feat: allow condition expressions without encrypted attributes (#70)

* feat: allow condition expressions without encrypted attributes

* better error messages

Author: ajewellamz

DynamoDbEncryption/runtimes/java/src/test/java/software/aws/cryptography/dynamoDbEncryption/DynamoDbEncryptionInterceptorTest.java

@@ -39,6 +39,7 @@ public void TestPutItemEncryptsAccordingToAttributeActions() {
         PutItemRequest oldRequest = PutItemRequest.builder()
                 .tableName(TEST_TABLE_NAME)
                 .item(item)
+                .conditionExpression(TEST_ATTR2_NAME + " < :a")
                 .build();
 
         Context.ModifyRequest context = InterceptorContext.builder()
@@ -100,10 +101,10 @@ public void TestInterceptorBuilderAcceptsLegacyEncryptor() {
     }
 
     @Test
-    public void TestPutItemGetItemWithConditionExpression() {
+    public void TestPutItemGetItemWithConditionExpressionBad() {
         PutItemRequest oldRequest = PutItemRequest.builder()
                 .tableName(TEST_TABLE_NAME)
-                .conditionExpression("foo")
+                .conditionExpression(TEST_ATTR_NAME + " < :a")
                 .build();
 
         Context.ModifyRequest context = InterceptorContext.builder()
@@ -117,7 +118,7 @@ public void TestPutItemGetItemWithConditionExpression() {
         Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
             interceptor.modifyRequest(context, attributes);
         });
-        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted tables"));
+        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted attributes : attr1"));
     }
 
     @Test
@@ -191,7 +192,7 @@ public void TestTransactWriteItemsWithConditionCheck() {
                                         .build())
                                 .conditionCheck(ConditionCheck.builder()
                                         .tableName(TEST_TABLE_NAME)
-                                        .conditionExpression("foo")
+                                        .conditionExpression(TEST_ATTR_NAME + " < :a")
                                         .build())
                                 .build())
                 .build();
@@ -207,7 +208,7 @@ public void TestTransactWriteItemsWithConditionCheck() {
         Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
             interceptor.modifyRequest(context, attributes);
         });
-        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted tables"));
+        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted attributes : attr1"));
     }
 
     @Test
@@ -217,7 +218,7 @@ public void TestTransactWriteItemsWithPutConditionExpression() {
                         TransactWriteItem.builder()
                                 .put(Put.builder()
                                         .tableName(TEST_TABLE_NAME)
-                                        .conditionExpression("foo")
+                                        .conditionExpression(TEST_ATTR_NAME + " < :a")
                                         .build())
                                 .build())
                 .build();
@@ -233,7 +234,7 @@ public void TestTransactWriteItemsWithPutConditionExpression() {
         Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
             interceptor.modifyRequest(context, attributes);
         });
-        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted tables"));
+        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted attributes : attr1"));
     }
 
     @Test
@@ -243,7 +244,7 @@ public void TestTransactWriteItemsWithDeleteConditionExpression() {
                         TransactWriteItem.builder()
                                 .delete(Delete.builder()
                                         .tableName(TEST_TABLE_NAME)
-                                        .conditionExpression("foo")
+                                        .conditionExpression(TEST_ATTR_NAME + " < :a")
                                         .build())
                                 .build())
                 .build();
@@ -259,7 +260,7 @@ public void TestTransactWriteItemsWithDeleteConditionExpression() {
         Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
             interceptor.modifyRequest(context, attributes);
         });
-        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted tables"));
+        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted attributes : attr1"));
     }
 
     @Test
@@ -318,7 +319,7 @@ public void TestTransactWriteItemsWithUpdateOnEncryptedTableBad() {
     public void TestDeleteItemWithConditionExpression() {
         DeleteItemRequest oldRequest = DeleteItemRequest.builder()
                 .tableName(TEST_TABLE_NAME)
-                .conditionExpression("foo")
+                .conditionExpression(TEST_ATTR_NAME + " < :a")
                 .build();
 
         Context.ModifyRequest context = InterceptorContext.builder()
@@ -332,7 +333,7 @@ public void TestDeleteItemWithConditionExpression() {
         Exception exception = assertThrows(DynamoDbEncryptionException.class, () -> {
             interceptor.modifyRequest(context, attributes);
         });
-        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted tables"));
+        assertTrue(exception.getMessage().contains("Condition Expressions forbidden on encrypted attributes : attr1"));
     }
 
