WIP

Author: coderdan

Cargo.lock

@@ -1,6 +1,6 @@
 use crate::{
     crypto::{attrs::flattened_protected_attributes::FlattenedAttrName, SealError},
-    encrypted_table::{ScopedCipher, TableAttributes},
+    encrypted_table::{ScopedCipherWithCreds, TableAttributes},
     traits::TableAttribute,
 };
 use cipherstash_client::{
@@ -34,7 +34,7 @@ impl FlattenedEncryptedAttributes {
     /// Decrypt self, returning a [FlattenedProtectedAttributes].
     pub(crate) async fn decrypt_all(
         self,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
     ) -> Result<FlattenedProtectedAttributes, SealError> {
         let descriptors = self
             .attrs

src/crypto/attrs/flattened_encrypted_attributes.rs

@@ -2,7 +2,7 @@ use super::{
     flattened_encrypted_attributes::FlattenedEncryptedAttributes,
     normalized_protected_attributes::NormalizedKey,
 };
-use crate::{crypto::SealError, encrypted_table::{AttributeName, ScopedCipher}};
+use crate::{crypto::SealError, encrypted_table::{AttributeName, ScopedCipherWithCreds}};
 use cipherstash_client::{
     encryption::{BytesWithDescriptor, Plaintext}, zerokms::EncryptPayload,
 };
@@ -31,7 +31,7 @@ impl FlattenedProtectedAttributes {
     /// The output is a vec of `chunk_into` [FlattenedEncryptedAttributes] objects.
     pub(crate) async fn encrypt_all(
         self,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
         chunk_into: usize,
     ) -> Result<Vec<FlattenedEncryptedAttributes>, SealError> {
         let chunk_size = self.0.len() / chunk_into;

src/crypto/attrs/flattened_protected_attributes.rs

@@ -1,6 +1,6 @@
 use crate::{
     crypto::attrs::FlattenedEncryptedAttributes,
-    encrypted_table::{ScopedCipher, TableEntry},
+    encrypted_table::{ScopedCipherWithCreds, TableEntry},
     traits::{ReadConversionError, WriteConversionError},
     Decryptable, Identifiable,
 };
@@ -68,7 +68,7 @@ impl SealedTableEntry {
     pub(crate) async fn unseal_all(
         items: Vec<Self>,
         spec: UnsealSpec<'_>,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
     ) -> Result<Vec<Unsealed>, SealError> {
         let UnsealSpec {
             protected_attributes,
@@ -130,7 +130,7 @@ impl SealedTableEntry {
     pub(crate) async fn unseal(
         self,
         spec: UnsealSpec<'_>,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
     ) -> Result<Unsealed, SealError> {
         let mut vec = Self::unseal_all(vec![self], spec, cipher).await?;
 
@@ -203,7 +203,7 @@ impl TryFrom<SealedTableEntry> for HashMap<String, AttributeValue> {
 
 #[cfg(test)]
 mod tests {
-    use crate::encrypted_table::{Cipher, ScopedCipher};
+    use crate::encrypted_table::{Cipher, ScopedCipherWithCreds};
 
     use super::SealedTableEntry;
     use cipherstash_client::{
@@ -242,7 +242,7 @@ mod tests {
         let cipher = get_cipher().await?;
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(cipher, dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(cipher, dataset_id).await;
 
         let results = SealedTableEntry::unseal_all(vec![], spec, &scoped_cipher)
             .await

src/crypto/sealed.rs

@@ -2,7 +2,7 @@ use super::{
     attrs::FlattenedProtectedAttributes, b64_encode, format_term_key, SealError, SealedTableEntry, Unsealed, MAX_TERMS_PER_INDEX
 };
 use crate::{
-    encrypted_table::{AttributeName, ScopedCipher, TableAttribute, TableAttributes, TableEntry},
+    encrypted_table::{AttributeName, ScopedCipherWithCreds, TableAttribute, TableAttributes, TableEntry},
     traits::PrimaryKeyParts,
     IndexType,
 };
@@ -53,7 +53,7 @@ impl RecordsWithTerms {
 
     async fn encrypt(
         self,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
     ) -> Result<Vec<Sealed>, SealError> {
         let num_records = self.records.len();
         let mut pksks = Vec::with_capacity(num_records);
@@ -134,7 +134,7 @@ impl Sealer {
     fn index_all_terms<'a>(
         records: impl IntoIterator<Item = Sealer>,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
         // FIXME: This might need to be a const generic
         term_length: usize,
     ) -> Result<RecordsWithTerms, SealError> {
@@ -210,7 +210,7 @@ impl Sealer {
     pub(crate) async fn seal_all<'a>(
         records: impl IntoIterator<Item = Sealer>,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
         term_length: usize,
     ) -> Result<Vec<Sealed>, SealError> {
         Self::index_all_terms(records, protected_attributes, &cipher, term_length)?
@@ -221,7 +221,7 @@ impl Sealer {
     pub(crate) async fn seal<'a>(
         self,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
-        cipher: &ScopedCipher,
+        cipher: &ScopedCipherWithCreds,
         term_length: usize,
     ) -> Result<Sealed, SealError> {
         let mut vec = Self::seal_all([self], protected_attributes, cipher, term_length).await?;

