sync

Lucas McDonald · Lucas McDonald · commit 5df5f9c03582 · 2025-05-16T13:42:53.000-07:00
diff --git a/DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/encrypted/client.py b/DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/encrypted/client.py
@@ -419,45 +419,25 @@ def update_item(self, **kwargs):
             output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.update_item_response,
         )
 
-    def get_paginator(self, operation_name: str) -> EncryptedPaginator | botocore.client.Paginator:
+    def execute_statement(self, **kwargs):
         """
-        Get a paginator from the underlying client.
+        Calls ``execute_statement`` on the underlying client if the table is not configured for encryption.
 
-        If the paginator requested is for  "scan" or "query", the paginator returned will
-        transparently decrypt the returned items.
+        If the table is configured for encryption, this operation will raise DynamoDbEncryptionTransformsException.
 
-        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#paginators
+        The input and output syntaxes match those for the boto3 DynamoDB client ``execute_statement`` API:
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/execute_statement.html
 
         Args:
-            operation_name (str): Name of operation for which to get paginator
+            **kwargs: Keyword arguments to pass to the operation. This matches the boto3 client ``execute_statement``
+                request syntax.
 
         Returns:
-            EncryptedPaginator | botocore.client.Paginator: An EncryptedPaginator that will transparently decrypt items
-            for ``scan``/``query`` operations; for other operations, the standard paginator.
-
-        """
-        paginator = self._client.get_paginator(operation_name)
-
-        if operation_name in ("scan", "query"):
-            return EncryptedPaginator(
-                paginator=paginator,
-                encryption_config=self._encryption_config,
-                expect_standard_dictionaries=self._expect_standard_dictionaries,
-            )
-        else:
-            # The paginator can still be used for list_backups, list_tables, and list_tags_of_resource,
-            # but there is nothing to encrypt/decrypt in these operations.
-            return paginator
-
-    def execute_statement(self, **kwargs):
-        """
-        Not implemented. Raises DynamoDbEncryptionTransformsException.
-
-        Args:
-            **kwargs: Any arguments passed to this method
+            dict: The response from DynamoDB. This matches the boto3 client ``execute_statement`` response syntax.
 
         Raises:
-            DynamoDbEncryptionTransformsException: This operation is not supported on encrypted tables.
+            DynamoDbEncryptionTransformsException: If this operation is called for an encrypted table.
 
         """
         return self._client_operation_logic(
@@ -475,13 +455,23 @@ def execute_statement(self, **kwargs):
 
     def execute_transaction(self, **kwargs):
         """
-        Not implemented. Raises DynamoDbEncryptionTransformsException.
+        Calls ``execute_transaction`` on the underlying client if the table is not configured for encryption.
+
+        If the table is configured for encryption, this operation will raise DynamoDbEncryptionTransformsException.
+
+        The input and output syntaxes match those for the boto3 DynamoDB client ``execute_transaction`` API:
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/execute_transaction.html
 
         Args:
-            **kwargs: Any arguments passed to this method
+            **kwargs: Keyword arguments to pass to the operation. This matches the boto3 client ``execute_transaction``
+                request syntax.
+
+        Returns:
+            dict: The response from DynamoDB. This matches the boto3 client ``execute_transaction`` response syntax.
 
         Raises:
-            DynamoDbEncryptionTransformsException: This operation is not supported on encrypted tables.
+            DynamoDbEncryptionTransformsException: If this operation is called for an encrypted table.
 
         """
         return self._client_operation_logic(
@@ -499,13 +489,23 @@ def execute_transaction(self, **kwargs):
 
     def batch_execute_statement(self, **kwargs):
         """
-        Not implemented. Raises DynamoDbEncryptionTransformsException.
+        Calls ``batch_execute_statement`` on the underlying client if the table is not configured for encryption.
+
+        If the table is configured for encryption, this operation will raise DynamoDbEncryptionTransformsException.
+
+        The input and output syntaxes match those for the boto3 DynamoDB client ``batch_execute_statement`` API:
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/batch_execute_statement.html
 
         Args:
-            **kwargs: Any arguments passed to this method
+            **kwargs: Keyword arguments to pass to the operation. This matches the boto3 client ``batch_execute_statement``
+                request syntax.
+
+        Returns:
+            dict: The response from DynamoDB. This matches the boto3 client ``batch_execute_statement`` response syntax.
 
         Raises:
-            DynamoDbEncryptionTransformsException: This operation is not supported on encrypted tables.
+            DynamoDbEncryptionTransformsException: If this operation is called for an encrypted table.
 
