Merge branch 'main' into seebees/optimize-below

Author: ajewellamz

.github/workflows/ci_test_latest_released_mpl_java.yml

@@ -0,0 +1,126 @@
+# This workflow is for testing that the latest released version
+# of the MPL is compatible with the current DB-ESDK Head
+name: Test Latest Released MPL Java with DB-ESDK HEAD
+
+on:
+  schedule:
+    - cron: "00 16 * * 1-5"
+  workflow_dispatch: # allows triggering this manually through the Actions UI
+    inputs:
+      run_test_vectors:
+        description: "Run Test Vectors?"
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  getVersion:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/dafny_version.yml
+  getVerifyVersion:
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/dafny_verify_version.yml
+  getMplDependencyJavaVersion:
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/mpl_dependency_java_version.yml
+  testJava:
+    needs: [getVersion, getMplDependencyJavaVersion]
+    strategy:
+      max-parallel: 1
+      matrix:
+        java-version: [17]
+        os: [ubuntu-22.04]
+    runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2
+          role-session-name: DDBEC-Dafny-Java-Tests
+
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Setup Java ${{ matrix.java-version }}
+        uses: actions/setup-java@v4
+        with:
+          distribution: "corretto"
+          java-version: ${{ matrix.java-version }}
+
+      - name: Setup Dafny
+        uses: dafny-lang/[email protected]
+        with:
+          dafny-version: ${{ needs.getVersion.outputs.version }}
+
+      - name: Regenerate code using smithy-dafny if necessary
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/polymorph_codegen
+        with:
+          dafny: ${{ env.DAFNY_VERSION }}
+          library: DynamoDbEncryption
+          diff-generated-code: false
+          update-and-regenerate-mpl: true
+
+      # The following two steps: "Build and deploy to maven local" and "Run Extensive Tests"
+      # mimic the tests in ./codebuild/staging/release-staging.yml
+      - name: Build and deploy to maven local
+        shell: bash
+        working-directory: ./DynamoDbEncryption
+        run: |
+          # Run transpile by itself. We don't want to locally build the MPL because
+          # we want to verify that the version pulled down from maven works correctly
+          make transpile_implementation_java
+          make transpile_test_java
+          make mvn_local_deploy
+          make test_java
+
+      - name: Run Extensive Tests
+        working-directory: ./DynamoDbEncryption
+        run: |
+          gradle -p runtimes/java clean
+          gradle -p runtimes/java test
+
+      # This makes sure that we are using the correct MPL version to test the DB-ESDK.
+      # If this contains a SNAPSHOT version, this will fail because'
+      # we are NOT building the MPL recursively but pulling from Maven.
+      - name: Update project.properties to use the correct MPL version (from project.properties in DB-ESDK)
+        working-directory: ./submodules/MaterialProviders/
+        run: |
+          sed "s/mplVersion=.*/mplVersion=${{needs.getMplDependencyJavaVersion.outputs.version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
+
+      # The following three steps: "Transpile MPL Test Vectors without recursively building the MPL",
+      # "Run Test Vectors", and "Test Examples" mimic the tests in ./codebuild/staging/validate-staging.yml
+      - name: Transpile MPL Test Vectors without recursively building the MPL
+        working-directory: ./submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders
+        run: |
+          # Run transpile by itself. We don't want to locally build the MPL because
+          # we want to verify that the version pulled down from maven works correctly
+          make transpile_implementation_java
+          make transpile_test_java
+          make mvn_local_deploy
+
+      - name: Run Test Vectors
+        if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && ${{inputs.run_test_vectors}})
+        working-directory: ./TestVectors
+        run: |
+          # Spin up ddb local
+          docker run --name dynamodb -d -p 8000:8000 amazon/dynamodb-local -jar DynamoDBLocal.jar -port 8000 -inMemory -cors *
+          # Run transpile by itself so we don't locally build the MPL.
+          make transpile_implementation_java
+          make transpile_test_java
+          gradle -p runtimes/java runTests
+
+      - name: Test Examples
+        working-directory: ./Examples
+        run: |
+          # Run Simple Examples
+          gradle -p runtimes/java/DynamoDbEncryption test
+          # Run Migration Examples
+          gradle -p runtimes/java/Migration/PlaintextToAWSDBE test
+          gradle -p runtimes/java/Migration/DDBECToAWSDBE test