src/crypto/sealer.rs

@@ -21,7 +21,7 @@ use cipherstash_client::{
     config::{console_config::ConsoleConfig, cts_config::CtsConfig, zero_kms_config::ZeroKMSConfig}, credentials::{
         auto_refresh::AutoRefresh,
         service_credentials::ServiceCredentials,
-    }, encryption::ScopedZeroKMSCipher, zerokms::{ZeroKMS, ZeroKMSWithClientKey}
+    }, encryption::ScopedCipher, zerokms::{ZeroKMS, ZeroKMSWithClientKey}
 };
 use log::info;
 use uuid::Uuid;
@@ -50,13 +50,11 @@ impl Deref for Dynamo {
 }
 
 pub type Cipher = ZeroKMSWithClientKey<AutoRefresh<ServiceCredentials>>;
-pub type ScopedCipher = ScopedZeroKMSCipher<AutoRefresh<ServiceCredentials>>;
+pub type ScopedCipherWithCreds = ScopedCipher<AutoRefresh<ServiceCredentials>>;
 
 pub struct EncryptedTable<D = Dynamo> {
     db: D,
     cipher: Arc<Cipher>,
-    // FIXME: This is temporary
-    dataset_root_key: [u8; 32],
 }
 
 impl<D> EncryptedTable<D> {
@@ -92,7 +90,6 @@ impl EncryptedTable<Headless> {
         Ok(Self {
             db: Headless,
             cipher: Arc::new(cipher),
-            dataset_root_key: [0; 32], // TODO
         })
     }
 }
@@ -284,7 +281,7 @@ impl<D> EncryptedTable<D> {
     {
          // TODO: Temporary obvs
          let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-         let scoped_cipher = ScopedCipher::init(self.cipher.clone(), dataset_id).await;
+         let scoped_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await?;
 
         decrypt_all(&scoped_cipher, items).await
     }
@@ -295,7 +292,7 @@ impl<D> EncryptedTable<D> {
     ) -> Result<DynamoRecordPatch, DeleteError> {
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(self.cipher.clone(), dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await;
 
         let PrimaryKeyParts { pk, sk } = encrypt_primary_key_parts(&scoped_cipher, delete.primary_key)?;
 
@@ -333,7 +330,7 @@ impl<D> EncryptedTable<D> {
 
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let indexable_cipher = ScopedCipher::init(self.cipher.clone(), dataset_id).await;
+        let indexable_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await;
 
         let PreparedRecord {
             protected_attributes,
@@ -354,8 +351,6 @@ impl<D> EncryptedTable<D> {
 
         let PrimaryKeyParts { pk, sk } = sealed.primary_key();
 
-        println!("IN CREATE_PUT_PATCH {:?} {:?}", pk, sk);
-
         let (root, index_entries) = sealed.into_table_entries(index_predicate);
 
         seen_sk.insert(root.inner().sk.clone());
@@ -401,8 +396,6 @@ impl EncryptedTable<Dynamo> {
                 db,
             },
             cipher: table.cipher,
-            // FIXME: This is temporary
-            dataset_root_key: table.dataset_root_key,
         })
     }
 
@@ -412,14 +405,12 @@ impl EncryptedTable<Dynamo> {
     {
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(self.cipher.clone(), dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await;
 
         let PrimaryKeyParts { pk, sk } =
             encrypt_primary_key_parts(&scoped_cipher, PreparedPrimaryKey::new::<T>(k))?;
 
 
-        println!("IN GET {:?} {:?}", pk, sk);
-
         let result = self
             .db
             .get_item()
@@ -493,7 +484,7 @@ impl EncryptedTable<Dynamo> {
 /// Take a prepared primary key and encrypt it to get the [`PrimaryKeyParts`] which can be used
 /// for retrieval.
 fn encrypt_primary_key_parts(
-    scoped_cipher: &ScopedCipher,
+    scoped_cipher: &ScopedCipherWithCreds,
     prepared_primary_key: PreparedPrimaryKey,
 ) -> Result<PrimaryKeyParts, PrimaryKeyError> {
     let PrimaryKeyParts { mut pk, mut sk } = prepared_primary_key.primary_key_parts;
@@ -509,7 +500,7 @@ fn encrypt_primary_key_parts(
     Ok(PrimaryKeyParts { pk, sk })
 }
 
