initial draft of ProviderStore, MetaStore, and MostRecentProvider

Author: mattsb42-aws

doc/index.rst

@@ -21,8 +21,11 @@ Modules
     dynamodb_encryption_sdk.encrypted.table
     dynamodb_encryption_sdk.material_providers
     dynamodb_encryption_sdk.material_providers.aws_kms
+    dynamodb_encryption_sdk.material_providers.most_recent
     dynamodb_encryption_sdk.material_providers.static
     dynamodb_encryption_sdk.material_providers.wrapped
+    dynamodb_encryption_sdk.material_providers.store
+    dynamodb_encryption_sdk.material_providers.store.meta
     dynamodb_encryption_sdk.materials
     dynamodb_encryption_sdk.materials.raw
     dynamodb_encryption_sdk.materials.wrapped

src/dynamodb_encryption_sdk/exceptions.py

@@ -87,3 +87,19 @@ class SigningError(DynamodbEncryptionSdkError):
 
 class SignatureVerificationError(DynamodbEncryptionSdkError):
     """Otherwise undifferentiated error encountered while verifying a signature."""
+
+
+class ProviderStoreError(DynamodbEncryptionSdkError):
+    """Otherwise undifferentiated error encountered by a provider store."""
+
+
+class NoKnownVersionError(ProviderStoreError):
+    """Raised if a provider store cannot locate any version of the requested material."""
+
+
+class InvalidVersionError(ProviderStoreError):
+    """Raised if an invalid version of a material is requested."""
+
+
+class VersionAlreadyExistsError(ProviderStoreError):
+    """Raised if a version that is being added to a provider store already exists."""

