WIP

coderdan · coderdan · commit d7da4e2ae708 · 2024-10-30T17:02:59.000+11:00
diff --git a/src/crypto/attrs/flattened_encrypted_attributes.rs b/src/crypto/attrs/flattened_encrypted_attributes.rs
@@ -1,6 +1,6 @@
 use crate::{
     crypto::{attrs::flattened_protected_attributes::FlattenedAttrName, SealError},
-    encrypted_table::{ScopedCipherWithCreds, TableAttributes},
+    encrypted_table::{ScopedZeroKmsCipher, TableAttributes},
     traits::TableAttribute,
 };
 use cipherstash_client::{
@@ -34,7 +34,7 @@ impl FlattenedEncryptedAttributes {
     /// Decrypt self, returning a [FlattenedProtectedAttributes].
     pub(crate) async fn decrypt_all(
         self,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
     ) -> Result<FlattenedProtectedAttributes, SealError> {
         let descriptors = self
             .attrs
diff --git a/src/crypto/attrs/flattened_protected_attributes.rs b/src/crypto/attrs/flattened_protected_attributes.rs
@@ -2,7 +2,7 @@ use super::{
     flattened_encrypted_attributes::FlattenedEncryptedAttributes,
     normalized_protected_attributes::NormalizedKey,
 };
-use crate::{crypto::SealError, encrypted_table::{AttributeName, ScopedCipherWithCreds}};
+use crate::{crypto::SealError, encrypted_table::{AttributeName, ScopedZeroKmsCipher}};
 use cipherstash_client::{
     encryption::{BytesWithDescriptor, Plaintext}, zerokms::EncryptPayload,
 };
@@ -31,7 +31,7 @@ impl FlattenedProtectedAttributes {
     /// The output is a vec of `chunk_into` [FlattenedEncryptedAttributes] objects.
     pub(crate) async fn encrypt_all(
         self,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
         chunk_into: usize,
     ) -> Result<Vec<FlattenedEncryptedAttributes>, SealError> {
         let chunk_size = self.0.len() / chunk_into;
diff --git a/src/crypto/sealed.rs b/src/crypto/sealed.rs
@@ -1,6 +1,6 @@
 use crate::{
     crypto::attrs::FlattenedEncryptedAttributes,
-    encrypted_table::{ScopedCipherWithCreds, TableEntry},
+    encrypted_table::{ScopedZeroKmsCipher, TableEntry},
     traits::{ReadConversionError, WriteConversionError},
     Decryptable, Identifiable,
 };
@@ -68,7 +68,7 @@ impl SealedTableEntry {
     pub(crate) async fn unseal_all(
         items: Vec<Self>,
         spec: UnsealSpec<'_>,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
     ) -> Result<Vec<Unsealed>, SealError> {
         let UnsealSpec {
             protected_attributes,
@@ -130,7 +130,7 @@ impl SealedTableEntry {
     pub(crate) async fn unseal(
         self,
         spec: UnsealSpec<'_>,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
     ) -> Result<Unsealed, SealError> {
         let mut vec = Self::unseal_all(vec![self], spec, cipher).await?;
 
@@ -203,7 +203,7 @@ impl TryFrom<SealedTableEntry> for HashMap<String, AttributeValue> {
 
 #[cfg(test)]
 mod tests {
-    use crate::encrypted_table::{Cipher, ScopedCipherWithCreds};
+    use crate::encrypted_table::{ZeroKmsCipher, ScopedZeroKmsCipher};
 
     use super::SealedTableEntry;
     use cipherstash_client::{
@@ -214,7 +214,7 @@ mod tests {
     use std::{borrow::Cow, sync::Arc};
 
     // FIXME: Use the test cipher from CipherStash Client when that's ready
-    async fn get_cipher() -> Result<Arc<Cipher>, Box<dyn std::error::Error>> {
+    async fn get_cipher() -> Result<Arc<ZeroKmsCipher>, Box<dyn std::error::Error>> {
         let console_config = ConsoleConfig::builder().with_env().build().into_diagnostic()?;
         let zero_kms_config = ZeroKMSConfig::builder()
             .decryption_log(true)
@@ -242,7 +242,7 @@ mod tests {
         let cipher = get_cipher().await?;
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(cipher, dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(cipher, dataset_id).await.unwrap();
 
