableEncryptionExample( + // utils.UnitInspectionTestDdbTableName(), + // branchKey1, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // 
searchableencryption.CompoundBeaconSearchableEncryptionExample( + // utils.UnitInspectionTestDdbTableName(), + // branchKey2, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // searchableencryption.VirtualBeaconSearchableEncryptionExample( + // utils.SimpleBeaconTestDdbTableName(), + // branchKey2, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) + // complexexample.ComplexSearchableEncryptionExample( + // utils.TestComplexDdbTableName(), + // branchKey1, + // utils.TestKeystoreKmsKeyId(), + // utils.TestKeystoreName()) // migration examples partitionKeyValue := uuid.New().String() @@ -110,5 +104,6 @@ func main() { plaintext.MigrationStep0(utils.DdbTableName(), partitionKeyValue, sortKeyValue) awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", utils.DdbTableName(), partitionKeyValue, sortKeyValue) + awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", utils.DdbTableName(), partitionKeyValue, sortKeyValue) utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue) } From 7d507eb2fcb925b748b59394d5db6ca358eea456 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 10:48:38 -0700 Subject: [PATCH 12/52] auto commit --- .../PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go | 3 ++- .../PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go index 7d39d17c0..6d15c72b1 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go @@ -2,6 +2,7 @@ package awsdbe import ( "context" + "fmt" "reflect" "github.com/aws/aws-sdk-go-v2/aws" 
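Review bot: Every non-migration example in `main` is commented out rather than left runnable, so the CI "Run Examples" step now exercises only the migration calls and the clientsupplier, keyring, item-encryptor and searchable-encryption examples lose their end-to-end run. If this is a temporary narrowing while iterating on the migration examples it should be restored before merge; otherwise the commented-out code should be deleted and the migration examples given their own entry point rather than displacing the existing ones.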
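Review bot: The added line calls `awsdbe.MigrationStep1` a second time with identical arguments, while `awsdbe.MigrationStep2`, introduced in the previous patch of this series, is never invoked, so `go run main.go` never exercises the encrypted-write path. The line should be `awsdbe.MigrationStep2(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue)`. Both calls also embed a literal account-specific key ARN (`arn:aws:kms:us-west-2:992382771485:key/...`); if that is the key `utils.KmsKeyID()` already resolves, using the accessor keeps the account ID out of the examples and lets anyone else run them.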
@@ -105,5 +106,5 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri if !reflect.DeepEqual(item, result.Item) { panic("Decrypted item does not match original item") } - + fmt.Println("MigrationStep1 completed successfully") } diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go index 0149e5fd1..c528dfabe 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go @@ -3,6 +3,7 @@ package awsdbe import ( // Standard imports "context" + "fmt" "reflect" // AWS SDK imports @@ -103,4 +104,5 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri if !reflect.DeepEqual(item, result.Item) { panic("Decrypted item does not match original item") } + fmt.Println("MigrationStep2 completed successfully") } From 26701571c1e7c94301dfa6383430a660f4c37d24 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 11:35:44 -0700 Subject: [PATCH 13/52] auto commit --- .github/workflows/ci_test_go.yml | 8 ++++- .../awsdbe/migrationexamplestep1_test.go | 35 +++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1_test.go diff --git a/.github/workflows/ci_test_go.yml b/.github/workflows/ci_test_go.yml index 78b3b8abe..dd1b89a46 100644 --- a/.github/workflows/ci_test_go.yml +++ b/.github/workflows/ci_test_go.yml @@ -140,8 +140,14 @@ jobs: run: | make test_go - - name: Test Examples + - name: Run Examples (this panics when on error) if: matrix.library == 'DynamoDbEncryption' working-directory: ./Examples/runtimes/go run: | go run main.go + + - name: Test Examples + if: matrix.library == 'DynamoDbEncryption' + working-directory: ./Examples/runtimes/go + run: | + go test ./... 
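Review bot: The renamed step in ci_test_go.yml reads `Run Examples (this panics when on error)`, which is ungrammatical; `- name: Run Examples (panics on error)` says the same thing. The new `Test Examples` step runs `go test ./...` against the same live table the examples use, so consider `go test -v ./...` so that CI logs show which example test was executing when a panic or hang occurs.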
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1_test.go new file mode 100644 index 000000000..13140d213 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1_test.go @@ -0,0 +1,35 @@ +package awsdbe + +import ( + "testing" + + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" + "github.com/google/uuid" +) + +func TestMigrationStep1(t *testing.T) { + kmsKeyID := utils.KmsKeyID() + tableName := utils.DdbTableName() + partitionKey := uuid.New().String() + sortKeys := []string{"0", "1", "2"} + + // Successfully executes Step 1 + MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + + // Given: Step 0 has succeeded + plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + // When: Execute Step 1 with sortReadValue=0, Then: Success (i.e. can read plaintext values) + MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[0]) + + // Given: Step 2 has succeeded + MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + // When: Execute Step 1 with sortReadValue=2, Then: Success (i.e. can read encrypted values) + MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[2]) + + // Cleanup + for _, sortKey := range sortKeys { + utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey) + } + +} From 654dceb6f5cd42a0cd2ba5bccf5377c1a9971a1b Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 11:35:59 -0700 Subject: [PATCH 14/52] auto commit --- Examples/runtimes/go/main.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go index aaa8498a6..4b4bfd235 100644 
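Review bot: The cleanup loop at the end of TestMigrationStep1 only runs if every preceding call returns normally; at this commit each step panics on failure, so a failing step leaves the items for `partitionKey` behind in the shared table. Register the loop with `t.Cleanup(func() { ... })` immediately after `sortKeys` is defined so the three `utils.DeleteItem` calls run regardless of how the test ends. The test also takes `t` but never uses it, so a failure surfaces as a panic rather than a test failure with a name. The same applies to TestMigrationStep2 in migrationexamplestep2_test.go and TestMigrationStep3 in migrationexamplestep3_test.go later in this series.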
--- a/Examples/runtimes/go/main.go +++ b/Examples/runtimes/go/main.go @@ -103,7 +103,7 @@ func main() { sortKeyValue := "0" plaintext.MigrationStep0(utils.DdbTableName(), partitionKeyValue, sortKeyValue) - awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", utils.DdbTableName(), partitionKeyValue, sortKeyValue) - awsdbe.MigrationStep1("arn:aws:kms:us-west-2:992382771485:key/ad1d7ff3-79f3-40f4-b31d-7be4d9c8b3ca", utils.DdbTableName(), partitionKeyValue, sortKeyValue) + awsdbe.MigrationStep1(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) + awsdbe.MigrationStep2(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue) } From d5e36b8a584b703404f28fdefca37d3a7af9e89c Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 11:40:30 -0700 Subject: [PATCH 15/52] auto commit --- .../awsdbe/migrationexamplestep2.go | 4 +-- .../awsdbe/migrationexamplestep2_test.go | 34 +++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2_test.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go index c528dfabe..44b98be5d 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go 
@@ -50,9 +50,9 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // you must use the plaintext override `FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ`. // This plaintext override means: // - Write: Items are forbidden to be written as plaintext. - // Items will be written as encrypted items. + // Items will be written as encrypted items. // - Read: Items are allowed to be read as plaintext. - // Items are allowed to be read as encrypted items. + // Items are allowed to be read as encrypted items. listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteAllowPlaintextRead) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2_test.go new file mode 100644 index 000000000..c488992c1 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2_test.go 
@@ -0,0 +1,34 @@ +package awsdbe + +import ( + "testing" + + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" + "github.com/google/uuid" +) + +func TestMigrationStep2(t *testing.T) { + kmsKeyID := utils.KmsKeyID() + tableName := utils.DdbTableName() + partitionKey := uuid.New().String() + sortKeys := []string{"0", "1", "2"} + + // Successfully executes Step 2 + MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + + // Given: Step 0 has succeeded + plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + // When: Execute Step 2 with sortReadValue=0, Then: Success (i.e. can read plaintext values) + MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[0]) + + // Given: Step 1 has succeeded + MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + // When: Execute Step 2 with sortReadValue=1, Then: Success (i.e. can read encrypted values) + MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[1]) + + // Cleanup + for _, sortKey := range sortKeys { + utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey) + } +} From 46c116b2cf7f40db0771c4063fb439d4c47b6a45 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 11:46:16 -0700 Subject: [PATCH 16/52] auto commit --- .../awsdbe/migrationexamplestep3.go | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go new file mode 100644 index 000000000..a41faa3d1 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go 
@@ -0,0 +1,100 @@ +package awsdbe + +import ( + // Standard imports + "context" + "fmt" + "reflect" + + // AWS SDK imports + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/dynamodb" + "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" + + dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" +) + +/* +Migration Step 3: This is an example demonstrating how to update your configuration +to stop accepting reading plaintext items. + +Once you complete Step 3, all items being read by your system are encrypted. + +Before you move onto this step, you will need to encrypt all plaintext items in your dataset. +How you will want to do this depends on your system. + +Running this example requires access to the DDB Table whose name +is provided in CLI arguments. +This table must be configured with the following +primary key configuration: + - Partition key is named "partition_key" with type (S) + - Sort key is named "sort_key" with type (S) +*/ +func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { + cfg, err := config.LoadDefaultConfig(context.TODO()) + utils.HandleError(err) + + // 1. Configure your Keyring, attribute actions, + // allowedUnsignedAttributes, and encryption configuration for table. + // This is common across all the steps. + + // When creating encryption configuration for your table, + // you must use the plaintext override `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`. 
+ // This plaintext override means: + + listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead) + + // 5. Create DynamoDB client with dbEsdkMiddleware + dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) + utils.HandleError(err) + + ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware()) + + // 6. Put an item into your table. + // This item will be encrypted. + item := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, + "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + } + + putInput := dynamodb.PutItemInput{ + TableName: &ddbTableName, + Item: item, + } + + _, err = ddb.PutItem(context.TODO(), &putInput) + utils.HandleError(err) + + // 7. Get an item back from the table. + // If this is an item written in plaintext (i.e. any item written + // during Step 0 or 1), then the item will still be in plaintext. + // If this is an item that was encrypted client-side (i.e. any item written + // during Step 2 or after), then the DDB enhanced client will decrypt the + // item client-sid and surface it in our code as a plaintext item. 
+ key := map[string]types.AttributeValue{ + "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + } + + getInput := &dynamodb.GetItemInput{ + TableName: aws.String(ddbTableName), + Key: key, + ConsistentRead: aws.Bool(true), + } + + result, err := ddb.GetItem(context.TODO(), getInput) + utils.HandleError(err) + + // Demonstrate we get the expected item back + if !reflect.DeepEqual(item, result.Item) { + panic("Decrypted item does not match original item") + } + fmt.Println("MigrationStep2 completed successfully") +} From e1e4664ba99fcc0c50035648674836aa91223d61 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 11:46:19 -0700 Subject: [PATCH 17/52] auto commit --- .../migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go index 44b98be5d..0a2403335 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go @@ -47,7 +47,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // This is common across all the steps. // When creating encryption configuration for your table, - // you must use the plaintext override `FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ`. + // you must use the plaintext override `PlaintextOverrideForbidPlaintextWriteAllowPlaintextRead`. // This plaintext override means: // - Write: Items are forbidden to be written as plaintext. // Items will be written as encrypted items. From 14fdbc40c0d61418018172fc5e0b6614d9f61e28 Mon Sep 17 00:00:00 2001 
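Review bot: The comment above the GetItem call in MigrationStep3 says a plaintext item "will still be in plaintext" when read back, but this function configures `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`, under which reading a plaintext item is rejected rather than surfaced; the comment was copied from step 2 and should instead say that GetItem returns an error for any item that was written in plaintext and that only client-side-encrypted items are returned. The file's doc block states the sort key has type (S), while both `item` and `key` build `sort_key` as `&types.AttributeValueMemberN{...}`; one of the two should change so the documented table schema matches the code. Minor: `client-sid` should read `client-side`, and the step numbering jumps from 1 to 5.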
From: rishav-karanjit Date: Fri, 1 Aug 2025 15:32:30 -0700 Subject: [PATCH 18/52] auto commit --- Examples/runtimes/go/main.go | 1 + .../PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go index 4b4bfd235..d36e65b38 100644 --- a/Examples/runtimes/go/main.go +++ b/Examples/runtimes/go/main.go @@ -105,5 +105,6 @@ func main() { plaintext.MigrationStep0(utils.DdbTableName(), partitionKeyValue, sortKeyValue) awsdbe.MigrationStep1(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) awsdbe.MigrationStep2(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) + awsdbe.MigrationStep3(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue) } diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go index a41faa3d1..b8444ae61 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go 
@@ -44,7 +44,14 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // When creating encryption configuration for your table, // you must use the plaintext override `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`. + // If you do not specify `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead` + // plaintext override defaults to `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`, + // which is the desired behavior for a client interacting with a fully encrypted database. // This plaintext override means: + // - Write: Items are forbidden to be written as plaintext. + // Items will be written as encrypted items. + // - Read: Items are forbidden to be read as plaintext. + // Items will be read as encrypted items. listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead) @@ -96,5 +103,5 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri if !reflect.DeepEqual(item, result.Item) { panic("Decrypted item does not match original item") } - fmt.Println("MigrationStep2 completed successfully") + fmt.Println("MigrationStep3 completed successfully") } From 02a895f409429705392a3b473608fe5ff1d6e29a Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 16:31:05 -0700 Subject: [PATCH 19/52] auto commit --- .../awsdbe/migrationexamplestep1.go | 29 +++++++--- .../awsdbe/migrationexamplestep2.go | 31 +++++++--- .../awsdbe/migrationexamplestep3.go | 31 +++++++--- .../awsdbe/migrationexamplestep3_test.go | 58 +++++++++++++++++++ 4 files changed, 123 insertions(+), 26 deletions(-) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go index 6d15c72b1..e5df7e412 100644 
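Review bot: The added sentence in the `@@ -44,7 +44,14 @@` hunk is circular: it says that if you do not specify `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`, the override defaults to `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`. It presumably meant that the override defaults to that value when no plaintext override is specified at all; `// If you do not specify a plaintext override, it defaults to PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead,` would say that. Since this default is what makes a fully migrated client fail closed, it is worth stating precisely. MigrationStep3's body continues outside the hunk.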
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go @@ -3,7 +3,6 @@ package awsdbe import ( "context" "fmt" - "reflect" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" @@ -36,7 +35,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { +func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error { cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -66,10 +65,11 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // 3. Put an item into your table. // This item will be stored in plaintext. + encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, - "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "sort_key": &types.AttributeValueMemberN{Value: "1"}, + "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, } 
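Review bot: MigrationStep1 now returns an `error` and takes `sortKeyReadValue`, but the doc block directly above the signature is unchanged, and this patch's diffstat does not touch main.go, whose `awsdbe.MigrationStep1(...)` call therefore discards the new return value without any compiler complaint. The doc block should describe that the item is always written with sort key "1" while `sortKeyReadValue` selects which item is read back, and that PutItem/GetItem failures are returned rather than handled; callers such as main should become `utils.HandleError(awsdbe.MigrationStep1(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue))`. The same applies to MigrationStep2 and MigrationStep3 in the later hunks of this patch.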
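Review bot: In the `@@ -66,10 +65,11 @@` hunk the written item's `sort_key` is now the constant "1", so the item persisted by MigrationStep1 no longer matches the key a caller would later delete with its own sort key value; main.go as visible earlier in this series deletes only `sortKeyValue`, so the "1" item (and "2"/"3" from steps 2 and 3) would be left in the table after each run. Either document the fixed sort key in the function comment and update callers' cleanup, or keep writing to the caller-supplied value. The function's body continues past the end of this hunk.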
@@ -80,7 +80,12 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri } _, err = ddb.PutItem(context.TODO(), &putInput) - utils.HandleError(err) + + // We return this error because we run test against the error. + // When used in production code, you can decide how you can to handle errors. + if err != nil { + return err + } // 4. Get an item back from the table using the DynamoDb Client. // If this is an item written in plaintext (i.e. any item written @@ -90,7 +95,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // and surfaced as a plaintext item. key := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue}, } getInput := &dynamodb.GetItemInput{ @@ -100,11 +105,19 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri } result, err := ddb.GetItem(context.TODO(), getInput) - utils.HandleError(err) + // We return this error because we run test against the error. + // When used in production code, you can decide how you can to handle errors. + if err != nil { + return err + } // Verify we got the expected item back - if !reflect.DeepEqual(item, result.Item) { + if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value { + panic("Decrypted item does not match original item") + } + if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value { panic("Decrypted item does not match original item") } fmt.Println("MigrationStep1 completed successfully") + return nil } diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go index 0a2403335..762774682 100644 
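Review bot: The verification in the `@@ -100,11 +105,19 @@` hunk uses single-value type assertions on map lookups, so when GetItem returns no item (for example an unknown `sortKeyReadValue`) `result.Item["partition_key"]` is a nil interface and the assertion panics with a runtime "interface conversion" message instead of the intended "Decrypted item does not match original item". Use the comma-ok form for each check, e.g. `pk, ok := result.Item["partition_key"].(*types.AttributeValueMemberS)` followed by `if !ok || pk.Value != partitionKeyValue {` and the existing panic, and the same for `attribute1`. The identical pattern appears in MigrationStep2 and MigrationStep3 later in this patch. The new comment in the `@@ -80,7 +80,12 @@` hunk also has a typo: `how you can to handle errors` should be `how you want to handle errors`, repeated in all six copies of that comment.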
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go @@ -4,7 +4,6 @@ import ( // Standard imports "context" "fmt" - "reflect" // AWS SDK imports @@ -38,7 +37,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { +func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error { cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -64,10 +63,11 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // 6. Put an item into your table. // This item will be encrypted. + encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, - "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "sort_key": &types.AttributeValueMemberN{Value: "2"}, + "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, } @@ -78,7 +78,12 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri } _, err = ddb.PutItem(context.TODO(), &putInput) - utils.HandleError(err) + + // We return this error because we run test against the error. + // When used in production code, you can decide how you can to handle errors. + if err != nil { + return err + } // 7. Get an item back from the table. // If this is an item written in plaintext (i.e. any item written 
@@ -88,7 +93,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // item client-sid and surface it in our code as a plaintext item. key := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue}, } getInput := &dynamodb.GetItemInput{ @@ -98,11 +103,19 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri } result, err := ddb.GetItem(context.TODO(), getInput) - utils.HandleError(err) + // We return this error because we run test against the error. + // When used in production code, you can decide how you can to handle errors. + if err != nil { + return err + } - // Demonstrate we get the expected item back - if !reflect.DeepEqual(item, result.Item) { + // Verify we got the expected item back + if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value { + panic("Decrypted item does not match original item") + } + if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value { panic("Decrypted item does not match original item") } fmt.Println("MigrationStep2 completed successfully") + return nil } diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go index b8444ae61..4ab6972e9 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go @@ -4,7 +4,6 @@ import ( // Standard imports "context" "fmt" - "reflect" // AWS SDK imports 
@@ -34,7 +33,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue string) { +func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error { cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -63,10 +62,11 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // 6. Put an item into your table. // This item will be encrypted. + encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, - "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, + "sort_key": &types.AttributeValueMemberN{Value: "3"}, + "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, } @@ -77,7 +77,11 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri } _, err = ddb.PutItem(context.TODO(), &putInput) - utils.HandleError(err) + // We return this error because we run test against the error. + // When used in production code, you can decide how you can to handle errors. + if err != nil { + return err + } // 7. Get an item back from the table. // If this is an item written in plaintext (i.e. any item written 
@@ -87,7 +91,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri // item client-sid and surface it in our code as a plaintext item. key := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue}, } getInput := &dynamodb.GetItemInput{ @@ -97,11 +101,20 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyValue stri } result, err := ddb.GetItem(context.TODO(), getInput) - utils.HandleError(err) + // We return this error because we run test against the error. + // When used in production code, you can decide how you can to handle errors. + if err != nil { + return err + } - // Demonstrate we get the expected item back - if !reflect.DeepEqual(item, result.Item) { + // Verify we got the expected item back + if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value { + panic("Decrypted item does not match original item") + } + if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value { panic("Decrypted item does not match original item") } fmt.Println("MigrationStep3 completed successfully") + + return nil } diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go new file mode 100644 index 000000000..8df8c274e --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go 
@@ -0,0 +1,58 @@ +package awsdbe + +import ( + "errors" + "strings" + "testing" + + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" + "github.com/aws/smithy-go" + "github.com/google/uuid" +) + +func TestMigrationStep3(t *testing.T) { + kmsKeyID := utils.KmsKeyID() + tableName := utils.DdbTableName() + partitionKey := uuid.New().String() + sortKeys := []string{"0", "1", "2", "3"} + + // Successfully executes Step 3 + MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + + // Given: Step 0 has succeeded + plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + // When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values) + // MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]) + assertError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0])) + + // Given: Step 1 has succeeded + MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + // When: Execute Step 3 with sortReadValue=1, Then: should panic (cannot read plaintext values) + assertError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1])) + + // Given: Step 2 has succeeded + MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + // When: Execute Step 3 with sortReadValue=2, Then: Success (can read encrypted values) + MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[2]) + + // Cleanup + for _, sortKey := range sortKeys { + utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey) + } +} + +func assertError(err error) { + var oe *smithy.OperationError + if errors.As(err, &oe) { + if oe.Service() != "DynamoDB" { + panic("Expected service to be DynamoDB") + } + if oe.Operation() != "GetItem" { + panic("Expected Operation to be GetItem") + } + if !strings.Contains(oe.Unwrap().Error(), "Encrypted item missing 
expected header and footer attributes") { + panic("Expected message to contain Encrypted item missing expected header and footer attributes") + } + } +} From 6320c71009cd988d6a40ca5a91b5f60de27de050 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Fri, 1 Aug 2025 16:32:42 -0700 Subject: [PATCH 20/52] auto commit --- .../PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go | 6 +++--- .../PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go index 762774682..8b2b88bba 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go @@ -55,13 +55,13 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteAllowPlaintextRead) - // 5. Create DynamoDB client with dbEsdkMiddleware + // 2. Create DynamoDB client with dbEsdkMiddleware dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs) utils.HandleError(err) ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware()) - // 6. Put an item into your table. + // 3. Put an item into your table. // This item will be encrypted. encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ 
@@ -85,7 +85,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 return err
 }
- // 7. Get an item back from the table.
+ // 4. Get an item back from the table.
 // If this is an item written in plaintext (i.e. any item written
 // during Step 0 or 1), then the item will still be in plaintext.
 // If this is an item that was encrypted client-side (i.e. any item written
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go
index 4ab6972e9..4a983da85 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go
@@ -54,13 +54,13 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 listOfTableConfigs := configureTable(kmsKeyID, ddbTableName, dbesdkdynamodbencryptiontypes.PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead)
- // 5. Create DynamoDB client with dbEsdkMiddleware
+ // 2. Create DynamoDB client with dbEsdkMiddleware
 dbEsdkMiddleware, err := dbesdkmiddleware.NewDBEsdkMiddleware(listOfTableConfigs)
 utils.HandleError(err)
 ddb := dynamodb.NewFromConfig(cfg, dbEsdkMiddleware.CreateMiddleware())
- // 6. Put an item into your table.
+ // 3. Put an item into your table.
 // This item will be encrypted.
 encryptedAndSignedValue := "this will be encrypted and signed"
 item := map[string]types.AttributeValue{
@@ -83,7 +83,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 return err
 }
- // 7. Get an item back from the table.
+ // 4. Get an item back from the table.
 // If this is an item written in plaintext (i.e. any item written
 // during Step 0 or 1), then the item will still be in plaintext.
 // If this is an item that was encrypted client-side (i.e. any item written
From 158077a0237cc8ec5da9474209eb6f360880abe6 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Fri, 1 Aug 2025 16:40:00 -0700
Subject: [PATCH 21/52] auto commit
---
 .../awsdbe/{migrationexamplestep1.go => step1.go} | 0
 .../awsdbe/{migrationexamplestep1_test.go => step1_test.go} | 0
 .../awsdbe/{migrationexamplestep2.go => step2.go} | 0
 .../awsdbe/{migrationexamplestep2_test.go => step2_test.go} | 0
 .../awsdbe/{migrationexamplestep3.go => step3.go} | 0
 .../awsdbe/{migrationexamplestep3_test.go => step3_test.go} | 0
 6 files changed, 0 insertions(+), 0 deletions(-)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/{migrationexamplestep1.go => step1.go} (100%)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/{migrationexamplestep1_test.go => step1_test.go} (100%)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/{migrationexamplestep2.go => step2.go} (100%)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/{migrationexamplestep2_test.go => step2_test.go} (100%)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/{migrationexamplestep3.go => step3.go} (100%)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/{migrationexamplestep3_test.go => step3_test.go} (100%)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep1_test.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep2_test.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/migrationexamplestep3_test.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
From 2f82fff15b575a18eadd92d833ee34ceebfeccc6 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 10:29:14 -0700
Subject: [PATCH 22/52] auto commit
---
 .../plaintext/{migrationexamplestep0.go => step0.go} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/{migrationexamplestep0.go => step0.go} (100%)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/migrationexamplestep0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
similarity index 100%
rename from Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/migrationexamplestep0.go
rename to Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
From 6f5bc227a8fc980352e149497728d7515243f571 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 10:37:39 -0700
Subject: [PATCH 23/52] auto commit
---
 .../go/migration/PlaintextToAWSDBE/README.md | 51 +++++++++++++++++++
 .../Migration/PlaintextToAWSDBE/README.md | 2 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/README.md
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/README.md b/Examples/runtimes/go/migration/PlaintextToAWSDBE/README.md
new file mode 100644
index 000000000..31170c101
--- /dev/null
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/README.md
@@ -0,0 +1,51 @@
+# Plaintext DynamoDB Table to AWS Database Encryption SDK Encrypted Table Migration
+
+This projects demonstrates the steps necessary
+to migrate to the AWS Database Encryption SDK for DynamoDb
+from a plaintext database.
+
+[Step 0](plaintext/step0.go) demonstrates the starting state for your system.
+
+## Step 1
+
+In Step 1, you update your system to do the following:
+
+- continue to read plaintext items
+- continue to write plaintext items
+- prepare to read encrypted items
+
+When you deploy changes in Step 1,
+you should not expect any behavior change in your system,
+and your dataset still consists of plaintext data.
+
+You must ensure that the changes in Step 1 make it to all your readers before you proceed to Step 2.
+
+## Step 2
+
+In Step 2, you update your system to do the following:
+
+- continue to read plaintext items
+- start writing encrypted items
+- continue to read encrypted items
+
+When you deploy changes in Step 2,
+you are introducing encrypted items to your system,
+and must make sure that all your readers are updated with the changes from Step 1.
+
+Before you move onto the next step, you will need to encrypt all plaintext items in your dataset.
+Once you have completed this step,
+while new items are being encrypted using the new format and will be authenticated on read,
+your system will still accept reading plaintext, unauthenticated items.
+In order to complete migration to a system where you always authenticate your items,
+you should prioritize moving on to Step 3.
+
+## Step 3
+
+Once all old items are encrypted,
+update your system to do the following:
+
+- continue to write encrypted items
+- continue to read encrypted items
+- do not accept reading plaintext items
+
+Once you have deployed these changes to your system, you have completed migration.
diff --git a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md
index e160362b8..d7c31c308 100644
--- a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md
+++ b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md
@@ -4,7 +4,7 @@ This projects demonstrates the steps necessary
 to migrate to the AWS Database Encryption SDK for DynamoDb
 from a plaintext database.
-[Step 0](Desktop/workplace/aws-dynamodb-encryption-dafny/Examples/runtimes/java/Migration/PlaintextToAWSDBE/DDBEC/README.md) demonstrates the starting state for your system.
+[Step 0](./src/main/java/software/amazon/cryptography/examples/plaintext/MigrationExampleStep0.java) demonstrates the starting state for your system.
 ## Step 1
From 8939baa89dc235f0ae12f881ace701c05ab00263 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 10:45:32 -0700
Subject: [PATCH 24/52] auto commit
---
 .../PlaintextToAWSDBE/plaintext/step0.go | 33 +++++++++++++++----
 1 file changed, 26 insertions(+), 7 deletions(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
index dbd0c8877..5dd13168c 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
@@ -5,30 +5,49 @@ import (
 "fmt"
 "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils"
- "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/config"
 "github.com/aws/aws-sdk-go-v2/service/dynamodb"
 "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
 )
-// MigrationStep0 demonstrates plaintext database operations before encryption migration
+/*
+Migration Step 0: This is the pre-migration step for the
+plaintext-to-encrypted database migration, and is the starting
+state for our migration from a plaintext database to a
+client-side encrypted database encrypted using the
+AWS Database Encryption SDK for DynamoDb.
+
+In this example, we configure a DynamoDbClient to
+write a plaintext record to a table and read that record.
+This emulates the starting state of a plaintext-to-encrypted
+database migration; i.e. a plaintext database you can
+read and write to with the DynamoDbClient.
+
+Running this example requires access to the DDB Table whose name
+is provided in the function parameter.
+This table must be configured with the following
+primary key configuration:
+ - Partition key is named "partition_key" with type (S)
+ - Sort key is named "sort_key" with type (S)
+*/
 func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) {
- // 1. Create a standard DynamoDB client (no encryption)
+ // 1. Create a standard DynamoDB client
 cfg, err := config.LoadDefaultConfig(context.TODO())
 utils.HandleError(err)
 ddb := dynamodb.NewFromConfig(cfg)
- // 2. Put an example item into our DynamoDB table in plaintext
+ // 2. Put an example item into DynamoDB table
+ // This item will be stored in plaintext.
item := map[string]types.AttributeValue{
 "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
- "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue},
+ "sort_key": &types.AttributeValueMemberN{Value: "0"},
 "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"},
 "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"},
 "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"},
 }
 putInput := &dynamodb.PutItemInput{
- TableName: aws.String(ddbTableName),
+ TableName: &ddbTableName,
 Item: item,
 }
 _, err = ddb.PutItem(context.TODO(), putInput)
@@ -41,7 +60,7 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) {
 }
 getInput := &dynamodb.GetItemInput{
- TableName: aws.String(ddbTableName),
+ TableName: &ddbTableName,
 Key: key,
 }
 result, err := ddb.GetItem(context.TODO(), getInput)
From 1cac0e9d6bf25aafce2eae9ec151567754d85074 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 10:55:56 -0700
Subject: [PATCH 25/52] auto commit
---
 .../go/migration/PlaintextToAWSDBE/plaintext/step0.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
index 5dd13168c..bc2c11e47 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
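Review bot: The Put now hard-codes `"sort_key": &types.AttributeValueMemberN{Value: "0"}` while the GetItem key built further down the function (its context is visible in the next commit's hunk) still uses `sortKeyValue`, so any caller passing a value other than "0" writes one item and reads a different one or nothing; this only goes unnoticed because the test calls Step 0 with `sortKeys[0] == "0"`. Keep `"sort_key": &types.AttributeValueMemberN{Value: sortKeyValue},` so the write and read address the same item. The new doc comment also states the sort key has type (S), but the item writes it as an N attribute; one of the two must change, e.g. `- Sort key is named "sort_key" with type (N)` if the table was created with a numeric sort key. MigrationStep0 continues past the end of this hunk.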
@@ -53,7 +53,15 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) {
 _, err = ddb.PutItem(context.TODO(), putInput)
 utils.HandleError(err)
- // 3. Get an item back from the table as it was written
+ // 3. Get an item back from the table as it was written.
+ // If this is an item written in plaintext (i.e. any item written
+ // during Step 0 or 1), then the item will still be in plaintext
+ // and will be able to be processed.
+ // If this is an item that was encrypted client-side (i.e. any item written
+ // during Step 2 or after), then the item will still be encrypted client-side
+ // and will be unable to be processed in your code. To decrypt and process
+ // client-side encrypted items, you will need to configure encrypted reads on
+ // your dynamodb client (this is configured from Step 1 onwards).
 key := map[string]types.AttributeValue{
 "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
 "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue},
From 21573ffe4abc3971c4ee38f64fd2bef49d75177f Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 10:58:31 -0700
Subject: [PATCH 26/52] auto commit
---
 .../runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go
index 03130b79f..6455427de 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go
@@ -15,7 +15,6 @@ func configureTable(kmsKeyID, ddbTableName string, plaintextOverride dbesdkdynam
 // Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
 // We will use the `CreateMrkMultiKeyring` method to create this keyring,
 // as it will correctly handle both single region and Multi-Region KMS Keys.
-
 matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{})
 utils.HandleError(err)
From 845d51f6ef21addbd1a7eb4af9ed9f913e097512 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 11:06:25 -0700
Subject: [PATCH 27/52] auto commit
---
 .../go/migration/PlaintextToAWSDBE/awsdbe/step1.go | 6 +++---
 .../go/migration/PlaintextToAWSDBE/awsdbe/step2.go | 10 +++++-----
 .../go/migration/PlaintextToAWSDBE/awsdbe/step3.go | 2 +-
 .../examples/awsdbe/MigrationExampleStep2.java | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
index e5df7e412..9bdc38a50 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
@@ -29,7 +29,7 @@ Before you move on to step 2, ensure that these changes have successfully been d
 to all of your readers.
 Running this example requires access to the DDB Table whose name
-is provided in CLI arguments.
+is provided in the function parameter.
 This table must be configured with the following
 primary key configuration:
 - Partition key is named "partition_key" with type (S)
@@ -82,7 +82,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 _, err = ddb.PutItem(context.TODO(), &putInput)
 // We return this error because we run test against the error.
- // When used in production code, you can decide how you can to handle errors.
+ // When used in production code, you can decide how you want to handle errors.
 if err != nil {
 return err
 }
@@ -106,7 +106,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 result, err := ddb.GetItem(context.TODO(), getInput)
 // We return this error because we run test against the error.
- // When used in production code, you can decide how you can to handle errors.
+ // When used in production code, you can decide how you want to handle errors.
 if err != nil {
 return err
 }
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
index 8b2b88bba..fd1eeb3f6 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
@@ -31,7 +31,7 @@ Before you move onto the next step, you will need to encrypt all plaintext items
 How you will want to do this depends on your system.
 Running this example requires access to the DDB Table whose name
-is provided in CLI arguments.
+is provided in the function parameter.
 This table must be configured with the following
 primary key configuration:
 - Partition key is named "partition_key" with type (S)
@@ -80,7 +80,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 _, err = ddb.PutItem(context.TODO(), &putInput)
 // We return this error because we run test against the error.
- // When used in production code, you can decide how you can to handle errors.
+ // When used in production code, you can decide how you want to handle errors.
 if err != nil {
 return err
 }
@@ -89,8 +89,8 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 // If this is an item written in plaintext (i.e. any item written
 // during Step 0 or 1), then the item will still be in plaintext.
 // If this is an item that was encrypted client-side (i.e. any item written
- // during Step 2 or after), then the DDB enhanced client will decrypt the
- // item client-sid and surface it in our code as a plaintext item.
+ // during Step 2 or after), then the DDB client will decrypt the
+ // item client-side and surface it in our code as a plaintext item.
 key := map[string]types.AttributeValue{
 "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
 "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue},
@@ -104,7 +104,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 result, err := ddb.GetItem(context.TODO(), getInput)
 // We return this error because we run test against the error.
- // When used in production code, you can decide how you can to handle errors.
+ // When used in production code, you can decide how you want to handle errors.
 if err != nil {
 return err
 }
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
index 4a983da85..92cfd2d76 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
@@ -27,7 +27,7 @@ Before you move onto this step, you will need to encrypt all plaintext items in
 How you will want to do this depends on your system.
 Running this example requires access to the DDB Table whose name
-is provided in CLI arguments.
+is provided in the function parameter.
 This table must be configured with the following
 primary key configuration:
 - Partition key is named "partition_key" with type (S)
diff --git a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/src/main/java/software/amazon/cryptography/examples/awsdbe/MigrationExampleStep2.java b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/src/main/java/software/amazon/cryptography/examples/awsdbe/MigrationExampleStep2.java
index fda66dfc1..278cf6509 100644
--- a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/src/main/java/software/amazon/cryptography/examples/awsdbe/MigrationExampleStep2.java
+++ b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/src/main/java/software/amazon/cryptography/examples/awsdbe/MigrationExampleStep2.java
@@ -135,7 +135,7 @@ public static void MigrationStep2(
 // during Step 0 or 1), then the item will still be in plaintext.
 // If this is an item that was encrypted client-side (i.e. any item written
 // during Step 2 or after), then the DDB enhanced client will decrypt the
- // item client-sid and surface it in our code as a plaintext item.
+ // item client-side and surface it in our code as a plaintext item.
 SimpleClass itemToGet = new SimpleClass();
 itemToGet.setPartitionKey(partitionKey);
 itemToGet.setSortKey(sortReadValue);
From be195f202bbffd17561ab8dc2c352662b2182ae9 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 11:06:37 -0700
Subject: [PATCH 28/52] auto commit
---
 .../runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
index 92cfd2d76..6b468cde9 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
@@ -78,7 +78,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 _, err = ddb.PutItem(context.TODO(), &putInput)
 // We return this error because we run test against the error.
- // When used in production code, you can decide how you can to handle errors.
+ // When used in production code, you can decide how you want to handle errors.
 if err != nil {
 return err
 }
@@ -88,7 +88,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 // during Step 0 or 1), then the item will still be in plaintext.
 // If this is an item that was encrypted client-side (i.e. any item written
 // during Step 2 or after), then the DDB enhanced client will decrypt the
- // item client-sid and surface it in our code as a plaintext item.
+ // item client-side and surface it in our code as a plaintext item.
 key := map[string]types.AttributeValue{
 "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
 "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue},
@@ -102,7 +102,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 result, err := ddb.GetItem(context.TODO(), getInput)
 // We return this error because we run test against the error.
- // When used in production code, you can decide how you can to handle errors.
+ // When used in production code, you can decide how you want to handle errors.
 if err != nil {
 return err
 }
From ced6cbf15221bf6075dad6f5207f6bcf378a1311 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 11:10:22 -0700
Subject: [PATCH 29/52] auto commit
---
 .../go/migration/PlaintextToAWSDBE/awsdbe/step3.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
index 6b468cde9..9e83feb42 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go
@@ -42,7 +42,8 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 // This is common across all the steps.
 // When creating encryption configuration for your table,
- // you must use the plaintext override `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`.
+ // you can either not specify PlaintextOverride or use
+ // `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead` as PlaintextOverride.
 // If you do not specify `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`
 // plaintext override defaults to `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`,
 // which is the desired behavior for a client interacting with a fully encrypted database.
@@ -83,19 +84,20 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 return err
 }
- // 4. Get an item back from the table.
+ // 4. Get an item back from the table using the DynamoDb Client.
 // If this is an item written in plaintext (i.e. any item written
- // during Step 0 or 1), then the item will still be in plaintext.
+ // during Step 0 or 1), then the read will fail, as we have
+ // configured our client to forbid reading plaintext items.
 // If this is an item that was encrypted client-side (i.e. any item written
- // during Step 2 or after), then the DDB enhanced client will decrypt the
- // item client-side and surface it in our code as a plaintext item.
+ // during Step 2 or after), then the item will be decrypted client-side
+ // and surfaced as a plaintext item.
 key := map[string]types.AttributeValue{
 "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue},
 "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue},
 }
 getInput := &dynamodb.GetItemInput{
- TableName: aws.String(ddbTableName),
+ TableName: &ddbTableName,
 Key: key,
 ConsistentRead: aws.Bool(true),
 }
From 6c3971ba1855ca5166942c1eb0849b5779d12c21 Mon Sep 17 00:00:00 2001
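Review bot: The reworded comment now says PlaintextOverride may be left unspecified, and the unchanged sentence right after it repeats that the default is `PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead`, so the same fact is stated twice in slightly different words. Fold them into one, e.g. `// PlaintextOverride may be omitted (it defaults to PlaintextOverrideForbidPlaintextWriteForbidPlaintextRead)` / `// or set explicitly, as done below; either way plaintext reads and writes are rejected.` Passing the value explicitly, as the configureTable call in an earlier commit of this series does, keeps the forbid-plaintext-read guarantee independent of a library default and is worth stating as the recommended form. MigrationStep3 starts and ends outside this hunk.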
From: rishav-karanjit
Date: Mon, 4 Aug 2025 11:10:31 -0700
Subject: [PATCH 30/52] auto commit
---
 .../runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
index fd1eeb3f6..c77365f05 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go
@@ -97,7 +97,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 }
 getInput := &dynamodb.GetItemInput{
- TableName: aws.String(ddbTableName),
+ TableName: &ddbTableName,
 Key: key,
 ConsistentRead: aws.Bool(true),
 }
From 83f4bb3ef642a43b72899b9c05f2f1e022b67874 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 11:59:31 -0700
Subject: [PATCH 31/52] auto commit
---
 .../PlaintextToAWSDBE/awsdbe/step1.go | 2 +-
 .../PlaintextToAWSDBE/awsdbe/step3_test.go | 32 ++++---------------
 2 files changed, 8 insertions(+), 26 deletions(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
index 9bdc38a50..61272e350 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go
@@ -99,7 +99,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue
 }
 getInput := &dynamodb.GetItemInput{
- TableName: aws.String(ddbTableName),
+ TableName: &ddbTableName,
 Key: key,
 ConsistentRead: aws.Bool(true),
 }
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
index 8df8c274e..ab42ba379 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
@@ -1,13 +1,10 @@
 package awsdbe
 import (
- "errors"
- "strings"
 "testing"
 "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext"
 "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils"
- "github.com/aws/smithy-go"
 "github.com/google/uuid"
 )
@@ -18,41 +15,26 @@ func TestMigrationStep3(t *testing.T) {
 sortKeys := []string{"0", "1", "2", "3"}
 // Successfully executes Step 3
- MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3])
+ utils.HandleError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]))
 // Given: Step 0 has succeeded
- plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0])
+ utils.HandleError(plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]))
 // When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values)
 // MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0])
- assertError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]))
+ utils.AssertServiceError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]), "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes")
 // Given: Step 1 has succeeded
- MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1])
+ utils.HandleError(MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]))
 // When: Execute Step 3 with sortReadValue=1, Then: should panic (cannot read plaintext values)
- assertError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1]))
+ utils.AssertServiceError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1]), "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes")
 // Given: Step 2 has succeeded
- MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2])
+ utils.HandleError(MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]))
 // When: Execute Step 3 with sortReadValue=2, Then: Success (can read encrypted values)
- MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[2])
+ utils.HandleError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[2]))
 // Cleanup
 for _, sortKey := range sortKeys {
 utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey)
 }
 }
-
-func assertError(err error) {
- var 
oe *smithy.OperationError
- if errors.As(err, &oe) {
- if oe.Service() != "DynamoDB" {
- panic("Expected service to be DynamoDB")
- }
- if oe.Operation() != "GetItem" {
- panic("Expected Operation to be GetItem")
- }
- if !strings.Contains(oe.Unwrap().Error(), "Encrypted item missing expected header and footer attributes") {
- panic("Expected message to contain Encrypted item missing expected header and footer attributes")
- }
- }
-}
From 1d943e1f039c6701f2e7896d685f612cd9048df4 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 12:05:34 -0700
Subject: [PATCH 32/52] auto commit
---
 .../PlaintextToAWSDBE/awsdbe/step3_test.go | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
index ab42ba379..98c4b48aa 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
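Review bot: The cleanup loop at the end of TestMigrationStep3 only runs if every `utils.HandleError` / `utils.AssertServiceError` call before it returns, so one failed expectation leaves the four items written under `partitionKey` in the shared table; move the loop into a `defer func() { ... }()` placed right after `sortKeys` is declared so the rows are removed on either outcome. The comment above the `sortKeys[0]` case still reads "should panic" and the commented-out `// MigrationStep3(...)` line below it is dead now that the call returns an error; the next commit's hunk fixes the matching `sortKeys[1]` comment but leaves this one. Whether `utils.AssertServiceError` fails on a nil error is not visible here — if it does not, the two negative cases still cannot fail.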
@@ -15,23 +15,32 @@ func TestMigrationStep3(t *testing.T) { sortKeys := []string{"0", "1", "2", "3"} // Successfully executes Step 3 - utils.HandleError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3])) + err := MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + utils.HandleError(err) // Given: Step 0 has succeeded - utils.HandleError(plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0])) + err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + utils.HandleError(err) + // When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values) // MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]) utils.AssertServiceError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]), "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes") // Given: Step 1 has succeeded - utils.HandleError(MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1])) - // When: Execute Step 3 with sortReadValue=1, Then: should panic (cannot read plaintext values) - utils.AssertServiceError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1]), "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes") + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + utils.HandleError(err) + + // When: Execute Step 3 with sortReadValue=1, Then: should error out (cannot read plaintext values) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1]) + utils.AssertServiceError(err, "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes") // Given: Step 2 has succeeded - utils.HandleError(MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2])) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + utils.HandleError(err) + // When: Execute Step 3 with sortReadValue=2, Then: Success (can read encrypted values) - utils.HandleError(MigrationStep3(kmsKeyID, 
tableName, partitionKey, sortKeys[2])) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[2]) + utils.HandleError(err) // Cleanup for _, sortKey := range sortKeys { From 041e19f6d7b07e518fca5f1f43841a99e71949f2 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 12:09:08 -0700 Subject: [PATCH 33/52] auto commit --- .../PlaintextToAWSDBE/plaintext/step0_test.go | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go new file mode 100644 index 000000000..e4608eb3f --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go 
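Review bot: Every check in this test goes through `utils.HandleError` and `utils.AssertServiceError`, which panic, so a failure aborts the whole package's test binary instead of failing this test, and `t` is never used. Reporting through `t` keeps the other tests running and attributes the failure, e.g. `if err := MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]); err != nil { t.Fatalf("MigrationStep3: %v", err) }` for the success cases, with the assertion helpers taking a `testing.TB` if they are kept. The same pattern is in step0_test.go (PATCH 33) and step1_test.go/step2_test.go (PATCH 47 and 48). TestMigrationStep3 begins and ends outside this hunk.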
@@ -0,0 +1,47 @@
+package plaintext
+
+import (
+ "testing"
+
+ "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/awsdbe"
+ "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils"
+ "github.com/google/uuid"
+)
+
+func TestMigrationStep0(t *testing.T) {
+ kmsKeyID := utils.KmsKeyID()
+ tableName := utils.DdbTableName()
+ partitionKey := uuid.New().String()
+ sortKeys := []string{"0", "1", "2", "3"}
+
+ // Successfully executes step 0
+ err := MigrationStep0(tableName, partitionKey, sortKeys[0])
+ utils.HandleError(err)
+
+ // Given: Step 1 has succeeded
+ err = awsdbe.MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1])
+ utils.HandleError(err)
+
+ // When: Execute Step 0 with sortReadValue=1, Then: Success (i.e. can read plaintext values)
+ err = MigrationStep0(tableName, partitionKey, sortKeys[1])
+ utils.HandleError(err)
+
+ // Given: Step 2 has succeeded
+ err = awsdbe.MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2])
+ utils.HandleError(err)
+
+ // When: Execute Step 0 with sortReadValue=2, Then: should error out when reading encrypted items.
+ err = MigrationStep0(tableName, partitionKey, sortKeys[2])
+ utils.AssertErrorMessage(err, "partition_key is not a string attribute")
+
+ // Given: Step 3 has succeeded (if it exists)
+ awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3])
+ // When: Execute Step 0 with sortReadValue=3, Then: should error out
+ err = MigrationStep0(tableName, partitionKey, sortKeys[3])
+ utils.AssertErrorMessage(err, "partition_key is not a string attribute")
+
+ // Cleanup
+ for _, sortKey := range sortKeys[:3] { // Only clean up items we created
+ utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey)
+ }
+}
From 6098aa9b183121110d97838631ae5afe329b8af3 Mon Sep 17 00:00:00 2001
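Review bot: The return value of `awsdbe.MigrationStep3(...)` under "Given: Step 3 has succeeded (if it exists)" is dropped, so if Step 3 fails to write item "3" the following Step 0 read fails for an unrelated reason and the assertion on "partition_key is not a string attribute" no longer checks what the comment claims. Handle it like the other steps: `err = awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3])` followed by `utils.HandleError(err)`, and drop the "(if it exists)" hedge from the comment once the call is checked. The expected message is also the one step0.go (PATCH 34) returns from its attribute1 check by copy-paste, so this test pins a misleading string; the attribute that presumably trips is attribute1, the encrypted one.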
From: rishav-karanjit
Date: Mon, 4 Aug 2025 12:09:13 -0700
Subject: [PATCH 34/52] auto commit

---
 .../PlaintextToAWSDBE/plaintext/step0.go | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
index bc2c11e47..64785f2f5 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go
@@ -30,7 +30,7 @@ primary key configuration:
 - Partition key is named "partition_key" with type (S)
 - Sort key is named "sort_key" with type (S)
 */
-func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) {
+func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) error {
 // 1. Create a standard DynamoDB client
 cfg, err := config.LoadDefaultConfig(context.TODO())
 utils.HandleError(err)
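Review bot: `MigrationStep0` now returns an error, but the `utils.HandleError(err)` right after `config.LoadDefaultConfig` still panics, so a caller gets an error for some failures and a panic for others from the same function. Returning it instead, `if err != nil { return fmt.Errorf("loading AWS config: %w", err) }`, keeps a single failure path; the doc comment above the signature should also state that the function returns an error when the stored item cannot be read as plaintext. The rest of the body is outside this hunk, and the later `panic("No item found")` visible in the next hunk is presumably the same case.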
@@ -79,15 +79,26 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) {
 panic("No item found")
 }
 
- returnedPartitionKey := result.Item["partition_key"].(*types.AttributeValueMemberS).Value
- returnedAttribute1 := result.Item["attribute1"].(*types.AttributeValueMemberS).Value
+ returnedPartitionKey, ok := result.Item["partition_key"].(*types.AttributeValueMemberS)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("partition_key is not a string attribute")
+ }
+ returnedAttribute1, ok := result.Item["attribute1"].(*types.AttributeValueMemberS)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("partition_key is not a string attribute")
+ }
 
- if returnedPartitionKey != partitionKeyValue {
+ if returnedPartitionKey.Value != partitionKeyValue {
 panic(fmt.Sprintf("Expected partition key %s, got %s", partitionKeyValue, returnedPartitionKey))
 }
- if returnedAttribute1 != "this will be encrypted and signed" {
+ if returnedAttribute1.Value != "this will be encrypted and signed" {
 panic(fmt.Sprintf("Expected attribute1 value, got %s", returnedAttribute1))
 }
 
 fmt.Println("MigrationStep0 completed successfully")
+ return nil
 }
From 475d77e13e1414944abe922ae9ccb1cc8bfa23b9 Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 12:09:24 -0700
Subject: [PATCH 35/52] auto commit

---
 Examples/runtimes/go/utils/exampleUtils.go | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/Examples/runtimes/go/utils/exampleUtils.go b/Examples/runtimes/go/utils/exampleUtils.go
index 62c369866..763d2cfe6 100644
--- a/Examples/runtimes/go/utils/exampleUtils.go
+++ b/Examples/runtimes/go/utils/exampleUtils.go
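Review bot: The attribute1 type-assertion failure returns the copied message "partition_key is not a string attribute", which misreports which attribute was not a string; it should be `return fmt.Errorf("attribute1 is not a string attribute")`, and step0_test.go (PATCH 33) asserts on the copied text, so its expectation has to change with it. The two `panic(fmt.Sprintf(... %s ...))` calls now receive `*types.AttributeValueMemberS` instead of the string, so the message prints the struct rather than the value; pass `returnedPartitionKey.Value` and `returnedAttribute1.Value` there. A constant error string is also better written as `errors.New(...)` than `fmt.Errorf(...)` with no verbs. The function starts outside the hunk.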
@@ -6,12 +6,15 @@ package utils
 import (
 "context"
 "crypto/rand"
+ "errors"
 "os"
+ "strings"
 
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/config"
 "github.com/aws/aws-sdk-go-v2/service/dynamodb"
 "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+ "github.com/aws/smithy-go"
 )
 
 const (
@@ -130,6 +133,33 @@ func HandleError(err error) {
 }
 }
 
+func AssertServiceError(err error, service string, operation string, errorMessage string) {
+ if err == nil {
+ panic("Expected error but got no error")
+ }
+ var oe *smithy.OperationError
+ if errors.As(err, &oe) {
+ if oe.Service() != service {
+ panic("Expected service to be: " + service + " but got: " + oe.Service())
+ }
+ if oe.Operation() != operation {
+ panic("Expected Operation to be: " + operation + " but got: " + oe.Operation())
+ }
+ if !strings.Contains(oe.Unwrap().Error(), errorMessage) {
+ panic("Expected message to contain: " + errorMessage + " but got: " + oe.Unwrap().Error())
+ }
+ }
+}
+
+func AssertErrorMessage(err error, expectedMessage string) {
+ if err == nil {
+ panic("Expected error but got no error")
+ }
+ if !strings.Contains(err.Error(), expectedMessage) {
+ panic("Expected error containing: `" + expectedMessage + "` but got:" + err.Error())
+ }
+}
+
 func GenerateAes256KeyBytes() []byte {
 key := make([]byte, aesKeyBytes)
 // crypto/rand is used here for demonstration.
From 08fc555e676433cdcd2661352029bbefc2495c2a Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 13:02:26 -0700
Subject: [PATCH 36/52] auto commit

---
 .github/workflows/ci_test_go.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci_test_go.yml b/.github/workflows/ci_test_go.yml
index dd1b89a46..5f353fce8 100644
--- a/.github/workflows/ci_test_go.yml
+++ b/.github/workflows/ci_test_go.yml
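Review bot: `AssertServiceError` passes silently when `err` is not a `*smithy.OperationError`: the `errors.As` branch has no `else`, so any other error (a network failure, a plain `fmt.Errorf`) satisfies the assertion, and the negative cases in step3_test.go that rely on it would then pass for the wrong reason. Close the gap with `} else { panic("Expected *smithy.OperationError but got: " + err.Error()) }` after the `errors.As` block. Both helpers also deserve a doc comment saying that they panic on mismatch, e.g. `// AssertServiceError panics unless err is a smithy.OperationError for the given service and operation whose message contains errorMessage.`, since nothing in the `utils` name says they are test-only assertions.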
@@ -145,7 +145,7 @@ jobs: working-directory: ./Examples/runtimes/go run: | go run main.go - + - name: Test Examples if: matrix.library == 'DynamoDbEncryption' working-directory: ./Examples/runtimes/go From 6f5f836f3352ce116b06c740e0ac0fd7f104907a Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 13:21:37 -0700 Subject: [PATCH 37/52] auto commit --- Examples/runtimes/go/main.go | 172 ++++++++++++++++++----------------- 1 file changed, 89 insertions(+), 83 deletions(-) diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go index d36e65b38..a59789ea7 100644 --- a/Examples/runtimes/go/main.go +++ b/Examples/runtimes/go/main.go 
@@ -4,99 +4,105 @@ package main import ( + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/clientsupplier" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/itemencryptor" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/keyring" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/awsdbe" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/misc" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption" + "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption/complexexample" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" "github.com/google/uuid" ) func main() { - // // clientsupplier example - // clientsupplier.ClientSupplierExample( - // utils.DdbTableName(), - // utils.TestMrkReplicaKeyIdUsEast1(), - // utils.DefaultKMSKeyAccountID(), - // utils.AlternateRegionKmsKeyRegionAsAList()) - // // misc examples - // misc.BasicPutGetExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // misc.GetEncryptedDataKeyDescriptionExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // misc.MultiPutGetExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // branchKey1 := misc.CreateBranchKeyIDExample( - // utils.TestKeystoreName(), - // utils.TestLogicalKeystoreName(), - // utils.TestKeystoreKmsKeyId()) - // branchKey2 := misc.CreateBranchKeyIDExample( - // utils.TestKeystoreName(), - // utils.TestLogicalKeystoreName(), - // utils.TestKeystoreKmsKeyId()) + // clientsupplier example + clientsupplier.ClientSupplierExample( + utils.DdbTableName(), + 
utils.TestMrkReplicaKeyIdUsEast1(), + utils.DefaultKMSKeyAccountID(), + utils.AlternateRegionKmsKeyRegionAsAList()) + // misc examples + misc.BasicPutGetExample( + utils.KmsKeyID(), + utils.DdbTableName()) + misc.GetEncryptedDataKeyDescriptionExample( + utils.KmsKeyID(), + utils.DdbTableName()) + misc.MultiPutGetExample( + utils.KmsKeyID(), + utils.DdbTableName()) + branchKey1 := misc.CreateBranchKeyIDExample( + utils.TestKeystoreName(), + utils.TestLogicalKeystoreName(), + utils.TestKeystoreKmsKeyId()) + branchKey2 := misc.CreateBranchKeyIDExample( + utils.TestKeystoreName(), + utils.TestLogicalKeystoreName(), + utils.TestKeystoreKmsKeyId()) - // // keyring examples - // keyring.AwsKmsKeyringExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) - // keyring.RawAesExample( - // utils.DdbTableName(), - // utils.KeyNamespace(), - // utils.KeyName(), - // utils.GenerateAes256KeyBytes()) - // keyring.HierarchicalKeyringExample( - // utils.DdbTableName(), - // branchKey1, - // branchKey2, - // utils.TestKeystoreName(), - // utils.TestLogicalKeystoreName(), - // utils.TestKeystoreKmsKeyId()) - // keyring.KmsRsaKeyringExample( - // utils.DdbTableName(), - // utils.TestKmsRsaKeyID(), - // utils.DefaultRsaPublicKeyFilename()) - // keyring.RawRsaKeyringExample( - // utils.DdbTableName(), - // utils.ExampleRsaPublicKeyFilename(), - // utils.ExampleRsaPrivateKeyFilename()) - // keyring.MrkDiscoveryMultiKeyringExample( - // utils.KmsKeyID(), - // utils.DdbTableName(), - // utils.DefaultKMSKeyAccountID(), - // utils.DefaultKmsKeyRegion()) + // keyring examples + keyring.AwsKmsKeyringExample( + utils.KmsKeyID(), + utils.DdbTableName()) + keyring.RawAesExample( + utils.DdbTableName(), + utils.KeyNamespace(), + utils.KeyName(), + utils.GenerateAes256KeyBytes()) + keyring.HierarchicalKeyringExample( + utils.DdbTableName(), + branchKey1, + branchKey2, + utils.TestKeystoreName(), + utils.TestLogicalKeystoreName(), + utils.TestKeystoreKmsKeyId()) + keyring.KmsRsaKeyringExample( + 
utils.DdbTableName(), + utils.TestKmsRsaKeyID(), + utils.DefaultRsaPublicKeyFilename()) + keyring.RawRsaKeyringExample( + utils.DdbTableName(), + utils.ExampleRsaPublicKeyFilename(), + utils.ExampleRsaPrivateKeyFilename()) + keyring.MrkDiscoveryMultiKeyringExample( + utils.KmsKeyID(), + utils.DdbTableName(), + utils.DefaultKMSKeyAccountID(), + utils.DefaultKmsKeyRegion()) - // // item encryptor example - // itemencryptor.ItemEncryptDecryptExample( - // utils.KmsKeyID(), - // utils.DdbTableName()) + // item encryptor example + itemencryptor.ItemEncryptDecryptExample( + utils.KmsKeyID(), + utils.DdbTableName()) - // // searchable encryption example - // searchableencryption.BasicSearchableEncryptionExample( - // utils.UnitInspectionTestDdbTableName(), - // branchKey1, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // searchableencryption.BeaconStylesSearchableEncryptionExample( - // utils.UnitInspectionTestDdbTableName(), - // branchKey1, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // searchableencryption.CompoundBeaconSearchableEncryptionExample( - // utils.UnitInspectionTestDdbTableName(), - // branchKey2, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // searchableencryption.VirtualBeaconSearchableEncryptionExample( - // utils.SimpleBeaconTestDdbTableName(), - // branchKey2, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) - // complexexample.ComplexSearchableEncryptionExample( - // utils.TestComplexDdbTableName(), - // branchKey1, - // utils.TestKeystoreKmsKeyId(), - // utils.TestKeystoreName()) + // searchable encryption example + searchableencryption.BasicSearchableEncryptionExample( + utils.UnitInspectionTestDdbTableName(), + branchKey1, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + searchableencryption.BeaconStylesSearchableEncryptionExample( + utils.UnitInspectionTestDdbTableName(), + branchKey1, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + 
searchableencryption.CompoundBeaconSearchableEncryptionExample( + utils.UnitInspectionTestDdbTableName(), + branchKey2, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + searchableencryption.VirtualBeaconSearchableEncryptionExample( + utils.SimpleBeaconTestDdbTableName(), + branchKey2, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) + complexexample.ComplexSearchableEncryptionExample( + utils.TestComplexDdbTableName(), + branchKey1, + utils.TestKeystoreKmsKeyId(), + utils.TestKeystoreName()) // migration examples partitionKeyValue := uuid.New().String() From e0a2c7ea076de9f490bb81f1469aaf10e6a35dfb Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 13:25:29 -0700 Subject: [PATCH 38/52] auto commit --- .github/workflows/ci_test_go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci_test_go.yml b/.github/workflows/ci_test_go.yml index 5f353fce8..2f2abc5d5 100644 --- a/.github/workflows/ci_test_go.yml +++ b/.github/workflows/ci_test_go.yml @@ -140,7 +140,7 @@ jobs: run: | make test_go - - name: Run Examples (this panics when on error) + - name: Run Examples if: matrix.library == 'DynamoDbEncryption' working-directory: ./Examples/runtimes/go run: | From 13cf62ce955c0a93ea51075d26af6c6df38f1011 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 13:25:52 -0700 Subject: [PATCH 39/52] auto commit --- .github/workflows/ci_test_go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci_test_go.yml b/.github/workflows/ci_test_go.yml index 2f2abc5d5..c7ac36faf 100644 --- a/.github/workflows/ci_test_go.yml +++ b/.github/workflows/ci_test_go.yml @@ -140,7 +140,7 @@ jobs: run: | make test_go - - name: Run Examples + - name: Run Examples if: matrix.library == 'DynamoDbEncryption' working-directory: ./Examples/runtimes/go run: | From cde39893f052b7d1c32674b400d3dda957fdd321 Mon Sep 17 00:00:00 2001 
From: rishav-karanjit
Date: Mon, 4 Aug 2025 13:47:41 -0700
Subject: [PATCH 40/52] auto commit

---
 .../go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
index 98c4b48aa..bad5ebbc9 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
@@ -24,7 +24,8 @@ func TestMigrationStep3(t *testing.T) {
 
 // When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values)
 // MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0])
- utils.AssertServiceError(MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]), "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes")
+ err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0])
+ utils.AssertServiceError(err, "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes")
 
 // Given: Step 1 has succeeded
 err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1])
From e952d00e98202c32cfb5e8910226c727d62a703b Mon Sep 17 00:00:00 2001
From: rishav-karanjit
Date: Mon, 4 Aug 2025 13:47:52 -0700
Subject: [PATCH 41/52] auto commit

---
 .../runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
index bad5ebbc9..3efa33279 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go
@@ -23,7 +23,6 @@ func TestMigrationStep3(t *testing.T) { utils.HandleError(err) // When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values) - // MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]) err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]) utils.AssertServiceError(err, "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes") From debaf5aef6e10b5735e6ac7c07b90e9b45e4e588 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 13:49:31 -0700 Subject: [PATCH 42/52] auto commit --- .../plaintext/createsimpletable.go | 40 ------------------- .../PlaintextToAWSDBE/plaintext/step0_test.go | 2 +- 2 files changed, 1 insertion(+), 41 deletions(-) delete mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go deleted file mode 100644 index 233cb6dd9..000000000 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/createsimpletable.go +++ /dev/null 
@@ -1,40 +0,0 @@ -package plaintext - -import ( - "context" - - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" - "github.com/aws/aws-sdk-go-v2/service/dynamodb" - "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" -) - -// CreateSimpleTable creates a DynamoDB table with partition_key (S) and sort_key (N) -func CreateSimpleTable(ddbClient *dynamodb.Client, ddbTableName string) { - input := &dynamodb.CreateTableInput{ - TableName: &ddbTableName, - KeySchema: []types.KeySchemaElement{ - { - AttributeName: &[]string{"partition_key"}[0], - KeyType: types.KeyTypeHash, - }, - { - AttributeName: &[]string{"sort_key"}[0], - KeyType: types.KeyTypeRange, - }, - }, - AttributeDefinitions: []types.AttributeDefinition{ - { - AttributeName: &[]string{"partition_key"}[0], - AttributeType: types.ScalarAttributeTypeS, - }, - { - AttributeName: &[]string{"sort_key"}[0], - AttributeType: types.ScalarAttributeTypeN, - }, - }, - BillingMode: "PAY_PER_REQUEST", - } - - _, err := ddbClient.CreateTable(context.TODO(), input) - utils.HandleError(err) -} diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go index e4608eb3f..20900562f 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go @@ -41,7 +41,7 @@ func TestMigrationStep0(t *testing.T) { utils.AssertErrorMessage(err, "partition_key is not a string attribute") // Cleanup - for _, sortKey := range sortKeys[:3] { // Only clean up items we created + for _, sortKey := range sortKeys { // Only clean up items we created utils.DeleteItem(tableName, "partition_key", partitionKey, "sort_key", sortKey) } } From b478e988ab04a5f6196dae7c766b12662237e6a9 Mon Sep 17 00:00:00 2001 
From: rishav-karanjit Date: Mon, 4 Aug 2025 14:06:44 -0700 Subject: [PATCH 43/52] auto commit --- Examples/runtimes/go/main.go | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/Examples/runtimes/go/main.go b/Examples/runtimes/go/main.go index a59789ea7..8be077479 100644 --- a/Examples/runtimes/go/main.go +++ b/Examples/runtimes/go/main.go @@ -7,13 +7,10 @@ import ( "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/clientsupplier" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/itemencryptor" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/keyring" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/awsdbe" - "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE/plaintext" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/misc" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/searchableencryption/complexexample" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" - "github.com/google/uuid" ) func main() { 
@@ -103,14 +100,4 @@ func main() { branchKey1, utils.TestKeystoreKmsKeyId(), utils.TestKeystoreName()) - - // migration examples - partitionKeyValue := uuid.New().String() - sortKeyValue := "0" - - plaintext.MigrationStep0(utils.DdbTableName(), partitionKeyValue, sortKeyValue) - awsdbe.MigrationStep1(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) - awsdbe.MigrationStep2(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) - awsdbe.MigrationStep3(utils.KmsKeyID(), utils.DdbTableName(), partitionKeyValue, sortKeyValue) - utils.DeleteItem(utils.DdbTableName(), "partition_key", partitionKeyValue, "sort_key", sortKeyValue) } From 9b51cb28ee1b452578e6e091cf2a66160502663e Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 14:12:11 -0700 Subject: [PATCH 44/52] auto commit --- Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md index d7c31c308..869549e47 100644 --- a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md +++ b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/README.md @@ -1,4 +1,4 @@ -# DyanmoDb Encryption Client to AWS Database Encryption SDK for DynamoDb Migration +# Plaintext DynamoDB Table to AWS Database Encryption SDK Encrypted Table Migration This projects demonstrates the steps necessary to migrate to the AWS Database Encryption SDK for DynamoDb From 8412c88772e20201f5530b18b4317cf72a9d0cb1 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 14:13:33 -0700 Subject: [PATCH 45/52] auto commit --- .github/workflows/ci_test_go.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/ci_test_go.yml b/.github/workflows/ci_test_go.yml index c7ac36faf..d29337eb3 100644 --- a/.github/workflows/ci_test_go.yml 
+++ b/.github/workflows/ci_test_go.yml @@ -140,14 +140,9 @@ jobs: run: | make test_go - - name: Run Examples + - name: Run and Test Examples if: matrix.library == 'DynamoDbEncryption' working-directory: ./Examples/runtimes/go run: | go run main.go - - - name: Test Examples - if: matrix.library == 'DynamoDbEncryption' - working-directory: ./Examples/runtimes/go - run: | go test ./... From 14a3eba9973ab76ae9177ab9176f5243ee11079e Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 4 Aug 2025 14:16:10 -0700 Subject: [PATCH 46/52] auto commit --- .../runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go index 6455427de..4e51f6d98 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/common.go @@ -27,7 +27,7 @@ func configureTable(kmsKeyID, ddbTableName string, plaintextOverride dbesdkdynam // Configure which attributes are encrypted and/or signed when writing new items. // For each attribute that may exist on the items we plan to write to our DynamoDbTable, // we must explicitly configure how they should be treated during item encryption: - // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature + // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature // - DO_NOTHING: The attribute is not encrypted and not included in the signature partitionKeyName := "partition_key" From 4eb1d8a27e8a15dfbefe4948c055b05279de9a7b Mon Sep 17 00:00:00 2001 
From: rishav-karanjit Date: Mon, 4 Aug 2025 16:56:38 -0700 Subject: [PATCH 47/52] add step 3 -> step 1/2 --- .../PlaintextToAWSDBE/awsdbe/step1_test.go | 27 ++++++++++++++----- .../PlaintextToAWSDBE/awsdbe/step2_test.go | 27 ++++++++++++++----- 2 files changed, 42 insertions(+), 12 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go index 13140d213..0221d453f 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go 
@@ -12,20 +12,35 @@ func TestMigrationStep1(t *testing.T) { kmsKeyID := utils.KmsKeyID() tableName := utils.DdbTableName() partitionKey := uuid.New().String() - sortKeys := []string{"0", "1", "2"} + sortKeys := []string{"0", "1", "2", "3"} // Successfully executes Step 1 - MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err := MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + utils.HandleError(err) // Given: Step 0 has succeeded - plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + utils.HandleError(err) + // When: Execute Step 1 with sortReadValue=0, Then: Success (i.e. can read plaintext values) - MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[0]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[0]) + utils.HandleError(err) // Given: Step 2 has succeeded - MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + utils.HandleError(err) + // When: Execute Step 1 with sortReadValue=2, Then: Success (i.e. can read encrypted values) - MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[2]) + utils.HandleError(err) + + // Given: Step 3 has succeeded + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + utils.HandleError(err) + + // When: Execute Step 1 with sortReadValue=3, Then: Success (i.e. can read encrypted values) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[3]) + utils.HandleError(err) // Cleanup for _, sortKey := range sortKeys { diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go index c488992c1..db01f7dd2 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go 
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go @@ -12,20 +12,35 @@ func TestMigrationStep2(t *testing.T) { kmsKeyID := utils.KmsKeyID() tableName := utils.DdbTableName() partitionKey := uuid.New().String() - sortKeys := []string{"0", "1", "2"} + sortKeys := []string{"0", "1", "2", "3"} // Successfully executes Step 2 - MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err := MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + utils.HandleError(err) // Given: Step 0 has succeeded - plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + utils.HandleError(err) + // When: Execute Step 2 with sortReadValue=0, Then: Success (i.e. can read plaintext values) - MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[0]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[0]) + utils.HandleError(err) // Given: Step 1 has succeeded - MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + utils.HandleError(err) + // When: Execute Step 2 with sortReadValue=1, Then: Success (i.e. can read encrypted values) - MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[1]) + utils.HandleError(err) + + // Given: Step 3 has succeeded + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + utils.HandleError(err) + + // When: Execute Step 2 with sortReadValue=3, Then: Success (i.e. can read encrypted values) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[3]) + utils.HandleError(err) // Cleanup for _, sortKey := range sortKeys { From ea9b4807bd81bd0c4b05d3fc6b318d951a0ee7cd Mon Sep 17 00:00:00 2001 
From: rishav-karanjit Date: Wed, 6 Aug 2025 15:58:07 -0700 Subject: [PATCH 48/52] sortkeywritevalue --- .../PlaintextToAWSDBE/awsdbe/step1_test.go | 14 +++++++------- .../go/migration/PlaintextToAWSDBE/awsdbe/step2.go | 4 ++-- .../PlaintextToAWSDBE/awsdbe/step2_test.go | 14 +++++++------- .../go/migration/PlaintextToAWSDBE/awsdbe/step3.go | 4 ++-- .../PlaintextToAWSDBE/awsdbe/step3_test.go | 14 +++++++------- .../migration/PlaintextToAWSDBE/plaintext/step0.go | 6 +++--- .../PlaintextToAWSDBE/plaintext/step0_test.go | 14 +++++++------- 7 files changed, 35 insertions(+), 35 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go index 0221d453f..43eaf7f86 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1_test.go 
@@ -15,31 +15,31 @@ func TestMigrationStep1(t *testing.T) { sortKeys := []string{"0", "1", "2", "3"} // Successfully executes Step 1 - err := MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err := MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[1]) utils.HandleError(err) // Given: Step 0 has succeeded - err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[0]) utils.HandleError(err) // When: Execute Step 1 with sortReadValue=0, Then: Success (i.e. can read plaintext values) - err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[0]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[0]) utils.HandleError(err) // Given: Step 2 has succeeded - err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[2]) utils.HandleError(err) // When: Execute Step 1 with sortReadValue=2, Then: Success (i.e. can read encrypted values) - err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[2]) utils.HandleError(err) // Given: Step 3 has succeeded - err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3]) utils.HandleError(err) // When: Execute Step 1 with sortReadValue=3, Then: Success (i.e. can read encrypted values) - err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[3]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[3]) utils.HandleError(err) // Cleanup diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go index c77365f05..a2b2961a2 100644 
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go @@ -37,7 +37,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error { +func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue, sortKeyReadValue string) error { cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -66,7 +66,7 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: "2"}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go index db01f7dd2..e202cd6e8 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2_test.go 
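Review bot: The new `sortKeyWriteValue` parameter on `MigrationStep2` is not described by the doc block that ends just above the signature, and that block still says the sort key is `type (S)` while the put in the second hunk writes it as `&types.AttributeValueMemberN{Value: sortKeyWriteValue}`; one of the two is wrong, and a reader creating the table from the comment will get a key type that the example's own put rejects. Suggest adding to the doc block `sortKeyWriteValue is the sort_key this step writes; sortKeyReadValue is the sort_key it reads back, which lets one step read an item written by another step.` and correcting the stated key type to what the table actually uses. The same undocumented parameter and S-vs-N mismatch appear in step3.go and step0.go in this patch and in step1.go in PATCH 49. MigrationStep2's body continues outside both hunks.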
@@ -15,31 +15,31 @@ func TestMigrationStep2(t *testing.T) { sortKeys := []string{"0", "1", "2", "3"} // Successfully executes Step 2 - err := MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err := MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[2]) utils.HandleError(err) // Given: Step 0 has succeeded - err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[0]) utils.HandleError(err) // When: Execute Step 2 with sortReadValue=0, Then: Success (i.e. can read plaintext values) - err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[0]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[0]) utils.HandleError(err) // Given: Step 1 has succeeded - err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[1]) utils.HandleError(err) // When: Execute Step 2 with sortReadValue=1, Then: Success (i.e. can read encrypted values) - err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[1]) utils.HandleError(err) // Given: Step 3 has succeeded - err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3]) utils.HandleError(err) // When: Execute Step 2 with sortReadValue=3, Then: Success (i.e. can read encrypted values) - err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[3]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[3]) utils.HandleError(err) // Cleanup diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go index 9e83feb42..2de91dba7 100644 
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go @@ -33,7 +33,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error { +func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue, sortKeyReadValue string) error { cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -66,7 +66,7 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: "3"}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go index 3efa33279..276b23214 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3_test.go 
@@ -15,31 +15,31 @@ func TestMigrationStep3(t *testing.T) { sortKeys := []string{"0", "1", "2", "3"} // Successfully executes Step 3 - err := MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + err := MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3]) utils.HandleError(err) // Given: Step 0 has succeeded - err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0]) + err = plaintext.MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[0]) utils.HandleError(err) // When: Execute Step 3 with sortReadValue=0, Then: should panic (cannot read plaintext values) - err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[0]) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[0]) utils.AssertServiceError(err, "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes") // Given: Step 1 has succeeded - err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[1]) utils.HandleError(err) // When: Execute Step 3 with sortReadValue=1, Then: should error out (cannot read plaintext values) - err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[1]) utils.AssertServiceError(err, "DynamoDB", "GetItem", "Encrypted item missing expected header and footer attributes") // Given: Step 2 has succeeded - err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[2]) utils.HandleError(err) // When: Execute Step 3 with sortReadValue=2, Then: Success (can read encrypted values) - err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[2]) utils.HandleError(err) // Cleanup 
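Review bot: The comment on the first Step 3 read says `Then: should panic (cannot read plaintext values)`, but the line below asserts on a returned error with `utils.AssertServiceError`, and the parallel case two lines further down already says `should error out`. Align the wording so the expected failure mode is unambiguous: `// When: Execute Step 3 with sortReadValue=0, Then: should error out (cannot read plaintext values)`. TestMigrationStep3 continues outside the hunk.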
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go index 64785f2f5..35af3a94f 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go @@ -30,7 +30,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) error { +func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyWriteValue, sortKeyReadValue string) error { // 1. Create a standard DynamoDB client cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -40,7 +40,7 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) error // This item will be stored in plaintext. item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: "0"}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, @@ -64,7 +64,7 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyValue string) error // your dynamodb client (this is configured from Step 1 onwards). key := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: sortKeyValue}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyReadValue}, } getInput := &dynamodb.GetItemInput{ 
diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go
index 20900562f..dcc299d4c 100644
--- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go
@@ -15,29 +15,29 @@ func TestMigrationStep0(t *testing.T) { sortKeys := []string{"0", "1", "2", "3"} // Successfully executes step 0 - err := MigrationStep0(tableName, partitionKey, sortKeys[0]) + err := MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[0]) utils.HandleError(err) // Given: Step 1 has succeeded - err = awsdbe.MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1]) + err = awsdbe.MigrationStep1(kmsKeyID, tableName, partitionKey, sortKeys[1], sortKeys[1]) utils.HandleError(err) // When: Execute Step 0 with sortReadValue=1, Then: Success (i.e. can read plaintext values) - err = MigrationStep0(tableName, partitionKey, sortKeys[1]) + err = MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[1]) utils.HandleError(err) // Given: Step 2 has succeeded - err = awsdbe.MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2]) + err = awsdbe.MigrationStep2(kmsKeyID, tableName, partitionKey, sortKeys[2], sortKeys[2]) utils.HandleError(err) // When: Execute Step 0 with sortReadValue=2, Then: should error out when reading encrypted items. - err = MigrationStep0(tableName, partitionKey, sortKeys[2]) + err = MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[2]) utils.AssertErrorMessage(err, "partition_key is not a string attribute") // Given: Step 3 has succeeded (if it exists) - awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3]) + awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3]) // When: Execute Step 0 with sortReadValue=3, Then: should error out - err = MigrationStep0(tableName, partitionKey, sortKeys[3]) + err = MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[3]) utils.AssertErrorMessage(err, "partition_key is not a string attribute") // Cleanup From e2e45ebdf19aae7b5c87b4e32856cb95aa8d7aed Mon Sep 17 00:00:00 2001 
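Review bot: The new line `awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3])` discards the returned `error` while every other step call in this test is checked, so if the Step 3 write fails the next Step 0 read asserts against an item that was never written (or a stale one from an earlier run) and the test's conclusion is meaningless; the comment `(if it exists)` also no longer matches a function that is called unconditionally. Check it like the others: `err = awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3])` followed by `utils.HandleError(err)`, and drop `(if it exists)`. TestMigrationStep0 continues outside the hunk.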
From: rishav-karanjit Date: Wed, 6 Aug 2025 15:58:34 -0700 Subject: [PATCH 49/52] sortkeywritevalue --- .../runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go index 61272e350..2750844d8 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go @@ -35,7 +35,7 @@ primary key configuration: - Partition key is named "partition_key" with type (S) - Sort key is named "sort_key" with type (S) */ -func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue string) error { +func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue, sortKeyReadValue string) error { cfg, err := config.LoadDefaultConfig(context.TODO()) utils.HandleError(err) @@ -68,7 +68,7 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyReadValue encryptedAndSignedValue := "this will be encrypted and signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, - "sort_key": &types.AttributeValueMemberN{Value: "1"}, + "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, From f31359921dbd186ff1f9dce6201b16eb823a5de6 Mon Sep 17 00:00:00 2001 
From: rishav-karanjit Date: Mon, 11 Aug 2025 10:21:58 -0700 Subject: [PATCH 50/52] Assert all values --- .../PlaintextToAWSDBE/awsdbe/step1.go | 15 ++--- .../PlaintextToAWSDBE/awsdbe/step2.go | 15 ++--- .../PlaintextToAWSDBE/migrationutils.go | 59 +++++++++++++++++++ .../PlaintextToAWSDBE/plaintext/step0.go | 31 ++++------ .../PlaintextToAWSDBE/plaintext/step0_test.go | 4 +- 5 files changed, 87 insertions(+), 37 deletions(-) create mode 100644 Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go index 2750844d8..44db5e18b 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step1.go @@ -10,6 +10,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/dynamodb/types" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" + plaintexttoawsdbe "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" 
@@ -66,12 +67,14 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue // 3. Put an item into your table. // This item will be stored in plaintext. encryptedAndSignedValue := "this will be encrypted and signed" + signOnlyValue := "this will never be encrypted, but it will be signed" + doNothingValue := "this will never be encrypted nor signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, - "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, - "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + "attribute2": &types.AttributeValueMemberS{Value: signOnlyValue}, + "attribute3": &types.AttributeValueMemberS{Value: doNothingValue}, } putInput := dynamodb.PutItemInput{ @@ -112,11 +115,9 @@ func MigrationStep1(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue } // Verify we got the expected item back - if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value { - panic("Decrypted item does not match original item") - } - if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value { - panic("Decrypted item does not match original item") + err = plaintexttoawsdbe.VerifyReturnedItem(result, partitionKeyValue, sortKeyReadValue, encryptedAndSignedValue, signOnlyValue, doNothingValue) + if err != nil { + return err } fmt.Println("MigrationStep1 completed successfully") return nil diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go index a2b2961a2..1da1bcda3 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go 
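Review bot: The three attribute literals `"this will be encrypted and signed"`, `"this will never be encrypted, but it will be signed"` and `"this will never be encrypted nor signed"` are now spelled out as locals in MigrationStep1 and, identically, in step2.go and step0.go in this patch and step3.go in PATCH 52, and the new `plaintexttoawsdbe.VerifyReturnedItem` only compares whatever each caller hands it; exporting them once from that package, which every step already imports (e.g. `const EncryptedAndSignedValue = "this will be encrypted and signed"`), keeps the written and expected values from drifting between steps. The context comment `// This item will be stored in plaintext.` directly above a value named `encryptedAndSignedValue` also deserves one sentence on what Step 1's client does with writes, since the hunk leaves that unclear. MigrationStep1 continues outside both hunks.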
+++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step2.go @@ -14,6 +14,7 @@ import ( dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" + plaintexttoawsdbe "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" ) @@ -64,12 +65,14 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue // 3. Put an item into your table. // This item will be encrypted. encryptedAndSignedValue := "this will be encrypted and signed" + signOnlyValue := "this will never be encrypted, but it will be signed" + doNothingValue := "this will never be encrypted nor signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, - "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, - "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + "attribute2": &types.AttributeValueMemberS{Value: signOnlyValue}, + "attribute3": &types.AttributeValueMemberS{Value: doNothingValue}, } putInput := dynamodb.PutItemInput{ 
@@ -110,11 +113,9 @@ func MigrationStep2(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue } // Verify we got the expected item back - if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value { - panic("Decrypted item does not match original item") - } - if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value { - panic("Decrypted item does not match original item") + err = plaintexttoawsdbe.VerifyReturnedItem(result, partitionKeyValue, sortKeyReadValue, encryptedAndSignedValue, signOnlyValue, doNothingValue) + if err != nil { + return err } fmt.Println("MigrationStep2 completed successfully") return nil diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go new file mode 100644 index 000000000..d9ab9f951 --- /dev/null +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go 
@@ -0,0 +1,59 @@
+package plaintexttoawsdbe
+
+import (
+ "fmt"
+
+ "github.com/aws/aws-sdk-go-v2/service/dynamodb"
+ "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
+)
+
+func VerifyReturnedItem(result *dynamodb.GetItemOutput, partitionKeyValue, sortKeyValue, encryptedAndSignedValue, signOnlyValue, doNothingValue string) error {
+ returnedPartitionKey, ok := result.Item["partition_key"].(*types.AttributeValueMemberS)
+ fmt.Println(returnedPartitionKey.Value)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("partition_key is not a string attribute")
+ }
+ returnedsortKey, ok := result.Item["sort_key"].(*types.AttributeValueMemberN)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("sort_key is not a number attribute")
+ }
+ returnedAttribute1, ok := result.Item["attribute1"].(*types.AttributeValueMemberS)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("attribute1 is not a string attribute")
+ }
+ returnedAttribute2, ok := result.Item["attribute2"].(*types.AttributeValueMemberS)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("attribute2 is not a string attribute")
+ }
+ returnedAttribute3, ok := result.Item["attribute3"].(*types.AttributeValueMemberS)
+ if !ok {
+ // We return this error because we run test against the error.
+ // When used in production code, you can decide how you want to handle errors.
+ return fmt.Errorf("attribute3 is not a string attribute") + } + + if returnedPartitionKey.Value != partitionKeyValue { + panic(fmt.Sprintf("Expected partition key %s, got %s", partitionKeyValue, returnedPartitionKey)) + } + if returnedsortKey.Value != sortKeyValue { + panic(fmt.Sprintf("Expected partition key %s, got %s", sortKeyValue, returnedsortKey)) + } + if returnedAttribute1.Value != encryptedAndSignedValue { + panic(fmt.Sprintf("Expected attribute1 value %s, got %s", encryptedAndSignedValue, returnedAttribute1.Value)) + } + if returnedAttribute2.Value != signOnlyValue { + panic(fmt.Sprintf("Expected attribute2 value %s, got %s", signOnlyValue, returnedAttribute2.Value)) + } + if returnedAttribute3.Value != doNothingValue { + panic(fmt.Sprintf("Expected attribute3 value %s, got %s", doNothingValue, returnedAttribute3.Value)) + } + return nil +} diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go index 35af3a94f..b2b57410c 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0.go @@ -4,6 +4,7 @@ import ( "context" "fmt" + plaintexttoawsdbe "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/dynamodb" 
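Review bot: `VerifyReturnedItem` mixes two failure modes: a failed type assertion returns an `error`, but a value mismatch panics, so the `if err != nil { return err }` the callers add in this patch never sees a wrong partition key, sort key or attribute — for a routine whose purpose is to confirm that a decrypted item matches what was written, that outcome should be an error the caller (and the tests' `utils.AssertErrorMessage`) can act on. The sort-key branch also carries a copy-paste message (`Expected partition key %s, got %s`) and, like the partition-key branch, formats the `*types.AttributeValueMember*` pointer with `%s` instead of its `.Value`. The exported function has no doc comment; suggest `// VerifyReturnedItem checks that a GetItem result carries the expected partition key, sort key and attribute1..3 values, returning an error describing the first mismatch.`, and `returnedsortKey` would read better as `returnedSortKey` alongside the other locals. The `fmt.Println(returnedPartitionKey.Value)` placed before the `ok` check dereferences a nil pointer exactly when the assertion fails; PATCH 51 removes it.

```go
	// … unchanged: type assertions for partition_key, sort_key, attribute1..3 …

	if returnedPartitionKey.Value != partitionKeyValue {
		return fmt.Errorf("expected partition key %q, got %q", partitionKeyValue, returnedPartitionKey.Value)
	}
	if returnedsortKey.Value != sortKeyValue {
		return fmt.Errorf("expected sort key %q, got %q", sortKeyValue, returnedsortKey.Value)
	}
	if returnedAttribute1.Value != encryptedAndSignedValue {
		return fmt.Errorf("expected attribute1 %q, got %q", encryptedAndSignedValue, returnedAttribute1.Value)
	}
	if returnedAttribute2.Value != signOnlyValue {
		return fmt.Errorf("expected attribute2 %q, got %q", signOnlyValue, returnedAttribute2.Value)
	}
	if returnedAttribute3.Value != doNothingValue {
		return fmt.Errorf("expected attribute3 %q, got %q", doNothingValue, returnedAttribute3.Value)
	}
	return nil
```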
@@ -38,12 +39,15 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyWriteValue, sortKeyR // 2. Put an example item into DynamoDB table // This item will be stored in plaintext. + encryptedAndSignedValue := "this will be encrypted and signed" + signOnlyValue := "this will never be encrypted, but it will be signed" + doNothingValue := "this will never be encrypted nor signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, - "attribute1": &types.AttributeValueMemberS{Value: "this will be encrypted and signed"}, - "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, - "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, + "attribute2": &types.AttributeValueMemberS{Value: signOnlyValue}, + "attribute3": &types.AttributeValueMemberS{Value: doNothingValue}, } putInput := &dynamodb.PutItemInput{ 
@@ -79,24 +83,9 @@ func MigrationStep0(ddbTableName, partitionKeyValue, sortKeyWriteValue, sortKeyR panic("No item found") } - returnedPartitionKey, ok := result.Item["partition_key"].(*types.AttributeValueMemberS) - if !ok { - // We return this error because we run test against the error. - // When used in production code, you can decide how you want to handle errors. - return fmt.Errorf("partition_key is not a string attribute") - } - returnedAttribute1, ok := result.Item["attribute1"].(*types.AttributeValueMemberS) - if !ok { - // We return this error because we run test against the error. - // When used in production code, you can decide how you want to handle errors. - return fmt.Errorf("partition_key is not a string attribute") - } - - if returnedPartitionKey.Value != partitionKeyValue { - panic(fmt.Sprintf("Expected partition key %s, got %s", partitionKeyValue, returnedPartitionKey)) - } - if returnedAttribute1.Value != "this will be encrypted and signed" { - panic(fmt.Sprintf("Expected attribute1 value, got %s", returnedAttribute1)) + err = plaintexttoawsdbe.VerifyReturnedItem(result, partitionKeyValue, sortKeyReadValue, encryptedAndSignedValue, signOnlyValue, doNothingValue) + if err != nil { + return err } fmt.Println("MigrationStep0 completed successfully") diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go index dcc299d4c..b54382a81 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/plaintext/step0_test.go 
@@ -32,13 +32,13 @@ func TestMigrationStep0(t *testing.T) { // When: Execute Step 0 with sortReadValue=2, Then: should error out when reading encrypted items. err = MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[2]) - utils.AssertErrorMessage(err, "partition_key is not a string attribute") + utils.AssertErrorMessage(err, "attribute1 is not a string attribute") // Given: Step 3 has succeeded (if it exists) awsdbe.MigrationStep3(kmsKeyID, tableName, partitionKey, sortKeys[3], sortKeys[3]) // When: Execute Step 0 with sortReadValue=3, Then: should error out err = MigrationStep0(tableName, partitionKey, sortKeys[0], sortKeys[3]) - utils.AssertErrorMessage(err, "partition_key is not a string attribute") + utils.AssertErrorMessage(err, "attribute1 is not a string attribute") // Cleanup for _, sortKey := range sortKeys { // Only clean up items we created From f882e00eb60dcbc6277a6c9e64a506cf5becc65d Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 11 Aug 2025 10:23:22 -0700 Subject: [PATCH 51/52] remove print --- .../runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go | 1 - 1 file changed, 1 deletion(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go index d9ab9f951..c060048f4 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/migrationutils.go @@ -9,7 +9,6 @@ import ( func VerifyReturnedItem(result *dynamodb.GetItemOutput, partitionKeyValue, sortKeyValue, encryptedAndSignedValue, signOnlyValue, doNothingValue string) error { returnedPartitionKey, ok := result.Item["partition_key"].(*types.AttributeValueMemberS) - fmt.Println(returnedPartitionKey.Value) if !ok { // We return this error because we run test against the error. // When used in production code, you can decide how you want to handle errors. 
From e5250e78bd33402bafff8b869cab857dd048c05e Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Mon, 11 Aug 2025 10:23:54 -0700 Subject: [PATCH 52/52] auto commit --- .../PlaintextToAWSDBE/awsdbe/step3.go | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go index 2de91dba7..96304cdce 100644 --- a/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go +++ b/Examples/runtimes/go/migration/PlaintextToAWSDBE/awsdbe/step3.go @@ -1,12 +1,9 @@ package awsdbe import ( - // Standard imports "context" "fmt" - // AWS SDK imports - "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/dynamodb" @@ -14,6 +11,7 @@ import ( dbesdkdynamodbencryptiontypes "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/awscryptographydbencryptionsdkdynamodbsmithygeneratedtypes" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/dbesdkmiddleware" + plaintexttoawsdbe "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/migration/PlaintextToAWSDBE" "github.com/aws/aws-database-encryption-sdk-dynamodb/releases/go/dynamodb-esdk/examples/utils" ) 
@@ -64,12 +62,14 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue // 3. Put an item into your table. // This item will be encrypted. encryptedAndSignedValue := "this will be encrypted and signed" + signOnlyValue := "this will never be encrypted, but it will be signed" + doNothingValue := "this will never be encrypted nor signed" item := map[string]types.AttributeValue{ "partition_key": &types.AttributeValueMemberS{Value: partitionKeyValue}, "sort_key": &types.AttributeValueMemberN{Value: sortKeyWriteValue}, "attribute1": &types.AttributeValueMemberS{Value: encryptedAndSignedValue}, - "attribute2": &types.AttributeValueMemberS{Value: "this will never be encrypted, but it will be signed"}, - "attribute3": &types.AttributeValueMemberS{Value: "this will never be encrypted nor signed"}, + "attribute2": &types.AttributeValueMemberS{Value: signOnlyValue}, + "attribute3": &types.AttributeValueMemberS{Value: doNothingValue}, } putInput := dynamodb.PutItemInput{ @@ -110,13 +110,10 @@ func MigrationStep3(kmsKeyID, ddbTableName, partitionKeyValue, sortKeyWriteValue } // Verify we got the expected item back - if partitionKeyValue != result.Item["partition_key"].(*types.AttributeValueMemberS).Value { - panic("Decrypted item does not match original item") - } - if encryptedAndSignedValue != result.Item["attribute1"].(*types.AttributeValueMemberS).Value { - panic("Decrypted item does not match original item") + err = plaintexttoawsdbe.VerifyReturnedItem(result, partitionKeyValue, sortKeyReadValue, encryptedAndSignedValue, signOnlyValue, doNothingValue) + if err != nil { + return err } fmt.Println("MigrationStep3 completed successfully") - return nil }
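Review bot: The second hunk deletes `return nil` after `fmt.Println("MigrationStep3 completed successfully")`, but `MigrationStep3` still returns `error`, so the function body now ends without a terminating statement and the package no longer compiles (`missing return`). Restore `return nil` as the last statement before the closing brace, as step1.go and step2.go keep it in PATCH 50. MigrationStep3's signature and most of its body are outside these hunks.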