chore(test): add tests for attribute names that seem structured (#964)

* chore(test): add tests for attribute names that seem structured

Author: ajewellamz

.github/workflows/ci_examples_java.yml

@@ -32,7 +32,7 @@ jobs:
       matrix:
         java-version: [ 8, 11, 16, 17 ]
         os: [
-          macos-latest
+          macos-12
         ]
     runs-on: ${{ matrix.os }}
     permissions:

.github/workflows/ci_examples_net.yml

@@ -18,7 +18,7 @@ jobs:
         ]
         dotnet-version: [ '6.0.x' ]
         os: [
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     permissions:

.github/workflows/ci_test_java.yml

@@ -34,7 +34,7 @@ jobs:
         ]
         java-version: [ 8, 11, 16, 17 ]
         os: [
-          macos-latest
+          macos-12
         ]
     runs-on: ${{ matrix.os }}
     permissions:

.github/workflows/ci_test_net.yml

@@ -35,7 +35,7 @@ jobs:
         ]
         dotnet-version: [ '6.0.x' ]
         os: [
-          macos-latest,
+          macos-12,
           ubuntu-latest,
           windows-latest
         ]

.github/workflows/ci_todos.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   findTodos:
-    runs-on: macos-latest
+    runs-on: macos-12
     steps:
       - uses: actions/checkout@v3
 

.github/workflows/ci_tv_verification.yml

@@ -35,7 +35,7 @@ jobs:
           DDBEncryption
         ]
         os: [
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/ci_verification.yml

@@ -39,7 +39,7 @@ jobs:
           StructuredEncryption
         ]
         os: [
-          macos-latest,
+          macos-12,
         ]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/sem_ver.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   semantic-release:
-    runs-on: macos-latest
+    runs-on: macos-12
     permissions:
       id-token: write
       contents: read

.github/workflows/semantic_release.yml

@@ -15,7 +15,7 @@ jobs:
     # privileged operation, so we must make sure this list of users is a subset of the users labeled as maintainers of
     # https://github.com/orgs/aws/teams/aws-crypto-tools
     if: contains('["seebees","texastony","ShubhamChaturvedi7","lucasmcdonald3","josecorella","imabhichow","rishav-karanjit","antonf-amzn","justplaz","ajewellamz","RitvikKapila"]', github.actor)
-    runs-on: macos-latest
+    runs-on: macos-12
     permissions:
       id-token: write
       contents: write

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy

@@ -139,8 +139,8 @@ module DynamoDbItemEncryptorTest {
       print "\n", decryptRes.error, "\n";
     }
     expect decryptRes.Success?;
-    if decryptRes.value.plaintextItem != inputItem {
-      print "\nInput Item :\n", inputItem, "\n";
+    if decryptRes.value.plaintextItem != expectedOutputItem {
+      print "\nexpectedOutputItem :\n", expectedOutputItem, "\n";
       print "\nOutput Item :\n", decryptRes.value.plaintextItem, "\n";
     }
     expect decryptRes.value.plaintextItem == expectedOutputItem;
@@ -406,6 +406,148 @@ module DynamoDbItemEncryptorTest {
                                                  ];
   }
 
