cipherstash-dynamodb 0.8.3

CipherStash SDK for searchable, in-use encryption for DynamoDB
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

use crate::{
    crypto::{attrs::flattened_protected_attributes::FlattenedAttrName, SealError},
    encrypted_table::TableAttributes,
    traits::TableAttribute,
};
use cipherstash_client::{
    credentials::{service_credentials::ServiceToken, Credentials},
    encryption::Encryption,
    zerokms::EncryptedRecord,
};
use itertools::Itertools;

use super::FlattenedProtectedAttributes;

/// Represents a set of encrypted records that have not yet been normalized into an output type.
pub(crate) struct FlattenedEncryptedAttributes {
    attrs: Vec<EncryptedRecord>,
}

impl FlattenedEncryptedAttributes {
    pub(crate) fn with_capacity(capacity: usize) -> Self {
        Self {
            attrs: Vec::with_capacity(capacity),
        }
    }

    pub(crate) fn is_empty(&self) -> bool {
        self.attrs.is_empty()
    }

    pub(crate) fn len(&self) -> usize {
        self.attrs.len()
    }

    // TODO: Test this
    /// Decrypt self, returning a [FlattenedProtectedAttributes].
    pub(crate) async fn decrypt_all(
        self,
        cipher: &Encryption<impl Credentials<Token = ServiceToken>>,
    ) -> Result<FlattenedProtectedAttributes, SealError> {
        let descriptors = self
            .attrs
            .iter()
            .map(|record| record.descriptor.clone())
            .collect_vec();

        cipher
            .decrypt(self.attrs.into_iter())
            .await
            .map(|records| records.into_iter().zip(descriptors.into_iter()).collect())
            .map_err(SealError::from)
    }

    /// Denormalize the encrypted records into a TableAttributes.
    /// The descriptor is parsed into a [FlattenedKey] which is used to determine the key and subkey.
    /// If a subkey is present, the attribute is inserted to a map with the key and subkey.
    pub(crate) fn denormalize(self) -> Result<TableAttributes, SealError> {
        self.attrs
            .into_iter()
            .map(|record| {
                record
                    .to_vec()
                    .map(|data| (FlattenedAttrName::parse(&record.descriptor), data))
                    .map_err(|_| SealError::AssertionFailed("Decryption failed".to_string()))
            })
            .fold_ok(
                Ok(TableAttributes::new()),
                |acc, (flattened_attr_name, bytes)| {
                    let (name, subkey) = flattened_attr_name.into_parts();
                    if let Some(subkey) = subkey {
                        acc.and_then(|mut acc| acc.try_insert_map(name, subkey, bytes).map(|_| acc))
                    } else {
                        acc.map(|mut acc| {
                            acc.insert(name, bytes);
                            acc
                        })
                    }
                },
            )?
    }

    // TODO: Test this
    /// Normalize the TableAttributes into a set of encrypted records.
    /// An error will be returned if the TableAttributes contain an unsupported attribute type
    /// (only `Bytes` and `Map` are currently supported).
    ///
    /// Bytes data is converted to an [EncryptedRecord] using [TableAttribute::as_encrypted_record]
    /// which validates that the descriptor matches the key and subkey.
    ///
    /// This method is used during decrypt and load operations.
    pub(crate) fn try_extend(
        &mut self,
        attributes: TableAttributes,
        prefix: String,
    ) -> Result<(), SealError> {
        for (name, value) in attributes.into_iter() {
            match value {
                TableAttribute::Map(map) => {
                    for (subkey, value) in map.into_iter() {
                        let attr_key = FlattenedAttrName::new(Some(prefix.clone()), name.clone())
                            .with_subkey(subkey);
                        // Load the bytes and check for a confused deputy attack
                        let record = value.as_encrypted_record(&attr_key.descriptor())?;
                        self.attrs.push(record);
                    }
                }
                TableAttribute::Bytes(_) => {
                    let attr_key = FlattenedAttrName::new(Some(prefix.clone()), name);
                    // Load the bytes and check for a confused deputy attack
                    let record = value.as_encrypted_record(&attr_key.descriptor())?;
                    self.attrs.push(record);
                }
                _ => {
                    Err(SealError::AssertionFailed(
                        "Unsupported attribute type".to_string(),
                    ))?;
                }
            }
        }

        Ok(())
    }
}

impl From<Vec<EncryptedRecord>> for FlattenedEncryptedAttributes {
    fn from(attrs: Vec<EncryptedRecord>) -> Self {
        Self { attrs }
    }
}

impl FromIterator<EncryptedRecord> for FlattenedEncryptedAttributes {
    fn from_iter<T: IntoIterator<Item = EncryptedRecord>>(iter: T) -> Self {
        Self {
            attrs: iter.into_iter().collect(),
        }
    }
}