m

Author: ajewellamz

DynamoDbEncryption/runtimes/rust/src/bin/example/basic_get_put_example.rs

@@ -2,51 +2,50 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use crate::test_utils;
+use db_esdk::aws_cryptography_keyStore::client as keystore_client;
 use db_esdk::aws_cryptography_keyStore::types::key_store_config::KeyStoreConfig;
 use db_esdk::aws_cryptography_keyStore::types::KmsConfiguration;
-use db_esdk::aws_cryptography_keyStore::client as keystore_client;
 
 /*
-  The Hierarchical Keyring Example and Searchable Encryption Examples
-  rely on the existence of a DDB-backed key store with pre-existing
-  branch key material or beacon key material.
-
-  See the "Create KeyStore Table Example" for how to first set up
-  the DDB Table that will back this KeyStore.
-
-  This example demonstrates configuring a KeyStore and then
-  using a helper method to create a branch key and beacon key
-  that share the same Id, then return that Id.
-  We will always create a new beacon key alongside a new branch key,
-  even if you are not using searchable encryption.
-
-  This key creation should occur within your control plane.
- */
-    pub async fn keystore_create_key() -> String
-    {
-      let key_store_table_name = test_utils::TEST_KEYSTORE_NAME;
-      let logical_key_store_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
-      let kms_key_arn = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
-
-      // 1. Configure your KeyStore resource.
-      //    This SHOULD be the same configuration that was used to create the DDB table
-      //    in the "Create KeyStore Table Example".
-      let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
-      let key_store_config = KeyStoreConfig::builder()
-          .kms_client(aws_sdk_kms::Client::new(&sdk_config))
-          .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
-          .ddb_table_name(key_store_table_name)
-          .logical_key_store_name(logical_key_store_name)
-          .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
-          .build()
-          .unwrap();
-        
-        let keystore = keystore_client::Client::from_conf(key_store_config).unwrap();
-
-      // 2. Create a new branch key and beacon key in our KeyStore.
-      //    Both the branch key and the beacon key will share an Id.
-      //    This creation is eventually consistent.
-
-      let new_key = keystore.create_key().send().await.unwrap();
-      return new_key.branch_key_identifier.unwrap();
-  }
+ The Hierarchical Keyring Example and Searchable Encryption Examples
+ rely on the existence of a DDB-backed key store with pre-existing
+ branch key material or beacon key material.
+
+ See the "Create KeyStore Table Example" for how to first set up
+ the DDB Table that will back this KeyStore.
+
+ This example demonstrates configuring a KeyStore and then
+ using a helper method to create a branch key and beacon key
+ that share the same Id, then return that Id.
+ We will always create a new beacon key alongside a new branch key,
+ even if you are not using searchable encryption.
+
+ This key creation should occur within your control plane.
+*/
+pub async fn keystore_create_key() -> String {
+    let key_store_table_name = test_utils::TEST_KEYSTORE_NAME;
+    let logical_key_store_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
+    let kms_key_arn = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
+
+    // 1. Configure your KeyStore resource.
+    //    This SHOULD be the same configuration that was used to create the DDB table
+    //    in the "Create KeyStore Table Example".
+    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+    let key_store_config = KeyStoreConfig::builder()
+        .kms_client(aws_sdk_kms::Client::new(&sdk_config))
+        .ddb_client(aws_sdk_dynamodb::Client::new(&sdk_config))
+        .ddb_table_name(key_store_table_name)
+        .logical_key_store_name(logical_key_store_name)
+        .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
+        .build()
+        .unwrap();
+
+    let keystore = keystore_client::Client::from_conf(key_store_config).unwrap();
+
+    // 2. Create a new branch key and beacon key in our KeyStore.
+    //    Both the branch key and the beacon key will share an Id.
+    //    This creation is eventually consistent.
+
+    let new_key = keystore.create_key().send().await.unwrap();
+    new_key.branch_key_identifier.unwrap()
+}