.github/workflows/ci_todos.yml

@@ -17,8 +17,8 @@ jobs:
         shell: bash
         # TODOs may be committed as long as the same line contains a link to a Github Issue or refers to a CrypTool SIM.
         run: |
-          ALL_TODO_COUNT=$( { grep -r "TODO" . --exclude-dir=./TestVectors/runtimes --exclude-dir=./submodules --exclude-dir=./.git --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
-          GOOD_TODO_COUNT=$( { grep -r "TODO.*\(github.com\/.*issues.*\/[1-9][0-9]*\|CrypTool-[1-9][0-9]*\)" . --exclude-dir=./submodules --exclude-dir=./.git  --exclude-dir=./TestVectors/runtimes --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
+          ALL_TODO_COUNT=$( { grep -r "TODO" . --exclude-dir=./releases --exclude-dir=./TestVectors/runtimes --exclude-dir=./submodules --exclude-dir=./.git --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
+          GOOD_TODO_COUNT=$( { grep -r "TODO.*\(github.com\/.*issues.*\/[1-9][0-9]*\|CrypTool-[1-9][0-9]*\)" . --exclude-dir=./releases --exclude-dir=./submodules --exclude-dir=./.git  --exclude-dir=./TestVectors/runtimes --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
           if [ "$ALL_TODO_COUNT" != "$GOOD_TODO_COUNT" ]; then
             exit 1;
           fi

.github/workflows/mpl_dependency_java_version.yml

@@ -0,0 +1,25 @@
+# This workflow reads the project.properties
+# into the environment variables
+# and then creates an output variable for `mplDependencyJavaVersion`
+name: MPL Dependency Java Version
+
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "The MPL Dependency Java version from project.properties"
+        value: ${{ jobs.getMplDependencyJavaVersion.outputs.version }}
+
+jobs:
+  getMplDependencyJavaVersion:
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.read_property.outputs.mplDependencyJavaVersion }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Read version from Properties-file
+        id: read_property
+        uses: christian-draeger/[email protected]
+        with:
+          path: "./project.properties"
+          properties: "mplDependencyJavaVersion"

.github/workflows/mpl_head_version.yml

@@ -1,6 +1,6 @@
-# This workflow reads the project.properties
+# This workflow reads the project.properties in the MPL submodule
 # into the environment variables
-# and then creates an output variable for `dafnyVerifyVersion `
+# and then creates an output variable for `mplVersion`
 name: MPL HEAD Version
 
 on:
@@ -13,7 +13,7 @@ on:
         type: string
     outputs:
       version:
-        description: "The dafny version for verify"
+        description: "The MPL version"
         value: ${{ jobs.getMplHeadVersion.outputs.version }}
 
 jobs:

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-## [3.8.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.7.0...v3.8.0) (2025-01-27)
+## [3.8.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.7.0...v3.8.0) (2025-02-05)
 
 This release is available in the following languages:
 
@@ -9,6 +9,7 @@ This release is available in the following languages:
 ### Features
 
 - **SharedCache:** Shared Cache for Searchable Encryption ([#1476](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1476)) ([46076f8](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/46076f86aec77f7df204c1e06a8ecb2400f01b6f))
+- bump to dafny 4.9.0 and mpl 1.9.0 ([#1627](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1627))
 
 ### Fixes
 
@@ -21,6 +22,12 @@ This release is available in the following languages:
 
