sync

Lucas McDonald · Lucas McDonald · commit e9f917bf0651 · 2025-05-16T11:59:33.000-07:00
diff --git a/DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/encrypted/client.py b/DynamoDbEncryption/runtimes/python/src/aws_dbesdk_dynamodb/encrypted/client.py
@@ -69,12 +69,14 @@ class EncryptedClient(EncryptedBotoInterface):
         * ``transact_write_items``
         * ``delete_item``
 
+    Any calls to ``update_item`` can only update unsigned attributes. If an attribute to be updated is marked as signed,
+    this operation will raise a ``DynamoDbEncryptionTransformsException``.
+
     The following operations are not supported and will raise DynamoDbEncryptionTransformsException:
 
         * ``execute_statement``
         * ``execute_transaction``
         * ``batch_execute_statement``
-        * ``update_item``
 
     Any other operations on this class will defer to the underlying boto3 DynamoDB client's implementation.
 
@@ -383,6 +385,70 @@ def delete_item(self, **kwargs):
             output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.delete_item_response,
         )
 
+    def update_item(self, **kwargs):
+        """
+        Update an unsigned attribute in an item on a table.
+
+        If the attribute is signed, this operation will raise DynamoDbEncryptionTransformsException.
+
+        The input and output syntaxes match those for the boto3 DynamoDB client ``update_item`` API:
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb/client/update_item.html
+
+        Args:
+            **kwargs: Keyword arguments to pass to the operation. This matches the boto3 client ``update_item``
+                request syntax.
+
+        Returns:
+            dict: The response from DynamoDB. This matches the boto3 client ``update_item`` response syntax.
+
+        Raises:
+            DynamoDbEncryptionTransformsException: If an attribute specified in the ``UpdateExpression`` is signed.
+
+        """
+        return self._client_operation_logic(
+            operation_input=kwargs,
+            input_item_to_ddb_transform_method=self._resource_to_client_shape_converter.update_item_request,
+            input_item_to_dict_transform_method=self._client_to_resource_shape_converter.update_item_request,
+            input_transform_method=self._transformer.update_item_input_transform,
+            input_transform_shape=UpdateItemInputTransformInput,
+            output_transform_method=self._transformer.update_item_output_transform,
+            output_transform_shape=UpdateItemOutputTransformInput,
+            client_method=self._client.update_item,
+            output_item_to_dict_transform_method=self._client_to_resource_shape_converter.update_item_response,
+            output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.update_item_response,
+        )
+
+    def get_paginator(self, operation_name: str) -> EncryptedPaginator | botocore.client.Paginator:
+        """
+        Get a paginator from the underlying client.
+
+        If the paginator requested is for  "scan" or "query", the paginator returned will
+        transparently decrypt the returned items.
+
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#paginators
+
+        Args:
+            operation_name (str): Name of operation for which to get paginator
+
+        Returns:
+            EncryptedPaginator | botocore.client.Paginator: An EncryptedPaginator that will transparently decrypt items
+            for ``scan``/``query`` operations; for other operations, the standard paginator.
+
+        """
+        paginator = self._client.get_paginator(operation_name)
+
+        if operation_name in ("scan", "query"):
+            return EncryptedPaginator(
+                paginator=paginator,
+                encryption_config=self._encryption_config,
+                expect_standard_dictionaries=self._expect_standard_dictionaries,
+            )
+        else:
+            # The paginator can still be used for list_backups, list_tables, and list_tags_of_resource,
+            # but there is nothing to encrypt/decrypt in these operations.
+            return paginator
+
     def execute_statement(self, **kwargs):
         """
         Not implemented. Raises DynamoDbEncryptionTransformsException.
@@ -431,30 +497,6 @@ def execute_transaction(self, **kwargs):
             output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.execute_transaction_response,
         )
 
-    def update_item(self, **kwargs):
-        """
-        Not implemented. Raises DynamoDbEncryptionTransformsException.
-
-        Args:
-            **kwargs: Any arguments passed to this method
-
-        Raises:
-            DynamoDbEncryptionTransformsException: This operation is not supported on encrypted tables.
-
-        """
-        return self._client_operation_logic(
-            operation_input=kwargs,
-            input_item_to_ddb_transform_method=self._resource_to_client_shape_converter.update_item_request,
-            input_item_to_dict_transform_method=self._client_to_resource_shape_converter.update_item_request,
-            input_transform_method=self._transformer.update_item_input_transform,
-            input_transform_shape=UpdateItemInputTransformInput,
-            output_transform_method=self._transformer.update_item_output_transform,
-            output_transform_shape=UpdateItemOutputTransformInput,
-            client_method=self._client.update_item,
-            output_item_to_dict_transform_method=self._client_to_resource_shape_converter.update_item_response,
-            output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.update_item_response,
-        )
-
     def batch_execute_statement(self, **kwargs):
         """
         Not implemented. Raises DynamoDbEncryptionTransformsException.
@@ -479,36 +521,6 @@ def batch_execute_statement(self, **kwargs):
             output_item_to_ddb_transform_method=self._resource_to_client_shape_converter.batch_execute_statement_response,
         )
 
-    def get_paginator(self, operation_name: str) -> EncryptedPaginator | botocore.client.Paginator:
-        """
-        Get a paginator from the underlying client.
-
-        If the paginator requested is for  "scan" or "query", the paginator returned will
-        transparently decrypt the returned items.
-
-        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html#paginators
-
-        Args:
-            operation_name (str): Name of operation for which to get paginator
-
-        Returns:
-            EncryptedPaginator | botocore.client.Paginator: An EncryptedPaginator that will transparently decrypt items
-            for ``scan``/``query`` operations; for other operations, the standard paginator.
-
-        """
-        paginator = self._client.get_paginator(operation_name)
-
-        if operation_name in ("scan", "query"):
-            return EncryptedPaginator(
-                paginator=paginator,
-                encryption_config=self._encryption_config,
-                expect_standard_dictionaries=self._expect_standard_dictionaries,
-            )
-        else:
-            # The paginator can still be used for list_backups, list_tables, and list_tags_of_resource,
-            # but there is nothing to encrypt/decrypt in these operations.
-            return paginator
-
     def _client_operation_logic(
         self,
         *,
diff --git a/DynamoDbEncryption/runtimes/python/test/integ/encrypted/test_client.py b/DynamoDbEncryption/runtimes/python/test/integ/encrypted/test_client.py
@@ -24,6 +24,7 @@
     simple_key_dict,
 )
 from ...requests import (
+    basic_batch_execute_statement_request,
     basic_batch_get_item_request_ddb,
     basic_batch_get_item_request_dict,
     basic_batch_write_item_delete_request_ddb,
@@ -32,6 +33,8 @@
     basic_batch_write_item_put_request_dict,
     basic_delete_item_request_ddb,
     basic_delete_item_request_dict,
+    basic_execute_statement_request,
+    basic_execute_transaction_request,
     basic_get_item_request_ddb,
     basic_get_item_request_dict,
     basic_put_item_request_ddb,
@@ -46,11 +49,10 @@
     basic_transact_write_item_delete_request_dict,
     basic_transact_write_item_put_request_ddb,
     basic_transact_write_item_put_request_dict,
-    basic_update_item_request_ddb,
-    basic_update_item_request_dict,
-    basic_execute_statement_request,
-    basic_execute_transaction_request,
-    basic_batch_execute_statement_request,
+    basic_update_item_request_ddb_signed_attribute,
+    basic_update_item_request_ddb_unsigned_attribute,
+    basic_update_item_request_dict_signed_attribute,
+    basic_update_item_request_dict_unsigned_attribute,
 )
 from . import sort_dynamodb_json_lists
 
@@ -381,14 +383,39 @@ def test_GIVEN_valid_transact_write_and_get_requests_WHEN_transact_write_and_get
 
 
 @pytest.fixture
-def update_item_request(expect_standard_dictionaries, test_item):
+def update_item_request_unsigned_attribute(expect_standard_dictionaries, test_item):
     if expect_standard_dictionaries:
-        return {**basic_update_item_request_dict(test_item), "TableName": INTEG_TEST_DEFAULT_DYNAMODB_TABLE_NAME}
-    return basic_update_item_request_ddb(test_item)
+        return {
+            **basic_update_item_request_dict_unsigned_attribute(test_item),
+            "TableName": INTEG_TEST_DEFAULT_DYNAMODB_TABLE_NAME,
+        }
+    return basic_update_item_request_ddb_unsigned_attribute(test_item)
 
