Struct DbEsdkInterceptor

Source
pub struct DbEsdkInterceptor { /* private fields */ }

Implementations§

Source§

impl DbEsdkInterceptor

Source

pub fn new(config: DynamoDbTablesEncryptionConfig) -> Result<Self, Error>

Examples found in repository?
examples/keyring/raw_aes_keyring.rs (line 116)
40pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
41    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
42    let aes_key_bytes = generate_aes_key_bytes();
43
44    // 1. Create the keyring.
45    //    The DynamoDb encryption client uses this to encrypt and decrypt items.
46    let mpl_config = MaterialProvidersConfig::builder().build()?;
47    let mpl = mpl_client::Client::from_conf(mpl_config)?;
48    let raw_aes_keyring = mpl
49        .create_raw_aes_keyring()
50        .key_name("my-aes-key-name")
51        .key_namespace("my-key-namespace")
52        .wrapping_key(aes_key_bytes)
53        .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
54        .send()
55        .await?;
56
57    // 2. Configure which attributes are encrypted and/or signed when writing new items.
58    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
59    //    we must explicitly configure how they should be treated during item encryption:
60    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
61    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
62    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
63    let attribute_actions_on_encrypt = HashMap::from([
64        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
65        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
66        ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
67    ]);
68
69    // 3. Configure which attributes we expect to be included in the signature
70    //    when reading items. There are two options for configuring this:
71    //
72    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
73    //      When defining your DynamoDb schema and deciding on attribute names,
74    //      choose a distinguishing prefix (such as ":") for all attributes that
75    //      you do not want to include in the signature.
76    //      This has two main benefits:
77    //      - It is easier to reason about the security and authenticity of data within your item
78    //        when all unauthenticated data is easily distinguishable by their attribute name.
79    //      - If you need to add new unauthenticated attributes in the future,
80    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
81    //        and immediately start writing to that new attribute, without
82    //        any other configuration update needed.
83    //      Once you configure this field, it is not safe to update it.
84    //
85    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
86    //      a set of attributes that should be considered unauthenticated when encountered
87    //      on read. Be careful if you use this configuration. Do not remove an attribute
88    //      name from this configuration, even if you are no longer writing with that attribute,
89    //      as old items may still include this attribute, and our configuration needs to know
90    //      to continue to exclude this attribute from the signature scope.
91    //      If you add new attribute names to this field, you must first deploy the update to this
92    //      field to all readers in your host fleet before deploying the update to start writing
93    //      with that new attribute.
94    //
95    //   For this example, we currently authenticate all attributes. To make it easier to
96    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
97    const UNSIGNED_ATTR_PREFIX: &str = ":";
98
99    // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
100    let table_config = DynamoDbTableEncryptionConfig::builder()
101        .logical_table_name(ddb_table_name)
102        .partition_key_name("partition_key")
103        .sort_key_name("sort_key")
104        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
105        .keyring(raw_aes_keyring)
106        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
107        .build()?;
108
109    let table_configs = DynamoDbTablesEncryptionConfig::builder()
110        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
111        .build()?;
112
113    // 5. Create a new AWS SDK DynamoDb client using the Config above
114    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
115    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
116        .interceptor(DbEsdkInterceptor::new(table_configs)?)
117        .build();
118    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
119
120    // 6. Put an item into our table using the above client.
121    //    Before the item gets sent to DynamoDb, it will be encrypted
122    //    client-side, according to our configuration.
123    let item = HashMap::from([
124        (
125            "partition_key".to_string(),
126            AttributeValue::S("rawAesKeyringItem".to_string()),
127        ),
128        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
129        (
130            "sensitive_data".to_string(),
131            AttributeValue::S("encrypt and sign me!".to_string()),
132        ),
133    ]);
134
135    ddb.put_item()
136        .table_name(ddb_table_name)
137        .set_item(Some(item.clone()))
138        .send()
139        .await?;
140
141    // 7. Get the item back from our table using the same client.
142    //    The client will decrypt the item client-side, and return
143    //    back the original item.
144    let key_to_get = HashMap::from([
145        (
146            "partition_key".to_string(),
147            AttributeValue::S("rawAesKeyringItem".to_string()),
148        ),
149        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
150    ]);
151
152    let resp = ddb
153        .get_item()
154        .table_name(ddb_table_name)
155        .set_key(Some(key_to_get))
156        // In this example we configure a strongly consistent read
157        // because we perform a read immediately after a write (for demonstrative purposes).
158        // By default, reads are only eventually consistent.
159        // Read our docs to determine which read consistency to use for your application:
160        // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
161        .consistent_read(true)
162        .send()
163        .await?;
164
165    assert_eq!(resp.item, Some(item));
166
167    println!("raw_aes_keyring successful.");
168    Ok(())
169}
More examples
Hide additional examples
examples/keyring/raw_rsa_keyring.rs (line 154)
57pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
58    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
59
60    // You may provide your own RSA key pair in the files located at
61    //  - EXAMPLE_RSA_PRIVATE_KEY_FILENAME
62    //  - EXAMPLE_RSA_PUBLIC_KEY_FILENAME
63    // If these files are not present, this will generate a pair for you
64    if should_generate_new_rsa_key_pair()? {
65        generate_rsa_key_pair()?;
66    }
67
68    // 1. Load key pair from UTF-8 encoded PEM files.
69    //    You may provide your own PEM files to use here.
70    //    If you do not, the main method in this class will generate PEM
71    //    files for example use. Do not use these files for any other purpose.
72
73    let mut file = File::open(Path::new(EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
74    let mut public_key_utf8_bytes = Vec::new();
75    file.read_to_end(&mut public_key_utf8_bytes)?;
76
77    let mut file = File::open(Path::new(EXAMPLE_RSA_PRIVATE_KEY_FILENAME))?;
78    let mut private_key_utf8_bytes = Vec::new();
79    file.read_to_end(&mut private_key_utf8_bytes)?;
80
81    // 2. Create the keyring.
82    //    The DynamoDb encryption client uses this to encrypt and decrypt items.
83    let mpl_config = MaterialProvidersConfig::builder().build()?;
84    let mpl = mpl_client::Client::from_conf(mpl_config)?;
85    let raw_rsa_keyring = mpl
86        .create_raw_rsa_keyring()
87        .key_name("my-rsa-key-name")
88        .key_namespace("my-key-namespace")
89        .padding_scheme(PaddingScheme::OaepSha256Mgf1)
90        .public_key(public_key_utf8_bytes)
91        .private_key(private_key_utf8_bytes)
92        .send()
93        .await?;
94
95    // 3. Configure which attributes are encrypted and/or signed when writing new items.
96    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
97    //    we must explicitly configure how they should be treated during item encryption:
98    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
99    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
100    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
101    let attribute_actions_on_encrypt = HashMap::from([
102        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
103        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
104        ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
105    ]);
106
107    // 4. Configure which attributes we expect to be included in the signature
108    //    when reading items. There are two options for configuring this:
109    //
110    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
111    //      When defining your DynamoDb schema and deciding on attribute names,
112    //      choose a distinguishing prefix (such as ":") for all attributes that
113    //      you do not want to include in the signature.
114    //      This has two main benefits:
115    //      - It is easier to reason about the security and authenticity of data within your item
116    //        when all unauthenticated data is easily distinguishable by their attribute name.
117    //      - If you need to add new unauthenticated attributes in the future,
118    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
119    //        and immediately start writing to that new attribute, without
120    //        any other configuration update needed.
121    //      Once you configure this field, it is not safe to update it.
122    //
123    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
124    //      a set of attributes that should be considered unauthenticated when encountered
125    //      on read. Be careful if you use this configuration. Do not remove an attribute
126    //      name from this configuration, even if you are no longer writing with that attribute,
127    //      as old items may still include this attribute, and our configuration needs to know
128    //      to continue to exclude this attribute from the signature scope.
129    //      If you add new attribute names to this field, you must first deploy the update to this
130    //      field to all readers in your host fleet before deploying the update to start writing
131    //      with that new attribute.
132    //
133    //   For this example, we currently authenticate all attributes. To make it easier to
134    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
135    const UNSIGNED_ATTR_PREFIX: &str = ":";
136
137    // 5. Create the DynamoDb Encryption configuration for the table we will be writing to.
138    let table_config = DynamoDbTableEncryptionConfig::builder()
139        .logical_table_name(ddb_table_name)
140        .partition_key_name("partition_key")
141        .sort_key_name("sort_key")
142        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
143        .keyring(raw_rsa_keyring)
144        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
145        .build()?;
146
147    let table_configs = DynamoDbTablesEncryptionConfig::builder()
148        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
149        .build()?;
150
151    // 6. Create a new AWS SDK DynamoDb client using the config above
152    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
153    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
154        .interceptor(DbEsdkInterceptor::new(table_configs)?)
155        .build();
156    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
157
158    // 7. Put an item into our table using the above client.
159    //    Before the item gets sent to DynamoDb, it will be encrypted
160    //    client-side, according to our configuration.
161    let item = HashMap::from([
162        (
163            "partition_key".to_string(),
164            AttributeValue::S("rawRsaKeyringItem".to_string()),
165        ),
166        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
167        (
168            "sensitive_data".to_string(),
169            AttributeValue::S("encrypt and sign me!".to_string()),
170        ),
171    ]);
172
173    ddb.put_item()
174        .table_name(ddb_table_name)
175        .set_item(Some(item.clone()))
176        .send()
177        .await?;
178
179    // 8. Get the item back from our table using the same client.
180    //    The client will decrypt the item client-side, and return
181    //    back the original item.
182
183    let key_to_get = HashMap::from([
184        (
185            "partition_key".to_string(),
186            AttributeValue::S("rawRsaKeyringItem".to_string()),
187        ),
188        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
189    ]);
190
191    let resp = ddb
192        .get_item()
193        .table_name(ddb_table_name)
194        .set_key(Some(key_to_get))
195        // In this example we configure a strongly consistent read