         let results = SealedTableEntry::unseal_all(vec![], spec, &scoped_cipher)
             .await
diff --git a/src/crypto/sealer.rs b/src/crypto/sealer.rs
@@ -2,7 +2,7 @@ use super::{
     attrs::FlattenedProtectedAttributes, b64_encode, format_term_key, SealError, SealedTableEntry, Unsealed, MAX_TERMS_PER_INDEX
 };
 use crate::{
-    encrypted_table::{AttributeName, ScopedCipherWithCreds, TableAttribute, TableAttributes, TableEntry},
+    encrypted_table::{AttributeName, ScopedZeroKmsCipher, TableAttribute, TableAttributes, TableEntry},
     traits::PrimaryKeyParts,
     IndexType,
 };
@@ -53,7 +53,7 @@ impl RecordsWithTerms {
 
     async fn encrypt(
         self,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
     ) -> Result<Vec<Sealed>, SealError> {
         let num_records = self.records.len();
         let mut pksks = Vec::with_capacity(num_records);
@@ -134,7 +134,7 @@ impl Sealer {
     fn index_all_terms<'a>(
         records: impl IntoIterator<Item = Sealer>,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
         // FIXME: This might need to be a const generic
         term_length: usize,
     ) -> Result<RecordsWithTerms, SealError> {
@@ -210,7 +210,7 @@ impl Sealer {
     pub(crate) async fn seal_all<'a>(
         records: impl IntoIterator<Item = Sealer>,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
         term_length: usize,
     ) -> Result<Vec<Sealed>, SealError> {
         Self::index_all_terms(records, protected_attributes, &cipher, term_length)?
@@ -221,7 +221,7 @@ impl Sealer {
     pub(crate) async fn seal<'a>(
         self,
         protected_attributes: impl AsRef<[Cow<'a, str>]>,
-        cipher: &ScopedCipherWithCreds,
+        cipher: &ScopedZeroKmsCipher,
         term_length: usize,
     ) -> Result<Sealed, SealError> {
         let mut vec = Self::seal_all([self], protected_attributes, cipher, term_length).await?;
diff --git a/src/encrypted_table/mod.rs b/src/encrypted_table/mod.rs
@@ -49,16 +49,16 @@ impl Deref for Dynamo {
     }
 }
 
-pub type Cipher = ZeroKMSWithClientKey<AutoRefresh<ServiceCredentials>>;
-pub type ScopedCipherWithCreds = ScopedCipher<AutoRefresh<ServiceCredentials>>;
+pub type ZeroKmsCipher = ZeroKMSWithClientKey<AutoRefresh<ServiceCredentials>>;
+pub type ScopedZeroKmsCipher = ScopedCipher<AutoRefresh<ServiceCredentials>>;
 
 pub struct EncryptedTable<D = Dynamo> {
     db: D,
-    cipher: Arc<Cipher>,
+    cipher: Arc<ZeroKmsCipher>,
 }
 
 impl<D> EncryptedTable<D> {
-    pub fn cipher(&self) -> Arc<Cipher> {
+    pub fn cipher(&self) -> Arc<ZeroKmsCipher> {
         self.cipher.clone()
     }
 }
@@ -279,9 +279,10 @@ impl<D> EncryptedTable<D> {
     ) -> Result<Vec<T>, DecryptError>
     where T: Decryptable + Identifiable,
     {
+        // TODO: Decryption _may_ not need to be scoped
          // TODO: Temporary obvs
          let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-         let scoped_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await.unwrap();
+         let scoped_cipher = ScopedZeroKmsCipher::init(self.cipher.clone(), dataset_id).await.unwrap();
 
         decrypt_all(&scoped_cipher, items).await
     }
@@ -292,7 +293,7 @@ impl<D> EncryptedTable<D> {
     ) -> Result<DynamoRecordPatch, DeleteError> {
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(self.cipher.clone(), dataset_id).await.unwrap();
 
         let PrimaryKeyParts { pk, sk } = encrypt_primary_key_parts(&scoped_cipher, delete.primary_key)?;
 
@@ -323,14 +324,15 @@ impl<D> EncryptedTable<D> {
     pub async fn create_put_patch(
         &self,
         record: PreparedRecord,
+        dataset_id: Uuid,
         // TODO: Make sure the index_predicate is used correctly
         index_predicate: impl FnMut(&AttributeName, &TableAttribute) -> bool,
     ) -> Result<DynamoRecordPatch, PutError> {
         let mut seen_sk = HashSet::new();
 
