WIP

Author: netf

example/main.go

@@ -9,7 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/cloudopsy/dynamodb-encryption-go/pkg/client"
+	"github.com/cloudopsy/dynamodb-encryption-go/pkg/encrypted"
 	"github.com/cloudopsy/dynamodb-encryption-go/pkg/provider"
 	"github.com/cloudopsy/dynamodb-encryption-go/pkg/provider/store"
 )
@@ -47,8 +47,11 @@ func main() {
 		log.Fatalf("Failed to create cryptographic materials provider: %v", err)
 	}
 
+	attributeAction := encrypted.NewAttributeActions(encrypted.AttributeActionDoNothing)
+	attributeAction.SetAttributeAction("Password", encrypted.AttributeActionEncrypt)
+
 	// Initialize EncryptedClient
-	ec := client.NewEncryptedClient(dynamoDBClient, cmp)
+	ec := encrypted.NewEncryptedClient(dynamoDBClient, cmp, attributeAction)
 
 	// User credentials to encrypt and store
 	userID := "user1"
@@ -162,7 +165,7 @@ func main() {
 	deleteItem := &dynamodb.DeleteItemInput{
 		TableName: &tableName,
 		Key: map[string]types.AttributeValue{
-			"UserID": &types.AttributeValueMemberS{Value: "user1"},
+			"UserID": &types.AttributeValueMemberS{Value: "user2"},
 		},
 	}
 

pkg/delegatedkeys/delegated_keys.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/tink-crypto/tink-go-awskms/integration/awskms"
 	"github.com/tink-crypto/tink-go/v2/aead"
-	"github.com/tink-crypto/tink-go/v2/daead"
 	"github.com/tink-crypto/tink-go/v2/keyset"
 	"github.com/tink-crypto/tink-go/v2/signature"
 )
@@ -61,6 +60,7 @@ func (dk *TinkDelegatedKey) AllowedForRawMaterials() bool {
 }
 
 func (dk *TinkDelegatedKey) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) {
+	// TODO: Support AEAD and DAEAD primitives
 	a, err := aead.New(dk.keysetHandle)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get AEAD primitive: %v", err)
@@ -69,6 +69,7 @@ func (dk *TinkDelegatedKey) Encrypt(plaintext []byte, associatedData []byte) ([]
 }
 
 func (dk *TinkDelegatedKey) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
+	// TODO: Support AEAD and DAEAD primitives
 	a, err := aead.New(dk.keysetHandle)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get AEAD primitive: %v", err)
@@ -142,21 +143,11 @@ func UnwrapKeyset(encryptedKeyset []byte, kekUri string) (*TinkDelegatedKey, err
 	return NewTinkDelegatedKey(handle, kekUri), nil
 }
 
-func GenerateDataKey(keyURI, keyType string) (*TinkDelegatedKey, []byte, error) {
-	var kh *keyset.Handle
-	var err error
-
-	switch strings.ToLower(keyType) {
-	case "aead":
-		kh, err = keyset.NewHandle(aead.AES256GCMKeyTemplate())
-	case "daead":
-		kh, err = keyset.NewHandle(daead.AESSIVKeyTemplate())
-	default:
-		return nil, nil, fmt.Errorf("unsupported key type: %v", keyType)
-	}
+func GenerateDataKey(keyURI string) (*TinkDelegatedKey, []byte, error) {
+	kh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
 