196        // because we perform a read immediately after a write (for demonstrative purposes).
197        // By default, reads are only eventually consistent.
198        // Read our docs to determine which read consistency to use for your application:
199        // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
200        .consistent_read(true)
201        .send()
202        .await?;
203
204    assert_eq!(resp.item, Some(item));
205    println!("raw_rsa_keyring successful.");
206    Ok(())
207}
examples/basic_get_put_example.rs (line 119)
31pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
32    let kms_key_id = test_utils::TEST_KMS_KEY_ID;
33    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
34
35    // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
36    //    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
37    //    We will use the `CreateMrkMultiKeyring` method to create this keyring,
38    //    as it will correctly handle both single region and Multi-Region KMS Keys.
39    let provider_config = MaterialProvidersConfig::builder().build()?;
40    let mat_prov = client::Client::from_conf(provider_config)?;
41    let kms_keyring = mat_prov
42        .create_aws_kms_mrk_multi_keyring()
43        .generator(kms_key_id)
44        .send()
45        .await?;
46
47    // 2. Configure which attributes are encrypted and/or signed when writing new items.
48    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
49    //    we must explicitly configure how they should be treated during item encryption:
50    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
51    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
52    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
53    let attribute_actions_on_encrypt = HashMap::from([
54        ("partition_key".to_string(), CryptoAction::SignOnly),
55        ("sort_key".to_string(), CryptoAction::SignOnly),
56        ("attribute1".to_string(), CryptoAction::EncryptAndSign),
57        ("attribute2".to_string(), CryptoAction::SignOnly),
58        (":attribute3".to_string(), CryptoAction::DoNothing),
59    ]);
60
61    // 3. Configure which attributes we expect to be included in the signature
62    //    when reading items. There are two options for configuring this:
63    //
64    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
65    //      When defining your DynamoDb schema and deciding on attribute names,
66    //      choose a distinguishing prefix (such as ":") for all attributes that
67    //      you do not want to include in the signature.
68    //      This has two main benefits:
69    //      - It is easier to reason about the security and authenticity of data within your item
70    //        when all unauthenticated data is easily distinguishable by their attribute name.
71    //      - If you need to add new unauthenticated attributes in the future,
72    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
73    //        and immediately start writing to that new attribute, without
74    //        any other configuration update needed.
75    //      Once you configure this field, it is not safe to update it.
76    //
77    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
78    //      a set of attributes that should be considered unauthenticated when encountered
79    //      on read. Be careful if you use this configuration. Do not remove an attribute
80    //      name from this configuration, even if you are no longer writing with that attribute,
81    //      as old items may still include this attribute, and our configuration needs to know
82    //      to continue to exclude this attribute from the signature scope.
83    //      If you add new attribute names to this field, you must first deploy the update to this
84    //      field to all readers in your host fleet before deploying the update to start writing
85    //      with that new attribute.
86    //
87    //   For this example, we have designed our DynamoDb table such that any attribute name with
88    //   the ":" prefix should be considered unauthenticated.
89    const UNSIGNED_ATTR_PREFIX: &str = ":";
90
91    // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
92    let table_config = DynamoDbTableEncryptionConfig::builder()
93        .logical_table_name(ddb_table_name)
94        .partition_key_name("partition_key")
95        .sort_key_name("sort_key")
96        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
97        .keyring(kms_keyring)
98        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
99        // Specifying an algorithm suite is not required,
100        // but is done here to demonstrate how to do so.
101        // We suggest using the
102        // `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384` suite,
103        // which includes AES-GCM with key derivation, signing, and key commitment.
104        // This is also the default algorithm suite if one is not specified in this config.
105        // For more information on supported algorithm suites, see:
106        //   https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/supported-algorithms.html
107        .algorithm_suite_id(
108            DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384SymsigHmacSha384,
109        )
110        .build()?;
111
112    let table_configs = DynamoDbTablesEncryptionConfig::builder()
113        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
114        .build()?;
115
116    // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
117    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
118    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
119        .interceptor(DbEsdkInterceptor::new(table_configs)?)
120        .build();
121    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
122
123    // 6. Put an item into our table using the above client.
124    //    Before the item gets sent to DynamoDb, it will be encrypted
125    //    client-side, according to our configuration.
126    let item = HashMap::from([
127        (
128            "partition_key".to_string(),
129            AttributeValue::S("BasicPutGetExample".to_string()),
130        ),
131        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
132        (
133            "attribute1".to_string(),
134            AttributeValue::S("encrypt and sign me!".to_string()),
135        ),
136        (
137            "attribute2".to_string(),
138            AttributeValue::S("sign me!".to_string()),
139        ),
140        (
141            ":attribute3".to_string(),
142            AttributeValue::S("ignore me!".to_string()),
143        ),
144    ]);
145
146    ddb.put_item()
147        .table_name(ddb_table_name)
