feat: support update expressions (#69)

* feat: support update expressions

Author: ajewellamz

DynamoDbEncryption/runtimes/java/src/test/java/software/aws/cryptography/dynamoDbEncryption/DynamoDbEncryptionInterceptorTest.java

@@ -121,10 +121,11 @@ public void TestPutItemGetItemWithConditionExpression() {
     }
 
     @Test
-    public void TestUpdateItemOnEncryptedTable() {
+    public void TestUpdateItemOnEncryptedTableGood() {
         UpdateItemRequest oldRequest = UpdateItemRequest.builder()
                 .tableName(TEST_TABLE_NAME)
-                .updateExpression("foo")
+                .key(Collections.EMPTY_MAP)
+                .updateExpression("SET " + TEST_ATTR2_NAME + " = :p")
                 .build();
 
         Context.ModifyRequest context = InterceptorContext.builder()
@@ -135,10 +136,30 @@ public void TestUpdateItemOnEncryptedTable() {
                 .put(SdkExecutionAttribute.SERVICE_NAME, "DynamoDb")
                 .build();
 
-        Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
-            interceptor.modifyRequest(context, attributes);
-        });
-        assertTrue(exception.getMessage().contains("Update Expressions forbidden on encrypted tables"));
+        SdkRequest newRequest = interceptor.modifyRequest(context, attributes);
+        assertEquals(oldRequest, newRequest);
+    }
+
+    @Test
+    public void TestUpdateItemOnEncryptedTableBad() throws Exception {
+        UpdateItemRequest oldRequest = UpdateItemRequest.builder()
+                .tableName(TEST_TABLE_NAME)
+                .key(Collections.EMPTY_MAP)
+                .updateExpression("SET " + TEST_ATTR_NAME + " = :p")
+                .build();
+
+        Context.ModifyRequest context = InterceptorContext.builder()
+                .request(oldRequest)
+                .build();
+        ExecutionAttributes attributes = ExecutionAttributes.builder()
+                .put(SdkExecutionAttribute.OPERATION_NAME, "UpdateItem")
+                .put(SdkExecutionAttribute.SERVICE_NAME, "DynamoDb")
+                .build();
+
+	Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
+		interceptor.modifyRequest(context, attributes);
+	    });
+	assertTrue(exception.getMessage().contains("Update Expressions forbidden on signed attributes : " + TEST_ATTR_NAME));
     }
 
     @Test
@@ -242,13 +263,39 @@ public void TestTransactWriteItemsWithDeleteConditionExpression() {
     }
 
     @Test
-    public void TestTransactWriteItemsWithUpdateOnEncryptedTable() {
+    public void TestTransactWriteItemsWithUpdateOnEncryptedTableGood() {
+        TransactWriteItemsRequest oldRequest = TransactWriteItemsRequest.builder()
+                .transactItems(
+                        TransactWriteItem.builder()
+                                .update(Update.builder()
+                                        .tableName(TEST_TABLE_NAME)
+                                        .key(Collections.EMPTY_MAP)
+                                        .updateExpression("SET " + TEST_ATTR2_NAME + " = :p")
+                                        .build())
+                                .build())
+                .build();
+
+        Context.ModifyRequest context = InterceptorContext.builder()
+                .request(oldRequest)
+                .build();
+        ExecutionAttributes attributes = ExecutionAttributes.builder()
+                .put(SdkExecutionAttribute.OPERATION_NAME, "TransactWriteItems")
+                .put(SdkExecutionAttribute.SERVICE_NAME, "DynamoDb")
+                .build();
+
+        SdkRequest newRequest = interceptor.modifyRequest(context, attributes);
+        assertEquals(oldRequest, newRequest);
+    }
+
+    @Test
+    public void TestTransactWriteItemsWithUpdateOnEncryptedTableBad() {
         TransactWriteItemsRequest oldRequest = TransactWriteItemsRequest.builder()
                 .transactItems(
                         TransactWriteItem.builder()
                                 .update(Update.builder()
                                         .tableName(TEST_TABLE_NAME)
-                                        .updateExpression("foo")
+                                        .key(Collections.EMPTY_MAP)
+					.updateExpression("SET " + TEST_ATTR_NAME + " = :p")
                                         .build())
                                 .build())
                 .build();
@@ -264,7 +311,7 @@ public void TestTransactWriteItemsWithUpdateOnEncryptedTable() {
         Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
             interceptor.modifyRequest(context, attributes);
         });
-        assertTrue(exception.getMessage().contains("Update Expressions forbidden on encrypted tables"));
+	assertTrue(exception.getMessage().contains("Update Expressions forbidden on signed attributes : " + TEST_ATTR_NAME));
     }
 
