From c7450c5e861d099a98a59825d0c7b45c6fd65116 Mon Sep 17 00:00:00 2001
From: seebees
Date: Tue, 12 Dec 2023 10:54:05 -0800
Subject: [PATCH] feat: Update overrideEncryptionContextTableName (#1112)

The names in `overrideEncryptionContextTableName` are relative to the code and not the customer using the code. This updates these names and docs to reflect the intuition customers have when dealing with two different table names.

---------

Co-authored-by: texastony <5892063+texastony@users.noreply.github.com>
---
 ...ionContextOverridesWithDynamoDBMapper.java | 15 ++++++------
 ...nContextOverridesWithDynamoDBMapperIT.java | 4 ++--
 .../utils/EncryptionContextOperators.java | 23 ++++++++++++-------
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java b/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java
index 07e4fcfa..c7a84302 100644
--- a/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java
+++ b/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java
@@ -46,7 +46,8 @@
  * "partition_attribute" for Strings and a sort (range) key named "sort_attribute" for numbers.
  */
 public class EncryptionContextOverridesWithDynamoDBMapper {
-  public static final String TABLE_NAME_TO_OVERRIDE = "ExampleTableForEncryptionContextOverrides";
+  public static final String ORIGINAL_TABLE_NAME_TO_OVERRIDE =
+      "ExampleTableForEncryptionContextOverrides";
   public static final String PARTITION_ATTRIBUTE = "partition_attribute";
   public static final String SORT_ATTRIBUTE = "sort_attribute";
@@ -78,7 +79,7 @@ public static void main(String[] args) throws GeneralSecurityException {
   public static void encryptRecord(
       final String cmkArn,
-      final String newEncryptionContextTableName,
+      final String currentTableName,
       AmazonDynamoDB ddbClient,
       AWSKMS kmsClient)
       throws GeneralSecurityException {
@@ -95,7 +96,7 @@ public static void encryptRecord(
     final DynamoDBEncryptor encryptor = DynamoDBEncryptor.getInstance(cmp);
     Map tableNameEncryptionContextOverrides = new HashMap<>();
-    tableNameEncryptionContextOverrides.put(TABLE_NAME_TO_OVERRIDE, newEncryptionContextTableName);
+    tableNameEncryptionContextOverrides.put(ORIGINAL_TABLE_NAME_TO_OVERRIDE, currentTableName);
     tableNameEncryptionContextOverrides.put(
         "AnotherExampleTableForEncryptionContextOverrides", "this table doesn't exist");
@@ -133,7 +134,7 @@ public static void encryptRecord(
     final EnumSet encryptAndSign = EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN);
     final Map encryptedItem =
-        ddbClient.getItem(TABLE_NAME_TO_OVERRIDE, itemKey).getItem();
+        ddbClient.getItem(ORIGINAL_TABLE_NAME_TO_OVERRIDE, itemKey).getItem();
     System.out.println("Encrypted Record: " + encryptedItem);
     Map> encryptionFlags = new HashMap<>();
@@ -151,11 +152,11 @@ public static void encryptRecord(
             new EncryptionContext.Builder()
                 .withHashKeyName(PARTITION_ATTRIBUTE)
                 .withRangeKeyName(SORT_ATTRIBUTE)
-                .withTableName(newEncryptionContextTableName)
+                .withTableName(currentTableName)
                 .build());
     System.out.printf(
         "The example item was encrypted using the table name '%s' in the EncryptionContext%n",
-        newEncryptionContextTableName);
+        currentTableName);
     // The decrypted field matches the original field before encryption
     assert record
@@ -163,7 +164,7 @@ public static void encryptRecord(
         .equals(decrypted_without_override_record.get(STRING_FIELD_NAME).getS());
   }
-  @DynamoDBTable(tableName = TABLE_NAME_TO_OVERRIDE)
+  @DynamoDBTable(tableName = ORIGINAL_TABLE_NAME_TO_OVERRIDE)
   public static final class ExampleItem {
     private String partitionAttribute;
     private int sortAttribute;
diff --git a/examples/src/test/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapperIT.java b/examples/src/test/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapperIT.java
index 4dbc30b6..1b52ba3b 100644
--- a/examples/src/test/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapperIT.java
+++ b/examples/src/test/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapperIT.java
@@ -3,9 +3,9 @@
 package com.amazonaws.examples;
+import static com.amazonaws.examples.EncryptionContextOverridesWithDynamoDBMapper.ORIGINAL_TABLE_NAME_TO_OVERRIDE;
 import static com.amazonaws.examples.EncryptionContextOverridesWithDynamoDBMapper.PARTITION_ATTRIBUTE;
 import static com.amazonaws.examples.EncryptionContextOverridesWithDynamoDBMapper.SORT_ATTRIBUTE;
-import static com.amazonaws.examples.EncryptionContextOverridesWithDynamoDBMapper.TABLE_NAME_TO_OVERRIDE;
 import static com.amazonaws.examples.TestUtils.US_WEST_2;
 import static com.amazonaws.examples.TestUtils.US_WEST_2_KEY_ID;
 import static com.amazonaws.examples.TestUtils.createDDBTable;
@@ -26,7 +26,7 @@ public void testEncryptAndDecrypt() throws GeneralSecurityException {
     final AmazonDynamoDB ddb = DynamoDBEmbedded.create();
     // Create the table under test
-    createDDBTable(ddb, TABLE_NAME_TO_OVERRIDE, PARTITION_ATTRIBUTE, SORT_ATTRIBUTE);
+    createDDBTable(ddb, ORIGINAL_TABLE_NAME_TO_OVERRIDE, PARTITION_ATTRIBUTE, SORT_ATTRIBUTE);
     EncryptionContextOverridesWithDynamoDBMapper.encryptRecord(
         US_WEST_2_KEY_ID, OVERRIDE_TABLE_NAME, ddb, kms);
diff --git a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java
index e9adbd28..9fffa585 100644
--- a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java
+++ b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java
@@ -26,25 +26,32 @@ private EncryptionContextOperators() {}
   /**
    * An operator for overriding EncryptionContext's table name for a specific DynamoDBEncryptor. If
-   * any table names or the encryption context itself is null, then it returns the original
-   * EncryptionContext.
+   * any table names or the encryption context is null, it returns the original EncryptionContext.
    *
-   * @param originalTableName the name of the table that should be overridden in the Encryption
-   *     Context
-   * @param newTableName the table name that should be used in the Encryption Context
+   *

The client automatically adds the current table name to the encryption context so it's bound
+   * to the ciphertext. Use this method when the encryption context of encrypted table items
+   * includes a different table name, such as when a table is backed up, or table items are
+   * moved/copied to a different table. If you don't override the name of the current table with the
+   * table name in the encryption context, decrypt fails. This override affects the encryption
+   * context of all table items, including newly encrypted items.
+   *
+   * @param originalTableName Use this table name in the encryption context
+   * @param currentTableName Override this table name in the encryption context
    * @return A UnaryOperator that produces a new EncryptionContext with the supplied table name
    */
   public static UnaryOperator overrideEncryptionContextTableName(
-      String originalTableName, String newTableName) {
+      String originalTableName, String currentTableName) {
     return encryptionContext -> {
       if (encryptionContext == null
           || encryptionContext.getTableName() == null
           || originalTableName == null
-          || newTableName == null) {
+          || currentTableName == null) {
         return encryptionContext;
       }
       if (originalTableName.equals(encryptionContext.getTableName())) {
-        return new EncryptionContext.Builder(encryptionContext).withTableName(newTableName).build();
+        return new EncryptionContext.Builder(encryptionContext)
+            .withTableName(currentTableName)
+            .build();
       } else {
         return encryptionContext;
       }
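Review bot: The two new `@param` tags in this hunk describe the parameters the opposite way from what the lambda under them does: the body rewrites the context only when its table name equals `originalTableName`, and it writes `currentTableName` in its place, so `originalTableName` is the name being overridden and `currentTableName` is the name that ends up in the encryption context, not the other way round. Because the new paragraph also states that the table name is bound to the ciphertext, a reader who follows the tags literally will wire the override backwards and, by the paragraph's own account, decrypt will fail on the table that was meant to work. I would change the tags to `@param originalTableName the table name to look for in the encryption context; a context whose table name equals it is rewritten` and `@param currentTableName the table name written into the encryption context in place of {@code originalTableName}`, and let `@return` say the context is returned unchanged when the names do not match or any input is null. The example in EncryptionContextOverridesWithDynamoDBMapper appears to pass `ORIGINAL_TABLE_NAME_TO_OVERRIDE`, the table its `@DynamoDBTable` annotation targets, as the first name, which agrees with the code rather than with the new wording. The method body continues past the end of this hunk.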