m

Author: ajewellamz

DynamoDbEncryption/runtimes/rust/Cargo.toml

@@ -21,5 +21,6 @@ dashmap = "6.1.0"
 pem = "3.0.4"
 tokio = {version = "1.40.0", features = ["full"] }
 uuid = { version = "1.10.0", features = ["v4"] }
+
 [lib]
 path = "src/implementation_from_dafny.rs"

DynamoDbEncryption/runtimes/rust/src/bin/example/basic_get_put_example.rs

@@ -0,0 +1,163 @@
+
+
+use std::collections::HashMap;
+use crate::test_utils;
+use aws_sdk_dynamodb::types::AttributeValue;
+
+use db_esdk::deps::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
+use db_esdk::deps::aws_cryptography_materialProviders::client;
+use db_esdk::deps::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
+
+use db_esdk::deps::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
+use db_esdk::deps::aws_cryptography_materialProviders::types::DbeAlgorithmSuiteId;
+use db_esdk::intercept::DbEsdkInterceptor;
+use db_esdk::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig;
+
+/*
+  This example sets up DynamoDb Encryption for the AWS SDK client
+  and uses the low level PutItem and GetItem DDB APIs to demonstrate
+  putting a client-side encrypted item into DynamoDb
+  and then retrieving and decrypting that item from DynamoDb.
+
+  Running this example requires access to the DDB Table whose name
+  is provided in CLI arguments.
+  This table must be configured with the following
+  primary key configuration:
+    - Partition key is named "partition_key" with type (S)
+    - Sort key is named "sort_key" with type (N)
+ */
+
+pub async fn put_item_get_item()
+{
+  let kms_key_id = test_utils::TEST_KMS_KEY_ID;
+  let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
+
+  // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
+  //    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
+  //    We will use the `CreateMrkMultiKeyring` method to create this keyring,
+  //    as it will correctly handle both single region and Multi-Region KMS Keys.
+  let provider_config = MaterialProvidersConfig::builder().build().unwrap();
+  let mat_prov = client::Client::from_conf(provider_config).unwrap();
+  let kms_keyring = mat_prov.create_aws_kms_mrk_multi_keyring().generator(kms_key_id).send().await.unwrap();
+
+
+  // 2. Configure which attributes are encrypted and/or signed when writing new items.
+  //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+  //    we must explicitly configure how they should be treated during item encryption:
+  //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+  //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
+  //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+  let attribute_actions_on_encrypt = HashMap::from([
+    ("partition_key".to_string(), CryptoAction::SignOnly),
+    ("sort_key".to_string(), CryptoAction::SignOnly),
+    ("attribute1".to_string(), CryptoAction::EncryptAndSign),
+    ("attribute2".to_string(), CryptoAction::SignOnly),
+    (":attribute3".to_string(), CryptoAction::DoNothing),
+  ]);
+
+  // 3. Configure which attributes we expect to be included in the signature
+  //    when reading items. There are two options for configuring this:
+  //
+  //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+  //      When defining your DynamoDb schema and deciding on attribute names,
+  //      choose a distinguishing prefix (such as ":") for all attributes that
+  //      you do not want to include in the signature.
+  //      This has two main benefits:
+  //      - It is easier to reason about the security and authenticity of data within your item
+  //        when all unauthenticated data is easily distinguishable by their attribute name.
+  //      - If you need to add new unauthenticated attributes in the future,
+  //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+  //        and immediately start writing to that new attribute, without
+  //        any other configuration update needed.
+  //      Once you configure this field, it is not safe to update it.
+  //
+  //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+  //      a set of attributes that should be considered unauthenticated when encountered
+  //      on read. Be careful if you use this configuration. Do not remove an attribute
+  //      name from this configuration, even if you are no longer writing with that attribute,
+  //      as old items may still include this attribute, and our configuration needs to know
+  //      to continue to exclude this attribute from the signature scope.
+  //      If you add new attribute names to this field, you must first deploy the update to this
+  //      field to all readers in your host fleet before deploying the update to start writing
+  //      with that new attribute.
+  //
+  //   For this example, we have designed our DynamoDb table such that any attribute name with
+  //   the ":" prefix should be considered unauthenticated.
+  const UNSIGNED_ATTR_PREFIX : &str = ":";
+
+  // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
+  let table_config = DynamoDbTableEncryptionConfig::builder()
+    .logical_table_name(ddb_table_name)
+    .partition_key_name("partition_key")
+    .sort_key_name("sort_key")
+    .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
+    .keyring(kms_keyring)
+    .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
+      // Specifying an algorithm suite is not required,
+      // but is done here to demonstrate how to do so.
+      // We suggest using the
+      // `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384` suite,
+      // which includes AES-GCM with key derivation, signing, and key commitment.
+      // This is also the default algorithm suite if one is not specified in this config.
+      // For more information on supported algorithm suites, see:
+      //   https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/supported-algorithms.html
+    .algorithm_suite_id(DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384SymsigHmacSha384)
+    .build().unwrap();
+
+  let table_configs = DynamoDbTablesEncryptionConfig::builder()
+    .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
+    .build()
+    .unwrap();
+
+    // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
+  let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+  let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
+      .interceptor(DbEsdkInterceptor::new(table_configs))
+      .build();
+  let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
+
+  // 6. Put an item into our table using the above client.
+  //    Before the item gets sent to DynamoDb, it will be encrypted
+  //    client-side, according to our configuration.
+  let item = HashMap::from([
+    ("partition_key".to_string(), AttributeValue::S("BasicPutGetExample".to_string())),
+    ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+    ("attribute1".to_string(), AttributeValue::S("encrypt and sign me!".to_string())),
+    ("attribute2".to_string(), AttributeValue::S("sign me!".to_string())),
+    (":attribute3".to_string(), AttributeValue::S("ignore me!".to_string())),
+  ]);
+
+  let _resp = ddb
+    .put_item()
+    .table_name(ddb_table_name)
+    .set_item(Some(item.clone()))
+    .send()
+    .await
+    .unwrap();
+
+    // 7. Get the item back from our table using the same client.
+    //    The client will decrypt the item client-side, and return
+    //    back the original item.
+    let key_to_get = HashMap::from([
+      ("partition_key".to_string(), AttributeValue::S("BasicPutGetExample".to_string())),
+      ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+    ]);
+
+    let resp = ddb
+      .get_item()
+      .table_name(ddb_table_name)
+      .set_key(Some(key_to_get))
+        // In this example we configure a strongly consistent read
+        // because we perform a read immediately after a write (for demonstrative purposes).
+        // By default, reads are only eventually consistent.
+        // Read our docs to determine which read consistency to use for your application:
+        // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
+      .consistent_read(true)
+      .send()
+      .await
+      .unwrap();
+
+      assert_eq!(resp.item, Some(item));
+      println!("put_item_get_item Successful.");
+  }
+  

DynamoDbEncryption/runtimes/rust/src/bin/example/main.rs

@@ -0,0 +1,8 @@
+
+pub mod basic_get_put_example;
+pub mod test_utils;
+
+#[tokio::main]
+pub async fn main() {
+    basic_get_put_example::put_item_get_item().await;
+}

DynamoDbEncryption/runtimes/rust/src/bin/example/test_utils.rs

@@ -0,0 +1,42 @@
+pub const TEST_KEYSTORE_NAME : &str = "KeyStoreDdbTable";
+pub const TEST_LOGICAL_KEYSTORE_NAME : &str = "KeyStoreDdbTable";
+
+pub const TEST_KEYSTORE_KMS_KEY_ID : &str = "arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126";
+
+pub const TEST_AWS_ACCOUNT_ID : &str = "658956600833";
+
+pub const TEST_AWS_REGION : &str = "us-west-2";
+
+// These are public KMS Keys that MUST only be used for testing, and MUST NOT be used for any production data
+pub const TEST_KMS_KEY_ID : &str =
+    "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f";
+
+pub const TEST_MRK_KEY_ID : &str =
+    "arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7";
+
+pub const TEST_KMS_RSA_KEY_ID : &str =
+    "arn:aws:kms:us-west-2:658956600833:key/8b432da4-dde4-4bc3-a794-c7d68cbab5a6";
+
+pub const TEST_MRK_REPLICA_KEY_ID_US_EAST_1 : &str =
+    "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7";
+
+pub const TEST_MRK_REPLICA_KEY_ID_EU_WEST_1 : &str =
+    "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7";
+
+// Our tests require access to DDB Table with this name
+pub const TEST_DDB_TABLE_NAME : &str = "DynamoDbEncryptionInterceptorTestTableCS";
+pub const TEST_COMPLEX_TABLE_NAME : &str = "ComplexBeaconTestTableCS";
+
+// Our tests require access to DDB Tables with these name
+pub const SIMPLE_BEACON_TEST_DDB_TABLE_NAME : &str = "SimpleBeaconTestTable";
+pub const UNIT_INSPECTION_TEST_DDB_TABLE_NAME : &str = "UnitInspectionTestTableCS";
+
+// The branch key must have been created using this KMS key
+// Note: This is a public resource that anyone can access.
+// This MUST NOT be used to encrypt any production data.
+pub const TEST_BRANCH_KEY_WRAPPING_KMS_KEY_ARN : &str =
+    "arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126";
+
+// Our tests require access to DDB Table with this name configured as a branch keystore
+pub const TEST_BRANCH_KEYSTORE_DDB_TABLE_NAME : &str = "KeyStoreDdbTable";
+pub const TEST_COMPLEX_DDB_TABLE_NAME : &str = "ComplexBeaconTestTable";

DynamoDbEncryption/runtimes/rust/src/concurrent_call.rs

@@ -4,6 +4,7 @@
 #![deny(warnings, unconditional_panic)]
 #![deny(nonstandard_style)]
 #![deny(clippy::all)]
+#![allow(dead_code)]
 
 #[allow(non_snake_case)]
 pub mod ConcurrentCall {

DynamoDbEncryption/runtimes/rust/src/ecdh.rs

@@ -4,6 +4,7 @@
 #![deny(warnings, unconditional_panic)]
 #![deny(nonstandard_style)]
 #![deny(clippy::all)]
+#![allow(dead_code)]
 
 #[allow(non_snake_case)]
 pub mod ECDH {

DynamoDbEncryption/runtimes/rust/src/intercept.rs

@@ -18,6 +18,7 @@ static dafny_tokio_runtime: LazyLock<tokio::runtime::Runtime> = LazyLock::new(||
           .unwrap()
 });
 
+
 #[macro_export]
 macro_rules! modify_request {
     ($cfg:ident,$request:ident,$self:ident,$transform:ident) => {
@@ -26,14 +27,23 @@ macro_rules! modify_request {
             $cfg.interceptor_state().store_put(OriginalRequest(Input::erase($request.clone())));
 
             // transform the request
-            *$request = dafny_tokio_runtime.block_on($self.client
-                .$transform()
-                .sdk_input($request.clone())
-                .send()).unwrap().transformed_input.unwrap();
+            *$request = tokio::task::block_in_place(|| {
+                tokio::runtime::Handle::current().block_on(async {
+                    $self.client
+                    .$transform()
+                    .sdk_input($request.clone())
+                    .send()
+                    .await
+                    .unwrap().transformed_input.unwrap()
+                })
+              })
         }
     };
 }
 
+
+
+
 #[macro_export]
 macro_rules! modify_response {
     ($cfg:ident,$type:ty,$response:ident,$self:ident,$transform:ident) => {
@@ -48,11 +58,17 @@ macro_rules! modify_response {
                 .expect("we know this type corresponds to the output type");
 
             // transform the response
-            *$response = dafny_tokio_runtime.block_on($self.client
-                .$transform()
-                .original_input(original.clone())
-                .sdk_output($response.clone())
-                .send()).unwrap().transformed_output.unwrap();
+            *$response = tokio::task::block_in_place(|| {
+                tokio::runtime::Handle::current().block_on(async {
+                    $self.client
+                    .$transform()
+                    .original_input(original.clone())
+                    .sdk_output($response.clone())
+                    .send()
+                    .await
+                    .unwrap().transformed_output.unwrap()
+                })
+              })
         }
     };
 }

DynamoDbEncryption/runtimes/rust/src/kms.rs

@@ -13,13 +13,28 @@ impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_def
   #[allow(non_snake_case)]
   pub fn KMSClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Result<::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>, ::std::rc::Rc<crate::software::amazon::cryptography::services::kms::internaldafny::types::Error>>>{
     let region = dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(region);
-    let shared_config = dafny_tokio_runtime().block_on(aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()));
+    // let shared_config = dafny_tokio_runtime().block_on(aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()));
+    let shared_config = tokio::task::block_in_place(|| {
+      tokio::runtime::Handle::current().block_on(async {
+        aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+      })
+    });
+
     let shared_config = shared_config.to_builder().region(Region::new(region)).build();
     let inner = aws_sdk_kms::Client::new(&shared_config);
     let client = crate::deps::com_amazonaws_kms::client::Client { inner };
     let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
     std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success { value: dafny_client })
   }
+/*
+let res = task::spawn_blocking(move || {
+    // Stand-in for compute-heavy work or using synchronous APIs
+    v.push_str("world");
+    // Pass ownership of the value back to the asynchronous context
+    v
+}).await?;
+
+*/
 
   #[allow(non_snake_case)]
   pub fn KMSClient() -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Result<::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>, ::std::rc::Rc<crate::software::amazon::cryptography::services::kms::internaldafny::types::Error>>>{