     @Test

DynamoDbEncryptionMiddlewareInternal/test/TestFixtures.dfy

@@ -94,8 +94,13 @@ module TestFixtures {
           "foo" := DynamoDbTableEncryptionConfig(
             partitionKeyName := "bar",
             sortKeyName := None(),
-            attributeActions := map["bar" := CSE.SIGN_ONLY],
-            allowedUnauthenticatedAttributes := None(),
+            attributeActions := map[
+              "bar" := CSE.SIGN_ONLY,
+              "sign" := CSE.SIGN_ONLY,
+              "encrypt" := CSE.ENCRYPT_AND_SIGN,
+              "plain" := CSE.DO_NOTHING
+              ],
+            allowedUnauthenticatedAttributes := Some(["plain"]),
             allowedUnauthenticatedAttributePrefix := None(),
             algorithmSuiteId := None(),
             keyring := Some(keyring),

DynamoDbEncryptionMiddlewareInternal/test/UpdateItemTransform.dfy

@@ -36,7 +36,7 @@ module UpdateItemTransformTest {
     expect_equal("UpdateItemInput", transformed.value.transformedInput, input);
   }
 
-    method {:test} TestUpdateItemInputUpdateExpression() {
+    method {:test} TestUpdateItemInputUpdateExpressionSigned() {
     var middlewareUnderTest := TestFixtures.GetDynamoDbEncryption();
     var input := DDB.UpdateItemInput(
       TableName := "foo",
@@ -47,7 +47,7 @@ module UpdateItemTransformTest {
       ReturnValues := None(),
       ReturnConsumedCapacity := None(),
       ReturnItemCollectionMetrics := None(),
-      UpdateExpression := Some("foo"),
+      UpdateExpression := Some("SET sign = :p"),
       ConditionExpression := None(),
       ExpressionAttributeNames := None(),
       ExpressionAttributeValues := None()
@@ -58,7 +58,60 @@ module UpdateItemTransformTest {
       )
     );
 
-    ExpectFailure(transformed, "Update Expressions forbidden on encrypted tables");
+    ExpectFailure(transformed, "Update Expressions forbidden on signed attributes : sign");
+  }
+
+
+    method {:test} TestUpdateItemInputUpdateExpressionEncrypted() {
+    var middlewareUnderTest := TestFixtures.GetDynamoDbEncryption();
+    var input := DDB.UpdateItemInput(
+      TableName := "foo",
+      Key := map[],
+      AttributeUpdates := None(),
+      Expected := None(),
+      ConditionalOperator := None(),
+      ReturnValues := None(),
+      ReturnConsumedCapacity := None(),
+      ReturnItemCollectionMetrics := None(),
+      UpdateExpression := Some("SET encrypt = :p"),
+      ConditionExpression := None(),
+      ExpressionAttributeNames := None(),
+      ExpressionAttributeValues := None()
+    );
+    var transformed := middlewareUnderTest.UpdateItemInputTransform(
+      AwsCryptographyDynamoDbEncryptionTypes.UpdateItemInputTransformInput(
+        sdkInput := input
+      )
+    );
+
+    ExpectFailure(transformed, "Update Expressions forbidden on signed attributes : encrypt");
+  }
+
+
+    method {:test} TestUpdateItemInputUpdateExpressionPlain() {
+    var middlewareUnderTest := TestFixtures.GetDynamoDbEncryption();
+    var input := DDB.UpdateItemInput(
+      TableName := "foo",
+      Key := map[],
+      AttributeUpdates := None(),
+      Expected := None(),
+      ConditionalOperator := None(),
+      ReturnValues := None(),
+      ReturnConsumedCapacity := None(),
+      ReturnItemCollectionMetrics := None(),
+      UpdateExpression := Some("SET plain = :p"),
+      ConditionExpression := None(),
+      ExpressionAttributeNames := None(),
+      ExpressionAttributeValues := None()
+    );
+    var transformed := middlewareUnderTest.UpdateItemInputTransform(
+      AwsCryptographyDynamoDbEncryptionTypes.UpdateItemInputTransformInput(
+        sdkInput := input
+      )
+    );
+
+    expect_ok("UpdateItemInput", transformed);
+    expect_equal("UpdateItemInput", transformed.value.transformedInput, input);
   }
 
   method {:test} TestUpdateItemOutputPassthrough() {

DynamoDbItemEncryptor/src/DDBSupport.dfy

@@ -90,18 +90,12 @@ module DynamoDBSupport {
     : Result<bool, string>
   {
     if expr.Some? then
-    // TODO
-    // removing this comment will provide correct behavior
-    // but requires changing many tests
-    /*
       var attrs := Update.ExtractAttributes(expr.value, attrNames);
       var encryptedAttrs := Seq.Filter(s => IsSigned(config, s), attrs);
       if |encryptedAttrs| == 0 then
         Success(true)
       else
         Failure("Update Expressions forbidden on signed attributes : " + Join(encryptedAttrs, ","))
-    */
-      Failure("Update Expressions forbidden on encrypted tables")
     else
       Success(true)
   }

DynamoDbItemEncryptor/src/Index.dfy

@@ -139,6 +139,7 @@ module
           config.allowedUnauthenticatedAttributePrefix
         ))
       {
+        // TODO - make an error message that a customer might understand
         return Failure(DynamoDbItemEncryptorException(
           message := "Attribute: " + attribute + " configuration not compatible with unauthenticated configuration."
         ));