src/dynamodb_encryption_sdk/material_providers/most_recent.py

@@ -0,0 +1,225 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Meta cryptographic provider store."""
+from collections import OrderedDict
+import logging
+from threading import RLock
+import time
+
+import attr
+import six
+
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Any, Text  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
+from dynamodb_encryption_sdk.exceptions import InvalidVersionError, NoKnownVersionError
+from dynamodb_encryption_sdk.identifiers import LOGGER_NAME
+from dynamodb_encryption_sdk.materials import CryptographicMaterials  # noqa pylint: disable=unused-import
+from dynamodb_encryption_sdk.structures import EncryptionContext  # noqa pylint: disable=unused-import
+from . import CryptographicMaterialsProvider
+from .store import ProviderStore
+
+__all__ = ('MostRecentProvider',)
+_LOGGER = logging.getLogger(LOGGER_NAME)
+
+
+def _min_capacity_validator(instance, attribute, value):
+    """Attrs validator to require that value is at least 1."""
+    if value < 1:
+        raise ValueError('Cache capacity must be at least 1')
+
+
+@attr.s(init=False)
+class BasicCache(object):
+    """Most basic LRU cache."""
+
+    capacity = attr.ib(validator=(
+        attr.validators.instance_of(int),
+        _min_capacity_validator
+    ))
+
+    def __init__(self, capacity):
+        # type: (int) -> None
+        """Workaround pending resolution of attrs/mypy interaction.
+        https://github.com/python/mypy/issues/2088
+        https://github.com/python-attrs/attrs/issues/215
+        """
+        self.capacity = capacity
+        attr.validate(self)
+        self.__attrs_post_init__()
+
+    def __attrs_post_init__(self):
+        # type; () -> None
+        """Initialize the internal cache."""
+        self._cache_lock = RLock()  # attrs confuses pylint: disable=attribute-defined-outside-init
+        self.clear()
+
+    def _prune(self):
+        # type: () -> None
+        """Prunes internal cache until internal cache is within the defined limit."""
+        with self._cache_lock:
+            while len(self._cache) > self.capacity:
+                self._cache.popitem(last=False)
+
+    def put(self, name, value):
+        # type: (Any, Any) -> None
+        """Add a value to the cache.
+
+        :param name: Hashable object to identify the value in the cache
+        :param value: Value to add to cache
+        """
+        with self._cache_lock:
+            self._cache[name] = value
+            self._prune()
+
+    def get(self, name):
+        # type: (Any) -> Any
+        """Get a value from the cache."""
+        with self._cache_lock:
+            value = self._cache.pop(name)
+            self.put(name, value)  # bump to the from of the LRU
+            return value
+
+    def clear(self):
+        # type: () -> None
+        """Clear the cache."""
+        with self._cache_lock:
+            self._cache = OrderedDict()  # type: OrderedDict[Any, Any]
+
+
+@attr.s(init=False)
+class MostRecentProvider(CryptographicMaterialsProvider):
+    """Cryptographic materials provider that uses a provider store to obtain cryptography
+    materials.
+
+    When encrypting, the most recent provider that the provider store knows about will always
+    be used.
+
+    :param provider_store: Provider store to use
+    :type provider_store: dynamodb_encryption_sdk.material_providers.store.ProviderStore
+    :param str material_name: Name of materials for which to ask the provider store
+    :param float version_ttl: Max time in seconds to go until checking with provider store
+        for a more recent version
+    """
+
+    _provider_store = attr.ib(validator=attr.validators.instance_of(ProviderStore))
+    _material_name = attr.ib(validator=attr.validators.instance_of(six.string_types))
+    _version_ttl = attr.ib(validator=attr.validators.instance_of(float))
+
+    def __init__(
+            self,
+            provider_store,  # type: ProviderStore
+            material_name,  # type: Text
+            version_ttl  # type: float
+    ):
+        # type: (...) -> None
+        """Workaround pending resolution of attrs/mypy interaction.
+        https://github.com/python/mypy/issues/2088
+        https://github.com/python-attrs/attrs/issues/215
+        """
+        self._provider_store = provider_store
+        self._material_name = material_name
+        self._version_ttl = version_ttl
+        attr.validate(self)
+        self.__attrs_post_init__()
+
+    def __attrs_post_init__(self):
+        # type: () -> None
+        """Initialize the cache."""
+        self._lock = RLock()
+        self._cache = BasicCache(1000)
+        self.refresh()
+
+    def decryption_materials(self, encryption_context):
+        # type: (EncryptionContext) -> CryptographicMaterials
+        """Return decryption materials.
+
+        :param encryption_context: Encryption context for request
+        :type encryption_context: dynamodb_encryption_sdk.structures.EncryptionContext
+        :raises AttributeError: if no decryption materials are available
+        """
+        version = self._provider_store.version_from_material_description(encryption_context.material_description)
+        try:
+            provider = self._cache.get(version)
+        except KeyError:
+            try:
+                provider = self._provider_store.provider(self._material_name, version)
+            except InvalidVersionError:
+                _LOGGER.exception('Unable to get decryption materials from provider store.')
+                raise AttributeError('No decryption materials available')
+
+        self._cache.put(version, provider)
+
+        return provider.decryption_materials(encryption_context)
+
+    def _can_use_current(self):
+        # type: () -> bool
+        """Determine if we can use the current known max version without asking the provider store.
+
+        :returns: decision
+        :rtype: bool
+        """
+        if self._version is None:
+            return False
+
+        return time.time() - self._last_updated < self._version_ttl
+
+    def _set_most_recent_version(self, version):
+        # type: (int) -> None
+        """Set the most recent version and update the last updated time.
+
+        :param int version: Version to set
+        """
+        with self._lock:
+            self._version = version
+            self._last_updated = time.time()
+
+    def encryption_materials(self, encryption_context):
+        # type: (EncryptionContext) -> CryptographicMaterials
+        """Return encryption materials.
+
+        :param encryption_context: Encryption context for request
+        :type encryption_context: dynamodb_encryption_sdk.structures.EncryptionContext
+        :raises AttributeError: if no encryption materials are available
+        """
+        if self._can_use_current():
+            return self._cache.get(self._version)
+
+        try:
+            version = self._provider_store.max_version(self._material_name)
+        except NoKnownVersionError:
+            version = 0
+
+        try:
+            provider = self._provider_store.get_or_create_provider(self._material_name, version)
+        except InvalidVersionError:
+            _LOGGER.exception('Unable to get encryption materials from provider store.')
+            raise AttributeError('No encryption materials available')
+        actual_version = self._provider_store.version_from_material_description(provider._material_description)
+        # TODO: ^ should we promote material description from hidden?
+
+        self._cache.put(actual_version, provider)
+        self._set_most_recent_version(actual_version)
+
+        return provider.encryption_materials(encryption_context)
+
+    def refresh(self):
+        # type: () -> None
+        """Clear all local caches for this provider."""
+        with self._lock:
+            self._cache.clear()
+            self._version = None  # type: int
+            self._last_updated = None  # type: CryptographicMaterialsProvider

