feat(protect-dynamodb): support protect nested schemas

Author: calvinbrewer

.changeset/eighty-items-smile.md

@@ -0,0 +1,5 @@
+---
+"@cipherstash/protect-dynamodb": minor
+---
+
+Support nested protect schema in dynamodb helper functions.

packages/protect-dynamodb/__tests__/dynamodb.test.ts

@@ -1,13 +1,19 @@
 import 'dotenv/config'
 import { describe, expect, it, beforeAll } from 'vitest'
 import { protectDynamoDB } from '../src'
-import { protect, csColumn, csTable } from '@cipherstash/protect'
+import { protect, csColumn, csTable, csValue } from '@cipherstash/protect'
 
 const schema = csTable('dynamo_cipherstash_test', {
   email: csColumn('email').equality(),
   firstName: csColumn('firstName').equality(),
   lastName: csColumn('lastName').equality(),
   phoneNumber: csColumn('phoneNumber'),
+  example: {
+    protected: csValue('example.protected'),
+    deep: {
+      protected: csValue('example.deep.protected'),
+    },
+  },
 })
 
 describe('protect dynamodb helpers', () => {
@@ -36,6 +42,14 @@ describe('protect dynamodb helpers', () => {
       companyName: 'Acme Corp',
       batteryBrands: ['Brand1', 'Brand2'],
       metadata: { role: 'admin' },
+      example: {
+        protected: 'hello world',
+        notProtected: 'I am not protected',
+        deep: {
+          protected: 'deep protected',
+          notProtected: 'deep not protected',
+        },
+      },
     }
 
     const result = await protectDynamo.encryptModel(testData, schema)
@@ -53,13 +67,18 @@ describe('protect dynamodb helpers', () => {
     expect(encryptedData).toHaveProperty('lastName__source')
     expect(encryptedData).toHaveProperty('lastName__hmac')
     expect(encryptedData).toHaveProperty('phoneNumber__source')
+    expect(encryptedData).not.toHaveProperty('phoneNumber__hmac')
+    expect(encryptedData.example).toHaveProperty('protected__source')
+    expect(encryptedData.example.deep).toHaveProperty('protected__source')
 
     // Verify other fields remain unchanged
     expect(encryptedData.id).toBe('01ABCDEFGHIJKLMNOPQRSTUVWX')
     expect(encryptedData.address).toBe('123 Main Street')
     expect(encryptedData.createdAt).toBe('2024-08-15T22:14:49.948Z')
     expect(encryptedData.companyName).toBe('Acme Corp')
     expect(encryptedData.batteryBrands).toEqual(['Brand1', 'Brand2'])
+    expect(encryptedData.example.notProtected).toBe('I am not protected')
+    expect(encryptedData.example.deep.notProtected).toBe('deep not protected')
     expect(encryptedData.metadata).toEqual({ role: 'admin' })
   })
 
@@ -71,6 +90,14 @@ describe('protect dynamodb helpers', () => {
       lastName: 'Smith',
       phoneNumber: null,
       metadata: { role: null },
+      example: {
+        protected: null,
+        notProtected: 'I am not protected',
+        deep: {
+          protected: undefined,
+          notProtected: 'deep not protected',
+        },
+      },
     }
 
     const result = await protectDynamo.encryptModel(testData, schema)
@@ -90,6 +117,9 @@ describe('protect dynamodb helpers', () => {
     expect(encryptedData.email).toBeNull()
     expect(encryptedData.firstName).toBeUndefined()
     expect(encryptedData.metadata).toEqual({ role: null })
+    expect(encryptedData.example.protected).toBeNull()
+    expect(encryptedData.example.deep.protected).toBeUndefined()
+    expect(encryptedData.example.deep.notProtected).toBe('deep not protected')
   })
 
   it('should handle empty strings and special characters', async () => {
@@ -117,6 +147,7 @@ describe('protect dynamodb helpers', () => {
     expect(encryptedData).toHaveProperty('lastName__source')
     expect(encryptedData).toHaveProperty('lastName__hmac')
     expect(encryptedData).toHaveProperty('phoneNumber__source')
+    expect(encryptedData).not.toHaveProperty('phoneNumber__hmac')
 
     // Verify other fields remain unchanged
     expect(encryptedData.id).toBe('01ABCDEFGHIJKLMNOPQRSTUVWX')
@@ -177,10 +208,19 @@ describe('protect dynamodb helpers', () => {
       firstName: 'John',
       lastName: 'Smith',
       phoneNumber: '555-555-5555',
+      example: {
+        protected: 'hello world',
+        notProtected: 'I am not protected',
+        deep: {
+          protected: 'deep protected',
+          notProtected: 'deep not protected',
+        },
+      },
     }
 
