def table_cycle_check(materials_provider, initial_actions, initial_item, table_name, region_name=None): check_attribute_actions = initial_actions.copy() check_attribute_actions.set_index_keys(*list(TEST_KEY.keys())) item = initial_item.copy() item.update(TEST_KEY) kwargs = {} if region_name is not None: kwargs["region_name"] = region_name table = boto3.resource("dynamodb", **kwargs).Table(table_name) e_table = EncryptedTable(table=table, materials_provider=materials_provider, attribute_actions=initial_actions) _put_result = e_table.put_item(Item=item) # noqa encrypted_result = table.get_item(Key=TEST_KEY, ConsistentRead=True) check_encrypted_item(item, encrypted_result["Item"], check_attribute_actions) decrypted_result = e_table.get_item(Key=TEST_KEY, ConsistentRead=True) assert decrypted_result["Item"] == item e_table.delete_item(Key=TEST_KEY) del item del check_attribute_actions
def encrypt_item(table_name, aws_cmk_id, meta_table_name, material_name): """Demonstrate use of EncryptedTable to transparently encrypt an item.""" index_key = {"partition_attribute": "is this", "sort_attribute": 55} plaintext_item = { "example": "data", "some numbers": 99, "and some binary": Binary(b"\x00\x01\x02"), "leave me": "alone", # We want to ignore this attribute } # Collect all of the attributes that will be encrypted (used later). encrypted_attributes = set(plaintext_item.keys()) encrypted_attributes.remove("leave me") # Collect all of the attributes that will not be encrypted (used later). unencrypted_attributes = set(index_key.keys()) unencrypted_attributes.add("leave me") # Add the index pairs to the item. plaintext_item.update(index_key) # Create a normal table resource for the meta store. meta_table = boto3.resource("dynamodb").Table(meta_table_name) # Create a crypto materials provider for the meta store using the specified AWS KMS key. aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id) # Create a meta store using the AWS KMS crypto materials provider. meta_store = MetaStore(table=meta_table, materials_provider=aws_kms_cmp) # Create a most recent provider using the meta store. most_recent_cmp = MostRecentProvider( provider_store=meta_store, material_name=material_name, version_ttl=600.0, # Check for a new material version every five minutes. ) # Create a normal table resource. table = boto3.resource("dynamodb").Table(table_name) # Create attribute actions that tells the encrypted table to encrypt all attributes except one. actions = AttributeActions( default_action=CryptoAction.ENCRYPT_AND_SIGN, attribute_actions={"leave me": CryptoAction.DO_NOTHING} ) # Use these objects to create an encrypted table resource. encrypted_table = EncryptedTable(table=table, materials_provider=most_recent_cmp, attribute_actions=actions) # Put the item to the table, using the encrypted table resource to transparently encrypt it. encrypted_table.put_item(Item=plaintext_item) # Get the encrypted item using the standard table resource. encrypted_item = table.get_item(Key=index_key)["Item"] # Get the item using the encrypted table resource, transparently decyrpting it. decrypted_item = encrypted_table.get_item(Key=index_key)["Item"] # Verify that all of the attributes are different in the encrypted item for name in encrypted_attributes: assert encrypted_item[name] != plaintext_item[name] assert decrypted_item[name] == plaintext_item[name] # Verify that all of the attributes that should not be encrypted were not. for name in unencrypted_attributes: assert decrypted_item[name] == encrypted_item[name] == plaintext_item[name] # Clean up the item encrypted_table.delete_item(Key=index_key)
def check_metastore_cache_use_encrypt(metastore, table_name, log_capture): try: table = boto3.resource("dynamodb").Table(table_name) except NoRegionError: table = boto3.resource("dynamodb", region_name=TEST_REGION_NAME).Table(table_name) most_recent_provider = MostRecentProvider(provider_store=metastore, material_name="test", version_ttl=600.0) e_table = EncryptedTable(table=table, materials_provider=most_recent_provider) item = diverse_item() item.update(TEST_KEY) e_table.put_item(Item=item) e_table.put_item(Item=item) e_table.put_item(Item=item) e_table.put_item(Item=item) try: primary_puts = _count_puts(log_capture.records, e_table.name) metastore_puts = _count_puts(log_capture.records, metastore._table.name) assert primary_puts == 4 assert metastore_puts == 1 e_table.get_item(Key=TEST_KEY) e_table.get_item(Key=TEST_KEY) e_table.get_item(Key=TEST_KEY) primary_gets = _count_gets(log_capture.records, e_table.name) metastore_gets = _count_gets(log_capture.records, metastore._table.name) metastore_puts = _count_puts(log_capture.records, metastore._table.name) assert primary_gets == 3 assert metastore_gets == 0 assert metastore_puts == 1 most_recent_provider.refresh() e_table.get_item(Key=TEST_KEY) e_table.get_item(Key=TEST_KEY) e_table.get_item(Key=TEST_KEY) primary_gets = _count_gets(log_capture.records, e_table.name) metastore_gets = _count_gets(log_capture.records, metastore._table.name) assert primary_gets == 6 assert metastore_gets == 1 finally: e_table.delete_item(Key=TEST_KEY)