148        .set_item(Some(item.clone()))
149        .send()
150        .await?;
151
152    // 7. Get the item back from our table using the same client.
153    //    The client will decrypt the item client-side, and return
154    //    back the original item.
155    let key_to_get = HashMap::from([
156        (
157            "partition_key".to_string(),
158            AttributeValue::S("BasicPutGetExample".to_string()),
159        ),
160        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
161    ]);
162
163    let resp = ddb
164        .get_item()
165        .table_name(ddb_table_name)
166        .set_key(Some(key_to_get))
167        // In this example we configure a strongly consistent read
168        // because we perform a read immediately after a write (for demonstrative purposes).
169        // By default, reads are only eventually consistent.
170        // Read our docs to determine which read consistency to use for your application:
171        // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
172        .consistent_read(true)
173        .send()
174        .await?;
175
176    assert_eq!(resp.item, Some(item));
177    println!("put_item_get_item successful.");
178    Ok(())
179}
examples/keyring/kms_rsa_keyring.rs (line 154)
47pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
48    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
49    let rsa_key_arn = test_utils::TEST_KMS_RSA_KEY_ID;
50
51    // You may provide your own RSA public key at EXAMPLE_RSA_PUBLIC_KEY_FILENAME.
52    // This must be the public key for the RSA key represented at rsaKeyArn.
53    // If this file is not present, this will write a UTF-8 encoded PEM file for you.
54    if should_get_new_public_key(DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME) {
55        write_public_key_pem_for_rsa_key(
56            test_utils::TEST_KMS_RSA_KEY_ID,
57            DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME,
58        )
59        .await?;
60    }
61
62    // 1. Load UTF-8 encoded public key PEM file.
63    //    You may have an RSA public key file already defined.
64    //    If not, the main method in this class will call
65    //    the KMS RSA key, retrieve its public key, and store it
66    //    in a PEM file for example use.
67    let mut file = File::open(Path::new(DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
68    let mut public_key_utf8_bytes = Vec::new();
69    file.read_to_end(&mut public_key_utf8_bytes)?;
70
71    // 2. Create a KMS RSA keyring.
72    //    This keyring takes in:
73    //     - kmsClient
74    //     - kmsKeyId: Must be an ARN representing a KMS RSA key
75    //     - publicKey: A ByteBuffer of a UTF-8 encoded PEM file representing the public
76    //                  key for the key passed into kmsKeyId
77    //     - encryptionAlgorithm: Must be either RSAES_OAEP_SHA_256 or RSAES_OAEP_SHA_1
78    let mpl_config = MaterialProvidersConfig::builder().build()?;
79    let mpl = mpl_client::Client::from_conf(mpl_config)?;
80    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
81    let kms_rsa_keyring = mpl
82        .create_aws_kms_rsa_keyring()
83        .kms_key_id(rsa_key_arn)
84        .public_key(public_key_utf8_bytes)
85        .encryption_algorithm(aws_sdk_kms::types::EncryptionAlgorithmSpec::RsaesOaepSha256)
86        .kms_client(aws_sdk_kms::Client::new(&sdk_config))
87        .send()
88        .await?;
89
90    // 3. Configure which attributes are encrypted and/or signed when writing new items.
91    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
92    //    we must explicitly configure how they should be treated during item encryption:
93    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
94    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
95    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
96    let attribute_actions_on_encrypt = HashMap::from([
97        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
98        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
99        ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
100    ]);
101
102    // 4. Configure which attributes we expect to be included in the signature
103    //    when reading items. There are two options for configuring this:
104    //
105    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
106    //      When defining your DynamoDb schema and deciding on attribute names,
107    //      choose a distinguishing prefix (such as ":") for all attributes that
108    //      you do not want to include in the signature.
109    //      This has two main benefits:
110    //      - It is easier to reason about the security and authenticity of data within your item
111    //        when all unauthenticated data is easily distinguishable by their attribute name.
112    //      - If you need to add new unauthenticated attributes in the future,
113    //        you can easily make the corresponding update to your `attributeActions`
114    //        and immediately start writing to that new attribute, without
115    //        any other configuration update needed.
116    //      Once you configure this field, it is not safe to update it.
117    //
118    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
119    //      a set of attributes that should be considered unauthenticated when encountered
120    //      on read. Be careful if you use this configuration. Do not remove an attribute
121    //      name from this configuration, even if you are no longer writing with that attribute,
122    //      as old items may still include this attribute, and our configuration needs to know
123    //      to continue to exclude this attribute from the signature scope.
124    //      If you add new attribute names to this field, you must first deploy the update to this
125    //      field to all readers in your host fleet before deploying the update to start writing
126    //      with that new attribute.
127    //
128    //   For this example, we currently authenticate all attributes. To make it easier to
129    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
130    const UNSIGNED_ATTR_PREFIX: &str = ":";
131
132    // 5. Create the DynamoDb Encryption configuration for the table we will be writing to.
133    //    Note: To use the KMS RSA keyring, your table config must specify an algorithmSuite
134    //    that does not use asymmetric signing.
135    let table_config = DynamoDbTableEncryptionConfig::builder()
136        .logical_table_name(ddb_table_name)
137        .partition_key_name("partition_key")
138        .sort_key_name("sort_key")
139        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