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let indexable_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await.unwrap();
+        let indexable_cipher = ScopedZeroKmsCipher::init(self.cipher.clone(), dataset_id).await.unwrap();
 
         let PreparedRecord {
             protected_attributes,
@@ -405,7 +407,7 @@ impl EncryptedTable<Dynamo> {
     {
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(self.cipher.clone(), dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(self.cipher.clone(), dataset_id).await.unwrap();
 
         let PrimaryKeyParts { pk, sk } =
             encrypt_primary_key_parts(&scoped_cipher, PreparedPrimaryKey::new::<T>(k))?;
@@ -484,7 +486,7 @@ impl EncryptedTable<Dynamo> {
 /// Take a prepared primary key and encrypt it to get the [`PrimaryKeyParts`] which can be used
 /// for retrieval.
 fn encrypt_primary_key_parts(
-    scoped_cipher: &ScopedCipherWithCreds,
+    scoped_cipher: &ScopedZeroKmsCipher,
     prepared_primary_key: PreparedPrimaryKey,
 ) -> Result<PrimaryKeyParts, PrimaryKeyError> {
     let PrimaryKeyParts { mut pk, mut sk } = prepared_primary_key.primary_key_parts;
@@ -500,7 +502,7 @@ fn encrypt_primary_key_parts(
     Ok(PrimaryKeyParts { pk, sk })
 }
 
-async fn decrypt<T>(scoped_cipher: &ScopedCipherWithCreds, item: HashMap<String, AttributeValue>) -> Result<T, DecryptError>
+async fn decrypt<T>(scoped_cipher: &ScopedZeroKmsCipher, item: HashMap<String, AttributeValue>) -> Result<T, DecryptError>
 where
     T: Decryptable + Identifiable,
 {
@@ -512,7 +514,7 @@ where
 }
 
 async fn decrypt_all<T>(
-    scoped_cipher: &ScopedCipherWithCreds,
+    scoped_cipher: &ScopedZeroKmsCipher,
     items: impl IntoIterator<Item = HashMap<String, AttributeValue>>,
 ) -> Result<Vec<T>, DecryptError>
 where
diff --git a/src/encrypted_table/query.rs b/src/encrypted_table/query.rs
@@ -15,7 +15,7 @@ use crate::{
 };
 use cipherstash_client::encryption::IndexTerm;
 
-use super::{Dynamo, EncryptedTable, ScopedCipherWithCreds, QueryError, SealError};
+use super::{Dynamo, EncryptedTable, ScopedZeroKmsCipher, QueryError, SealError};
 
 /// A builder for a query operation which returns records of type `S`.
 /// `B` is the storage backend used to store the data.
@@ -35,7 +35,7 @@ pub struct PreparedQuery {
 impl PreparedQuery {
     pub async fn encrypt(
         self,
-        scoped_cipher: &ScopedCipherWithCreds,
+        scoped_cipher: &ScopedZeroKmsCipher,
     ) -> Result<AttributeValue, QueryError> {
         let PreparedQuery {
             index_name,
@@ -62,7 +62,7 @@ impl PreparedQuery {
     pub async fn send(
         self,
         table: &EncryptedTable<Dynamo>,
-        scoped_cipher: &ScopedCipherWithCreds,
+        scoped_cipher: &ScopedZeroKmsCipher,
     ) -> Result<Vec<HashMap<String, AttributeValue>>, QueryError> {
         let term = self.encrypt(scoped_cipher).await?;
 
@@ -134,7 +134,7 @@ where
     {
         // TODO: Temporary obvs
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(self.storage.cipher.clone(), dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(self.storage.cipher.clone(), dataset_id).await.unwrap();
 
         let storage = self.storage;
         let query = self.build()?;
diff --git a/tests/query_builder_direct.rs b/tests/query_builder_direct.rs
@@ -1,5 +1,5 @@
 use cipherstash_dynamodb::{
-    encrypted_table::ScopedCipherWithCreds, Decryptable, Encryptable, EncryptedTable, Identifiable, QueryBuilder, Searchable
+    encrypted_table::ScopedZeroKmsCipher, Decryptable, Encryptable, EncryptedTable, Identifiable, QueryBuilder, Searchable
 };
 use itertools::Itertools;
 use serial_test::serial;
@@ -90,7 +90,7 @@ async fn test_query_single_exact() {
             .expect("failed to build query");
 
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(table.cipher(), dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(table.cipher(), dataset_id).await.unwrap();
     
         let term = query
             .encrypt(&scoped_cipher)
@@ -133,7 +133,7 @@ async fn test_query_single_prefix() {
             .expect("failed to init table");
 
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(table.cipher(), dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(table.cipher(), dataset_id).await.unwrap();
 
         let query = QueryBuilder::<User>::new()
             .starts_with("name", "Dan")
@@ -190,7 +190,7 @@ async fn test_query_compound() {
             .expect("failed to build query");
 
         let dataset_id = Uuid::parse_str("93e10481-2692-4d65-a619-37e36a496e64").unwrap();
-        let scoped_cipher = ScopedCipherWithCreds::init(table.cipher(), dataset_id).await.unwrap();
+        let scoped_cipher = ScopedZeroKmsCipher::init(table.cipher(), dataset_id).await.unwrap();
     
         let term = query
             .encrypt(&scoped_cipher)
