pr feedback

Author: ajewellamz

DynamoDbEncryption/README.md

@@ -33,6 +33,13 @@ Within `runtimes/java`:
 - `ImplementationFromDafny.cs` contains all Dafny to .NET transpiled code.
 - `Generated/` contains all Smithy to .NET generated code.
 
+#### Rust
+
+`runtimes/rust` contains the Rust related code and build instructions for this project.
+
+- `src/` contains all hand written Dotnet code, including externs, and also all Smithy to Rust generated code.
+- `src/implementation_from_dafny.cs` contains all Dafny to .NET transpiled code.
+
 ### Development
 
 Common Makefile targets are:
@@ -74,10 +81,12 @@ Common Makefile targets are:
   that end up adding or removing dafny-generated files.
   - The above command takes a while to complete.
 - `make test_net_mac_intel` builds and tests the transpiled code in .NET in an Intel-MacOS environment.
+- `make transpile_rust` transpiles all of the Dafny code into runtimes/rust/src/implementation_from_dafny.
+- `make polymorph_rust` transpiles the smithy files into untimes/rust/src/*.rs
 
 ### Development Requirements
 
-- Dafny 4.1.0: https://github.com/dafny-lang/dafny
+- Dafny 4.9.0: https://github.com/dafny-lang/dafny
 - A Java 8 or newer development environment
 
 #### (Optional) Dafny Report Generator Requirements

DynamoDbEncryption/runtimes/rust/README.md

@@ -1,79 +1,66 @@
 # AWS Database Encryption SDK for DynamoDB
 
-📣 Note: This repository contains the source code and related files for all
-language implementations of the AWS Database Encryption SDK for DynamoDB.
-See our [supported languages](#supported-languages) section for more information.
+AWS Database Encryption SDK for DynamoDB
 
-The AWS Database Encryption SDK (DB-ESDK) for DynamoDB is a client-side encryption
-library that allows you to perform attribute-level encryption, enabling you to encrypt specific
-attribute values within items before storing them in your DynamoDB table. All encryption and
-decryption are performed within your application. This lets you protect sensitive data in-transit
-and at-rest, as data cannot be exposed unless decrypted by your application.
+## Using the AWS Database Encryption SDK for DynamoDB for Rust
 
-For more details about the design and architecture of the DB-ESDK for DynamoDB,
-see the [AWS Database Encryption SDK Developer Guide](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/).
+The AWS Database Encryption SDK for DynamoDB is available on [Crates.io](https://www.crates.io/).
 
-# Security
+## Building the AWS Database Encryption SDK for DynamoDB
 
-If you discover a potential security issue in this project
-we ask that you notify AWS/Amazon Security via our
-[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/).
-Please **do not** create a public GitHub issue.
+To build, the AWS Database Encryption SDK for DynamoDB requires the most up to date version of [Dafny](https://github.com/dafny-lang/dafny) on your PATH.
 
-# Support Policy
+You will also need to ensure that you fetch all submodules using either `git clone --recursive ...` when cloning the repository or `git submodule update --init` on an existing clone.
 
-See [Support Policy](./SUPPORT_POLICY.rst) for details
-on the current support status of all major versions of this library.
+To setup your project to use the AWS Database Encryption SDK for DynamoDB in Rust, run:
 
-## Giving Feedback
+```
+cd DynamoDbEncryption
+# Polymorph smithy to Rust
+make polymorph_rust
+# Transpile Dafny to Rust
+make transpile_rust
+# Build Project
+cd runtimes/rust
+cargo build
+```
 
-We need your help in making this SDK great.
-Please participate in the community and contribute to this effort by
-submitting issues,
-participating in discussion forums and
-submitting pull requests through the following channels:
+### (Optional) Set up the AWS Database Encryption SDK for DynamoDB to work with AWS KMS
 
-- Submit [issues](https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/issues)
-  \- this is the **preferred** channel to interact with our team
-- Articulate your
-  [feature request](https://github.com/aws/aws-database-encryption-sdk-dynamodb-java/issues?q=is%3Aopen+is%3Aissue+label%3A%22feature-request%22)
-  or upvote existing ones
-- Ask [questions](https://repost.aws/tags/TAc3VKZnkNQyimpHnCHetNOQ/aws-crypto-tools) on AWS re:Post under AWS Crypto Tools tag
+If you set up the AWS Database Encryption SDK for DynamoDB to use the AWS KMS Keyring,
+the AWS Database Encryption SDK for DynamoDB will make calls to AWS KMS on your behalf,
+using the appropriate AWS SDK.
 
