Creating a specific provider instead a client to avoid any http call from AWS SDK Encryption lib

Author: leandrodamascena

Makefile

@@ -7,13 +7,13 @@ target:
 dev:
 	pip install --upgrade pip pre-commit poetry
 	@$(MAKE) dev-version-plugin
-	poetry install --extras "all"
+	poetry install --extras "all datamasking-aws-sdk"
 	pre-commit install
 
 dev-gitpod:
 	pip install --upgrade pip poetry
 	@$(MAKE) dev-version-plugin
-	poetry install --extras "all"
+	poetry install --extras "all datamasking-aws-sdk"
 	pre-commit install
 
 format:

aws_lambda_powertools/utilities/data_masking/__init__.py

@@ -0,0 +1,5 @@
+from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+
+__all__ = [
+    "DataMasking",
+]

aws_lambda_powertools/utilities/data_masking/base.py

@@ -5,6 +5,38 @@
 
 
 class DataMasking:
+    """
+    A utility class for masking sensitive data within various data types.
+
+    This class provides methods for masking sensitive information, such as personal
+    identifiers or confidential data, within different data types such as strings,
+    dictionaries, lists, and more. It helps protect sensitive information while
+    preserving the structure of the original data.
+
+    Usage:
+    Instantiate an object of this class and use its methods to mask sensitive data
+    based on the data type. Supported data types include strings, dictionaries,
+    and more.
+
+    Example:
+    ```
+    from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+
+    def lambda_handler(event, context):
+        masker = DataMasking()
+
+        data = {
+            "project": "powertools",
+            "sensitive": "xxxxxxxxxx"
+        }
+
+        masked = masker.mask(data,fields=["sensitive"])
+
+        return masked
+
+    ```
+    """
+
     def __init__(self, provider: Optional[BaseProvider] = None):
         self.provider = provider or BaseProvider()
 

aws_lambda_powertools/utilities/data_masking/provider/__init__.py

@@ -0,0 +1,5 @@
+from aws_lambda_powertools.utilities.data_masking.provider.base import BaseProvider
+
+__all__ = [
+    "BaseProvider",
+]

aws_lambda_powertools/utilities/data_masking/provider.py renamed to aws_lambda_powertools/utilities/data_masking/provider/base.py

@@ -1,5 +1,5 @@
 import json
-from typing import Any, Union
+from typing import Any
 
 from aws_lambda_powertools.utilities.data_masking.constants import DATA_MASKING_STRING
 
@@ -20,7 +20,7 @@ def default_json_serializer(self, data):
     def default_json_deserializer(self, data):
         return json.loads(data.decode("utf-8"))
 
-    def encrypt(self, data) -> Union[bytes, str]:
+    def encrypt(self, data) -> str:
         raise NotImplementedError("Subclasses must implement encrypt()")
 
     def decrypt(self, data) -> Any:

aws_lambda_powertools/utilities/data_masking/provider/kms/__init__.py

@@ -0,0 +1,5 @@
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
+
+__all__ = [
+    "AwsEncryptionSdkProvider",
+]

aws_lambda_powertools/utilities/data_masking/providers/aws_encryption_sdk.py renamed to aws_lambda_powertools/utilities/data_masking/provider/kms/aws_encryption_sdk.py

@@ -1,5 +1,7 @@
+from __future__ import annotations
+
 import base64
-from typing import Any, Callable, Dict, List, Optional, Union
+from typing import Any, Callable, Dict, List
 
 import botocore
 from aws_encryption_sdk import (
@@ -26,43 +28,97 @@ def __init__(self, key):
 
