pub struct DbEsdkInterceptor { /* private fields */ }Implementations§
Source§impl DbEsdkInterceptor
impl DbEsdkInterceptor
Sourcepub fn new(config: DynamoDbTablesEncryptionConfig) -> Result<Self, Error>
pub fn new(config: DynamoDbTablesEncryptionConfig) -> Result<Self, Error>
Examples found in repository?
examples/keyring/raw_aes_keyring.rs (line 116)
40pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
41 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
42 let aes_key_bytes = generate_aes_key_bytes();
43
44 // 1. Create the keyring.
45 // The DynamoDb encryption client uses this to encrypt and decrypt items.
46 let mpl_config = MaterialProvidersConfig::builder().build()?;
47 let mpl = mpl_client::Client::from_conf(mpl_config)?;
48 let raw_aes_keyring = mpl
49 .create_raw_aes_keyring()
50 .key_name("my-aes-key-name")
51 .key_namespace("my-key-namespace")
52 .wrapping_key(aes_key_bytes)
53 .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16)
54 .send()
55 .await?;
56
57 // 2. Configure which attributes are encrypted and/or signed when writing new items.
58 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
59 // we must explicitly configure how they should be treated during item encryption:
60 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
61 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
62 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
63 let attribute_actions_on_encrypt = HashMap::from([
64 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
65 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
66 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
67 ]);
68
69 // 3. Configure which attributes we expect to be included in the signature
70 // when reading items. There are two options for configuring this:
71 //
72 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
73 // When defining your DynamoDb schema and deciding on attribute names,
74 // choose a distinguishing prefix (such as ":") for all attributes that
75 // you do not want to include in the signature.
76 // This has two main benefits:
77 // - It is easier to reason about the security and authenticity of data within your item
78 // when all unauthenticated data is easily distinguishable by their attribute name.
79 // - If you need to add new unauthenticated attributes in the future,
80 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
81 // and immediately start writing to that new attribute, without
82 // any other configuration update needed.
83 // Once you configure this field, it is not safe to update it.
84 //
85 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
86 // a set of attributes that should be considered unauthenticated when encountered
87 // on read. Be careful if you use this configuration. Do not remove an attribute
88 // name from this configuration, even if you are no longer writing with that attribute,
89 // as old items may still include this attribute, and our configuration needs to know
90 // to continue to exclude this attribute from the signature scope.
91 // If you add new attribute names to this field, you must first deploy the update to this
92 // field to all readers in your host fleet before deploying the update to start writing
93 // with that new attribute.
94 //
95 // For this example, we currently authenticate all attributes. To make it easier to
96 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
97 const UNSIGNED_ATTR_PREFIX: &str = ":";
98
99 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
100 let table_config = DynamoDbTableEncryptionConfig::builder()
101 .logical_table_name(ddb_table_name)
102 .partition_key_name("partition_key")
103 .sort_key_name("sort_key")
104 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
105 .keyring(raw_aes_keyring)
106 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
107 .build()?;
108
109 let table_configs = DynamoDbTablesEncryptionConfig::builder()
110 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
111 .build()?;
112
113 // 5. Create a new AWS SDK DynamoDb client using the Config above
114 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
115 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
116 .interceptor(DbEsdkInterceptor::new(table_configs)?)
117 .build();
118 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
119
120 // 6. Put an item into our table using the above client.
121 // Before the item gets sent to DynamoDb, it will be encrypted
122 // client-side, according to our configuration.
123 let item = HashMap::from([
124 (
125 "partition_key".to_string(),
126 AttributeValue::S("rawAesKeyringItem".to_string()),
127 ),
128 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
129 (
130 "sensitive_data".to_string(),
131 AttributeValue::S("encrypt and sign me!".to_string()),
132 ),
133 ]);
134
135 ddb.put_item()
136 .table_name(ddb_table_name)
137 .set_item(Some(item.clone()))
138 .send()
139 .await?;
140
141 // 7. Get the item back from our table using the same client.
142 // The client will decrypt the item client-side, and return
143 // back the original item.
144 let key_to_get = HashMap::from([
145 (
146 "partition_key".to_string(),
147 AttributeValue::S("rawAesKeyringItem".to_string()),
148 ),
149 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
150 ]);
151
152 let resp = ddb
153 .get_item()
154 .table_name(ddb_table_name)
155 .set_key(Some(key_to_get))
156 // In this example we configure a strongly consistent read
157 // because we perform a read immediately after a write (for demonstrative purposes).
158 // By default, reads are only eventually consistent.
159 // Read our docs to determine which read consistency to use for your application:
160 // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
161 .consistent_read(true)
162 .send()
163 .await?;
164
165 assert_eq!(resp.item, Some(item));
166
167 println!("raw_aes_keyring successful.");
168 Ok(())
169}More examples
examples/keyring/raw_rsa_keyring.rs (line 154)
57pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
58 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
59
60 // You may provide your own RSA key pair in the files located at
61 // - EXAMPLE_RSA_PRIVATE_KEY_FILENAME
62 // - EXAMPLE_RSA_PUBLIC_KEY_FILENAME
63 // If these files are not present, this will generate a pair for you
64 if should_generate_new_rsa_key_pair()? {
65 generate_rsa_key_pair()?;
66 }
67
68 // 1. Load key pair from UTF-8 encoded PEM files.
