m

Author: ajewellamz

releases/rust/db_esdk/Cargo.toml

@@ -24,3 +24,6 @@ uuid = { version = "1.10.0", features = ["v4"] }
 
 [lib]
 path = "src/implementation_from_dafny.rs"
+
+[dev-dependencies]
+aws-sdk-sts = "1.43.0"

releases/rust/db_esdk/src/bin/example/basic_get_put_example.rs renamed to releases/rust/db_esdk/examples/basic_get_put_example.rs

@@ -0,0 +1,257 @@
+use super::regional_role_client_supplier::RegionalRoleClientSupplier;
+use crate::test_utils;
+use aws_db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
+use aws_db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
+use aws_db_esdk::aws_cryptography_materialProviders::client as mpl_client;
+use aws_db_esdk::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef;
+use aws_db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
+use aws_db_esdk::aws_cryptography_materialProviders::types::DiscoveryFilter;
+use aws_db_esdk::intercept::DbEsdkInterceptor;
+use aws_db_esdk::DynamoDbTablesEncryptionConfig;
+use aws_sdk_dynamodb::types::AttributeValue;
+use std::collections::HashMap;
+
+/*
+ This example sets up an MRK multi-keyring and an MRK discovery
+ multi-keyring using a custom client supplier.
+ A custom client supplier grants users access to more granular
+ configuration aspects of their authentication details and KMS
+ client. In this example, we create a simple custom client supplier
+ that authenticates with a different IAM role based on the
+ region of the KMS key.
+
+ This example creates a MRK multi-keyring configured with a custom
+ client supplier using a single MRK and puts an encrypted item to the
+ table. Then, it creates a MRK discovery multi-keyring to decrypt the item
+ and retrieves the item from the table.
+
+ Running this example requires access to the DDB Table whose name
+ is provided in CLI arguments.
+ This table must be configured with the following
+ primary key configuration:
+   - Partition key is named "partition_key" with type (S)
+   - Sort key is named "sort_key" with type (S)
+*/
+pub async fn put_item_get_item() {
+    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
+    // Note that we pass in an MRK in us-east-1...
+    let key_arn = test_utils::TEST_MRK_REPLICA_KEY_ID_US_EAST_1.to_string();
+    let account_ids = vec![test_utils::TEST_AWS_ACCOUNT_ID.to_string()];
+    // ...and access its replica in eu-west-1
+    let regions = vec!["eu-west-1".to_string()];
+
+    // 1. Create a single MRK multi-keyring.
+    //    This can be either a single-region KMS key or an MRK.
+    //    For this example to succeed, the key's region must either
+    //    1) be in the regions list, or
+    //    2) the key must be an MRK with a replica defined
+    //    in a region in the regions list, and the client
+    //    must have the correct permissions to access the replica.
+    let mpl_config = MaterialProvidersConfig::builder().build().unwrap();
+    let mpl = mpl_client::Client::from_conf(mpl_config).unwrap();
+
+    // Create the multi-keyring using our custom client supplier
+    // defined in the RegionalRoleClientSupplier class in this directory.
+    // Note: RegionalRoleClientSupplier will internally use the key_arn's region
+    // to retrieve the correct IAM role.
+    let supplier_ref = ClientSupplierRef {
+        inner: std::rc::Rc::new(std::cell::RefCell::new(RegionalRoleClientSupplier::new())),
+    };
+
+    let mrk_keyring_with_client_supplier = mpl
+        .create_aws_kms_mrk_multi_keyring()
+        .client_supplier(supplier_ref.clone())
+        .generator(key_arn)
+        .send()
+        .await
+        .unwrap();
+
+    // 2. Configure which attributes are encrypted and/or signed when writing new items.
+    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
+    //    we must explicitly configure how they should be treated during item encryption:
+    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
+    //      - SIGN_ONLY: The attribute is not encrypted, but is still included in the signature
+    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
+    let attribute_actions_on_encrypt = HashMap::from([
+        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
+        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
+        ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
+    ]);
+
+    // 3. Configure which attributes we expect to be included in the signature
+    //    when reading items. There are two options for configuring this:
+    //
+    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
+    //      When defining your DynamoDb schema and deciding on attribute names,
+    //      choose a distinguishing prefix (such as ":") for all attributes that
+    //      you do not want to include in the signature.
+    //      This has two main benefits:
+    //      - It is easier to reason about the security and authenticity of data within your item
+    //        when all unauthenticated data is easily distinguishable by their attribute name.
+    //      - If you need to add new unauthenticated attributes in the future,
+    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
+    //        and immediately start writing to that new attribute, without
+    //        any other configuration update needed.
+    //      Once you configure this field, it is not safe to update it.
+    //
+    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
+    //      a set of attributes that should be considered unauthenticated when encountered
+    //      on read. Be careful if you use this configuration. Do not remove an attribute
+    //      name from this configuration, even if you are no longer writing with that attribute,
+    //      as old items may still include this attribute, and our configuration needs to know
+    //      to continue to exclude this attribute from the signature scope.
+    //      If you add new attribute names to this field, you must first deploy the update to this
+    //      field to all readers in your host fleet before deploying the update to start writing
