chore: Upgrade to Dafny 4.0 (#112)

Co-authored-by: Alex Chew <[email protected]>
Co-authored-by: Robin Salkeld <[email protected]>

Author: 3 people

.github/workflows/ci_test_java.yml

@@ -65,9 +65,9 @@ jobs:
           echo "CODEARTIFACT_AUTH_TOKEN=$TOKEN" >> $GITHUB_ENV
 
       - name: Setup Dafny
-        uses: dafny-lang/setup-dafny-action@v1.4.0
+        uses: dafny-lang/setup-dafny-action@v1.6.1
         with:
-          dafny-version: "3.10.0"
+          dafny-version: "nightly-2023-04-12-f4836e9"
 
       - name: Setup Java ${{ matrix.java-version }}
         uses: actions/setup-java@v3

.github/workflows/ci_test_net.yml

@@ -43,16 +43,16 @@ jobs:
           git config --global --add url.https://github.com/.insteadOf [email protected]:
           git submodule update --init --recursive submodules/MaterialProviders
 
-      - name: Setup Dafny
-        uses: dafny-lang/[email protected]
-        with:
-          dafny-version: "3.10.0"
-
       - name: Setup .NET Core SDK ${{ matrix.dotnet-version }}
         uses: actions/setup-dotnet@v3
         with:
           dotnet-version: ${{ matrix.dotnet-version }}
 
+      - name: Setup Dafny
+        uses: dafny-lang/[email protected]
+        with:
+          dafny-version: "nightly-2023-04-12-f4836e9"
+
       - name: Download Dependencies 
         working-directory: ./${{ matrix.library }}
         run: make setup_net

.github/workflows/ci_verification.yml

@@ -40,9 +40,9 @@ jobs:
           git submodule update --init --recursive submodules/MaterialProviders
       
       - name: Setup Dafny
-        uses: dafny-lang/setup-dafny-action@v1
+        uses: dafny-lang/setup-dafny-action@v1.6.1
         with:
-          dafny-version: "3.10.0"
+          dafny-version: "nightly-2023-04-12-f4836e9"
 
       - name: Verify ${{ matrix.library }} Dafny code
         shell: bash

DynamoDbEncryption/Makefile

@@ -18,7 +18,7 @@ SERVICE_NAMESPACE_DynamoDbEncryption=aws.cryptography.dynamoDbEncryption
 SERVICE_NAMESPACE_DynamoDbItemEncryptor=aws.cryptography.dynamoDbEncryption.itemEncryptor
 SERVICE_NAMESPACE_DynamoDbEncryptionTransforms=aws.cryptography.dynamoDbEncryption.transforms
 
-MAX_RESOURCE_COUNT=10000000
+MAX_RESOURCE_COUNT=20000000
 # Order is important
 # In java they MUST be built
 # in the order they depend on each other
@@ -30,30 +30,44 @@ PROJECT_DEPENDENCIES := \
 STD_LIBRARY=submodules/MaterialProviders/StandardLibrary
 SMITHY_DEPS=submodules/MaterialProviders/model
 
+# Since we are packaging projects differently, we cannot make assumptions
+# about where the files are located. 
+# This is here to get unblocked but should be removed once we have migrated packages
+# to the new packaging format.
+PROJECT_INDEX := \
+	submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy \
+	submodules/MaterialProviders/ComAmazonawsKms/src/Index.dfy \
+	submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Index.dfy
+
 # Dependencies for each local service
 SERVICE_DEPS_StructuredEncryption := \
 	submodules/MaterialProviders/AwsCryptographyPrimitives \
 	submodules/MaterialProviders/ComAmazonawsKms \
 	submodules/MaterialProviders/ComAmazonawsDynamodb \
-	submodules/MaterialProviders/AwsCryptographicMaterialProviders
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders
 SERVICE_DEPS_DynamoDbEncryption := \
 	submodules/MaterialProviders/AwsCryptographyPrimitives \
 	submodules/MaterialProviders/ComAmazonawsKms \
 	submodules/MaterialProviders/ComAmazonawsDynamodb \
-	submodules/MaterialProviders/AwsCryptographicMaterialProviders \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore \
 	DynamoDbEncryption/dafny/StructuredEncryption
 SERVICE_DEPS_DynamoDbItemEncryptor := \
 	submodules/MaterialProviders/AwsCryptographyPrimitives \
 	submodules/MaterialProviders/ComAmazonawsKms \
 	submodules/MaterialProviders/ComAmazonawsDynamodb \
-	submodules/MaterialProviders/AwsCryptographicMaterialProviders \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore \
 	DynamoDbEncryption/dafny/DynamoDbEncryption \
 	DynamoDbEncryption/dafny/StructuredEncryption
 SERVICE_DEPS_DynamoDbEncryptionTransforms := \
 	submodules/MaterialProviders/AwsCryptographyPrimitives \
 	submodules/MaterialProviders/ComAmazonawsKms \
 	submodules/MaterialProviders/ComAmazonawsDynamodb \
-	submodules/MaterialProviders/AwsCryptographicMaterialProviders \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders \
+	submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore \
 	DynamoDbEncryption/dafny/DynamoDbEncryption \
 	DynamoDbEncryption/dafny/StructuredEncryption \
 	DynamoDbEncryption/dafny/DynamoDbItemEncryptor