def encrypt_item(table_name, aws_cmk_id): """Demonstrate use of EncryptedTable to transparently encrypt an item.""" index_key = {'partition_attribute': 'is this', 'sort_attribute': 55} plaintext_item = { 'example': 'data', 'some numbers': 99, 'and some binary': Binary(b'\x00\x01\x02'), 'leave me': 'alone' # We want to ignore this attribute } # Collect all of the attributes that will be encrypted (used later). encrypted_attributes = set(plaintext_item.keys()) encrypted_attributes.remove('leave me') # Collect all of the attributes that will not be encrypted (used later). unencrypted_attributes = set(index_key.keys()) unencrypted_attributes.add('leave me') # Add the index pairs to the item. plaintext_item.update(index_key) # Create a normal table resource. table = boto3.resource('dynamodb').Table(table_name) # Create a crypto materials provider using the specified AWS KMS key. aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id) # Create attribute actions that tells the encrypted table to encrypt all attributes except one. actions = AttributeActions( default_action=CryptoAction.ENCRYPT_AND_SIGN, attribute_actions={'leave me': CryptoAction.DO_NOTHING}) # Use these objects to create an encrypted table resource. encrypted_table = EncryptedTable(table=table, materials_provider=aws_kms_cmp, attribute_actions=actions) # Put the item to the table, using the encrypted table resource to transparently encrypt it. encrypted_table.put_item(Item=plaintext_item) # Get the encrypted item using the standard table resource. encrypted_item = table.get_item(Key=index_key)['Item'] # Get the item using the encrypted table resource, transparently decyrpting it. decrypted_item = encrypted_table.get_item(Key=index_key)['Item'] # Verify that all of the attributes are different in the encrypted item for name in encrypted_attributes: assert encrypted_item[name] != plaintext_item[name] assert decrypted_item[name] == plaintext_item[name] # Verify that all of the attributes that should not be encrypted were not. for name in unencrypted_attributes: assert decrypted_item[name] == encrypted_item[name] == plaintext_item[ name] # Clean up the item encrypted_table.delete_item(Key=index_key)
def encrypt_item(table_name, aes_wrapping_key_bytes, hmac_signing_key_bytes): """Demonstrate use of EncryptedTable to transparently encrypt an item.""" index_key = {"partition_attribute": "is this", "sort_attribute": 55} plaintext_item = { "example": "data", "some numbers": 99, "and some binary": Binary(b"\x00\x01\x02"), "leave me": "alone", # We want to ignore this attribute } # Collect all of the attributes that will be encrypted (used later). encrypted_attributes = set(plaintext_item.keys()) encrypted_attributes.remove("leave me") # Collect all of the attributes that will not be encrypted (used later). unencrypted_attributes = set(index_key.keys()) unencrypted_attributes.add("leave me") # Add the index pairs to the item. plaintext_item.update(index_key) # Create a normal table resource. table = boto3.resource("dynamodb").Table(table_name) # generated code confuse pylint: disable=no-member # Create a crypto materials provider using the provided wrapping and signing keys. wrapping_key = JceNameLocalDelegatedKey( key=aes_wrapping_key_bytes, algorithm="AES", key_type=EncryptionKeyType.SYMMETRIC, key_encoding=KeyEncodingType.RAW, ) signing_key = JceNameLocalDelegatedKey( key=hmac_signing_key_bytes, algorithm="HmacSHA512", key_type=EncryptionKeyType.SYMMETRIC, key_encoding=KeyEncodingType.RAW, ) wrapped_cmp = WrappedCryptographicMaterialsProvider( wrapping_key=wrapping_key, unwrapping_key=wrapping_key, signing_key=signing_key) # Create attribute actions that tells the encrypted table to encrypt all attributes except one. actions = AttributeActions( default_action=CryptoAction.ENCRYPT_AND_SIGN, attribute_actions={"leave me": CryptoAction.DO_NOTHING}) # Use these objects to create an encrypted table resource. encrypted_table = EncryptedTable(table=table, materials_provider=wrapped_cmp, attribute_actions=actions) # Put the item to the table, using the encrypted table resource to transparently encrypt it. encrypted_table.put_item(Item=plaintext_item) # Get the encrypted item using the standard table resource. encrypted_item = table.get_item(Key=index_key)["Item"] # Get the item using the encrypted table resource, transparently decyrpting it. decrypted_item = encrypted_table.get_item(Key=index_key)["Item"] # Verify that all of the attributes are different in the encrypted item for name in encrypted_attributes: assert encrypted_item[name] != plaintext_item[name] assert decrypted_item[name] == plaintext_item[name] # Verify that all of the attributes that should not be encrypted were not. for name in unencrypted_attributes: assert decrypted_item[name] == encrypted_item[name] == plaintext_item[ name] # Clean up the item encrypted_table.delete_item(Key=index_key)