Skip to content

Upgrading "Do Nothing" model to one with a single action fails to decrypt old items #177

New issue
New issue
Open
Open
Upgrading "Do Nothing" model to one with a single action fails to decrypt old items#177
Labels
bug
@lavaleri

Description

@lavaleri
lavaleri
opened on Jul 17, 2021

Problem:

According to our documentation it should always be possible to add new attributes to our model without issue: https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/data-model.html#add-attribute

However, if you start with data encrypted using

    actions = AttributeActions(
        default_action=CryptoAction.DO_NOTHING
    )

And update to using

    actions = AttributeActions(
        default_action=CryptoAction.DO_NOTHING, attribute_actions={"someNewField": CryptoAction.ENCRYPT_AND_SIGN}
    )

You run into issues. This is because data under the first model doesn't have a material description or signature written with it. Once the model is updated to include an action other than DO_NOTHING, it always expects there to be a material description and signature, even if the record it's attempting to decrypt doesn't include someNewField yet.

Solution:

We should probably update the logic here to also pass through if the item under decrypt specifically doesn't have attributes where encryption or signing is needed, even if the attributeActions includes an encrypt or sign action for a non-present field.

aws-dynamodb-encryption-python/src/dynamodb_encryption_sdk/encrypted/item.py

Lines 176 to 178 in 25c7c3d

if crypto_config.attribute_actions.take_no_actions:
# If we explicitly have been told not to do anything to this item, just copy it.
return item.copy()

aws-dynamodb-encryption-python/src/dynamodb_encryption_sdk/structures.py

Lines 137 to 148 in 25c7c3d

def __attrs_post_init__(self):
# () -> None
"""Determine if any actions should ever be taken with this configuration and record that for reference."""
for attribute in ReservedAttributes:
if attribute.value in self.attribute_actions:
raise ValueError('No override behavior can be set for reserved attribute "{}"'.format(attribute.value))
# Enums are not hashable, but their names are unique
_unique_actions = {self.default_action.name}
_unique_actions.update({action.name for action in self.attribute_actions.values()})
no_actions = _unique_actions == {CryptoAction.DO_NOTHING.name}
self.take_no_actions = no_actions # attrs confuses pylint: disable=attribute-defined-outside-init

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions