Skip to content

Helper client code consolidation #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 28, 2018
Merged

Helper client code consolidation #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
63a3128
consolidate encrypt/decrypt layers across encrypted Client/Resource/T…
mattsb42-aws Mar 29, 2018
cc06c2c
consolidate crypto config building logic across encrypted Client/Reso…
mattsb42-aws Mar 29, 2018
34eaec6
only use positional arguments when preparing partially curried functi…
mattsb42-aws Apr 11, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 0 additions & 14 deletions src/dynamodb_encryption_sdk/encrypted/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,17 +87,3 @@ def copy(self):
encryption_context=copy.copy(self.encryption_context),
attribute_actions=self.attribute_actions
)


def validate_get_arguments(kwargs):
# type: (Dict[Text, Any]) -> None
"""Verify that attribute filtering parameters are not found in the request.

:raises InvalidArgumentError: if banned parameters are found
"""
for arg in ('AttributesToGet', 'ProjectionExpression'):
if arg in kwargs:
raise InvalidArgumentError('"{}" is not supported for this operation'.format(arg))

if kwargs.get('Select', None) in ('SPECIFIC_ATTRIBUTES', 'ALL_PROJECTED_ATTRIBUTES', 'SPECIFIC_ATTRIBUTES'):
raise InvalidArgumentError('Scan "Select" value of "{}" is not supported'.format(kwargs['Select']))
189 changes: 57 additions & 132 deletions src/dynamodb_encryption_sdk/encrypted/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,20 +11,26 @@
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
"""High-level helper class to provide a familiar interface to encrypted tables."""
from functools import partial

import attr
import botocore.client

from dynamodb_encryption_sdk.internal.utils import TableInfoCache
from dynamodb_encryption_sdk.internal.utils import (
crypto_config_from_cache, crypto_config_from_kwargs,
decrypt_batch_get_item, decrypt_get_item, decrypt_multi_get,
encrypt_batch_write_item, encrypt_put_item, TableInfoCache
)
from dynamodb_encryption_sdk.material_providers import CryptographicMaterialsProvider
from dynamodb_encryption_sdk.structures import AttributeActions, EncryptionContext
from . import CryptoConfig, validate_get_arguments
from dynamodb_encryption_sdk.structures import AttributeActions
from .item import decrypt_dynamodb_item, encrypt_dynamodb_item

__all__ = ('EncryptedClient',)


@attr.s
class EncryptedClient(object):
# pylint: disable=too-few-public-methods,too-many-instance-attributes
"""High-level helper class to provide a familiar interface to encrypted tables.

.. note::
Expand Down Expand Up @@ -57,11 +63,57 @@ class EncryptedClient(object):
)

def __attrs_post_init__(self):
"""Set up the table info cache."""
self._table_info_cache = TableInfoCache(
"""Set up the table info cache and translation methods."""
self._table_info_cache = TableInfoCache( # attrs confuses pylint: disable=attribute-defined-outside-init
client=self._client,
auto_refresh_table_indexes=self._auto_refresh_table_indexes
)
self._table_crypto_config = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
crypto_config_from_cache,
self._materials_provider,
self._attribute_actions,
self._table_info_cache
)
self._item_crypto_config = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
crypto_config_from_kwargs,
self._table_crypto_config
)
self.get_item = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
decrypt_get_item,
decrypt_dynamodb_item,
self._item_crypto_config,
self._client.get_item
)
self.put_item = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
encrypt_put_item,
encrypt_dynamodb_item,
self._item_crypto_config,
self._client.put_item
)
self.query = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
decrypt_multi_get,
decrypt_dynamodb_item,
self._item_crypto_config,
self._client.query
)
self.scan = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
decrypt_multi_get,
decrypt_dynamodb_item,
self._item_crypto_config,
self._client.scan
)
self.batch_get_item = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
decrypt_batch_get_item,
decrypt_dynamodb_item,
self._table_crypto_config,
self._client.batch_get_item
)
self.batch_write_item = partial( # attrs confuses pylint: disable=attribute-defined-outside-init
encrypt_batch_write_item,
encrypt_dynamodb_item,
self._table_crypto_config,
self._client.batch_write_item
)

def __getattr__(self, name):
"""Catch any method/attribute lookups that are not defined in this class and try
Expand All @@ -73,133 +125,6 @@ def __getattr__(self, name):
"""
return getattr(self._client, name)

def _crypto_config(self, table_name, **kwargs):
"""Pull all encryption-specific parameters from the request and use them to build a crypto config.

:returns: crypto config and updated kwargs
:rtype: dynamodb_encryption_sdk.encrypted.CryptoConfig and dict
"""
crypto_config = kwargs.pop('crypto_config', None)

if crypto_config is not None:
return crypto_config, kwargs

table_info = self._table_info_cache.table_info(table_name)

attribute_actions = self._attribute_actions.copy()
attribute_actions.set_index_keys(*table_info.protected_index_keys())

crypto_config = CryptoConfig(
materials_provider=self._materials_provider,
encryption_context=EncryptionContext(**table_info.encryption_context_values),
attribute_actions=attribute_actions
)
return crypto_config, kwargs

def update_item(self, **kwargs):
"""Update item is not yet supported."""
raise NotImplementedError('"update_item" is not yet implemented')

def get_item(self, **kwargs):
"""Transparently decrypt an item after getting it from the table.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#DynamoDB.Client.get_item
"""
validate_get_arguments(kwargs)
crypto_config, ddb_kwargs = self._crypto_config(kwargs['TableName'], **kwargs)
response = self._client.get_item(**ddb_kwargs)
if 'Item' in response:
response['Item'] = decrypt_dynamodb_item(
item=response['Item'],
crypto_config=crypto_config
)
return response

def put_item(self, **kwargs):
"""Transparently encrypt an item before putting it to the table.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#DynamoDB.Client.put_item
"""
crypto_config, ddb_kwargs = self._crypto_config(kwargs['TableName'], **kwargs)
ddb_kwargs['Item'] = encrypt_dynamodb_item(
item=ddb_kwargs['Item'],
crypto_config=crypto_config
)
return self._client.put_item(**ddb_kwargs)

def _encrypted_multi_get_single_table(self, method, **kwargs):
"""Transparently decrypt multiple items after getting them from the table.

:param method: Method from underlying DynamoDB client object to use
:type method: callable
"""
validate_get_arguments(kwargs)
crypto_config, ddb_kwargs = self._crypto_config(kwargs['TableName'], **kwargs)
response = method(**ddb_kwargs)
for pos in range(len(response['Items'])):
response['Items'][pos] = decrypt_dynamodb_item(
item=response['Items'][pos],
crypto_config=crypto_config
)
return response

def query(self, **kwargs):
"""Transparently decrypt multiple items after getting them from a query request to the table.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#DynamoDB.Client.query
"""
return self._encrypted_multi_get_single_table(self._client.query, **kwargs)

def scan(self, **kwargs):
"""Transparently decrypt multiple items after getting them from a scan request to the table.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#DynamoDB.Client.scan
"""
return self._encrypted_multi_get_single_table(self._client.scan, **kwargs)

def batch_get_item(self, **kwargs):
"""Transparently decrypt multiple items after getting them from a batch get item request.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#DynamoDB.Client.batch_get_item
"""
for _table_name, table_kwargs in kwargs['RequestItems'].items():
validate_get_arguments(table_kwargs)

request_crypto_config = kwargs.pop('crypto_config', None)

response = self._client.batch_get_item(**kwargs)
for table_name, items in response['Responses'].items():
if request_crypto_config is not None:
crypto_config = request_crypto_config
else:
crypto_config = self._crypto_config(table_name)[0]

for pos in range(len(items)):
items[pos] = decrypt_dynamodb_item(
item=items[pos],
crypto_config=crypto_config
)
return response

def batch_write_item(self, **kwargs):
"""Transparently encrypt multiple items before writing them with a batch write item request.

https://boto3.readthedocs.io/en/latest/reference/services/dynamodb.html#DynamoDB.Client.batch_write_item
"""
request_crypto_config = kwargs.pop('crypto_config', None)

for table_name, items in kwargs['RequestItems'].items():
if request_crypto_config is not None:
crypto_config = request_crypto_config
else:
crypto_config = self._crypto_config(table_name)[0]

for pos in range(len(items)):
for request_type, item in items[pos].items():
# We don't encrypt primary indexes, so we can ignore DeleteItem requests
if request_type == 'PutRequest':
items[pos][request_type]['Item'] = encrypt_dynamodb_item(
item=item['Item'],
crypto_config=crypto_config
)
return self._client.batch_write_item(**kwargs)
Loading