aws
diff --git a/‎DynamoDbEncryption/dafny/StructuredEncryption/Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy
+61 b/‎DynamoDbEncryption/dafny/StructuredEncryption/Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy
+61
diff --git a/‎DynamoDbEncryption/dafny/StructuredEncryption/Model/StructuredEncryption.smithy
+20-1 b/‎DynamoDbEncryption/dafny/StructuredEncryption/Model/StructuredEncryption.smithy
+20-1
diff --git a/‎DynamoDbEncryption/dafny/StructuredEncryption/src/AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations.dfy
+15 b/‎DynamoDbEncryption/dafny/StructuredEncryption/src/AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations.dfy
+15
diff --git a/‎DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/structuredencryption/StructuredEncryption.java
+17 b/‎DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/structuredencryption/StructuredEncryption.java
+17
diff --git a/‎DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/structuredencryption/ToDafny.java
+28 b/‎DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/structuredencryption/ToDafny.java
+28
diff --git a/‎DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/structuredencryption/ToNative.java
+32 b/‎DynamoDbEncryption/runtimes/java/src/main/smithy-generated/software/amazon/cryptography/dbencryptionsdk/structuredencryption/ToNative.java
+32
@@ -93,6 +93,14 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.structuredencrypti
   type Path = seq<PathSegment>
   datatype PathSegment =
     | member(member: StructureSegment)
+  datatype ResolveAuthActionsInput = | ResolveAuthActionsInput (
+    nameonly tableName: string ,
+    nameonly authActions: AuthList ,
+    nameonly headerBytes: seq<uint8>
+  )
+  datatype ResolveAuthActionsOutput = | ResolveAuthActionsOutput (
+    nameonly cryptoActions: CryptoList
+  )
   type StructuredDataMap = map<string, StructuredDataTerminal>
   datatype StructuredDataTerminal = | StructuredDataTerminal (
     nameonly value: TerminalValue ,
@@ -104,11 +112,13 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.structuredencrypti
       DecryptStructure := [];
       EncryptPathStructure := [];
       DecryptPathStructure := [];
+      ResolveAuthActions := [];
     }
     ghost var EncryptStructure: seq<DafnyCallEvent<EncryptStructureInput, Result<EncryptStructureOutput, Error>>>
     ghost var DecryptStructure: seq<DafnyCallEvent<DecryptStructureInput, Result<DecryptStructureOutput, Error>>>
     ghost var EncryptPathStructure: seq<DafnyCallEvent<EncryptPathStructureInput, Result<EncryptPathStructureOutput, Error>>>
     ghost var DecryptPathStructure: seq<DafnyCallEvent<DecryptPathStructureInput, Result<DecryptPathStructureOutput, Error>>>
+    ghost var ResolveAuthActions: seq<DafnyCallEvent<ResolveAuthActionsInput, Result<ResolveAuthActionsOutput, Error>>>
   }
   trait {:termination false} IStructuredEncryptionClient
   {
@@ -213,6 +223,21 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.structuredencrypti
       ensures DecryptPathStructureEnsuresPublicly(input, output)
       ensures History.DecryptPathStructure == old(History.DecryptPathStructure) + [DafnyCallEvent(input, output)]
 
+    predicate ResolveAuthActionsEnsuresPublicly(input: ResolveAuthActionsInput , output: Result<ResolveAuthActionsOutput, Error>)
+    // The public method to be called by library consumers
+    method ResolveAuthActions ( input: ResolveAuthActionsInput )
+      returns (output: Result<ResolveAuthActionsOutput, Error>)
+      requires
+        && ValidState()
+      modifies Modifies - {History} ,
+               History`ResolveAuthActions
+      // Dafny will skip type parameters when generating a default decreases clause.
+      decreases Modifies - {History}
+      ensures
+        && ValidState()
+      ensures ResolveAuthActionsEnsuresPublicly(input, output)
+      ensures History.ResolveAuthActions == old(History.ResolveAuthActions) + [DafnyCallEvent(input, output)]
+
   }
   datatype StructuredEncryptionConfig = | StructuredEncryptionConfig (
 
@@ -394,6 +419,26 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionServic
       History.DecryptPathStructure := History.DecryptPathStructure + [DafnyCallEvent(input, output)];
     }
 