+    //      with that new attribute.
+    //
+    //   For this example, we currently authenticate all attributes. To make it easier to
+    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
+    const UNSIGNED_ATTR_PREFIX: &str = ":";
+
+    // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
+    let table_config = DynamoDbTableEncryptionConfig::builder()
+        .logical_table_name(ddb_table_name)
+        .partition_key_name("partition_key")
+        .sort_key_name("sort_key")
+        .attribute_actions_on_encrypt(attribute_actions_on_encrypt.clone())
+        .keyring(mrk_keyring_with_client_supplier)
+        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
+        .build()
+        .unwrap();
+
+    let table_configs = DynamoDbTablesEncryptionConfig::builder()
+        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
+        .build()
+        .unwrap();
+
+    // 5. Create a new AWS SDK DynamoDb client using the DynamoDb Config above
+    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
+        .interceptor(DbEsdkInterceptor::new(table_configs))
+        .build();
+    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
+
+    // 6. Put an item into our table using the above client.
+    //    Before the item gets sent to DynamoDb, it will be encrypted
+    //    client-side using the MRK multi-keyring.
+    //    The data key protecting this item will be encrypted
+    //    with all the KMS Keys in this keyring, so that it can be
+    //    decrypted with any one of those KMS Keys.
+    let item = HashMap::from([
+        (
+            "partition_key".to_string(),
+            AttributeValue::S("clientSupplierItem".to_string()),
+        ),
+        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+        (
+            "sensitive_data".to_string(),
+            AttributeValue::S("encrypt and sign me!".to_string()),
+        ),
+    ]);
+
+    let _resp = ddb
+        .put_item()
+        .table_name(ddb_table_name)
+        .set_item(Some(item.clone()))
+        .send()
+        .await
+        .unwrap();
+
+    // 7. Get the item back from our table using the same keyring.
+    //    The client will decrypt the item client-side using the MRK
+    //    and return the original item.
+    let key_to_get = HashMap::from([
+        (
+            "partition_key".to_string(),
+            AttributeValue::S("clientSupplierItem".to_string()),
+        ),
+        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+    ]);
+
+    let resp = ddb
+        .get_item()
+        .table_name(ddb_table_name)
+        .set_key(Some(key_to_get.clone()))
+        .consistent_read(true)
+        .send()
+        .await
+        .unwrap();
+
+    assert_eq!(
+        resp.item.unwrap()["sensitive_data"],
+        AttributeValue::S("encrypt and sign me!".to_string())
+    );
+
+    // 7. Create a MRK discovery multi-keyring with a custom client supplier.
+    //    A discovery MRK multi-keyring will be composed of
+    //    multiple discovery MRK keyrings, one for each region.
+    //    Each component keyring has its own KMS client in a particular region.
+    //    When we provide a client supplier to the multi-keyring, all component
+    //    keyrings will use that client supplier configuration.
+    //    In our tests, we make `key_arn` an MRK with a replica, and
+    //    provide only the replica region in our discovery filter.
+    let discovery_filter = DiscoveryFilter::builder()
+        .partition("aws")
+        .account_ids(account_ids)
+        .build()
+        .unwrap();
+
+    let mrk_discovery_client_supplier_keyring = mpl
+        .create_aws_kms_mrk_discovery_multi_keyring()
+        .client_supplier(supplier_ref.clone())
+        .discovery_filter(discovery_filter)
+        .regions(regions)
+        .send()
+        .await
+        .unwrap();
+
+    // 9. Create a new config and client using the discovery keyring.
+    //     This is the same setup as above, except we provide the discovery keyring to the config.
+    let only_replica_table_config = DynamoDbTableEncryptionConfig::builder()
+        .logical_table_name(ddb_table_name)
+        .partition_key_name("partition_key")
+        .sort_key_name("sort_key")
+        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
+        .keyring(mrk_discovery_client_supplier_keyring)
+        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
+        .build()
+        .unwrap();
+
+    let only_replica_table_configs = DynamoDbTablesEncryptionConfig::builder()
+        .table_encryption_configs(HashMap::from([(
+            ddb_table_name.to_string(),
+            only_replica_table_config,
+        )]))
+        .build()
+        .unwrap();
+
+    let only_replica_dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
+        .interceptor(DbEsdkInterceptor::new(only_replica_table_configs))
+        .build();
+    let only_replica_ddb = aws_sdk_dynamodb::Client::from_conf(only_replica_dynamo_config);
+
+    // 10. Get the item back from our table using the discovery keyring client.
+    //     The client will decrypt the item client-side using the keyring,
+    //     and return the original item.
+    //     The discovery keyring will only use KMS keys in the provided regions and
+    //     AWS accounts. Since we have provided it with a custom client supplier
+    //     which uses different IAM roles based on the key region,
+    //     the discovery keyring will use a particular IAM role to decrypt
+    //     based on the region of the KMS key it uses to decrypt.
+
+    let resp = only_replica_ddb
+        .get_item()
+        .table_name(ddb_table_name)
+        .set_key(Some(key_to_get))
+        .consistent_read(true)
+        .send()
+        .await
+        .unwrap();
+
+    assert_eq!(
+        resp.item.unwrap()["sensitive_data"],
+        AttributeValue::S("encrypt and sign me!".to_string())
+    );
+
+    println!("client_supplier_example successful.");
+}