140        .keyring(kms_rsa_keyring)
141        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
142        // Specify algorithmSuite without asymmetric signing here
143        // As of v3.0.0, the only supported algorithmSuite without asymmetric signing is
144        // ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384.
145        .algorithm_suite_id(DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeySymsigHmacSha384)
146        .build()?;
147
148    let table_configs = DynamoDbTablesEncryptionConfig::builder()
149        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
150        .build()?;
151
152    // 6. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
153    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
154        .interceptor(DbEsdkInterceptor::new(table_configs)?)
155        .build();
156    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
157
158    // 7. Put an item into our table using the above client.
159    //    Before the item gets sent to DynamoDb, it will be encrypted
160    //    client-side, according to our configuration.
161    let item = HashMap::from([
162        (
163            "partition_key".to_string(),
164            AttributeValue::S("awsKmsRsaKeyringItem".to_string()),
165        ),
166        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
167        (
168            "sensitive_data".to_string(),
169            AttributeValue::S("encrypt and sign me!".to_string()),
170        ),
171    ]);
172
173    ddb.put_item()
174        .table_name(ddb_table_name)
175        .set_item(Some(item.clone()))
176        .send()
177        .await?;
178
179    // 8. Get the item back from our table using the client.
180    //    The client will decrypt the item client-side using the RSA keyring
181    //    and return the original item.
182    let key_to_get = HashMap::from([
183        (
184            "partition_key".to_string(),
185            AttributeValue::S("awsKmsRsaKeyringItem".to_string()),
186        ),
187        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
188    ]);
189
190    let resp = ddb
191        .get_item()
192        .table_name(ddb_table_name)
193        .set_key(Some(key_to_get))
194        .consistent_read(true)
195        .send()
196        .await?;
197
198    assert_eq!(resp.item, Some(item));
199    println!("kms_rsa_keyring successful.");
200    Ok(())
201}
examples/keyring/hierarchical_keyring.rs (line 184)
63pub async fn put_item_get_item(
64    tenant1_branch_key_id: &str,
65    tenant2_branch_key_id: &str,
66) -> Result<(), crate::BoxError> {
67    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
68
69    let keystore_table_name = test_utils::TEST_KEYSTORE_NAME;
70    let logical_keystore_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
71    let kms_key_id = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
72
73    // Initial KeyStore Setup: This example requires that you have already
74    // created your KeyStore, and have populated it with two new branch keys.
75    // See the "Create KeyStore Table Example" and "Create KeyStore Key Example"
76    // for an example of how to do this.
77
78    // 1. Configure your KeyStore resource.
79    //    This SHOULD be the same configuration that you used
80    //    to initially create and populate your KeyStore.
81    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
82    let key_store_config = KeyStoreConfig::builder()
83        .kms_client(aws_sdk_kms::Client::new(&sdk_config))
84        .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
85        .ddb_table_name(keystore_table_name)
86        .logical_key_store_name(logical_keystore_name)
87        .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_id.to_string()))
88        .build()?;
89
90    let key_store = keystore_client::Client::from_conf(key_store_config)?;
91
92    // 2. Create a Branch Key ID Supplier. See ExampleBranchKeyIdSupplier in this directory.
93    let dbesdk_config = DynamoDbEncryptionConfig::builder().build()?;
94    let dbesdk = dbesdk_client::Client::from_conf(dbesdk_config)?;
95    let supplier = ExampleBranchKeyIdSupplier::new(tenant1_branch_key_id, tenant2_branch_key_id);
96
97    let branch_key_id_supplier = dbesdk
98        .create_dynamo_db_encryption_branch_key_id_supplier()
99        .ddb_key_branch_key_id_supplier(supplier)
100        .send()
101        .await?
102        .branch_key_id_supplier
103        .unwrap();
104
105    // 3. Create the Hierarchical Keyring, using the Branch Key ID Supplier above.
106    //    With this configuration, the AWS SDK Client ultimately configured will be capable
107    //    of encrypting or decrypting items for either tenant (assuming correct KMS access).
108    //    If you want to restrict the client to only encrypt or decrypt for a single tenant,
109    //    configure this Hierarchical Keyring using `.branchKeyId(tenant1BranchKeyId)` instead
110    //    of `.branchKeyIdSupplier(branchKeyIdSupplier)`.
111    let mpl_config = MaterialProvidersConfig::builder().build()?;
112    let mpl = mpl_client::Client::from_conf(mpl_config)?;
113
114    let hierarchical_keyring = mpl
115        .create_aws_kms_hierarchical_keyring()
116        .branch_key_id_supplier(branch_key_id_supplier)
117        .key_store(key_store)
118        .ttl_seconds(600)
119        .send()
120        .await?;
121
122    // 4. Configure which attributes are encrypted and/or signed when writing new items.
123    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
124    //    we must explicitly configure how they should be treated during item encryption:
125    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
126    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
127    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
128    let attribute_actions_on_encrypt = HashMap::from([
129        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
130        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
131        (
132            "tenant_sensitive_data".to_string(),
133            CryptoAction::EncryptAndSign,
134        ),
135    ]);
136
137    // 5. Configure which attributes we expect to be included in the signature
138    //    when reading items. There are two options for configuring this:
139    //
140    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
141    //      When defining your DynamoDb schema and deciding on attribute names,
142    //      choose a distinguishing prefix (such as ":") for all attributes that
143    //      you do not want to include in the signature.
144    //      This has two main benefits:
145    //      - It is easier to reason about the security and authenticity of data within your item
