aws · johnwalker · May 22, 2019 · May 21, 2019
@@ -8,6 +8,6 @@
     <property name="fileExtensions" value="java"/>
     <module name="RegexpHeader">
         <property name="header"
-                  value="^/*\n * Copyright \d{4} Amazon\.com, Inc\. or its affiliates\. All Rights Reserved\.$"/>
+                  value="^/*\n * Copyright \d{4}([-]\d{4})? Amazon\.com, Inc\. or its affiliates\. All Rights Reserved\.$"/>
     </module>
 </module>
@@ -22,7 +22,7 @@
             <dependency>
                 <groupId>software.amazon.awssdk</groupId>
                 <artifactId>bom</artifactId>
-                <version>2.4.11</version>
+                <version>2.5.47</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -44,5 +44,12 @@
             <artifactId>dynamodbencryptionclient-common</artifactId>
             <version>0.1.0-SNAPSHOT</version>
         </dependency>
+
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <version>2.27.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+package software.amazon.cryptools.dynamodbencryptionclientsdk2;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
+
+public class BasicDynamoDbEncryptionConfiguration implements DynamoDbEncryptionConfiguration {
+    private final EncryptionAction defaultEncryptionAction;
+    private final Map<String, EncryptionAction> encryptionActionOverrides;
+    private final EncryptionContext encryptionContext;
+
+    private BasicDynamoDbEncryptionConfiguration(Builder builder) {
+        this.defaultEncryptionAction = builder.defaultEncryptionAction;
+        this.encryptionActionOverrides = Collections.unmodifiableMap(builder.encryptionActionOverrides);
+        this.encryptionContext = builder.encryptionContext;
+    }
+
+    @Override
+    public EncryptionAction getDefaultEncryptionAction() {
+        return this.defaultEncryptionAction;
+    }
+
+    @Override
+    public Map<String, EncryptionAction> getEncryptionActionOverrides() {
+        return this.encryptionActionOverrides;
+    }
+
+    @Override
+    public EncryptionContext getEncryptionContext() {
+        return this.encryptionContext;
+    }
+
+    /**
+     * Builder for an immutable implementation of {@link DynamoDbEncryptionConfiguration}.
+     */
+    public static class Builder {
+        private EncryptionAction defaultEncryptionAction;
+        private Map<String, EncryptionAction> encryptionActionOverrides = new HashMap<>();
+        private EncryptionContext encryptionContext;
+
+        /**
+         * Set the default {@link EncryptionAction} that should be applied to any attribute that is found in the
+         * record and does not have a specific override associated with it.
+         * @param defaultEncryptionAction The default encryption action that should be applied to attributes.
+         * @return a mutated instance of this builder.
+         */
+        public Builder defaultEncryptionAction(EncryptionAction defaultEncryptionAction) {
+            this.defaultEncryptionAction = defaultEncryptionAction;
+            return this;
+        }
+
+        /**
+         * Add a map of encryption action overrides for specific attributes. Will be merged into any existing overrides
+         * the builder already has and will overwrite existing values with the same key.
+         * @param encryptionActionOverrides A map of encryption action overrides.
+         * @return a mutated instance of this builder.
+         */
+        public Builder addEncryptionActionOverrides(Map<String, EncryptionAction> encryptionActionOverrides) {
+            this.encryptionActionOverrides.putAll(encryptionActionOverrides);
+            return this;
+        }
+
+        /**
+         * Add a single encryption action override for a specific attribute. Will be merged into any existing overrides
+         * ths builder already has and will overwrite existing values with the same key.
+         * @param attributeKey The name of the attribute.
+         * @param encryptionAction The encryption action to apply to that attribute.
+         * @return a mutated instance of this builder.
+         */
+        public Builder addEncryptionActionOverride(String attributeKey, EncryptionAction encryptionAction) {
+            this.encryptionActionOverrides.put(attributeKey, encryptionAction);
+            return this;
+        }
+
+        /**
+         * Sets the encryption context to be used by the encryption client when encrypting or decrypting records. At
+         * a minimum the following fields should be set on the context: tableName, hashKeyName, rangeKeyName.
+         * @param encryptionContext An {@link EncryptionContext} object to associate with this configuration.
+         * @return a mutated instance of this builder.
+         */
+        public Builder encryptionContext(EncryptionContext encryptionContext) {
+            this.encryptionContext = encryptionContext;
+            return this;
+        }
+
+        /**
+         * Construct an immutable {@link DynamoDbEncryptionConfiguration} from the information provided to the builder.
