Merge branch 'main' into rkapila/shared-cache-examples

Author: RitvikKapila

.github/workflows/check-files.yml

@@ -14,7 +14,7 @@ jobs:
     env:
       # unfortunately we can't check if the approver is part of the CODEOWNERS. This is a subset of aws/aws-crypto-tools-team
       # to add more allowlisted approvers just modify this env variable
-      maintainers: seebees, texastony, ShubhamChaturvedi7, lucasmcdonald3, josecorella, imabhichow, rishav-karanjit, antonf-amzn, justplaz, ajewellamz
+      maintainers: seebees, texastony, ShubhamChaturvedi7, lucasmcdonald3, josecorella, imabhichow, rishav-karanjit, antonf-amzn, kessplas, ajewellamz, RitvikKapila
     steps:
       - uses: actions/checkout@v3
         with:

.github/workflows/ci_examples_java.yml

@@ -29,7 +29,7 @@ jobs:
       max-parallel: 1
       matrix:
         java-version: [8, 11, 16, 17]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/ci_examples_net.yml

@@ -27,7 +27,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         dotnet-version: ["6.0.x"]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/ci_test_java.yml

@@ -29,7 +29,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         java-version: [8, 11, 16, 17]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/ci_test_net.yml

@@ -25,7 +25,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         dotnet-version: ["6.0.x"]
-        os: [macos-12, ubuntu-latest, windows-latest]
+        os: [macos-13, ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/ci_todos.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   findTodos:
-    runs-on: macos-12
+    runs-on: macos-13
     steps:
       - uses: actions/checkout@v3
 

.github/workflows/dafny_interop_examples_java.yml

@@ -28,7 +28,7 @@ jobs:
       max-parallel: 1
       matrix:
         java-version: [8, 11, 16, 17]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/dafny_interop_examples_net.yml

@@ -24,7 +24,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         dotnet-version: ["6.0.x"]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/dafny_interop_java.yml

@@ -28,7 +28,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         java-version: [8, 11, 16, 17]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/dafny_interop_test_net.yml

@@ -24,7 +24,7 @@ jobs:
       matrix:
         library: [DynamoDbEncryption]
         dotnet-version: ["6.0.x"]
-        os: [macos-12, ubuntu-latest, windows-latest]
+        os: [macos-13, ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write

.github/workflows/library_dafny_verification.yml

@@ -39,7 +39,7 @@ jobs:
             DynamoDbItemEncryptor,
             StructuredEncryption,
           ]
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     defaults:
       run:
@@ -72,7 +72,7 @@ jobs:
           sed "s/mplDependencyJavaVersion=.*/mplDependencyJavaVersion=${{inputs.mpl-version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
 
       # dafny-reportgenerator requires next6
-      # but only 7.0 is installed on macos-12-large
+      # but only 7.0 is installed on macos-13-large
       - name: Setup .NET Core SDK '6.0.x'
         uses: actions/setup-dotnet@v4
         with:

.github/workflows/library_format.yml

@@ -19,7 +19,7 @@ jobs:
     if: github.event_name != 'schedule' || github.repository_owner == 'aws'
     strategy:
       matrix:
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     defaults:
       run:
@@ -39,7 +39,7 @@ jobs:
       - name: Setup Dafny
         uses: dafny-lang/[email protected]
         with:
-          dafny-version: ${{ '4.2.0' }}
+          dafny-version: ${{ inputs.dafny }}
 
       - name: Check format of Java code et al
         run: |

.github/workflows/sem_ver.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   semantic-release:
-    runs-on: macos-12
+    runs-on: macos-13
     permissions:
       id-token: write
       contents: read

.github/workflows/semantic_release.yml

@@ -14,8 +14,8 @@ jobs:
     # there is no easy way in gha to check if the actor is part of the team, running semantic release is a more
     # privileged operation, so we must make sure this list of users is a subset of the users labeled as maintainers of
     # https://github.com/orgs/aws/teams/aws-crypto-tools
-    if: contains('["seebees","texastony","ShubhamChaturvedi7","lucasmcdonald3","josecorella","imabhichow","rishav-karanjit","antonf-amzn","justplaz","ajewellamz","RitvikKapila"]', github.actor)
-    runs-on: macos-12
+    if: contains('["seebees","texastony","ShubhamChaturvedi7","lucasmcdonald3","josecorella","imabhichow","rishav-karanjit","antonf-amzn","kessplas","ajewellamz","RitvikKapila"]', github.actor)
+    runs-on: macos-13
     permissions:
       id-token: write
       contents: write