69 // You may provide your own PEM files to use here.
70 // If you do not, the main method in this class will generate PEM
71 // files for example use. Do not use these files for any other purpose.
72
73 let mut file = File::open(Path::new(EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
74 let mut public_key_utf8_bytes = Vec::new();
75 file.read_to_end(&mut public_key_utf8_bytes)?;
76
77 let mut file = File::open(Path::new(EXAMPLE_RSA_PRIVATE_KEY_FILENAME))?;
78 let mut private_key_utf8_bytes = Vec::new();
79 file.read_to_end(&mut private_key_utf8_bytes)?;
80
81 // 2. Create the keyring.
82 // The DynamoDb encryption client uses this to encrypt and decrypt items.
83 let mpl_config = MaterialProvidersConfig::builder().build()?;
84 let mpl = mpl_client::Client::from_conf(mpl_config)?;
85 let raw_rsa_keyring = mpl
86 .create_raw_rsa_keyring()
87 .key_name("my-rsa-key-name")
88 .key_namespace("my-key-namespace")
89 .padding_scheme(PaddingScheme::OaepSha256Mgf1)
90 .public_key(public_key_utf8_bytes)
91 .private_key(private_key_utf8_bytes)
92 .send()
93 .await?;
94
95 // 3. Configure which attributes are encrypted and/or signed when writing new items.
96 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
97 // we must explicitly configure how they should be treated during item encryption:
98 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
99 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
100 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
101 let attribute_actions_on_encrypt = HashMap::from([
102 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
103 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
104 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
105 ]);
106
107 // 4. Configure which attributes we expect to be included in the signature
108 // when reading items. There are two options for configuring this:
109 //
110 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
111 // When defining your DynamoDb schema and deciding on attribute names,
112 // choose a distinguishing prefix (such as ":") for all attributes that
113 // you do not want to include in the signature.
114 // This has two main benefits:
115 // - It is easier to reason about the security and authenticity of data within your item
116 // when all unauthenticated data is easily distinguishable by their attribute name.
117 // - If you need to add new unauthenticated attributes in the future,
118 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
119 // and immediately start writing to that new attribute, without
120 // any other configuration update needed.
121 // Once you configure this field, it is not safe to update it.
122 //
123 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
124 // a set of attributes that should be considered unauthenticated when encountered
125 // on read. Be careful if you use this configuration. Do not remove an attribute
126 // name from this configuration, even if you are no longer writing with that attribute,
127 // as old items may still include this attribute, and our configuration needs to know
128 // to continue to exclude this attribute from the signature scope.
129 // If you add new attribute names to this field, you must first deploy the update to this
130 // field to all readers in your host fleet before deploying the update to start writing
131 // with that new attribute.
132 //
133 // For this example, we currently authenticate all attributes. To make it easier to
134 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
135 const UNSIGNED_ATTR_PREFIX: &str = ":";
136
137 // 5. Create the DynamoDb Encryption configuration for the table we will be writing to.
138 let table_config = DynamoDbTableEncryptionConfig::builder()
139 .logical_table_name(ddb_table_name)
140 .partition_key_name("partition_key")
141 .sort_key_name("sort_key")
142 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
143 .keyring(raw_rsa_keyring)
144 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
145 .build()?;
146
147 let table_configs = DynamoDbTablesEncryptionConfig::builder()
148 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
149 .build()?;
150
151 // 6. Create a new AWS SDK DynamoDb client using the config above
152 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
153 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
154 .interceptor(DbEsdkInterceptor::new(table_configs)?)
155 .build();
156 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
157
158 // 7. Put an item into our table using the above client.
159 // Before the item gets sent to DynamoDb, it will be encrypted
160 // client-side, according to our configuration.
161 let item = HashMap::from([
162 (
163 "partition_key".to_string(),
164 AttributeValue::S("rawRsaKeyringItem".to_string()),
165 ),
166 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
167 (
168 "sensitive_data".to_string(),
169 AttributeValue::S("encrypt and sign me!".to_string()),
170 ),
171 ]);
172
173 ddb.put_item()
174 .table_name(ddb_table_name)
175 .set_item(Some(item.clone()))
176 .send()
177 .await?;
178
179 // 8. Get the item back from our table using the same client.
180 // The client will decrypt the item client-side, and return
181 // back the original item.
182
183 let key_to_get = HashMap::from([
184 (
185 "partition_key".to_string(),
186 AttributeValue::S("rawRsaKeyringItem".to_string()),
187 ),
188 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
189 ]);
190
191 let resp = ddb
192 .get_item()
193 .table_name(ddb_table_name)
194 .set_key(Some(key_to_get))
195 // In this example we configure a strongly consistent read
196 // because we perform a read immediately after a write (for demonstrative purposes).
197 // By default, reads are only eventually consistent.
198 // Read our docs to determine which read consistency to use for your application:
199 // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
200 .consistent_read(true)
201 .send()
202 .await?;
203
204 assert_eq!(resp.item, Some(item));
205 println!("raw_rsa_keyring successful.");
206 Ok(())
207}examples/basic_get_put_example.rs (line 119)
31pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
32 let kms_key_id = test_utils::TEST_KMS_KEY_ID;
33 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
34
35 // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
36 // For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
37 // We will use the `CreateMrkMultiKeyring` method to create this keyring,
38 // as it will correctly handle both single region and Multi-Region KMS Keys.
