WIP

Author: netf

example/main.go

@@ -54,6 +54,9 @@ func main() {
 	// Initialize EncryptedClient
 	ec := encrypted.NewEncryptedClient(dynamoDBClient, cmp, clientConfig)
 
+	// Create an EncryptedTable instance
+	et := encrypted.NewEncryptedTable(ec)
+
 	// User credentials to encrypt and store
 	userID := "user1"
 	credentials := map[string]types.AttributeValue{
@@ -193,6 +196,21 @@ func main() {
 		log.Fatalf("Failed during paginated scan: %v", err)
 	}
 
+	// Put encrypted item using EncryptedTable
+	if err := et.PutItem(ctx, tableName, credentials); err != nil {
+		log.Fatalf("Failed to put encrypted item: %v", err)
+	}
+	fmt.Println("Encrypted item put successfully.")
+
+	// Get and decrypt item using EncryptedTable
+	decryptedItem, err := et.GetItem(ctx, tableName, map[string]types.AttributeValue{
+		"UserID": &types.AttributeValueMemberS{Value: userID},
+	})
+	if err != nil {
+		log.Fatalf("Failed to get and decrypt item: %v", err)
+	}
+	fmt.Printf("Decrypted item: %v\n", decryptedItem)
+
 }
 
 func createTableIfNotExists(ctx context.Context, client *dynamodb.Client, tableName string) error {

go.mod

@@ -3,21 +3,23 @@ module github.com/cloudopsy/dynamodb-encryption-go
 go 1.21.7
 
 require (
-	github.com/aws/aws-sdk-go v1.51.4
+	github.com/aws/aws-sdk-go v1.51.6
 	github.com/aws/aws-sdk-go-v2 v1.26.0
-	github.com/aws/aws-sdk-go-v2/config v1.27.8
+	github.com/aws/aws-sdk-go-v2/config v1.27.9
+	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.11
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.31.0
 	github.com/stretchr/testify v1.9.0
 	github.com/tink-crypto/tink-go-awskms v0.0.0-20230616072154-ba4f9f22c3e9
 	github.com/tink-crypto/tink-go/v2 v2.1.0
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.8 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.4 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.20.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect

go.sum

@@ -1,13 +1,23 @@
 github.com/aws/aws-sdk-go v1.51.4 h1:yOVfGhRJyReBrACK0alLosJl8iXhWkNY1vrePYmhHdw=
 github.com/aws/aws-sdk-go v1.51.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU=
+github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
 github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
 github.com/aws/aws-sdk-go-v2/config v1.27.8 h1:0r8epOsiJ7YJz65MGcb8i91ehFp4kvvFe2qkq5oYeRI=
 github.com/aws/aws-sdk-go-v2/config v1.27.8/go.mod h1:XsmYKxYNuIhLsFddpNds+j9H5XKzjWDdg/SZngiwFio=
+github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
+github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.8 h1:WUdNLXbyNbU07V/WFrSOBXqZTDgmmMNMgUFzpYOKJhw=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.8/go.mod h1:iPZzLpaBIfhyvVS/XGD3JvR1GP3YdHTqpySKDlqkfs8=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
+github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.11 h1:nyWawIVs7Y75DuNhh6vao/qmKKWS56zUuWt/+dOE5iI=
+github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.11/go.mod h1:5WPGXfp9+ss7gYsZ5QjJeY16qTpCLaIcQItE7Yw7ld4=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.4 h1:S+L2QSKhUuShih3aq9P/mkzDBiOO5tTyVg+vXREfsfg=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.4/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=
@@ -16,6 +26,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.31.0 h1:LtsNRZ6+ZYIbJcPiLHcefXeWkw2DZT9iJyXJJQvhvXw=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.31.0/go.mod h1:ua1eYOCxAAT0PUY3LAi9bUFuKJHC/iAksBLqR1Et7aU=
+github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.20.3 h1:KOjg2W7v3tAU8ASDWw26os1OywstODoZdIh9b/Wwlm4=
+github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.20.3/go.mod h1:fw1lVv+e9z9UIaVsVjBXoC8QxZ+ibOtRtzfELRJZWs8=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.5 h1:4vkDuYdXXD2xLgWmNalqH3q4u/d1XnaBMBXdVdZXVp0=

pkg/encrypted/client.go

@@ -107,15 +107,23 @@ type EncryptedClient struct {
 }
 
 // NewEncryptedClient creates a new instance of EncryptedClient.
-func NewEncryptedClient(client DynamoDBClientInterface, materialsProvider provider.CryptographicMaterialsProvider, config *ClientConfig) *EncryptedClient {
-	return &EncryptedClient{
+func NewEncryptedClient(client DynamoDBClientInterface, materialsProvider provider.CryptographicMaterialsProvider, opts ...EncryptedClientOption) *EncryptedClient {
+
+	ec := &EncryptedClient{
 		Client:            client,
 		MaterialsProvider: materialsProvider,
 		PrimaryKeyCache:   make(map[string]*PrimaryKeyInfo),
-		ClientConfig:      config,
+		ClientConfig:      NewClientConfig(WithDefaultEncryption(EncryptStandard)),
+		lock:              sync.RWMutex{},
+	}
 