     // First encrypt
     const encryptResult = await protectDynamo.encryptModel(originalData, schema)
+
     if (encryptResult.failure) {
       throw new Error(`Encryption failed: ${encryptResult.failure.message}`)
     }
@@ -215,6 +255,14 @@ describe('protect dynamodb helpers', () => {
         firstName: 'Jane',
         lastName: 'Doe',
         phoneNumber: '555-555-5556',
+        example: {
+          protected: 'hello world',
+          notProtected: 'I am not protected',
+          deep: {
+            protected: 'deep protected',
+            notProtected: 'deep not protected',
+          },
+        },
       },
     ]
 

packages/protect-dynamodb/src/index.ts

@@ -21,28 +21,78 @@ class ProtectDynamoDBErrorImpl extends Error implements ProtectDynamoDBError {
   }
 }
 
+function deepClone<T>(obj: T): T {
+  if (obj === null || typeof obj !== 'object') {
+    return obj
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map((item) => deepClone(item)) as unknown as T
+  }
+
+  return Object.entries(obj as Record<string, unknown>).reduce(
+    (acc, [key, value]) => ({
+      // biome-ignore lint/performance/noAccumulatingSpread: TODO later
+      ...acc,
+      [key]: deepClone(value),
+    }),
+    {} as T,
+  )
+}
+
 function toEncryptedDynamoItem(
   encrypted: Record<string, unknown>,
   encryptedAttrs: string[],
 ): Record<string, unknown> {
-  return Object.entries(encrypted).reduce(
-    (putItem, [attrName, attrValue]) => {
-      if (encryptedAttrs.includes(attrName)) {
-        if (attrValue === null || attrValue === undefined) {
-          putItem[attrName] = attrValue
-        } else {
-          const encryptPayload = attrValue as EncryptedPayload
-          if (encryptPayload?.c) {
-            if (encryptPayload.hm) {
-              putItem[`${attrName}${searchTermAttrSuffix}`] = encryptPayload.hm
-            }
-            putItem[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.c
-          }
+  function processValue(
+    attrName: string,
+    attrValue: unknown,
+    isNested: boolean,
+  ): Record<string, unknown> {
+    if (attrValue === null || attrValue === undefined) {
+      return { [attrName]: attrValue }
+    }
+
+    // Handle encrypted payload
+    if (
+      encryptedAttrs.includes(attrName) ||
+      (isNested &&
+        typeof attrValue === 'object' &&
+        'c' in (attrValue as object))
+    ) {
+      const encryptPayload = attrValue as EncryptedPayload
+      if (encryptPayload?.c) {
+        const result: Record<string, unknown> = {}
+        if (encryptPayload.hm) {
+          result[`${attrName}${searchTermAttrSuffix}`] = encryptPayload.hm
         }
-      } else {
-        putItem[attrName] = attrValue
+        result[`${attrName}${ciphertextAttrSuffix}`] = encryptPayload.c
+        return result
       }
-      return putItem
+    }
+
+    // Handle nested objects recursively
+    if (typeof attrValue === 'object' && !Array.isArray(attrValue)) {
+      const nestedResult = Object.entries(
+        attrValue as Record<string, unknown>,
+      ).reduce(
+        (acc, [key, val]) => {
+          const processed = processValue(key, val, true)
+          return Object.assign({}, acc, processed)
+        },
+        {} as Record<string, unknown>,
+      )
+      return { [attrName]: nestedResult }
+    }
+
+    // Handle non-encrypted values
+    return { [attrName]: attrValue }
+  }
+
+  return Object.entries(encrypted).reduce(
+    (putItem, [attrName, attrValue]) => {
+      const processed = processValue(attrName, attrValue, false)
+      return Object.assign({}, putItem, processed)
     },
     {} as Record<string, unknown>,
   )
@@ -52,27 +102,64 @@ function toItemWithEqlPayloads(
   decrypted: Record<string, EncryptedPayload | unknown>,
   encryptedAttrs: string[],
 ): Record<string, unknown> {
-  return Object.entries(decrypted).reduce(
-    (formattedItem, [attrName, attrValue]) => {
-      if (
-        attrName.endsWith(ciphertextAttrSuffix) &&
-        encryptedAttrs.includes(attrName.slice(0, -ciphertextAttrSuffix.length))
-      ) {
-        formattedItem[attrName.slice(0, -ciphertextAttrSuffix.length)] = {
+  function processValue(
+    attrName: string,
+    attrValue: unknown,
+    isNested: boolean,
+  ): Record<string, unknown> {
+    if (attrValue === null || attrValue === undefined) {
+      return { [attrName]: attrValue }
+    }
+
+    // Skip HMAC fields
+    if (attrName.endsWith(searchTermAttrSuffix)) {
+      return {}
+    }
+
+    // Handle encrypted payload
+    if (
+      attrName.endsWith(ciphertextAttrSuffix) &&
+      (encryptedAttrs.includes(
+        attrName.slice(0, -ciphertextAttrSuffix.length),
+      ) ||
+        isNested)
+    ) {
+      const baseName = attrName.slice(0, -ciphertextAttrSuffix.length)
+      return {
+        [baseName]: {
           c: attrValue,
           bf: null,
           hm: null,
           i: { c: 'notUsed', t: 'notUsed' },
           k: 'notUsed',
           ob: null,
           v: 2,
-        }
-      } else if (attrName.endsWith(searchTermAttrSuffix)) {
-        // skip HMAC attrs since we don't need those for decryption
-      } else {
-        formattedItem[attrName] = attrValue
+        },
       }
-      return formattedItem
+    }
+
+    // Handle nested objects recursively
+    if (typeof attrValue === 'object' && !Array.isArray(attrValue)) {
+      const nestedResult = Object.entries(
+        attrValue as Record<string, unknown>,
+      ).reduce(
+        (acc, [key, val]) => {
+          const processed = processValue(key, val, true)
+          return Object.assign({}, acc, processed)
+        },
+        {} as Record<string, unknown>,
+      )
+      return { [attrName]: nestedResult }
+    }
+
+    // Handle non-encrypted values
+    return { [attrName]: attrValue }
+  }
+
+  return Object.entries(decrypted).reduce(
+    (formattedItem, [attrName, attrValue]) => {
+      const processed = processValue(attrName, attrValue, false)
+      return Object.assign({}, formattedItem, processed)
     },
     {} as Record<string, unknown>,
   )
@@ -110,7 +197,7 @@ export function protectDynamoDB(
       return await withResult(
         async () => {
           const encryptResult = await protectClient.encryptModel(
-            item,
+            deepClone(item),
             protectTable,
           )
 