39 let provider_config = MaterialProvidersConfig::builder().build()?;
40 let mat_prov = client::Client::from_conf(provider_config)?;
41 let kms_keyring = mat_prov
42 .create_aws_kms_mrk_multi_keyring()
43 .generator(kms_key_id)
44 .send()
45 .await?;
46
47 // 2. Configure which attributes are encrypted and/or signed when writing new items.
48 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
49 // we must explicitly configure how they should be treated during item encryption:
50 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
51 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
52 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
53 let attribute_actions_on_encrypt = HashMap::from([
54 ("partition_key".to_string(), CryptoAction::SignOnly),
55 ("sort_key".to_string(), CryptoAction::SignOnly),
56 ("attribute1".to_string(), CryptoAction::EncryptAndSign),
57 ("attribute2".to_string(), CryptoAction::SignOnly),
58 (":attribute3".to_string(), CryptoAction::DoNothing),
59 ]);
60
61 // 3. Configure which attributes we expect to be included in the signature
62 // when reading items. There are two options for configuring this:
63 //
64 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
65 // When defining your DynamoDb schema and deciding on attribute names,
66 // choose a distinguishing prefix (such as ":") for all attributes that
67 // you do not want to include in the signature.
68 // This has two main benefits:
69 // - It is easier to reason about the security and authenticity of data within your item
70 // when all unauthenticated data is easily distinguishable by their attribute name.
71 // - If you need to add new unauthenticated attributes in the future,
72 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
73 // and immediately start writing to that new attribute, without
74 // any other configuration update needed.
75 // Once you configure this field, it is not safe to update it.
76 //
77 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
78 // a set of attributes that should be considered unauthenticated when encountered
79 // on read. Be careful if you use this configuration. Do not remove an attribute
80 // name from this configuration, even if you are no longer writing with that attribute,
81 // as old items may still include this attribute, and our configuration needs to know
82 // to continue to exclude this attribute from the signature scope.
83 // If you add new attribute names to this field, you must first deploy the update to this
84 // field to all readers in your host fleet before deploying the update to start writing
85 // with that new attribute.
86 //
87 // For this example, we have designed our DynamoDb table such that any attribute name with
88 // the ":" prefix should be considered unauthenticated.
89 const UNSIGNED_ATTR_PREFIX: &str = ":";
90
91 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
92 let table_config = DynamoDbTableEncryptionConfig::builder()
93 .logical_table_name(ddb_table_name)
94 .partition_key_name("partition_key")
95 .sort_key_name("sort_key")
96 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
97 .keyring(kms_keyring)
98 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
99 // Specifying an algorithm suite is not required,
100 // but is done here to demonstrate how to do so.
101 // We suggest using the
102 // `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384` suite,
103 // which includes AES-GCM with key derivation, signing, and key commitment.
104 // This is also the default algorithm suite if one is not specified in this config.
105 // For more information on supported algorithm suites, see:
106 // https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/supported-algorithms.html
107 .algorithm_suite_id(
108 DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384SymsigHmacSha384,
109 )
110 .build()?;
111
112 let table_configs = DynamoDbTablesEncryptionConfig::builder()
113 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
114 .build()?;
115
116 // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
117 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
118 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
119 .interceptor(DbEsdkInterceptor::new(table_configs)?)
120 .build();
121 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
122
123 // 6. Put an item into our table using the above client.
124 // Before the item gets sent to DynamoDb, it will be encrypted
125 // client-side, according to our configuration.
126 let item = HashMap::from([
127 (
128 "partition_key".to_string(),
129 AttributeValue::S("BasicPutGetExample".to_string()),
130 ),
131 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
132 (
133 "attribute1".to_string(),
134 AttributeValue::S("encrypt and sign me!".to_string()),
135 ),
136 (
137 "attribute2".to_string(),
138 AttributeValue::S("sign me!".to_string()),
139 ),
140 (
141 ":attribute3".to_string(),
142 AttributeValue::S("ignore me!".to_string()),
143 ),
144 ]);
145
146 ddb.put_item()
147 .table_name(ddb_table_name)
148 .set_item(Some(item.clone()))
149 .send()
150 .await?;
151
152 // 7. Get the item back from our table using the same client.
153 // The client will decrypt the item client-side, and return
154 // back the original item.
155 let key_to_get = HashMap::from([
156 (
157 "partition_key".to_string(),
158 AttributeValue::S("BasicPutGetExample".to_string()),
159 ),
160 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
161 ]);
162
163 let resp = ddb
164 .get_item()
165 .table_name(ddb_table_name)
166 .set_key(Some(key_to_get))
167 // In this example we configure a strongly consistent read
168 // because we perform a read immediately after a write (for demonstrative purposes).
169 // By default, reads are only eventually consistent.
170 // Read our docs to determine which read consistency to use for your application:
171 // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
172 .consistent_read(true)
173 .send()
174 .await?;
175
176 assert_eq!(resp.item, Some(item));
177 println!("put_item_get_item successful.");
178 Ok(())
179}examples/keyring/kms_rsa_keyring.rs (line 154)
47pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
48 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
49 let rsa_key_arn = test_utils::TEST_KMS_RSA_KEY_ID;
50
51 // You may provide your own RSA public key at EXAMPLE_RSA_PUBLIC_KEY_FILENAME.