.github/workflows/test_vector_verification.yml

@@ -29,7 +29,7 @@ jobs:
     if: github.event_name != 'schedule' || github.repository_owner == 'aws'
     strategy:
       matrix:
-        os: [macos-12]
+        os: [macos-13]
     runs-on: ${{ matrix.os }}
     defaults:
       run:
@@ -62,7 +62,7 @@ jobs:
           sed "s/mplDependencyJavaVersion=.*/mplDependencyJavaVersion=${{inputs.mpl-version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
 
       # dafny-reportgenerator requires next6
-      # but only 7.0 is installed on macos-12-large
+      # but only 7.0 is installed on macos-13-large
       - name: Setup .NET Core SDK '6.0.x'
         uses: actions/setup-dotnet@v4
         with:

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy

@@ -143,7 +143,9 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
                && output.value.branchKeyIdSupplier.ValidState()
                && output.value.branchKeyIdSupplier.Modifies !! {History}
                && fresh(output.value.branchKeyIdSupplier)
-               && fresh ( output.value.branchKeyIdSupplier.Modifies - Modifies - {History} - input.ddbKeyBranchKeyIdSupplier.Modifies ) )
+               && fresh ( output.value.branchKeyIdSupplier.Modifies
+                          - Modifies - {History}
+                          - input.ddbKeyBranchKeyIdSupplier.Modifies ) )
       ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output)
       ensures History.CreateDynamoDbEncryptionBranchKeyIdSupplier == old(History.CreateDynamoDbEncryptionBranchKeyIdSupplier) + [DafnyCallEvent(input, output)]
 
@@ -535,7 +537,9 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbService
                && output.value.branchKeyIdSupplier.ValidState()
                && output.value.branchKeyIdSupplier.Modifies !! {History}
                && fresh(output.value.branchKeyIdSupplier)
-               && fresh ( output.value.branchKeyIdSupplier.Modifies - Modifies - {History} - input.ddbKeyBranchKeyIdSupplier.Modifies ) )
+               && fresh ( output.value.branchKeyIdSupplier.Modifies
+                          - Modifies - {History}
+                          - input.ddbKeyBranchKeyIdSupplier.Modifies ) )
       ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output)
       ensures History.CreateDynamoDbEncryptionBranchKeyIdSupplier == old(History.CreateDynamoDbEncryptionBranchKeyIdSupplier) + [DafnyCallEvent(input, output)]
     {
@@ -592,7 +596,9 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbOperations {
       && ( output.Success? ==>
              && output.value.branchKeyIdSupplier.ValidState()
              && fresh(output.value.branchKeyIdSupplier)
-             && fresh ( output.value.branchKeyIdSupplier.Modifies - ModifiesInternalConfig(config) - input.ddbKeyBranchKeyIdSupplier.Modifies ) )
+             && fresh ( output.value.branchKeyIdSupplier.Modifies
+                        - ModifiesInternalConfig(config)
+                        - input.ddbKeyBranchKeyIdSupplier.Modifies ) )
     ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output)
 
 

DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy

@@ -19,7 +19,7 @@ module BaseBeacon {
 
   import DDB = ComAmazonawsDynamodbTypes
   import Prim = AwsCryptographyPrimitivesTypes
-  import Aws.Cryptography.Primitives
+  import Primitives = AtomicPrimitives
   import UTF8
   import SortedSets
   import TermLoc

DynamoDbEncryption/dafny/DynamoDbEncryption/src/CompoundBeacon.dfy

@@ -16,7 +16,7 @@ module CompoundBeacon {
   import opened DdbVirtualFields
 
   import Prim = AwsCryptographyPrimitivesTypes
-  import Aws.Cryptography.Primitives
+  import Primitives = AtomicPrimitives
   import UTF8
   import Seq
   import SortedSets

DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy

@@ -32,7 +32,7 @@ module SearchConfigToInfo {
   import CB = CompoundBeacon
   import SE = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes
   import MPT = AwsCryptographyMaterialProvidersTypes
-  import Aws.Cryptography.Primitives
+  import Primitives = AtomicPrimitives
 