src/dynamodb_encryption_sdk/material_providers/store/__init__.py

@@ -0,0 +1,101 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Cryptographic materials provider stores."""
+import abc
+
+import six
+
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Dict, Text, Optional  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
+from dynamodb_encryption_sdk.exceptions import InvalidVersionError, NoKnownVersionError
+from dynamodb_encryption_sdk.material_providers import CryptographicMaterialsProvider
+
+__all__ = ('ProviderStore',)
+
+
+@six.add_metaclass(abc.ABCMeta)
+class ProviderStore(object):
+    """Provide a standard way to retrieve and/or create cryptographic materials providers."""
+
+    @abc.abstractmethod
+    def get_or_create_provider(self, material_name, version):
+        # type: (Text, int) -> CryptographicMaterialsProvider
+        """Obtain a cryptographic materials provider identified by a name and version.
+
+        If the requested version does not exist, a new one might be created.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate (optional)
+        :returns: cryptographic materials provider
+        :rtype: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider
+        :raises InvalidVersionError: if the requested version is not available and cannot be created
+        """
+
+    @abc.abstractmethod
+    def version_from_material_description(self, material_description):
+        # (Dict[Text, Text]) -> int
+        """Determine the version from the provided material description.
+
+        :param dict material_description: Material description to use with this request
+        :returns: version to use
+        :rtype: int
+        """
+
+    def max_version(self, material_name):
+        # (Text) -> int
+        """Find the maximum known version of the specified material.
+
+        .. note::
+
+            Child classes should usually override this method.
+
+        :param str material_name: Material to locate
+        :returns: Maximum known version
+        :rtype: int
+        :raises NoKnownVersion: if no version can be found
+        """
+        raise NoKnownVersionError('No known version for name: "{}"'.format(material_name))
+
+    def provider(self, material_name, version=None):
+        # type: (Text, Optional[int]) -> CryptographicMaterialsProvider
+        """Obtain a cryptographic materials provider identified by a name and version.
+
+        If the version is not provided, the maximum version will be used.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate (optional)
+        :returns: cryptographic materials provider
+        :rtype: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider
+        :raises InvalidVersionError: if the requested version is not found
+        """
+        if version is None:
+            try:
+                version = self.max_version(material_name)
+            except NoKnownVersionError:
+                version = 0
+        return self.get_or_create_provider(material_name, version)
+
+    def new_provider(self, material_name):
+        # type: (Text) -> CryptographicMaterialsProvider
+        """Create a new provider with a version one greater than the current known maximum.
+
+        :param str material_name: Material to locate
+        :returns: cryptographic materials provider
+        :rtype: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider
+        """
+        version = self.max_version(material_name) + 1
+        return self.get_or_create_provider(material_name, version)