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDynamoDbEncryptionTypes.dfy

@@ -3,7 +3,10 @@
 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten.
 include "../../../../submodules/MaterialProviders/StandardLibrary/src/Index.dfy"
  include "../../StructuredEncryption/src/Index.dfy"
- include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/src/Index.dfy"
+ // TODO begin manual update
+ include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy"
+ include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Index.dfy"
+ // TODO end manual update
  include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy"
  include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy"
  module {:extern "Dafny.Aws.Cryptography.DynamoDbEncryption.Types" } AwsCryptographyDynamoDbEncryptionTypes

DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy

@@ -251,7 +251,7 @@ module BaseBeacon {
       [HexChar(TruncateNibble(bytes[0] % 16, topBits))] + ToHexString(bytes[1..])
   }
 
-  lemma CheckBytesToHex()
+  lemma {:vcs_split_on_every_assert} CheckBytesToHex()
     ensures
       && var bytes := [1,2,3,4,5,6,7,0xb7];
       && BytesToHex(bytes, 1) == "1"

DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy

@@ -504,10 +504,8 @@ module DynamoToStruct {
         //# A Map MAY hold any DynamoDB Attribute Value data type,
         //# and MAY hold values of different types.
         var bytes := map kv <- m.Items | true :: kv.0 := AttrToBytes(kv.1, true);
-        var bytes :- SimplifyMapValue(bytes);
-        var keys := SortedSets.ComputeSetToOrderedSequence2(bytes.Keys, CharLess);
         var count :- U32ToBigEndian(|m|);
-        var body :- CollectMap(keys, bytes);
+        var body :- MapAttrToBytes(bytes);
         Success(count + body)
      case L(l) =>
         var count :- U32ToBigEndian(|l|);
@@ -524,6 +522,11 @@ module DynamoToStruct {
       Success(baseBytes)
   }
 
+  function method MapAttrToBytes(bytes: map<AttributeName, Result<seq<uint8>, string>>): (ret: Result<seq<uint8>, string>) {
+    var bytes :- SimplifyMapValue(bytes);
+    CollectMap(bytes)
+  }
+
   lemma BigEndianLemma()
     ensures U32ToBigEndian(3) == Success([0,0,0,3])
     ensures BigEndianToU32([0,0,0,3]) == Success(3)
@@ -712,6 +715,18 @@ module DynamoToStruct {
   // Map to Bytes
   // input sequence is already serialized
   function method {:tailrecursion} {:opaque} CollectMap(
+    mapToSerialize : map<AttributeName, seq<uint8>>,
+    serialized : seq<uint8> := []
+  )
+    : (ret : Result<seq<uint8>, string>)
+    ensures (ret.Success? && |mapToSerialize| == 0) ==> (ret.value == serialized)
+    ensures (ret.Success? && |mapToSerialize| == 0) ==> (|ret.value| == |serialized|)
+  {
+    var keys := SortedSets.ComputeSetToOrderedSequence2(mapToSerialize.Keys, CharLess);
+    CollectOrderedMapSubset(keys, mapToSerialize, serialized)
+  }
+
+  function method {:tailrecursion} {:opaque} CollectOrderedMapSubset(
     keys : seq<AttributeName>,
     mapToSerialize : map<AttributeName, seq<uint8>>,
     serialized : seq<uint8> := []
@@ -725,7 +740,7 @@ module DynamoToStruct {
       Success(serialized)
     else
       var data :- SerializeMapItem(keys[0], mapToSerialize[keys[0]]);
-      CollectMap(keys[1..], mapToSerialize, serialized + data)
+      CollectOrderedMapSubset(keys[1..], mapToSerialize, serialized + data)
   }
 