         """
         return self._client_operation_logic(
@@ -521,6 +521,36 @@ def batch_execute_statement(self, **kwargs):
             output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.batch_execute_statement_response,
         )
 
+    def get_paginator(self, operation_name: str) -> EncryptedPaginator | botocore.client.Paginator:
+        """
+        Get a paginator from the underlying client.
+
+        If the paginator requested is for  "scan" or "query", the paginator returned will
+        transparently decrypt the returned items.
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#paginators
+
+        Args:
+            operation_name (str): Name of operation for which to get paginator
+
+        Returns:
+            EncryptedPaginator | botocore.client.Paginator: An EncryptedPaginator that will transparently decrypt items
+            for ``scan``/``query`` operations; for other operations, the standard paginator.
+
+        """
+        paginator = self._client.get_paginator(operation_name)
+
+        if operation_name in ("scan", "query"):
+            return EncryptedPaginator(
+                paginator=paginator,
+                encryption_config=self._encryption_config,
+                expect_standard_dictionaries=self._expect_standard_dictionaries,
+            )
+        else:
+            # The paginator can still be used for list_backups, list_tables, and list_tags_of_resource,
+            # but there is nothing to encrypt/decrypt in these operations.
+            return paginator
+
     def _client_operation_logic(
         self,
         *,
diff --git a/DynamoDbEncryption/runtimes/python/test/integ/encrypted/test_client.py b/DynamoDbEncryption/runtimes/python/test/integ/encrypted/test_client.py
@@ -24,7 +24,6 @@
     simple_key_dict,
 )
 from ...requests import (
-    basic_batch_execute_statement_request,
     basic_batch_get_item_request_ddb,
     basic_batch_get_item_request_dict,
     basic_batch_write_item_delete_request_ddb,
@@ -33,8 +32,12 @@
     basic_batch_write_item_put_request_dict,
     basic_delete_item_request_ddb,
     basic_delete_item_request_dict,
-    basic_execute_statement_request,
-    basic_execute_transaction_request,
+    basic_execute_statement_request_encrypted_table,
+    basic_execute_statement_request_plaintext_table,
+    basic_execute_transaction_request_encrypted_table,
+    basic_execute_transaction_request_plaintext_table,
+    basic_batch_execute_statement_request_encrypted_table,
+    basic_batch_execute_statement_request_plaintext_table,
     basic_get_item_request_ddb,
     basic_get_item_request_dict,
     basic_put_item_request_ddb,
@@ -428,68 +431,129 @@ def test_WHEN_update_item_with_signed_attribute_THEN_raises_DynamoDbEncryptionTr
         client.update_item(**update_item_request_signed_attribute)
 
 
+@pytest.fixture(params=[True, False], ids=["encrypted_table", "plaintext_table"])
+def execute_uses_encrypted_table(request):
+    return request.param
+
 @pytest.fixture
-def execute_statement_request():
-    return basic_execute_statement_request()
+def execute_statement_request(execute_uses_encrypted_table):
+    if execute_uses_encrypted_table:
+        return basic_execute_statement_request_encrypted_table()
+    return basic_execute_statement_request_plaintext_table()
 
 
-def test_WHEN_execute_statement_THEN_raises_DynamoDbEncryptionTransformsException(
+def test_WHEN_execute_statement_for_encrypted_table_THEN_raises_DynamoDbEncryptionTransformsException(
     client,
     execute_statement_request,
     encrypted,
+    execute_uses_encrypted_table,
 ):
     """Test that execute_statement raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
         pytest.skip("Skipping negative test for plaintext client")
 
-    # Given: Encrypted client and update item parameters
-    # Then: DynamoDbEncryptionTransformsException is raised
-    with pytest.raises(DynamoDbEncryptionTransformsException):
-        # When: Calling update_item
-        client.execute_statement(**execute_statement_request)
+    if execute_uses_encrypted_table:
+        # Given: Encrypted client and execute_statement request on encrypted table
+        # Then: DynamoDbEncryptionTransformsException is raised
+        with pytest.raises(DynamoDbEncryptionTransformsException):
+            # When: Calling execute_statement
+            client.execute_statement(**execute_statement_request)
+    else:
+        pytest.skip("Skipping test for plaintext table; this test is only for encrypted tables")
+
+def test_WHEN_execute_statement_for_plaintext_table_THEN_passes(
+    client,
+    execute_statement_request,
+    execute_uses_encrypted_table,
+):
+    if execute_uses_encrypted_table:
+        pytest.skip("Skipping test for encrypted table; this test is only for plaintext tables")
 