 class AwsEncryptionSdkProvider(BaseProvider):
     """
-    The AwsEncryptionSdkProvider is to be used as a Provider for the Datamasking class.
-
-    Example
-    -------
-        >>> data_masker = DataMasking(provider=AwsEncryptionSdkProvider(keys=[keyARN1, keyARN2,...,]))
-        >>> encrypted_data = data_masker.encrypt("a string")
-        "encrptedBase64String"
-        >>> decrypted_data = data_masker.decrypt(encrypted_data)
-        "a string"
-    """
+    The AwsEncryptionSdkProvider is used as a provider for the DataMasking class.
+
+    This provider allows you to perform data masking using the AWS Encryption SDK
+    for encryption and decryption. It integrates with the DataMasking class to
+    securely encrypt and decrypt sensitive data.
+
+    Usage Example:
+    ```
+    from aws_lambda_powertools.utilities.data_masking import DataMasking
+    from aws_lambda_powertools.utilities.data_masking.providers.kms.aws_encryption_sdk import (
+        AwsEncryptionSdkProvider,
+    )
+
+
+    def lambda_handler(event, context):
+        provider = AwsEncryptionSdkProvider(["arn:aws:kms:us-east-1:0123456789012:key/key-id"])
+        masker = DataMasking(provider=provider)
+
+        data = {
+            "project": "powertools",
+            "sensitive": "xxxxxxxxxx"
+        }
+
+        masked = masker.encrypt(data,fields=["sensitive"])
 
-    session = botocore.session.Session()
-    register_feature_to_botocore_session(session, "data-masking")
+        return masked
+
+    ```
+    """
 
     def __init__(
         self,
         keys: List[str],
-        client: Optional[EncryptionSDKClient] = None,
+        key_provider=None,
         local_cache_capacity: int = CACHE_CAPACITY,
         max_cache_age_seconds: float = MAX_CACHE_AGE_SECONDS,
         max_messages_encrypted: int = MAX_MESSAGES_ENCRYPTED,
-        json_serializer: Optional[Callable[[Dict], str]] = None,
-        json_deserializer: Optional[Callable[[Union[Dict, str, bool, int, float]], str]] = None,
+        json_serializer: Callable | None = None,
+        json_deserializer: Callable | None = None,
     ):
         super().__init__(json_serializer=json_serializer, json_deserializer=json_deserializer)
-        self.client = client or EncryptionSDKClient()
+
+        self._key_provider = key_provider or KMSKeyProvider(
+            keys=keys,
+            local_cache_capacity=local_cache_capacity,
+            max_cache_age_seconds=max_cache_age_seconds,
+            max_messages_encrypted=max_messages_encrypted,
+            json_serializer=self.json_serializer,
+            json_deserializer=self.json_deserializer,
+        )
+
+    def encrypt(self, data: bytes | str | Dict | int, **provider_options) -> str:
+        return self._key_provider.encrypt(data=data, **provider_options)
+
+    def decrypt(self, data: str, **provider_options) -> Any:
+        return self._key_provider.decrypt(data=data, **provider_options)
+
+
+class KMSKeyProvider:
+
+    """
+    The KMSKeyProvider is responsible for assembling an AWS Key Management Service (KMS)
+    client, a caching mechanism, and a keyring for secure key management and data encryption.
+    """
+
+    def __init__(
+        self,
+        keys: List[str],
+        json_serializer: Callable,
+        json_deserializer: Callable,
+        local_cache_capacity: int = CACHE_CAPACITY,
+        max_cache_age_seconds: float = MAX_CACHE_AGE_SECONDS,
+        max_messages_encrypted: int = MAX_MESSAGES_ENCRYPTED,
+    ):
+        session = botocore.session.Session()
+        register_feature_to_botocore_session(session, "data-masking")
+
+        self.json_serializer = json_serializer
+        self.json_deserializer = json_deserializer
+        self.client = EncryptionSDKClient()
         self.keys = keys
         self.cache = LocalCryptoMaterialsCache(local_cache_capacity)
-        self.key_provider = StrictAwsKmsMasterKeyProvider(key_ids=self.keys, botocore_session=self.session)
+        self.key_provider = StrictAwsKmsMasterKeyProvider(key_ids=self.keys, botocore_session=session)
         self.cache_cmm = CachingCryptoMaterialsManager(
             master_key_provider=self.key_provider,
             cache=self.cache,
             max_age=max_cache_age_seconds,
             max_messages_encrypted=max_messages_encrypted,
         )
 
-    def encrypt(self, data: Union[bytes, str], **provider_options) -> bytes:
+    def encrypt(self, data: bytes | str | Dict | float, **provider_options) -> str:
         """
         Encrypt data using the AwsEncryptionSdkProvider.
 