releases/rust/db_esdk/examples/clientsupplier/client_supplier_example.rs

@@ -0,0 +1,3 @@
+pub mod client_supplier_example;
+pub mod regional_role_client_supplier;
+pub mod regional_role_client_supplier_config;

releases/rust/db_esdk/examples/clientsupplier/mod.rs

@@ -0,0 +1,90 @@
+use aws_config::Region;
+use aws_db_esdk::aws_cryptography_materialProviders::types::ClientSupplier;
+use aws_db_esdk::deps::aws_cryptography_materialProviders::operation::get_client::GetClientInput;
+use aws_db_esdk::deps::aws_cryptography_materialProviders::types::error::Error;
+use aws_db_esdk::deps::com_amazonaws_kms::client::Client as kms_client;
+use aws_sdk_sts::Client as sts_client;
+
+/*
+ Example class demonstrating an implementation of a custom client supplier.
+ This particular implementation will create KMS clients with different IAM roles,
+ depending on the region passed.
+*/
+
+pub struct RegionalRoleClientSupplier {
+    sts_client: sts_client, // private readonly AmazonSecurityTokenServiceClient _stsClient = new AmazonSecurityTokenServiceClient();
+}
+
+impl RegionalRoleClientSupplier {
+    pub fn new() -> Self {
+        let sdk_config = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+            })
+        });
+        Self {
+            sts_client: sts_client::new(&sdk_config),
+        }
+    }
+}
+
+impl ClientSupplier for RegionalRoleClientSupplier {
+    fn get_client(&mut self, input: GetClientInput) -> Result<kms_client, Error> {
+        let region = input.region.unwrap();
+        let arn =
+            super::regional_role_client_supplier_config::region_iam_role_map()[&region].clone();
+        let creds = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                self.sts_client
+                    .assume_role()
+                    .role_arn(arn)
+                    .duration_seconds(900)
+                    .role_session_name("Rust-Client-Supplier-Example-Session")
+                    .send()
+                    .await
+            })
+        })
+        .unwrap();
+
+        let types_cred = creds.credentials.unwrap();
+        let config_creds = aws_sdk_sts::config::Credentials::new(
+            types_cred.access_key_id(),
+            types_cred.secret_access_key(),
+            Some(types_cred.session_token().to_string()),
+            Some(
+                std::time::SystemTime::UNIX_EPOCH
+                    + std::time::Duration::from_secs(types_cred.expiration().secs() as u64),
+            ),
+            "SomeProvider",
+        );
+        let cred_prov = aws_sdk_kms::config::SharedCredentialsProvider::new(config_creds);
+
+        let sdk_config = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+            })
+        });
+        let kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
+            .credentials_provider(cred_prov)
+            .region(Region::new(region))
+            .build();
+
+        let inner_client = aws_sdk_kms::Client::from_conf(kms_config);
+        Ok(aws_db_esdk::deps::com_amazonaws_kms::client::Client {
+            inner: inner_client,
+        })
+    }
+}
+// protected override IAmazonKeyManagementService _GetClient(GetClientInput getClientInput)
+// {
+//     String arn = _config.regionIamRoleMap[getClientInput.Region];
+//     Credentials creds = _stsClient.AssumeRoleAsync(new AssumeRoleRequest
+//     {
+//         RoleArn = arn,
+//         DurationSeconds = 900, // 15 minutes is the minimum value
+//         RoleSessionName = "Java-Client-Supplier-Example-Session"
+//     }
+//     ).Result.Credentials;
+
+//     return new AmazonKeyManagementServiceClient(creds, RegionEndpoint.GetBySystemName(getClientInput.Region));
+// }

releases/rust/db_esdk/examples/clientsupplier/regional_role_client_supplier.rs

@@ -0,0 +1,20 @@
+use std::collections::HashMap;
+
+/*
+ Class containing config for the RegionalRoleClientSupplier.
+ In your own code, this might be hardcoded, or reference
+ an external source, e.g. environment variables or AWS AppConfig.
+*/
+
+const US_EAST_1_IAM_ROLE: &str =
+    "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-only-us-east-1-KMS-keys";
+
+const EU_WEST_1_IAM_ROLE: &str =
+    "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-only-eu-west-1-KMS-keys";
+
+pub fn region_iam_role_map() -> HashMap<String, String> {
+    HashMap::from([
+        ("us-east-1".to_string(), US_EAST_1_IAM_ROLE.to_string()),
+        ("eu-west-1".to_string(), EU_WEST_1_IAM_ROLE.to_string()),
+    ])
+}