 ### Maintenance
 
+- make const policy an extern ([#1587](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1587)) ([be3b96e](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/be3b96e7d6c441aee3b87862a2989309560413ba))
+- mpl: Bump to 1.9.0 ([#1621](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1621)) ([04a8eb2](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/04a8eb2ec84e57b795562618331e9c7e6f0de0c4))
+- release Rust 1.0.0 ([#1612](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1612)) ([3392200](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/3392200e2c844710a2d1b6d9c9942c8b9769f71e))
+- remove unsafe from interceptor ([#1620](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1620)) ([f6ef3f4](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/f6ef3f4b05010aa06f5a0f7f0d48ca05db4f71f1))
+- TestVectors: Reuse single KeyVectors client across TestVectors ([#1577](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1577)) ([dabcaf1](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/dabcaf12c198bd3dda78996a42ae5a5682f2b88a))
+- update for async support ([#1560](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1560)) ([700f939](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/700f939e9e5c5e8ed7f7880ea74213231ab6e6ed))
 - add dependabot for rust ([#1481](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1481)) ([67f3d2e](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/67f3d2e567b513a53d208f60ec6991a0b6c825d0))
 - Add ECDH examples ([#1461](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1461)) ([cc937b4](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/cc937b41190c17e1087acbdcd524becc1a97e214))
 - add Rust release directory ([#1479](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1479)) ([97dde01](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/97dde01a3b6d9a33a8b60dcb6e63debc5329d691))

DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy

@@ -176,7 +176,7 @@ module SearchConfigToInfo {
     var cache;
     if cacheType.Shared? {
       cache := cacheType.Shared;
-      reveal ValidSharedCache(config);
+      reveal ValidSharedCache();
     } else {
       //= specification/searchable-encryption/search-config.md#key-store-cache
       //# For a Beacon Key Source a [CMC](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md)

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/InternalLegacyOverride.dfy

@@ -13,7 +13,7 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencry
     static method {:extern} Build(encryptorConfig: Types.DynamoDbItemEncryptorConfig)
       returns (output: Result<Option<InternalLegacyOverride>, Types.Error>)
 
-    const policy: DDBE.LegacyPolicy
+    const {:extern} policy: DDBE.LegacyPolicy
 
     method {:extern} EncryptItem(input: Types.EncryptItemInput)
       returns (output: Result<Types.EncryptItemOutput, Types.Error>)

DynamoDbEncryption/runtimes/net/Extern/InternalLegacyConfig.cs

@@ -8,7 +8,18 @@ namespace software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencryptor.in
 
   public partial class InternalLegacyOverride
   {
-
+    public software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types._ILegacyPolicy _policy
+    {
+      get => software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types.LegacyPolicy.create_FORBID__LEGACY__ENCRYPT__FORBID__LEGACY__DECRYPT();
+      set { }
+    }
+    public software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types._ILegacyPolicy policy
+    {
+      get
+      {
+        return this._policy;
+      }
+    }
     public static Wrappers_Compile._IResult<
       Wrappers_Compile._IOption<InternalLegacyOverride>,
       _IError

DynamoDbEncryption/runtimes/rust/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "aws-db-esdk"
-version = "0.2.0"
+version = "1.0.0"
 edition = "2021"
 rust-version = "1.81.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]

DynamoDbEncryption/runtimes/rust/src/intercept.rs

@@ -91,9 +91,6 @@ impl DbEsdkInterceptor {
     }
 }
 
-unsafe impl Sync for DbEsdkInterceptor {}
-unsafe impl Send for DbEsdkInterceptor {}
-
 #[derive(Debug)]
 struct OriginalRequest(Input);
 

DynamoDbEncryption/runtimes/rust/src/software_externs.rs

@@ -58,6 +58,9 @@ pub mod software {
                                 }
 
                                 impl InternalLegacyOverride {
+                                    pub fn policy(&self) -> Rc<LegacyPolicy> {
+                                        self.r#__i_policy.clone()
+                                    }
                                     pub fn Build(
                                         config: &Rc<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::types::DynamoDbItemEncryptorConfig>,
                                     ) -> Rc<