 
-def test_WHEN_update_item_THEN_raises_DynamoDbEncryptionTransformsException(
-    client, update_item_request, encrypted,
+def test_WHEN_update_item_with_unsigned_attribute_THEN_passes(
+    client, update_item_request_unsigned_attribute, encrypted, get_item_request
+):
+    # Given: Valid update_item request
+    # When: update_item
+    update_response = client.update_item(**update_item_request_unsigned_attribute)
+    # Then: update_item succeeds
+    assert update_response["ResponseMetadata"]["HTTPStatusCode"] == 200
+
+
+@pytest.fixture
+def update_item_request_signed_attribute(expect_standard_dictionaries, test_item):
+    if expect_standard_dictionaries:
+        return {
+            **basic_update_item_request_dict_signed_attribute(test_item),
+            "TableName": INTEG_TEST_DEFAULT_DYNAMODB_TABLE_NAME,
+        }
+    return basic_update_item_request_ddb_signed_attribute(test_item)
+
+
+def test_WHEN_update_item_with_signed_attribute_THEN_raises_DynamoDbEncryptionTransformsException(
+    client,
+    update_item_request_signed_attribute,
+    encrypted,
 ):
     """Test that update_item raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
@@ -398,9 +425,7 @@ def test_WHEN_update_item_THEN_raises_DynamoDbEncryptionTransformsException(
     # Then: DynamoDbEncryptionTransformsException is raised
     with pytest.raises(DynamoDbEncryptionTransformsException):
         # When: Calling update_item
-        client.update_item(
-            **update_item_request
-        )
+        client.update_item(**update_item_request_signed_attribute)
 
 
 @pytest.fixture
@@ -409,7 +434,9 @@ def execute_statement_request():
 
 
 def test_WHEN_execute_statement_THEN_raises_DynamoDbEncryptionTransformsException(
-    client, execute_statement_request, encrypted,
+    client,
+    execute_statement_request,
+    encrypted,
 ):
     """Test that execute_statement raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
@@ -419,9 +446,7 @@ def test_WHEN_execute_statement_THEN_raises_DynamoDbEncryptionTransformsExceptio
     # Then: DynamoDbEncryptionTransformsException is raised
     with pytest.raises(DynamoDbEncryptionTransformsException):
         # When: Calling update_item
-        client.execute_statement(
-            **execute_statement_request
-        )
+        client.execute_statement(**execute_statement_request)
 
 
 @pytest.fixture
@@ -430,7 +455,9 @@ def execute_transaction_request():
 
 
 def test_WHEN_execute_transaction_THEN_raises_DynamoDbEncryptionTransformsException(
-    client, execute_transaction_request, encrypted,
+    client,
+    execute_transaction_request,
+    encrypted,
 ):
     """Test that execute_transaction raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
@@ -440,9 +467,7 @@ def test_WHEN_execute_transaction_THEN_raises_DynamoDbEncryptionTransformsExcept
     # Then: DynamoDbEncryptionTransformsException is raised
     with pytest.raises(DynamoDbEncryptionTransformsException):
         # When: Calling update_item
-        client.execute_transaction(
-            **execute_transaction_request
-        )
+        client.execute_transaction(**execute_transaction_request)
 
 
 @pytest.fixture
@@ -451,7 +476,9 @@ def batch_execute_statement_request():
 
 
 def test_WHEN_batch_execute_statement_THEN_raises_DynamoDbEncryptionTransformsException(
-    client, batch_execute_statement_request, encrypted,
+    client,
+    batch_execute_statement_request,
+    encrypted,
 ):
     """Test that batch_execute_statement raises DynamoDbEncryptionTransformsException."""
     if not encrypted:
@@ -461,9 +488,7 @@ def test_WHEN_batch_execute_statement_THEN_raises_DynamoDbEncryptionTransformsEx
     # Then: DynamoDbEncryptionTransformsException is raised
     with pytest.raises(DynamoDbEncryptionTransformsException):
         # When: Calling update_item
-        client.batch_execute_statement(
-            **batch_execute_statement_request
-        )
+        client.batch_execute_statement(**batch_execute_statement_request)
 
 
 def test_WHEN_get_paginator_THEN_correct_paginator_is_returned():