DynamoDbEncryption/runtimes/rust/src/bin/example/create_keystore_key.rs

@@ -2,52 +2,64 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use crate::test_utils;
+use aws_sdk_dynamodb::types::AttributeValue;
 use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::client as dbesdk_client;
 use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::dynamo_db_encryption_config::DynamoDbEncryptionConfig;
-use std::collections::HashMap;
-use aws_sdk_dynamodb::types::AttributeValue;
 use db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::GetEncryptedDataKeyDescriptionUnion;
+use std::collections::HashMap;
+
+pub async fn get_encrypted_data_key_description() {
+    let kms_key_id = test_utils::TEST_KMS_KEY_ID;
+    let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
+    let config = DynamoDbEncryptionConfig::builder().build().unwrap();
+    let ddb_enc = dbesdk_client::Client::from_conf(config).unwrap();
+
+    // 1. Define keys that will be used to retrieve item from the DynamoDB table.
+    let key_to_get = HashMap::from([
+        (
+            "partition_key".to_string(),
+            AttributeValue::S("BasicPutGetExample".to_string()),
+        ),
+        ("sort_key".to_string(), AttributeValue::N("0".to_string())),
+    ]);
+
+    // 2. Create a Amazon DynamoDB Client and retrieve item from DynamoDB table
+    let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+    let ddb = aws_sdk_dynamodb::Client::new(&sdk_config);
+    let get_item_response = ddb
+        .get_item()
+        .set_key(Some(key_to_get))
+        .table_name(ddb_table_name)
+        .send()
+        .await
+        .unwrap();
 
-pub async fn  get_encrypted_data_key_description()
-    {
-        let kms_key_id = test_utils::TEST_KMS_KEY_ID;
-        let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
-        let config = DynamoDbEncryptionConfig::builder().build().unwrap();
-        let ddb_enc = dbesdk_client::Client::from_conf(config).unwrap();
-
-        // 1. Define keys that will be used to retrieve item from the DynamoDB table.
-        let key_to_get = HashMap::from([
-          ("partition_key".to_string(), AttributeValue::S("BasicPutGetExample".to_string())),
-          ("sort_key".to_string(), AttributeValue::N("0".to_string())),
-        ]);
-
-
-        // 2. Create a Amazon DynamoDB Client and retrieve item from DynamoDB table
-        let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
-        let ddb = aws_sdk_dynamodb::Client::new(&sdk_config);
-        let get_item_response = ddb.get_item()
-          .set_key(Some(key_to_get))
-          .table_name(ddb_table_name)
-          .send().await.unwrap();
-
-
-        // 3. Extract the item from the dynamoDB table and prepare input for the GetEncryptedDataKeyDescription method.
-        // Here, we are sending dynamodb item but you can also input the header itself by extracting the header from 
-        // "aws_dbe_head" attribute in the dynamoDB item. The part of the code where we send input as the header is commented.
-        let returned_item = get_item_response.item.unwrap();
-        let input_union = GetEncryptedDataKeyDescriptionUnion::Item(returned_item);
-        let output = ddb_enc.get_encrypted_data_key_description()
+    // 3. Extract the item from the dynamoDB table and prepare input for the GetEncryptedDataKeyDescription method.
+    // Here, we are sending dynamodb item but you can also input the header itself by extracting the header from
+    // "aws_dbe_head" attribute in the dynamoDB item. The part of the code where we send input as the header is commented.
+    let returned_item = get_item_response.item.unwrap();
+    let input_union = GetEncryptedDataKeyDescriptionUnion::Item(returned_item);
+    let output = ddb_enc
+        .get_encrypted_data_key_description()
         .input(input_union)
-        .send().await.unwrap();
+        .send()
+        .await
+        .unwrap();
 
-        // The code below shows how we can send header as the input to the DynamoDB. This code is written to demo the 
-        // alternative approach. So, it is commented.
-        // let input_union = GetEncryptedDataKeyDescriptionUnion::Header(returned_item["aws_dbe_head"].as_b().unwrap().clone());
+    // The code below shows how we can send header as the input to the DynamoDB. This code is written to demo the
+    // alternative approach. So, it is commented.
+    // let input_union = GetEncryptedDataKeyDescriptionUnion::Header(returned_item["aws_dbe_head"].as_b().unwrap().clone());
 
-        // 4. Get encrypted DataKey Descriptions from GetEncryptedDataKeyDescription method output and assert if its true.
-        let encrypted_data_key_descriptions = output.encrypted_data_key_description_output.unwrap();
-        assert_eq!(encrypted_data_key_descriptions[0].key_provider_id, Some("aws-kms".to_string()));
-        assert_eq!(encrypted_data_key_descriptions[0].key_provider_info, Some(kms_key_id.to_string()));
+    // 4. Get encrypted DataKey Descriptions from GetEncryptedDataKeyDescription method output and assert if its true.
+    let encrypted_data_key_descriptions = output.encrypted_data_key_description_output.unwrap();
+    assert_eq!(
+        encrypted_data_key_descriptions[0].key_provider_id,
+        Some("aws-kms".to_string())
+    );
+    assert_eq!(
+        encrypted_data_key_descriptions[0].key_provider_info,
+        Some(kms_key_id.to_string())
+    );
 
-        println!("get_encrypted_data_key_description successful.");
-      }
+    println!("get_encrypted_data_key_description successful.");
+}

