Added dataset aware Put and Get for EncryptedTable

Author: coderdan

src/crypto/sealer.rs

@@ -135,8 +135,6 @@ impl Sealer {
         records: impl IntoIterator<Item = Sealer>,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
         cipher: &ScopedZeroKmsCipher,
-        // FIXME: This might need to be a const generic
-        term_length: usize,
     ) -> Result<RecordsWithTerms, SealError> {
         let protected_attributes = protected_attributes.as_ref();
         let num_protected_attributes = protected_attributes.len();
@@ -211,9 +209,8 @@ impl Sealer {
         records: impl IntoIterator<Item = Sealer>,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
         cipher: &ScopedZeroKmsCipher,
-        term_length: usize,
     ) -> Result<Vec<Sealed>, SealError> {
-        Self::index_all_terms(records, protected_attributes, &cipher, term_length)?
+        Self::index_all_terms(records, protected_attributes, &cipher)?
             .encrypt(cipher)
             .await
     }
@@ -222,9 +219,8 @@ impl Sealer {
         self,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
         cipher: &ScopedZeroKmsCipher,
-        term_length: usize,
     ) -> Result<Sealed, SealError> {
-        let mut vec = Self::seal_all([self], protected_attributes, cipher, term_length).await?;
+        let mut vec = Self::seal_all([self], protected_attributes, cipher).await?;
 
         if vec.len() != 1 {
             let actual = vec.len();

src/encrypted_table/mod.rs

@@ -31,9 +31,6 @@ use std::{
     ops::Deref, sync::Arc,
 };
 
-/// Index terms are truncated to this length
-const DEFAULT_TERM_SIZE: usize = 12;
-
 pub struct Headless;
 
 pub struct Dynamo {
@@ -324,7 +321,7 @@ impl<D> EncryptedTable<D> {
     ) -> Result<DynamoRecordPatch, PutError> {
         let mut seen_sk = HashSet::new();
 
-        let indexable_cipher = ScopedZeroKmsCipher::init(self.cipher.clone(), dataset_id).await.unwrap();
+        let indexable_cipher = ScopedZeroKmsCipher::init(self.cipher.clone(), dataset_id).await?;
 
         let PreparedRecord {
             protected_attributes,
@@ -334,7 +331,7 @@ impl<D> EncryptedTable<D> {
 
         // Do the encryption
         let sealed = sealer
-            .seal(protected_attributes, &indexable_cipher, DEFAULT_TERM_SIZE)
+            .seal(protected_attributes, &indexable_cipher)
             .await?;
 
         let mut put_records = Vec::with_capacity(sealed.len());

src/errors/mod.rs

@@ -34,6 +34,9 @@ pub enum PutError {
 
     #[error(transparent)]
     DynamoError(#[from] SdkError<operation::transact_write_items::TransactWriteItemsError>),
+
+    #[error("ZeroKMS Error: {0}")]
+    ZeroKMS(#[from] zerokms::Error),
 }
 
 /// Error returned by `EncryptedTable::get` when retrieving and decrypting records from DynamoDB

tests/common.rs

@@ -83,3 +83,51 @@ pub async fn create_table(client: &Client, table_name: &str) {
         .await
         .expect("Failed to create table");
 }
+
+
+
+#[macro_export]
+macro_rules! assert_err {
+    ($cond:expr,) => {
+        $crate::assert_err!($cond);
+    };
+    ($cond:expr) => {
+        match $cond {
+            Ok(t) => {
+                panic!("assertion failed, expected Err(..), got Ok({:?})", t);
+            },
+            Err(e) => e,
+        }
+    };
+    ($cond:expr, $($arg:tt)+) => {
+        match $cond {
+            Ok(t) => {
+                panic!("assertion failed, expected Err(..), got Ok({:?}): {}", t, format_args!($($arg)+));
+            },
+            Err(e) => e,
+        }
+    };
+}
+
+#[macro_export]
+macro_rules! assert_none {
+    ($cond:expr,) => {
+        $crate::assert_none!($cond);
+    };
+    ($cond:expr) => {
+        match $cond {
+            Some(t) => {
+                panic!("assertion failed, expected Err(..), got Ok({:?})", t);
+            },
+            None => (),
+        }
+    };
+    ($cond:expr, $($arg:tt)+) => {
+        match $cond {
+            Ok(t) => {
+                panic!("assertion failed, expected None, got Some({:?}): {}", t, format_args!($($arg)+));
+            },
+            Err(e) => (),
+        }
+    };
+}

tests/round_trip_tests.rs

@@ -1,5 +1,7 @@
-use cipherstash_dynamodb::{Decryptable, Encryptable, EncryptedTable, Identifiable, Searchable};
+use cipherstash_client::ZeroKMSConfig;
+use cipherstash_dynamodb::{encrypted_table::Dynamo, Decryptable, Encryptable, EncryptedTable, Identifiable, Searchable};
 use miette::IntoDiagnostic;
+use uuid::Uuid;
 mod common;
 
