WIP

Author: netf

example/main.go

@@ -31,7 +31,7 @@ func main() {
 	dynamoDBClient := dynamodb.NewFromConfig(cfg)
 
 	// Initialize the key material store
-	materialStore, err := store.NewKeyMaterialStore(dynamoDBClient, dynamoDBTableName)
+	materialStore, err := store.NewMetaStore(dynamoDBClient, dynamoDBTableName)
 	if err != nil {
 		log.Fatalf("Failed to create key material store: %v", err)
 	}
@@ -175,6 +175,24 @@ func main() {
 	}
 	fmt.Println("Encrypted item deleted successfully.")
 
+	// Paginate and decrypt items
+	paginator, err := ec.GetPaginator("Scan")
+	if err != nil {
+		log.Fatalf("Failed to get paginator: %v", err)
+	}
+
+	scanInput = &dynamodb.ScanInput{
+		TableName: aws.String(tableName),
+	}
+
+	err = paginator.Scan(ctx, scanInput, func(page *dynamodb.ScanOutput, lastPage bool) bool {
+		fmt.Printf("Decrypted page results: %v\n", page.Items)
+		return !lastPage // return false to stop paginating
+	})
+	if err != nil {
+		log.Fatalf("Failed during paginated scan: %v", err)
+	}
+
 }
 
 func createTableIfNotExists(ctx context.Context, client *dynamodb.Client, tableName string) error {

pkg/encrypted/client.go

@@ -30,6 +30,72 @@ type PrimaryKeyInfo struct {
 	SortKey      string
 }
 
+// EncryptedPaginator is a paginator for encrypted DynamoDB items.
+type EncryptedPaginator struct {
+	client    *EncryptedClient
+	nextToken map[string]types.AttributeValue
+}
+
+// NewEncryptedPaginator creates a new instance of EncryptedPaginator.
+func NewEncryptedPaginator(client *EncryptedClient) *EncryptedPaginator {
+	return &EncryptedPaginator{
+		client:    client,
+		nextToken: nil,
+	}
+}
+
+func (p *EncryptedPaginator) Query(ctx context.Context, input *dynamodb.QueryInput, fn func(*dynamodb.QueryOutput, bool) bool) error {
+	for {
+		if p.nextToken != nil {
+			input.ExclusiveStartKey = p.nextToken
+		}
+
+		output, err := p.client.Query(ctx, input)
+		if err != nil {
+			return err
+		}
+
+		lastPage := len(output.LastEvaluatedKey) == 0
+		if !fn(output, lastPage) {
+			break
+		}
+
+		if lastPage {
+			break
+		}
+
+		p.nextToken = output.LastEvaluatedKey
+	}
+
+	return nil
+}
+
+func (p *EncryptedPaginator) Scan(ctx context.Context, input *dynamodb.ScanInput, fn func(*dynamodb.ScanOutput, bool) bool) error {
+	for {
+		if p.nextToken != nil {
+			input.ExclusiveStartKey = p.nextToken
+		}
+
+		output, err := p.client.Scan(ctx, input)
+		if err != nil {
+			return err
+		}
+
+		lastPage := len(output.LastEvaluatedKey) == 0
+		if !fn(output, lastPage) {
+			break
+		}
+
+		if lastPage {
+			break
+		}
+
+		p.nextToken = output.LastEvaluatedKey
+	}
+
+	return nil
+}
+
 // EncryptedClient facilitates encrypted operations on DynamoDB items.
 type EncryptedClient struct {
 	client            DynamoDBClientInterface
@@ -51,6 +117,13 @@ func NewEncryptedClient(client DynamoDBClientInterface, materialsProvider provid
 	}
 }
 
+func (ec *EncryptedClient) GetPaginator(operationName string) (*EncryptedPaginator, error) {
+	if operationName != "Query" && operationName != "Scan" {
+		return nil, fmt.Errorf("unsupported operation for pagination: %s", operationName)
+	}
+	return NewEncryptedPaginator(ec), nil
+}
+
 // PutItem encrypts an item and puts it into a DynamoDB table.
 func (ec *EncryptedClient) PutItem(ctx context.Context, input *dynamodb.PutItemInput) (*dynamodb.PutItemOutput, error) {
 	// Encrypt the item, excluding primary keys

pkg/provider/kms.go

@@ -15,11 +15,11 @@ type AwsKmsCryptographicMaterialsProvider struct {
 	KeyID             string
 	EncryptionContext map[string]string
 	DelegatedKey      *delegatedkeys.TinkDelegatedKey
-	MaterialStore     *store.KeyMaterialStore
+	MaterialStore     *store.MetaStore
 }
 