DynamoDbEncryption/runtimes/rust/src/bin/example/get_encrypted_data_key_description.rs

@@ -6,19 +6,21 @@
 #![deny(clippy::all)]
 
 pub mod basic_get_put_example;
-pub mod test_utils;
-pub mod itemencryptor;
-pub mod searchableencryption;
 pub mod create_keystore_key;
 pub mod get_encrypted_data_key_description;
+pub mod itemencryptor;
+pub mod keyring;
 pub mod multi_get_put_example;
+pub mod searchableencryption;
+pub mod test_utils;
 
 #[tokio::main]
 pub async fn main() {
     basic_get_put_example::put_item_get_item().await;
     itemencryptor::item_encrypt_decrypt::encrypt_decrypt().await;
     get_encrypted_data_key_description::get_encrypted_data_key_description().await;
     multi_get_put_example::multi_put_get().await;
+    keyring::raw_rsa_keyring::put_item_get_item().await;
 
     // let key_id = create_keystore_key::keystore_create_key().await;
     // // let key_id2 = create_keystore_key::keystore_create_key().await;
@@ -29,22 +31,21 @@ pub async fn main() {
     // searchableencryption::basic_searchable_encryption::put_and_query_with_beacon(&key_id).await;
     // // FIXME : ScanError will have to wait until we have a reasonable error message strategy
 
-/*
-            await MultiPutGetExample.MultiPutGet();
-            await ClientSupplierExample.ClientSupplierPutItemGetItem();
-            await MultiMrkKeyringExample.MultiMrkKeyringGetItemPutItem();
-            await RawAesKeyringExample.RawAesKeyringGetItemPutItem();
-            await MrkDiscoveryMultiKeyringExample.MultiMrkDiscoveryKeyringGetItemPutItem();
-            await MultiKeyringExample.MultiKeyringGetItemPutItem();
-            await RawRsaKeyringExample.RawRsaKeyringGetItemPutItem();
-            await KmsRsaKeyringExample.KmsRsaKeyringGetItemPutItem();
-
-
-            await HierarchicalKeyringExample.HierarchicalKeyringGetItemPutItem(keyId, keyId2);
-            await CompoundBeaconSearchableEncryptionExample.PutItemQueryItemWithCompoundBeacon(keyId);
-            await VirtualBeaconSearchableEncryptionExample.PutItemQueryItemWithVirtualBeacon(keyId);
-            await BeaconStylesSearchableEncryptionExample.PutItemQueryItemWithBeaconStyles(keyId);
-            await ComplexSearchableEncryptionExample.RunExample(keyId);
-*/
+    /*
+                await ClientSupplierExample.ClientSupplierPutItemGetItem();
+                await MultiMrkKeyringExample.MultiMrkKeyringGetItemPutItem();
+                await RawAesKeyringExample.RawAesKeyringGetItemPutItem();
+                await MrkDiscoveryMultiKeyringExample.MultiMrkDiscoveryKeyringGetItemPutItem();
+                await MultiKeyringExample.MultiKeyringGetItemPutItem();
+                await RawRsaKeyringExample.RawRsaKeyringGetItemPutItem();
+                await KmsRsaKeyringExample.KmsRsaKeyringGetItemPutItem();
+
+
+                await HierarchicalKeyringExample.HierarchicalKeyringGetItemPutItem(keyId, keyId2);
+                await CompoundBeaconSearchableEncryptionExample.PutItemQueryItemWithCompoundBeacon(keyId);
+                await VirtualBeaconSearchableEncryptionExample.PutItemQueryItemWithVirtualBeacon(keyId);
+                await BeaconStylesSearchableEncryptionExample.PutItemQueryItemWithBeaconStyles(keyId);
+                await ComplexSearchableEncryptionExample.RunExample(keyId);
+    */
     println!("All examples completed successfully.\n");
 }

DynamoDbEncryption/runtimes/rust/src/bin/example/itemencryptor/item_encrypt_decrypt.rs

@@ -1,45 +1,46 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-pub const TEST_KEYSTORE_NAME : &str = "KeyStoreDdbTable";
-pub const TEST_LOGICAL_KEYSTORE_NAME : &str = "KeyStoreDdbTable";
+pub const TEST_KEYSTORE_NAME: &str = "KeyStoreDdbTable";
+pub const TEST_LOGICAL_KEYSTORE_NAME: &str = "KeyStoreDdbTable";
 
-pub const TEST_KEYSTORE_KMS_KEY_ID : &str = "arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126";
+pub const TEST_KEYSTORE_KMS_KEY_ID: &str =
+    "arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126";
 
-pub const TEST_AWS_ACCOUNT_ID : &str = "658956600833";
+pub const TEST_AWS_ACCOUNT_ID: &str = "658956600833";
 
