chore(python): DDBEC Legacy Extern

Author: imabhichow

.github/workflows/ci_examples_python.yml

@@ -95,4 +95,4 @@ jobs:
           # Run simple examples
           tox -e dynamodbencryption
           # Run migration examples
-          # tox -e migration
+          tox -e migration

DynamoDbEncryption/runtimes/python/pyproject.toml

@@ -13,6 +13,7 @@ include = ["**/internaldafny/generated/*.py"]
 [tool.poetry.dependencies]
 python = "^3.11.0"
 aws-cryptographic-material-providers = { path = "../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/runtimes/python", develop = false}
+dynamodb_encryption_sdk = "^3.3.0"
 
 # Package testing
 

DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/internaldafny/extern/InternalLegacyOverride.py

@@ -2,15 +2,38 @@
 # SPDX-License-Identifier: Apache-2.0
 from aws_dbesdk_dynamodb.internaldafny.generated.AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes import (
     DynamoDbItemEncryptorConfig_DynamoDbItemEncryptorConfig,
+    Error_DynamoDbItemEncryptorException,
+    EncryptItemOutput_EncryptItemOutput,
+    DecryptItemOutput_DecryptItemOutput,
+    DecryptItemInput_DecryptItemInput,
+    EncryptItemInput_EncryptItemInput,
+)
+from aws_dbesdk_dynamodb.internaldafny.generated.AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes import (
+    CryptoAction_ENCRYPT__AND__SIGN,
+    CryptoAction_SIGN__ONLY,
+    CryptoAction_DO__NOTHING,
+)
+from aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb.references import (
+    ILegacyDynamoDbEncryptor,
 )
 import smithy_dafny_standard_library.internaldafny.generated.Wrappers as Wrappers
 import _dafny
 
 import aws_dbesdk_dynamodb.internaldafny.generated.InternalLegacyOverride
+from aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor.models import (
+    EncryptItemInput,
+    EncryptItemOutput,
+    DecryptItemOutput,
+    DecryptItemInput,
+)
+
 
 try:
     from dynamodb_encryption_sdk.encrypted.client import EncryptedClient
-    from dynamodb_encryption_sdk.structures import EncryptionContext
+    from dynamodb_encryption_sdk.structures import EncryptionContext, AttributeActions
+    from dynamodb_encryption_sdk.identifiers import CryptoAction
+    from dynamodb_encryption_sdk.encrypted import CryptoConfig
+    from dynamodb_encryption_sdk.internal.identifiers import ReservedAttributes
 
     _HAS_LEGACY_DDBEC = True
 except ImportError:
@@ -25,16 +48,12 @@ def Build(config: DynamoDbItemEncryptorConfig_DynamoDbItemEncryptorConfig):
 
         legacy_override = config.legacyOverride.value
 
-        maybe_encryptor = aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb.dafny_to_smithy.aws_cryptography_dbencryptionsdk_dynamodb_LegacyDynamoDbEncryptorReference(
-            legacy_override.encryptor
-        )
-
         # Precondition: The encryptor MUST be a DynamoDBEncryptor
         if not _HAS_LEGACY_DDBEC:
             return InternalLegacyOverride.CreateBuildFailure(
                 InternalLegacyOverride.CreateError("Could not find aws-dynamodb-encryption-python installation")
             )
-        if not isinstance(maybe_encryptor, EncryptedClient):
+        if not isinstance(legacy_override.encryptor, EncryptedClient):
             return InternalLegacyOverride.CreateBuildFailure(
                 InternalLegacyOverride.CreateError("Legacy encryptor is not supported")
             )
@@ -49,14 +68,35 @@ def Build(config: DynamoDbItemEncryptorConfig_DynamoDbItemEncryptorConfig):
         if maybe_actions.is_Failure:
             return InternalLegacyOverride.CreateBuildFailure(maybe_actions.error())
 
