def _meta_table_prep(table_name, items_filename):
if table_name is None:
return None
client = boto3.client("dynamodb", region_name="us-west-2")
MetaStore.create_table(client, table_name, 100, 100)
table = boto3.resource("dynamodb",
region_name="us-west-2").Table(table_name)
table.wait_until_exists()
try:
with open(_filename_from_uri(items_filename), encoding="utf-8") as f:
table_data = json.load(f)
request_items = {}
for this_table_name, items in table_data.items():
requests = []
for item in items:
_decode_item(item)
requests.append({"PutRequest": {"Item": item}})
request_items[this_table_name] = requests
client.batch_write_item(RequestItems=request_items)
except Exception as e:
# If anything went wrong we want to clean up after ourselves
table.delete()
raise e
return table
def build_metastore():
client = boto3.client("dynamodb", region_name=TEST_REGION_NAME)
table_name = base64.urlsafe_b64encode(os.urandom(32)).decode("utf-8").replace("=", ".")
MetaStore.create_table(client, table_name, 1, 1)
waiter = client.get_waiter("table_exists")
waiter.wait(TableName=table_name)
table = boto3.resource("dynamodb", region_name=TEST_REGION_NAME).Table(table_name)
return MetaStore(table, build_static_jce_cmp("AES", 256, "HmacSHA256", 256)), table_name
def _create_meta_table(client, metastore_info):
"""Create DDB table for use with a MetaStore."""
if metastore_info is None:
return None
metatable_name = metastore_info["table_name"]
MetaStore.create_table(client, metatable_name, 5, 5)
metatable = boto3.resource("dynamodb", region_name="us-west-2").Table(
metastore_info["table_name"])
metatable.wait_until_exists()
return metatable
def test_create_table():
client = boto3.client('dynamodb', region_name='us-west-2')
table_name = base64.b64encode(os.urandom(32)).decode('utf-8')
MetaStore.create_table(client, table_name, 1, 1)
waiter = client.get_waiter('table_exists')
waiter.wait(TableName=table_name)
client.delete_table(TableName=table_name)
waiter = client.get_waiter('table_not_exists')
waiter.wait(TableName=table_name)
def test_create_table():
client = boto3.client("dynamodb", region_name="us-west-2")
table_name = base64.b64encode(os.urandom(32)).decode("utf-8")
MetaStore.create_table(client, table_name, 1, 1)
waiter = client.get_waiter("table_exists")
waiter.wait(TableName=table_name)
client.delete_table(TableName=table_name)
waiter = client.get_waiter("table_not_exists")
waiter.wait(TableName=table_name)
def encrypt_item(table_name, aws_cmk_id, meta_table_name, material_name):
"""Demonstrate use of EncryptedTable to transparently encrypt an item."""
index_key = {"partition_attribute": "is this", "sort_attribute": 55}
plaintext_item = {
"example": "data",
"some numbers": 99,
"and some binary": Binary(b"\x00\x01\x02"),
"leave me": "alone", # We want to ignore this attribute
}
# Collect all of the attributes that will be encrypted (used later).
encrypted_attributes = set(plaintext_item.keys())
encrypted_attributes.remove("leave me")
# Collect all of the attributes that will not be encrypted (used later).
unencrypted_attributes = set(index_key.keys())
unencrypted_attributes.add("leave me")
# Add the index pairs to the item.
plaintext_item.update(index_key)
# Create a normal table resource for the meta store.
meta_table = boto3.resource("dynamodb").Table(meta_table_name)
# Create a crypto materials provider for the meta store using the specified AWS KMS key.
aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id)
# Create a meta store using the AWS KMS crypto materials provider.
meta_store = MetaStore(table=meta_table, materials_provider=aws_kms_cmp)
# Create a most recent provider using the meta store.
most_recent_cmp = MostRecentProvider(
provider_store=meta_store,
material_name=material_name,
version_ttl=600.0, # Check for a new material version every five minutes.
)
# Create a normal table resource.
table = boto3.resource("dynamodb").Table(table_name)
# Create attribute actions that tells the encrypted table to encrypt all attributes except one.
actions = AttributeActions(
default_action=CryptoAction.ENCRYPT_AND_SIGN, attribute_actions={"leave me": CryptoAction.DO_NOTHING}
)
# Use these objects to create an encrypted table resource.
encrypted_table = EncryptedTable(table=table, materials_provider=most_recent_cmp, attribute_actions=actions)
# Put the item to the table, using the encrypted table resource to transparently encrypt it.
encrypted_table.put_item(Item=plaintext_item)
# Get the encrypted item using the standard table resource.
encrypted_item = table.get_item(Key=index_key)["Item"]
# Get the item using the encrypted table resource, transparently decyrpting it.
decrypted_item = encrypted_table.get_item(Key=index_key)["Item"]
# Verify that all of the attributes are different in the encrypted item
for name in encrypted_attributes:
assert encrypted_item[name] != plaintext_item[name]
assert decrypted_item[name] == plaintext_item[name]
# Verify that all of the attributes that should not be encrypted were not.
for name in unencrypted_attributes:
assert decrypted_item[name] == encrypted_item[name] == plaintext_item[name]
# Clean up the item
encrypted_table.delete_item(Key=index_key)
def test_most_recent_encrypted_table(ddb_table_name, cmk_arn):
# define random new names for material and metastore table
meta_table_name = 'meta-table-{}'.format(uuid.uuid4())
material_name = 'material-{}'.format(uuid.uuid4())
# create the metastore table
client = boto3.client('dynamodb')
MetaStore.create_table(client, meta_table_name, 10, 10)
waiter = client.get_waiter('table_exists')
waiter.wait(TableName=meta_table_name)
# run the actual test
most_recent_provider_encrypted_table.encrypt_item(ddb_table_name, cmk_arn, meta_table_name, material_name)
# clean up the meta store table
client.delete_table(TableName=meta_table_name)
waiter = client.get_waiter('table_not_exists')
waiter.wait(TableName=meta_table_name)
def _meta_table_prep(table_name, items_filename):
if table_name is None:
return
client = boto3.client("dynamodb", region_name="us-west-2")
MetaStore.create_table(client, table_name, 100, 100)
with open(_filename_from_uri(items_filename)) as f:
table_data = json.load(f)
request_items = {}
for this_table_name, items in table_data.items():
requests = []
for item in items:
_decode_item(item)
requests.append({"PutRequest": {"Item": item}})
request_items[this_table_name] = requests
client.batch_write_item(RequestItems=request_items)
def _build_most_recent_cmp(scenario, keys):
table = boto3.resource("dynamodb", region_name="us-west-2").Table(scenario["metastore"]["table_name"])
meta_cmp, _, _ = _build_cmp(scenario["metastore"], keys)
metastore = MetaStore(table=table, materials_provider=meta_cmp())
most_recent_cmp = CachingMostRecentProvider(
provider_store=metastore, material_name=scenario["material_name"], version_ttl=600.0
)
return most_recent_cmp
def _build_most_recent_cmp(scenario, keys):
table = boto3.resource('dynamodb', region_name='us-west-2').Table(
scenario['metastore']['table_name'])
meta_cmp, _, _ = _build_cmp(scenario['metastore'], keys)
metastore = MetaStore(table=table, materials_provider=meta_cmp())
most_recent_cmp = MostRecentProvider(
provider_store=metastore,
material_name=scenario['material_name'],
version_ttl=600.0)
return most_recent_cmp