Introducing replication feature for Intermediate Keys

SalusaSecondus · SalusaSecondus · commit 6c23b31d88b2 · 2018-08-13T09:57:44.000-07:00
diff --git a/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/store/MetaStore.java b/src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/store/MetaStore.java
@@ -142,6 +142,32 @@ public long getVersionFromMaterialDescription(final Map<String, String> descript
             throw new IllegalArgumentException("No meta id found");
         }
     }
+
+    /**
+     * This API retrieves the intermediate keys from the source region and replicates it in the target region.
+     * @param materialName
+     * @param version
+     * @param targetMetaStore
+     */
+    public void replicate(final String materialName, final long version, final MetaStore targetMetaStore) {
+        try {
+            final Map<String, AttributeValue> ddbKey = new HashMap<String, AttributeValue>();
+            ddbKey.put(DEFAULT_HASH_KEY, new AttributeValue().withS(materialName));
+            ddbKey.put(DEFAULT_RANGE_KEY, new AttributeValue().withN(Long.toString(version)));
+            final Map<String, AttributeValue> item = ddbGet(ddbKey);
+            if (item == null || item.isEmpty()) {
+                throw new IndexOutOfBoundsException("No material found: " + materialName + "#" + version);
+            }
+
+            final Map<String, AttributeValue> plainText = getPlainText(item);
+            final Map<String, AttributeValue> encryptedText = targetMetaStore.getEncryptedText(plainText);
+            final PutItemRequest put = new PutItemRequest().withTableName(targetMetaStore.tableName).withItem(encryptedText)
+                    .withExpected(doesNotExist);
+            targetMetaStore.ddb.putItem(put);
+        } catch (ConditionalCheckFailedException e) {
+            //Item already present.
+        }
+    }
     /**
      * Creates a DynamoDB Table with the correct properties to be used with a ProviderStore.
      */
@@ -187,36 +213,43 @@ private Map<String, AttributeValue> encryptKeys(final String name, final long ve
         plaintext
         .put(INTEGRITY_KEY_FIELD, new AttributeValue().withB(ByteBuffer.wrap(integrityKey.getEncoded())));
         plaintext.put(INTEGRITY_ALGORITHM_FIELD, new AttributeValue().withS(integrityKey.getAlgorithm()));
+        return getEncryptedText(plaintext);
+    }
+
+    private EncryptionMaterialsProvider decryptProvider(final Map<String, AttributeValue> item) {
+        final Map<String, AttributeValue> plaintext = getPlainText(item);
 
+        final String type = plaintext.get(MATERIAL_TYPE_VERSION).getS();
+        final SecretKey encryptionKey;
+        final SecretKey integrityKey;
+        // This switch statement is to make future extensibility easier and more obvious
+        switch (type) {
+            case "0": // Only currently supported type
+                encryptionKey = new SecretKeySpec(plaintext.get(ENCRYPTION_KEY_FIELD).getB().array(),
+                        plaintext.get(ENCRYPTION_ALGORITHM_FIELD).getS());
+                integrityKey = new SecretKeySpec(plaintext.get(INTEGRITY_KEY_FIELD).getB().array(), plaintext
+                        .get(INTEGRITY_ALGORITHM_FIELD).getS());
+                break;
+            default:
+                throw new IllegalStateException("Unsupported material type: " + type);
+        }
+        return new WrappedMaterialsProvider(encryptionKey, encryptionKey, integrityKey,
+                buildDescription(plaintext));
+    }
+
+    private Map<String, AttributeValue> getPlainText(Map<String, AttributeValue> item) {
         try {
-            return encryptor.encryptAllFieldsExcept(plaintext, ddbCtx, DEFAULT_HASH_KEY,
-                    DEFAULT_RANGE_KEY);
+            return encryptor.decryptAllFieldsExcept(item,
+                    ddbCtx, DEFAULT_HASH_KEY, DEFAULT_RANGE_KEY);
         } catch (final GeneralSecurityException e) {
             throw new AmazonClientException(e);
         }
     }
 
-    private EncryptionMaterialsProvider decryptProvider(final Map<String, AttributeValue> item) {
+    private Map<String, AttributeValue> getEncryptedText(Map<String, AttributeValue> plaintext) {
         try {
-            final Map<String, AttributeValue> plaintext = encryptor.decryptAllFieldsExcept(item,
-                    ddbCtx, DEFAULT_HASH_KEY, DEFAULT_RANGE_KEY);
-
-            final String type = plaintext.get(MATERIAL_TYPE_VERSION).getS();
-            final SecretKey encryptionKey;
-            final SecretKey integrityKey;
-            // This switch statement is to make future extensibility easier and more obvious
-            switch (type) {
-                case "0": // Only currently supported type
-                    encryptionKey = new SecretKeySpec(plaintext.get(ENCRYPTION_KEY_FIELD).getB().array(),
-                            plaintext.get(ENCRYPTION_ALGORITHM_FIELD).getS());
-                    integrityKey = new SecretKeySpec(plaintext.get(INTEGRITY_KEY_FIELD).getB().array(), plaintext
-                            .get(INTEGRITY_ALGORITHM_FIELD).getS());
-                    break;
-                default:
-                    throw new IllegalStateException("Unsupported material type: " + type);
-            }
-            return new WrappedMaterialsProvider(encryptionKey, encryptionKey, integrityKey,
-                    buildDescription(plaintext));
+            return encryptor.encryptAllFieldsExcept(plaintext, ddbCtx, DEFAULT_HASH_KEY,
+                    DEFAULT_RANGE_KEY);
         } catch (final GeneralSecurityException e) {
             throw new AmazonClientException(e);
         }
diff --git a/src/test/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/store/MetaStoreTests.java b/src/test/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/store/MetaStoreTests.java
@@ -36,29 +36,40 @@
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.EncryptionMaterials;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.SymmetricStaticProvider;
-import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.store.MetaStore;
-import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.store.ProviderStore;
 import com.amazonaws.services.dynamodbv2.model.ProvisionedThroughput;
 