-        # TODO: Implement this
+        # Create and return the legacy override instance
+        legacy_instance = InternalLegacyOverride()
+        legacy_instance.encryptor = legacy_override.encryptor
+        legacy_instance.policy = legacy_override.policy
+        # # Access the value property, not calling it as a function
+        # legacy_instance.encryption_context = maybe_encryption_context.value
+        # # Access the value property, not calling it as a function
+        # legacy_instance.attribute_actions = maybe_actions.value
+        legacy_instance.crypto_config = CryptoConfig(
+            materials_provider=legacy_override.encryptor._materials_provider,
+            encryption_context=maybe_encryption_context.value,
+            attribute_actions=maybe_actions.value,
+        )
+        return InternalLegacyOverride.CreateBuildSuccess(
+            InternalLegacyOverride.CreateInternalLegacyOverrideSome(legacy_instance)
+        )
+
+    def __init__(self):
+        super().__init__()
+        self.encryptor = None
+        self.crypto_config = None
+        self.policy = None
 
     @staticmethod
     def legacyEncryptionContext(config: DynamoDbItemEncryptorConfig_DynamoDbItemEncryptorConfig):
         try:
             encryption_context_kwargs = {
                 "table_name": _dafny.string_of(config.logicalTableName),
-                "hash_key_name": _dafny.string_of(config.partitionKeyName),
+                "partition_key_name": _dafny.string_of(config.partitionKeyName),
             }
             if config.sortKeyName.is_Some:
                 encryption_context_kwargs["sort_key_name"] = _dafny.string_of(config.sortKeyName.value)
@@ -67,23 +107,143 @@ def legacyEncryptionContext(config: DynamoDbItemEncryptorConfig_DynamoDbItemEncr
 
     @staticmethod
     def legacyActions(attribute_actions_on_encrypt):
-        # TODO: Implement this
-        pass
+        try:
+            # Create a new AttributeActions with default ENCRYPT_AND_SIGN
+            legacy_actions = AttributeActions(default_action=CryptoAction.ENCRYPT_AND_SIGN)
+
+            # Map the action from the config to legacy actions
+            attribute_actions = {}
+            for key, action in attribute_actions_on_encrypt.items:
+                # Convert the string key to Python string
+                key_str = _dafny.string_of(key)
+
+                # Map the action type to the appropriate CryptoAction
+                if action == CryptoAction_ENCRYPT__AND__SIGN():
+                    attribute_actions[key_str] = CryptoAction.ENCRYPT_AND_SIGN
+                elif action == CryptoAction_SIGN__ONLY():
+                    attribute_actions[key_str] = CryptoAction.SIGN_ONLY
+                elif action == CryptoAction_DO__NOTHING():
+                    attribute_actions[key_str] = CryptoAction.DO_NOTHING
+                else:
+                    return InternalLegacyOverride.CreateBuildFailure(
+                        InternalLegacyOverride.CreateError(f"Unknown action type: {action}")
+                    )
+
+            # Update the attribute_actions dictionary
+            legacy_actions.attribute_actions = attribute_actions
+            return InternalLegacyOverride.CreateBuildSuccess(legacy_actions)
+        except Exception as e:
+            return InternalLegacyOverride.CreateBuildFailure(InternalLegacyOverride.CreateError(str(e)))
 
-    @staticmethod
-    def EncryptItem(input):
-        # TODO: Implement this
-        return Wrappers.Result_Failure("TODO-legacy-Encryptitem")
+    def EncryptItem(self, input: EncryptItemInput_EncryptItemInput):
+        """Encrypt an item using the legacy DynamoDB encryptor.
 