146    //        when all unauthenticated data is easily distinguishable by their attribute name.
147    //      - If you need to add new unauthenticated attributes in the future,
148    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
149    //        and immediately start writing to that new attribute, without
150    //        any other configuration update needed.
151    //      Once you configure this field, it is not safe to update it.
152    //
153    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
154    //      a set of attributes that should be considered unauthenticated when encountered
155    //      on read. Be careful if you use this configuration. Do not remove an attribute
156    //      name from this configuration, even if you are no longer writing with that attribute,
157    //      as old items may still include this attribute, and our configuration needs to know
158    //      to continue to exclude this attribute from the signature scope.
159    //      If you add new attribute names to this field, you must first deploy the update to this
160    //      field to all readers in your host fleet before deploying the update to start writing
161    //      with that new attribute.
162    //
163    //   For this example, we currently authenticate all attributes. To make it easier to
164    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
165    const UNSIGNED_ATTR_PREFIX: &str = ":";
166
167    // 6. Create the DynamoDb Encryption configuration for the table we will be writing to.
168    let table_config = DynamoDbTableEncryptionConfig::builder()
169        .logical_table_name(ddb_table_name)
170        .partition_key_name("partition_key")
171        .sort_key_name("sort_key")
172        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173        .keyring(hierarchical_keyring)
174        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175        .build()?;
176
177    let table_configs = DynamoDbTablesEncryptionConfig::builder()
178        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
179        .build()?;
180
181    // 7. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
182    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
183    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
184        .interceptor(DbEsdkInterceptor::new(table_configs)?)
185        .build();
186    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
187
188    // 8. Put an item into our table using the above client.
189    //    Before the item gets sent to DynamoDb, it will be encrypted
190    //    client-side, according to our configuration.
191    //    Because the item we are writing uses "tenantId1" as our partition value,
192    //    based on the code we wrote in the ExampleBranchKeySupplier,
193    //    `tenant1BranchKeyId` will be used to encrypt this item.
194    let item = HashMap::from([
195        (
196            "partition_key".to_string(),
197            AttributeValue::S("tenant1Id".to_string()),
198        ),
199        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
200        (
201            "tenant_sensitive_data".to_string(),
202            AttributeValue::S("encrypt and sign me!".to_string()),
203        ),
204    ]);
205
206    ddb.put_item()
207        .table_name(ddb_table_name)
208        .set_item(Some(item.clone()))
209        .send()
210        .await?;
211
212    // 9. Get the item back from our table using the same client.
213    //     The client will decrypt the item client-side, and return
214    //     back the original item.
215    //     Because the returned item's partition value is "tenantId1",
216    //     based on the code we wrote in the ExampleBranchKeySupplier,
217    //     `tenant1BranchKeyId` will be used to decrypt this item.
218    let key_to_get = HashMap::from([
219        (
220            "partition_key".to_string(),
221            AttributeValue::S("tenant1Id".to_string()),
222        ),
223        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
224    ]);
225
226    let resp = ddb
227        .get_item()
228        .table_name(ddb_table_name)
229        .set_key(Some(key_to_get))
230        .consistent_read(true)
231        .send()
232        .await?;
233
234    assert_eq!(resp.item, Some(item));
235    println!("hierarchical_keyring successful.");
236    Ok(())
237}
examples/keyring/mrk_discovery_multi_keyring.rs (line 118)
37pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
38    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
39    let key_arn = test_utils::TEST_MRK_KEY_ID;
40    let account_ids = vec![test_utils::TEST_AWS_ACCOUNT_ID.to_string()];
41    let regions = vec![test_utils::TEST_AWS_REGION.to_string()];
42
43    // 1. Create a single MRK multi-keyring using the key arn.
44    //    Although this example demonstrates use of the MRK discovery multi-keyring,
45    //    a discovery keyring cannot be used to encrypt. So we will need to construct
46    //    a non-discovery keyring for this example to encrypt. For more information on MRK
47    //    multi-keyrings, see the MultiMrkKeyringExample in this directory.
48    //    Though this is an "MRK multi-keyring", we do not need to provide multiple keys,
49    //    and can use single-region KMS keys. We will provide a single key here; this
50    //    can be either an MRK or a single-region key.
51    let mpl_config = MaterialProvidersConfig::builder().build()?;
52    let mpl = mpl_client::Client::from_conf(mpl_config)?;
53    let encrypt_keyring = mpl
54        .create_aws_kms_mrk_multi_keyring()
55        .generator(key_arn)
56        .send()
57        .await?;
58
59    // 2. Configure which attributes are encrypted and/or signed when writing new items.
60    //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
61    //    we must explicitly configure how they should be treated during item encryption:
62    //      - ENCRYPT_AND_SIGN: The attribute is encrypted and icncluded in the signature
63    //      - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
64    //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
65    let attribute_actions_on_encrypt = HashMap::from([
66        ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
67        ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
68        ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
69    ]);
70
71    // 3. Configure which attributes we expect to be included in the signature
72    //    when reading items. There are two options for configuring this:
73    //
74    //    - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
75    //      When defining your DynamoDb schema and deciding on attribute names,