52 // This must be the public key for the RSA key represented at rsaKeyArn.
53 // If this file is not present, this will write a UTF-8 encoded PEM file for you.
54 if should_get_new_public_key(DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME) {
55 write_public_key_pem_for_rsa_key(
56 test_utils::TEST_KMS_RSA_KEY_ID,
57 DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME,
58 )
59 .await?;
60 }
61
62 // 1. Load UTF-8 encoded public key PEM file.
63 // You may have an RSA public key file already defined.
64 // If not, the main method in this class will call
65 // the KMS RSA key, retrieve its public key, and store it
66 // in a PEM file for example use.
67 let mut file = File::open(Path::new(DEFAULT_EXAMPLE_RSA_PUBLIC_KEY_FILENAME))?;
68 let mut public_key_utf8_bytes = Vec::new();
69 file.read_to_end(&mut public_key_utf8_bytes)?;
70
71 // 2. Create a KMS RSA keyring.
72 // This keyring takes in:
73 // - kmsClient
74 // - kmsKeyId: Must be an ARN representing a KMS RSA key
75 // - publicKey: A ByteBuffer of a UTF-8 encoded PEM file representing the public
76 // key for the key passed into kmsKeyId
77 // - encryptionAlgorithm: Must be either RSAES_OAEP_SHA_256 or RSAES_OAEP_SHA_1
78 let mpl_config = MaterialProvidersConfig::builder().build()?;
79 let mpl = mpl_client::Client::from_conf(mpl_config)?;
80 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
81 let kms_rsa_keyring = mpl
82 .create_aws_kms_rsa_keyring()
83 .kms_key_id(rsa_key_arn)
84 .public_key(public_key_utf8_bytes)
85 .encryption_algorithm(aws_sdk_kms::types::EncryptionAlgorithmSpec::RsaesOaepSha256)
86 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
87 .send()
88 .await?;
89
90 // 3. Configure which attributes are encrypted and/or signed when writing new items.
91 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
92 // we must explicitly configure how they should be treated during item encryption:
93 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
94 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
95 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
96 let attribute_actions_on_encrypt = HashMap::from([
97 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
98 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
99 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
100 ]);
101
102 // 4. Configure which attributes we expect to be included in the signature
103 // when reading items. There are two options for configuring this:
104 //
105 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
106 // When defining your DynamoDb schema and deciding on attribute names,
107 // choose a distinguishing prefix (such as ":") for all attributes that
108 // you do not want to include in the signature.
109 // This has two main benefits:
110 // - It is easier to reason about the security and authenticity of data within your item
111 // when all unauthenticated data is easily distinguishable by their attribute name.
112 // - If you need to add new unauthenticated attributes in the future,
113 // you can easily make the corresponding update to your `attributeActions`
114 // and immediately start writing to that new attribute, without
115 // any other configuration update needed.
116 // Once you configure this field, it is not safe to update it.
117 //
118 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
119 // a set of attributes that should be considered unauthenticated when encountered
120 // on read. Be careful if you use this configuration. Do not remove an attribute
121 // name from this configuration, even if you are no longer writing with that attribute,
122 // as old items may still include this attribute, and our configuration needs to know
123 // to continue to exclude this attribute from the signature scope.
124 // If you add new attribute names to this field, you must first deploy the update to this
125 // field to all readers in your host fleet before deploying the update to start writing
126 // with that new attribute.
127 //
128 // For this example, we currently authenticate all attributes. To make it easier to
129 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
130 const UNSIGNED_ATTR_PREFIX: &str = ":";
131
132 // 5. Create the DynamoDb Encryption configuration for the table we will be writing to.
133 // Note: To use the KMS RSA keyring, your table config must specify an algorithmSuite
134 // that does not use asymmetric signing.
135 let table_config = DynamoDbTableEncryptionConfig::builder()
136 .logical_table_name(ddb_table_name)
137 .partition_key_name("partition_key")
138 .sort_key_name("sort_key")
139 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
140 .keyring(kms_rsa_keyring)
141 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
142 // Specify algorithmSuite without asymmetric signing here
143 // As of v3.0.0, the only supported algorithmSuite without asymmetric signing is
144 // ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384.
145 .algorithm_suite_id(DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeySymsigHmacSha384)
146 .build()?;
147
148 let table_configs = DynamoDbTablesEncryptionConfig::builder()
149 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
150 .build()?;
151
152 // 6. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
153 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
154 .interceptor(DbEsdkInterceptor::new(table_configs)?)
155 .build();
156 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
157
158 // 7. Put an item into our table using the above client.
159 // Before the item gets sent to DynamoDb, it will be encrypted
160 // client-side, according to our configuration.
161 let item = HashMap::from([
162 (
163 "partition_key".to_string(),
164 AttributeValue::S("awsKmsRsaKeyringItem".to_string()),
165 ),
166 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
167 (
168 "sensitive_data".to_string(),
169 AttributeValue::S("encrypt and sign me!".to_string()),
170 ),
171 ]);
172
173 ddb.put_item()
174 .table_name(ddb_table_name)
175 .set_item(Some(item.clone()))
176 .send()
177 .await?;
178
179 // 8. Get the item back from our table using the client.
180 // The client will decrypt the item client-side using the RSA keyring
181 // and return the original item.
182 let key_to_get = HashMap::from([
183 (
184 "partition_key".to_string(),
185 AttributeValue::S("awsKmsRsaKeyringItem".to_string()),
186 ),
187 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
188 ]);
189
190 let resp = ddb
191 .get_item()
192 .table_name(ddb_table_name)
193 .set_key(Some(key_to_get))
194 .consistent_read(true)
195 .send()
196 .await?;
197
198 assert_eq!(resp.item, Some(item));
199 println!("kms_rsa_keyring successful.");
200 Ok(())
201}examples/keyring/hierarchical_keyring.rs (line 184)
63pub async fn put_item_get_item(
64 tenant1_branch_key_id: &str,
65 tenant2_branch_key_id: &str,
66) -> Result<(), crate::BoxError> {
67 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
68
69 let keystore_table_name = test_utils::TEST_KEYSTORE_NAME;
70 let logical_keystore_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
71 let kms_key_id = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
72
73 // Initial KeyStore Setup: This example requires that you have already
74 // created your KeyStore, and have populated it with two new branch keys.
75 // See the "Create KeyStore Table Example" and "Create KeyStore Key Example"
76 // for an example of how to do this.
77
78 // 1. Configure your KeyStore resource.
79 // This SHOULD be the same configuration that you used
80 // to initially create and populate your KeyStore.
81 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
82 let key_store_config = KeyStoreConfig::builder()
83 .kms_client(aws_sdk_kms::Client::new(&sdk_config))
84 .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
85 .ddb_table_name(keystore_table_name)
86 .logical_key_store_name(logical_keystore_name)
87 .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_id.to_string()))
88 .build()?;
89
90 let key_store = keystore_client::Client::from_conf(key_store_config)?;
91
92 // 2. Create a Branch Key ID Supplier. See ExampleBranchKeyIdSupplier in this directory.
93 let dbesdk_config = DynamoDbEncryptionConfig::builder().build()?;
94 let dbesdk = dbesdk_client::Client::from_conf(dbesdk_config)?;
95 let supplier = ExampleBranchKeyIdSupplier::new(tenant1_branch_key_id, tenant2_branch_key_id);
96
97 let branch_key_id_supplier = dbesdk
98 .create_dynamo_db_encryption_branch_key_id_supplier()
99 .ddb_key_branch_key_id_supplier(supplier)
100 .send()
101 .await?
102 .branch_key_id_supplier
103 .unwrap();
104
105 // 3. Create the Hierarchical Keyring, using the Branch Key ID Supplier above.
106 // With this configuration, the AWS SDK Client ultimately configured will be capable
107 // of encrypting or decrypting items for either tenant (assuming correct KMS access).
108 // If you want to restrict the client to only encrypt or decrypt for a single tenant,
109 // configure this Hierarchical Keyring using `.branchKeyId(tenant1BranchKeyId)` instead
110 // of `.branchKeyIdSupplier(branchKeyIdSupplier)`.
111 let mpl_config = MaterialProvidersConfig::builder().build()?;
112 let mpl = mpl_client::Client::from_conf(mpl_config)?;
113
114 let hierarchical_keyring = mpl
115 .create_aws_kms_hierarchical_keyring()
116 .branch_key_id_supplier(branch_key_id_supplier)
117 .key_store(key_store)
118 .ttl_seconds(600)
119 .send()
120 .await?;
121
122 // 4. Configure which attributes are encrypted and/or signed when writing new items.
123 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
124 // we must explicitly configure how they should be treated during item encryption:
125 // - ENCRYPT_AND_SIGN: The attribute is encrypted and included in the signature
126 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
127 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
128 let attribute_actions_on_encrypt = HashMap::from([
129 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
130 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
131 (
132 "tenant_sensitive_data".to_string(),
133 CryptoAction::EncryptAndSign,
134 ),
135 ]);
136
137 // 5. Configure which attributes we expect to be included in the signature
138 // when reading items. There are two options for configuring this:
139 //
140 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
141 // When defining your DynamoDb schema and deciding on attribute names,
142 // choose a distinguishing prefix (such as ":") for all attributes that
143 // you do not want to include in the signature.
144 // This has two main benefits:
145 // - It is easier to reason about the security and authenticity of data within your item
146 // when all unauthenticated data is easily distinguishable by their attribute name.
147 // - If you need to add new unauthenticated attributes in the future,
148 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
149 // and immediately start writing to that new attribute, without
150 // any other configuration update needed.
151 // Once you configure this field, it is not safe to update it.
152 //
153 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
154 // a set of attributes that should be considered unauthenticated when encountered
155 // on read. Be careful if you use this configuration. Do not remove an attribute
156 // name from this configuration, even if you are no longer writing with that attribute,
157 // as old items may still include this attribute, and our configuration needs to know
158 // to continue to exclude this attribute from the signature scope.
159 // If you add new attribute names to this field, you must first deploy the update to this
160 // field to all readers in your host fleet before deploying the update to start writing
161 // with that new attribute.
162 //
163 // For this example, we currently authenticate all attributes. To make it easier to
164 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
165 const UNSIGNED_ATTR_PREFIX: &str = ":";
166
167 // 6. Create the DynamoDb Encryption configuration for the table we will be writing to.