-    @staticmethod
-    def DecryptItem(input):
-        # TODO: Implement this
-        return Wrappers.Result_Failure("TODO-legacy-Decryptitem")
+        Args:
+            input: EncryptItemInput containing the plaintext item to encrypt
+
+        Returns:
+            Result containing the encrypted item or an error
+        """
+        try:
+            # Check policy
+            if not self.policy.is_FORCE__LEGACY__ENCRYPT__ALLOW__LEGACY__DECRYPT:
+                return Wrappers.Result_Failure(
+                    InternalLegacyOverride.CreateError("Legacy policy does not support encrypt")
+                )
+
+            # Get the Native Plaintext Item
+            native_input = aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor.dafny_to_smithy.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor_EncryptItemInput(
+                input
+            )
+
+            # Use the encryptor to encrypt the item using the instance attributes
+            encrypted_item = self.encryptor._encrypt_item(
+                item=native_input.plaintext_item, crypto_config=self.crypto_config
+            )
+
+            # Return the encrypted item
+            # The legacy encryption client returns items in the format that Dafny expects,
+            # so no additional conversion is needed here
+            native_output = EncryptItemOutput(encrypted_item=encrypted_item, parsed_header=None)
+            dafny_output = aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor.smithy_to_dafny.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor_EncryptItemOutput(
+                native_output
+            )
+            return Wrappers.Result_Success(dafny_output)
+
+        except Exception as e:
+            # Return an appropriate error result with the exception details
+            return Wrappers.Result_Failure(InternalLegacyOverride.CreateError(f"Error during encryption: {str(e)}"))
+
+    def DecryptItem(self, input: DecryptItemInput_DecryptItemInput):
+        """Decrypt an item using the legacy DynamoDB encryptor.
+
+        Args:
+            input: DecryptItemInput containing the encrypted item to decrypt
+
+        Returns:
+            Result containing the decrypted item or an error
+        """
+        try:
+            # Check policy
+            if not (
+                self.policy.is_FORCE__LEGACY__ENCRYPT__ALLOW__LEGACY__DECRYPT
+                or self.policy.is_FORBID__LEGACY__ENCRYPT__ALLOW__LEGACY__DECRYPT
+            ):
+                return Wrappers.Result_Failure(
+                    InternalLegacyOverride.CreateError("Legacy policy does not support decrypt")
+                )
+
+            # Get the Native DecryptItemInput
+            native_input: DecryptItemInput = (
+                aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor.dafny_to_smithy.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor_DecryptItemInput(
+                    input
+                )
+            )
+            # Use the encryptor to decrypt the item using the instance attributes
+            decrypted_item = self.encryptor._decrypt_item(
+                item=native_input.encrypted_item, crypto_config=self.crypto_config
+            )
+
+            native_output = DecryptItemOutput(plaintext_item=decrypted_item, parsed_header=None)
+            dafny_output = aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor.smithy_to_dafny.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor_DecryptItemOutput(
+                native_output
+            )
+            return Wrappers.Result_Success(dafny_output)
+        except Exception as e:
+            # Return an appropriate error result with the exception details
+            return Wrappers.Result_Failure(InternalLegacyOverride.CreateError(f"Error during decryption: {str(e)}"))
+
+    def IsLegacyInput(self, input: DecryptItemInput_DecryptItemInput):
+        """Determine if the input is from a legacy client."""
+        try:
+            if not _HAS_LEGACY_DDBEC:
+                return False
+
+            if not input.is_DecryptItemInput:
+                return False
+
+            # Get the Native DecryptItemInput
+            native_input: DecryptItemInput = (
+                aws_dbesdk_dynamodb.smithygenerated.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor.dafny_to_smithy.aws_cryptography_dbencryptionsdk_dynamodb_itemencryptor_DecryptItemInput(
+                    input
+                )
+            )
+            # = specification/dynamodb-encryption-client/decrypt-item.md#determining-legacy-items
+            ## An item MUST be determined to be encrypted under the legacy format if it contains
+            ## attributes for the material description and the signature.
+            return (
+                "*amzn-ddb-map-desc*" in native_input.encrypted_item
+                and "*amzn-ddb-map-sig*" in native_input.encrypted_item
+            )
+
+        except Exception as e:
+            # If we encounter any error during detection, default to not using legacy
+            return Wrappers.Result_Failure(InternalLegacyOverride.CreateError(f"Error in IsLegacyInput: {e}"))
 
     @staticmethod
-    def IsLegacyinput(input):
-        # TODO: Implement this
-        return False
+    def CreateError(message):
+        """Create an Error with the given message."""
+        return Error_DynamoDbItemEncryptorException(message)
 
 
 aws_dbesdk_dynamodb.internaldafny.generated.InternalLegacyOverride.InternalLegacyOverride = InternalLegacyOverride

DynamoDbEncryption/runtimes/python/tox.ini

@@ -62,6 +62,7 @@ commands =
     ruff check \
         src/aws_dbesdk_dynamodb/ \
         ../../../Examples/runtimes/python/DynamoDBEncryption/ \
+        ../../../Examples/runtimes/python/Migration/ \
         test/ \
         {posargs}
 