src/dynamodb_encryption_sdk/material_providers/store/meta.py

@@ -0,0 +1,343 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Meta cryptographic provider store."""
+from enum import Enum
+
+import attr
+from boto3.dynamodb.conditions import Attr, Key
+from boto3.dynamodb.types import Binary
+import botocore
+
+try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
+    from typing import Dict, Optional, Text, Tuple  # noqa pylint: disable=unused-import
+except ImportError:  # pragma: no cover
+    # We only actually need these imports when running the mypy checks
+    pass
+
+from dynamodb_encryption_sdk.delegated_keys.jce import JceNameLocalDelegatedKey
+from dynamodb_encryption_sdk.encrypted.table import EncryptedTable
+from dynamodb_encryption_sdk.exceptions import InvalidVersionError, NoKnownVersionError, VersionAlreadyExistsError
+from dynamodb_encryption_sdk.identifiers import EncryptionKeyType, KeyEncodingType
+from dynamodb_encryption_sdk.material_providers import CryptographicMaterialsProvider
+from dynamodb_encryption_sdk.material_providers.wrapped import WrappedCryptographicMaterialsProvider
+from . import ProviderStore
+
+__all__ = ('MetaStore',)
+
+
+class MetaStoreAttributeNames(Enum):
+    """Names of attributes in the MetaStore table."""
+
+    PARTITION = 'N'
+    SORT = 'V'
+    INTEGRITY_ALGORITHM = 'intAlg'
+    INTEGRITY_KEY = 'int'
+    ENCRYPTION_ALGORITHM = 'encAlg'
+    ENCRYPTION_KEY = 'enc'
+    MATERIAL_TYPE_VERSION = 't'
+
+
+class MetaStoreValues(Enum):
+    """Static values for use by MetaStore."""
+
+    INTEGRITY_ALGORITHM = 'HmacSHA256'
+    ENCRYPTION_ALGORITHM = 'AES'
+    MATERIAL_TYPE_VERSION = '0'
+    KEY_BITS = 256
+
+
+#: Field in material description to use for the MetaStore material name and version.
+_MATERIAL_DESCRIPTION_META_FIELD = 'amzn-ddb-meta-id'
+
+
+@attr.s(init=False)
+class MetaStore(ProviderStore):
+    """Create and retrieve wrapped cryptographic materials providers, storing their cryptographic
+    materials using the provided encrypted table.
+
+    :param table: Pre-configured boto3 DynamoDB Table object
+    :type table: boto3.resources.base.ServiceResource
+    :param materials_provider: Cryptographic materials provider to use
+    :type materials_provider: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider
+    """
+
+    _table = attr.ib(validator=attr.validators.instance_of(botocore.client.BaseClient))
+    _materials_provider = attr.ib(validator=attr.validators.instance_of(CryptographicMaterialsProvider))
+
+    def __init__(self, table, materials_provider):
+        # type: (botocore.client.BaseClient, CryptographicMaterialsProvider) -> None
+        """Workaround pending resolution of attrs/mypy interaction.
+        https://github.com/python/mypy/issues/2088
+        https://github.com/python-attrs/attrs/issues/215
+        """
+        self._table = table
+        self._materials_provider = materials_provider
+        attr.validate(self)
+        self.__attrs_post_init__()
+
+    def __attrs_post_init__(self):
+        # type: () -> None
+        """Prepare the encrypted table resource from the provided table and materials provider."""
+        self._encrypted_table = EncryptedTable(  # attrs confuses pylint: disable=attribute-defined-outside-init
+            table=self._table,
+            materials_provider=self._materials_provider
+        )
+
+    def create_table(self, read_units, write_units):
+        # type: (int, int) -> None
+        """Create the table for this MetaStore.
+
+        :param int read_units: Read capacity units to provision
+        :param int write_units: Write capacity units to provision
+        """
+        try:
+            self._table.meta.client.create_table(
+                TableName=self._table.name,
+                AttributeDefinitions=[
+                    {
+                        'AttributeName': MetaStoreAttributeNames.PARTITION.value,
+                        'AttributeType': 'S'
+                    },
+                    {
+                        'AttributeName': MetaStoreAttributeNames.SORT.value,
+                        'AttributeName': 'N'
+                    }
+                ],
+                KeySchema=[
+                    {
+                        'AttributeName': MetaStoreAttributeNames.PARTITION.value,
+                        'KeyType': 'HASH'
+                    },
+                    {
+                        'AttributeName': MetaStoreAttributeNames.SORT.value,
+                        'KeyType': 'RANGE'
+                    }
+                ],
+                ProvisionedThroughput={
+                    'ReadCapacityUnits': read_units,
+                    'WriteCapacityUnits': write_units
+                }
+            )
+        except botocore.exceptions.ClientError:
+            raise Exception('TODO: Could not create table')
+
+    def _load_materials(self, material_name, version):
+        # type: (Text, int) -> Tuple[JceNameLocalDelegatedKey, JceNameLocalDelegatedKey]
+        """Load materials from table.
+
+        :returns: Materials loaded into delegated keys
+        :rtype: tuple of JceNameLocalDelegatedKey
+        """
+        key = {
+            MetaStoreAttributeNames.PARTITION.value: material_name,
+            MetaStoreAttributeNames.SORT.value: version
+        }
+        response = self._encrypted_table.get_item(Key=key)
+        try:
+            item = response['Item']
+        except KeyError:
+            raise InvalidVersionError('Version not found: "{}#{}"'.format(material_name, version))
+
+        try:
+            encryption_key_kwargs = dict(
+                key=item[MetaStoreAttributeNames.ENCRYPTION_KEY.value],
+                algorithm=item[MetaStoreAttributeNames.ENCRYPTION_ALGORITHM.value],
+                key_type=EncryptionKeyType.SYMMETRIC,
+                key_encoding=KeyEncodingType.RAW
+            )
+            signing_key_kwargs = dict(
+                key=item[MetaStoreAttributeNames.INTEGRITY_KEY.value],
+                algorithm=item[MetaStoreAttributeNames.INTEGRITY_ALGORITHM.value],
+                key_type=EncryptionKeyType.SYMMETRIC,
+                key_encoding=KeyEncodingType.RAW
+            )
+        except KeyError:
+            raise Exception('TODO: Invalid record')
+
+        if item[MetaStoreAttributeNames.MATERIAL_TYPE_VERSION] != MetaStoreValues.MATERIAL_TYPE_VERSION:
+            raise InvalidVersionError('Unsupported material type: "{}"'.format(
+                item[MetaStoreAttributeNames.MATERIAL_TYPE_VERSION]
+            ))
+
+        encryption_key = JceNameLocalDelegatedKey(**encryption_key_kwargs)
+        signing_key = JceNameLocalDelegatedKey(**signing_key_kwargs)
+        return encryption_key, signing_key
+
+    def _save_materials(self, material_name, version, encryption_key, signing_key):
+        # type: (Text, int, JceNameLocalDelegatedKey, JceNameLocalDelegatedKey) -> None
+        """Save materials to the table, raising an error if the version already exists.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate
+        :raises VersionAlreadyExistsError: if the specified version already exists
+        """
+        item = {
+            MetaStoreAttributeNames.PARTITION.value: material_name,
+            MetaStoreAttributeNames.SORT.value: version,
+            MetaStoreAttributeNames.MATERIAL_TYPE_VERSION.value: MetaStoreValues.MATERIAL_TYPE_VERSION.value,
+            MetaStoreAttributeNames.ENCRYPTION_ALGORITHM.value: encryption_key.algorithm,
+            MetaStoreAttributeNames.ENCRYPTION_KEY.value: Binary(encryption_key.key),
+            MetaStoreAttributeNames.INTEGRITY_ALGORITHM.value: signing_key.algorithm,
+            MetaStoreAttributeNames.INTEGRITY_KEY.value: Binary(signing_key.key)
+        }
+        try:
+            self._encrypted_table.put_item(
+                Item=item,
+                ConditionExpression=(
+                    Attr(MetaStoreAttributeNames.PARTITION.value).not_exists() &
+                    Attr(MetaStoreAttributeNames.SORT.value).not_exists()
+                )
+            )
+        except botocore.exceptions.ClientError as error:
+            if error.response['Error']['Code'] == 'ConditionalCheckFailedException':
+                raise VersionAlreadyExistsError('Version already exists: "{}#{}"'.format(material_name, version))
+
+    def _save_or_load_materials(
+            self,
+            material_name,  # type: Text
+            version,  # type: int
+            encryption_key,  # type: JceNameLocalDelegatedKey
+            signing_key  # type: JceNameLocalDelegatedKey
+    ):
+        # type: (...) -> Tuple[JceNameLocalDelegatedKey, JceNameLocalDelegatedKey]
+        """Attempt to save the materials to the table.
+
+        If the specified version already exists, the existing materials will be loaded from
+        the table and returned. Otherwise, the provided materials will be returned.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate
+        :param encryption_key: Loaded encryption key
+        :type encryption_key: dynamodb_encryption_sdk.delegated_keys.jce.JceNameLocalDelegatedKey
+        :param signing_key: Loaded signing key
+        :type signing_key: dynamodb_encryption_sdk.delegated_keys.jce.JceNameLocalDelegatedKey
+        """
+        try:
+            self._save_materials(material_name, version, encryption_key, signing_key)
+            return encryption_key, signing_key
+        except VersionAlreadyExistsError:
+            return self._load_materials(material_name, version)
+