+    predicate ResolveAuthActionsEnsuresPublicly(input: ResolveAuthActionsInput , output: Result<ResolveAuthActionsOutput, Error>)
+    {Operations.ResolveAuthActionsEnsuresPublicly(input, output)}
+    // The public method to be called by library consumers
+    method ResolveAuthActions ( input: ResolveAuthActionsInput )
+      returns (output: Result<ResolveAuthActionsOutput, Error>)
+      requires
+        && ValidState()
+      modifies Modifies - {History} ,
+               History`ResolveAuthActions
+      // Dafny will skip type parameters when generating a default decreases clause.
+      decreases Modifies - {History}
+      ensures
+        && ValidState()
+      ensures ResolveAuthActionsEnsuresPublicly(input, output)
+      ensures History.ResolveAuthActions == old(History.ResolveAuthActions) + [DafnyCallEvent(input, output)]
+    {
+      output := Operations.ResolveAuthActions(config, input);
+      History.ResolveAuthActions := History.ResolveAuthActions + [DafnyCallEvent(input, output)];
+    }
+
   }
 }
 abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionOperations {
@@ -478,4 +523,20 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionOperat
     ensures
       && ValidInternalConfig?(config)
     ensures DecryptPathStructureEnsuresPublicly(input, output)
+
+
+  predicate ResolveAuthActionsEnsuresPublicly(input: ResolveAuthActionsInput , output: Result<ResolveAuthActionsOutput, Error>)
+  // The private method to be refined by the library developer
+
+
+  method ResolveAuthActions ( config: InternalConfig , input: ResolveAuthActionsInput )
+    returns (output: Result<ResolveAuthActionsOutput, Error>)
+    requires
+      && ValidInternalConfig?(config)
+    modifies ModifiesInternalConfig(config)
+    // Dafny will skip type parameters when generating a default decreases clause.
+    decreases ModifiesInternalConfig(config)
+    ensures
+      && ValidInternalConfig?(config)
+    ensures ResolveAuthActionsEnsuresPublicly(input, output)
 }
@@ -22,7 +22,7 @@ use aws.polymorph#localService
 )
 service StructuredEncryption {
     version: "2022-07-08",
-    operations: [EncryptStructure, DecryptStructure, EncryptPathStructure, DecryptPathStructure],
+    operations: [EncryptStructure, DecryptStructure, EncryptPathStructure, DecryptPathStructure, ResolveAuthActions],
     errors: [StructuredEncryptionException]
 }
 
@@ -49,6 +49,11 @@ operation DecryptPathStructure {
     output: DecryptPathStructureOutput,
 }
 
+operation ResolveAuthActions {
+    input: ResolveAuthActionsInput,
+    output: ResolveAuthActionsOutput,
+}
+
 //= specification/structured-encryption/decrypt-path-structure.md#parsed-header
 //= type=implication
 //# This structure MUST contain the following values,
@@ -226,6 +231,20 @@ structure DecryptPathStructureOutput {
     parsedHeader: ParsedHeader,
 }
 
+structure ResolveAuthActionsInput {
+    @required
+    tableName: String,
+    @required
+    authActions: AuthList,
+    @required
+    headerBytes: Blob
+}
+
+structure ResolveAuthActionsOutput {
+    @required
+    cryptoActions: CryptoList,
+}
+
 // Only handles bytes.
 // It is the responsibility of the caller to
 // serialize and deserialize the data they
 
@@ -85,6 +85,21 @@ module AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations refines Abst
     true
   }
 
+  predicate ResolveAuthActionsEnsuresPublicly(
+    input: ResolveAuthActionsInput,
+    output: Result<ResolveAuthActionsOutput, Error>) {
+    true
+  }
+
+  method ResolveAuthActions (config: InternalConfig, input: ResolveAuthActionsInput)
+    returns (output: Result<ResolveAuthActionsOutput, Error>)
+  {
+    var head :- Header.PartialDeserialize(input.headerBytes);
+    :- Need(ValidString(input.tableName), E("Bad Table Name"));
+    var canonData :- CanonizeForDecrypt(input.tableName, input.authActions, head.legend);
+    return Success(ResolveAuthActionsOutput(cryptoActions := UnCanon(canonData)));
+  }
+
   predicate method SameUnCanon(x : CanonCryptoItem, y : CryptoItem)
   {
     && x.origKey == y.key
 
@@ -18,6 +18,8 @@
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.EncryptPathStructureOutput;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.EncryptStructureInput;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.EncryptStructureOutput;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ResolveAuthActionsInput;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ResolveAuthActionsOutput;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.StructuredEncryptionConfig;
 
 public class StructuredEncryption {
@@ -100,6 +102,21 @@ public EncryptStructureOutput EncryptStructure(EncryptStructureInput input) {
     return ToNative.EncryptStructureOutput(result.dtor_value());
   }
 