 // NewAwsKmsCryptographicMaterialsProvider initializes a provider with the specified AWS KMS key ID, encryption context, and material store.
-func NewAwsKmsCryptographicMaterialsProvider(keyID string, encryptionContext map[string]string, materialStore *store.KeyMaterialStore) (CryptographicMaterialsProvider, error) {
+func NewAwsKmsCryptographicMaterialsProvider(keyID string, encryptionContext map[string]string, materialStore *store.MetaStore) (CryptographicMaterialsProvider, error) {
 
 	return &AwsKmsCryptographicMaterialsProvider{
 		KeyID:             keyID,

pkg/provider/store/store.go

@@ -12,21 +12,21 @@ import (
 	"github.com/cloudopsy/dynamodb-encryption-go/pkg/materials"
 )
 
-type KeyMaterialStore struct {
+type MetaStore struct {
 	DynamoDBClient *dynamodb.Client
 	TableName      string
 }
 
-// NewKeyMaterialStore creates a new instance of KeyMaterialStore.
-func NewKeyMaterialStore(dynamoDBClient *dynamodb.Client, tableName string) (*KeyMaterialStore, error) {
-	return &KeyMaterialStore{
+// NewMetaStore creates a new instance of MetaStore.
+func NewMetaStore(dynamoDBClient *dynamodb.Client, tableName string) (*MetaStore, error) {
+	return &MetaStore{
 		DynamoDBClient: dynamoDBClient,
 		TableName:      tableName,
 	}, nil
 }
 
 // StoreNewMaterial stores a new material along with its encryption context serialized as JSON.
-func (s *KeyMaterialStore) StoreNewMaterial(ctx context.Context, materialName string, material materials.CryptographicMaterials) error {
+func (s *MetaStore) StoreNewMaterial(ctx context.Context, materialName string, material materials.CryptographicMaterials) error {
 	// Serialize the material description to a JSON string.
 	materialDescriptionJSON, err := json.Marshal(material.MaterialDescription())
 	if err != nil {
@@ -83,7 +83,7 @@ func (s *KeyMaterialStore) StoreNewMaterial(ctx context.Context, materialName st
 }
 
 // RetrieveMaterial retrieves a material and its encryption context by materialName and version.
-func (s *KeyMaterialStore) RetrieveMaterial(ctx context.Context, materialName string, version int64) (map[string]string, string, error) {
+func (s *MetaStore) RetrieveMaterial(ctx context.Context, materialName string, version int64) (map[string]string, string, error) {
 	// If version is less than 1, retrieve the latest version
 	if version < 1 {
 		var err error
@@ -135,7 +135,7 @@ func (s *KeyMaterialStore) RetrieveMaterial(ctx context.Context, materialName st
 	return materialDescMap, wrappedKeysetBase64, nil
 }
 
-func (s *KeyMaterialStore) getLastVersion(ctx context.Context, materialName string) (int64, error) {
+func (s *MetaStore) getLastVersion(ctx context.Context, materialName string) (int64, error) {
 	input := &dynamodb.QueryInput{
 		TableName:              aws.String(s.TableName),
 		KeyConditionExpression: aws.String("MaterialName = :materialName"),
@@ -172,7 +172,7 @@ func (s *KeyMaterialStore) getLastVersion(ctx context.Context, materialName stri
 }
 
 // CreateTableIfNotExists checks if a DynamoDB table exists, and if not, creates it.
-func (s *KeyMaterialStore) CreateTableIfNotExists(ctx context.Context) error {
+func (s *MetaStore) CreateTableIfNotExists(ctx context.Context) error {
 	_, err := s.DynamoDBClient.DescribeTable(ctx, &dynamodb.DescribeTableInput{
 		TableName: aws.String(s.TableName),
 	})