-pub const TEST_AWS_REGION : &str = "us-west-2";
+pub const TEST_AWS_REGION: &str = "us-west-2";
 
 // These are public KMS Keys that MUST only be used for testing, and MUST NOT be used for any production data
-pub const TEST_KMS_KEY_ID : &str =
+pub const TEST_KMS_KEY_ID: &str =
     "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f";
 
-pub const TEST_MRK_KEY_ID : &str =
+pub const TEST_MRK_KEY_ID: &str =
     "arn:aws:kms:us-west-2:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7";
 
-pub const TEST_KMS_RSA_KEY_ID : &str =
+pub const TEST_KMS_RSA_KEY_ID: &str =
     "arn:aws:kms:us-west-2:658956600833:key/8b432da4-dde4-4bc3-a794-c7d68cbab5a6";
 
-pub const TEST_MRK_REPLICA_KEY_ID_US_EAST_1 : &str =
+pub const TEST_MRK_REPLICA_KEY_ID_US_EAST_1: &str =
     "arn:aws:kms:us-east-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7";
 
-pub const TEST_MRK_REPLICA_KEY_ID_EU_WEST_1 : &str =
+pub const TEST_MRK_REPLICA_KEY_ID_EU_WEST_1: &str =
     "arn:aws:kms:eu-west-1:658956600833:key/mrk-80bd8ecdcd4342aebd84b7dc9da498a7";
 
 // Our tests require access to DDB Table with this name
-pub const TEST_DDB_TABLE_NAME : &str = "DynamoDbEncryptionInterceptorTestTableCS";
-pub const TEST_COMPLEX_TABLE_NAME : &str = "ComplexBeaconTestTableCS";
+pub const TEST_DDB_TABLE_NAME: &str = "DynamoDbEncryptionInterceptorTestTableCS";
+pub const TEST_COMPLEX_TABLE_NAME: &str = "ComplexBeaconTestTableCS";
 
 // Our tests require access to DDB Tables with these name
-pub const SIMPLE_BEACON_TEST_DDB_TABLE_NAME : &str = "SimpleBeaconTestTable";
-pub const UNIT_INSPECTION_TEST_DDB_TABLE_NAME : &str = "UnitInspectionTestTableCS";
+pub const SIMPLE_BEACON_TEST_DDB_TABLE_NAME: &str = "SimpleBeaconTestTable";
+pub const UNIT_INSPECTION_TEST_DDB_TABLE_NAME: &str = "UnitInspectionTestTableCS";
 
 // The branch key must have been created using this KMS key
 // Note: This is a public resource that anyone can access.
 // This MUST NOT be used to encrypt any production data.
-pub const TEST_BRANCH_KEY_WRAPPING_KMS_KEY_ARN : &str =
+pub const TEST_BRANCH_KEY_WRAPPING_KMS_KEY_ARN: &str =
     "arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126";
 
 // Our tests require access to DDB Table with this name configured as a branch keystore
-pub const TEST_BRANCH_KEYSTORE_DDB_TABLE_NAME : &str = "KeyStoreDdbTable";
-pub const TEST_COMPLEX_DDB_TABLE_NAME : &str = "ComplexBeaconTestTable";
+pub const TEST_BRANCH_KEYSTORE_DDB_TABLE_NAME: &str = "KeyStoreDdbTable";
+pub const TEST_COMPLEX_DDB_TABLE_NAME: &str = "ComplexBeaconTestTable";

DynamoDbEncryption/runtimes/rust/src/bin/example/main.rs

@@ -1,41 +1,57 @@
-use aws_config::Region;
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
 
-fn dafny_tokio_runtime() -> tokio::runtime::Runtime
-{
-  tokio::runtime::Builder::new_multi_thread()
-      .enable_all()
-      .build()
-      .unwrap()
-}
+#![deny(warnings, unconditional_panic)]
+#![deny(nonstandard_style)]
+#![deny(clippy::all)]
+
+use aws_config::Region;
 