@@ -75,6 +76,7 @@ commands =
     black --line-length 120 \
         src/aws_dbesdk_dynamodb/ \
         ../../../Examples/runtimes/python/DynamoDBEncryption/ \
+        ../../../Examples/runtimes/python/Migration/ \
         test/ \
         {posargs}
 

Examples/runtimes/python/Migration/.gitignore

@@ -0,0 +1,17 @@
+# Python build artifacts
+__pycache__
+**/__pycache__
+*.pyc
+src/**.egg-info/
+build
+poetry.lock
+**/poetry.lock
+dist
+
+# Dafny-generated Python
+**/internaldafny/generated/*.py
+
+# Python test artifacts
+.tox
+.pytest_cache
+

Examples/runtimes/python/Migration/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/Migration/src/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/README.md

@@ -0,0 +1,69 @@
+# Migration Examples: Legacy DynamoDB Encryption Client to AWS Database Encryption SDK
+
+These examples demonstrate a complete migration path from the legacy AWS DynamoDB Encryption Client Python library to the new AWS Database Encryption SDK for DynamoDB.
+
+## Overview
+
+The migration process is demonstrated through a series of example steps that show how to gradually transition from the legacy client to the new SDK while maintaining compatibility with previously encrypted data.
+
+## Migration Steps
+
+### Step 0: Legacy DynamoDB Encryption Client
+
+[migration_step_0.py](./ddbec/migration_step_0.py) demonstrates using the legacy DynamoDB Encryption Client to encrypt and decrypt items. This represents the starting point for migration.
+
+Key concepts:
+
+- Setting up the legacy client with an AWS KMS cryptographic materials provider
+- Defining attribute actions for encryption/signing
+- Storing and retrieving encrypted items
+
+### Step 1: AWS Database Encryption SDK with Legacy Override
+
+[migration_step_1.py](./awsdbe/migration_step_1.py) demonstrates how to start using the AWS Database Encryption SDK with a pre-existing table used with the DynamoDB Encryption Client.
+
+Key concepts:
+
+- Configure AWS DBESDK to read items encrypted in the legacy format
+- Continue to encrypt items in the legacy format (FORCE_LEGACY_ENCRYPT_ALLOW_DECRYPT policy)
+- Read items encrypted in the new format
+- Deploy this step to all readers before moving to step 2
+
+### Step 2: Full Migration to AWS Database Encryption SDK
+
+[migration_step_2.py](./awsdbe/migration_step_2.py) demonstrates the next step in the migration process, using both the pure AWS DBESDK client and the legacy-override client side by side.
+
+Key concepts:
+
+- Create a pure AWS DBESDK client for new data
+- Keep using legacy-override client when needed for legacy data
+- Re-encrypt legacy data with the new client
+- Demonstrate that the legacy-override client can read both formats
+
+### Step 3: Complete Migration - Using Only AWS DBESDK
+
+[migration_step_3.py](./awsdbe/migration_step_3.py) demonstrates the final state of the migration, where all data has been re-encrypted using the new format.
+
+Key concepts:
+
+- Use only the pure AWS DBESDK client (no more legacy override)
+- Verify all previously re-encrypted data is readable
+- Add new data using the pure client
+
+## Prerequisites
+
+Before running these examples:
+
+1. Replace `common.KMS_KEY_ID` with a valid AWS KMS key ID or alias
+2. Ensure you have AWS credentials configured with permissions for:
+   - DynamoDB (CreateTable, PutItem, GetItem, etc.)
+   - KMS (GenerateDataKey, Decrypt)
+3. Have both libraries installed:
+   - Legacy library: `pip install dynamodb-encryption-sdk`
+   - New SDK: `pip install aws-dbesdk-dynamodb`
+
+## Important Notes
+
+- These examples create a real DynamoDB table and perform actual AWS KMS operations, which may incur AWS charges
+- By default, the examples leave the created table intact when they finish - uncomment the table deletion code in the example scripts if you want to clean up resources
+- These examples are focused on demonstrating a migration path and are not production-ready code

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""

Examples/runtimes/python/Migration/src/ddbec_to_awsdbe/awsdbe/__init__.py

@@ -0,0 +1,3 @@
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Stub to allow relative imports of examples from tests."""