+    # Given: Client calls execute_statement on plaintext table
+    # When: Calling execute_statement
+    response = client.execute_statement(**execute_statement_request)
+    # Then: Success
+    assert response["ResponseMetadata"]["HTTPStatusCode"] == 200
 
 @pytest.fixture
-def execute_transaction_request():
-    return basic_execute_transaction_request()
+def execute_transaction_request(execute_uses_encrypted_table):
+    if execute_uses_encrypted_table:
+        return basic_execute_transaction_request_encrypted_table()
+    return basic_execute_transaction_request_plaintext_table()
 
 
-def test_WHEN_execute_transaction_THEN_raises_DynamoDbEncryptionTransformsException(
+def test_WHEN_execute_transaction_for_encrypted_table_THEN_raises_DynamoDbEncryptionTransformsException(
     client,
     execute_transaction_request,
     encrypted,
+    execute_uses_encrypted_table,
 ):
     """Test that execute_transaction raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
         pytest.skip("Skipping negative test for plaintext client")
+    
+    if execute_uses_encrypted_table:
+        # Given: Encrypted client and execute_transaction request on encrypted table
+        # Then: DynamoDbEncryptionTransformsException is raised
+        with pytest.raises(DynamoDbEncryptionTransformsException):
+            # When: Calling execute_transaction
+            client.execute_transaction(**execute_transaction_request)
+    else:
+        pytest.skip("Skipping test for plaintext table; this test is only for encrypted tables")
 
-    # Given: Encrypted client and update item parameters
-    # Then: DynamoDbEncryptionTransformsException is raised
-    with pytest.raises(DynamoDbEncryptionTransformsException):
-        # When: Calling update_item
-        client.execute_transaction(**execute_transaction_request)
+def test_WHEN_execute_transaction_for_plaintext_table_THEN_passes(
+    client,
+    execute_transaction_request,
+    execute_uses_encrypted_table,
+):
+    if execute_uses_encrypted_table:
+        pytest.skip("Skipping test for encrypted table; this test is only for plaintext tables")
 
+    # Given: Client calls execute_transaction on plaintext table
+    # When: Calling execute_transaction
+    response = client.execute_transaction(**execute_transaction_request)
+    # Then: Success
+    assert response["ResponseMetadata"]["HTTPStatusCode"] == 200
 
 @pytest.fixture
-def batch_execute_statement_request():
-    return basic_batch_execute_statement_request()
+def batch_execute_statement_request(execute_uses_encrypted_table):
+    if execute_uses_encrypted_table:
+        return basic_batch_execute_statement_request_encrypted_table()
+    return basic_batch_execute_statement_request_plaintext_table()
 
 
-def test_WHEN_batch_execute_statement_THEN_raises_DynamoDbEncryptionTransformsException(
+def test_WHEN_batch_execute_statement_for_encrypted_table_THEN_raises_DynamoDbEncryptionTransformsException(
     client,
     batch_execute_statement_request,
     encrypted,
+    execute_uses_encrypted_table,
 ):
     """Test that batch_execute_statement raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
         pytest.skip("Skipping negative test for plaintext client")
 
-    # Given: Encrypted client and update item parameters
-    # Then: DynamoDbEncryptionTransformsException is raised
-    with pytest.raises(DynamoDbEncryptionTransformsException):
-        # When: Calling update_item
-        client.batch_execute_statement(**batch_execute_statement_request)
+    if execute_uses_encrypted_table:
+        # Given: Encrypted client and batch_execute_statement request on encrypted table
+        # Then: DynamoDbEncryptionTransformsException is raised
+        with pytest.raises(DynamoDbEncryptionTransformsException):
+            # When: Calling batch_execute_statement
+            client.batch_execute_statement(**batch_execute_statement_request)
+    else:
+        pytest.skip("Skipping test for plaintext table; this test is only for encrypted tables")
 
+def test_WHEN_batch_execute_statement_for_plaintext_table_THEN_passes(
+    client,
+    batch_execute_statement_request,
+    execute_uses_encrypted_table,
+):
+    if execute_uses_encrypted_table:
+        pytest.skip("Skipping test for encrypted table; this test is only for plaintext tables")
+
+    # Given: Client calls batch_execute_statement on plaintext table
+    # When: Calling batch_execute_statement
+    response = client.batch_execute_statement(**batch_execute_statement_request)
+    # Then: Success
+    assert response["ResponseMetadata"]["HTTPStatusCode"] == 200
 
 def test_WHEN_get_paginator_THEN_correct_paginator_is_returned():
     """Test get_paginator for scan and query operations."""
