def setUpClass(cls):
cls.session = boto3.session.Session(region_name='us-west-2')
cls.dynamodb = cls.session.resource('dynamodb')
cls.table_name = unique_id('boto3db')
cls.item_data = {
'MyHashKey': 'mykey',
'MyNull': None,
'MyBool': True,
'MyString': 'mystring',
'MyNumber': Decimal('1.25'),
'MyBinary': Binary(b'\x01'),
'MyStringSet': set(['foo']),
'MyNumberSet': set([Decimal('1.25')]),
'MyBinarySet': set([Binary(b'\x01')]),
'MyList': ['foo'],
'MyMap': {'foo': 'bar'}
}
cls.table = cls.dynamodb.create_table(
TableName=cls.table_name,
ProvisionedThroughput={"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5},
KeySchema=[{"AttributeName": "MyHashKey", "KeyType": "HASH"}],
AttributeDefinitions=[{"AttributeName": "MyHashKey",
"AttributeType": "S"}])
waiter = cls.dynamodb.meta.client.get_waiter('table_exists')
waiter.wait(TableName=cls.table_name)
def test_more_prewrite():
test_dict = dict(
k0={},
k1={"nonempty string"},
k2={"nonempty string", ""},
k3=tuple(),
k4=tuple([1, 2, 3]),
k5=tuple(["", "nonempty string", ""]),
k6=dict(k1=[dict(j1={"nonempty", "blah"})]), # nested set
k7=dict(k1=tuple([dict(
j1={"nonempty", "blah"})])), # nested tuple gets turned into list
k8={1, 2, 3, Decimal("3.1415926535")}, # NS
k9={Binary(b"123"), Binary(b"456")}, # BS
)
with pytest.raises(TypeError):
serialize_item(test_dict)
out = dynamodb_prewrite(test_dict)
out_ser = serialize_item(out) # doesn't raise
# assert out.keys() == test_dict.keys()
assert out["k2"] == test_dict["k2"]
assert "k3" not in out
assert out["k4"] == [1, 2, 3]
assert out["k5"] == ["", "nonempty string", ""]
assert out["k6"] == test_dict["k6"]
assert out["k7"] == test_dict[
"k6"] # tuple was transformed into list but otherwise same
assert out["k8"] == test_dict["k8"]
assert out["k9"] == test_dict["k9"]
out_deser = deserialize_item(out_ser)
assert out_deser == out
def __init__(self, args={}):
super(User, self).__init__()
if 'password' in args:
password = args['password']
password_fields = self.encode_password(password)
args['hash'] = password_fields['hash']
args['salt'] = Binary(password_fields['salt'])
args['rounds'] = password_fields['rounds']
args['hashed'] = Binary(password_fields['hashed'])
self.uid = args['uid'] if ('uid' in args) else str(uuid.uuid4())
self.profile_pic_url = args['profile_pic_url'] if ('profile_pic_url'
in args) else None
self.name = args['name'] if ('name' in args) else None
self.gender = args['gender'] if ('gender' in args) else None
self.club = args['club'] if ('club' in args) else None
self.is_coach = args['is_coach'] if ('is_coach' in args) else False
self.is_admin = args['is_admin'] if ('is_admin' in args) else False
self.username = args['username'] if ('username' in args) else None
self.hash = args['hash'] if (
'hash' in args) else None #password_fields['hash']
self.salt = args['salt'] if (
'salt' in args) else None #Binary(password_fields['salt'])
self.rounds = args['rounds'] if (
'rounds' in args) else None #password_fields['rounds']
self.hashed = args['hashed'] if (
'hashed' in args) else None #Binary(password_fields['hashed'])
self.confirmation_token = args['confirmation_token'] if (
'confirmation_token' in args) else str(uuid.uuid4())
self.confirmed_at = args['confirmed_at'] if ('confirmed_at'
in args) else None
self.reset_password_token = args['reset_password_token'] if (
'reset_password_token' in args) else None
self.reset_password_sent_at = args['reset_password_sent_at'] if (
'reset_password_sent_at' in args) else None
self.remember_created_at = args['remember_created_at'] if (
'remember_created_at' in args) else None
self.sign_in_count = args['sign_in_count'] if ('sign_in_count'
in args) else 0
self.current_sign_in_at = args['current_sign_in_at'] if (
'current_sign_in_at' in args) else None
self.last_sign_in_at = args['last_sign_in_at'] if ('last_sign_in_at'
in args) else None
self.current_sign_in_ip = args['current_sign_in_ip'] if (
'current_sign_in_ip' in args) else None
self.last_sign_in_ip = args['last_sign_in_ip'] if ('last_sign_in_ip'
in args) else None
self.confirmation_sent_at = args['confirmation_sent_at'] if (
'confirmation_sent_at' in args) else None
self.unconfirmed_email = args['unconfirmed_email'] if (
'unconfirmed_email' in args) else None
self.failed_attempts = args['failed_attempts'] if ('failed_attempts'
in args) else 0
self.unlock_token = args['unlock_token'] if ('unlock_token'
in args) else None
self.locked_at = args['locked_at'] if ('locked_at' in args) else None
self.created_at = args['created_at'] if (
'created_at' in args) else str(datetime.datetime.now())
self.update_at = args['update_at'] if ('update_at' in args) else str(
datetime.datetime.now())
def _get_item(self, key_id: str):
response = self._collection.find_one({"key_id": key_id})
response["*amzn-ddb-map-desc*"] = Binary(
response["*amzn-ddb-map-desc*"])
response["*amzn-ddb-map-sig*"] = Binary(response["*amzn-ddb-map-sig*"])
response["key"] = Binary(response["key"])
del response["_id"]
return response
def create_user():
body = app.current_request.json_body
warning_messages = []
try:
body['email']
if len(body['email']) > 200:
warning_messages.append('Email is too long.')
if '@' not in body['email']:
warning_messages.append('Email is not formated correctly.')
# Add check for valid .edu email
# And add college
except KeyError:
warning_messages.append('Email is required.')
try:
body['password']
if len(body['password']) <= 10:
warning_messages.append('Password must be 10 or more characters.')
if len(body['password']) > 40:
warning_messages.append('Password is too long.')
except:
warning_messages.append('Password is required.')
if warning_messages:
return {'warning_messages': warning_messages}
try:
body['first_name']
except KeyError:
body['first_name'] = 'default'
try:
body['last_name']
except KeyError:
body['last_name'] = 'default'
password_fields = auth.encode_password(body['password'])
item = {
'email': body['email'],
'first_name': body['first_name'],
'last_name': body['last_name'],
'college': 'default',
'hash': password_fields['hash'],
'salt': Binary(password_fields['salt']),
'rounds': password_fields['rounds'],
'hashed': Binary(password_fields['hashed'])
}
try:
log.debug(get_users_db())
get_users_db().put_item(
Item=item, ConditionExpression='attribute_not_exists(email)')
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'ConditionalCheckFailedException':
return {'warning_messages': 'Email is already registered.'}
return {'message': 'success'}
def create_user(stage):
table_name = get_table_name(stage)
table = boto3.resource('dynamodb').Table(table_name)
username = input('Username: '******'Password: '******'username': username,
'hash': password_fields['hash'],
'salt': Binary(password_fields['salt']),
'rounds': password_fields['rounds'],
'hashed': Binary(password_fields['hashed']),
}
table.put_item(Item=item)
def load_dynamodb(depth: pd.Series, img: np.ndarray, well: str, table: str):
"""
Load image data into DynamoDB table
Parameters
----------
depth : pd.Series
depth measurements
img : np.ndarray
imager
well : str
well id
table : str
DynamoDB table name
"""
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table(table)
with table.batch_writer() as batch:
for i, (depth_val, image_row) in enumerate(zip(depth, img)):
if i % 100 == 0:
print(f"Processed {i} items")
batch.put_item(
Item={
'well': well,
'depth': depth_val,
'image': Binary(image_row.tostring())
})
def put_item(key, data):
print(key, data)
table.put_item(Item={
'Id': key,
'Data': Binary(data),
})
return 0
def _many_items():
values = ("a string", 1234, Binary(b"binary \x00\x88 value"))
partition_keys = (("partition_key", value) for value in values)
sort_keys = (("sort_key", value) for value in values)
for pairs in itertools.product(partition_keys, sort_keys):
item = dict(pairs)
yield pytest.param(item, id=str(item))
def _many_items():
values = ('a string', 1234, Binary(b'binary \x00\x88 value'))
partition_keys = (('partition_key', value) for value in values)
sort_keys = (('sort_key', value) for value in values)
for pairs in itertools.product(partition_keys, sort_keys):
item = dict(pairs)
yield pytest.param(item, id=str(item))
def purge_sample(sample, vote_table, samples_batch, votes_batch):
samples_batch.delete_item(Key={
'event': sample['event'],
'id': sample['id']
})
sample_identity = Binary(sample['id'].value +
bytearray(sample['event'], "utf_8"))
sample_key = Key('sample').eq(sample_identity)
response = vote_table.query(KeyConditionExpression=sample_key)
for item in response['Items']:
votes_batch.delete_item(Key={
'sample': item['sample'],
'user': item['user']
})
while 'LastEvaluatedKey' in response:
response = query(KeyConditionExpression=sample_key,
ExclusiveStartKey=response['LastEvaluatedKey'])
for item in response['Items']:
votes_batch.delete_item(Key={
'sample': item['sample'],
'user': item['user']
})
def encrypt_item(table_name, aws_cmk_id, meta_table_name, material_name):
"""Demonstrate use of EncryptedTable to transparently encrypt an item."""
index_key = {"partition_attribute": "is this", "sort_attribute": 55}
plaintext_item = {
"example": "data",
"some numbers": 99,
"and some binary": Binary(b"\x00\x01\x02"),
"leave me": "alone", # We want to ignore this attribute
}
# Collect all of the attributes that will be encrypted (used later).
encrypted_attributes = set(plaintext_item.keys())
encrypted_attributes.remove("leave me")
# Collect all of the attributes that will not be encrypted (used later).
unencrypted_attributes = set(index_key.keys())
unencrypted_attributes.add("leave me")
# Add the index pairs to the item.
plaintext_item.update(index_key)
# Create a normal table resource for the meta store.
meta_table = boto3.resource("dynamodb").Table(meta_table_name)
# Create a crypto materials provider for the meta store using the specified AWS KMS key.
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id)
# Create a meta store using the AWS KMS crypto materials provider.
meta_store = MetaStore(table=meta_table, materials_provider=aws_kms_cmp)
# Create a most recent provider using the meta store.
most_recent_cmp = MostRecentProvider(
provider_store=meta_store,
material_name=material_name,
version_ttl=600.0, # Check for a new material version every five minutes.
)
# Create a normal table resource.
table = boto3.resource("dynamodb").Table(table_name)
# Create attribute actions that tells the encrypted table to encrypt all attributes except one.
actions = AttributeActions(
default_action=CryptoAction.ENCRYPT_AND_SIGN, attribute_actions={"leave me": CryptoAction.DO_NOTHING}
)
# Use these objects to create an encrypted table resource.
encrypted_table = EncryptedTable(table=table, materials_provider=most_recent_cmp, attribute_actions=actions)
# Put the item to the table, using the encrypted table resource to transparently encrypt it.
encrypted_table.put_item(Item=plaintext_item)
# Get the encrypted item using the standard table resource.
encrypted_item = table.get_item(Key=index_key)["Item"]
# Get the item using the encrypted table resource, transparently decyrpting it.
decrypted_item = encrypted_table.get_item(Key=index_key)["Item"]
# Verify that all of the attributes are different in the encrypted item
for name in encrypted_attributes:
assert encrypted_item[name] != plaintext_item[name]
assert decrypted_item[name] == plaintext_item[name]
# Verify that all of the attributes that should not be encrypted were not.
for name in unencrypted_attributes:
assert decrypted_item[name] == encrypted_item[name] == plaintext_item[name]
# Clean up the item
encrypted_table.delete_item(Key=index_key)
def save(self, key, value, ts, filename):
if len(value) > self.db_max_size:
self._upload_to_s3(filename, value)
val = filename
else:
val = Binary(value)
self.table.put_item(Item={"key": key, "ts": ts, "val": val})
def validate_reset_password_token(self, params):
user = User()
print(params)
token, password, confirm_password = params['token'], params[
'password'], params['confirm_password']
print(token, password, confirm_password)
print('-----------------------')
key = {'reset_password_token': token}
table_name = user.get_table_name()
fe = Key('reset_password_token').eq(token)
pe = "#reset_password_token, username"
# Expression Attribute Names for Projection Expression only.
ean = {
"#reset_password_token": "reset_password_token",
}
esk = None
table = boto3.resource('dynamodb').Table(table_name)
user_detail = table.scan(FilterExpression=fe,
ProjectionExpression=pe,
ExpressionAttributeNames=ean)
if 'Items' in user_detail:
print('-----------------------')
print(user_detail['Items'])
user.assign_attributes(user_detail['Items'][0])
else:
return {'error': 'Token is not valid or has expired.'}
if password == confirm_password:
password_fields = user.encode_password(password)
response = table.update_item(
Key={'username': user.username},
UpdateExpression=
"set salt=:salt, rounds=:rounds, hashed=:hashed, update_at=:update_at",
ExpressionAttributeValues={
':salt': Binary(password_fields['salt']),
':rounds': password_fields['rounds'],
':hashed': Binary(password_fields['hashed']),
':update_at': str(datetime.datetime.now())
},
ReturnValues="UPDATED_NEW")
return {'success': 'Password has been changed.'}
else:
return {'error': 'Password and Confirm Password is not same.'}
def create_user(stage):
table_name = get_table_name(stage)
## Get the name of the table from the command line and asks Boto to create the table
table = boto3.resource('dynamodb').Table(table_name)
username = raw_input('Username: '******'Password: '******'username': username,
'hash': password_fields['hash'],
## Binary type attributes can store any binary data,
## such as compressed text, encrypted data, or images.
'salt': Binary(password_fields['salt']),
'rounds': password_fields['rounds'],
'hashed': Binary(password_fields['hashed']),
}
## Insert username and password into table
table.put_item(Item=item)
def _save_materials(self, material_name, version, encryption_key,
signing_key):
# type: (Text, int, JceNameLocalDelegatedKey, JceNameLocalDelegatedKey) -> None
"""Save materials to the table, raising an error if the version already exists.
:param str material_name: Material to locate
:param int version: Version of material to locate
:raises VersionAlreadyExistsError: if the specified version already exists
"""
_LOGGER.debug('Saving material "%s" version %d to MetaStore table',
material_name, version)
item = {
MetaStoreAttributeNames.PARTITION.value:
material_name,
MetaStoreAttributeNames.SORT.value:
version,
MetaStoreAttributeNames.MATERIAL_TYPE_VERSION.value:
MetaStoreValues.MATERIAL_TYPE_VERSION.value,
MetaStoreAttributeNames.ENCRYPTION_ALGORITHM.value:
encryption_key.algorithm,
MetaStoreAttributeNames.ENCRYPTION_KEY.value:
Binary(encryption_key.key),
MetaStoreAttributeNames.INTEGRITY_ALGORITHM.value:
signing_key.algorithm,
MetaStoreAttributeNames.INTEGRITY_KEY.value:
Binary(signing_key.key),
}
try:
self._encrypted_table.put_item(
Item=item,
ConditionExpression=(
Attr(MetaStoreAttributeNames.PARTITION.value).not_exists()
& Attr(MetaStoreAttributeNames.SORT.value).not_exists()),
)
except botocore.exceptions.ClientError as error:
if error.response["Error"][
"Code"] == "ConditionalCheckFailedException":
raise VersionAlreadyExistsError(
'Version already exists: "{}#{}"'.format(
material_name, version))
def register():
body = app.current_request.json_body
username = body['username'].lower()
password = body['password']
first_name = body['first_name']
last_name = body['last_name']
email = body['email']
try:
password_fields = UserAuthUtility.encode_password(str.encode(password))
user = User(
username = username,
first_name = first_name,
last_name = last_name,
email = email,
hash = password_fields['hash'],
salt = Binary(password_fields['salt']),
rounds = password_fields['rounds'],
hashed = Binary(password_fields['hashed'])
)
user.save()
except botocore.exceptions.ClientError as e:
raise e
if e.response['Error']['Code'] == 'ConditionalCheckFailedException':
return Response(
body='Username already exists',
status_code=STATUS_CODES['ConditionalCheckFailedException']
)
else:
return Response(
body='Unknown error occurred',
status_code=STATUS_CODES['Unknown']
)
except Exception as e:
raise e
return Response(
body='Unknown error occurred',
status_code=STATUS_CODES['Unknown']
)
else:
return f"User username successfully registered"
def encrypt_item(table_name, aws_cmk_id):
"""Demonstrate use of EncryptedTable to transparently encrypt an item."""
index_key = {'partition_attribute': 'is this', 'sort_attribute': 55}
plaintext_item = {
'example': 'data',
'some numbers': 99,
'and some binary': Binary(b'\x00\x01\x02'),
'leave me': 'alone' # We want to ignore this attribute
}
# Collect all of the attributes that will be encrypted (used later).
encrypted_attributes = set(plaintext_item.keys())
encrypted_attributes.remove('leave me')
# Collect all of the attributes that will not be encrypted (used later).
unencrypted_attributes = set(index_key.keys())
unencrypted_attributes.add('leave me')
# Add the index pairs to the item.
plaintext_item.update(index_key)
# Create a normal table resource.
table = boto3.resource('dynamodb').Table(table_name)
# Create a crypto materials provider using the specified AWS KMS key.
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id)
# Create attribute actions that tells the encrypted table to encrypt all attributes except one.
actions = AttributeActions(
default_action=CryptoAction.ENCRYPT_AND_SIGN,
attribute_actions={'leave me': CryptoAction.DO_NOTHING})
# Use these objects to create an encrypted table resource.
encrypted_table = EncryptedTable(table=table,
materials_provider=aws_kms_cmp,
attribute_actions=actions)
# Put the item to the table, using the encrypted table resource to transparently encrypt it.
encrypted_table.put_item(Item=plaintext_item)
# Get the encrypted item using the standard table resource.
encrypted_item = table.get_item(Key=index_key)['Item']
# Get the item using the encrypted table resource, transparently decyrpting it.
decrypted_item = encrypted_table.get_item(Key=index_key)['Item']
# Verify that all of the attributes are different in the encrypted item
for name in encrypted_attributes:
assert encrypted_item[name] != plaintext_item[name]
assert decrypted_item[name] == plaintext_item[name]
# Verify that all of the attributes that should not be encrypted were not.
for name in unencrypted_attributes:
assert decrypted_item[name] == encrypted_item[name] == plaintext_item[
name]
# Clean up the item
encrypted_table.delete_item(Key=index_key)
def create_customer(self, customer, customer_password):
ctr = self._get_customer(customer)
if ('Item' in ctr):
#we already have a customer with that name and we can't re-create
return False
salt = os.urandom(32)
key = hashlib.pbkdf2_hmac('sha256',customer_password.encode('utf-8'),salt, 100000)
try:
customer_table = self.dynamodb.Table(config.CUSTOMER_TABLE_NAME)
response = customer_table.put_item(
Item={
"customer": customer,
"key": Binary(key),
"salt": Binary(salt)
})
except:
raise
else:
if (response['ResponseMetadata']['HTTPStatusCode'] == 200):
return True
else:
return False
def set_up_customer(addCustomer=False):
tbl_name = 'blogCustomer'
if dynamoLocation == 'Local':
dynamodb = boto3.resource('dynamodb',
endpoint_url="http://localhost:8000")
dynamodbclient = boto3.client('dynamodb',
endpoint_url="http://localhost:8000")
else:
dynamodb = boto3.resource('dynamodb')
dynamodbclient = boto3.client('dynamodb')
if (check_table(dynamodbclient, tbl_name) == False):
create_customer_table(dynamodb, tbl_name)
print("Table created")
else:
print("customer table already created")
clear_customers(dynamodb, tbl_name)
if addCustomer:
customer = testConfig.CUSTOMER
salt = os.urandom(32)
key = hashlib.pbkdf2_hmac('sha256',
testConfig.CUSTOMER_PW.encode('utf-8'), salt,
100000)
try:
customer_table = dynamodb.Table(tbl_name)
response = customer_table.put_item(Item={
"customer": customer,
"key": Binary(key),
"salt": Binary(salt)
})
except:
raise
return dynamodb
def lift_data(args: Namespace, region: str):
asgs = get_edda_data(args, region)
table = get_ddb_table(args, region)
for asg in asgs:
item = {
'name': asg['name'],
'active': True,
'data':
Binary(gzip.compress(bytes(json.dumps(asg), encoding='utf-8'))),
'timestamp': int(datetime.utcnow().timestamp() * 1000)
}
if args.dryrun:
print(f'DRYRUN: PUT {asg["name"]}')
else:
print(f'PUT {asg["name"]}')
table.put_item(Item=item)
def _encode(self, val):
"""
Handles all type changes to the data store
encodes the object if it's not a simple type, using its encode
simple: int/str/bytes
not simple: dict/list/tuple/float
if it's a float it returns a decimal.Decimal object
otherwise just returns the value
"""
if isinstance(val, list) or isinstance(val, tuple) or isinstance(
val, dict):
out = self.encoder.dumps(val)
out = Binary(out)
elif isinstance(val, float):
out = decimal.Decimal(val)
else:
out = val
def format_attribute(key, value):
if key == 'M':
return format_dict(value)
elif key == 'L':
res_array = []
for item in value:
first_item_key = item.items()[0][0]
first_item_value = item.items()[0][1]
res_array.append(format_attribute(first_item_key,
first_item_value))
return res_array
elif key in ['NS', 'SS', 'BS']:
res_array = []
for item in value:
res_array.append(format_attribute(key[0], item))
return res_array
# elif key == 'NS':
# # fix bug: can not invoke format_attribute() to generate the number set(NS)
# # eg: some_set = NS[123, 12.1, 456], generate a set mixed with int and decimal if invoke format_attribute()
# return get_number_set(value)
elif key == 'B':
return Binary(value)
elif key == 'S':
return value
elif key == 'N':
if value:
if is_integer(value):
return int(value)
else:
return Decimal(value)
else:
return None
elif key == 'NULL':
return None
else:
print("key is invalid: key=" + key)
traceback.print_exc()
return None
def store(self, machine, event_trigger, event, *args, **kwargs):
"""
Stores a machine into a dynamo table
:param machine:
:param event_trigger:
:param event:
:param args:
:param kwargs:
:return:
"""
new_id = uuid.uuid4().get_hex()
old_id = machine.persistent_id
utc_now = datetime.datetime.utcnow()
original_store = machine.persist_store
# We do not want to store all the underlying implementation of this object,
# so we'll remove the store attribute
delattr(machine, 'persist_store')
try:
pickled = self._to_pickle(machine, utc_now, event_trigger)
finally:
setattr(machine, 'persist_store', original_store)
binary_pickle = Binary(pickled)
self.log.debug("Pickle is %s long... Binary pickle ??", len(pickled))
result = self.table.put_item(
Item={
self.storage_details['persistent_id']: new_id,
self.storage_details['blob_field']: binary_pickle,
self.storage_details['previous_id']: old_id,
self.storage_details['persist_dt']: Decimal(time.mktime(utc_now.timetuple()))
}
)
if not result:
raise NotImplementedError()
return new_id
TEST_TABLE_NAME = "my_table"
TEST_REGION_NAME = "us-west-2"
TEST_INDEX = {
"partition_attribute": {
"type": "S",
"value": "test_value"
},
"sort_attribute": {
"type": "N",
"value": Decimal("99.233")
},
}
SECONDARY_INDEX = {
"secondary_index_1": {
"type": "B",
"value": Binary(b"\x00\x01\x02")
},
"secondary_index_2": {
"type": "S",
"value": "another_value"
},
}
TEST_KEY = {name: value["value"] for name, value in TEST_INDEX.items()}
TEST_BATCH_INDEXES = [
{
"partition_attribute": {
"type": "S",
"value": "test_value"
},
"sort_attribute": {
"type": "N",
def test_str(self):
self.assertEqual(Binary(b'\x01').__str__(), b'\x01')
def _dynamodb_binary_to_python(binary_data):
from boto3.dynamodb.types import Binary
return Binary(value=binary_data)
def test_repr(self):
self.assertIn('Binary', repr(Binary(b'1')))
def encrypt_item(table_name, aws_cmk_id):
"""Demonstrate use of EncryptedTable to transparently encrypt an item."""