+         * @return an initialized {@link BasicDynamoDbEncryptionConfiguration} object.
+         */
+        public BasicDynamoDbEncryptionConfiguration build() {
+            return new BasicDynamoDbEncryptionConfiguration(this);
+        }
+    }
+}
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+package software.amazon.cryptools.dynamodbencryptionclientsdk2;
+
+import java.util.Map;
+
+import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
+import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.DynamoDbEncryptor;
+
+/**
+ * General interface for a class that is capable of encrypting and decrypting DynamoDB records as well as signing and
+ * verifying signatures.
+ */
+public interface DynamoDbEncryptionClient {
+    /**
+     * Encrypt and sign a record.
+     * @param itemAttributes The map of AttributeValues that make up the record.
+     * @param configuration A {@link DynamoDbEncryptionConfiguration} object that configures the behavior and scope
+     *                      of encryption and signing on the record.
+     * @return A map of AttributeValues that has been encrypted and signed as directed.
+     */
+    Map<String, AttributeValue> encryptRecord(Map<String, AttributeValue> itemAttributes,
+                                              DynamoDbEncryptionConfiguration configuration);
+
+    /**
+     * Decrypt and verify signature on a record.
+     * @param itemAttributes The map of AttributeValues that make up the encrypted/signed record.
+     * @param configuration A {@link DynamoDbEncryptionConfiguration} object that configures the behavior and scope
+     *                      of decryption and signature verification on the record.
+     * @return A map of AttributeValues that have been decrypted and verified as directed.
+     */
+    Map<String, AttributeValue> decryptRecord(Map<String, AttributeValue> itemAttributes,
+                                              DynamoDbEncryptionConfiguration configuration);
+
+    /**
+     * Convenience method to return a builder for the default approved implementation of this interface, a
+     * {@link DynamoDbEncryptor}.
+     * @return A builder object for the default implementation of this interface.
+     */
+    static DynamoDbEncryptor.Builder builder() {
+        return DynamoDbEncryptor.builder();
+    }
+}
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+package software.amazon.cryptools.dynamodbencryptionclientsdk2;
+
+import java.util.Map;
+
+import software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption.EncryptionContext;
+
+/**
+ * An interface to an object that supplies configuration and context to the {@link DynamoDbEncryptionClient}.
+ */
+public interface DynamoDbEncryptionConfiguration {
+    /**
+     * Get the default {@link EncryptionAction} that should be applied to any attribute that is found in the record and
+     * does not have a specific override associated with it.
+     * @return The default {@link EncryptionAction}.
+     */
+    EncryptionAction getDefaultEncryptionAction();
+
+    /**
+     * Gets a map of specific attribute {@link EncryptionAction} overrides.
+     * @return A map of {@link EncryptionAction} overrides, keyed by attribute name.
+     */
+    Map<String, EncryptionAction> getEncryptionActionOverrides();
+
+    /**
+     * Returns an {@link EncryptionContext} to be used by the encryption client. Has information about the table
+     * name, the names of the primary indices etc.
+     * @return An {@link EncryptionContext} object.
+     */
+    EncryptionContext getEncryptionContext();
+
+    /**
+     * Default builder for an immutable implementation of {@link DynamoDbEncryptionConfiguration}.
+     * @return A newly initialized {@link BasicDynamoDbEncryptionConfiguration.Builder}.
+     */
+    static BasicDynamoDbEncryptionConfiguration.Builder builder() {
+        return new BasicDynamoDbEncryptionConfiguration.Builder();
+    }
+}
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+package software.amazon.cryptools.dynamodbencryptionclientsdk2;
+
+/**
+ * When configuring the {@link DynamoDbEncryptionClient} you may specify a default behavior for how attributes should
+ * be treated when encrypting and decrypting, and also you may include overrides to change the behavior for specific
+ * attributes. The following enumeration are the different valid behaviors for how a single attribute should be treated.
+ */
+public enum EncryptionAction {
+    /**
+     * DO_NOTHING : This instructs the encryption client to completely ignore the attribute. The attribute will not be
+     *              encrypted and it will not be included in the signature calculation of the record.
+     */
+    DO_NOTHING,
+
+    /**
+     * SIGN_ONLY : This instructs the encryption client to include the attribute in the signature calculation of the
+     *             record, but not to encrypt its value.
+     */
+    SIGN_ONLY,
+
+    /**
+     * ENCRYPT_AND_SIGN : This instructs the encryption client to include the attribute in the signature calculation of
+     *                    the record and to encrypt its value.
+     */
+    ENCRYPT_AND_SIGN
+}