 public class MetaStoreTests {
-    private static final String TABLE_NAME = "keystoreTable";
+    private static final String SOURCE_TABLE_NAME = "keystoreTable";
+    private static final String DESTINATION_TABLE_NAME = "keystoreDestinationTable";
     private static final String MATERIAL_NAME = "material";
     private static final SecretKey AES_KEY = new SecretKeySpec(new byte[] { 0,
             1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, "AES");
+    private static final SecretKey TARGET_AES_KEY = new SecretKeySpec(new byte[] { 0,
+            2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30 }, "AES");
     private static final SecretKey HMAC_KEY = new SecretKeySpec(new byte[] { 0,
             1, 2, 3, 4, 5, 6, 7 }, "HmacSHA256");
+    private static final SecretKey TARGET_HMAC_KEY = new SecretKeySpec(new byte[] { 0,
+            2, 4, 6, 8, 10, 12, 14 }, "HmacSHA256");
     private static final EncryptionMaterialsProvider BASE_PROVIDER = new SymmetricStaticProvider(AES_KEY, HMAC_KEY);
+    private static final EncryptionMaterialsProvider TARGET_BASE_PROVIDER = new SymmetricStaticProvider(TARGET_AES_KEY, TARGET_HMAC_KEY);
     private static final DynamoDBEncryptor ENCRYPTOR = DynamoDBEncryptor.getInstance(BASE_PROVIDER);
+    private static final DynamoDBEncryptor TARGET_ENCRYPTOR = DynamoDBEncryptor.getInstance(TARGET_BASE_PROVIDER);
 
     private AmazonDynamoDB client;
-    private ProviderStore store;
+    private AmazonDynamoDB targetClient;
+    private MetaStore store;
+    private MetaStore targetStore;
     private EncryptionContext ctx;
 
     @Before
     public void setup() {
         client = synchronize(DynamoDBEmbedded.create(), AmazonDynamoDB.class);
-        MetaStore.createTable(client, TABLE_NAME, new ProvisionedThroughput(1L, 1L));
-        store = new MetaStore(client, TABLE_NAME, ENCRYPTOR);
+        targetClient = synchronize(DynamoDBEmbedded.create(), AmazonDynamoDB.class);
+        MetaStore.createTable(client, SOURCE_TABLE_NAME, new ProvisionedThroughput(1L, 1L));
+        //Creating Targeted DynamoDB Object
+        MetaStore.createTable(targetClient, DESTINATION_TABLE_NAME, new ProvisionedThroughput(1L, 1L));
+        store = new MetaStore(client, SOURCE_TABLE_NAME, ENCRYPTOR);
+        targetStore = new MetaStore(targetClient, DESTINATION_TABLE_NAME, TARGET_ENCRYPTOR);
         ctx = new EncryptionContext.Builder().build();
     }
 
@@ -172,6 +183,28 @@ public void getOrCreateCollision() {
         assertEquals(eMat.getSigningKey(), dMat.getVerificationKey());
     }
 
+    @Test
+    public void replicateIntermediateKeysTest() {
+        assertEquals(-1, store.getMaxVersion(MATERIAL_NAME));
+
+        final EncryptionMaterialsProvider prov1 = store.getOrCreate(MATERIAL_NAME, 0);
+        assertEquals(0, store.getMaxVersion(MATERIAL_NAME));
+
+        store.replicate(MATERIAL_NAME, 0, targetStore);
+        assertEquals(0, targetStore.getMaxVersion(MATERIAL_NAME));
+
+        final EncryptionMaterials eMat = prov1.getEncryptionMaterials(ctx);
+        final DecryptionMaterials dMat = targetStore.getProvider(MATERIAL_NAME, 0).getDecryptionMaterials(ctx(eMat));
+
+        assertEquals(eMat.getEncryptionKey(), dMat.getDecryptionKey());
+        assertEquals(eMat.getSigningKey(), dMat.getVerificationKey());
+    }
+
+    @Test(expected = IndexOutOfBoundsException.class)
+    public void replicateIntermediateKeysWhenMaterialNotFoundTest() {
+        store.replicate(MATERIAL_NAME, 0, targetStore);
+    }
+
     @Test
     public void newProviderCollision() throws InterruptedException {
         final SlowNewProvider slowProv = new SlowNewProvider();
@@ -207,7 +240,7 @@ private static EncryptionContext ctx(final EncryptionMaterials mat) {
 
     private class SlowNewProvider extends Thread {
         public volatile EncryptionMaterialsProvider result;
-        public ProviderStore slowStore = new MetaStore(client, TABLE_NAME, ENCRYPTOR) {
+        public ProviderStore slowStore = new MetaStore(client, SOURCE_TABLE_NAME, ENCRYPTOR) {
             @Override
             public EncryptionMaterialsProvider newProvider(final String materialName) {
                 final long nextId = getMaxVersion(materialName) + 1;
