chore: add migration examples (#2057)

Author: rishav-karanjit

.github/workflows/ci_examples_java.yml

@@ -108,3 +108,4 @@ jobs:
           # Run migration examples
           gradle -p runtimes/java/Migration/PlaintextToAWSDBE test
           gradle -p runtimes/java/Migration/DDBECToAWSDBE test
+          gradle -p runtimes/java/Migration/DDBECv2ToAWSDBE test

DynamoDbEncryption/runtimes/java/src/main/sdkv2/software/amazon/cryptools/dynamodbencryptionclientsdk2/encryption/providers/DirectKmsMaterialsProvider.java

@@ -109,13 +109,24 @@ public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
         final String providedEncAlg = materialDescription.get(CONTENT_KEY_ALGORITHM);
         final String providedSigAlg = materialDescription.get(SIGNING_KEY_ALGORITHM);
 
+        final String envelopeKey = materialDescription.get(ENVELOPE_KEY);
+
+        // DDBEC with SDK v1 does not do this check and returns NPE
+        // DDBEC with SDK v2 does not return NPE but return DynamoDbEncryptionException
+        if (envelopeKey == null) {
+            throw new DynamoDbEncryptionException(
+                "Missing " + ENVELOPE_KEY + " in material description. " +
+                "This item may have been encrypted with a different encryption format."
+            );
+        }
+
         ec.put("*" + CONTENT_KEY_ALGORITHM + "*", providedEncAlg);
         ec.put("*" + SIGNING_KEY_ALGORITHM + "*", providedSigAlg);
 
         populateKmsEcFromEc(context, ec);
 
         DecryptRequest.Builder request = DecryptRequest.builder();
-        request.ciphertextBlob(SdkBytes.fromByteArray(Base64.decode(materialDescription.get(ENVELOPE_KEY))));
+        request.ciphertextBlob(SdkBytes.fromByteArray(Base64.decode(envelopeKey)));
         request.encryptionContext(ec);
         final DecryptResponse decryptResponse = decrypt(request.build(), context);
         validateEncryptionKeyId(decryptResponse.keyId(), context);

Examples/runtimes/java/Migration/DDBECToAWSDBE/src/main/java/software/amazon/cryptography/examples/migration/awsdbe/MigrationExampleStep3.java

@@ -63,7 +63,7 @@ public static void MigrationStep3(
 
     final List<String> allowedUnsignedAttributes = Arrays.asList("attribute3");
 
-    // 3. Create the DynamoDb Encryption Interceptor with the above configuration.
+    // 2. Create the DynamoDb Encryption Interceptor with the above configuration.
     //    Do not configure any legacy behavior.
     final Map<String, DynamoDbEnhancedTableEncryptionConfig> tableConfigs =
       new HashMap<>();
@@ -85,7 +85,7 @@ public static void MigrationStep3(
           .build()
       );
 
-    // 4. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
+    // 3. Create a new AWS SDK DynamoDb client using the DynamoDb Encryption Interceptor above
     final DynamoDbClient ddb = DynamoDbClient
       .builder()
       .overrideConfiguration(
@@ -96,7 +96,7 @@ public static void MigrationStep3(
       )
       .build();
 
-    // 5. Create the DynamoDbEnhancedClient using the AWS SDK Client created above,
+    // 4. Create the DynamoDbEnhancedClient using the AWS SDK Client created above,
     //    and create a Table with your modelled class
     final DynamoDbEnhancedClient enhancedClient = DynamoDbEnhancedClient
       .builder()
@@ -107,7 +107,7 @@ public static void MigrationStep3(
       schemaOnEncrypt
     );
 
-    // 6. Put an item into your table using the DynamoDb Enhanced Client.
+    // 5. Put an item into your table using the DynamoDb Enhanced Client.
     //    This item will be encrypted in the latest format, using the
     //    configuration from your modelled class to decide
     //    which attribute to encrypt and/or sign.
@@ -120,7 +120,7 @@ public static void MigrationStep3(
 
     table.putItem(item);
 
-    // 7. Get an item back from the table using the DynamoDb Enhanced Client.
+    // 6. Get an item back from the table using the DynamoDb Enhanced Client.
     //    If this is an item written in the old format (e.g. any item written
     //    during Step 0 or 1), then we fail to return the item.
     //    If this is an item written in the new format (e.g. any item written

Examples/runtimes/java/Migration/DDBECv2ToAWSDBE/.gitattributes

@@ -0,0 +1,9 @@
+#
+# https://help.github.com/articles/dealing-with-line-endings/
+#
+# Linux start script should use lf
+/gradlew        text eol=lf
+
+# These are Windows script files and should use crlf
+*.bat           text eol=crlf
+