   function method BoolToUint8(b : bool) : uint8
@@ -887,6 +902,8 @@ module DynamoToStruct {
     ensures ret.Success? ==> ret.value.len <= origSerializedSize
     decreases |serialized|
   {
+    ghost var serializedInitial := serialized;
+
     if remainingCount == 0 then
       Success(resultMap)
     else
@@ -903,6 +920,8 @@ module DynamoToStruct {
       var key :- UTF8.Decode(serialized[..len]);
       var serialized := serialized[len..];
 
+      assert |serialized| + 6 + len == |serializedInitial|;
+
       // get typeId of value
       :- Need(2 <= |serialized|, "Out of bytes reading Map Value");
       :- Need(IsValid_AttributeName(key), "Key is not valid AttributeName");
@@ -911,6 +930,7 @@ module DynamoToStruct {
 
       // get value and construct result
       var nval :- BytesToAttr(serialized, TerminalTypeId_value, true);
+      var serialized := serialized[nval.len..];
 
       //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-entries
       //# This sequence MUST NOT contain duplicate [Map Keys](#map-key).
@@ -919,7 +939,9 @@ module DynamoToStruct {
       //# - Conversion from a Structured Data Map MUST fail if it has duplicate keys
       :- Need(key !in resultMap.val.M, "Duplicate key in map.");
       var nattr := AttributeValue.M(resultMap.val.M[key := nval.val]);
-      DeserializeMap(serialized[nval.len..], remainingCount-1, origSerializedSize, AttrValueAndLength(nattr, resultMap.len + nval.len + 8 + len))
+      var newResultMap := AttrValueAndLength(nattr, resultMap.len + nval.len + 8 + len);
+      assert |serialized| + newResultMap.len == origSerializedSize;
+      DeserializeMap(serialized, remainingCount - 1, origSerializedSize, newResultMap)
   }
 
   // Bytes to AttributeValue

DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy

@@ -1,9 +1,6 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-include "../../../../submodules/MaterialProviders/StandardLibrary/src/StandardLibrary.dfy"
-include "../../DynamoDbEncryption/src/Index.dfy"
-include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/Model/ComAmazonawsDynamodbTypes.dfy"
-include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/Model/AwsCryptographyMaterialProvidersTypes.dfy"
+include "../src/Index.dfy"
 
 module DynamoDbEncryptionBranchKeyIdSupplierTest {
   import opened Wrappers

DynamoDbEncryption/dafny/DynamoDbEncryption/test/FilterExpr.dfy

@@ -112,7 +112,7 @@ module TestDynamoDBFilterExpr {
     var exprString := ParsedExprToString(newContext.expr);
     expect exprString == "aws_dbe_b_std2 < :A AND #Field4 = :B";
   }
-  method {:test} TestBasicBeacons() {
+  method {:test} {:vcs_split_on_every_assert} TestBasicBeacons() {
     var context := ExprContext (
       expr := Some("std2 < :A AND #Field4 = :B"),
       values:= Some(map[
@@ -128,7 +128,8 @@ module TestDynamoDBFilterExpr {
     expect_equal(newContext.expr, Some("aws_dbe_b_std2 < :A AND #Field4 = :B"));
     var newName := "aws_dbe_b_std4";
     expect IsValid_AttributeName(newName);
-    expect_equal(newContext.names, Some(map["#Field4" := newName]));
+    var expectedNames: DDB.ExpressionAttributeNameMap := map["#Field4" := newName];
+    expect_equal(newContext.names, Some(expectedNames));
     var itemBeacons :- expect beaconVersion.GenerateBeacons(SimpleItem);
     expect "aws_dbe_b_std2" in itemBeacons;
     expect "aws_dbe_b_std4" in itemBeacons;