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to generate new keyset handle for %v: %v", keyType, err)
+		return nil, nil, fmt.Errorf("failed to generate new keyset handle: %v", err)
 	}
 
 	delegatedKey := NewTinkDelegatedKey(kh, keyURI)

pkg/encrypted/action.go

@@ -0,0 +1,38 @@
+package encrypted
+
+type AttributeAction int
+
+const (
+	AttributeActionDoNothing AttributeAction = iota
+	AttributeActionEncrypt
+	AttributeActionEncryptDeterministically
+	AttributeActionSign
+)
+
+type AttributeActions struct {
+	defaultAction    AttributeAction
+	attributeActions map[string]AttributeAction
+}
+
+func NewAttributeActions(defaultAction AttributeAction) *AttributeActions {
+	return &AttributeActions{
+		defaultAction:    defaultAction,
+		attributeActions: make(map[string]AttributeAction),
+	}
+}
+
+func (aa *AttributeActions) SetDefaultAction(action AttributeAction) {
+	aa.defaultAction = action
+}
+
+func (aa *AttributeActions) SetAttributeAction(attributeName string, action AttributeAction) {
+	aa.attributeActions[attributeName] = action
+}
+
+func (aa *AttributeActions) GetAttributeAction(attributeName string) AttributeAction {
+	action, ok := aa.attributeActions[attributeName]
+	if !ok {
+		return aa.defaultAction
+	}
+	return action
+}

pkg/client/client.go renamed to pkg/encrypted/client.go

@@ -1,4 +1,4 @@
-package client
+package encrypted
 
 import (
 	"context"
@@ -35,15 +35,18 @@ type EncryptedClient struct {
 	client            DynamoDBClientInterface
 	materialsProvider provider.CryptographicMaterialsProvider
 	primaryKeyCache   map[string]*PrimaryKeyInfo
-	lock              sync.RWMutex
+	attributeActions  *AttributeActions
+
+	lock sync.RWMutex
 }
 
 // NewEncryptedClient creates a new instance of EncryptedClient.
-func NewEncryptedClient(client DynamoDBClientInterface, materialsProvider provider.CryptographicMaterialsProvider) *EncryptedClient {
+func NewEncryptedClient(client DynamoDBClientInterface, materialsProvider provider.CryptographicMaterialsProvider, attributeActions *AttributeActions) *EncryptedClient {
 	return &EncryptedClient{
 		client:            client,
 		materialsProvider: materialsProvider,
 		primaryKeyCache:   make(map[string]*PrimaryKeyInfo),
+		attributeActions:  attributeActions,
 		lock:              sync.RWMutex{},
 	}
 }
@@ -289,12 +292,18 @@ func (ec *EncryptedClient) encryptItem(ctx context.Context, tableName string, it
 			return nil, fmt.Errorf("error converting attribute value to bytes: %v", err)
 		}
 
-		encryptedData, err := encryptionMaterials.EncryptionKey().Encrypt(rawData, []byte(key))
-		if err != nil {
-			return nil, fmt.Errorf("error encrypting attribute value: %v", err)
+		action := ec.attributeActions.GetAttributeAction(key)
+		switch action {
+		case AttributeActionEncrypt, AttributeActionEncryptDeterministically:
+			// TODO: Implement deterministic encryption
+			encryptedData, err := encryptionMaterials.EncryptionKey().Encrypt(rawData, []byte(key))
+			if err != nil {
+				return nil, fmt.Errorf("error encrypting attribute value: %v", err)
+			}
+			encryptedItem[key] = &types.AttributeValueMemberB{Value: encryptedData}
+		case AttributeActionDoNothing:
+			encryptedItem[key] = value
 		}
-
-		encryptedItem[key] = &types.AttributeValueMemberB{Value: encryptedData}
 	}
 
 	return encryptedItem, nil
@@ -327,20 +336,29 @@ func (ec *EncryptedClient) decryptItem(ctx context.Context, tableName string, it
 
 		encryptedData, ok := value.(*types.AttributeValueMemberB)
 		if !ok {
-			return nil, fmt.Errorf("expected binary data for encrypted attribute value")
+			// If the attribute is not encrypted, copy it as is
+			decryptedItem[key] = value
+			continue
 		}
 