Examples/runtimes/java/Migration/DDBECv2ToAWSDBE/.gitignore

@@ -0,0 +1,5 @@
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build

Examples/runtimes/java/Migration/DDBECv2ToAWSDBE/build.gradle.kts

@@ -0,0 +1,121 @@
+import java.io.File
+import java.io.FileInputStream
+import java.util.Properties
+import java.net.URI
+import javax.annotation.Nullable
+import org.gradle.api.tasks.testing.logging.TestExceptionFormat
+import org.gradle.api.tasks.testing.logging.TestLogEvent
+
+plugins {
+    `java`
+    `java-library`
+}
+
+var props = Properties().apply {
+    load(FileInputStream(File(rootProject.rootDir, "../../../../../project.properties")))
+}
+
+group = "software.amazon.cryptography"
+version = "1.0-SNAPSHOT"
+description = "AWSDatabaseEncryptionSDKMigrationExamples"
+
+var mplVersion = props.getProperty("mplDependencyJavaVersion")
+var ddbecVersion = props.getProperty("projectJavaVersion")
+
+java {
+    toolchain.languageVersion.set(JavaLanguageVersion.of(8))
+    sourceSets["main"].java {
+        srcDir("src/main/java")
+    }
+    sourceSets["test"].java {
+        srcDir("src/test/java")
+    }
+}
+
+var caUrl: URI? = null
+@Nullable
+val caUrlStr: String? = System.getenv("CODEARTIFACT_REPO_URL")
+if (!caUrlStr.isNullOrBlank()) {
+    caUrl = URI.create(caUrlStr)
+}
+
+var caPassword: String? = null
+@Nullable
+val caPasswordString: String? = System.getenv("CODEARTIFACT_TOKEN")
+if (!caPasswordString.isNullOrBlank()) {
+    caPassword = caPasswordString
+}
+
+repositories {
+    mavenLocal()
+    maven {
+        name = "DynamoDB Local Release Repository - US West (Oregon) Region"
+        url  = URI.create("https://s3-us-west-2.amazonaws.com/dynamodb-local/release")
+    }
+    mavenCentral()
+    if (caUrl != null && caPassword != null) {
+        maven {
+            name = "CodeArtifact"
+            url = caUrl!!
+            credentials {
+                username = "aws"
+                password = caPassword!!
+            }
+        }
+    }
+}
+
+dependencies {
+    implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:${ddbecVersion}")
+    implementation("software.amazon.cryptography:aws-cryptographic-material-providers:${mplVersion}")
+
+    implementation(platform("software.amazon.awssdk:bom:2.19.1"))
+    implementation("software.amazon.awssdk:dynamodb")
+    implementation("software.amazon.awssdk:dynamodb-enhanced")
+    implementation("software.amazon.awssdk:kms")
+
+    // https://mvnrepository.com/artifact/org.testng/testng
+    testImplementation("org.testng:testng:7.5")
+}
+
+tasks.withType<JavaCompile>() {
+    options.encoding = "UTF-8"
+}
+
+tasks.test {
+    useTestNG()
+
+    // This will show System.out.println statements
+    testLogging.showStandardStreams = true
+
+    testLogging {
+        lifecycle {
+            events = mutableSetOf(TestLogEvent.FAILED, TestLogEvent.PASSED, TestLogEvent.SKIPPED)
+            exceptionFormat = TestExceptionFormat.FULL
+            showExceptions = true
+            showCauses = true
+            showStackTraces = true
+            showStandardStreams = true
+        }
+        info.events = lifecycle.events
+        info.exceptionFormat = lifecycle.exceptionFormat
+    }
+
+    // See https://github.com/gradle/kotlin-dsl/issues/836
+    addTestListener(object : TestListener {
+        override fun beforeSuite(suite: TestDescriptor) {}
+        override fun beforeTest(testDescriptor: TestDescriptor) {}
+        override fun afterTest(testDescriptor: TestDescriptor, result: TestResult) {}
+
+        override fun afterSuite(suite: TestDescriptor, result: TestResult) {
+            if (suite.parent == null) { // root suite
+                logger.lifecycle("----")
+                logger.lifecycle("Test result: ${result.resultType}")
+                logger.lifecycle("Test summary: ${result.testCount} tests, " +
+                        "${result.successfulTestCount} succeeded, " +
+                        "${result.failedTestCount} failed, " +
+                        "${result.skippedTestCount} skipped")
+            }
+        }
+    })
+}

Examples/runtimes/java/Migration/DDBECv2ToAWSDBE/gradle/wrapper/gradle-wrapper.jar

@@ -0,0 +1,6 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+networkTimeout=10000
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists