Move fn type_name and fn sort_key_prefix to trait Identifiable.

Before the functions `fn type_name` and `fn sort_key_prefix` existed on both the
trait `Encryptable` and `Decryptable`, which made it hard to make proper trait bounds.
This PR moves both functions to the trait `Identifiable`.

Author: Nicklas Warming Jacobsen

cipherstash-dynamodb-derive/src/decryptable.rs

@@ -12,25 +12,19 @@ pub(crate) fn derive_decryptable(input: DeriveInput) -> Result<TokenStream, syn:
     let protected_attributes = settings.protected_attributes();
     let plaintext_attributes = settings.plaintext_attributes();
 
-    let protected_attributes_cow = settings.protected_attributes()
+    let protected_attributes_cow = settings
+        .protected_attributes()
         .into_iter()
-        .map(|x| quote!{ std::borrow::Cow::Borrowed(#x) });
+        .map(|x| quote! { std::borrow::Cow::Borrowed(#x) });
 
-    let plaintext_attributes_cow = settings.plaintext_attributes()
+    let plaintext_attributes_cow = settings
+        .plaintext_attributes()
         .into_iter()
-        .map(|x| quote!{ std::borrow::Cow::Borrowed(#x) });
+        .map(|x| quote! { std::borrow::Cow::Borrowed(#x) });
 
     let skipped_attributes = settings.skipped_attributes();
     let ident = settings.ident();
 
-    let type_name = &settings.type_name;
-
-    let sort_key_prefix_impl = if let Some(prefix) = &settings.sort_key_prefix {
-        quote! { Some(std::borrow::Cow::Borrowed(#prefix)) }
-    } else {
-        quote! { None }
-    };
-
     let from_unsealed_impl = protected_attributes
         .iter()
         .map(|attr| {
@@ -58,16 +52,6 @@ pub(crate) fn derive_decryptable(input: DeriveInput) -> Result<TokenStream, syn:
     let expanded = quote! {
         #[automatically_derived]
         impl cipherstash_dynamodb::traits::Decryptable for #ident {
-            #[inline]
-            fn type_name() -> std::borrow::Cow<'static, str> {
-                std::borrow::Cow::Borrowed(#type_name)
-            }
-
-            #[inline]
-            fn sort_key_prefix() -> Option<std::borrow::Cow<'static, str>> {
-                #sort_key_prefix_impl
-            }
-
             fn protected_attributes() -> std::borrow::Cow<'static, [std::borrow::Cow<'static, str>]> {
                 std::borrow::Cow::Borrowed(&[#(#protected_attributes_cow,)*])
             }

cipherstash-dynamodb-derive/src/encryptable.rs

@@ -9,25 +9,18 @@ pub(crate) fn derive_encryptable(input: DeriveInput) -> Result<TokenStream, syn:
         .field_attributes(&input)?
         .build()?;
 
-    let type_name = settings.type_name.clone();
-
-    let sort_key_prefix_impl = if let Some(prefix) = &settings.sort_key_prefix {
-        quote! { Some(std::borrow::Cow::Borrowed(#prefix)) }
-    } else {
-        quote! { None }
-    };
-
     let protected_attributes = settings.protected_attributes();
     let plaintext_attributes = settings.plaintext_attributes();
 
-    let protected_attributes_cow = settings.protected_attributes()
+    let protected_attributes_cow = settings
+        .protected_attributes()
         .into_iter()
-        .map(|x| quote!{ std::borrow::Cow::Borrowed(#x) });
+        .map(|x| quote! { std::borrow::Cow::Borrowed(#x) });
 
-    let plaintext_attributes_cow = settings.plaintext_attributes()
+    let plaintext_attributes_cow = settings
+        .plaintext_attributes()
         .into_iter()
-        .map(|x| quote!{ std::borrow::Cow::Borrowed(#x) });
-
+        .map(|x| quote! { std::borrow::Cow::Borrowed(#x) });
 
     let ident = settings.ident();
 
@@ -51,16 +44,6 @@ pub(crate) fn derive_encryptable(input: DeriveInput) -> Result<TokenStream, syn:
     let expanded = quote! {
         #[automatically_derived]
         impl cipherstash_dynamodb::traits::Encryptable for #ident {
-            #[inline]
-            fn type_name() -> std::borrow::Cow<'static, str> {
-                std::borrow::Cow::Borrowed(#type_name)
-            }
-
-            #[inline]
-            fn sort_key_prefix() -> Option<std::borrow::Cow<'static, str>> {
-                #sort_key_prefix_impl
-            }
-
             fn protected_attributes() -> std::borrow::Cow<'static, [std::borrow::Cow<'static, str>]> {
                 std::borrow::Cow::Borrowed(&[#(#protected_attributes_cow,)*])
             }
@@ -71,7 +54,7 @@ pub(crate) fn derive_encryptable(input: DeriveInput) -> Result<TokenStream, syn:
 
             #[allow(clippy::needless_question_mark)]
             fn into_unsealed(self) -> cipherstash_dynamodb::crypto::Unsealed {
-                let mut unsealed = cipherstash_dynamodb::crypto::Unsealed::new_with_descriptor(<Self as cipherstash_dynamodb::traits::Encryptable>::type_name());
+                let mut unsealed = cipherstash_dynamodb::crypto::Unsealed::new_with_descriptor(<Self as cipherstash_dynamodb::traits::Identifiable>::type_name());
 