 #[derive(Debug, Clone, PartialEq, Identifiable, Encryptable, Decryptable, Searchable)]
@@ -123,26 +125,10 @@ struct Crazy {
     pt_k_none: Option<Vec<Vec<u8>>>,
 }
 
-#[tokio::test]
-async fn test_round_trip() -> Result<(), Box<dyn std::error::Error>> {
-    let config = aws_config::from_env()
-        .endpoint_url("http://localhost:8000")
-        .load()
-        .await;
-
-    let client = aws_sdk_dynamodb::Client::new(&config);
-
-    let table_name = "crazy-record";
-
-    common::create_table(&client, table_name).await;
-
-    let table = EncryptedTable::init(client, table_name)
-        .await
-        .expect("Failed to init table");
-
-    let r = Crazy {
-        email: "[email protected]".into(),
-        name: "Dan".into(),
+fn build_test_record(email: &str, name: &str) -> Crazy {
+    Crazy {
+        email: email.into(),
+        name: name.into(),
 
         ct_a: 123,
         ct_b: 321,
@@ -205,17 +191,91 @@ async fn test_round_trip() -> Result<(), Box<dyn std::error::Error>> {
         pt_i_none: None,
         pt_j_none: None,
         pt_k_none: None,
-    };
+    }
+}
+
+async fn init_table() -> EncryptedTable<Dynamo> {
+    let config = aws_config::from_env()
+        .endpoint_url("http://localhost:8000")
+        .load()
+        .await;
+
+    let client = aws_sdk_dynamodb::Client::new(&config);
+
+    let table_name = "crazy-record";
+
+    common::create_table(&client, table_name).await;
+
+    EncryptedTable::init(client, table_name)
+        .await
+        .expect("Failed to init table")
+}
 
-    table.put(r.clone()).await.into_diagnostic()?;
+#[tokio::test]
+async fn test_round_trip() -> Result<(), Box<dyn std::error::Error>> {
+    let table = init_table().await;
+    let record = build_test_record("[email protected]", "Dan");
+    table.put(record.clone()).await.into_diagnostic()?;
 
     let s: Crazy = table
         .get(("[email protected]", "Dan"))
         .await
         .into_diagnostic()?
         .unwrap();
 
-    assert_eq!(s, r);
+    assert_eq!(s, record);
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn test_invalid_dataset() -> Result<(), Box<dyn std::error::Error>> {
+    let table = init_table().await;
+    let record = build_test_record("[email protected]", "Dan");
+
+    // A random UUID doesn't exist
+    assert_err!(table.put_via(record.clone(), Uuid::new_v4()).await);
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn test_invalid_specific_dataset() -> miette::Result<()> {
+    // TODO: Load client ID from env
+    let client_id = Uuid::parse_str("b91e5b26-f21f-4694-8bce-c61c10e42301").into_diagnostic()?;
+    let client = ZeroKMSConfig::builder()
+        .with_env()
+        .build()
+        .into_diagnostic()?
+        .create_client();
+
+    let dataset = client
+        .create_dataset("test-dataset", "Test dataset")
+        .await
+        .into_diagnostic()?;
+
+    // Grant ourselves access to the dataset
+    client.grant_dataset(client_id, dataset.id)
+        .await
+        .into_diagnostic()?;
+
+    let table = init_table().await;
+    let record = build_test_record("[email protected]", "Person");
+
+    table.put_via(record.clone(), dataset.id).await?;
+
+    let s: Crazy = table
+        .get_via(("[email protected]", "Person"), dataset.id)
+        .await?
+        .unwrap();
+
+    assert_eq!(s, record);
+
+    // Test that we can't get the record via the default dataset
+    assert_none!(table
+        .get::<Crazy>(("[email protected]", "Person"))
+        .await?);
+
 
     Ok(())
 }