index_key = {
'partition_attribute': 'is this',
'sort_attribute': 55
}
plaintext_item = {
'example': 'data',
'some numbers': 99,
'and some binary': Binary(b'\x00\x01\x02'),
'leave me': 'alone' # We want to ignore this attribute
}
# Collect all of the attributes that will be encrypted (used later).
encrypted_attributes = set(plaintext_item.keys())
encrypted_attributes.remove('leave me')
# Collect all of the attributes that will not be encrypted (used later).
unencrypted_attributes = set(index_key.keys())
unencrypted_attributes.add('leave me')
# Add the index pairs to the item.
plaintext_item.update(index_key)
# Create a normal table resource.
table = boto3.resource('dynamodb').Table(table_name)
# Use the TableInfo helper to collect information about the indexes.
table_info = TableInfo(name=table_name)
table_info.refresh_indexed_attributes(table.meta.client)
# Create a crypto materials provider using the specified AWS KMS key.
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id)
encryption_context = EncryptionContext(
table_name=table_name,
partition_key_name=table_info.primary_index.partition,
sort_key_name=table_info.primary_index.sort,
# The only attributes that are used by the AWS KMS cryptographic materials providers
# are the primary index attributes.
# These attributes need to be in the form of a DynamoDB JSON structure, so first
# convert the standard dictionary.
attributes=dict_to_ddb(index_key)
)
# Create attribute actions that tells the encrypted table to encrypt all attributes,
# only sign the primary index attributes, and ignore the one identified attribute to
# ignore.
actions = AttributeActions(
default_action=CryptoAction.ENCRYPT_AND_SIGN,
attribute_actions={'leave me': CryptoAction.DO_NOTHING}
)
actions.set_index_keys(*table_info.protected_index_keys())
# Build the crypto config to use for this item.
# When using the higher-level helpers, this is handled for you.
crypto_config = CryptoConfig(
materials_provider=aws_kms_cmp,
encryption_context=encryption_context,
attribute_actions=actions
)
# Encrypt the plaintext item directly
encrypted_item = encrypt_python_item(plaintext_item, crypto_config)
# You could now put the encrypted item to DynamoDB just as you would any other item.
# table.put_item(Item=encrypted_item)
# We will skip this for the purposes of this example.
# Decrypt the encrypted item directly
decrypted_item = decrypt_python_item(encrypted_item, crypto_config)
# Verify that all of the attributes are different in the encrypted item
for name in encrypted_attributes:
assert encrypted_item[name] != plaintext_item[name]
assert decrypted_item[name] == plaintext_item[name]
# Verify that all of the attributes that should not be encrypted were not.
for name in unencrypted_attributes:
assert decrypted_item[name] == encrypted_item[name] == plaintext_item[name]
def test_serialize_binary(self):
self.assertEqual(self.serializer.serialize(
Binary(b'\x01')), {'B': b'\x01'})