168 let table_config = DynamoDbTableEncryptionConfig::builder()
169 .logical_table_name(ddb_table_name)
170 .partition_key_name("partition_key")
171 .sort_key_name("sort_key")
172 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173 .keyring(hierarchical_keyring)
174 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175 .build()?;
176
177 let table_configs = DynamoDbTablesEncryptionConfig::builder()
178 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
179 .build()?;
180
181 // 7. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
182 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
183 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
184 .interceptor(DbEsdkInterceptor::new(table_configs)?)
185 .build();
186 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
187
188 // 8. Put an item into our table using the above client.
189 // Before the item gets sent to DynamoDb, it will be encrypted
190 // client-side, according to our configuration.
191 // Because the item we are writing uses "tenantId1" as our partition value,
192 // based on the code we wrote in the ExampleBranchKeySupplier,
193 // `tenant1BranchKeyId` will be used to encrypt this item.
194 let item = HashMap::from([
195 (
196 "partition_key".to_string(),
197 AttributeValue::S("tenant1Id".to_string()),
198 ),
199 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
200 (
201 "tenant_sensitive_data".to_string(),
202 AttributeValue::S("encrypt and sign me!".to_string()),
203 ),
204 ]);
205
206 ddb.put_item()
207 .table_name(ddb_table_name)
208 .set_item(Some(item.clone()))
209 .send()
210 .await?;
211
212 // 9. Get the item back from our table using the same client.
213 // The client will decrypt the item client-side, and return
214 // back the original item.
215 // Because the returned item's partition value is "tenantId1",
216 // based on the code we wrote in the ExampleBranchKeySupplier,
217 // `tenant1BranchKeyId` will be used to decrypt this item.
218 let key_to_get = HashMap::from([
219 (
220 "partition_key".to_string(),
221 AttributeValue::S("tenant1Id".to_string()),
222 ),
223 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
224 ]);
225
226 let resp = ddb
227 .get_item()
228 .table_name(ddb_table_name)
229 .set_key(Some(key_to_get))
230 .consistent_read(true)
231 .send()
232 .await?;
233
234 assert_eq!(resp.item, Some(item));
235 println!("hierarchical_keyring successful.");
236 Ok(())
237}examples/keyring/mrk_discovery_multi_keyring.rs (line 118)
37pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
38 let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
39 let key_arn = test_utils::TEST_MRK_KEY_ID;
40 let account_ids = vec![test_utils::TEST_AWS_ACCOUNT_ID.to_string()];
41 let regions = vec![test_utils::TEST_AWS_REGION.to_string()];
42
43 // 1. Create a single MRK multi-keyring using the key arn.
44 // Although this example demonstrates use of the MRK discovery multi-keyring,
45 // a discovery keyring cannot be used to encrypt. So we will need to construct
46 // a non-discovery keyring for this example to encrypt. For more information on MRK
47 // multi-keyrings, see the MultiMrkKeyringExample in this directory.
48 // Though this is an "MRK multi-keyring", we do not need to provide multiple keys,
49 // and can use single-region KMS keys. We will provide a single key here; this
50 // can be either an MRK or a single-region key.
51 let mpl_config = MaterialProvidersConfig::builder().build()?;
52 let mpl = mpl_client::Client::from_conf(mpl_config)?;
53 let encrypt_keyring = mpl
54 .create_aws_kms_mrk_multi_keyring()
55 .generator(key_arn)
56 .send()
57 .await?;
58
59 // 2. Configure which attributes are encrypted and/or signed when writing new items.
60 // For each attribute that may exist on the items we plan to write to our DynamoDbTable,
61 // we must explicitly configure how they should be treated during item encryption:
62 // - ENCRYPT_AND_SIGN: The attribute is encrypted and icncluded in the signature
63 // - SIGN_ONLY: The attribute not encrypted, but is still included in the signature
64 // - DO_NOTHING: The attribute is not encrypted and not included in the signature
65 let attribute_actions_on_encrypt = HashMap::from([
66 ("partition_key".to_string(), CryptoAction::SignOnly), // Our partition attribute must be SIGN_ONLY
67 ("sort_key".to_string(), CryptoAction::SignOnly), // Our sort attribute must be SIGN_ONLY
68 ("sensitive_data".to_string(), CryptoAction::EncryptAndSign),
69 ]);
70
71 // 3. Configure which attributes we expect to be included in the signature
72 // when reading items. There are two options for configuring this:
73 //
74 // - (Recommended) Configure `allowedUnsignedAttributesPrefix`:
75 // When defining your DynamoDb schema and deciding on attribute names,
76 // choose a distinguishing prefix (such as ":") for all attributes that
77 // you do not want to include in the signature.
78 // This has two main benefits:
79 // - It is easier to reason about the security and authenticity of data within your item
80 // when all unauthenticated data is easily distinguishable by their attribute name.
81 // - If you need to add new unauthenticated attributes in the future,
82 // you can easily make the corresponding update to your `attributeActionsOnEncrypt`
83 // and immediately start writing to that new attribute, without
84 // any other configuration update needed.
85 // Once you configure this field, it is not safe to update it.
86 //
87 // - Configure `allowedUnsignedAttributes`: You may also explicitly list
88 // a set of attributes that should be considered unauthenticated when encountered
89 // on read. Be careful if you use this configuration. Do not remove an attribute
90 // name from this configuration, even if you are no longer writing with that attribute,
91 // as old items may still include this attribute, and our configuration needs to know
92 // to continue to exclude this attribute from the signature scope.
93 // If you add new attribute names to this field, you must first deploy the update to this
94 // field to all readers in your host fleet before deploying the update to start writing
95 // with that new attribute.
96 //
97 // For this example, we currently authenticate all attributes. To make it easier to
98 // add unauthenticated attributes in the future, we define a prefix ":" for such attributes.
99 const UNSIGNED_ATTR_PREFIX: &str = ":";
100
101 // 4. Create the DynamoDb Encryption configuration for the table we will be writing to.
102 let table_config = DynamoDbTableEncryptionConfig::builder()
103 .logical_table_name(ddb_table_name)
104 .partition_key_name("partition_key")
105 .sort_key_name("sort_key")
106 .attribute_actions_on_encrypt(attribute_actions_on_encrypt.clone())
107 .keyring(encrypt_keyring)
108 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
109 .build()?;
110
111 let table_configs = DynamoDbTablesEncryptionConfig::builder()
112 .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
113 .build()?;
114
115 // 5. Create a new AWS SDK DynamoDb client using the config above
116 let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
117 let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
118 .interceptor(DbEsdkInterceptor::new(table_configs)?)
119 .build();
120 let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
121
122 // 6. Put an item into our table using the above client.
123 // Before the item gets sent to DynamoDb, it will be encrypted
124 // client-side using the MRK multi-keyring.
125 let item = HashMap::from([
126 (
127 "partition_key".to_string(),
128 AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
129 ),
130 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
131 (
132 "sensitive_data".to_string(),
133 AttributeValue::S("encrypt and sign me!".to_string()),
134 ),
135 ]);
136
137 ddb.put_item()
138 .table_name(ddb_table_name)
139 .set_item(Some(item.clone()))
140 .send()
141 .await?;
142
143 // 7. Construct a discovery filter.
144 // A discovery filter limits the set of encrypted data keys
145 // the keyring can use to decrypt data.
146 // We will only let the keyring use keys in the selected AWS accounts
147 // and in the `aws` partition.
148 // This is the suggested config for most users; for more detailed config, see
149 // https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html#kms-keyring-discovery
150 let discovery_filter = DiscoveryFilter::builder()
151 .partition("aws")
152 .account_ids(account_ids)
153 .build()?;
154
155 // 8. Construct a discovery keyring.
156 // Note that we choose to use the MRK discovery multi-keyring, even though
157 // our original keyring used a single KMS key.
158
159 let decrypt_keyring = mpl
160 .create_aws_kms_mrk_discovery_multi_keyring()
161 .discovery_filter(discovery_filter)
162 .regions(regions)
163 .send()
164 .await?;
165
166 // 9. Create new DDB config and client using the decrypt discovery keyring.
167 // This is the same as the above config, except we pass in the decrypt keyring.
168 let table_config_for_decrypt = DynamoDbTableEncryptionConfig::builder()
169 .logical_table_name(ddb_table_name)
170 .partition_key_name("partition_key")
171 .sort_key_name("sort_key")
172 .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
173 .keyring(decrypt_keyring)
174 .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
175 .build()?;
176
177 let table_configs_for_decrypt = DynamoDbTablesEncryptionConfig::builder()
178 .table_encryption_configs(HashMap::from([(
179 ddb_table_name.to_string(),
180 table_config_for_decrypt,
181 )]))
182 .build()?;
183
184 let dynamo_config_for_decrypt = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
185 .interceptor(DbEsdkInterceptor::new(table_configs_for_decrypt)?)
186 .build();
187 let ddb_for_decrypt = aws_sdk_dynamodb::Client::from_conf(dynamo_config_for_decrypt);
188
189 // 10. Get the item back from our table using the client.
190 // The client will retrieve encrypted items from the DDB table, then
191 // detect the KMS key that was used to encrypt their data keys.
192 // The client will make a request to KMS to decrypt with the encrypting KMS key.
193 // If the client has permission to decrypt with the KMS key,
194 // the client will decrypt the item client-side using the keyring
195 // and return the original item.
196 let key_to_get = HashMap::from([
197 (
198 "partition_key".to_string(),
199 AttributeValue::S("awsKmsMrkDiscoveryMultiKeyringItem".to_string()),
200 ),
201 ("sort_key".to_string(), AttributeValue::N("0".to_string())),
202 ]);
203
204 let resp = ddb_for_decrypt
205 .get_item()
206 .table_name(ddb_table_name)
207 .set_key(Some(key_to_get))
208 .consistent_read(true)
209 .send()
210 .await?;
211
212 assert_eq!(resp.item, Some(item));
213
214 println!("mrk_discovery_multi_keyring successful.");
215 Ok(())
216}Additional examples can be found in:
- examples/keyring/multi_keyring.rs
- examples/multi_get_put_example.rs
- examples/clientsupplier/client_supplier_example.rs
- examples/keyring/multi_mrk_keyring.rs
- examples/searchableencryption/compound_beacon_searchable_encryption.rs
- examples/searchableencryption/beacon_styles_searchable_encryption.rs
- examples/searchableencryption/virtual_beacon_searchable_encryption.rs
- examples/searchableencryption/basic_searchable_encryption.rs
- examples/searchableencryption/complexexample/beacon_config.rs
Trait Implementations§
Source§impl Debug for DbEsdkInterceptor
impl Debug for DbEsdkInterceptor
Source§impl Intercept for DbEsdkInterceptor
impl Intercept for DbEsdkInterceptor
Source§fn name(&self) -> &'static str
fn name(&self) -> &'static str
The name of this interceptor, used in error messages for debugging.