+    @staticmethod
+    def _material_description(material_name, version):
+        # type: (Text, int) -> Dict[Text, Text]
+        """Build a material description from a material name and version.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate
+        """
+        return {_MATERIAL_DESCRIPTION_META_FIELD: '{name}#{version}'.format(name=material_name, version=version)}
+
+    def _load_provider_from_table(self, material_name, version):
+        # type: (Text, int) -> CryptographicMaterialsProvider
+        """Load a provider from the table.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate
+        """
+        encryption_key, signing_key = self._load_materials(material_name, version)
+        return WrappedCryptographicMaterialsProvider(
+            signing_key=signing_key,
+            wrapping_key=encryption_key,
+            unwrapping_key=encryption_key,
+            material_description=self._material_description(material_name, version)
+        )
+
+    def get_or_create_provider(self, material_name, version):
+        # type: (Text, int) -> CryptographicMaterialsProvider
+        """Obtain a cryptographic materials provider identified by a name and version.
+
+        If the requested version does not exist, a new one will be created.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate
+        :returns: cryptographic materials provider
+        :rtype: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider
+        :raises InvalidVersionError: if the requested version is not available and cannot be created
+        """
+        encryption_key = JceNameLocalDelegatedKey.generate(
+            MetaStoreValues.ENCRYPTION_ALGORITHM.value,
+            MetaStoreValues.KEY_BITS.value
+        )
+        signing_key = JceNameLocalDelegatedKey.generate(
+            MetaStoreValues.INTEGRITY_ALGORITHM.value,
+            MetaStoreValues.KEY_BITS.value
+        )
+        encryption_key, signing_key = self._save_or_load_materials(material_name, version, encryption_key, signing_key)
+        return WrappedCryptographicMaterialsProvider(
+            signing_key=signing_key,
+            wrapping_key=encryption_key,
+            unwrapping_key=encryption_key,
+            material_description=self._material_description(material_name, version)
+        )
+
+    def provider(self, material_name, version=None):
+        # type: (Text, Optional[int]) -> CryptographicMaterialsProvider
+        """Obtain a cryptographic materials provider identified by a name and version.
+
+        If the version is provided, an error will be raised if that version is not found.
+
+        If the version is not provided, the maximum version will be used.
+
+        :param str material_name: Material to locate
+        :param int version: Version of material to locate (optional)
+        :returns: cryptographic materials provider
+        :rtype: dynamodb_encryption_sdk.material_providers.CryptographicMaterialsProvider
+        :raises InvalidVersionError: if the requested version is not found
+        """
+        if version is not None:
+            return self._load_materials(material_name, version)
+
+        return super(MetaStore, self).provider(material_name, version)
+
+    def version_from_material_description(self, material_description):
+        # (Dict[Text, Text]) -> int
+        """Determine the version from the provided material description.
+
+        :param dict material_description: Material description to use with this request
+        :returns: version to use
+        :rtype: int
+        """
+        try:
+            info = material_description[_MATERIAL_DESCRIPTION_META_FIELD]
+        except KeyError:
+            raise Exception('TODO: No info found')
+
+        try:
+            return int(info.split('#', 1)[1])
+        except (IndexError, ValueError):
+            raise Exception('TODO: Malformed info')
+
+    def max_version(self, material_name):
+        # (Text) -> int
+        """Find the maximum known version of the specified material.
+
+        :param str material_name: Material to locate
+        :returns: Maximum known version
+        :rtype: int
+        :raises NoKnownVersion: if no version can be found
+        """
+        response = self._encrypted_table.query(
+            KeyConditionExpression=Key(MetaStoreAttributeNames.PARTITION.value).eq(material_name),
+            ScanIndexForward=False,
+            Limit=1
+        )
+
+        if not response['Items']:
+            raise NoKnownVersionError('No known version for name: "{}"'.format(material_name))
+
+        return response['Items'][0][MetaStoreAttributeNames.SORT.value]
+
+    def replicate(self, material_name, version, target):
+        """"""
+        raise NotImplementedError('TODO: implement this')