-		lock: sync.RWMutex{},
+	// Apply each option to the instance
+	for _, opt := range opts {
+		opt(ec)
 	}
+
+	return ec
+
 }
 
 // CreateTable creates a new DynamoDB table with the specified name, attribute definitions, and key schema.

pkg/encrypted/config.go

@@ -4,66 +4,41 @@ package encrypted
 type EncryptionAction int
 
 const (
-	// EncryptNone indicates that no encryption should be applied.
-	EncryptNone EncryptionAction = iota
-	// EncryptStandard indicates the attribute should be encrypted using a standard algorithm.
-	EncryptStandard
-	// EncryptDeterministic indicates the attribute should be encrypted deterministically for consistent outcomes.
-	EncryptDeterministic
+	EncryptNone          EncryptionAction = iota // No encryption should be applied.
+	EncryptStandard                              // The attribute should be encrypted using a standard algorithm.
+	EncryptDeterministic                         // The attribute should be encrypted deterministically for consistent outcomes.
 	// Additional encryption actions can be defined here.
 )
 
-// CompressionAction represents the compression action to be taken on a specific attribute.
-type CompressionAction int
-
-const (
-	// CompressNone indicates no compression should be applied.
-	CompressNone CompressionAction = iota
-	// CompressGzip indicates the attribute should be compressed using GZip.
-	CompressGzip
-	// CompressZstd indicates the attribute should be compressed using Zstd.
-	CompressZstd
-)
-
-// ClientConfig holds the configuration for client operations like encryption and compression.
+// ClientConfig holds the configuration for client operations, focusing on encryption.
 type ClientConfig struct {
-	Encryption  EncryptionConfig
-	Compression CompressionConfig
+	Encryption EncryptionConfig
 }
 
-// EncryptionConfig holds encryption-specific settings.
+// EncryptionConfig holds encryption-specific settings, including a default action and specific actions for named attributes.
 type EncryptionConfig struct {
-	DefaultAction   EncryptionAction
-	SpecificActions map[string]EncryptionAction
-}
-
-// CompressionConfig holds compression-specific settings.
-type CompressionConfig struct {
-	DefaultAction   CompressionAction
-	SpecificActions map[string]CompressionAction
+	DefaultAction   EncryptionAction            // The default encryption action if no specific action is provided.
+	SpecificActions map[string]EncryptionAction // Map of attribute names to their specific encryption actions.
 }
 
-// NewClientConfig creates a new ClientConfig with provided options.
+// NewClientConfig initializes a new ClientConfig, applying any provided functional options.
 func NewClientConfig(options ...Option) *ClientConfig {
 	config := &ClientConfig{
 		Encryption: EncryptionConfig{
-			DefaultAction:   EncryptNone,
+			DefaultAction:   EncryptNone, // Default to no encryption unless specified.
 			SpecificActions: make(map[string]EncryptionAction),
 		},
-		Compression: CompressionConfig{
-			DefaultAction:   CompressNone,
-			SpecificActions: make(map[string]CompressionAction),
-		},
 	}
 
+	// Apply each provided option to the ClientConfig.
 	for _, option := range options {
 		option(config)
 	}
 
 	return config
 }
 
-// Option applies a configuration to a ClientConfig.
+// Option defines a function signature for options that modify ClientConfig.
 type Option func(*ClientConfig)
 
 // WithDefaultEncryptionAction sets the default encryption action for the client.
@@ -73,12 +48,19 @@ func WithDefaultEncryption(action EncryptionAction) Option {
 	}
 }
 
-// WithEncryption sets an encryption action for a specific attribute.
+// WithEncryption sets a specific encryption action for a named attribute.
 func WithEncryption(attributeName string, action EncryptionAction) Option {
 	return func(c *ClientConfig) {
-		if c.Encryption.SpecificActions == nil {
-			c.Encryption.SpecificActions = make(map[string]EncryptionAction)
-		}
 		c.Encryption.SpecificActions[attributeName] = action
 	}
 }
+
+// EncryptedClientOption defines a function signature for options that modify an EncryptedClient.
+type EncryptedClientOption func(*EncryptedClient)
+
+// WithClientConfig sets the EncryptedClient's configuration.
+func WithClientConfig(config *ClientConfig) EncryptedClientOption {
+	return func(ec *EncryptedClient) {
+		ec.ClientConfig = config
+	}
+}