+  method {:test} TestV2RoundTripSpecial() {
+    var actions : DDBE.AttributeActions :=
+      map [
+        "bar" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "a.b" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        ".a" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "a." := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        ".a." := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "a[2]" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "a#b" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$a" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$a.b" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$[a]" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$['a']" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$[\"a\"]" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "(a)" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$['" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$'a'" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$\"a\"" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$(a)" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+        "$(a" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT
+
+      ];
+    var config := TestFixtures.GetEncryptorConfigFromActions(actions);
+    var encryptor := TestFixtures.GetDynamoDbItemEncryptorFrom(config);
+
+    var inputItem := map[
+      "bar" := DDBS("key"),
+      "a.b" := DDBS("aaa"),
+      ".a" := DDBS("bbb"),
+      "a." := DDBS("ccc"),
+      ".a." := DDBS("ddd"),
+      "a[2]" := DDBS("eee"),
+      "a#b" := DDBS("fff"),
+      "$" := DDBS("ggg"),
+      "$a" := DDBS("hhh"),
+      "$a.b" := DDBS("iii"),
+      "$[a]" := DDBS("jjj"),
+      "$['a']" := DDBS("kkk"),
+      "$[\"a\"]" := DDBS("lll"),
+      "(a)" := DDBS("mmm"),
+      "$['" := DDBS("nnn"),
+      "$'a'" := DDBS("ooo"),
+      "$\"a\"" := DDBS("ppp"),
+      "$(a)" := DDBS("qqq"),
+      "$(a" := DDBS("rrr")
+    ];
+
+    var encryptRes := encryptor.EncryptItem(
+      Types.EncryptItemInput(
+        plaintextItem:=inputItem
+      )
+    );
+
+    if encryptRes.Failure? {
+      print "\n\n", encryptRes, "\n\n";
+    }
+    expect encryptRes.Success?;
+    expect encryptRes.value.encryptedItem.Keys == inputItem.Keys + {SE.HeaderField, SE.FooterField};
+    var smallEncrypted := encryptRes.value.encryptedItem - {SE.HeaderField, SE.FooterField};
+    expect smallEncrypted == inputItem;
+
+    var decryptRes := encryptor.DecryptItem(
+      Types.DecryptItemInput(
+        encryptedItem:=encryptRes.value.encryptedItem
+      )
+    );
+
+    if decryptRes.Failure? {
+      print "\n", decryptRes.error, "\n";
+    }
+    expect decryptRes.Success?;
+    if decryptRes.value.plaintextItem != inputItem {
+      print "\nInput Item :\n", inputItem, "\n";
+      print "\nOutput Item :\n", decryptRes.value.plaintextItem, "\n";
+    }
+    expect decryptRes.value.plaintextItem == inputItem;
+
+    var parsedHeader := decryptRes.value.parsedHeader;
+    expect parsedHeader.Some?;
+    expect parsedHeader.value.algorithmSuiteId == AlgorithmSuites.DBE_ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384.id.DBE;
+    expect parsedHeader.value.attributeActionsOnEncrypt == actions - {"nothing"};
+    // Expect the verification key in the context
+    expect |parsedHeader.value.storedEncryptionContext| == 1;
+    expect PublicKeyUtf8 in parsedHeader.value.storedEncryptionContext.Keys;
+    expect |parsedHeader.value.encryptedDataKeys| == 1;
+
+    var strEC := SE.EcAsString(parsedHeader.value.encryptionContext);
+    expect "aws-crypto-public-key" in strEC.Keys;
+    strEC := strEC - {"aws-crypto-public-key"};
+    expect strEC ==
+           map[
+             "aws-crypto-legend" := "SSSSSSSSSSSSSSSSSSS",
+             "aws-crypto-attr.bar" := "key",
+             "aws-crypto-attr.a.b" := "aaa",
+             "aws-crypto-attr..a" := "bbb",
+             "aws-crypto-attr.a." := "ccc",
+             "aws-crypto-attr..a." := "ddd",
+             "aws-crypto-attr.a[2]" := "eee",
+             "aws-crypto-attr.a#b" := "fff",
+             "aws-crypto-attr.$" := "ggg",
+             "aws-crypto-attr.$a" := "hhh",
+             "aws-crypto-attr.$a.b" := "iii",
+             "aws-crypto-attr.$[a]" := "jjj",
+             "aws-crypto-attr.$['a']" := "kkk",
+             "aws-crypto-attr.$[\"a\"]" := "lll",
+             "aws-crypto-attr.(a)" := "mmm",
+             "aws-crypto-attr.$['" := "nnn",
+             "aws-crypto-attr.$'a'" := "ooo",
+             "aws-crypto-attr.$\"a\"" := "ppp",
+             "aws-crypto-attr.$(a)" := "qqq",
+             "aws-crypto-attr.$(a" := "rrr",
+             "aws-crypto-partition-name" := "bar",
+             "aws-crypto-table-name" := "foo"
+           ];
+    expect parsedHeader.value.selectorContext ==
+           map[
+             "bar" := DDBS("key"),
+             "a.b" := DDBS("aaa"),
+             ".a" := DDBS("bbb"),
+             "a." := DDBS("ccc"),
+             ".a." := DDBS("ddd"),
+             "a[2]" := DDBS("eee"),
+             "a#b" := DDBS("fff"),
+             "$" := DDBS("ggg"),
+             "$a" := DDBS("hhh"),
+             "$a.b" := DDBS("iii"),
+             "$[a]" := DDBS("jjj"),
+             "$['a']" := DDBS("kkk"),
+             "$[\"a\"]" := DDBS("lll"),
+             "(a)" := DDBS("mmm"),
+             "$['" := DDBS("nnn"),
+             "$'a'" := DDBS("ooo"),
+             "$\"a\"" := DDBS("ppp"),
+             "$(a)" := DDBS("qqq"),
+             "$(a" := DDBS("rrr"),
+             "aws_dbe_table_name" := DDB.AttributeValue.S("foo"),
+             "aws_dbe_partition_name" := DDB.AttributeValue.S("bar")
+           ];
+  }
+
   method {:test} TestRoundTrip() {
     var encryptor := TestFixtures.GetDynamoDbItemEncryptor();
     var inputItem := map[