 #[allow(non_snake_case)]
 impl crate::r#software::amazon::cryptography::services::dynamodb::internaldafny::_default {
-  pub fn DDBClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::std::rc::Rc<
+    pub fn DDBClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::std::rc::Rc<
     crate::r#_Wrappers_Compile::Result<
       ::dafny_runtime::Object<dyn crate::r#software::amazon::cryptography::services::dynamodb::internaldafny::types::IDynamoDBClient>,
       ::std::rc::Rc<crate::r#software::amazon::cryptography::services::dynamodb::internaldafny::types::Error>
       >
-    > {
-    let region = dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(region);
-    let shared_config = dafny_tokio_runtime().block_on(aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()));
-    let shared_config = shared_config.to_builder().region(Region::new(region)).build();
-    let inner = aws_sdk_dynamodb::Client::new(&shared_config);
-    let client = crate::deps::com_amazonaws_dynamodb::client::Client { inner };
-    let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
-    std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success { value: dafny_client })
-  }
+    >{
+        let region =
+            dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(
+                region,
+            );
+        let shared_config = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+            })
+        });
+        let shared_config = shared_config
+            .to_builder()
+            .region(Region::new(region))
+            .build();
+        let inner = aws_sdk_dynamodb::Client::new(&shared_config);
+        let client = crate::deps::com_amazonaws_dynamodb::client::Client { inner };
+        let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
+        std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success {
+            value: dafny_client,
+        })
+    }
 
   pub fn DynamoDBClient() -> ::std::rc::Rc<
   crate::r#_Wrappers_Compile::Result<
     ::dafny_runtime::Object<dyn crate::r#software::amazon::cryptography::services::dynamodb::internaldafny::types::IDynamoDBClient>,
     ::std::rc::Rc<crate::r#software::amazon::cryptography::services::dynamodb::internaldafny::types::Error>
     >
-  > {
-      let shared_config = dafny_tokio_runtime().block_on(aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()));
-      let inner = aws_sdk_dynamodb::Client::new(&shared_config);
-      let client = crate::deps::com_amazonaws_dynamodb::client::Client { inner };
-      let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
-      std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success { value: dafny_client })
+    >{
+        let shared_config = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+            })
+        });
+        let inner = aws_sdk_dynamodb::Client::new(&shared_config);
+        let client = crate::deps::com_amazonaws_dynamodb::client::Client { inner };
+        let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
+        std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success {
+            value: dafny_client,
+        })
     }
-
 }

DynamoDbEncryption/runtimes/rust/src/bin/example/multi_get_put_example.rs

@@ -94,10 +94,8 @@ pub mod ECDH {
             if ec_group.is_null() {
                 return Err("Error in EC_KEY_get0_group in X509_to_X962.".to_string());
             }
-            if nid.is_some() {
-                if nid.unwrap() != unsafe { EC_GROUP_get_curve_name(ec_group) } {
-                    return Err("Curve type mismatch in X509_to_X962.".to_string());
-                }
+            if nid.is_some() && nid.unwrap() != unsafe { EC_GROUP_get_curve_name(ec_group) } {
+                return Err("Curve type mismatch in X509_to_X962.".to_string());
             }
             let ec_point = unsafe { EC_KEY_get0_public_key(ec_key) };
             if ec_point.is_null() {

DynamoDbEncryption/runtimes/rust/src/bin/example/searchableencryption/basic_searchable_encryption.rs

@@ -1,3 +1,10 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+#![deny(warnings, unconditional_panic)]
+#![deny(nonstandard_style)]
+#![deny(clippy::all)]
+
 use aws_sdk_dynamodb::{
     config::{
         interceptors::{BeforeSerializationInterceptorContextMut, FinalizerInterceptorContextMut},
@@ -7,94 +14,81 @@ use aws_sdk_dynamodb::{
 };
 use aws_smithy_runtime_api::client::interceptors::context::Input;
 use aws_smithy_types::config_bag::{Storable, StoreReplace};
-use std::sync::LazyLock;
-
-/// A runtime for executing operations on the asynchronous client in a blocking manner.
-/// Necessary because Dafny only generates synchronous code.
-static dafny_tokio_runtime: LazyLock<tokio::runtime::Runtime> = LazyLock::new(|| {
-    tokio::runtime::Builder::new_multi_thread()
-          .enable_all()
-          .build()
-          .unwrap()
-});
-
 
 #[macro_export]
 macro_rules! modify_request {
-    ($cfg:ident,$request:ident,$self:ident,$transform:ident) => {
-        {
-            // store the original request
-            $cfg.interceptor_state().store_put(OriginalRequest(Input::erase($request.clone())));
-
-            // transform the request
-            // *$request = tokio::task::block_in_place(|| {
-            let result = tokio::task::block_in_place(|| {
-                    tokio::runtime::Handle::current().block_on(async {
-                    $self.client
+    ($cfg:ident,$request:ident,$self:ident,$transform:ident) => {{
+        // store the original request
+        $cfg.interceptor_state()
+            .store_put(OriginalRequest(Input::erase($request.clone())));
+
+        // transform the request
+        // *$request = tokio::task::block_in_place(|| {
+        let result = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                $self
+                    .client
                     .$transform()
                     .sdk_input($request.clone())
                     .send()
                     .await
-                })
-              });
-            match result {
-                Ok(x) => *$request = x.transformed_input.unwrap(),
-                Err(x) => {
-                    let s = format!("{:?}", x);
-                    return Err(s.into());
-                }
-            };
-        }
-    };
+            })
+        });
+        match result {
+            Ok(x) => *$request = x.transformed_input.unwrap(),
+            Err(x) => {
+                let s = format!("{:?}", x);
+                return Err(s.into());
+            }
+        };
+    }};
 }
 