src/dynamodb_encryption_sdk/material_providers/wrapped.py

@@ -12,15 +12,17 @@
 # language governing permissions and limitations under the License.
 """Cryptographic materials provider to use ephemeral content encryption keys wrapped by delegated keys."""
 import attr
+import six
 
 try:  # Python 3.5.0 and 3.5.1 have incompatible typing modules
-    from typing import Optional  # noqa pylint: disable=unused-import
+    from typing import Dict, Optional, Text  # noqa pylint: disable=unused-import
 except ImportError:  # pragma: no cover
     # We only actually need these imports when running the mypy checks
     pass
 
 from dynamodb_encryption_sdk.delegated_keys import DelegatedKey
 from dynamodb_encryption_sdk.exceptions import UnwrappingError, WrappingError
+from dynamodb_encryption_sdk.internal.validators import dictionary_validator
 from dynamodb_encryption_sdk.materials.wrapped import WrappedCryptographicMaterials
 from dynamodb_encryption_sdk.structures import EncryptionContext  # noqa pylint: disable=unused-import
 from . import CryptographicMaterialsProvider
@@ -59,21 +61,30 @@ class WrappedCryptographicMaterialsProvider(CryptographicMaterialsProvider):
         validator=attr.validators.optional(attr.validators.instance_of(DelegatedKey)),
         default=None
     )
+    _material_description = attr.ib(
+        validator=attr.validators.optional(dictionary_validator(six.string_types, six.string_types)),
+        default=attr.Factory(dict)
+    )
 
     def __init__(
             self,
             signing_key,  # type: DelegatedKey
             wrapping_key=None,  # type: Optional[DelegatedKey]
-            unwrapping_key=None  # type: Optional[DelegatedKey]
+            unwrapping_key=None,  # type: Optional[DelegatedKey]
+            material_description=None  # type: Optional[Dict[Text, Text]]
     ):
         # type: (...) -> None
         """Workaround pending resolution of attrs/mypy interaction.
         https://github.com/python/mypy/issues/2088
         https://github.com/python-attrs/attrs/issues/215
         """
+        if material_description is None:
+            material_description = {}
+
         self._signing_key = signing_key
         self._wrapping_key = wrapping_key
         self._unwrapping_key = unwrapping_key
+        self._material_description = material_description
         attr.validate(self)
 
     def _build_materials(self, encryption_context):
@@ -85,11 +96,13 @@ def _build_materials(self, encryption_context):
         :returns: Wrapped cryptographic materials
         :rtype: dynamodb_encryption_sdk.materials.wrapped.WrappedCryptographicMaterials
         """
+        material_description = self._material_description.copy()
+        material_description.update(encryption_context.material_description)
         return WrappedCryptographicMaterials(
             wrapping_key=self._wrapping_key,
             unwrapping_key=self._unwrapping_key,
             signing_key=self._signing_key,
-            material_description=encryption_context.material_description.copy()
+            material_description=material_description
         )
 
     def encryption_materials(self, encryption_context):