WIP

Author: netf

example/main.go

@@ -162,7 +162,7 @@ func main() {
 	deleteItem := &dynamodb.DeleteItemInput{
 		TableName: &tableName,
 		Key: map[string]types.AttributeValue{
-			"UserID": &types.AttributeValueMemberS{Value: "user2"},
+			"UserID": &types.AttributeValueMemberS{Value: "user1"},
 		},
 	}
 

pkg/client/client.go

@@ -33,7 +33,7 @@ func NewEncryptedClient(client *dynamodb.Client, materialsProvider provider.Cryp
 // PutItem encrypts an item and puts it into a DynamoDB table.
 func (ec *EncryptedClient) PutItem(ctx context.Context, input *dynamodb.PutItemInput) (*dynamodb.PutItemOutput, error) {
 	// Encrypt the item, excluding primary keys
-	encryptedItem, err := ec.encryptItem(ctx, *input.TableName, input.Item)
+	encryptedItem, err := ec.encryptItem(ctx, aws.StringValue(input.TableName), input.Item)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt item: %v", err)
 	}
@@ -62,7 +62,7 @@ func (ec *EncryptedClient) GetItem(ctx context.Context, input *dynamodb.GetItemI
 	}
 
 	// Decrypt the item, excluding primary keys
-	decryptedItem, err := ec.decryptItem(ctx, *input.TableName, encryptedOutput.Item)
+	decryptedItem, err := ec.decryptItem(ctx, aws.StringValue(input.TableName), encryptedOutput.Item)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt item: %v", err)
 	}
@@ -84,7 +84,7 @@ func (ec *EncryptedClient) Query(ctx context.Context, input *dynamodb.QueryInput
 
 	// Decrypt the items in the response
 	for i, item := range encryptedOutput.Items {
-		decryptedItem, decryptErr := ec.decryptItem(ctx, *input.TableName, item)
+		decryptedItem, decryptErr := ec.decryptItem(ctx, aws.StringValue(input.TableName), item)
 		if decryptErr != nil {
 			return nil, decryptErr
 		}
@@ -103,7 +103,7 @@ func (ec *EncryptedClient) Scan(ctx context.Context, input *dynamodb.ScanInput)
 
 	// Decrypt the items in the response
 	for i, item := range encryptedOutput.Items {
-		decryptedItem, decryptErr := ec.decryptItem(ctx, *input.TableName, item)
+		decryptedItem, decryptErr := ec.decryptItem(ctx, aws.StringValue(input.TableName), item)
 		if decryptErr != nil {
 			return nil, decryptErr
 		}
@@ -168,7 +168,10 @@ func (ec *EncryptedClient) DeleteItem(ctx context.Context, input *dynamodb.Delet
 	}
 
 	// Construct material name based on the primary key of the item being deleted
-	materialName := ec.constructMaterialName(input.Key, pkInfo)
+	materialName, err := utils.ConstructMaterialName(input.Key, pkInfo)
+	if err != nil {
+		return nil, fmt.Errorf("error constructing material name: %v", err)
+	}
 
 	// Delete the associated metadata
 	tableName := ec.materialsProvider.TableName()
@@ -246,7 +249,10 @@ func (ec *EncryptedClient) encryptItem(ctx context.Context, tableName string, it
 	}
 
 	// Generate and fetch encryption materials
-	materialName := ec.constructMaterialName(item, pkInfo)
+	materialName, err := utils.ConstructMaterialName(item, pkInfo)
+	if err != nil {
+		return nil, fmt.Errorf("error constructing material name: %v", err)
+	}
 	encryptionMaterials, err := ec.materialsProvider.EncryptionMaterials(ctx, materialName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch encryption materials: %v", err)
@@ -284,7 +290,10 @@ func (ec *EncryptedClient) decryptItem(ctx context.Context, tableName string, it
 	}
 