+  public ResolveAuthActionsOutput ResolveAuthActions(
+    ResolveAuthActionsInput input
+  ) {
+    software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ResolveAuthActionsInput dafnyValue =
+      ToDafny.ResolveAuthActionsInput(input);
+    Result<
+      software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ResolveAuthActionsOutput,
+      Error
+    > result = this._impl.ResolveAuthActions(dafnyValue);
+    if (result.is_Failure()) {
+      throw ToNative.Error(result.dtor_error());
+    }
+    return ToNative.ResolveAuthActionsOutput(result.dtor_value());
+  }
+
   protected IStructuredEncryptionClient impl() {
     return this._impl;
   }
 
@@ -31,6 +31,8 @@
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.IStructuredEncryptionClient;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ParsedHeader;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.PathSegment;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ResolveAuthActionsInput;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ResolveAuthActionsOutput;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.StructureSegment;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.StructuredDataTerminal;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.StructuredEncryptionConfig;
@@ -394,6 +396,32 @@ public static ParsedHeader ParsedHeader(
     );
   }
 
+  public static ResolveAuthActionsInput ResolveAuthActionsInput(
+    software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ResolveAuthActionsInput nativeValue
+  ) {
+    DafnySequence<? extends Character> tableName;
+    tableName =
+      software.amazon.smithy.dafny.conversion.ToDafny.Simple.CharacterSequence(
+        nativeValue.tableName()
+      );
+    DafnySequence<? extends AuthItem> authActions;
+    authActions = ToDafny.AuthList(nativeValue.authActions());
+    DafnySequence<? extends Byte> headerBytes;
+    headerBytes =
+      software.amazon.smithy.dafny.conversion.ToDafny.Simple.ByteSequence(
+        nativeValue.headerBytes()
+      );
+    return new ResolveAuthActionsInput(tableName, authActions, headerBytes);
+  }
+
+  public static ResolveAuthActionsOutput ResolveAuthActionsOutput(
+    software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ResolveAuthActionsOutput nativeValue
+  ) {
+    DafnySequence<? extends CryptoItem> cryptoActions;
+    cryptoActions = ToDafny.CryptoList(nativeValue.cryptoActions());
+    return new ResolveAuthActionsOutput(cryptoActions);
+  }
+
   public static StructuredDataTerminal StructuredDataTerminal(
     software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.StructuredDataTerminal nativeValue
   ) {
 
@@ -32,6 +32,8 @@
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.OpaqueError;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ParsedHeader;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.PathSegment;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ResolveAuthActionsInput;
+import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.ResolveAuthActionsOutput;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.StructureSegment;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.StructuredDataTerminal;
 import software.amazon.cryptography.dbencryptionsdk.structuredencryption.model.StructuredEncryptionConfig;
@@ -340,6 +342,36 @@ public static ParsedHeader ParsedHeader(
     return nativeBuilder.build();
   }
 
+  public static ResolveAuthActionsInput ResolveAuthActionsInput(
+    software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ResolveAuthActionsInput dafnyValue
+  ) {
+    ResolveAuthActionsInput.Builder nativeBuilder =
+      ResolveAuthActionsInput.builder();
+    nativeBuilder.tableName(
+      software.amazon.smithy.dafny.conversion.ToNative.Simple.String(
+        dafnyValue.dtor_tableName()
+      )
+    );
+    nativeBuilder.authActions(ToNative.AuthList(dafnyValue.dtor_authActions()));
+    nativeBuilder.headerBytes(
+      software.amazon.smithy.dafny.conversion.ToNative.Simple.ByteBuffer(
+        dafnyValue.dtor_headerBytes()
+      )
+    );
+    return nativeBuilder.build();
+  }
+
+  public static ResolveAuthActionsOutput ResolveAuthActionsOutput(
+    software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.ResolveAuthActionsOutput dafnyValue
+  ) {
+    ResolveAuthActionsOutput.Builder nativeBuilder =
+      ResolveAuthActionsOutput.builder();
+    nativeBuilder.cryptoActions(
+      ToNative.CryptoList(dafnyValue.dtor_cryptoActions())
+    );
+    return nativeBuilder.build();
+  }
+
   public static StructuredDataTerminal StructuredDataTerminal(
     software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types.StructuredDataTerminal dafnyValue
   ) {