                 #(#into_unsealed_impl)*
 

cipherstash-dynamodb-derive/src/identifiable.rs

@@ -53,11 +53,28 @@ pub(crate) fn derive_identifiable(input: DeriveInput) -> Result<TokenStream, syn
             }
         }
     };
+    let type_name = &settings.type_name;
+
+    let sort_key_prefix_impl = if let Some(prefix) = &settings.sort_key_prefix {
+        quote! { Some(std::borrow::Cow::Borrowed(#prefix)) }
+    } else {
+        quote! { None }
+    };
 
     let expanded = quote! {
         impl cipherstash_dynamodb::traits::Identifiable for #ident {
             #primary_key_impl
 
+            #[inline]
+            fn type_name() -> std::borrow::Cow<'static, str> {
+                std::borrow::Cow::Borrowed(#type_name)
+            }
+
+            #[inline]
+            fn sort_key_prefix() -> Option<std::borrow::Cow<'static, str>> {
+                #sort_key_prefix_impl
+            }
+
             fn is_pk_encrypted() -> bool {
                 #is_partition_key_encrypted
             }

src/crypto/mod.rs

@@ -106,6 +106,30 @@ where
         ))
 }
 
+// Contains all the necessary information to encrypt the primary key pair
+pub struct PreparedPrimaryKey {
+    pub primary_key_parts: PrimaryKeyParts,
+    pub is_pk_encrypted: bool,
+    pub is_sk_encrypted: bool,
+}
+
+impl PreparedPrimaryKey {
+    pub fn new<R>(k: impl Into<R::PrimaryKey>) -> Self
+    where
+        R: Identifiable,
+    {
+        let primary_key_parts = k
+            .into()
+            .into_parts(&R::type_name(), R::sort_key_prefix().as_deref());
+
+        Self {
+            primary_key_parts,
+            is_pk_encrypted: R::is_pk_encrypted(),
+            is_sk_encrypted: R::is_sk_encrypted(),
+        }
+    }
+}
+
 pub fn encrypt_primary_key<I: Identifiable>(
     k: impl Into<I::PrimaryKey>,
     type_name: &str,

src/encrypted_table/mod.rs

@@ -8,7 +8,7 @@ pub use self::{
 use crate::{
     crypto::*,
     errors::*,
-    traits::{Decryptable, PrimaryKey, PrimaryKeyParts, Searchable},
+    traits::{Decryptable, PrimaryKey, PrimaryKeyError, PrimaryKeyParts, Searchable},
     Identifiable, IndexType,
 };
 use aws_sdk_dynamodb::types::{AttributeValue, Delete, Put, TransactWriteItem};
@@ -264,12 +264,15 @@ impl<D> EncryptedTable<D> {
         &self,
         k: impl Into<E::PrimaryKey>,
     ) -> Result<DynamoRecordPatch, DeleteError> {
-        let PrimaryKeyParts { pk, sk } = encrypt_primary_key::<E>(
-            k,
-            &E::type_name(),
-            E::sort_key_prefix().as_deref(),
-            &self.cipher,
-        )?;
+        // let PrimaryKeyParts { pk, sk } = encrypt_primary_key::<E>(
+        //     k,
+        //     &E::type_name(),
+        //     E::sort_key_prefix().as_deref(),
+        //     &self.cipher,
+        // )?;
+
+        let PrimaryKeyParts { pk, sk } =
+            self.encrypt_primary_key_parts(PreparedPrimaryKey::new::<E>(k))?;
 
         let delete_records = all_index_keys(&sk, E::protected_indexes())
             .into_iter()
@@ -343,6 +346,23 @@ impl<D> EncryptedTable<D> {
             delete_records,
         })
     }
+
+    pub fn encrypt_primary_key_parts(
+        &self,
+        prepared_primary_key: PreparedPrimaryKey,
+    ) -> Result<PrimaryKeyParts, PrimaryKeyError> {
+        let PrimaryKeyParts { mut pk, mut sk } = prepared_primary_key.primary_key_parts;
+
+        if prepared_primary_key.is_pk_encrypted {
+            pk = b64_encode(hmac(&pk, None, &self.cipher)?);
+        }
+
+        if prepared_primary_key.is_sk_encrypted {
+            sk = b64_encode(hmac(&sk, Some(pk.as_str()), &self.cipher)?);
+        }
+
+        Ok(PrimaryKeyParts { pk, sk })
+    }
 }
 
 impl EncryptedTable<Dynamo> {
@@ -365,12 +385,8 @@ impl EncryptedTable<Dynamo> {
     where
         T: Decryptable + Identifiable,
     {
-        let PrimaryKeyParts { pk, sk } = encrypt_primary_key::<T>(
-            k,
-            &T::type_name(),
-            T::sort_key_prefix().as_deref(),
-            &self.cipher,
-        )?;
+        let PrimaryKeyParts { pk, sk } =
+            self.encrypt_primary_key_parts(PreparedPrimaryKey::new::<T>(k))?;
 
         let result = self
             .db

src/encrypted_table/query.rs

@@ -8,7 +8,7 @@ use std::marker::PhantomData;
 
 use crate::{
     traits::{Decryptable, Searchable},
-    IndexType, SingleIndex,
+    Identifiable, IndexType, SingleIndex,
 };
 use cipherstash_client::encryption::{compound_indexer::CompoundIndex, IndexTerm};
 
@@ -115,7 +115,7 @@ where
 
 impl<'t, S> QueryBuilder<'t, S, Dynamo>
 where
-    S: Searchable,
+    S: Searchable + Identifiable,
 {
     pub async fn load<T: Decryptable>(self) -> Result<Vec<T>, QueryError> {
         let (index_name, index, plaintext, builder) = self.build()?;
@@ -162,7 +162,7 @@ where
 
 impl<'t, S> QueryBuilder<'t, S, Dynamo>
 where
-    S: Searchable + Decryptable,
+    S: Searchable + Decryptable + Identifiable,
 {
     pub async fn send(self) -> Result<Vec<S>, QueryError> {
         self.load::<S>().await