{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.KMS.Encrypt
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Encrypts plaintext into ciphertext by using a KMS key. The @Encrypt@
-- operation has two primary use cases:
--
-- -   You can encrypt small amounts of arbitrary data, such as a personal
--     identifier or database password, or other sensitive information.
--
-- -   You can use the @Encrypt@ operation to move encrypted data from one
--     Amazon Web Services Region to another. For example, in Region A,
--     generate a data key and use the plaintext key to encrypt your data.
--     Then, in Region A, use the @Encrypt@ operation to encrypt the
--     plaintext data key under a KMS key in Region B. Now, you can move
--     the encrypted data and the encrypted data key to Region B. When
--     necessary, you can decrypt the encrypted data key and the encrypted
--     data entirely within Region B.
--
-- You don\'t need to use the @Encrypt@ operation to encrypt a data key.
-- The GenerateDataKey and GenerateDataKeyPair operations return a
-- plaintext data key and an encrypted copy of that data key.
--
-- When you encrypt data, you must specify a symmetric or asymmetric KMS
-- key to use in the encryption operation. The KMS key must have a
-- @KeyUsage@ value of @ENCRYPT_DECRYPT@. To find the @KeyUsage@ of a KMS
-- key, use the DescribeKey operation.
--
-- If you use a symmetric KMS key, you can use an encryption context to add
-- additional security to your encryption operation. If you specify an
-- @EncryptionContext@ when encrypting data, you must specify the same
-- encryption context (a case-sensitive exact match) when decrypting the
-- data. Otherwise, the request to decrypt fails with an
-- @InvalidCiphertextException@. For more information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
-- in the /Key Management Service Developer Guide/.
--
-- If you specify an asymmetric KMS key, you must also specify the
-- encryption algorithm. The algorithm must be compatible with the KMS key
-- type.
--
-- When you use an asymmetric KMS key to encrypt or reencrypt data, be sure
-- to record the KMS key and encryption algorithm that you choose. You will
-- be required to provide the same KMS key and encryption algorithm when
-- you decrypt the data. If the KMS key and algorithm do not match the
-- values used to encrypt the data, the decrypt operation fails.
--
-- You are not required to supply the key ID and encryption algorithm when
-- you decrypt with symmetric KMS keys because KMS stores this information
-- in the ciphertext blob. KMS cannot store metadata in ciphertext
-- generated with asymmetric keys. The standard format for asymmetric key
-- ciphertext does not include configurable fields.
--
-- The maximum size of the data that you can encrypt varies with the type
-- of KMS key and the encryption algorithm that you choose.
--
-- -   Symmetric KMS keys
--
--     -   @SYMMETRIC_DEFAULT@: 4096 bytes
--
-- -   @RSA_2048@
--
--     -   @RSAES_OAEP_SHA_1@: 214 bytes
--
--     -   @RSAES_OAEP_SHA_256@: 190 bytes
--
-- -   @RSA_3072@
--
--     -   @RSAES_OAEP_SHA_1@: 342 bytes
--
--     -   @RSAES_OAEP_SHA_256@: 318 bytes
--
-- -   @RSA_4096@
--
--     -   @RSAES_OAEP_SHA_1@: 470 bytes
--
--     -   @RSAES_OAEP_SHA_256@: 446 bytes
--
-- The KMS key that you use for this operation must be in a compatible key
-- state. For details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html Key state: Effect on your KMS key>
-- in the /Key Management Service Developer Guide/.
--
-- __Cross-account use__: Yes. To perform this operation with a KMS key in
-- a different Amazon Web Services account, specify the key ARN or alias
-- ARN in the value of the @KeyId@ parameter.
--
-- __Required permissions__:
-- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:Encrypt>
-- (key policy)
--
-- __Related operations:__
--
-- -   Decrypt
--
-- -   GenerateDataKey
--
-- -   GenerateDataKeyPair
module Amazonka.KMS.Encrypt
  ( -- * Creating a Request
    Encrypt (..),
    newEncrypt,

    -- * Request Lenses
    encrypt_encryptionContext,
    encrypt_grantTokens,
    encrypt_encryptionAlgorithm,
    encrypt_keyId,
    encrypt_plaintext,

    -- * Destructuring the Response
    EncryptResponse (..),
    newEncryptResponse,

    -- * Response Lenses
    encryptResponse_keyId,
    encryptResponse_encryptionAlgorithm,
    encryptResponse_ciphertextBlob,
    encryptResponse_httpStatus,
  )
where

import qualified Amazonka.Core as Core
import Amazonka.KMS.Types
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

-- | /See:/ 'newEncrypt' smart constructor.
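data Encrypt = Encrypt'
  { -- | Specifies the encryption context that will be used to encrypt the data.
    -- An encryption context is valid only for
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations cryptographic operations>
    -- with a symmetric KMS key. The standard asymmetric encryption algorithms
    -- that KMS uses do not support an encryption context.
    --
    -- An /encryption context/ is a collection of non-secret key-value pairs
    -- that represents additional authenticated data. When you use an
    -- encryption context to encrypt data, you must specify the same (an exact
    -- case-sensitive match) encryption context to decrypt the data. An
    -- encryption context is optional when encrypting with a symmetric KMS key,
    -- but it is highly recommended.
    --
    -- Because the pairs are non-secret, keep confidential values out of the
    -- encryption context.
    --
    -- For more information, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
    -- in the /Key Management Service Developer Guide/.
    encryptionContext :: Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text),
    -- | A list of grant tokens.
    --
    -- Use a grant token when your permission to call this operation comes from
    -- a new grant that has not yet achieved /eventual consistency/. For more
    -- information, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
    -- and
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
    -- in the /Key Management Service Developer Guide/.
    grantTokens :: Prelude.Maybe [Prelude.Text],
    -- | Specifies the encryption algorithm that KMS will use to encrypt the
    -- plaintext message. The algorithm must be compatible with the KMS key
    -- that you specify.
    --
    -- This parameter is required only for asymmetric KMS keys. The default
    -- value, @SYMMETRIC_DEFAULT@, is the algorithm used for symmetric KMS
    -- keys. If you are using an asymmetric KMS key, we recommend
    -- RSAES_OAEP_SHA_256.
    encryptionAlgorithm :: Prelude.Maybe EncryptionAlgorithmSpec,
    -- | Identifies the KMS key to use in the encryption operation.
    --
    -- To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
    -- When using an alias name, prefix it with @\"alias\/\"@. To specify a KMS
    -- key in a different Amazon Web Services account, you must use the key ARN
    -- or alias ARN.
    --
    -- For example:
    --
    -- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Key ARN:
    --     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Alias name: @alias\/ExampleAlias@
    --
    -- -   Alias ARN: @arn:aws:kms:us-east-2:111122223333:alias\/ExampleAlias@
    --
    -- To get the key ID and key ARN for a KMS key, use ListKeys or
    -- DescribeKey. To get the alias name and alias ARN, use ListAliases.
    keyId :: Prelude.Text,
    -- NOTE(review): the plaintext is the only field wrapped in Core.Sensitive.
    -- Presumably that wrapper keeps the value out of the derived Show output;
    -- confirm against Amazonka.Core before relying on it for log hygiene.

    -- | Data to be encrypted.
    plaintext :: Core.Sensitive Core.Base64
  }
  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)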

-- |
-- Create a value of 'Encrypt' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'encryptionContext', 'encrypt_encryptionContext' - Specifies the encryption context that will be used to encrypt the data.
-- An encryption context is valid only for
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations cryptographic operations>
-- with a symmetric KMS key. The standard asymmetric encryption algorithms
-- that KMS uses do not support an encryption context.
--
-- An /encryption context/ is a collection of non-secret key-value pairs
-- that represents additional authenticated data. When you use an
-- encryption context to encrypt data, you must specify the same (an exact
-- case-sensitive match) encryption context to decrypt the data. An
-- encryption context is optional when encrypting with a symmetric KMS key,
-- but it is highly recommended.
--
-- For more information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
-- in the /Key Management Service Developer Guide/.
--
-- 'grantTokens', 'encrypt_grantTokens' - A list of grant tokens.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
--
-- 'encryptionAlgorithm', 'encrypt_encryptionAlgorithm' - Specifies the encryption algorithm that KMS will use to encrypt the
-- plaintext message. The algorithm must be compatible with the KMS key
-- that you specify.
--
-- This parameter is required only for asymmetric KMS keys. The default
-- value, @SYMMETRIC_DEFAULT@, is the algorithm used for symmetric KMS
-- keys. If you are using an asymmetric KMS key, we recommend
-- RSAES_OAEP_SHA_256.
--
-- 'keyId', 'encrypt_keyId' - Identifies the KMS key to use in the encryption operation.
--
-- To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
-- When using an alias name, prefix it with @\"alias\/\"@. To specify a KMS
-- key in a different Amazon Web Services account, you must use the key ARN
-- or alias ARN.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Alias name: @alias\/ExampleAlias@
--
-- -   Alias ARN: @arn:aws:kms:us-east-2:111122223333:alias\/ExampleAlias@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey. To get the alias name and alias ARN, use ListAliases.
--
-- 'plaintext', 'encrypt_plaintext' - Data to be encrypted.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- The underlying isomorphism will encode to Base64 representation during
-- serialisation, and decode from Base64 representation during deserialisation.
-- This 'Lens' accepts and returns only raw unencoded data.
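newEncrypt ::
  -- | 'keyId'
  Prelude.Text ->
  -- | 'plaintext'
  Prelude.ByteString ->
  Encrypt
newEncrypt pKeyId_ pPlaintext_ =
  Encrypt'
    { -- Every optional field starts unset. In particular no encryption
      -- context is attached; callers using a symmetric KMS key set one
      -- afterwards through 'encrypt_encryptionContext'.
      encryptionContext = Prelude.Nothing,
      grantTokens = Prelude.Nothing,
      encryptionAlgorithm = Prelude.Nothing,
      keyId = pKeyId_,
      -- Build the field from raw bytes by reviewing through the Base64 and
      -- Sensitive isos, so the record never holds a bare ByteString.
      plaintext =
        Core._Sensitive Prelude.. Core._Base64
          Lens.# pPlaintext_
    }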

-- | Specifies the encryption context that will be used to encrypt the data.
-- An encryption context is valid only for
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations cryptographic operations>
-- with a symmetric KMS key. The standard asymmetric encryption algorithms
-- that KMS uses do not support an encryption context.
--
-- An /encryption context/ is a collection of non-secret key-value pairs
-- that represents additional authenticated data. When you use an
-- encryption context to encrypt data, you must specify the same (an exact
-- case-sensitive match) encryption context to decrypt the data. An
-- encryption context is optional when encrypting with a symmetric KMS key,
-- but it is highly recommended.
--
-- For more information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
-- in the /Key Management Service Developer Guide/.
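encrypt_encryptionContext :: Lens.Lens' Encrypt (Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text))
-- Field lens composed with 'Lens.mapping' 'Lens.coerced', which maps a
-- coercion over the Maybe; here both sides are the same HashMap type.
encrypt_encryptionContext =
  Lens.lens
    (\Encrypt' {encryptionContext} -> encryptionContext)
    (\s@Encrypt' {} a -> s {encryptionContext = a} :: Encrypt)
    Prelude.. Lens.mapping Lens.coerced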

-- | A list of grant tokens.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
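encrypt_grantTokens :: Lens.Lens' Encrypt (Prelude.Maybe [Prelude.Text])
-- Field lens composed with 'Lens.mapping' 'Lens.coerced', which maps a
-- coercion over the Maybe; here both sides are the same list type.
encrypt_grantTokens =
  Lens.lens
    (\Encrypt' {grantTokens} -> grantTokens)
    (\s@Encrypt' {} a -> s {grantTokens = a} :: Encrypt)
    Prelude.. Lens.mapping Lens.coerced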

-- | Specifies the encryption algorithm that KMS will use to encrypt the
-- plaintext message. The algorithm must be compatible with the KMS key
-- that you specify.
--
-- This parameter is required only for asymmetric KMS keys. The default
-- value, @SYMMETRIC_DEFAULT@, is the algorithm used for symmetric KMS
-- keys. If you are using an asymmetric KMS key, we recommend
-- RSAES_OAEP_SHA_256.
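encrypt_encryptionAlgorithm :: Lens.Lens' Encrypt (Prelude.Maybe EncryptionAlgorithmSpec)
-- 'encryptionAlgorithm' is also a field of 'EncryptResponse'; the
-- @:: Encrypt@ annotation presumably pins the record update to this type
-- under DuplicateRecordFields.
encrypt_encryptionAlgorithm =
  Lens.lens
    (\Encrypt' {encryptionAlgorithm} -> encryptionAlgorithm)
    (\s@Encrypt' {} a -> s {encryptionAlgorithm = a} :: Encrypt)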

-- | Identifies the KMS key to use in the encryption operation.
--
-- To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
-- When using an alias name, prefix it with @\"alias\/\"@. To specify a KMS
-- key in a different Amazon Web Services account, you must use the key ARN
-- or alias ARN.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Alias name: @alias\/ExampleAlias@
--
-- -   Alias ARN: @arn:aws:kms:us-east-2:111122223333:alias\/ExampleAlias@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey. To get the alias name and alias ARN, use ListAliases.
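encrypt_keyId :: Lens.Lens' Encrypt Prelude.Text
-- 'keyId' is also a field of 'EncryptResponse'; the @:: Encrypt@ annotation
-- presumably pins the record update to this type under
-- DuplicateRecordFields.
encrypt_keyId =
  Lens.lens
    (\Encrypt' {keyId} -> keyId)
    (\s@Encrypt' {} a -> s {keyId = a} :: Encrypt)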

-- | Data to be encrypted.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- The underlying isomorphism will encode to Base64 representation during
-- serialisation, and decode from Base64 representation during deserialisation.
-- This 'Lens' accepts and returns only raw unencoded data.
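encrypt_plaintext :: Lens.Lens' Encrypt Prelude.ByteString
-- The field lens is composed with the Sensitive and Base64 isos, so this lens
-- focuses on the bare ByteString: anything read through it is no longer
-- wrapped in 'Core.Sensitive'.
encrypt_plaintext =
  Lens.lens
    (\Encrypt' {plaintext} -> plaintext)
    (\s@Encrypt' {} a -> s {plaintext = a} :: Encrypt)
    Prelude.. Core._Sensitive
    Prelude.. Core._Base64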

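-- Request/response wiring for the Encrypt operation: the request is sent
-- with 'Request.postJSON' and the reply is decoded from a JSON object.
instance Core.AWSRequest Encrypt where
  type AWSResponse Encrypt = EncryptResponse
  request = Request.postJSON defaultService
  response =
    Response.receiveJSON
      -- s: HTTP status, h: response headers (unused), x: parsed JSON body.
      -- All three body keys are read with '.?>', so a reply that omits
      -- "CiphertextBlob" still decodes, with that field as Nothing; callers
      -- must handle the missing case rather than assume a ciphertext.
      ( \s h x ->
          EncryptResponse'
            Prelude.<$> (x Core..?> "KeyId")
            Prelude.<*> (x Core..?> "EncryptionAlgorithm")
            Prelude.<*> (x Core..?> "CiphertextBlob")
            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
      )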

-- Empty instance body: the class's default method implementations are used
-- (presumably Generic-based, which would cover every field including the
-- plaintext -- confirm in Amazonka.Prelude).
instance Prelude.Hashable Encrypt

-- Empty instance body: the class's default method implementations are used.
instance Prelude.NFData Encrypt

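-- The headers are the same for every request ('Prelude.const' discards the
-- request value): the operation target and the JSON 1.1 content type.
instance Core.ToHeaders Encrypt where
  toHeaders =
    Prelude.const
      ( Prelude.mconcat
          [ "X-Amz-Target"
              Core.=# ("TrentService.Encrypt" :: Prelude.ByteString),
            "Content-Type"
              Core.=# ( "application/x-amz-json-1.1" ::
                          Prelude.ByteString
                      )
          ]
      )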

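-- Serialises the request body. Optional fields are emitted only when set
-- ('Prelude.catMaybes' drops the Nothing entries); "KeyId" and "Plaintext"
-- are always present.
--
-- The resulting JSON value carries the caller's plaintext under the
-- "Plaintext" key, so serialised request bodies should be kept out of logs
-- and traces.
instance Core.ToJSON Encrypt where
  toJSON Encrypt' {..} =
    Core.object
      ( Prelude.catMaybes
          [ ("EncryptionContext" Core..=)
              Prelude.<$> encryptionContext,
            ("GrantTokens" Core..=) Prelude.<$> grantTokens,
            ("EncryptionAlgorithm" Core..=)
              Prelude.<$> encryptionAlgorithm,
            Prelude.Just ("KeyId" Core..= keyId),
            Prelude.Just ("Plaintext" Core..= plaintext)
          ]
      )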

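-- Every Encrypt request uses the root path; the request value is ignored.
instance Core.ToPath Encrypt where
  toPath = Prelude.const "/"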

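-- Encrypt requests carry no query string: all parameters, the plaintext
-- included, travel in the JSON body instead.
instance Core.ToQuery Encrypt where
  toQuery = Prelude.const Prelude.mempty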

-- | /See:/ 'newEncryptResponse' smart constructor.
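data EncryptResponse = EncryptResponse'
  { -- | The Amazon Resource Name
    -- (<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN key ARN>)
    -- of the KMS key that was used to encrypt the plaintext.
    keyId :: Prelude.Maybe Prelude.Text,
    -- | The encryption algorithm that was used to encrypt the plaintext.
    --
    -- When an asymmetric KMS key was used, store this value and the key ARN
    -- alongside the ciphertext: both must be supplied again to decrypt.
    encryptionAlgorithm :: Prelude.Maybe EncryptionAlgorithmSpec,
    -- | The encrypted plaintext. When you use the HTTP API or the Amazon Web
    -- Services CLI, the value is Base64-encoded. Otherwise, it is not
    -- Base64-encoded.
    ciphertextBlob :: Prelude.Maybe Core.Base64,
    -- | The response's http status code.
    httpStatus :: Prelude.Int
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)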

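-- |
-- Create a value of 'EncryptResponse' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- Only 'httpStatus' is required. The other three fields start out as
-- 'Prelude.Nothing', so a value built here carries no ciphertext, key ARN
-- or algorithm until they are set.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'keyId', 'encryptResponse_keyId' - The Amazon Resource Name
-- (<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN key ARN>)
-- of the KMS key that was used to encrypt the plaintext.
--
-- 'encryptionAlgorithm', 'encryptResponse_encryptionAlgorithm' - The encryption algorithm that was used to encrypt the plaintext.
--
-- 'ciphertextBlob', 'encryptResponse_ciphertextBlob' - The encrypted plaintext. When you use the HTTP API or the Amazon Web
-- Services CLI, the value is Base64-encoded. Otherwise, it is not
-- Base64-encoded.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- The underlying isomorphism will encode to Base64 representation during
-- serialisation, and decode from Base64 representation during deserialisation.
-- This 'Lens' accepts and returns only raw unencoded data.
--
-- 'httpStatus', 'encryptResponse_httpStatus' - The response's http status code.
newEncryptResponse ::
  -- | 'httpStatus'
  Prelude.Int ->
  EncryptResponse
newEncryptResponse pHttpStatus_ =
  EncryptResponse'
    { keyId = Prelude.Nothing,
      encryptionAlgorithm = Prelude.Nothing,
      ciphertextBlob = Prelude.Nothing,
      httpStatus = pHttpStatus_
    }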

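-- | The Amazon Resource Name
-- (<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN key ARN>)
-- of the KMS key that was used to encrypt the plaintext.
--
-- The field is optional, so callers must handle 'Prelude.Nothing'. A caller
-- that cares which key protected the data can compare this ARN with the key
-- it intended to use.
encryptResponse_keyId :: Lens.Lens' EncryptResponse (Prelude.Maybe Prelude.Text)
encryptResponse_keyId =
  Lens.lens
    (\EncryptResponse' {keyId} -> keyId)
    -- The result annotation picks the record type for the update, since
    -- DuplicateRecordFields allows the same field name on other records.
    (\s@EncryptResponse' {} a -> s {keyId = a} :: EncryptResponse)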

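-- | The encryption algorithm that was used to encrypt the plaintext.
--
-- The field is optional, so callers must handle 'Prelude.Nothing'.
encryptResponse_encryptionAlgorithm :: Lens.Lens' EncryptResponse (Prelude.Maybe EncryptionAlgorithmSpec)
encryptResponse_encryptionAlgorithm =
  Lens.lens
    (\EncryptResponse' {encryptionAlgorithm} -> encryptionAlgorithm)
    -- The result annotation picks the record type for the update, since
    -- DuplicateRecordFields allows the same field name on other records.
    (\s@EncryptResponse' {} a -> s {encryptionAlgorithm = a} :: EncryptResponse)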

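-- | The encrypted plaintext. When you use the HTTP API or the Amazon Web
-- Services CLI, the value is Base64-encoded. Otherwise, it is not
-- Base64-encoded.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data.
-- The underlying isomorphism will encode to Base64 representation during
-- serialisation, and decode from Base64 representation during deserialisation.
-- This 'Lens' accepts and returns only raw unencoded data.
--
-- The record field itself holds a 'Core.Base64' wrapper; this lens exposes
-- the raw 'Prelude.ByteString' inside it. Do not Base64-decode a value read
-- through this lens a second time, and do not pre-encode a value written
-- through it.
encryptResponse_ciphertextBlob :: Lens.Lens' EncryptResponse (Prelude.Maybe Prelude.ByteString)
encryptResponse_ciphertextBlob =
  Lens.lens
    (\EncryptResponse' {ciphertextBlob} -> ciphertextBlob)
    (\s@EncryptResponse' {} a -> s {ciphertextBlob = a} :: EncryptResponse)
    -- 'Lens.mapping' lifts the Base64 <-> ByteString isomorphism over 'Maybe'.
    Prelude.. Lens.mapping Core._Base64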

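-- | The response's http status code.
--
-- Unlike the payload fields this is a plain 'Prelude.Int' and always
-- present. The payload fields are optional, so the status alone does not
-- show that 'ciphertextBlob' was populated.
encryptResponse_httpStatus :: Lens.Lens' EncryptResponse Prelude.Int
encryptResponse_httpStatus =
  Lens.lens
    (\EncryptResponse' {httpStatus} -> httpStatus)
    -- The result annotation picks the record type for the update, since
    -- DuplicateRecordFields allows the same field name on other records.
    (\s@EncryptResponse' {} a -> s {httpStatus = a} :: EncryptResponse)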

-- No methods are given, so the class defaults apply (presumably the
-- Generic-based default; 'EncryptResponse' derives 'Prelude.Generic').
instance Prelude.NFData EncryptResponse