     @Test

DynamoDbItemEncryptor/src/AwsCryptographyDynamoDbItemEncryptorOperations.dfy

@@ -80,6 +80,37 @@ module AwsCryptographyDynamoDbItemEncryptorOperations refines AbstractAwsCryptog
       !AllowedUnauthenticated(unauthenticatedAttributes, unauthenticatedPrefix, attribute)
   }
 
+  function method CryptoActionString(action: CSE.CryptoAction) : string
+  {
+    match action {
+      case DO_NOTHING => "DO_NOTHING"
+      case SIGN_ONLY => "SIGN_ONLY"
+      case ENCRYPT_AND_SIGN => "ENCRYPT_AND_SIGN"
+    }
+  }
+
+  function method ExplainNotForwardCompatible(
+    attr: string,
+    action: CSE.CryptoAction,
+    unauthenticatedAttributes: Option<ComAmazonawsDynamodbTypes.AttributeNameList>,
+    unauthenticatedPrefix: Option<string>
+  )
+    : string
+    requires !ForwardCompatibleAttributeAction(attr, action, unauthenticatedAttributes, unauthenticatedPrefix)
+  {
+    "Attribute " + attr + " is configured as " + CryptoActionString(action) + " but " +
+    if action == CSE.DO_NOTHING then
+      "it must also be in unauthenticatedAttributes or begin with the unauthenticatedPrefix."
+    else if unauthenticatedAttributes.Some? && attr in unauthenticatedAttributes.value then
+      "it is also in unauthenticatedAttributes."
+    else if unauthenticatedPrefix.Some? && unauthenticatedPrefix.value <= attr then
+      "it also begins with the unauthenticatedPrefix."
+    else
+      assert SE.ReservedPrefix <= attr;
+      "it also begins with the reserved prefix."
+  }
+
+
   // Is this attribute unknown to the config?
   predicate method UnknownAttribute(config : InternalConfig, attr : ComAmazonawsDynamodbTypes.AttributeName)
   {

DynamoDbItemEncryptor/src/DDBSupport.dfy

@@ -13,6 +13,7 @@ include "AwsCryptographyDynamoDbItemEncryptorOperations.dfy"
 include "Util.dfy"
 include "VirtualDDB.dfy"
 include "UpdateExpr.dfy"
+include "FilterExpr.dfy"
 
 module DynamoDBSupport { 
 
@@ -30,6 +31,7 @@ module DynamoDBSupport {
   import SE = StructuredEncryptionUtil
   import Update = DynamoDbUpdateExpr
   import SET = AwsCryptographyStructuredEncryptionTypes
+  import Filter = DynamoDBFilterExpr
 
   // IsWritable examines an AttributeMap and fails if it is unsuitable for writing.
   // At the moment, this means that no attribute names starts with "aws_dbe_",
@@ -49,6 +51,20 @@ module DynamoDBSupport {
         Failure("Writing reserved attributes not allowed : " + Join(badSeq, "\n"))
   }
 
+  function method GetEncryptedAttributes(
+    config : Config,
+    expr : Option<string>,
+    attrNames : Option<DDB.ExpressionAttributeNameMap> )
+    : seq<string>
+  {
+    if expr.None? then
+      []
+    else
+      var attrs := Filter.ExtractAttributes(expr.value, attrNames);
+      Seq.Filter((attr : string) => IsEncrypted(config, attr), attrs)
+  }
+
+
   // TestConditionExpression fails if a condition expression is not suitable for the
   // given encryption schema.
   // Generally this means no encrypted attribute is referenced.
@@ -61,7 +77,11 @@ module DynamoDBSupport {
     : Result<bool, string>
   {
     if expr.Some? then
-      Failure("Condition Expressions forbidden on encrypted tables")
+      var attrs := GetEncryptedAttributes(config, expr, attrNames);
+      if |attrs| == 0 then
+        Success(true)
+      else
+        Failure("Condition Expressions forbidden on encrypted attributes : " + Join(attrs, ","))
     else
       Success(true)
   }