diff --git a/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java b/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java
index 07e4fcfa..37ffbf44 100644
--- a/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java
+++ b/examples/src/main/java/com/amazonaws/examples/EncryptionContextOverridesWithDynamoDBMapper.java
@@ -46,7 +46,7 @@
  * "partition_attribute" for Strings and a sort (range) key named "sort_attribute" for numbers. */
 public class EncryptionContextOverridesWithDynamoDBMapper {
-  public static final String TABLE_NAME_TO_OVERRIDE = "ExampleTableForEncryptionContextOverrides";
+  public static final String ORIGINAL_TABLE_NAME_TO_OVERRIDE = "ExampleTableForEncryptionContextOverrides";
   public static final String PARTITION_ATTRIBUTE = "partition_attribute";
   public static final String SORT_ATTRIBUTE = "sort_attribute";
@@ -78,7 +78,7 @@ public static void main(String[] args) throws GeneralSecurityException {
   public static void encryptRecord(
       final String cmkArn,
-      final String newEncryptionContextTableName,
+      final String currentTableName,
       AmazonDynamoDB ddbClient,
       AWSKMS kmsClient)
       throws GeneralSecurityException {
@@ -95,7 +95,7 @@ public static void encryptRecord(
     final DynamoDBEncryptor encryptor = DynamoDBEncryptor.getInstance(cmp);
     Map tableNameEncryptionContextOverrides = new HashMap<>();
-    tableNameEncryptionContextOverrides.put(TABLE_NAME_TO_OVERRIDE, newEncryptionContextTableName);
+    tableNameEncryptionContextOverrides.put(ORIGINAL_TABLE_NAME_TO_OVERRIDE, currentTableName);
     tableNameEncryptionContextOverrides.put(
         "AnotherExampleTableForEncryptionContextOverrides", "this table doesn't exist");
@@ -133,7 +133,7 @@ public static void encryptRecord(
     final EnumSet encryptAndSign = EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN);
     final Map encryptedItem =
-        ddbClient.getItem(TABLE_NAME_TO_OVERRIDE, itemKey).getItem();
+        ddbClient.getItem(ORIGINAL_TABLE_NAME_TO_OVERRIDE, itemKey).getItem();
     System.out.println("Encrypted Record: " + encryptedItem);
     Map> encryptionFlags = new HashMap<>();
@@ -151,11 +151,11 @@ public static void encryptRecord(
             new EncryptionContext.Builder()
                 .withHashKeyName(PARTITION_ATTRIBUTE)
                 .withRangeKeyName(SORT_ATTRIBUTE)
-                .withTableName(newEncryptionContextTableName)
+                .withTableName(currentTableName)
                 .build());
     System.out.printf(
         "The example item was encrypted using the table name '%s' in the EncryptionContext%n",
-        newEncryptionContextTableName);
+        currentTableName);
     // The decrypted field matches the original field before encryption
     assert record
@@ -163,7 +163,7 @@ public static void encryptRecord(
         .equals(decrypted_without_override_record.get(STRING_FIELD_NAME).getS());
   }
-  @DynamoDBTable(tableName = TABLE_NAME_TO_OVERRIDE)
+  @DynamoDBTable(tableName = ORIGINAL_TABLE_NAME_TO_OVERRIDE)
   public static final class ExampleItem {
     private String partitionAttribute;
     private int sortAttribute;
diff --git a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java
index e9adbd28..a8edbb4f 100644
--- a/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java
+++ b/sdk1/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/utils/EncryptionContextOperators.java
@@ -25,26 +25,33 @@ public class EncryptionContextOperators {
   private EncryptionContextOperators() {}
   /**
-   * An operator for overriding EncryptionContext's table name for a specific DynamoDBEncryptor. If
-   * any table names or the encryption context itself is null, then it returns the original
-   * EncryptionContext.
+   * An operator for overriding EncryptionContext's table name for a specific DynamoDBEncryptor.
+   * If any table names or the encryption context is null, it returns the original EncryptionContext.
    *
-   * @param originalTableName the name of the table that should be overridden in the Encryption
-   *     Context
-   * @param newTableName the table name that should be used in the Encryption Context
+   * The client automatically adds the current table name to the encryption context
+   * so it's bound to the ciphertext.
+   * Use this method when the encryption context of encrypted table items includes a different table name,
+   * such as when a table is backed up, or table items are moved/copied to a different table.
+   * If you don't override the name of the current table
+   * with the table name in the encryption context, decrypt fails.
+   * This override affects the encryption context of all table items,
+   * including newly encrypted items.
+   *
+   * @param originalTableName Use this table name in the encryption context
+   * @param currentTableName Override this table name in the encryption context
    * @return A UnaryOperator that produces a new EncryptionContext with the supplied table name
    */
   public static UnaryOperator overrideEncryptionContextTableName(
-      String originalTableName, String newTableName) {
+      String originalTableName, String currentTableName) {
     return encryptionContext -> {
       if (encryptionContext == null
           || encryptionContext.getTableName() == null
           || originalTableName == null
-          || newTableName == null) {
+          || currentTableName == null) {
         return encryptionContext;
       }
       if (originalTableName.equals(encryptionContext.getTableName())) {
-        return new EncryptionContext.Builder(encryptionContext).withTableName(newTableName).build();
+        return new EncryptionContext.Builder(encryptionContext).withTableName(currentTableName).build();
       } else {
         return encryptionContext;
       }
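Review bot: The new `@param` text describes the two parameters the opposite way round from the unchanged lambda below it: the code compares `originalTableName` against `encryptionContext.getTableName()` and, on a match, substitutes `currentTableName`, so `originalTableName` is the name being replaced and `currentTableName` is the name that ends up in the context bound to the ciphertext, whereas the Javadoc presents `originalTableName` as the name to use and `currentTableName` as the name to override. The example hunk in EncryptionContextOverridesWithDynamoDBMapper.java (`put(ORIGINAL_TABLE_NAME_TO_OVERRIDE, currentTableName)`) follows the code's direction, not the Javadoc's. I would write `@param originalTableName the table name to replace when it appears in the encryption context` and `@param currentTableName the table name to put into the encryption context in its place`, and reword "If you don't override the name of the current table with the table name in the encryption context, decrypt fails" to the same direction, since a caller who follows the inverted text passes the arguments swapped, the override never matches, and decryption of every item fails. The new narrative paragraphs also lack `<p>` separators, so javadoc renders them as one run-on paragraph. The lambda and the method are closed outside the hunk.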