@@ -120,10 +207,10 @@ export function protectDynamoDB(
             )
           }
 
-          const data = encryptResult.data
+          const data = deepClone(encryptResult.data)
           const encryptedAttrs = Object.keys(protectTable.build().columns)
 
-          return toEncryptedDynamoItem(data, encryptedAttrs)
+          return toEncryptedDynamoItem(data, encryptedAttrs) as T
         },
         (error) => handleError(error, 'encryptModel'),
       )
@@ -136,7 +223,7 @@ export function protectDynamoDB(
       return await withResult(
         async () => {
           const encryptResult = await protectClient.bulkEncryptModels(
-            items,
+            items.map((item) => deepClone(item)),
             protectTable,
           )
 
@@ -146,11 +233,12 @@ export function protectDynamoDB(
             )
           }
 
-          const data = encryptResult.data
+          const data = encryptResult.data.map((item) => deepClone(item))
           const encryptedAttrs = Object.keys(protectTable.build().columns)
 
-          return data.map((encrypted) =>
-            toEncryptedDynamoItem(encrypted, encryptedAttrs),
+          return data.map(
+            (encrypted) =>
+              toEncryptedDynamoItem(encrypted, encryptedAttrs) as T,
           )
         },
         (error) => handleError(error, 'bulkEncryptModels'),

packages/protect-dynamodb/src/types.ts

@@ -27,20 +27,20 @@ export interface ProtectDynamoDBInstance {
   encryptModel<T extends Record<string, unknown>>(
     item: T,
     protectTable: ProtectTable<ProtectTableColumn>,
-  ): Promise<Result<Record<string, unknown>, ProtectDynamoDBError>>
+  ): Promise<Result<T, ProtectDynamoDBError>>
 
   bulkEncryptModels<T extends Record<string, unknown>>(
     items: T[],
     protectTable: ProtectTable<ProtectTableColumn>,
-  ): Promise<Result<Record<string, unknown>[], ProtectDynamoDBError>>
+  ): Promise<Result<T[], ProtectDynamoDBError>>
 
   decryptModel<T extends Record<string, unknown>>(
-    item: Record<string, EncryptedPayload | unknown>,
+    item: T,
     protectTable: ProtectTable<ProtectTableColumn>,
   ): Promise<Result<Decrypted<T>, ProtectDynamoDBError>>
 
   bulkDecryptModels<T extends Record<string, unknown>>(
-    items: Record<string, EncryptedPayload | unknown>[],
+    items: T[],
     protectTable: ProtectTable<ProtectTableColumn>,
   ): Promise<Result<Decrypted<T>[], ProtectDynamoDBError>>