-		rawData, err := decryptionMaterials.DecryptionKey().Decrypt(encryptedData.Value, []byte(key))
-		if err != nil {
-			return nil, fmt.Errorf("error decrypting attribute value: %v", err)
-		}
+		action := ec.attributeActions.GetAttributeAction(key)
+		switch action {
+		case AttributeActionEncrypt, AttributeActionEncryptDeterministically:
+			// TODO: Implement deterministic encryption
+			rawData, err := decryptionMaterials.DecryptionKey().Decrypt(encryptedData.Value, []byte(key))
+			if err != nil {
+				return nil, fmt.Errorf("error decrypting attribute value: %v", err)
+			}
+			decryptedValue, err := utils.BytesToAttributeValue(rawData)
+			if err != nil {
+				return nil, fmt.Errorf("error converting bytes to attribute value: %v", err)
+			}
 
-		decryptedValue, err := utils.BytesToAttributeValue(rawData)
-		if err != nil {
-			return nil, fmt.Errorf("error converting bytes to attribute value: %v", err)
+			decryptedItem[key] = decryptedValue
+		case AttributeActionDoNothing:
+			decryptedItem[key] = value
 		}
 
-		decryptedItem[key] = decryptedValue
 	}
 
 	return decryptedItem, nil

pkg/client/client_test.go renamed to pkg/encrypted/client_test.go

@@ -1,4 +1,4 @@
-package client
+package encrypted
 
 import (
 	"context"
@@ -162,7 +162,10 @@ func TestEncryptedClient_PutItem(t *testing.T) {
 		nil,
 	), nil)
 
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	item := map[string]types.AttributeValue{
 		"PK":         &types.AttributeValueMemberS{Value: "123"},
@@ -186,7 +189,10 @@ func TestEncryptedClient_PutItem(t *testing.T) {
 func TestEncryptedClient_PutItem_Failure(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock the DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -229,7 +235,10 @@ func TestEncryptedClient_PutItem_Failure(t *testing.T) {
 func TestEncryptedClient_GetItem_Success(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -277,7 +286,9 @@ func TestEncryptedClient_GetItem_Success(t *testing.T) {
 func TestEncryptedClient_Query(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -331,7 +342,9 @@ func TestEncryptedClient_Query(t *testing.T) {
 func TestEncryptedClient_Scan(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -381,7 +394,9 @@ func TestEncryptedClient_Scan(t *testing.T) {
 func TestEncryptedClient_BatchGetItem(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -446,7 +461,9 @@ func TestEncryptedClient_BatchGetItem(t *testing.T) {
 func TestEncryptedClient_BatchWriteItem(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{
@@ -503,7 +520,9 @@ func TestEncryptedClient_BatchWriteItem(t *testing.T) {
 func TestEncryptedClient_DeleteItem(t *testing.T) {
 	mockDynamoDBClient := new(MockDynamoDBClient)
 	mockCMProvider := new(MockCryptographicMaterialsProvider)
-	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider)
+	attributeActions := NewAttributeActions(AttributeActionDoNothing)
+	attributeActions.SetAttributeAction("SensitiveAttribute", AttributeActionEncrypt)
+	encryptedClient := NewEncryptedClient(mockDynamoDBClient, mockCMProvider, attributeActions)
 
 	// Mock DescribeTable call to simulate fetching table primary key schema.
 	mockDynamoDBClient.On("DescribeTable", mock.Anything, mock.AnythingOfType("*dynamodb.DescribeTableInput"), mock.Anything).Return(&dynamodb.DescribeTableOutput{

pkg/provider/kms.go

@@ -30,7 +30,7 @@ func NewAwsKmsCryptographicMaterialsProvider(keyID string, encryptionContext map
 
 // GenerateDataKey generates a new data key using AWS KMS and wraps the Tink keyset.
 func (p *AwsKmsCryptographicMaterialsProvider) GenerateDataKey() (*delegatedkeys.TinkDelegatedKey, []byte, error) {
-	delegatedKey, wrappedKeyset, err := delegatedkeys.GenerateDataKey(p.KeyID, "aead")
+	delegatedKey, wrappedKeyset, err := delegatedkeys.GenerateDataKey(p.KeyID)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to generate data key: %v", err)
 	}