76    //      choose a distinguishing prefix (such as ":") for all attributes that
77    //      you do not want to include in the signature.
78    //      This has two main benefits:
79    //      - It is easier to reason about the security and authenticity of data within your item
80    //        when all unauthenticated data is easily distinguishable by their attribute name.
81    //      - If you need to add new unauthenticated attributes in the future,
82    //        you can easily make the corresponding update to your `attributeActionsOnEncrypt`
83    //        and immediately start writing to that new attribute, without
84    //        any other configuration update needed.
85    //      Once you configure this field, it is not safe to update it.
86    //
87    //    - Configure `allowedUnsignedAttributes`: You may also explicitly list
88    //      a set of attributes that should be considered unauthenticated when encountered
89    //      on read. Be careful if you use this configuration. Do not remove an attribute
90    //      name from this configuration, even if you are no longer writing with that attribute,
91    //      as old items may still include this attribute, and our configuration needs to know
92    //      to continue to exclude this attribute from the signature scope.
93    //      If you add new attribute names to this field, you must first deploy the update to this
94    //      field to all readers in your host fleet before deploying the update to start writing
95    //      with that new attribute.
96    //
97    //   For this example, we currently authenticate all attributes. To make it easier to
98    //   add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
99    const UNSIGNED_ATTR_PREFIX: &str = ":";
100
101    // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
102    let table_config = DynamoDbTableEncryptionConfig::builder()
103        .logical_table_name(ddb_table_name)
104        .partition_key_name("partition_key")
105        .sort_key_name("sort_key")
106        .attribute_actions_on_encrypt(attribute_actions_on_encrypt.clone())
107        .keyring(encrypt_keyring)
108        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
109        .build()?;
110
111    let table_configs = DynamoDbTablesEncryptionConfig::builder()
112        .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
113        .build()?;
114
115    // 5. Create a new AWS SDK DynamoDb client using the config above
116    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
117    let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
118        .interceptor(DbEsdkInterceptor::new(table_configs)?)
119        .build();
120    let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
121
122    // 6. Put an item into our table using the above client.
123    //    Before the item gets sent to DynamoDb, it will be encrypted
124    //    client-side using the MRK multi-keyring.
125    let item = HashMap::from([
126        (
127            "partition_key".to_string(),
128            AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
129        ),
130        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
131        (
132            "sensitive_data".to_string(),
133            AttributeValue::S("encrypt and sign me!".to_string()),
134        ),
135    ]);
136
137    ddb.put_item()
138        .table_name(ddb_table_name)
139        .set_item(Some(item.clone()))
140        .send()
141        .await?;
142
143    // 7. Construct a discovery filter.
144    //    A discovery filter limits the set of encrypted data keys
145    //    the keyring can use to decrypt data.
146    //    We will only let the keyring use keys in the selected AWS accounts
147    //    and in the `aws` partition.
148    //    This is the suggested config for most users; for more detailed config, see
149    //      https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery
150    let discovery_filter = DiscoveryFilter::builder()
151        .partition("aws")
152        .account_ids(account_ids)
153        .build()?;
154
155    // 8. Construct a discovery keyring.
156    //    Note that we choose to use the MRK discovery multi-keyring, even though
157    //    our original keyring used a single KMS key.
158
159    let decrypt_keyring = mpl
160        .create_aws_kms_mrk_discovery_multi_keyring()
161        .discovery_filter(discovery_filter)
162        .regions(regions)
163        .send()
164        .await?;
165
166    // 9. Create new DDB config and client using the decrypt discovery keyring.
167    //     This is the same as the above config, except we pass in the decrypt keyring.
168    let table_config_for_decrypt = DynamoDbTableEncryptionConfig::builder()
169        .logical_table_name(ddb_table_name)
170        .partition_key_name("partition_key")
171        .sort_key_name("sort_key")
172        .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173        .keyring(decrypt_keyring)
174        .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175        .build()?;
176
177    let table_configs_for_decrypt = DynamoDbTablesEncryptionConfig::builder()
178        .table_encryption_configs(HashMap::from([(
179            ddb_table_name.to_string(),
180            table_config_for_decrypt,
181        )]))
182        .build()?;
183
184    let dynamo_config_for_decrypt = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
185        .interceptor(DbEsdkInterceptor::new(table_configs_for_decrypt)?)
186        .build();
187    let ddb_for_decrypt = aws_sdk_dynamodb::Client::from_conf(dynamo_config_for_decrypt);
188
189    // 10. Get the item back from our table using the client.
190    //     The client will retrieve encrypted items from the DDB table, then
191    //     detect the KMS key that was used to encrypt their data keys.
192    //     The client will make a request to KMS to decrypt with the encrypting KMS key.
193    //     If the client has permission to decrypt with the KMS key,
194    //     the client will decrypt the item client-side using the keyring
195    //     and return the original item.
196    let key_to_get = HashMap::from([
197        (
198            "partition_key".to_string(),
199            AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
200        ),
201        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
202    ]);
203
204    let resp = ddb_for_decrypt
205        .get_item()
206        .table_name(ddb_table_name)
207        .set_key(Some(key_to_get))
208        .consistent_read(true)
209        .send()
210        .await?;
211
212    assert_eq!(resp.item, Some(item));
213
214    println!("mrk_discovery_multi_keyring successful.");
215    Ok(())
216}