   // convert configured SearchConfig to internal SearchInfo
   method Convert(outer : DynamoDbTableEncryptionConfig)
@@ -137,14 +137,19 @@ module SearchConfigToInfo {
       else
         MPT.Default(Default := MPT.DefaultCache(entryCapacity := 1));
 
-    //= specification/searchable-encryption/search-config.md#key-store-cache
-    //# For a Beacon Key Source a [CMC](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md)
-    //# MUST be created.
-    var input := MPT.CreateCryptographicMaterialsCacheInput(
-      cache := cacheType
-    );
-    var maybeCache := mpl.CreateCryptographicMaterialsCache(input);
-    var cache :- maybeCache.MapFailure(e => AwsCryptographyMaterialProviders(e));
+    var cache;
+    if cacheType.Shared? {
+      cache := cacheType.Shared;
+    } else {
+      //= specification/searchable-encryption/search-config.md#key-store-cache
+      //# For a Beacon Key Source a [CMC](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md)
+      //# MUST be created.
+      var input := MPT.CreateCryptographicMaterialsCacheInput(
+        cache := cacheType
+      );
+      var maybeCache := mpl.CreateCryptographicMaterialsCache(input);
+      cache :- maybeCache.MapFailure(e => AwsCryptographyMaterialProviders(e));
+    }
 
     if config.multi? {
       :- Need(0 < config.multi.cacheTTL, E("Beacon Cache TTL must be at least 1."));

DynamoDbEncryption/dafny/DynamoDbEncryption/src/SearchInfo.dfy

@@ -21,7 +21,7 @@ module SearchableEncryptionInfo {
   import UTF8
   import opened Time
   import KeyStore = AwsCryptographyKeyStoreTypes
-  import Aws.Cryptography.Primitives
+  import Primitives = AtomicPrimitives
   import Prim = AwsCryptographyPrimitivesTypes
   import MP = AwsCryptographyMaterialProvidersTypes
   import KeyStoreTypes = AwsCryptographyKeyStoreTypes
@@ -71,11 +71,11 @@ module SearchableEncryptionInfo {
       //# MUST be generated in accordance with [HMAC Key Generation](#hmac-key-generation).
       var newKey :- GetBeaconKey(client, key, keysLeft[0]);
       reveal Seq.HasNoDuplicates();
-      //= specification/searchable-encryption/search-config.md#get-beacon-key-materials
-      //# [Beacon Key Materials](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/structures.md#beacon-key-materials) MUST be generated
-      //# with the [beacon key id](#beacon-key-id) equal to the `beacon key id`
-      //# and the [HMAC Keys](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/structures.md#hmac-keys) equal to a map
-      //# of every [standard beacons](beacons.md#standard-beacon-initialization) name to its generated HMAC key.
+             //= specification/searchable-encryption/search-config.md#get-beacon-key-materials
+             //# [Beacon Key Materials](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/structures.md#beacon-key-materials) MUST be generated
+             //# with the [beacon key id](#beacon-key-id) equal to the `beacon key id`
+             //# and the [HMAC Keys](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/structures.md#hmac-keys) equal to a map
+             //# of every [standard beacons](beacons.md#standard-beacon-initialization) name to its generated HMAC key.
       output := GetHmacKeys(client, allKeys, keysLeft[1..], key, acc[keysLeft[0] := newKey]);
     }
   }

DynamoDbEncryption/dafny/DynamoDbEncryption/test/BeaconTestFixtures.dfy

@@ -17,7 +17,7 @@ module BeaconTestFixtures {
   import DDBC = Com.Amazonaws.Dynamodb
   import KTypes = AwsCryptographyKeyStoreTypes
   import SI = SearchableEncryptionInfo
-  import Aws.Cryptography.Primitives
+  import Primitives = AtomicPrimitives
   import MaterialProviders
   import MPT = AwsCryptographyMaterialProvidersTypes
   import SortedSets
@@ -181,6 +181,9 @@ module BeaconTestFixtures {
     ensures output.keyStore.ValidState()
     ensures fresh(output.keyStore.Modifies)
     ensures output.version == 1
+    ensures
+      && output.keySource.multi?
+      && output.keySource.multi.cache.None?
   {
     var store := GetKeyStore();
     return BeaconVersion (