-# Getting Started
+However, you must first set up AWS credentials for use with the AWS SDK.
 
-### Repository structure
+## Testing the AWS Database Encryption SDK for DynamoDB for Rust
 
-This repository is a top level repository which houses all source code in order to compile this library into
-different runtimes.
+### Configure AWS credentials
 
-This library is written in Dafny, a formally verifiable programming language that can be compiled into
-different runtimes. This library is currently **ONLY** supported in Java and .NET
+To run the test suite you must first set up AWS credentials for use with the AWS SDK.
+This is required in order to run the integration tests, which use a KMS Keyring against a publicly accessible KMS CMK.
 
-### AWS Integration
+### Run the tests
 
-You need an Amazon Web Services (AWS) account to use the DB-ESDK for DynamoDB as it's specifically designed to work with Amazon DynamoDB. Optionally, you can use AWS Key Management Service (AWS KMS) as your main keyring provider.
+Run the test suite with:
 
-- **To create an AWS account**, go to
-  [Sign In or Create an AWS Account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html)
-  and then choose **I am a new user.**  
-  Follow the instructions to create an AWS account.
+```
+cd AwsEncryptionSDK
+make test_rust
+```
 
-- **(Optional) To create a key in AWS KMS**, see
-  [Creating Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html).
+Run tests on examples, to ensure they are up to date:
 
-## Supported Languages
+```
+cd AwsEncryptionSDK/runtimes/rust/
+cargo test --examples
+```
 
-- Java
-- .NET
-- Dafny
+Please look at the Examples on how to use the Encryption SDK in Rust [here](examples).
 
-# Contributing
+Please note that tests and test vectors require internet access and valid AWS credentials, since calls to KMS are made as part of the test workflow.
 
-See [CONTRIBUTING](CONTRIBUTING.md) for more information.
+## License
 
-# License
+This library is licensed under the Apache 2.0 License.
 
-This project is licensed under the Apache-2.0 License.
-
-[ddbenhanced]: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/dynamodb-enhanced-client.html

DynamoDbEncryption/runtimes/rust/examples/README.md

@@ -0,0 +1,38 @@
+# AWS Database Encryption SDK for DynamoDb Java Examples
+
+This project contains examples for using the AWS Database Encryption SDK for DynamoDb in Rust.
+
+Overview:
+
+```
+├── ..
+├── examples: Examples source
+│   ├── basic_get_put_example.rs: Example using AWS DB ESDK to Put and Get an encrypted item from DynamoDB
+│   ├── create_keystore_key.rs: Example creating a branch key in a Keystore DynamoDB table
+│   ├── clientsupplier/: Examples using a custom KMS ClientSupplier
+│   ├── itemencryptor/: Examples using the DynamoDbItemEncryptor
+│   ├── keyring/: Examples creating and using different keyrings
+│   └── searchableencryption/: Examples demonstrating searchable encryption configuration and usage
+└── src: Source code including tests
+```
+
+## Getting Started
+
+### Development Requirements
+
+- A Rust 1.80 or newer development environment
+
+### Building and Running
+
+All of the examples are called from the `main` method.
+To run a given example, inspect its particular setup requirements,
+create and/or grant access to any required AWS resources,
+and run the example.
+
+## Security
+
+See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
+
+## License
+
+This project is licensed under the Apache-2.0 License.

DynamoDbEncryption/runtimes/rust/examples/clientsupplier/client_supplier_example.rs

@@ -1,9 +1,11 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
 use super::regional_role_client_supplier::RegionalRoleClientSupplier;
 use crate::test_utils;
 use aws_db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
 use aws_db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
 use aws_db_esdk::aws_cryptography_materialProviders::client as mpl_client;
-//use aws_db_esdk::aws_cryptography_materialProviders::types::client_supplier::ClientSupplierRef;
 use aws_db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
 use aws_db_esdk::aws_cryptography_materialProviders::types::DiscoveryFilter;
 use aws_db_esdk::intercept::DbEsdkInterceptor;
@@ -54,9 +56,6 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
     // defined in the RegionalRoleClientSupplier class in this directory.
     // Note: RegionalRoleClientSupplier will internally use the key_arn's region
     // to retrieve the correct IAM role.
-    //    let supplier_ref = ClientSupplierRef {
-    //        inner: std::rc::Rc::new(std::cell::RefCell::new(RegionalRoleClientSupplier {})),
-    //    };
 
     let mrk_keyring_with_client_supplier = mpl
         .create_aws_kms_mrk_multi_keyring()
@@ -176,7 +175,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         AttributeValue::S("encrypt and sign me!".to_string())
     );
 
-    // 7. Create a MRK discovery multi-keyring with a custom client supplier.
+    // 8. Create a MRK discovery multi-keyring with a custom client supplier.
     //    A discovery MRK multi-keyring will be composed of
     //    multiple discovery MRK keyrings, one for each region.
     //    Each component keyring has its own KMS client in a particular region.

DynamoDbEncryption/runtimes/rust/examples/clientsupplier/mod.rs

@@ -1,3 +1,6 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
 pub mod client_supplier_example;
 pub mod regional_role_client_supplier;
 pub mod regional_role_client_supplier_config;

DynamoDbEncryption/runtimes/rust/examples/clientsupplier/regional_role_client_supplier.rs

@@ -1,3 +1,6 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
 use aws_config::Region;
 use aws_db_esdk::aws_cryptography_materialProviders::operation::get_client::GetClientInput;
 use aws_db_esdk::aws_cryptography_materialProviders::types::error::Error;

DynamoDbEncryption/runtimes/rust/examples/clientsupplier/regional_role_client_supplier_config.rs

@@ -1,3 +1,6 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
 use std::collections::HashMap;
 
 /*

DynamoDbEncryption/runtimes/rust/examples/keyring/hierarchical_keyring.rs

@@ -10,7 +10,6 @@ use aws_db_esdk::aws_cryptography_keyStore::types::key_store_config::KeyStoreCon
 use aws_db_esdk::aws_cryptography_keyStore::types::KmsConfiguration;
 use aws_db_esdk::aws_cryptography_materialProviders::client as mpl_client;
 use aws_db_esdk::aws_cryptography_materialProviders::types::material_providers_config::MaterialProvidersConfig;
-//use aws_db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::dynamo_db_key_branch_key_id_supplier::DynamoDbKeyBranchKeyIdSupplierRef;
 use aws_db_esdk::aws_cryptography_dbEncryptionSdk_dynamoDb::types::DynamoDbTableEncryptionConfig;
 use aws_db_esdk::aws_cryptography_dbEncryptionSdk_structuredEncryption::types::CryptoAction;
 use aws_db_esdk::intercept::DbEsdkInterceptor;
@@ -94,9 +93,7 @@ pub async fn put_item_get_item(
     let dbesdk_config = DynamoDbEncryptionConfig::builder().build()?;
     let dbesdk = dbesdk_client::Client::from_conf(dbesdk_config)?;
     let supplier = ExampleBranchKeyIdSupplier::new(tenant1_branch_key_id, tenant2_branch_key_id);
-    //    let supplier_ref = DynamoDbKeyBranchKeyIdSupplierRef {
-    //        inner: ::std::rc::Rc::new(std::cell::RefCell::new(supplier)),
-    //    };
+
     let branch_key_id_supplier = dbesdk
         .create_dynamo_db_encryption_branch_key_id_supplier()
         .ddb_key_branch_key_id_supplier(supplier)
@@ -212,7 +209,7 @@ pub async fn put_item_get_item(
         .send()
         .await?;
 
-    // 10. Get the item back from our table using the same client.
+    // 9. Get the item back from our table using the same client.
     //     The client will decrypt the item client-side, and return
     //     back the original item.
     //     Because the returned item's partition value is "tenantId1",

DynamoDbEncryption/runtimes/rust/examples/keyring/kms_rsa_keyring.rs

@@ -176,7 +176,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .send()
         .await?;
 
-    // 9. Get the item back from our table using the client.
+    // 8. Get the item back from our table using the client.
     //    The client will decrypt the item client-side using the RSA keyring
     //    and return the original item.
     let key_to_get = HashMap::from([

DynamoDbEncryption/runtimes/rust/examples/keyring/mod.rs

@@ -1,3 +1,6 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
 pub mod branch_key_id_supplier;
 pub mod hierarchical_keyring;
 pub mod kms_rsa_keyring;

DynamoDbEncryption/runtimes/rust/examples/keyring/mrk_discovery_multi_keyring.rs

@@ -119,7 +119,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .build();
     let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
 
-    // 7. Put an item into our table using the above client.
+    // 6. Put an item into our table using the above client.
     //    Before the item gets sent to DynamoDb, it will be encrypted
     //    client-side using the MRK multi-keyring.
     let item = HashMap::from([
@@ -140,7 +140,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .send()
         .await?;
 
-    // 8. Construct a discovery filter.
+    // 7. Construct a discovery filter.
     //    A discovery filter limits the set of encrypted data keys
     //    the keyring can use to decrypt data.
     //    We will only let the keyring use keys in the selected AWS accounts
@@ -152,7 +152,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .account_ids(account_ids)
         .build()?;
 
-    // 9. Construct a discovery keyring.
+    // 8. Construct a discovery keyring.
     //    Note that we choose to use the MRK discovery multi-keyring, even though
     //    our original keyring used a single KMS key.
 
@@ -163,7 +163,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .send()
         .await?;
 
-    // 10. Create new DDB config and client using the decrypt discovery keyring.
+    // 9. Create new DDB config and client using the decrypt discovery keyring.
     //     This is the same as the above config, except we pass in the decrypt keyring.
     let table_config_for_decrypt = DynamoDbTableEncryptionConfig::builder()
         .logical_table_name(ddb_table_name)
@@ -186,7 +186,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .build();
     let ddb_for_decrypt = aws_sdk_dynamodb::Client::from_conf(dynamo_config_for_decrypt);
 
-    // 11. Get the item back from our table using the client.
+    // 10. Get the item back from our table using the client.
     //     The client will retrieve encrypted items from the DDB table, then
     //     detect the KMS key that was used to encrypt their data keys.
     //     The client will make a request to KMS to decrypt with the encrypting KMS key.

DynamoDbEncryption/runtimes/rust/examples/keyring/multi_keyring.rs

@@ -152,7 +152,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .build();
     let ddb = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
 
-    // 9. Put an item into our table using the above client.
+    // 8. Put an item into our table using the above client.
     //    Before the item gets sent to DynamoDb, it will be encrypted
     //    client-side using the multi-keyring.
     //    The item will be encrypted with all wrapping keys in the keyring,
@@ -175,7 +175,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .send()
         .await?;
 
-    // 10. Get the item back from our table using the above client.
+    // 9. Get the item back from our table using the above client.
     //     The client will decrypt the item client-side using the AWS KMS
     //     keyring, and return back the original item.
     //     Since the generator key is the first available key in the keyring,
@@ -198,7 +198,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
 
     assert_eq!(resp.item, Some(item.clone()));
 
-    // 11. Create a new config and client with only the raw AES keyring to GET the item
+    // 10. Create a new config and client with only the raw AES keyring to GET the item
     //     This is the same setup as above, except the config uses the `rawAesKeyring`.
     let only_aes_table_config = DynamoDbTableEncryptionConfig::builder()
         .logical_table_name(ddb_table_name)
@@ -221,7 +221,7 @@ pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
         .build();
     let only_aes_ddb = aws_sdk_dynamodb::Client::from_conf(only_aes_dynamo_config);
 
-    // 12. Get the item back from our table using the client
+    // 11. Get the item back from our table using the client
     //     configured with only the raw AES keyring.
     //     The client will decrypt the item client-side using the raw
     //     AES keyring, and return back the original item.