-async fn decrypt<T>(scoped_cipher: &ScopedCipher, item: HashMap<String, AttributeValue>) -> Result<T, DecryptError>
+async fn decrypt<T>(scoped_cipher: &ScopedCipherWithCreds, item: HashMap<String, AttributeValue>) -> Result<T, DecryptError>
 where
     T: Decryptable + Identifiable,
 {
@@ -521,7 +512,7 @@ where
 }
 
 async fn decrypt_all<T>(
-    scoped_cipher: &ScopedCipher,
+    scoped_cipher: &ScopedCipherWithCreds,
     items: impl IntoIterator<Item = HashMap<String, AttributeValue>>,
 ) -> Result<Vec<T>, DecryptError>
 where

src/encrypted_table/mod.rs

@@ -15,7 +15,7 @@ use crate::{
 };
 use cipherstash_client::encryption::IndexTerm;
 
-use super::{Dynamo, EncryptedTable, ScopedCipher, QueryError, SealError};
+use super::{Dynamo, EncryptedTable, ScopedCipherWithCreds, QueryError, SealError};
 
 /// A builder for a query operation which returns records of type `S`.
 /// `B` is the storage backend used to store the data.
@@ -35,7 +35,7 @@ pub struct PreparedQuery {
 impl PreparedQuery {
     pub async fn encrypt(
         self,
-        scoped_cipher: &ScopedCipher,
+        scoped_cipher: &ScopedCipherWithCreds,
     ) -> Result<AttributeValue, QueryError> {
         let PreparedQuery {
             index_name,
@@ -62,7 +62,7 @@ impl PreparedQuery {
     pub async fn send(
         self,
         table: &EncryptedTable<Dynamo>,
-        scoped_cipher: &ScopedCipher,
+        scoped_cipher: &ScopedCipherWithCreds,
     ) -> Result<Vec<HashMap<String, AttributeValue>>, QueryError> {
         let term = self.encrypt(scoped_cipher).await?;
 
@@ -134,7 +134,7 @@ where
     {
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(self.storage.cipher.clone(), dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(self.storage.cipher.clone(), dataset_id).await;
 
         let storage = self.storage;
         let query = self.build()?;

src/encrypted_table/query.rs

@@ -6,6 +6,7 @@
 pub mod crypto;
 pub mod encrypted_table;
 pub mod traits;
+use encrypted_table::DynamoRecordPatch;
 pub use encrypted_table::{EncryptedTable, QueryBuilder};
 pub use traits::{
     Decryptable, Encryptable, Identifiable, IndexType, Pk, PkSk, PrimaryKey, Searchable,
@@ -22,3 +23,29 @@ pub use cipherstash_dynamodb_derive::{Decryptable, Encryptable, Identifiable, Se
 pub use cipherstash_client::encryption;
 
 pub type Key = [u8; 32];
+
+
+pub struct Put<T> {
+    record: T,
+}
+
+impl<T> Put<T> where T: Encryptable + Identifiable {
+    pub fn new(record: T) -> Self {
+        Self { record }
+    }
+}
+
+pub struct Cipher {}
+
+impl Cipher {
+}
+
+pub trait IntoPatch<Op> {
+    fn seal(&self, op: Op) -> Result<DynamoRecordPatch, Error>;
+}
+
+impl<T> IntoPatch<Put<T>> for Cipher {
+    fn seal(&self, op: Put<T>) -> Result<DynamoRecordPatch, Error> {
+        unimplemented!()
+    }
+}

src/lib.rs

@@ -1,5 +1,5 @@
 use cipherstash_dynamodb::{
-    encrypted_table::ScopedCipher, Decryptable, Encryptable, EncryptedTable, Identifiable, QueryBuilder, Searchable
+    encrypted_table::ScopedCipherWithCreds, Decryptable, Encryptable, EncryptedTable, Identifiable, QueryBuilder, Searchable
 };
 use itertools::Itertools;
 use serial_test::serial;
@@ -90,7 +90,7 @@ async fn test_query_single_exact() {
             .expect("failed to build query");
 
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(table.cipher(), dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(table.cipher(), dataset_id).await;
 
         let term = query
             .encrypt(&scoped_cipher)
@@ -133,7 +133,7 @@ async fn test_query_single_prefix() {
             .expect("failed to init table");
 
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(table.cipher(), dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(table.cipher(), dataset_id).await;
 
         let query = QueryBuilder::<User>::new()
             .starts_with("name", "Dan")
@@ -190,7 +190,7 @@ async fn test_query_compound() {
             .expect("failed to build query");
 
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipher::init(table.cipher(), dataset_id).await;
+        let scoped_cipher = ScopedCipherWithCreds::init(table.cipher(), dataset_id).await;
 
         let term = query
             .encrypt(&scoped_cipher)