@@ -78,8 +134,12 @@ def encrypt(self, data: Union[bytes, str], **provider_options) -> bytes:
             ciphertext : str
                 The encrypted data, as a base64-encoded string.
         """
-        data = self.json_serializer(data)
-        ciphertext, _ = self.client.encrypt(source=data, materials_manager=self.cache_cmm, **provider_options)
+        data_encoded = self.json_serializer(data)
+        ciphertext, _ = self.client.encrypt(
+            source=data_encoded,
+            materials_manager=self.cache_cmm,
+            **provider_options,
+        )
         ciphertext = base64.b64encode(ciphertext).decode()
         return ciphertext
 

aws_lambda_powertools/utilities/data_masking/providers/__init__.py

@@ -92,14 +92,13 @@ datadog-lambda = "^4.77.0"
 
 [tool.poetry.extras]
 parser = ["pydantic"]
-datamasking-aws-sdk= ["aws-encryption-sdk"]
-datamasking-all = ["aws-encryption-sdk"]
 validation = ["fastjsonschema"]
 tracer = ["aws-xray-sdk"]
-all = ["pydantic", "aws-xray-sdk", "fastjsonschema", "aws-encryption-sdk"]
+all = ["pydantic", "aws-xray-sdk", "fastjsonschema"]
 # allow customers to run code locally without emulators (SAM CLI, etc.)
 aws-sdk = ["boto3"]
 datadog = ["datadog-lambda"]
+datamasking-aws-sdk = ["aws-encryption-sdk"]
 
 [tool.poetry.group.dev.dependencies]
 cfn-lint = "0.80.3"

pyproject.toml

@@ -1,6 +1,6 @@
 from aws_lambda_powertools import Logger
-from aws_lambda_powertools.utilities.data_masking.base import DataMasking
-from aws_lambda_powertools.utilities.data_masking.providers.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
 
 logger = Logger()
 

tests/e2e/data_masking/handlers/basic_handler.py

@@ -4,8 +4,8 @@
 import pytest
 from aws_encryption_sdk.exceptions import DecryptKeyError
 
-from aws_lambda_powertools.utilities.data_masking.base import DataMasking
-from aws_lambda_powertools.utilities.data_masking.providers.aws_encryption_sdk import (
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import (
     AwsEncryptionSdkProvider,
     ContextMismatchError,
 )

tests/e2e/data_masking/test_e2e_data_masking.py

@@ -1,23 +1,6 @@
-from __future__ import annotations
-
-from typing import Tuple
-
 from pytest_socket import disable_socket
 
 
 def pytest_runtest_setup():
     """Disable Unix and TCP sockets for Data masking tests"""
     disable_socket()
-
-
-class FakeEncryptionClient:
-    ENCRYPTION_HEADER = "test"
-
-    def encrypt(self, source: bytes | str, **kwargs) -> Tuple[bytes, str]:
-        if isinstance(source, str):
-            return source.encode(), self.ENCRYPTION_HEADER
-
-        return source, self.ENCRYPTION_HEADER
-
-    def decrypt(self, source: bytes, **kwargs) -> Tuple[bytes, str]:
-        return source, "dummy_decryption_header"

tests/functional/data_masking/conftest.py

@@ -1,25 +1,46 @@
 from __future__ import annotations
 
+import base64
 import json
+from typing import Any, Callable, Dict, Union
 
 import pytest
 
-from aws_lambda_powertools.utilities.data_masking.base import DataMasking
+from aws_lambda_powertools.utilities.data_masking import DataMasking
 from aws_lambda_powertools.utilities.data_masking.constants import DATA_MASKING_STRING
-from aws_lambda_powertools.utilities.data_masking.providers.aws_encryption_sdk import (
+from aws_lambda_powertools.utilities.data_masking.provider import BaseProvider
+from aws_lambda_powertools.utilities.data_masking.provider.kms import (
     AwsEncryptionSdkProvider,
 )
-from tests.functional.data_masking.conftest import FakeEncryptionClient
+
+
+class FakeEncryptionKeyProvider(BaseProvider):
+    def __init__(
+        self,
+        json_serializer: Callable[[Dict], str] | None = None,
+        json_deserializer: Callable[[Union[Dict, str, bool, int, float]], str] | None = None,
+    ):
+        super().__init__(json_serializer=json_serializer, json_deserializer=json_deserializer)
+
+    def encrypt(self, data: bytes | str, **kwargs) -> str:
+        data = self.json_serializer(data)
+        ciphertext = base64.b64encode(data).decode()
+        return ciphertext
+
+    def decrypt(self, data: bytes, **kwargs) -> Any:
+        ciphertext_decoded = base64.b64decode(data)
+        ciphertext = self.json_deserializer(ciphertext_decoded)
+        return ciphertext
 
 
 @pytest.fixture
 def data_masker(monkeypatch) -> DataMasking:
-    # Setting a default region
-    monkeypatch.setenv("AWS_DEFAULT_REGION", "us-east-1")
-
     """DataMasking using AWS Encryption SDK Provider with a fake client"""
-    fake_client = FakeEncryptionClient()
-    provider = AwsEncryptionSdkProvider(keys=["dummy"], client=fake_client)
+    fake_key_provider = FakeEncryptionKeyProvider()
+    provider = AwsEncryptionSdkProvider(
+        keys=["dummy"],
+        key_provider=fake_key_provider,
+    )
     return DataMasking(provider=provider)
 
 

tests/functional/data_masking/test_aws_encryption_sdk.py

@@ -3,8 +3,8 @@
 from aws_lambda_powertools import Logger, Tracer
 from aws_lambda_powertools.event_handler import APIGatewayRestResolver
 from aws_lambda_powertools.logging import correlation_paths
-from aws_lambda_powertools.utilities.data_masking.base import DataMasking
-from aws_lambda_powertools.utilities.data_masking.providers.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
 from aws_lambda_powertools.utilities.typing import LambdaContext
 
 KMS_KEY_ARN = os.environ["KMS_KEY_ARN"]

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024/app.py

@@ -3,8 +3,8 @@
 from aws_lambda_powertools import Logger, Tracer
 from aws_lambda_powertools.event_handler import APIGatewayRestResolver
 from aws_lambda_powertools.logging import correlation_paths
-from aws_lambda_powertools.utilities.data_masking.base import DataMasking
-from aws_lambda_powertools.utilities.data_masking.providers.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
 from aws_lambda_powertools.utilities.typing import LambdaContext
 
 KMS_KEY_ARN = os.environ["KMS_KEY_ARN"]

tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128/app.py

@@ -3,8 +3,8 @@
 from aws_lambda_powertools import Logger, Tracer
 from aws_lambda_powertools.event_handler import APIGatewayRestResolver
 from aws_lambda_powertools.logging import correlation_paths
-from aws_lambda_powertools.utilities.data_masking.base import DataMasking
-from aws_lambda_powertools.utilities.data_masking.providers.aws_encryption_sdk import AwsEncryptionSdkProvider
+from aws_lambda_powertools.utilities.data_masking import DataMasking
+from aws_lambda_powertools.utilities.data_masking.provider.kms.aws_encryption_sdk import AwsEncryptionSdkProvider
 from aws_lambda_powertools.utilities.typing import LambdaContext
 
 KMS_KEY_ARN = os.environ["KMS_KEY_ARN"]