Source§fn modify_before_serialization(
&self,
context: &mut BeforeSerializationInterceptorContextMut<'_>,
_rc: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), BoxError>
fn modify_before_serialization( &self, context: &mut BeforeSerializationInterceptorContextMut<'_>, _rc: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), BoxError>
A hook called before the input message is marshalled into a
transport message.
This method has the ability to modify and return a new
request message of the same type. Read more
Source§fn modify_before_attempt_completion(
&self,
context: &mut FinalizerInterceptorContextMut<'_>,
_rc: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), BoxError>
fn modify_before_attempt_completion( &self, context: &mut FinalizerInterceptorContextMut<'_>, _rc: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), BoxError>
A hook called when an attempt is completed. This method has the
ability to modify and return a new output message or error
matching the currently-executing operation. Read more
Source§fn read_before_execution(
&self,
context: &BeforeSerializationInterceptorContextRef<'_>,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_before_execution( &self, context: &BeforeSerializationInterceptorContextRef<'_>, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called at the start of an execution, before the SDK
does anything else. Read more
Source§fn read_before_serialization(
&self,
context: &BeforeSerializationInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_before_serialization( &self, context: &BeforeSerializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the input message is marshalled
into a transport
message. Read more
Source§fn read_after_serialization(
&self,
context: &BeforeTransmitInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_after_serialization( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called after the input message is marshalled into
a transport message. Read more
Source§fn modify_before_retry_loop(
&self,
context: &mut BeforeTransmitInterceptorContextMut<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn modify_before_retry_loop( &self, context: &mut BeforeTransmitInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the retry loop is entered. This method
has the ability to modify and return a new transport request
message of the same type, except when a failure occurs earlier in the request pipeline. Read more
Source§fn read_before_attempt(
&self,
context: &BeforeTransmitInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_before_attempt( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before each attempt at sending the transmission
request message to the service. Read more
Source§fn modify_before_signing(
&self,
context: &mut BeforeTransmitInterceptorContextMut<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn modify_before_signing( &self, context: &mut BeforeTransmitInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the transport request message is signed.
This method has the ability to modify and return a new transport
request message of the same type. Read more
Source§fn read_before_signing(
&self,
context: &BeforeTransmitInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_before_signing( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the transport request message is signed. Read more
Source§fn read_after_signing(
&self,
context: &BeforeTransmitInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_after_signing( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called after the transport request message is signed. Read more
Source§fn modify_before_transmit(
&self,
context: &mut BeforeTransmitInterceptorContextMut<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn modify_before_transmit( &self, context: &mut BeforeTransmitInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the transport request message is sent to the
service. This method has the ability to modify and return
a new transport request message of the same type. Read more
Source§fn read_before_transmit(
&self,
context: &BeforeTransmitInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_before_transmit( &self, context: &BeforeTransmitInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the transport request message is sent to the
service. Read more
Source§fn read_after_transmit(
&self,
context: &BeforeDeserializationInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_after_transmit( &self, context: &BeforeDeserializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called after the transport request message is sent to the
service and a transport response message is received. Read more
Source§fn modify_before_deserialization(
&self,
context: &mut BeforeDeserializationInterceptorContextMut<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn modify_before_deserialization( &self, context: &mut BeforeDeserializationInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the transport response message is unmarshalled.
This method has the ability to modify and return a new transport
response message of the same type. Read more
Source§fn read_before_deserialization(
&self,
context: &BeforeDeserializationInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_before_deserialization( &self, context: &BeforeDeserializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called before the transport response message is unmarshalled Read more
Source§fn read_after_deserialization(
&self,
context: &AfterDeserializationInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_after_deserialization( &self, context: &AfterDeserializationInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called after the transport response message is unmarshalled. Read more
Source§fn read_after_attempt(
&self,
context: &FinalizerInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_after_attempt( &self, context: &FinalizerInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called when an attempt is completed. Read more
Source§fn modify_before_completion(
&self,
context: &mut FinalizerInterceptorContextMut<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn modify_before_completion( &self, context: &mut FinalizerInterceptorContextMut<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called when an execution is completed.
This method has the ability to modify and return a new
output message or error matching the currently - executing
operation. Read more
Source§fn read_after_execution(
&self,
context: &FinalizerInterceptorContextRef<'_>,
runtime_components: &RuntimeComponents,
cfg: &mut ConfigBag,
) -> Result<(), Box<dyn Error + Send + Sync>>
fn read_after_execution( &self, context: &FinalizerInterceptorContextRef<'_>, runtime_components: &RuntimeComponents, cfg: &mut ConfigBag, ) -> Result<(), Box<dyn Error + Send + Sync>>
A hook called when an execution is completed. Read more
Auto Trait Implementations§
impl Freeze for DbEsdkInterceptor
impl !RefUnwindSafe for DbEsdkInterceptor
impl Send for DbEsdkInterceptor
impl Sync for DbEsdkInterceptor
impl Unpin for DbEsdkInterceptor
impl !UnwindSafe for DbEsdkInterceptor
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreCreates a shared type from an unshared type.