SUPPORT_POLICY.rst

@@ -30,4 +30,21 @@ This table describes the current support status of each major version of the AWS
       -
       -
 
+Version Support Matrix for Rust
+===============================
+This table describes the current support status of each major version of the AWS Encryption SDK for Rust. It also shows the next status each major version will transition to, and the date at which that transition will happen.
+
+.. list-table::
+    :widths: 30 50 50 50
+    :header-rows: 1
+
+    * - Major version
+      - Current status
+      - Next status
+      - Next status date
+    * - 1.x
+      - Generally Available
+      -
+      - 
+
 .. _AWS SDKs and Tools Maintenance Policy: https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle

TestVectors/dafny/DDBEncryption/src/DecryptManifest.dfy

@@ -20,12 +20,17 @@ module {:options "-functionSyntax:4"} DecryptManifest {
   import opened JSONHelpers
   import JsonConfig
   import ENC = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
+  import KeyVectors
 
-  method OnePositiveTest(name : string, config : JSON, encrypted : JSON, plaintext : JSON) returns (output : Result<bool, string>)
+  method OnePositiveTest(name : string, config : JSON, encrypted : JSON, plaintext : JSON, keys : KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     var enc :- JsonConfig.GetRecord(encrypted);
     var plain :- JsonConfig.GetRecord(plaintext);
-    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config, keys);
     var decrypted :- expect encryptor.DecryptItem(
       ENC.DecryptItemInput(
         encryptedItem:=enc.item
@@ -36,10 +41,14 @@ module {:options "-functionSyntax:4"} DecryptManifest {
     return Success(true);
   }
 
-  method OneNegativeTest(name : string, config : JSON, encrypted : JSON) returns (output : Result<bool, string>)
+  method OneNegativeTest(name : string, config : JSON, encrypted : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     var enc :- JsonConfig.GetRecord(encrypted);
-    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config, keys);
     var decrypted := encryptor.DecryptItem(
       ENC.DecryptItemInput(
         encryptedItem:=enc.item
@@ -51,7 +60,11 @@ module {:options "-functionSyntax:4"} DecryptManifest {
     return Success(true);
   }
 
-  method OneTest(name : string, value : JSON) returns (output : Result<bool, string>)
+  method OneTest(name : string, value : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(value.Object?, "Test must be an object");
 
@@ -89,15 +102,19 @@ module {:options "-functionSyntax:4"} DecryptManifest {
 
     if types.value == "positive-decrypt" {
       :- Need(plaintext.Some?, "positive-decrypt Test requires a 'plaintext' member.");
-      output := OnePositiveTest(name, config.value, encrypted.value, plaintext.value);
+      output := OnePositiveTest(name, config.value, encrypted.value, plaintext.value, keys);
     } else if types.value == "negative-decrypt" {
-      output := OneNegativeTest(name, config.value, encrypted.value);
+      output := OneNegativeTest(name, config.value, encrypted.value, keys);
     } else {
       return Failure("Invalid encrypt type : '" + types.value + "'.");
     }
   }
 
-  method Decrypt(inFile : string) returns (output : Result<bool, string>)
+  method Decrypt(inFile : string, keyVectors: KeyVectors.KeyVectorsClient)
+    returns (output : Result<bool, string>)
+    requires keyVectors.ValidState()
+    modifies keyVectors.Modifies
+    ensures keyVectors.ValidState()
   {
     var timeStamp :- expect Time.GetCurrentTimeStamp();
     print timeStamp + " Decrypt : ", inFile, "\n";
@@ -154,7 +171,7 @@ module {:options "-functionSyntax:4"} DecryptManifest {
     for i := 0 to |tests.value| {
       var obj := tests.value[i];
       :- Need(obj.1.Object?, "Value of test '" + obj.0 + "' must be an Object.");
-      var _ :- OneTest(obj.0, obj.1);
+      var _ :- OneTest(obj.0, obj.1, keyVectors);
     }
 
     timeStamp :- expect Time.GetCurrentTimeStamp();