Trait Implementations§

Source§

impl Debug for DbEsdkInterceptor

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Intercept for DbEsdkInterceptor

Source§

fn name(&self) -> &'static str

The name of this interceptor, used in error messages for debugging.
Source§

fn modify_before_serialization( &self, context: &mut BeforeSerializationInterceptorContextMut<'_>, _rc: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), BoxError>

A hook called before the input message is marshalled into a transport message. This method has the ability to modify and return a new request message of the same type. Read more
Source§

fn modify_before_attempt_completion( &self, context: &mut FinalizerInterceptorContextMut<'_>, _rc: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), BoxError>

A hook called when an attempt is completed. This method has the ability to modify and return a new output message or error matching the currently-executing operation. Read more
Source§

fn read_before_execution( &self, context: &BeforeSerializationInterceptorContextRef<'_>, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called at the start of an execution, before the SDK does anything else. Read more
Source§

fn read_before_serialization( &self, context: &BeforeSerializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the input message is marshalled into a transport message. Read more
Source§

fn read_after_serialization( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called after the input message is marshalled into a transport message. Read more
Source§

fn modify_before_retry_loop( &self, context: &mut BeforeTransmitInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the retry loop is entered. This method has the ability to modify and return a new transport request message of the same type, except when a failure occurs earlier in the request pipeline. Read more
Source§

fn read_before_attempt( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before each attempt at sending the transmission request message to the service. Read more
Source§

fn modify_before_signing( &self, context: &mut BeforeTransmitInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the transport request message is signed. This method has the ability to modify and return a new transport request message of the same type. Read more
Source§

fn read_before_signing( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the transport request message is signed. Read more
Source§

fn read_after_signing( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called after the transport request message is signed. Read more
Source§

fn modify_before_transmit( &self, context: &mut BeforeTransmitInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the transport request message is sent to the service. This method has the ability to modify and return a new transport request message of the same type. Read more
Source§

fn read_before_transmit( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the transport request message is sent to the service. Read more
Source§

fn read_after_transmit( &self, context: &BeforeDeserializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called after the transport request message is sent to the service and a transport response message is received. Read more
Source§

fn modify_before_deserialization( &self, context: &mut BeforeDeserializationInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the transport response message is unmarshalled. This method has the ability to modify and return a new transport response message of the same type. Read more
Source§

fn read_before_deserialization( &self, context: &BeforeDeserializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called before the transport response message is unmarshalled Read more
Source§

fn read_after_deserialization( &self, context: &AfterDeserializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called after the transport response message is unmarshalled. Read more
Source§

fn read_after_attempt( &self, context: &FinalizerInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called when an attempt is completed. Read more
Source§

fn modify_before_completion( &self, context: &mut FinalizerInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called when an execution is completed. This method has the ability to modify and return a new output message or error matching the currently - executing operation. Read more
Source§

fn read_after_execution( &self, context: &FinalizerInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Sync + Send>>

A hook called when an execution is completed. Read more
Source§

impl Send for DbEsdkInterceptor

Source§

impl Sync for DbEsdkInterceptor

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<Unshared, Shared> IntoShared<Shared> for Unshared
where Shared: FromUnshared<Unshared>,

Source§

fn into_shared(self) -> Shared

Creates a shared type from an unshared type.
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> Upcast<T> for T
where T: ?Sized,

Source§

fn upcast(&self) -> Ptr<T>

Source§

impl<T> UpcastObject<T> for T
where T: ?Sized,

Source§

fn upcast(&self) -> Object<T>

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> ErasedDestructor for T
where T: 'static,

Source§

impl<T> MaybeSendSync for T