-
-
-
 #[macro_export]
 macro_rules! modify_response {
-    ($cfg:ident,$type:ty,$response:ident,$self:ident,$transform:ident) => {
-        {
-            // retrieve the original request
-            let original = $cfg
-                .load::<OriginalRequest>()
-                .expect("we put this in ourselves");
-            let original = original
-                .0
-                .downcast_ref::<$type>()
-                .expect("we know this type corresponds to the output type");
-
-            // transform the response
-            let result = tokio::task::block_in_place(|| {
-                tokio::runtime::Handle::current().block_on(async {
-                    $self.client
+    ($cfg:ident,$type:ty,$response:ident,$self:ident,$transform:ident) => {{
+        // retrieve the original request
+        let original = $cfg
+            .load::<OriginalRequest>()
+            .expect("we put this in ourselves");
+        let original = original
+            .0
+            .downcast_ref::<$type>()
+            .expect("we know this type corresponds to the output type");
+
+        // transform the response
+        let result = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                $self
+                    .client
                     .$transform()
                     .original_input(original.clone())
                     .sdk_output($response.clone())
                     .send()
                     .await
-                })
-              });
-            match result {
-                Ok(x) => *$response = x.transformed_output.unwrap(),
-                Err(x) => {
-                    let s = format!("{:?}", x);
-                    return Err(s.into());
-                }
-            };
-        }
-    };
+            })
+        });
+        match result {
+            Ok(x) => *$response = x.transformed_output.unwrap(),
+            Err(x) => {
+                let s = format!("{:?}", x);
+                return Err(s.into());
+            }
+        };
+    }};
 }
 
 #[derive(Debug)]
 pub struct DbEsdkInterceptor {
-    client : crate::client::Client
+    client: crate::client::Client,
 }
 
 impl DbEsdkInterceptor {
-    pub fn new(config : crate::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig) -> Self {
+    pub fn new(
+        config: crate::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryptionConfig,
+    ) -> Self {
         let client = crate::client::Client::from_conf(config).unwrap(); // FIXME
-        DbEsdkInterceptor {client}
+        DbEsdkInterceptor { client }
     }
 }
 
@@ -152,7 +146,7 @@ impl Intercept for DbEsdkInterceptor {
 
     // macro_rules! modify_response {
     //     ($cfg:ident,$type:ty,$output:ident,$self:ident,$transform:ident) => {
-    
+
     fn modify_before_attempt_completion(
         &self,
         context: &mut FinalizerInterceptorContextMut,

DynamoDbEncryption/runtimes/rust/src/bin/example/test_utils.rs

@@ -1,64 +1,68 @@
-use aws_config::Region;
-use std::any::Any;
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
 
-fn dafny_tokio_runtime() -> tokio::runtime::Runtime
-{
-  tokio::runtime::Builder::new_multi_thread()
-      .enable_all()
-      .build()
-      .unwrap()
-}
+#![deny(warnings, unconditional_panic)]
+#![deny(nonstandard_style)]
+#![deny(clippy::all)]
 
-impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_default {
-  #[allow(non_snake_case)]
-  pub fn KMSClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Result<::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>, ::std::rc::Rc<crate::software::amazon::cryptography::services::kms::internaldafny::types::Error>>>{
-    let region = dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(region);
-    // let shared_config = dafny_tokio_runtime().block_on(aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()));
-    let shared_config = tokio::task::block_in_place(|| {
-      tokio::runtime::Handle::current().block_on(async {
-        aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
-      })
-    });
+use aws_config::Region;
 
-    let shared_config = shared_config.to_builder().region(Region::new(region)).build();
-    let inner = aws_sdk_kms::Client::new(&shared_config);
-    let client = crate::deps::com_amazonaws_kms::client::Client { inner };
-    let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
-    std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success { value: dafny_client })
-  }
-/*
-let res = task::spawn_blocking(move || {
-    // Stand-in for compute-heavy work or using synchronous APIs
-    v.push_str("world");
-    // Pass ownership of the value back to the asynchronous context
-    v
-}).await?;
+impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_default {
+    #[allow(non_snake_case)]
+    pub fn KMSClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Result<::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>, ::std::rc::Rc<crate::software::amazon::cryptography::services::kms::internaldafny::types::Error>>>{
+        let region =
+            dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(
+                region,
+            );
+        let shared_config = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+            })
+        });
 