TestVectors/dafny/DDBEncryption/src/WriteManifest.dfy

@@ -35,6 +35,35 @@ module {:options "-functionSyntax:4"} WriteManifest {
           ""Junk"": ""ENCRYPT_AND_SIGN""
         }
       }"
+
+  // Attribute names with special characters that seem likely to break
+  // when we introduce structured encryption
+  const SpecialConfig := @"{
+        ""attributeActionsOnEncrypt"": {
+          ""RecNum"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""a.b"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""a[2]"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""a#b"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""'a'"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""'a"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""a'"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""'a.b'"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$'a'"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.a"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.[a]"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.['a']"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.['a"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""\""a\"""": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""\""a"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""a\"""": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""\""a.b\"""": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$\""a\"""": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.a"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.[a]"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.[\""a\""]"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
+          ""$.[\""a"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT""
+        }
+      }"
   const BasicV2Config := @"{
         ""attributeActionsOnEncrypt"": {
           ""RecNum"": ""SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT"",
@@ -121,6 +150,30 @@ module {:options "-functionSyntax:4"} WriteManifest {
           ""Stuff"": ""StuffData"",
           ""Junk"": ""JunkData""
         }"
+  const SpecialRecord := @"{
+          ""RecNum"": 1,
+          ""a.b"": ""aaa"",
+          ""a[2]"": ""bbb"",
+          ""a#b"": ""ccc"",
+          ""'a'"": ""ddd"",
+          ""'a"": ""eee"",
+          ""a'"": ""fff"",
+          ""'a.b'"": ""ggg"",
+          ""$'a'"": ""hhh"",
+          ""$.a"": ""iii"",
+          ""$.[a]"": ""jjj"",
+          ""$.['a']"": ""kkk"",
+          ""$.['a"": ""lll"",
+          ""\""a\"""": ""mmm"",
+          ""\""a"": ""nnn"",
+          ""a\"""": ""ooo"",
+          ""\""a.b\"""": ""ppp"",
+          ""$\""a\"""": ""qqq"",
+          ""$.a"": ""rrr"",
+          ""$.[a]"": ""sss"",
+          ""$.[\""a\""]"": ""ttt"",
+          ""$.[\""a"": ""uuu""
+        }"
   const BadRecord := @"{
           ""Stuff"": ""StuffData"",
           ""Junk"": ""JunkData""
@@ -342,8 +395,9 @@ module {:options "-functionSyntax:4"} WriteManifest {
     var test11 := MakeTest("11", "positive-encrypt", "Basic encrypt V2", BasicV2Config, BasicRecord);
     var test12 := MakeTest("12", "positive-encrypt", "Basic encrypt V2 switching1", LongerV2Config1, BasicRecord, Some(LongerV2Config2));
     var test13 := MakeTest("13", "positive-encrypt", "Basic encrypt V2 switching2", LongerV2Config2, BasicRecord, Some(LongerV2Config1));
+    var test14 := MakeTest("14", "positive-encrypt", "Special characters in attribute names", SpecialConfig, SpecialRecord);
     var configTests := MakeConfigTests();
-    var tests : seq<(string, JSON)> := [test1, test2, test3, test4, test5, test6, test7, test8, test9, test10, test11, test12, test13] + configTests;
+    var tests : seq<(string, JSON)> := [test1, test2, test3, test4, test5, test6, test7, test8, test9, test10, test11, test12, test13, test14] + configTests;
     var final := Object(result + [("tests", Object(tests))]);
 
     var jsonBytes :- expect API.Serialize(final);