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/QueryTransform.dfy

@@ -104,26 +104,32 @@ Dafny decided it can't do this anymore
     var tableConfig := config.tableEncryptionConfigs[tableName];
     var decryptedItems : DDB.ItemList := [];
     var encryptedItems := input.sdkOutput.Items.value;
-    ghost var historySize := |tableConfig.itemEncryptor.History.DecryptItem|;
+    ghost var originalHistory := tableConfig.itemEncryptor.History.DecryptItem;
+    ghost var historySize := |originalHistory|;
     for x := 0 to |encryptedItems|
       invariant |decryptedItems| == x
 
-      invariant
-        && (|tableConfig.itemEncryptor.History.DecryptItem| ==
-            |old(tableConfig.itemEncryptor.History.DecryptItem)| + |decryptedItems|)
+      invariant (|tableConfig.itemEncryptor.History.DecryptItem| == |originalHistory| + |decryptedItems|)
 
       invariant (forall i : nat | historySize <= i < |decryptedItems|+historySize ::
         var item := tableConfig.itemEncryptor.History.DecryptItem[i];
         && item.output.Success?
-        && item.input.encryptedItem == input.sdkOutput.Items.value[i-historySize]
+        && item.input.encryptedItem == encryptedItems[i-historySize]
         && item.output.value.plaintextItem == decryptedItems[i-historySize])
+
+      invariant ValidConfig?(config)
     {
       //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-query
       //# Each of these entries on the original response MUST be replaced
       //# with the resulting decrypted [DynamoDB Item](./decrypt-item.md#dynamodb-item-1).
-      var decryptRes := tableConfig.itemEncryptor.DecryptItem(EncTypes.DecryptItemInput(encryptedItem:=encryptedItems[x]));
+      var decryptInput := EncTypes.DecryptItemInput(encryptedItem := encryptedItems[x]);
+      var decryptRes := tableConfig.itemEncryptor.DecryptItem(decryptInput);
+      ghost var newHistoryEvent := tableConfig.itemEncryptor.History.DecryptItem[historySize + x];
+      assert newHistoryEvent == EncTypes.DafnyCallEvent(decryptInput, decryptRes);
+
       var decrypted :- MapError(decryptRes);
       decryptedItems := decryptedItems + [decrypted.plaintextItem];
+      assert newHistoryEvent.output.value.plaintextItem == decrypted.plaintextItem;
     }
 
     //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-query
@@ -133,4 +139,3 @@ Dafny decided it can't do this anymore
     return Success(QueryOutputTransformOutput(transformedOutput := finalResult));
   }
 }
-

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ScanTransform.dfy

@@ -101,26 +101,33 @@ module ScanTransform {
     var tableConfig := config.tableEncryptionConfigs[tableName];
     var decryptedItems : DDB.ItemList := [];
     var encryptedItems := input.sdkOutput.Items.value;
-    ghost var historySize := |tableConfig.itemEncryptor.History.DecryptItem|;
+    ghost var originalHistory := tableConfig.itemEncryptor.History.DecryptItem;
+    ghost var historySize := |originalHistory|;
     for x := 0 to |encryptedItems|
       invariant |decryptedItems| == x
-      invariant
-        && (|tableConfig.itemEncryptor.History.DecryptItem| ==
-            |old(tableConfig.itemEncryptor.History.DecryptItem)| + |decryptedItems|)
+      invariant (|tableConfig.itemEncryptor.History.DecryptItem| == |originalHistory| + |decryptedItems|)
 
       invariant (forall i : nat | historySize <= i < |decryptedItems|+historySize ::
         var item := tableConfig.itemEncryptor.History.DecryptItem[i];
         && item.output.Success?
         && item.input.encryptedItem == input.sdkOutput.Items.value[i-historySize]
         && item.output.value.plaintextItem == decryptedItems[i-historySize])
+
+      invariant ValidConfig?(config)
     {
       //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-scan
       //# Each of these entries on the original response MUST be replaced
       //# with the resulting decrypted
       //# [DynamoDB Item](./decrypt-item.md#dynamodb-item-1).
-      var decryptRes := tableConfig.itemEncryptor.DecryptItem(EncTypes.DecryptItemInput(encryptedItem:=encryptedItems[x]));
+
+      var decryptInput := EncTypes.DecryptItemInput(encryptedItem := encryptedItems[x]);
+      var decryptRes := tableConfig.itemEncryptor.DecryptItem(decryptInput);
+      ghost var newHistoryEvent := tableConfig.itemEncryptor.History.DecryptItem[historySize + x];
+      assert newHistoryEvent == EncTypes.DafnyCallEvent(decryptInput, decryptRes);
+
       var decrypted :- MapError(decryptRes);
       decryptedItems := decryptedItems + [decrypted.plaintextItem];
+      assert newHistoryEvent.output.value.plaintextItem == decrypted.plaintextItem;
     }
     //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-scan
     //# The resulting decrypted response MUST be [filtered](ddb-support.md#scanoutputforbeacons) from the result.