-*/
+        let shared_config = shared_config
+            .to_builder()
+            .region(Region::new(region))
+            .build();
+        let inner = aws_sdk_kms::Client::new(&shared_config);
+        let client = crate::deps::com_amazonaws_kms::client::Client { inner };
+        let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
+        std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success {
+            value: dafny_client,
+        })
+    }
 
-  #[allow(non_snake_case)]
-  pub fn KMSClient() -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Result<::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>, ::std::rc::Rc<crate::software::amazon::cryptography::services::kms::internaldafny::types::Error>>>{
-    let shared_config = dafny_tokio_runtime().block_on(aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()));
-    let inner = aws_sdk_kms::Client::new(&shared_config);
-    let client = crate::deps::com_amazonaws_kms::client::Client { inner };
-    let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
-    std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success { value: dafny_client })
-  }
+    #[allow(non_snake_case)]
+    pub fn KMSClient() -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Result<::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>, ::std::rc::Rc<crate::software::amazon::cryptography::services::kms::internaldafny::types::Error>>>{
+        let shared_config = tokio::task::block_in_place(|| {
+            tokio::runtime::Handle::current().block_on(async {
+                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
+            })
+        });
+        let inner = aws_sdk_kms::Client::new(&shared_config);
+        let client = crate::deps::com_amazonaws_kms::client::Client { inner };
+        let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
+        std::rc::Rc::new(crate::r#_Wrappers_Compile::Result::Success {
+            value: dafny_client,
+        })
+    }
 
-  #[allow(non_snake_case)]
-  pub fn RegionMatch(
-      kmsClient: &::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>,
-      region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>,
-  ) -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Option<bool>> {
-    let region = dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(region);
-    let any = dafny_runtime::cast_any_object!(kmsClient);
-    let client = dafny_runtime::cast_object!(any, crate::deps::com_amazonaws_kms::client::Client);
-    let flag = match client.as_ref().inner.config().region() {
-      Some(r) => {
-        r.as_ref() == &region
-      },
-      None => false
-    };
-    ::std::rc::Rc::new(crate::r#_Wrappers_Compile::Option::Some{value : flag})
-  }
+    #[allow(non_snake_case)]
+    pub fn RegionMatch(
+        kmsClient: &::dafny_runtime::Object<dyn crate::software::amazon::cryptography::services::kms::internaldafny::types::IKMSClient>,
+        region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>,
+    ) -> ::std::rc::Rc<crate::r#_Wrappers_Compile::Option<bool>> {
+        let region =
+            dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(
+                region,
+            );
+        let any = dafny_runtime::cast_any_object!(kmsClient);
+        let client =
+            dafny_runtime::cast_object!(any, crate::deps::com_amazonaws_kms::client::Client);
+        let flag = match client.as_ref().inner.config().region() {
+            Some(r) => r.as_ref() == region,
+            None => false,
+        };
+        ::std::rc::Rc::new(crate::r#_Wrappers_Compile::Option::Some { value: flag })
+    }
 }

DynamoDbEncryption/runtimes/rust/src/ddb.rs

@@ -9,20 +9,20 @@
 #[allow(non_snake_case)]
 pub mod RSAEncryption {
     pub mod RSA {
+        use crate::_Wrappers_Compile as Wrappers;
         use crate::software::amazon::cryptography::primitives::internaldafny::types::RSAPaddingMode;
         use crate::*;
         use ::std::rc::Rc;
         use aws_lc_rs::encoding::{AsDer, Pkcs8V1Der, PublicKeyX509Der};
-        use crate::_Wrappers_Compile as Wrappers;
 
         use aws_lc_rs::rsa::KeySize;
         use aws_lc_rs::rsa::OaepAlgorithm;
         use aws_lc_rs::rsa::OaepPrivateDecryptingKey;
         use aws_lc_rs::rsa::OaepPublicEncryptingKey;
+        use aws_lc_rs::rsa::Pkcs1PrivateDecryptingKey;
+        use aws_lc_rs::rsa::Pkcs1PublicEncryptingKey;
         use aws_lc_rs::rsa::PrivateDecryptingKey;
         use aws_lc_rs::rsa::PublicEncryptingKey;
-        use aws_lc_rs::rsa::Pkcs1PublicEncryptingKey;
-        use aws_lc_rs::rsa::Pkcs1PrivateDecryptingKey;
         use pem;
         use software::amazon::cryptography::primitives::internaldafny::types::Error as DafnyError;
 