 	// Construct the material name based on primary keys
-	materialName := ec.constructMaterialName(item, pkInfo)
+	materialName, err := utils.ConstructMaterialName(item, pkInfo)
+	if err != nil {
+		return nil, fmt.Errorf("error constructing material name: %v", err)
+	}
 	decryptionMaterials, err := ec.materialsProvider.DecryptionMaterials(ctx, materialName, 0)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch decryption materials: %v", err)
@@ -318,19 +327,3 @@ func (ec *EncryptedClient) decryptItem(ctx context.Context, tableName string, it
 
 	return decryptedItem, nil
 }
-
-// constructMaterialName constructs a material name based on an item's primary key.
-func (ec *EncryptedClient) constructMaterialName(item map[string]types.AttributeValue, pkInfo *utils.PrimaryKeyInfo) string {
-	partitionKeyValue := item[pkInfo.PartitionKey].(*types.AttributeValueMemberS).Value
-	sortKeyValue := ""
-	if pkInfo.SortKey != "" && item[pkInfo.SortKey] != nil {
-		sortKeyValue = item[pkInfo.SortKey].(*types.AttributeValueMemberS).Value
-	}
-
-	rawMaterialName := pkInfo.Table + "-" + partitionKeyValue
-	if sortKeyValue != "" {
-		rawMaterialName += "-" + sortKeyValue
-	}
-
-	return utils.HashString(rawMaterialName)
-}

pkg/utils/utils.go

@@ -3,9 +3,11 @@ package utils
 import (
 	"context"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"strconv"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
@@ -53,6 +55,52 @@ func HashString(input string) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }
 
+// AttributeValueToString converts a DynamoDB AttributeValue to a string representation.
+func AttributeValueToString(value types.AttributeValue) (string, error) {
+	switch v := value.(type) {
+	case *types.AttributeValueMemberS:
+		return v.Value, nil
+	case *types.AttributeValueMemberN:
+		return v.Value, nil
+	case *types.AttributeValueMemberB:
+		return base64.StdEncoding.EncodeToString(v.Value), nil
+	case *types.AttributeValueMemberBOOL:
+		return strconv.FormatBool(v.Value), nil
+	case *types.AttributeValueMemberNULL:
+		return "", nil
+	case *types.AttributeValueMemberM:
+		m := make(map[string]string)
+		for key, value := range v.Value {
+			convertedValue, err := AttributeValueToString(value)
+			if err != nil {
+				return "", err
+			}
+			m[key] = convertedValue
+		}
+		jsonStr, err := json.Marshal(m)
+		if err != nil {
+			return "", fmt.Errorf("failed to marshal map to JSON: %v", err)
+		}
+		return string(jsonStr), nil
+	case *types.AttributeValueMemberL:
+		var l []string
+		for _, listItem := range v.Value {
+			convertedItem, err := AttributeValueToString(listItem)
+			if err != nil {
+				return "", err
+			}
+			l = append(l, convertedItem)
+		}
+		jsonStr, err := json.Marshal(l)
+		if err != nil {
+			return "", fmt.Errorf("failed to marshal list to JSON: %v", err)
+		}
+		return string(jsonStr), nil
+	default:
+		return "", fmt.Errorf("unsupported AttributeValue type: %T", value)
+	}
+}
+
 // AttributeValueMapToBytes converts a map of DynamoDB attribute values to a JSON byte slice.
 func AttributeValueMapToBytes(attributes map[string]types.AttributeValue) ([]byte, error) {
 	// DynamoDB attribute values to a generic map interface{}
@@ -95,6 +143,29 @@ func BytesToAttributeValue(data []byte) (types.AttributeValue, error) {
 	return interfaceToAttributeValue(av)
 }
 
+// ConstructMaterialName constructs a material name based on an item's primary key.
+func ConstructMaterialName(item map[string]types.AttributeValue, pkInfo *PrimaryKeyInfo) (string, error) {
+	partitionKeyValue, err := AttributeValueToString(item[pkInfo.PartitionKey])
+	if err != nil {
+		return "", fmt.Errorf("invalid partition key attribute type: %v", err)
+	}
+
+	sortKeyValue := ""
+	if pkInfo.SortKey != "" {
+		sortKeyValue, err = AttributeValueToString(item[pkInfo.SortKey])
+		if err != nil {
+			return "", fmt.Errorf("invalid sort key attribute type: %v", err)
+		}
+	}
+
+	rawMaterialName := pkInfo.Table + "-" + partitionKeyValue
+	if sortKeyValue != "" {
+		rawMaterialName += "-" + sortKeyValue
+	}
+
+	return HashString(rawMaterialName), nil
+}
+
 // attributeValueToInterface converts DynamoDB's types.AttributeValue to a generic interface{}.
 func attributeValueToInterface(av types.AttributeValue) (interface{}, error) {
 	switch v := av.(type) {