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactGetItemsTransform.dfy

@@ -19,7 +19,7 @@ module TransactGetItemsTransform {
     return Success(TransactGetItemsInputTransformOutput(transformedInput := input.sdkInput));
   }
 
-  method Output(config: Config, input: TransactGetItemsOutputTransformInput)
+  method {:vcs_split_on_every_assert} Output(config: Config, input: TransactGetItemsOutputTransformInput)
     returns (output: Result<TransactGetItemsOutputTransformOutput, Error>)
     requires ValidConfig?(config)
     ensures ValidConfig?(config)
@@ -43,6 +43,7 @@ module TransactGetItemsTransform {
     var encryptedItems := input.sdkOutput.Responses.value;
     for x := 0 to |encryptedItems|
       invariant |decryptedItems| == x
+      invariant ValidConfig?(config)
     {
       var tableName := input.originalInput.TransactItems[x].Get.TableName;
       if tableName !in config.tableEncryptionConfigs {

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/TestFixtures.dfy

@@ -1,7 +1,6 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-include "../../DynamoDbEncryptionTransforms/src/Index.dfy"
-include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/Model/AwsCryptographyMaterialProvidersTypes.dfy"
+include "../src/Index.dfy"
 
 module TestFixtures {
   import opened Wrappers

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/Model/AwsCryptographyDynamoDbEncryptionItemEncryptorTypes.dfy

@@ -3,7 +3,10 @@
 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten.
 include "../../../../submodules/MaterialProviders/StandardLibrary/src/Index.dfy"
  include "../../DynamoDbEncryption/src/Index.dfy"
- include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/src/Index.dfy"
+ // TODO begin manual update
+ include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy"
+ include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Index.dfy"
+ // TODO end manual update
  include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy"
  include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy"
  module {:extern "Dafny.Aws.Cryptography.DynamoDbEncryption.ItemEncryptor.Types" } AwsCryptographyDynamoDbEncryptionItemEncryptorTypes

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/AwsCryptographyDynamoDbEncryptionItemEncryptorOperations.dfy

@@ -1,7 +1,7 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 include "../Model/AwsCryptographyDynamoDbEncryptionItemEncryptorTypes.dfy"
-include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/src/CMMs/ExpectedEncryptionContextCMM.dfy"
+include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/CMMs/ExpectedEncryptionContextCMM.dfy"
 include "../../DynamoDbEncryption/src/DynamoToStruct.dfy"
 include "../../DynamoDbEncryption/src/SearchInfo.dfy"
 include "Util.dfy"

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy

@@ -43,7 +43,7 @@ module
     !(ReservedPrefix <= attr)
   }
 
-  method DynamoDbItemEncryptor(config: DynamoDbItemEncryptorConfig)
+  method {:vcs_split_on_every_assert} DynamoDbItemEncryptor(config: DynamoDbItemEncryptorConfig)
     returns (res: Result<DynamoDbItemEncryptorClient, Error>)
     ensures res.Success? ==>
       && res.value.config.tableName == config.tableName
@@ -227,7 +227,10 @@ module
       internalLegacyConfig := internalLegacyConfig,
       plaintextPolicy := plaintextPolicy
     );
-    assert Operations.ValidInternalConfig?(internalConfig); // Dafny needs some extra help here
+
+    // Dafny needs some extra help here
+    assert (forall attribute <- internalConfig.attributeActions.Keys :: !(ReservedPrefix <= attribute));
+    assert Operations.ValidInternalConfig?(internalConfig);
 
     var client := new DynamoDbItemEncryptorClient(internalConfig);
     return Success(client);