@@ -196,9 +196,10 @@ pub mod RSAEncryption {
         }
 
         pub fn encrypt_pkcs1(public_key: &[u8], plain_text: &[u8]) -> Result<Vec<u8>, String> {
-            let public_key = PublicEncryptingKey::from_der(public_key)
-                .map_err(|e| format!("{:?}", e))?;
-            let public_key = Pkcs1PublicEncryptingKey::new(public_key).map_err(|e| format!("{:?}", e))?;
+            let public_key =
+                PublicEncryptingKey::from_der(public_key).map_err(|e| format!("{:?}", e))?;
+            let public_key =
+                Pkcs1PublicEncryptingKey::new(public_key).map_err(|e| format!("{:?}", e))?;
             let mut ciphertext: Vec<u8> = vec![0; plain_text.len() + public_key.key_size_bytes()];
             let cipher_text = public_key
                 .encrypt(plain_text, &mut ciphertext)
@@ -209,7 +210,8 @@ pub mod RSAEncryption {
         pub fn decrypt_pkcs1(private_key: &[u8], cipher_text: &[u8]) -> Result<Vec<u8>, String> {
             let private_key = PrivateDecryptingKey::from_pkcs8(private_key)
                 .map_err(|e| format!("from_pkcs8 : {:?}", e))?;
-            let private_key = Pkcs1PrivateDecryptingKey::new(private_key).map_err(|e| format!("new : {:?}", e))?;
+            let private_key = Pkcs1PrivateDecryptingKey::new(private_key)
+                .map_err(|e| format!("new : {:?}", e))?;
             let mut message: Vec<u8> = vec![0; cipher_text.len()];
             let message = private_key
                 .decrypt(cipher_text, &mut message)

DynamoDbEncryption/runtimes/rust/src/ecdh.rs

@@ -25,6 +25,7 @@ pub mod software {
                                 use crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::types::Error as DafnyError;
                                 use crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::internaldafny::types::LegacyPolicy;
                                 use ::std::rc::Rc;
+                                type Legacy = ::dafny_runtime::Object<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::legacy::InternalLegacyOverride>;
 
                                 fn error(s: &str) -> Rc<DafnyError> {
                                     Rc::new(DafnyError::DynamoDbItemEncryptorException {
@@ -35,19 +36,36 @@ pub mod software {
                                 pub struct InternalLegacyOverride {
                                     pub r#__i_policy: Rc<LegacyPolicy>,
                                 }
-                                fn fail_override() -> Rc<crate::_Wrappers_Compile::Result<Rc<crate::_Wrappers_Compile::Option<::dafny_runtime::Object<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::legacy::InternalLegacyOverride>>>, Rc<DafnyError>>>{
+                                fn fail_override() -> Rc<
+                                    crate::_Wrappers_Compile::Result<
+                                        Rc<crate::_Wrappers_Compile::Option<Legacy>>,
+                                        Rc<DafnyError>,
+                                    >,
+                                > {
                                     Rc::new(crate::_Wrappers_Compile::Result::Failure {
                                         error: error("Legacy configuration unsupported."),
                                     })
                                 }
-                                fn success_override() -> Rc<crate::_Wrappers_Compile::Result<Rc<crate::_Wrappers_Compile::Option<::dafny_runtime::Object<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::legacy::InternalLegacyOverride>>>, Rc<DafnyError>>>{
+                                fn success_override() -> Rc<
+                                    crate::_Wrappers_Compile::Result<
+                                        Rc<crate::_Wrappers_Compile::Option<Legacy>>,
+                                        Rc<DafnyError>,
+                                    >,
+                                > {
                                     Rc::new(crate::_Wrappers_Compile::Result::Success {
                                         value: Rc::new(crate::_Wrappers_Compile::Option::None {}),
                                     })
                                 }
 
                                 impl InternalLegacyOverride {
-                                    pub fn Build(config: &Rc<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::types::DynamoDbItemEncryptorConfig>) -> Rc<crate::_Wrappers_Compile::Result<Rc<crate::_Wrappers_Compile::Option<::dafny_runtime::Object<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::legacy::InternalLegacyOverride>>>, Rc<DafnyError>>>{
+                                    pub fn Build(
+                                        config: &Rc<crate::software::amazon::cryptography::dbencryptionsdk::dynamodb::itemencryptor::internaldafny::types::DynamoDbItemEncryptorConfig>,
+                                    ) -> Rc<
+                                        crate::_Wrappers_Compile::Result<
+                                            Rc<crate::_Wrappers_Compile::Option<Legacy>>,
+                                            Rc<DafnyError>,
+                                        >,
+                                    > {
                                         match &**config.legacyOverride() {
                                             crate::_Wrappers_Compile::Option::Some{value} => {
                                                 match &**value.policy() {