Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrading "Do Nothing" model to one with a single action fails to decrypt old items #177

Open
lavaleri opened this issue Jul 17, 2021 · 0 comments
Open

Upgrading "Do Nothing" model to one with a single action fails to decrypt old items #177

lavaleri opened this issue Jul 17, 2021 · 0 comments
Labels
bug

Comments

@lavaleri
Copy link
Contributor

Problem:

According to our documentation it should always be possible to add new attributes to our model without issue: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/data-model.html#add-attribute

However, if you start with data encrypted using

    actions = AttributeActions(
        default_action=CryptoAction.DO_NOTHING
    )

And update to using

    actions = AttributeActions(
        default_action=CryptoAction.DO_NOTHING, attribute_actions={"someNewField": CryptoAction.ENCRYPT_AND_SIGN}
    )

You run into issues. This is because data under the first model doesn't have a material description or signature written with it. Once the model is updated to include an action other than DO_NOTHING, it always expects there to be a material description and signature, even if the record it's attempting to decrypt doesn't include someNewField yet.

Solution:

We should probably update the logic here to also pass through if the item under decrypt specifically doesn't have attributes where encryption or signing is needed, even if the attributeActions includes an encrypt or sign action for a non-present field.

aws-dynamodb-encryption-python/src/dynamodb_encryption_sdk/encrypted/item.py

Lines 176 to 178 in 25c7c3d

if crypto_config.attribute_actions.take_no_actions:
# If we explicitly have been told not to do anything to this item, just copy it.
return item.copy()

aws-dynamodb-encryption-python/src/dynamodb_encryption_sdk/structures.py

Lines 137 to 148 in 25c7c3d

def __attrs_post_init__(self):
# () -> None
"""Determine if any actions should ever be taken with this configuration and record that for reference."""
for attribute in ReservedAttributes:
if attribute.value in self.attribute_actions:
raise ValueError('No override behavior can be set for reserved attribute "{}"'.format(attribute.value))
# Enums are not hashable, but their names are unique
_unique_actions = {self.default_action.name}
_unique_actions.update({action.name for action in self.attribute_actions.values()})
no_actions = _unique_actions == {CryptoAction.DO_NOTHING.name}
self.take_no_actions = no_actions # attrs confuses pylint: disable=attribute-defined-outside-init

@lavaleri lavaleri added the bug label Jul 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lavaleri