diff --git a/.github/workflows/library_format.yml b/.github/workflows/library_format.yml
new file mode 100644
index 000000000..5c74bd283
--- /dev/null
+++ b/.github/workflows/library_format.yml
@@ -0,0 +1,47 @@
+# This workflow performs static analysis checks.
+name: Library format check
+
+on:
+pull_request:
+push:
+branches:
+- main
+
+jobs:
+format_projects:
+# Don't run the nightly build on forks
+if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+strategy:
+matrix:
+library:
+[
+DynamoDbEncryption,
+]
+os: [ubuntu-latest]
+runs-on: ${{ matrix.os }}
+defaults:
+run:
+shell: bash
+env:
+DOTNET_CLI_TELEMETRY_OPTOUT: 1
+DOTNET_NOLOGO: 1
+steps:
+- name: Support longpaths
+run: |
+git config --global core.longpaths true
+
+- uses: actions/checkout@v4
+with:
+submodules: recursive
+
+- name: Setup Dafny
+uses: dafny-lang/setup-dafny-action@v1.7.0
+with:
+dafny-version: ${{ '4.2.0' }}
+
+- name: Check format of ${{ matrix.library }} Dafny code
+working-directory: ./${{ matrix.library }}
+run: |
+# This works because `node` is installed by default on GHA runners
+CORES=$(node -e 'console.log(os.cpus().length)')
+make format_dafny-check
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy
index 9d2bbb34e..eda70a9d0 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy
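Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although a format check only needs to read the checkout; adding a top-level `permissions:` with `contents: read` after the `name:` line keeps the job at least privilege. The two third-party actions (`actions/checkout@v4`, `dafny-lang/setup-dafny-action@v1.7.0`) are referenced by mutable tag; pinning each to a full commit SHA with the tag kept in a trailing comment removes the tag-retargeting exposure in the supply chain. In the last step `CORES` is computed from `node` but never passed to `make format_dafny-check`, so either drop those two lines or use the value (e.g. `make -j"$CORES" format_dafny-check`, if the Makefile target supports parallel runs). The `if:` condition guards against a `schedule` event, but this workflow has no `schedule` trigger, so the condition is always true and the "nightly build" comment is misleading; likewise `dafny-version: ${{ '4.2.0' }}` can be the plain literal `dafny-version: '4.2.0'`.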
@@ -2,543 +2,543 @@ // SPDX-License-Identifier: Apache-2.0 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten. include "../../../../submodules/MaterialProviders/StandardLibrary/src/Index.dfy" - include "../../StructuredEncryption/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy" - include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy" - module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types" } AwsCryptographyDbEncryptionSdkDynamoDbTypes - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes - import AwsCryptographyMaterialProvidersTypes - import AwsCryptographyKeyStoreTypes - import AwsCryptographyPrimitivesTypes - import ComAmazonawsDynamodbTypes - // Generic helpers for verification of mock/unit tests. 
- datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - - // Begin Generated Types - - datatype AsSet = | AsSet ( - - ) - type AttributeActions = map - type BeaconBitLength = x: int32 | IsValid_BeaconBitLength(x) witness * - predicate method IsValid_BeaconBitLength(x: int32) { - ( 1 <= x <= 63 ) -} - datatype BeaconKeySource = - | single(single: SingleKeyStore) - | multi(multi: MultiKeyStore) - datatype BeaconStyle = - | partOnly(partOnly: PartOnly) - | shared(shared: Shared) - | asSet(asSet: AsSet) - | sharedSet(sharedSet: SharedSet) - datatype BeaconVersion = | BeaconVersion ( - nameonly version: VersionNumber , - nameonly keyStore: AwsCryptographyKeyStoreTypes.IKeyStoreClient , - nameonly keySource: BeaconKeySource , - nameonly standardBeacons: StandardBeaconList , - nameonly compoundBeacons: Option := Option.None , - nameonly virtualFields: Option := Option.None , - nameonly encryptedParts: Option := Option.None , - nameonly signedParts: Option := Option.None - ) - type BeaconVersionList = x: seq | IsValid_BeaconVersionList(x) witness * - predicate method IsValid_BeaconVersionList(x: seq) { - ( 1 <= |x| <= 1 ) -} - type Char = x: string | IsValid_Char(x) witness * - predicate method IsValid_Char(x: string) { - ( 1 <= |x| <= 1 ) -} - datatype CompoundBeacon = | CompoundBeacon ( - nameonly name: string , - nameonly split: Char , - nameonly encrypted: Option := Option.None , - nameonly signed: Option := Option.None , - nameonly constructors: Option := Option.None - ) - type CompoundBeaconList = x: seq | IsValid_CompoundBeaconList(x) witness * - predicate method IsValid_CompoundBeaconList(x: seq) { - ( 1 <= |x| ) -} - datatype Constructor = | Constructor ( - nameonly parts: ConstructorPartList - ) - type ConstructorList = x: seq | IsValid_ConstructorList(x) witness * - predicate method IsValid_ConstructorList(x: seq) { - ( 1 <= |x| ) -} - datatype ConstructorPart = | ConstructorPart ( - nameonly name: string , - nameonly required: bool - ) - type 
ConstructorPartList = x: seq | IsValid_ConstructorPartList(x) witness * - predicate method IsValid_ConstructorPartList(x: seq) { - ( 1 <= |x| ) -} - datatype CreateDynamoDbEncryptionBranchKeyIdSupplierInput = | CreateDynamoDbEncryptionBranchKeyIdSupplierInput ( - nameonly ddbKeyBranchKeyIdSupplier: IDynamoDbKeyBranchKeyIdSupplier - ) - datatype CreateDynamoDbEncryptionBranchKeyIdSupplierOutput = | CreateDynamoDbEncryptionBranchKeyIdSupplierOutput ( - nameonly branchKeyIdSupplier: AwsCryptographyMaterialProvidersTypes.IBranchKeyIdSupplier - ) - class IDynamoDbEncryptionClientCallHistory { - ghost constructor() { - CreateDynamoDbEncryptionBranchKeyIdSupplier := []; -} - ghost var CreateDynamoDbEncryptionBranchKeyIdSupplier: seq>> -} - trait {:termination false} IDynamoDbEncryptionClient - { - // Helper to define any additional modifies/reads clauses. - // If your operations need to mutate state, - // add it in your constructor function: - // Modifies := {your, fields, here, History}; - // If you do not need to mutate anything: -// Modifies := {History}; +include "../../StructuredEncryption/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographyKeyStore/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy" +include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy" +module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types" } AwsCryptographyDbEncryptionSdkDynamoDbTypes +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes + import AwsCryptographyMaterialProvidersTypes + import AwsCryptographyKeyStoreTypes + import AwsCryptographyPrimitivesTypes + import 
ComAmazonawsDynamodbTypes + // Generic helpers for verification of mock/unit tests. + datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - ghost const Modifies: set - // For an unassigned field defined in a trait, - // Dafny can only assign a value in the constructor. - // This means that for Dafny to reason about this value, - // it needs some way to know (an invariant), - // about the state of the object. - // This builds on the Valid/Repr paradigm - // To make this kind requires safe to add - // to methods called from unverified code, - // the predicate MUST NOT take any arguments. - // This means that the correctness of this requires - // MUST only be evaluated by the class itself. - // If you require any additional mutation, - // then you MUST ensure everything you need in ValidState. - // You MUST also ensure ValidState in your constructor. - predicate ValidState() - ensures ValidState() ==> History in Modifies - ghost const History: IDynamoDbEncryptionClientCallHistory - predicate CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput , output: Result) - // The public method to be called by library consumers - method CreateDynamoDbEncryptionBranchKeyIdSupplier ( input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) - returns (output: Result) - requires - && ValidState() - && input.ddbKeyBranchKeyIdSupplier.ValidState() - && input.ddbKeyBranchKeyIdSupplier.Modifies !! {History} - modifies Modifies - {History} , - input.ddbKeyBranchKeyIdSupplier.Modifies , - History`CreateDynamoDbEncryptionBranchKeyIdSupplier - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} , - input.ddbKeyBranchKeyIdSupplier.Modifies - ensures - && ValidState() - && ( output.Success? ==> - && output.value.branchKeyIdSupplier.ValidState() - && output.value.branchKeyIdSupplier.Modifies !! 
{History} - && fresh(output.value.branchKeyIdSupplier) - && fresh ( output.value.branchKeyIdSupplier.Modifies - Modifies - {History} - input.ddbKeyBranchKeyIdSupplier.Modifies ) ) - ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output) - ensures History.CreateDynamoDbEncryptionBranchKeyIdSupplier == old(History.CreateDynamoDbEncryptionBranchKeyIdSupplier) + [DafnyCallEvent(input, output)] - -} - datatype DynamoDbEncryptionConfig = | DynamoDbEncryptionConfig ( - - ) - class IDynamoDbKeyBranchKeyIdSupplierCallHistory { - ghost constructor() { - GetBranchKeyIdFromDdbKey := []; -} - ghost var GetBranchKeyIdFromDdbKey: seq>> -} - trait {:termination false} IDynamoDbKeyBranchKeyIdSupplier - { - // Helper to define any additional modifies/reads clauses. - // If your operations need to mutate state, - // add it in your constructor function: - // Modifies := {your, fields, here, History}; - // If you do not need to mutate anything: -// Modifies := {History}; + // Begin Generated Types - ghost const Modifies: set - // For an unassigned field defined in a trait, - // Dafny can only assign a value in the constructor. - // This means that for Dafny to reason about this value, - // it needs some way to know (an invariant), - // about the state of the object. - // This builds on the Valid/Repr paradigm - // To make this kind requires safe to add - // to methods called from unverified code, - // the predicate MUST NOT take any arguments. - // This means that the correctness of this requires - // MUST only be evaluated by the class itself. - // If you require any additional mutation, - // then you MUST ensure everything you need in ValidState. - // You MUST also ensure ValidState in your constructor. 
- predicate ValidState() - ensures ValidState() ==> History in Modifies - ghost const History: IDynamoDbKeyBranchKeyIdSupplierCallHistory - predicate GetBranchKeyIdFromDdbKeyEnsuresPublicly(input: GetBranchKeyIdFromDdbKeyInput , output: Result) - // The public method to be called by library consumers - method GetBranchKeyIdFromDdbKey ( input: GetBranchKeyIdFromDdbKeyInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`GetBranchKeyIdFromDdbKey - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures GetBranchKeyIdFromDdbKeyEnsuresPublicly(input, output) - ensures History.GetBranchKeyIdFromDdbKey == old(History.GetBranchKeyIdFromDdbKey) + [DafnyCallEvent(input, output)] - { - output := GetBranchKeyIdFromDdbKey' (input); - History.GetBranchKeyIdFromDdbKey := History.GetBranchKeyIdFromDdbKey + [DafnyCallEvent(input, output)]; -} - // The method to implement in the concrete class. - method GetBranchKeyIdFromDdbKey' ( input: GetBranchKeyIdFromDdbKeyInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures GetBranchKeyIdFromDdbKeyEnsuresPublicly(input, output) - ensures unchanged(History) - -} - datatype DynamoDbTableEncryptionConfig = | DynamoDbTableEncryptionConfig ( - nameonly logicalTableName: string , - nameonly partitionKeyName: ComAmazonawsDynamodbTypes.KeySchemaAttributeName , - nameonly sortKeyName: Option := Option.None , - nameonly search: Option := Option.None , - nameonly attributeActionsOnEncrypt: AttributeActions , - nameonly allowedUnsignedAttributes: Option := Option.None , - nameonly allowedUnsignedAttributePrefix: Option := Option.None , - nameonly algorithmSuiteId: Option := Option.None , - nameonly keyring: Option := Option.None , - nameonly cmm: Option := Option.None , - nameonly legacyOverride: Option := Option.None , - nameonly plaintextOverride: Option := Option.None - ) - type DynamoDbTableEncryptionConfigList = map - datatype DynamoDbTablesEncryptionConfig = | DynamoDbTablesEncryptionConfig ( - nameonly tableEncryptionConfigs: DynamoDbTableEncryptionConfigList - ) - datatype EncryptedPart = | EncryptedPart ( - nameonly name: string , - nameonly prefix: Prefix - ) - type EncryptedPartsList = x: seq | IsValid_EncryptedPartsList(x) witness * - predicate method IsValid_EncryptedPartsList(x: seq) { - ( 1 <= |x| ) -} - datatype GetBranchKeyIdFromDdbKeyInput = | GetBranchKeyIdFromDdbKeyInput ( - nameonly ddbKey: ComAmazonawsDynamodbTypes.Key - ) - datatype GetBranchKeyIdFromDdbKeyOutput = | GetBranchKeyIdFromDdbKeyOutput ( - nameonly branchKeyId: string - ) - datatype GetPrefix = | GetPrefix ( - nameonly length: int32 - ) - datatype GetSegment = | GetSegment ( - nameonly split: Char , - nameonly index: int32 - ) - datatype GetSegments = | GetSegments ( - nameonly split: Char , - nameonly low: int32 , - nameonly high: int32 - ) - datatype GetSubstring = | GetSubstring ( - nameonly low: int32 , - nameonly high: int32 - ) - datatype GetSuffix = | GetSuffix ( - nameonly length: 
int32 - ) - datatype Insert = | Insert ( - nameonly literal: string - ) - class ILegacyDynamoDbEncryptorCallHistory { - ghost constructor() { - -} - -} - trait {:termination false} ILegacyDynamoDbEncryptor - { - // Helper to define any additional modifies/reads clauses. - // If your operations need to mutate state, - // add it in your constructor function: - // Modifies := {your, fields, here, History}; - // If you do not need to mutate anything: -// Modifies := {History}; + datatype AsSet = | AsSet ( - ghost const Modifies: set - // For an unassigned field defined in a trait, - // Dafny can only assign a value in the constructor. - // This means that for Dafny to reason about this value, - // it needs some way to know (an invariant), - // about the state of the object. - // This builds on the Valid/Repr paradigm - // To make this kind requires safe to add - // to methods called from unverified code, - // the predicate MUST NOT take any arguments. - // This means that the correctness of this requires - // MUST only be evaluated by the class itself. - // If you require any additional mutation, - // then you MUST ensure everything you need in ValidState. - // You MUST also ensure ValidState in your constructor. 
- predicate ValidState() - ensures ValidState() ==> History in Modifies - ghost const History: ILegacyDynamoDbEncryptorCallHistory - -} - datatype LegacyOverride = | LegacyOverride ( - nameonly policy: LegacyPolicy , - nameonly encryptor: ILegacyDynamoDbEncryptor , - nameonly attributeActionsOnEncrypt: AttributeActions , - nameonly defaultAttributeFlag: Option := Option.None - ) - datatype LegacyPolicy = - | FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT - | FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT - | FORBID_LEGACY_ENCRYPT_FORBID_LEGACY_DECRYPT - datatype Lower = | Lower ( - - ) - datatype MultiKeyStore = | MultiKeyStore ( - nameonly keyFieldName: string , - nameonly cacheTTL: int32 , - nameonly cache: Option := Option.None - ) - datatype PartOnly = | PartOnly ( - - ) - datatype PlaintextOverride = - | FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ - | FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ - | FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ - type Prefix = x: string | IsValid_Prefix(x) witness * - predicate method IsValid_Prefix(x: string) { - ( 1 <= |x| ) -} - datatype SearchConfig = | SearchConfig ( - nameonly versions: BeaconVersionList , - nameonly writeVersion: VersionNumber - ) - datatype Shared = | Shared ( - nameonly other: string - ) - datatype SharedSet = | SharedSet ( - nameonly other: string - ) - datatype SignedPart = | SignedPart ( - nameonly name: string , - nameonly prefix: Prefix , - nameonly loc: Option := Option.None - ) - type SignedPartsList = x: seq | IsValid_SignedPartsList(x) witness * - predicate method IsValid_SignedPartsList(x: seq) { - ( 1 <= |x| ) -} - datatype SingleKeyStore = | SingleKeyStore ( - nameonly keyId: string , - nameonly cacheTTL: int32 - ) - datatype StandardBeacon = | StandardBeacon ( - nameonly name: string , - nameonly length: BeaconBitLength , - nameonly loc: Option := Option.None , - nameonly style: Option := Option.None - ) - type StandardBeaconList = x: seq | IsValid_StandardBeaconList(x) witness * - predicate method 
IsValid_StandardBeaconList(x: seq) { - ( 1 <= |x| ) -} - type TerminalLocation = x: string | IsValid_TerminalLocation(x) witness * - predicate method IsValid_TerminalLocation(x: string) { - ( 1 <= |x| ) -} - datatype Upper = | Upper ( - - ) - type VersionNumber = x: int32 | IsValid_VersionNumber(x) witness * - predicate method IsValid_VersionNumber(x: int32) { - ( 1 <= x ) -} - datatype VirtualField = | VirtualField ( - nameonly name: string , - nameonly parts: VirtualPartList - ) - type VirtualFieldList = x: seq | IsValid_VirtualFieldList(x) witness * - predicate method IsValid_VirtualFieldList(x: seq) { - ( 1 <= |x| ) -} - datatype VirtualPart = | VirtualPart ( - nameonly loc: TerminalLocation , - nameonly trans: Option := Option.None - ) - type VirtualPartList = x: seq | IsValid_VirtualPartList(x) witness * - predicate method IsValid_VirtualPartList(x: seq) { - ( 1 <= |x| ) -} - datatype VirtualTransform = - | upper(upper: Upper) - | lower(lower: Lower) - | insert(insert: Insert) - | prefix(prefix: GetPrefix) - | suffix(suffix: GetSuffix) - | substring(substring: GetSubstring) - | segment(segment: GetSegment) - | segments(segments: GetSegments) - type VirtualTransformList = x: seq | IsValid_VirtualTransformList(x) witness * - predicate method IsValid_VirtualTransformList(x: seq) { - ( 1 <= |x| ) -} - datatype Error = - // Local Error structures are listed here - | DynamoDbEncryptionException ( - nameonly message: string - ) - // Any dependent models are listed here - | AwsCryptographyDbEncryptionSdkStructuredEncryption(AwsCryptographyDbEncryptionSdkStructuredEncryption: AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.Error) - | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) - | AwsCryptographyKeyStore(AwsCryptographyKeyStore: AwsCryptographyKeyStoreTypes.Error) - | AwsCryptographyPrimitives(AwsCryptographyPrimitives: AwsCryptographyPrimitivesTypes.Error) - | 
ComAmazonawsDynamodb(ComAmazonawsDynamodb: ComAmazonawsDynamodbTypes.Error) - // The Collection error is used to collect several errors together - // This is useful when composing OR logic. - // Consider the following method: - // - // method FN(n:I) - // returns (res: Result) - // ensures A(I).Success? ==> res.Success? - // ensures B(I).Success? ==> res.Success? - // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? - // - // If either A || B is successful then FN is successful. - // And if A && B fail then FN will fail. - // But what information should FN transmit back to the caller? - // While it may be correct to hide these details from the caller, - // this can not be the globally correct option. - // Suppose that A and B can be blocked by different ACLs, - // and that their representation of I is only eventually consistent. - // How can the caller distinguish, at a minimum for logging, - // the difference between the four failure modes? - // || (!access(A(I)) && !access(B(I))) - // || (!exit(A(I)) && !exit(B(I))) - // || (!access(A(I)) && !exit(B(I))) - // || (!exit(A(I)) && !access(B(I))) - | CollectionOfErrors(list: seq, nameonly message: string) - // The Opaque error, used for native, extern, wrapped or unknown errors - | Opaque(obj: object) - type OpaqueError = e: Error | e.Opaque? witness * -} - abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbService - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTypes - import Operations : AbstractAwsCryptographyDbEncryptionSdkDynamoDbOperations - function method DefaultDynamoDbEncryptionConfig(): DynamoDbEncryptionConfig - method DynamoDbEncryption(config: DynamoDbEncryptionConfig := DefaultDynamoDbEncryptionConfig()) - returns (res: Result) - ensures res.Success? 
==> - && fresh(res.value) - && fresh(res.value.Modifies) - && fresh(res.value.History) - && res.value.ValidState() + ) + type AttributeActions = map + type BeaconBitLength = x: int32 | IsValid_BeaconBitLength(x) witness * + predicate method IsValid_BeaconBitLength(x: int32) { + ( 1 <= x <= 63 ) + } + datatype BeaconKeySource = + | single(single: SingleKeyStore) + | multi(multi: MultiKeyStore) + datatype BeaconStyle = + | partOnly(partOnly: PartOnly) + | shared(shared: Shared) + | asSet(asSet: AsSet) + | sharedSet(sharedSet: SharedSet) + datatype BeaconVersion = | BeaconVersion ( + nameonly version: VersionNumber , + nameonly keyStore: AwsCryptographyKeyStoreTypes.IKeyStoreClient , + nameonly keySource: BeaconKeySource , + nameonly standardBeacons: StandardBeaconList , + nameonly compoundBeacons: Option := Option.None , + nameonly virtualFields: Option := Option.None , + nameonly encryptedParts: Option := Option.None , + nameonly signedParts: Option := Option.None + ) + type BeaconVersionList = x: seq | IsValid_BeaconVersionList(x) witness * + predicate method IsValid_BeaconVersionList(x: seq) { + ( 1 <= |x| <= 1 ) + } + type Char = x: string | IsValid_Char(x) witness * + predicate method IsValid_Char(x: string) { + ( 1 <= |x| <= 1 ) + } + datatype CompoundBeacon = | CompoundBeacon ( + nameonly name: string , + nameonly split: Char , + nameonly encrypted: Option := Option.None , + nameonly signed: Option := Option.None , + nameonly constructors: Option := Option.None + ) + type CompoundBeaconList = x: seq | IsValid_CompoundBeaconList(x) witness * + predicate method IsValid_CompoundBeaconList(x: seq) { + ( 1 <= |x| ) + } + datatype Constructor = | Constructor ( + nameonly parts: ConstructorPartList + ) + type ConstructorList = x: seq | IsValid_ConstructorList(x) witness * + predicate method IsValid_ConstructorList(x: seq) { + ( 1 <= |x| ) + } + datatype ConstructorPart = | ConstructorPart ( + nameonly name: string , + nameonly required: bool + ) + type 
ConstructorPartList = x: seq | IsValid_ConstructorPartList(x) witness * + predicate method IsValid_ConstructorPartList(x: seq) { + ( 1 <= |x| ) + } + datatype CreateDynamoDbEncryptionBranchKeyIdSupplierInput = | CreateDynamoDbEncryptionBranchKeyIdSupplierInput ( + nameonly ddbKeyBranchKeyIdSupplier: IDynamoDbKeyBranchKeyIdSupplier + ) + datatype CreateDynamoDbEncryptionBranchKeyIdSupplierOutput = | CreateDynamoDbEncryptionBranchKeyIdSupplierOutput ( + nameonly branchKeyIdSupplier: AwsCryptographyMaterialProvidersTypes.IBranchKeyIdSupplier + ) + class IDynamoDbEncryptionClientCallHistory { + ghost constructor() { + CreateDynamoDbEncryptionBranchKeyIdSupplier := []; + } + ghost var CreateDynamoDbEncryptionBranchKeyIdSupplier: seq>> + } + trait {:termination false} IDynamoDbEncryptionClient + { + // Helper to define any additional modifies/reads clauses. + // If your operations need to mutate state, + // add it in your constructor function: + // Modifies := {your, fields, here, History}; + // If you do not need to mutate anything: + // Modifies := {History}; - // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals - function method CreateSuccessOfClient(client: IDynamoDbEncryptionClient): Result { - Success(client) - } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals - function method CreateFailureOfError(error: Error): Result { - Failure(error) - } - class DynamoDbEncryptionClient extends IDynamoDbEncryptionClient - { - constructor(config: Operations.InternalConfig) - requires Operations.ValidInternalConfig?(config) - ensures - && ValidState() - && fresh(History) - && this.config == config - const config: Operations.InternalConfig - predicate ValidState() - ensures ValidState() ==> - && Operations.ValidInternalConfig?(config) - && History !in Operations.ModifiesInternalConfig(config) - && Modifies == Operations.ModifiesInternalConfig(config) + 
{History} - predicate CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput , output: Result) - {Operations.CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method CreateDynamoDbEncryptionBranchKeyIdSupplier ( input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) - returns (output: Result) - requires - && ValidState() - && input.ddbKeyBranchKeyIdSupplier.ValidState() - && input.ddbKeyBranchKeyIdSupplier.Modifies !! {History} - modifies Modifies - {History} , - input.ddbKeyBranchKeyIdSupplier.Modifies , - History`CreateDynamoDbEncryptionBranchKeyIdSupplier - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} , - input.ddbKeyBranchKeyIdSupplier.Modifies - ensures - && ValidState() - && ( output.Success? ==> - && output.value.branchKeyIdSupplier.ValidState() - && output.value.branchKeyIdSupplier.Modifies !! {History} - && fresh(output.value.branchKeyIdSupplier) - && fresh ( output.value.branchKeyIdSupplier.Modifies - Modifies - {History} - input.ddbKeyBranchKeyIdSupplier.Modifies ) ) - ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output) - ensures History.CreateDynamoDbEncryptionBranchKeyIdSupplier == old(History.CreateDynamoDbEncryptionBranchKeyIdSupplier) + [DafnyCallEvent(input, output)] - { - output := Operations.CreateDynamoDbEncryptionBranchKeyIdSupplier(config, input); - History.CreateDynamoDbEncryptionBranchKeyIdSupplier := History.CreateDynamoDbEncryptionBranchKeyIdSupplier + [DafnyCallEvent(input, output)]; -} - + ghost const Modifies: set + // For an unassigned field defined in a trait, + // Dafny can only assign a value in the constructor. + // This means that for Dafny to reason about this value, + // it needs some way to know (an invariant), + // about the state of the object. 
+ // This builds on the Valid/Repr paradigm + // To make this kind requires safe to add + // to methods called from unverified code, + // the predicate MUST NOT take any arguments. + // This means that the correctness of this requires + // MUST only be evaluated by the class itself. + // If you require any additional mutation, + // then you MUST ensure everything you need in ValidState. + // You MUST also ensure ValidState in your constructor. + predicate ValidState() + ensures ValidState() ==> History in Modifies + ghost const History: IDynamoDbEncryptionClientCallHistory + predicate CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput , output: Result) + // The public method to be called by library consumers + method CreateDynamoDbEncryptionBranchKeyIdSupplier ( input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) + returns (output: Result) + requires + && ValidState() + && input.ddbKeyBranchKeyIdSupplier.ValidState() + && input.ddbKeyBranchKeyIdSupplier.Modifies !! {History} + modifies Modifies - {History} , + input.ddbKeyBranchKeyIdSupplier.Modifies , + History`CreateDynamoDbEncryptionBranchKeyIdSupplier + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + input.ddbKeyBranchKeyIdSupplier.Modifies + ensures + && ValidState() + && ( output.Success? ==> + && output.value.branchKeyIdSupplier.ValidState() + && output.value.branchKeyIdSupplier.Modifies !! 
{History} + && fresh(output.value.branchKeyIdSupplier) + && fresh ( output.value.branchKeyIdSupplier.Modifies - Modifies - {History} - input.ddbKeyBranchKeyIdSupplier.Modifies ) ) + ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output) + ensures History.CreateDynamoDbEncryptionBranchKeyIdSupplier == old(History.CreateDynamoDbEncryptionBranchKeyIdSupplier) + [DafnyCallEvent(input, output)] + + } + datatype DynamoDbEncryptionConfig = | DynamoDbEncryptionConfig ( + + ) + class IDynamoDbKeyBranchKeyIdSupplierCallHistory { + ghost constructor() { + GetBranchKeyIdFromDdbKey := []; + } + ghost var GetBranchKeyIdFromDdbKey: seq>> + } + trait {:termination false} IDynamoDbKeyBranchKeyIdSupplier + { + // Helper to define any additional modifies/reads clauses. + // If your operations need to mutate state, + // add it in your constructor function: + // Modifies := {your, fields, here, History}; + // If you do not need to mutate anything: + // Modifies := {History}; + + ghost const Modifies: set + // For an unassigned field defined in a trait, + // Dafny can only assign a value in the constructor. + // This means that for Dafny to reason about this value, + // it needs some way to know (an invariant), + // about the state of the object. + // This builds on the Valid/Repr paradigm + // To make this kind requires safe to add + // to methods called from unverified code, + // the predicate MUST NOT take any arguments. + // This means that the correctness of this requires + // MUST only be evaluated by the class itself. + // If you require any additional mutation, + // then you MUST ensure everything you need in ValidState. + // You MUST also ensure ValidState in your constructor. 
+ predicate ValidState() + ensures ValidState() ==> History in Modifies + ghost const History: IDynamoDbKeyBranchKeyIdSupplierCallHistory + predicate GetBranchKeyIdFromDdbKeyEnsuresPublicly(input: GetBranchKeyIdFromDdbKeyInput , output: Result) + // The public method to be called by library consumers + method GetBranchKeyIdFromDdbKey ( input: GetBranchKeyIdFromDdbKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetBranchKeyIdFromDdbKey + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GetBranchKeyIdFromDdbKeyEnsuresPublicly(input, output) + ensures History.GetBranchKeyIdFromDdbKey == old(History.GetBranchKeyIdFromDdbKey) + [DafnyCallEvent(input, output)] + { + output := GetBranchKeyIdFromDdbKey' (input); + History.GetBranchKeyIdFromDdbKey := History.GetBranchKeyIdFromDdbKey + [DafnyCallEvent(input, output)]; + } + // The method to implement in the concrete class. + method GetBranchKeyIdFromDdbKey' ( input: GetBranchKeyIdFromDdbKeyInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures GetBranchKeyIdFromDdbKeyEnsuresPublicly(input, output) + ensures unchanged(History) + + } + datatype DynamoDbTableEncryptionConfig = | DynamoDbTableEncryptionConfig ( + nameonly logicalTableName: string , + nameonly partitionKeyName: ComAmazonawsDynamodbTypes.KeySchemaAttributeName , + nameonly sortKeyName: Option := Option.None , + nameonly search: Option := Option.None , + nameonly attributeActionsOnEncrypt: AttributeActions , + nameonly allowedUnsignedAttributes: Option := Option.None , + nameonly allowedUnsignedAttributePrefix: Option := Option.None , + nameonly algorithmSuiteId: Option := Option.None , + nameonly keyring: Option := Option.None , + nameonly cmm: Option := Option.None , + nameonly legacyOverride: Option := Option.None , + nameonly plaintextOverride: Option := Option.None + ) + type DynamoDbTableEncryptionConfigList = map + datatype DynamoDbTablesEncryptionConfig = | DynamoDbTablesEncryptionConfig ( + nameonly tableEncryptionConfigs: DynamoDbTableEncryptionConfigList + ) + datatype EncryptedPart = | EncryptedPart ( + nameonly name: string , + nameonly prefix: Prefix + ) + type EncryptedPartsList = x: seq | IsValid_EncryptedPartsList(x) witness * + predicate method IsValid_EncryptedPartsList(x: seq) { + ( 1 <= |x| ) + } + datatype GetBranchKeyIdFromDdbKeyInput = | GetBranchKeyIdFromDdbKeyInput ( + nameonly ddbKey: ComAmazonawsDynamodbTypes.Key + ) + datatype GetBranchKeyIdFromDdbKeyOutput = | GetBranchKeyIdFromDdbKeyOutput ( + nameonly branchKeyId: string + ) + datatype GetPrefix = | GetPrefix ( + nameonly length: int32 + ) + datatype GetSegment = | GetSegment ( + nameonly split: Char , + nameonly index: int32 + ) + datatype GetSegments = | GetSegments ( + nameonly split: Char , + nameonly low: int32 , + nameonly high: int32 + ) + datatype GetSubstring = | GetSubstring ( + nameonly low: int32 , + nameonly high: int32 + ) + datatype GetSuffix = | GetSuffix ( + nameonly length: 
int32 + ) + datatype Insert = | Insert ( + nameonly literal: string + ) + class ILegacyDynamoDbEncryptorCallHistory { + ghost constructor() { + + } + + } + trait {:termination false} ILegacyDynamoDbEncryptor + { + // Helper to define any additional modifies/reads clauses. + // If your operations need to mutate state, + // add it in your constructor function: + // Modifies := {your, fields, here, History}; + // If you do not need to mutate anything: + // Modifies := {History}; + + ghost const Modifies: set + // For an unassigned field defined in a trait, + // Dafny can only assign a value in the constructor. + // This means that for Dafny to reason about this value, + // it needs some way to know (an invariant), + // about the state of the object. + // This builds on the Valid/Repr paradigm + // To make this kind requires safe to add + // to methods called from unverified code, + // the predicate MUST NOT take any arguments. + // This means that the correctness of this requires + // MUST only be evaluated by the class itself. + // If you require any additional mutation, + // then you MUST ensure everything you need in ValidState. + // You MUST also ensure ValidState in your constructor. 
+ predicate ValidState() + ensures ValidState() ==> History in Modifies + ghost const History: ILegacyDynamoDbEncryptorCallHistory + + } + datatype LegacyOverride = | LegacyOverride ( + nameonly policy: LegacyPolicy , + nameonly encryptor: ILegacyDynamoDbEncryptor , + nameonly attributeActionsOnEncrypt: AttributeActions , + nameonly defaultAttributeFlag: Option := Option.None + ) + datatype LegacyPolicy = + | FORCE_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT + | FORBID_LEGACY_ENCRYPT_ALLOW_LEGACY_DECRYPT + | FORBID_LEGACY_ENCRYPT_FORBID_LEGACY_DECRYPT + datatype Lower = | Lower ( + + ) + datatype MultiKeyStore = | MultiKeyStore ( + nameonly keyFieldName: string , + nameonly cacheTTL: int32 , + nameonly cache: Option := Option.None + ) + datatype PartOnly = | PartOnly ( + + ) + datatype PlaintextOverride = + | FORCE_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ + | FORBID_PLAINTEXT_WRITE_ALLOW_PLAINTEXT_READ + | FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ + type Prefix = x: string | IsValid_Prefix(x) witness * + predicate method IsValid_Prefix(x: string) { + ( 1 <= |x| ) + } + datatype SearchConfig = | SearchConfig ( + nameonly versions: BeaconVersionList , + nameonly writeVersion: VersionNumber + ) + datatype Shared = | Shared ( + nameonly other: string + ) + datatype SharedSet = | SharedSet ( + nameonly other: string + ) + datatype SignedPart = | SignedPart ( + nameonly name: string , + nameonly prefix: Prefix , + nameonly loc: Option := Option.None + ) + type SignedPartsList = x: seq | IsValid_SignedPartsList(x) witness * + predicate method IsValid_SignedPartsList(x: seq) { + ( 1 <= |x| ) + } + datatype SingleKeyStore = | SingleKeyStore ( + nameonly keyId: string , + nameonly cacheTTL: int32 + ) + datatype StandardBeacon = | StandardBeacon ( + nameonly name: string , + nameonly length: BeaconBitLength , + nameonly loc: Option := Option.None , + nameonly style: Option := Option.None + ) + type StandardBeaconList = x: seq | IsValid_StandardBeaconList(x) witness * + predicate 
method IsValid_StandardBeaconList(x: seq) { + ( 1 <= |x| ) + } + type TerminalLocation = x: string | IsValid_TerminalLocation(x) witness * + predicate method IsValid_TerminalLocation(x: string) { + ( 1 <= |x| ) + } + datatype Upper = | Upper ( + + ) + type VersionNumber = x: int32 | IsValid_VersionNumber(x) witness * + predicate method IsValid_VersionNumber(x: int32) { + ( 1 <= x ) + } + datatype VirtualField = | VirtualField ( + nameonly name: string , + nameonly parts: VirtualPartList + ) + type VirtualFieldList = x: seq | IsValid_VirtualFieldList(x) witness * + predicate method IsValid_VirtualFieldList(x: seq) { + ( 1 <= |x| ) + } + datatype VirtualPart = | VirtualPart ( + nameonly loc: TerminalLocation , + nameonly trans: Option := Option.None + ) + type VirtualPartList = x: seq | IsValid_VirtualPartList(x) witness * + predicate method IsValid_VirtualPartList(x: seq) { + ( 1 <= |x| ) + } + datatype VirtualTransform = + | upper(upper: Upper) + | lower(lower: Lower) + | insert(insert: Insert) + | prefix(prefix: GetPrefix) + | suffix(suffix: GetSuffix) + | substring(substring: GetSubstring) + | segment(segment: GetSegment) + | segments(segments: GetSegments) + type VirtualTransformList = x: seq | IsValid_VirtualTransformList(x) witness * + predicate method IsValid_VirtualTransformList(x: seq) { + ( 1 <= |x| ) + } + datatype Error = + // Local Error structures are listed here + | DynamoDbEncryptionException ( + nameonly message: string + ) + // Any dependent models are listed here + | AwsCryptographyDbEncryptionSdkStructuredEncryption(AwsCryptographyDbEncryptionSdkStructuredEncryption: AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.Error) + | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) + | AwsCryptographyKeyStore(AwsCryptographyKeyStore: AwsCryptographyKeyStoreTypes.Error) + | AwsCryptographyPrimitives(AwsCryptographyPrimitives: AwsCryptographyPrimitivesTypes.Error) + | 
ComAmazonawsDynamodb(ComAmazonawsDynamodb: ComAmazonawsDynamodbTypes.Error) + // The Collection error is used to collect several errors together + // This is useful when composing OR logic. + // Consider the following method: + // + // method FN(n:I) + // returns (res: Result) + // ensures A(I).Success? ==> res.Success? + // ensures B(I).Success? ==> res.Success? + // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? + // + // If either A || B is successful then FN is successful. + // And if A && B fail then FN will fail. + // But what information should FN transmit back to the caller? + // While it may be correct to hide these details from the caller, + // this can not be the globally correct option. + // Suppose that A and B can be blocked by different ACLs, + // and that their representation of I is only eventually consistent. + // How can the caller distinguish, at a minimum for logging, + // the difference between the four failure modes? + // || (!access(A(I)) && !access(B(I))) + // || (!exit(A(I)) && !exit(B(I))) + // || (!access(A(I)) && !exit(B(I))) + // || (!exit(A(I)) && !access(B(I))) + | CollectionOfErrors(list: seq, nameonly message: string) + // The Opaque error, used for native, extern, wrapped or unknown errors + | Opaque(obj: object) + type OpaqueError = e: Error | e.Opaque? witness * } +abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbService +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTypes + import Operations : AbstractAwsCryptographyDbEncryptionSdkDynamoDbOperations + function method DefaultDynamoDbEncryptionConfig(): DynamoDbEncryptionConfig + method DynamoDbEncryption(config: DynamoDbEncryptionConfig := DefaultDynamoDbEncryptionConfig()) + returns (res: Result) + ensures res.Success? 
==> + && fresh(res.value) + && fresh(res.value.Modifies) + && fresh(res.value.History) + && res.value.ValidState() + + // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals + function method CreateSuccessOfClient(client: IDynamoDbEncryptionClient): Result { + Success(client) + } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals + function method CreateFailureOfError(error: Error): Result { + Failure(error) + } + class DynamoDbEncryptionClient extends IDynamoDbEncryptionClient + { + constructor(config: Operations.InternalConfig) + requires Operations.ValidInternalConfig?(config) + ensures + && ValidState() + && fresh(History) + && this.config == config + const config: Operations.InternalConfig + predicate ValidState() + ensures ValidState() ==> + && Operations.ValidInternalConfig?(config) + && History !in Operations.ModifiesInternalConfig(config) + && Modifies == Operations.ModifiesInternalConfig(config) + {History} + predicate CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput , output: Result) + {Operations.CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method CreateDynamoDbEncryptionBranchKeyIdSupplier ( input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) + returns (output: Result) + requires + && ValidState() + && input.ddbKeyBranchKeyIdSupplier.ValidState() + && input.ddbKeyBranchKeyIdSupplier.Modifies !! {History} + modifies Modifies - {History} , + input.ddbKeyBranchKeyIdSupplier.Modifies , + History`CreateDynamoDbEncryptionBranchKeyIdSupplier + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + input.ddbKeyBranchKeyIdSupplier.Modifies + ensures + && ValidState() + && ( output.Success? 
==> + && output.value.branchKeyIdSupplier.ValidState() + && output.value.branchKeyIdSupplier.Modifies !! {History} + && fresh(output.value.branchKeyIdSupplier) + && fresh ( output.value.branchKeyIdSupplier.Modifies - Modifies - {History} - input.ddbKeyBranchKeyIdSupplier.Modifies ) ) + ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output) + ensures History.CreateDynamoDbEncryptionBranchKeyIdSupplier == old(History.CreateDynamoDbEncryptionBranchKeyIdSupplier) + [DafnyCallEvent(input, output)] + { + output := Operations.CreateDynamoDbEncryptionBranchKeyIdSupplier(config, input); + History.CreateDynamoDbEncryptionBranchKeyIdSupplier := History.CreateDynamoDbEncryptionBranchKeyIdSupplier + [DafnyCallEvent(input, output)]; + } + + } } - abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbOperations { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTypes - type InternalConfig - predicate ValidInternalConfig?(config: InternalConfig) - function ModifiesInternalConfig(config: InternalConfig): set - predicate CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput , output: Result) - // The private method to be refined by the library developer +abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbOperations { + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTypes + type InternalConfig + predicate ValidInternalConfig?(config: InternalConfig) + function ModifiesInternalConfig(config: InternalConfig): set + predicate CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput , output: Result) + // The private method to be refined by the library developer - method CreateDynamoDbEncryptionBranchKeyIdSupplier ( config: 
InternalConfig , input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - && input.ddbKeyBranchKeyIdSupplier.ValidState() - modifies ModifiesInternalConfig(config) , - input.ddbKeyBranchKeyIdSupplier.Modifies - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) , - input.ddbKeyBranchKeyIdSupplier.Modifies - ensures - && ValidInternalConfig?(config) - && ( output.Success? ==> - && output.value.branchKeyIdSupplier.ValidState() - && fresh(output.value.branchKeyIdSupplier) - && fresh ( output.value.branchKeyIdSupplier.Modifies - ModifiesInternalConfig(config) - input.ddbKeyBranchKeyIdSupplier.Modifies ) ) - ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output) + method CreateDynamoDbEncryptionBranchKeyIdSupplier ( config: InternalConfig , input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + && input.ddbKeyBranchKeyIdSupplier.ValidState() + modifies ModifiesInternalConfig(config) , + input.ddbKeyBranchKeyIdSupplier.Modifies + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) , + input.ddbKeyBranchKeyIdSupplier.Modifies + ensures + && ValidInternalConfig?(config) + && ( output.Success? ==> + && output.value.branchKeyIdSupplier.ValidState() + && fresh(output.value.branchKeyIdSupplier) + && fresh ( output.value.branchKeyIdSupplier.Modifies - ModifiesInternalConfig(config) - input.ddbKeyBranchKeyIdSupplier.Modifies ) ) + ensures CreateDynamoDbEncryptionBranchKeyIdSupplierEnsuresPublicly(input, output) } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/AwsCryptographyDbEncryptionSdkDynamoDbOperations.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/AwsCryptographyDbEncryptionSdkDynamoDbOperations.dfy index b2138e353..23b45586e 100644 
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/AwsCryptographyDbEncryptionSdkDynamoDbOperations.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/AwsCryptographyDbEncryptionSdkDynamoDbOperations.dfy @@ -13,7 +13,7 @@ module AwsCryptographyDbEncryptionSdkDynamoDbOperations refines AbstractAwsCrypt { {} } datatype Config = Config( - ) + ) type InternalConfig = Config @@ -25,12 +25,12 @@ module AwsCryptographyDbEncryptionSdkDynamoDbOperations refines AbstractAwsCrypt input: CreateDynamoDbEncryptionBranchKeyIdSupplierInput ) returns (output: Result) { var supplier := new DynamoDbEncryptionBranchKeyIdSupplier.DynamoDbEncryptionBranchKeyIdSupplier( - input.ddbKeyBranchKeyIdSupplier + input.ddbKeyBranchKeyIdSupplier ); return Success( CreateDynamoDbEncryptionBranchKeyIdSupplierOutput( branchKeyIdSupplier := supplier ) - ); + ); } } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy index 2ab32b296..aa7ee172f 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy @@ -179,11 +179,11 @@ module BaseBeacon { //# of the input string, the HMAC key from the [key materials](./search-config.md#get-beacon-key-materials) //# associated with this beacon, and the beacon length associated with this beacon. ensures res.Success? ==> - && keyName() in keys - && UTF8.Encode(val).Success? - && var str := UTF8.Encode(val).value; - && hash(str, keys[keyName()]).Success? - && res.value == hash(str, keys[keyName()]).value + && keyName() in keys + && UTF8.Encode(val).Success? + && var str := UTF8.Encode(val).value; + && hash(str, keys[keyName()]).Success? + && res.value == hash(str, keys[keyName()]).value { :- Need(keyName() in keys, E("Internal Error, no key for " + keyName())); var str := UTF8.Encode(val); 
@@ -230,64 +230,64 @@ module BaseBeacon { function method {:opaque} getHashSet(item : DDB.AttributeMap, key : Bytes) : (ret : Result, Error>) requires asSet ensures ret.Success? ==> - //= specification/searchable-encryption/beacons.md#value-for-a-set-standard-beacon - //= type=implication - //# * The returned - //# [AttributeValue](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_AttributeValue.html) - //# MUST be type "SS" StringSet. - && (ret.value.Some? ==> ret.value.value.SS?) - //= specification/searchable-encryption/beacons.md#value-for-a-set-standard-beacon - //= type=implication - //# * The resulting set MUST NOT contain duplicates. - && (ret.value.Some? ==> HasNoDuplicates(ret.value.value.SS)) - //= specification/searchable-encryption/beacons.md#asset-initialization - //= type=implication - //# * Writing an item MUST fail if the item contains this beacon's attribute, - //# and that attribute is not of type Set. - && var value := TermLoc.TermToAttr(loc, item, None); - && (value.Some? && !(value.value.SS? || value.value.NS? || value.value.BS?) ==> ret.Failure?) + //= specification/searchable-encryption/beacons.md#value-for-a-set-standard-beacon + //= type=implication + //# * The returned + //# [AttributeValue](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_AttributeValue.html) + //# MUST be type "SS" StringSet. + && (ret.value.Some? ==> ret.value.value.SS?) + //= specification/searchable-encryption/beacons.md#value-for-a-set-standard-beacon + //= type=implication + //# * The resulting set MUST NOT contain duplicates. + && (ret.value.Some? ==> HasNoDuplicates(ret.value.value.SS)) + //= specification/searchable-encryption/beacons.md#asset-initialization + //= type=implication + //# * Writing an item MUST fail if the item contains this beacon's attribute, + //# and that attribute is not of type Set. + && var value := TermLoc.TermToAttr(loc, item, None); + && (value.Some? && !(value.value.SS? || value.value.NS? 
|| value.value.BS?) ==> ret.Failure?) { - var value := TermLoc.TermToAttr(loc, item, None); - if value.None? then - Success(None) - else - //= specification/searchable-encryption/beacons.md#asset-initialization - //# * The Standard Beacon MUST be stored in the item as a Set, - //# comprised of the [beacon values](#beacon-value) of all the elements in the original Set. - var setValue :- ValueToSet(value.value, key); - Success(Some(setValue)) + var value := TermLoc.TermToAttr(loc, item, None); + if value.None? then + Success(None) + else + //= specification/searchable-encryption/beacons.md#asset-initialization + //# * The Standard Beacon MUST be stored in the item as a Set, + //# comprised of the [beacon values](#beacon-value) of all the elements in the original Set. + var setValue :- ValueToSet(value.value, key); + Success(Some(setValue)) } function method {:opaque} getHashNonSet(item : DDB.AttributeMap, vf : VirtualFieldMap, key : Bytes) : (ret : Result, Error>) - requires !asSet - ensures ret.Success? ==> - //= specification/searchable-encryption/beacons.md#value-for-a-non-set-standard-beacon - //= type=implication - //# * The returned - //# [AttributeValue](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_AttributeValue.html) - //# MUST be type "S" String. - && (ret.value.Some? ==> ret.value.value.S?) - && VirtToBytes(loc, item, vf).Success? - && var bytes := VirtToBytes(loc, item, vf).value; - //= specification/searchable-encryption/beacons.md#value-for-a-standard-beacon - //= type=implication - //# * This operation MUST return no value if the associated field does not exist in the record - && (bytes.None? ==> ret.value.None?) - //= specification/searchable-encryption/beacons.md#value-for-a-non-set-standard-beacon - //= type=implication - //# * This operation MUST convert the attribute value of the associated field to - //# a sequence of bytes, as per [attribute serialization](../dynamodb-encryption-client/ddb-attribute-serialization.md). 
- && (bytes.Some? ==> ret.value.Some? && hash(bytes.value, key).Success? && ret.value.value == DDB.AttributeValue.S(hash(bytes.value, key).value)) - //= specification/searchable-encryption/beacons.md#value-for-a-non-set-standard-beacon - //= type=implication - //# * This operation MUST return the [basicHash](#basichash) of the resulting bytes and the configured [beacon length](#beacon-length). - && (bytes.Some? ==> ret.value.Some? && base.hash(bytes.value, key, length).Success? && ret.value.value == DDB.AttributeValue.S(base.hash(bytes.value, key, length).value)) + requires !asSet + ensures ret.Success? ==> + //= specification/searchable-encryption/beacons.md#value-for-a-non-set-standard-beacon + //= type=implication + //# * The returned + //# [AttributeValue](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_AttributeValue.html) + //# MUST be type "S" String. + && (ret.value.Some? ==> ret.value.value.S?) + && VirtToBytes(loc, item, vf).Success? + && var bytes := VirtToBytes(loc, item, vf).value; + //= specification/searchable-encryption/beacons.md#value-for-a-standard-beacon + //= type=implication + //# * This operation MUST return no value if the associated field does not exist in the record + && (bytes.None? ==> ret.value.None?) + //= specification/searchable-encryption/beacons.md#value-for-a-non-set-standard-beacon + //= type=implication + //# * This operation MUST convert the attribute value of the associated field to + //# a sequence of bytes, as per [attribute serialization](../dynamodb-encryption-client/ddb-attribute-serialization.md). + && (bytes.Some? ==> ret.value.Some? && hash(bytes.value, key).Success? && ret.value.value == DDB.AttributeValue.S(hash(bytes.value, key).value)) + //= specification/searchable-encryption/beacons.md#value-for-a-non-set-standard-beacon + //= type=implication + //# * This operation MUST return the [basicHash](#basichash) of the resulting bytes and the configured [beacon length](#beacon-length). 
+ && (bytes.Some? ==> ret.value.Some? && base.hash(bytes.value, key, length).Success? && ret.value.value == DDB.AttributeValue.S(base.hash(bytes.value, key, length).value)) { - var bytes :- VirtToBytes(loc, item, vf); - if bytes.None? then - Success(None) - else - var res :- hash(bytes.value, key); - Success(Some(DDB.AttributeValue.S(res))) + var bytes :- VirtToBytes(loc, item, vf); + if bytes.None? then + Success(None) + else + var res :- hash(bytes.value, key); + Success(Some(DDB.AttributeValue.S(res))) } function method {:opaque} getNaked(item : DDB.AttributeMap, vf : VirtualFieldMap) : Result, Error> diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/CompoundBeacon.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/CompoundBeacon.dfy index 541232f5e..f2ff84f45 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/CompoundBeacon.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/CompoundBeacon.dfy @@ -195,14 +195,14 @@ module CompoundBeacon { else Join(beaconParts, "") } - + function method CListToString(p : ConstructorList) : string { var beaconParts := Seq.Map((s : Constructor) => CPartsToString(s.parts), p); Join(beaconParts, ", ") } - - // Can this constructor produce this list of parts? + + // Can this constructor produce this list of parts? // e.g. if the constructor has A_.B_ then // these are ok : A_foo, B_foo, A_foo.B_foo // these are bad : B_foo.A_foo, A_foo.A_foo @@ -222,7 +222,7 @@ module CompoundBeacon { false } - // Fail unless one of these constructor can make a beacon composed of this sequence of parts + // Fail unless one of these constructor can make a beacon composed of this sequence of parts predicate method {:tailrecursion} IsValidPartOrder(candidates : seq, inParts : seq) { if |candidates| == 0 then 
@@ -233,7 +233,7 @@ module CompoundBeacon { IsValidPartOrder(candidates[1..], inParts) } - // Fail unless it is possible to construct a beacon composed of this sequence of parts + // Fail unless it is possible to construct a beacon composed of this sequence of parts function method ValidatePartOrder(inParts : seq, orig : string) : Result { if IsValidPartOrder(construct, inParts) then @@ -273,7 +273,7 @@ module CompoundBeacon { SkipSignedPieces(pieces[1..]) } - // predicate : are these pieces compatible with a less than operation + // predicate : are these pieces compatible with a less than operation function method IsLessThanComparable(pieces : seq) : Result { var rest :- SkipSignedPieces(pieces); @@ -292,7 +292,7 @@ module CompoundBeacon { Seq.Flatten(Seq.Map((p : BeaconPart) => p.GetFields(virtualFields), parts)) } - // calculate value for a single piece of a compound beacon query string + // calculate value for a single piece of a compound beacon query string function method FindAndCalcPart(value : string, keys : MaybeKeyMap) : Result requires !keys.DontUseKeys? { diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy index af965a325..cb01aa7bf 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy @@ -266,9 +266,9 @@ module SearchConfigToInfo { && var name := loc[0].key; && name in outer.attributeActionsOnEncrypt && ( - || outer.attributeActionsOnEncrypt[name] == SE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT - || outer.attributeActionsOnEncrypt[name] == SE.SIGN_ONLY - ) + || outer.attributeActionsOnEncrypt[name] == SE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT + || outer.attributeActionsOnEncrypt[name] == SE.SIGN_ONLY + ) } // is this terminal location encrypted 
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoDbEncryptionBranchKeyIdSupplier.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoDbEncryptionBranchKeyIdSupplier.dfy index 8e95530b9..4533b8def 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoDbEncryptionBranchKeyIdSupplier.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoDbEncryptionBranchKeyIdSupplier.dfy @@ -11,7 +11,7 @@ module DynamoDbEncryptionBranchKeyIdSupplier { class DynamoDbEncryptionBranchKeyIdSupplier extends MPL.IBranchKeyIdSupplier - { + { const ddbKeyBranchKeyIdSupplier: IDynamoDbKeyBranchKeyIdSupplier predicate ValidState() diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy index 38e852c4d..84543c2a7 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy @@ -61,8 +61,8 @@ module DynamoToStruct { //# - The [Terminal Value](../structured-encryption/structures.md#terminal-value) for each attribute MUST //# be the [Value](./ddb-attribute-serialization.md#type-id) of the [serialization](./ddb-attribute-serialization.md) of this Attribute Value. ensures ret.Success? ==> forall kv <- ret.value.Items :: - && TopLevelAttributeToBytes(item[kv.0]).Success? - && kv.1.content.Terminal.value == TopLevelAttributeToBytes(item[kv.0]).value + && TopLevelAttributeToBytes(item[kv.0]).Success? + && kv.1.content.Terminal.value == TopLevelAttributeToBytes(item[kv.0]).value { var structuredMap := map k <- item :: k := AttrToStructured(item[k]); 
@@ -85,14 +85,14 @@ module DynamoToStruct { //= type=implication //# - MUST NOT have any `Key` strings that are invalid DynamoDB AttributeNames, that is, with more than 65535 characters. ensures ret.Success? ==> forall k <- s.Keys :: IsValid_AttributeName(k) - + //= specification/dynamodb-encryption-client/ddb-item-conversion.md#convert-structured-data-to-ddb-item //= type=implication //# - Each Attribute MUST be deserializable //# according to [the serialization scheme](./ddb-attribute-serialization.md#value). ensures ret.Success? ==> forall kv <- ret.value.Items :: - && StructuredToAttr(s[kv.0]).Success? - && kv.1 == StructuredToAttr(s[kv.0]).value + && StructuredToAttr(s[kv.0]).Success? + && kv.1 == StructuredToAttr(s[kv.0]).value { if forall k <- s.Keys :: IsValid_AttributeName(k) then var structuredData := map k <- s :: k := StructuredToAttr(s[k]); @@ -113,7 +113,7 @@ module DynamoToStruct { lemma RoundTripFromItem(item : AttributeValue) ensures item.B? && AttrToStructured(item).Success? ==> StructuredToAttr(AttrToStructured(item).value).Success? ensures item.NULL? && AttrToStructured(item).Success? ==> - && StructuredToAttr(AttrToStructured(item).value).Success? + && StructuredToAttr(AttrToStructured(item).value).Success? ensures item.BOOL? && AttrToStructured(item).Success? ==> StructuredToAttr(AttrToStructured(item).value).Success? { reveal AttrToStructured(); 
@@ -127,12 +127,12 @@ module DynamoToStruct { // Prove round trip. A work in progress lemma RoundTripFromStructured(s : StructuredData) ensures StructuredToAttr(s).Success? && s.content.Terminal.typeId == SE.BINARY ==> - && AttrToStructured(StructuredToAttr(s).value).Success? + && AttrToStructured(StructuredToAttr(s).value).Success? ensures StructuredToAttr(s).Success? && s.content.Terminal.typeId == SE.BOOLEAN ==> - && AttrToStructured(StructuredToAttr(s).value).Success? + && AttrToStructured(StructuredToAttr(s).value).Success? ensures StructuredToAttr(s).Success? && s.content.Terminal.typeId == SE.NULL ==> - && AttrToStructured(StructuredToAttr(s).value).Success? -{ + && AttrToStructured(StructuredToAttr(s).value).Success? + { reveal AttrToStructured(); reveal StructuredToAttr(); reveal TopLevelAttributeToBytes(); @@ -165,8 +165,8 @@ module DynamoToStruct { ensures ret.Success? ==> ret.value.content.Terminal? ensures ret.Success? ==> ret.value.content.Terminal.typeId == AttrToTypeId(item) ensures ret.Success? ==> - && TopLevelAttributeToBytes(item).Success? - && ret.value.content.Terminal.value == TopLevelAttributeToBytes(item).value + && TopLevelAttributeToBytes(item).Success? + && ret.value.content.Terminal.value == TopLevelAttributeToBytes(item).value { var body :- TopLevelAttributeToBytes(item); Success(StructuredData(content := Terminal(StructuredDataTerminal(value := body, typeId := AttrToTypeId(item))), attributes := None)) 
@@ -195,10 +195,10 @@ module DynamoToStruct { Success(attrValueAndLength.val) } - const BOOL_LEN : nat := 1 // number of bytes in an encoded boolean - const TYPEID_LEN : nat := 2 // number of bytes in a TerminalTypeId - const LENGTH_LEN : nat := 4 // number of bytes in an encoded count or length - const PREFIX_LEN : nat := 6 // number of bytes in a prefix, i.e. 2-byte type and 4-byte length + const BOOL_LEN : nat := 1 // number of bytes in an encoded boolean + const TYPEID_LEN : nat := 2 // number of bytes in a TerminalTypeId + const LENGTH_LEN : nat := 4 // number of bytes in an encoded count or length + const PREFIX_LEN : nat := 6 // number of bytes in a prefix, i.e. 2-byte type and 4-byte length function method AttrToTypeId(a : AttributeValue) : TerminalTypeId { 
@@ -233,13 +233,13 @@ module DynamoToStruct { //# - `0x00` if the value is `false` //# - `0x01` if the value is `true` ensures a.BOOL? && !prefix && depth <= MAX_STRUCTURE_DEPTH ==> - && (a.BOOL ==> ret.Success? && |ret.value| == BOOL_LEN && ret.value[0] == 1) - && (!a.BOOL ==> ret.Success? && |ret.value| == BOOL_LEN && ret.value[0] == 0) + && (a.BOOL ==> ret.Success? && |ret.value| == BOOL_LEN && ret.value[0] == 1) + && (!a.BOOL ==> ret.Success? && |ret.value| == BOOL_LEN && ret.value[0] == 0) ensures a.BOOL? && prefix && depth <= MAX_STRUCTURE_DEPTH ==> - && (a.BOOL ==> (ret.Success? && |ret.value| == PREFIX_LEN+BOOL_LEN && ret.value[PREFIX_LEN] == 1 - && ret.value[0..TYPEID_LEN] == SE.BOOLEAN && ret.value[TYPEID_LEN..PREFIX_LEN] == [0,0,0,1])) - && (!a.BOOL ==> (ret.Success? && |ret.value| == PREFIX_LEN+BOOL_LEN && ret.value[PREFIX_LEN] == 0 - && ret.value[0..TYPEID_LEN] == SE.BOOLEAN && ret.value[TYPEID_LEN..PREFIX_LEN] == [0,0,0,1])) + && (a.BOOL ==> (ret.Success? && |ret.value| == PREFIX_LEN+BOOL_LEN && ret.value[PREFIX_LEN] == 1 + && ret.value[0..TYPEID_LEN] == SE.BOOLEAN && ret.value[TYPEID_LEN..PREFIX_LEN] == [0,0,0,1])) + && (!a.BOOL ==> (ret.Success? && |ret.value| == PREFIX_LEN+BOOL_LEN && ret.value[PREFIX_LEN] == 0 + && ret.value[0..TYPEID_LEN] == SE.BOOLEAN && ret.value[TYPEID_LEN..PREFIX_LEN] == [0,0,0,1])) //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#binary //= type=implication 
@@ -247,31 +247,31 @@ module DynamoToStruct { //# or more plainly, Binary Attribute Values are used as is. ensures a.B? && !prefix && depth <= MAX_STRUCTURE_DEPTH ==> ret.Success? && ret.value == a.B ensures a.B? && prefix && ret.Success? && depth <= MAX_STRUCTURE_DEPTH ==> - && ret.value[PREFIX_LEN..] == a.B - && ret.value[0..TYPEID_LEN] == SE.BINARY - && U32ToBigEndian(|a.B|).Success? - && ret.value[TYPEID_LEN..PREFIX_LEN] == U32ToBigEndian(|a.B|).value - && BigEndianToU32(ret.value[TYPEID_LEN..PREFIX_LEN]).value == |a.B| + && ret.value[PREFIX_LEN..] == a.B + && ret.value[0..TYPEID_LEN] == SE.BINARY + && U32ToBigEndian(|a.B|).Success? + && ret.value[TYPEID_LEN..PREFIX_LEN] == U32ToBigEndian(|a.B|).value + && BigEndianToU32(ret.value[TYPEID_LEN..PREFIX_LEN]).value == |a.B| //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#null //= type=implication //# Null MUST be serialized as a zero-length byte string. ensures a.NULL? && !prefix && depth <= MAX_STRUCTURE_DEPTH ==> ret.Success? && |ret.value| == 0 ensures a.NULL? && prefix && depth <= MAX_STRUCTURE_DEPTH ==> ret.Success? && |ret.value| == PREFIX_LEN && ret.value[0..TYPEID_LEN] == SE.NULL && ret.value[TYPEID_LEN..PREFIX_LEN] == [0,0,0,0] - + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#string //= type=implication //# String MUST be serialized as UTF-8 encoded bytes. - ensures a.S? && ret.Success? && !prefix ==> - UTF8.Decode(ret.value).Success? && UTF8.Decode(ret.value).value == a.S - ensures a.S? && ret.Success? && prefix ==> - && UTF8.Decode(ret.value[PREFIX_LEN..]).Success? - && UTF8.Decode(ret.value[PREFIX_LEN..]).value == a.S - && ret.value[0..TYPEID_LEN] == SE.STRING - && UTF8.Encode(a.S).Success? - && U32ToBigEndian(|UTF8.Encode(a.S).value|).Success? - && ret.value[TYPEID_LEN..PREFIX_LEN] == U32ToBigEndian(|UTF8.Encode(a.S).value|).value - + ensures a.S? && ret.Success? && !prefix ==> + UTF8.Decode(ret.value).Success? 
&& UTF8.Decode(ret.value).value == a.S + ensures a.S? && ret.Success? && prefix ==> + && UTF8.Decode(ret.value[PREFIX_LEN..]).Success? + && UTF8.Decode(ret.value[PREFIX_LEN..]).value == a.S + && ret.value[0..TYPEID_LEN] == SE.STRING + && UTF8.Encode(a.S).Success? + && U32ToBigEndian(|UTF8.Encode(a.S).value|).Success? + && ret.value[TYPEID_LEN..PREFIX_LEN] == U32ToBigEndian(|UTF8.Encode(a.S).value|).value + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#number //= type=implication //# This value MUST be normalized in the same way as DynamoDB normalizes numbers. 
@@ -280,18 +280,18 @@ module DynamoToStruct { //= type=implication //# This normalized value MUST then be serialized as UTF-8 encoded bytes. ensures a.N? && ret.Success? && !prefix ==> - && Norm.NormalizeNumber(a.N).Success? - && var nn := Norm.NormalizeNumber(a.N).value; - && UTF8.Decode(ret.value).Success? && UTF8.Decode(ret.value).value == nn - ensures a.N? && ret.Success? && prefix ==> - && Norm.NormalizeNumber(a.N).Success? - && var nn := Norm.NormalizeNumber(a.N).value; - && UTF8.Decode(ret.value[PREFIX_LEN..]).Success? - && UTF8.Decode(ret.value[PREFIX_LEN..]).value == nn - && ret.value[0..TYPEID_LEN] == SE.NUMBER - && UTF8.Encode(nn).Success? - && U32ToBigEndian(|UTF8.Encode(nn).value|).Success? - && ret.value[TYPEID_LEN..PREFIX_LEN] == U32ToBigEndian(|UTF8.Encode(nn).value|).value + && Norm.NormalizeNumber(a.N).Success? + && var nn := Norm.NormalizeNumber(a.N).value; + && UTF8.Decode(ret.value).Success? && UTF8.Decode(ret.value).value == nn + ensures a.N? && ret.Success? && prefix ==> + && Norm.NormalizeNumber(a.N).Success? + && var nn := Norm.NormalizeNumber(a.N).value; + && UTF8.Decode(ret.value[PREFIX_LEN..]).Success? + && UTF8.Decode(ret.value[PREFIX_LEN..]).value == nn + && ret.value[0..TYPEID_LEN] == SE.NUMBER + && UTF8.Encode(nn).Success? + && U32ToBigEndian(|UTF8.Encode(nn).value|).Success? + && ret.value[TYPEID_LEN..PREFIX_LEN] == U32ToBigEndian(|UTF8.Encode(nn).value|).value //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-entries //= type=implication 
@@ -312,23 +312,23 @@ module DynamoToStruct { //# equal to the number of serialized entries in //# [Set Entries](#set-entries). ensures a.BS? && ret.Success? && !prefix ==> - && U32ToBigEndian(|a.BS|).Success? - && |ret.value| >= LENGTH_LEN - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.BS|).value - && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.BS| + && U32ToBigEndian(|a.BS|).Success? + && |ret.value| >= LENGTH_LEN + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.BS|).value + && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.BS| - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-count - //= type=implication - //# Set Count MAY be `0`, - //# in which case [Set Entries](#set-entries) is a zero-length byte string. - && (|a.BS| == 0 ==> |ret.value| == LENGTH_LEN) + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-count + //= type=implication + //# Set Count MAY be `0`, + //# in which case [Set Entries](#set-entries) is a zero-length byte string. + && (|a.BS| == 0 ==> |ret.value| == LENGTH_LEN) ensures a.BS? && ret.Success? && prefix ==> - && U32ToBigEndian(|a.BS|).Success? - && |ret.value| >= PREFIX_LEN + LENGTH_LEN - && ret.value[0..TYPEID_LEN] == SE.BINARY_SET - && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.BS|).value - && (|a.BS| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN) + && U32ToBigEndian(|a.BS|).Success? + && |ret.value| >= PREFIX_LEN + LENGTH_LEN + && ret.value[0..TYPEID_LEN] == SE.BINARY_SET + && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.BS|).value + && (|a.BS| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN) //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-entries //= type=implication 
@@ -337,15 +337,15 @@ module DynamoToStruct { ensures a.SS? && ret.Success? ==> Seq.HasNoDuplicates(a.SS) ensures a.SS? && ret.Success? && !prefix ==> - && U32ToBigEndian(|a.SS|).Success? - && |ret.value| >= LENGTH_LEN - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.SS|).value - && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.SS| + && U32ToBigEndian(|a.SS|).Success? + && |ret.value| >= LENGTH_LEN + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.SS|).value + && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.SS| ensures a.SS? && ret.Success? && prefix ==> - && U32ToBigEndian(|a.SS|).Success? - && |ret.value| >= PREFIX_LEN + LENGTH_LEN - && ret.value[0..TYPEID_LEN] == SE.STRING_SET - && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.SS|).value + && U32ToBigEndian(|a.SS|).Success? + && |ret.value| >= PREFIX_LEN + LENGTH_LEN + && ret.value[0..TYPEID_LEN] == SE.STRING_SET + && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.SS|).value //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-entries //= type=implication 
@@ -354,14 +354,14 @@ module DynamoToStruct { ensures a.NS? && ret.Success? ==> Seq.HasNoDuplicates(a.NS) ensures a.NS? && ret.Success? && !prefix ==> - && U32ToBigEndian(|a.NS|).Success? - && |ret.value| >= LENGTH_LEN - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.NS|).value + && U32ToBigEndian(|a.NS|).Success? + && |ret.value| >= LENGTH_LEN + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.NS|).value ensures a.NS? && ret.Success? && prefix ==> - && U32ToBigEndian(|a.NS|).Success? - && |ret.value| >= PREFIX_LEN + LENGTH_LEN - && ret.value[0..TYPEID_LEN] == SE.NUMBER_SET - && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.NS|).value + && U32ToBigEndian(|a.NS|).Success? + && |ret.value| >= PREFIX_LEN + LENGTH_LEN + && ret.value[0..TYPEID_LEN] == SE.NUMBER_SET + && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.NS|).value //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#list //= type=implication 
@@ -371,28 +371,28 @@ module DynamoToStruct { //# | List Count | 4 | //# | List Entries | Variable | ensures a.L? && ret.Success? && !prefix ==> - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#list-count - //= type=implication - //# List Count MUST be a big-endian unsigned integer - //# equal to the number of serialized list entries in - //# [List Entries](#list-entries). - && U32ToBigEndian(|a.L|).Success? - && |ret.value| >= LENGTH_LEN - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.L|).value - && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.L| - - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#list-count - //= type=implication - //# List Count MAY be `0`, - //# in which case [List Entries](#list-entries) is an empty byte string. - && (|a.L| == 0 ==> |ret.value| == LENGTH_LEN) + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#list-count + //= type=implication + //# List Count MUST be a big-endian unsigned integer + //# equal to the number of serialized list entries in + //# [List Entries](#list-entries). + && U32ToBigEndian(|a.L|).Success? + && |ret.value| >= LENGTH_LEN + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.L|).value + && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.L| + + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#list-count + //= type=implication + //# List Count MAY be `0`, + //# in which case [List Entries](#list-entries) is an empty byte string. + && (|a.L| == 0 ==> |ret.value| == LENGTH_LEN) ensures a.L? && ret.Success? && prefix ==> - && U32ToBigEndian(|a.L|).Success? - && |ret.value| >= PREFIX_LEN + LENGTH_LEN - && ret.value[0..TYPEID_LEN] == SE.LIST - && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.L|).value - && (|a.L| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN) + && U32ToBigEndian(|a.L|).Success? 
+ && |ret.value| >= PREFIX_LEN + LENGTH_LEN + && ret.value[0..TYPEID_LEN] == SE.LIST + && ret.value[PREFIX_LEN..PREFIX_LEN+LENGTH_LEN] == U32ToBigEndian(|a.L|).value + && (|a.L| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN) //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#map-attribute //= type=implication 
@@ -402,28 +402,28 @@ module DynamoToStruct { //# | Key Value Pair Count | 4 | //# | Key Value Pair Entries | Variable | ensures a.M? && ret.Success? && !prefix ==> - && U32ToBigEndian(|a.M|).Success? - && |ret.value| >= LENGTH_LEN - - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-count - //= type=implication - //# Key Value Pair Count MUST be a big-endian unsigned integer - //# equal to the number of serialized key-value pairs in - //# [Key Value Pair Entries](#key-value-pair-entries). - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.M|).value - && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.M| - - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-count - //= type=implication - //# Key Value Pair Count MAY be `0`, - //# in which case [Key Value Pair Entries](#key-value-pair-entries) is an empty bytestring. - && (|a.M| == 0 ==> |ret.value| == LENGTH_LEN) + && U32ToBigEndian(|a.M|).Success? + && |ret.value| >= LENGTH_LEN + + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-count + //= type=implication + //# Key Value Pair Count MUST be a big-endian unsigned integer + //# equal to the number of serialized key-value pairs in + //# [Key Value Pair Entries](#key-value-pair-entries). + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|a.M|).value + && BigEndianToU32(ret.value[0..LENGTH_LEN]).value == |a.M| + + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-count + //= type=implication + //# Key Value Pair Count MAY be `0`, + //# in which case [Key Value Pair Entries](#key-value-pair-entries) is an empty bytestring. + && (|a.M| == 0 ==> |ret.value| == LENGTH_LEN) ensures a.M? && ret.Success? && prefix ==> - && U32ToBigEndian(|a.M|).Success? 
- && |ret.value| >= PREFIX_LEN + LENGTH_LEN - && ret.value[0..TYPEID_LEN] == AttrToTypeId(a) - && (|a.M| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN) + && U32ToBigEndian(|a.M|).Success? + && |ret.value| >= PREFIX_LEN + LENGTH_LEN + && ret.value[0..TYPEID_LEN] == AttrToTypeId(a) + && (|a.M| == 0 ==> |ret.value| == PREFIX_LEN + LENGTH_LEN) { :- Need(depth <= MAX_STRUCTURE_DEPTH, "Depth of attribute structure to serialize exceeds limit of " + MAX_STRUCTURE_DEPTH_STR); @@ -539,15 +539,15 @@ module DynamoToStruct { lemma U32ToBigEndianRoundTrip(x : nat) ensures U32ToBigEndian(x).Success? ==> - && BigEndianToU32(U32ToBigEndian(x).value).Success? - && BigEndianToU32(U32ToBigEndian(x).value).value == x + && BigEndianToU32(U32ToBigEndian(x).value).Success? + && BigEndianToU32(U32ToBigEndian(x).value).value == x {} lemma BigEndianToU32RoundTrip(x : seq) requires |x| == 4 ensures BigEndianToU32(x).Success? ==> - && U32ToBigEndian(BigEndianToU32(x).value).Success? - && U32ToBigEndian(BigEndianToU32(x).value).value == x + && U32ToBigEndian(BigEndianToU32(x).value).Success? + && U32ToBigEndian(BigEndianToU32(x).value).value == x {} function method U32ToBigEndian(x : nat) : (ret : Result, string>) @@ -566,7 +566,7 @@ module DynamoToStruct { else Success(SeqToUInt32(x[..LENGTH_LEN]) as nat) } - + predicate IsSorted(s: seq, lessThanOrEq: (T, T) -> bool) { forall j, k :: 0 <= j < k < |s| ==> lessThanOrEq(s[j], s[k]) } 
@@ -575,11 +575,11 @@ module DynamoToStruct { // The Duvet implications set-entries and set-entry-length mentioned in SerializeBinaryValue // are also implied here for String Sets and Number Sets ensures ret.Success? ==> - && UTF8.Encode(s).Success? - && U32ToBigEndian(|UTF8.Encode(s).value|).Success? - && |ret.value| == LENGTH_LEN + |UTF8.Encode(s).value| - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|UTF8.Encode(s).value|).value - && ret.value[LENGTH_LEN..] == UTF8.Encode(s).value + && UTF8.Encode(s).Success? + && U32ToBigEndian(|UTF8.Encode(s).value|).Success? + && |ret.value| == LENGTH_LEN + |UTF8.Encode(s).value| + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|UTF8.Encode(s).value|).value + && ret.value[LENGTH_LEN..] == UTF8.Encode(s).value { var val :- UTF8.Encode(s); var len :- U32ToBigEndian(|val|); @@ -588,7 +588,7 @@ module DynamoToStruct { // String Set or Number Set to Bytes function method {:tailrecursion} {:opaque} CollectString( setToSerialize : StringSetAttributeValue, - serialized : seq := []) + serialized : seq := []) : Result, string> { if |setToSerialize| == 0 then 
@@ -609,19 +609,19 @@ module DynamoToStruct { //# | Set Entry Length | 4 | //# | Set Entry Value | Variable. Equal to Set Entry Length. | ensures ret.Success? ==> - && U32ToBigEndian(|b|).Success? - && |ret.value| == LENGTH_LEN + |b| - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-entry-length - //= type=implication - //# Set Entry Length MUST be a big-endian unsigned integer - //# equal to the length of [Set Entry Value](#set-entry-value). - && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|b|).value - && ret.value[LENGTH_LEN..] == b + && U32ToBigEndian(|b|).Success? + && |ret.value| == LENGTH_LEN + |b| + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#set-entry-length + //= type=implication + //# Set Entry Length MUST be a big-endian unsigned integer + //# equal to the length of [Set Entry Value](#set-entry-value). + && ret.value[0..LENGTH_LEN] == U32ToBigEndian(|b|).value + && ret.value[LENGTH_LEN..] == b { var len :- U32ToBigEndian(|b|); Success(len + b) } - + // Binary Set to Bytes function method {:tailrecursion} CollectBinary(setToSerialize : BinarySetAttributeValue, serialized : seq := []) : Result, string> { @@ -673,7 +673,7 @@ module DynamoToStruct { } function method SerializeMapItem(key : string, value : seq) : (ret : Result, string>) - + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-type //= type=implication //# Key Type MUST be the [Type ID](#type-id) for Strings. 
@@ -682,41 +682,41 @@ module DynamoToStruct { //= type=implication //# Map Key MUST be a [String Value](#string). ensures ret.Success? ==> - && |ret.value| >= TYPEID_LEN - && ret.value[0..TYPEID_LEN] == SE.STRING - && UTF8.Encode(key).Success? - && |ret.value| == TYPEID_LEN + LENGTH_LEN + |UTF8.Encode(key).value| + |value| - && UTF8.Decode(ret.value[TYPEID_LEN+LENGTH_LEN..TYPEID_LEN+LENGTH_LEN+|UTF8.Encode(key).value|]).Success? - && UTF8.Decode(ret.value[TYPEID_LEN+LENGTH_LEN..TYPEID_LEN+LENGTH_LEN+|UTF8.Encode(key).value|]).value == key + && |ret.value| >= TYPEID_LEN + && ret.value[0..TYPEID_LEN] == SE.STRING + && UTF8.Encode(key).Success? + && |ret.value| == TYPEID_LEN + LENGTH_LEN + |UTF8.Encode(key).value| + |value| + && UTF8.Decode(ret.value[TYPEID_LEN+LENGTH_LEN..TYPEID_LEN+LENGTH_LEN+|UTF8.Encode(key).value|]).Success? + && UTF8.Decode(ret.value[TYPEID_LEN+LENGTH_LEN..TYPEID_LEN+LENGTH_LEN+|UTF8.Encode(key).value|]).value == key //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-length //= type=implication //# Key Length MUST be a non-zero big-endian unsigned integer //# equal to the length of [Map Key](#map-key). ensures ret.Success? ==> - && UTF8.Encode(key).Success? - && U32ToBigEndian(|UTF8.Encode(key).value|).Success? - && |ret.value| >= TYPEID_LEN+LENGTH_LEN - && ret.value[TYPEID_LEN..TYPEID_LEN+LENGTH_LEN] == U32ToBigEndian(|UTF8.Encode(key).value|).value + && UTF8.Encode(key).Success? + && U32ToBigEndian(|UTF8.Encode(key).value|).Success? 
+ && |ret.value| >= TYPEID_LEN+LENGTH_LEN + && ret.value[TYPEID_LEN..TYPEID_LEN+LENGTH_LEN] == U32ToBigEndian(|UTF8.Encode(key).value|).value { - var name :- UTF8.Encode(key); - assert UTF8.Decode(name).Success?; - var len :- U32ToBigEndian(|name|); + var name :- UTF8.Encode(key); + assert UTF8.Decode(name).Success?; + var len :- U32ToBigEndian(|name|); - //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-entries - //# Each key-value pair MUST be serialized as: - //# | Field | Length | - //# | ------------ | -------- | - //# | Key Type | 2 | - //# | Key Length | 4 | - //# | Map Key | Variable | - //# | Value Type | 2 | - //# | Value Length | 4 | - //# | Map Value | Variable | - - var serialized := SE.STRING + len + name + value; - assert |serialized| == TYPEID_LEN + LENGTH_LEN + |name| + |value|; - Success(serialized) + //= specification/dynamodb-encryption-client/ddb-attribute-serialization.md#key-value-pair-entries + //# Each key-value pair MUST be serialized as: + //# | Field | Length | + //# | ------------ | -------- | + //# | Key Type | 2 | + //# | Key Length | 4 | + //# | Map Key | Variable | + //# | Value Type | 2 | + //# | Value Length | 4 | + //# | Map Value | Variable | + + var serialized := SE.STRING + len + name + value; + assert |serialized| == TYPEID_LEN + LENGTH_LEN + |name| + |value|; + Success(serialized) } // Map to Bytes // input sequence is already serialized @@ -751,7 +751,7 @@ module DynamoToStruct { var data :- SerializeMapItem(keys[0], mapToSerialize[keys[0]]); CollectOrderedMapSubset(keys[1..], mapToSerialize, serialized + data) } - + function method BoolToUint8(b : bool) : uint8 { if b then 1 else 0 
@@ -835,10 +835,10 @@ module DynamoToStruct { // Bytes to Number Set function method {:tailrecursion} {:vcs_split_on_every_assert} {:opaque} DeserializeNumberSet( - serialized : seq, - remainingCount : nat, - origSerializedSize : nat, - resultSet : AttrValueAndLength) + serialized : seq, + remainingCount : nat, + origSerializedSize : nat, + resultSet : AttrValueAndLength) : (ret : Result) requires resultSet.val.NS? ensures ret.Success? ==> ret.value.val.NS? @@ -865,12 +865,12 @@ module DynamoToStruct { var nattr := AttributeValue.NS(resultSet.val.NS + [nstring]); DeserializeNumberSet(serialized[len..], remainingCount-1, origSerializedSize, AttrValueAndLength(nattr, resultSet.len + len + LENGTH_LEN)) } - + // Bytes to List // Can't be {:tailrecursion} because it calls BytesToAttr which might again call DeserializeList function method {:vcs_split_on_every_assert} {:opaque} DeserializeList( - serialized : seq, - remainingCount : nat, + serialized : seq, + remainingCount : nat, ghost origSerializedSize : nat, depth : nat, resultList : AttrValueAndLength) @@ -954,7 +954,7 @@ module DynamoToStruct { assert |serialized| + newResultMap.len == origSerializedSize; DeserializeMap(serialized, remainingCount - 1, origSerializedSize, depth, newResultMap) } - + // Bytes to AttributeValue // Can't be {:tailrecursion} because it calls DeserializeList and DeserializeMap which then call BytesToAttr function method {:vcs_split_on_every_assert} {:opaque} BytesToAttr( 
@@ -970,12 +970,12 @@ module DynamoToStruct { { :- Need(depth <= MAX_STRUCTURE_DEPTH, "Depth of attribute structure to deserialize exceeds limit of " + MAX_STRUCTURE_DEPTH_STR); var len :- if hasLen then - if |value| < LENGTH_LEN then - Failure("Out of bytes reading length") - else - BigEndianToU32(value) - else - Success(|value|); + if |value| < LENGTH_LEN then + Failure("Out of bytes reading length") + else + BigEndianToU32(value) + else + Success(|value|); var value := if hasLen then value[LENGTH_LEN..] else value; var lengthBytes := if hasLen then LENGTH_LEN else 0; @@ -1055,7 +1055,7 @@ module DynamoToStruct { else Failure("Unsupported TerminalTypeId") - + } function method FlattenValueMap(m : map>): map { diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy index a28e3f143..b9cdb6384 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy 
@@ -1280,18 +1280,18 @@ module DynamoDBFilterExpr {
 else if |b| == 0 then
 false
 else
- if a[0] == b[0] then
- UnicodeLess(a[1..], b[1..]) // correct independent of surrogate status
+ if a[0] == b[0] then
+ UnicodeLess(a[1..], b[1..]) // correct independent of surrogate status
+ else
+ var aIsHighSurrogate := IsHighSurrogate(a[0]);
+ var bIsHighSurrogate := IsHighSurrogate(b[0]);
+ if aIsHighSurrogate == bIsHighSurrogate then
+ a[0] < b[0]
 else
- var aIsHighSurrogate := IsHighSurrogate(a[0]);
- var bIsHighSurrogate := IsHighSurrogate(b[0]);
- if aIsHighSurrogate == bIsHighSurrogate then
- a[0] < b[0]
- else
- bIsHighSurrogate
- // we know aIsHighSurrogate != bIsHighSurrogate and a[0] != b[0]
- // so if bIsHighSurrogate then a is less
- // and if aIsHighSurrogate then a is greater
+ bIsHighSurrogate
+ // we know aIsHighSurrogate != bIsHighSurrogate and a[0] != b[0]
+ // so if bIsHighSurrogate then a is less
+ // and if aIsHighSurrogate then a is greater
 }
 
 predicate method UnicodeLessOrEqual(a : string, b : string)
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/SearchInfo.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/SearchInfo.dfy
index bee6418a7..672700655 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/SearchInfo.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/SearchInfo.dfy
@@ -455,7 +455,7 @@ module SearchableEncryptionInfo {
 else
 cmp.GetBeaconValue(value, keys, forEquality)
 }
- 
+
 predicate ValidState()
 {
 if Standard? then
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/TermLoc.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/TermLoc.dfy
index 9acdbd326..9e01fdc19 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/TermLoc.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/TermLoc.dfy
@@ -38,10 +38,10 @@ module TermLoc { type Bytes = seq type SelectorList = x : seq | |x| < UINT64_LIMIT - //= specification/searchable-encryption/virtual.md#terminal-location - //= type=implication - //# A Terminal Location specification MUST be a list of one more [Segments](#segments), - //# the first one of which must be a string index. + //= specification/searchable-encryption/virtual.md#terminal-location + //= type=implication + //# A Terminal Location specification MUST be a list of one more [Segments](#segments), + //# the first one of which must be a string index. type TermLoc = x : seq | ValidTermLoc(x) witness * predicate method ValidTermLoc(s : seq) { @@ -92,7 +92,7 @@ module TermLoc { Success(None) else var res :- AttrValueToString(part.value); - Success(Some(res)) + Success(Some(res)) } // return the string value for the given terminal in the given item @@ -175,11 +175,11 @@ module TermLoc { // that is, '[' or '.' function method {:opaque} FindStartOfNext(s : string) : (index : Option) - ensures index.Some? ==> - && index.value < |s| - && (s[index.value] == '.' || s[index.value] == '[') - && '.' !in s[..index.value] - && '[' !in s[..index.value] + ensures index.Some? ==> + && index.value < |s| + && (s[index.value] == '.' || s[index.value] == '[') + && '.' !in s[..index.value] + && '[' !in s[..index.value] ensures index.None? ==> '.' !in s && '[' !in s { var dot := FindIndexMatching(s, '.', 0); 
@@ -221,18 +221,18 @@ module TermLoc {
 //# - A literal "[" followed by a decimal integer followed by a literal "]",
 //# indicating an index into a Structured Data List.
 ensures ret.Success? ==>
- && (s[0] == '.' ==> ret.value.Map?)
- && (s[0] == '[' ==> ret.value.List?)
+ && (s[0] == '.' ==> ret.value.Map?)
+ && (s[0] == '[' ==> ret.value.List?)
 {
 if s[0] == '.' then
 Success(Map(s[1..]))
 else
- if s[|s|-1] != ']' then
- Failure(E("List index must end with ]"))
- else
- var num :- GetNumber(s[1..|s|-1]);
- :- Need(num < UINT64_LIMIT, E("Array selector exceeds maximum."));
- Success(List(num as uint64))
+ if s[|s|-1] != ']' then
+ Failure(E("List index must end with ]"))
+ else
+ var num :- GetNumber(s[1..|s|-1]);
+ :- Need(num < UINT64_LIMIT, E("Array selector exceeds maximum."));
+ Success(List(num as uint64))
 }
 
 // convert string to SelectorList
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/UpdateExpr.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/UpdateExpr.dfy
index ef5685b9a..e9341e574 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/UpdateExpr.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/UpdateExpr.dfy
@@ -95,14 +95,14 @@ module DynamoDbUpdateExpr {
 else if '0' <= ch <= '9' then
 true
 else if ch in ['[' ,']' ,'.'] then
- true
+ true
 else
- false
+ false
 }
 
 // length of the prefix of s that is an attribute name
 function method {:tailrecursion} AttrLen(s : string): (res : nat)
- ensures res <= |s|
+ ensures res <= |s|
 {
 if 0 == |s| then
 0
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Virtual.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Virtual.dfy
index bdcf851a8..c3cdbf5f6 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Virtual.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/Virtual.dfy
@@ -285,9 +285,9 @@ module DdbVirtualFields { //# GetSegments MUST return the range of parts from low (inclusive) to high (exclusive), //# joined on the `split` character. && (lo < hi ==> ret == Join(parts[lo..hi], [split])) - //= specification/searchable-encryption/virtual.md#getsegments-transform-initialization - //= type=implication - //# If high is less than or equal to low, an empty string MUST be returned. + //= specification/searchable-encryption/virtual.md#getsegments-transform-initialization + //= type=implication + //# If high is less than or equal to low, an empty string MUST be returned. && (lo >= hi ==> ret == "") { var parts := Split(s, split); diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Beacon.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Beacon.dfy index a8f34146d..83ae833cb 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Beacon.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Beacon.dfy @@ -308,9 +308,9 @@ module TestBaseBeacon { { var version := GetLotsaBeacons(); var shareBeacon := T.StandardBeacon(name := "shareBeacon", length := 24, loc := None, - style := Some( - T.shared(T.Shared(other := "NameTitle")) - )); + style := Some( + T.shared(T.Shared(other := "NameTitle")) + )); var newConfig := FullTableConfig.(attributeActionsOnEncrypt := FullTableConfig.attributeActionsOnEncrypt["shareBeacon" := SE.ENCRYPT_AND_SIGN]); version := version.(standardBeacons := version.standardBeacons + [shareBeacon]); 
@@ -324,13 +324,13 @@ module TestBaseBeacon { { var version := GetLotsaBeacons(); var shareBeacon := T.StandardBeacon(name := "shareBeacon", length := 24, loc := None, - style := Some( - T.shared(T.Shared(other := "std2")) - )); + style := Some( + T.shared(T.Shared(other := "std2")) + )); var other := T.StandardBeacon(name := "std4", length := 24, loc := None, - style := Some( - T.shared(T.Shared(other := "shareBeacon")) - )); + style := Some( + T.shared(T.Shared(other := "shareBeacon")) + )); var newConfig := FullTableConfig.(attributeActionsOnEncrypt := FullTableConfig.attributeActionsOnEncrypt["shareBeacon" := SE.ENCRYPT_AND_SIGN]); version := version.(compoundBeacons := None, standardBeacons := [std2, shareBeacon, other]); @@ -344,9 +344,9 @@ module TestBaseBeacon { { var version := GetLotsaBeacons(); var shareBeacon := T.StandardBeacon(name := "shareBeacon", length := 24, loc := None, - style := Some( - T.shared(T.Shared(other := "shareBeacon")) - )); + style := Some( + T.shared(T.Shared(other := "shareBeacon")) + )); var newConfig := FullTableConfig.(attributeActionsOnEncrypt := FullTableConfig.attributeActionsOnEncrypt["shareBeacon" := SE.ENCRYPT_AND_SIGN]); version := version.(compoundBeacons := None, standardBeacons := [std2, shareBeacon]); @@ -360,9 +360,9 @@ module TestBaseBeacon { { var version := GetLotsaBeacons(); var shareBeacon := T.StandardBeacon(name := "shareBeacon", length := 24, loc := None, - style := Some( - T.shared(T.Shared(other := "DoesNotExist")) - )); + style := Some( + T.shared(T.Shared(other := "DoesNotExist")) + )); version := version.(standardBeacons := version.standardBeacons + [shareBeacon]); var newConfig := FullTableConfig.(attributeActionsOnEncrypt := FullTableConfig.attributeActionsOnEncrypt["shareBeacon" := SE.ENCRYPT_AND_SIGN]); 
@@ -377,9 +377,9 @@ module TestBaseBeacon { { var version := GetLotsaBeacons(); var shareBeacon := T.StandardBeacon(name := "shareBeacon", length := 23, loc := None, - style := Some( - T.shared(T.Shared(other := "std2")) - )); + style := Some( + T.shared(T.Shared(other := "std2")) + )); version := version.(standardBeacons := version.standardBeacons + [shareBeacon]); var newConfig := FullTableConfig.(attributeActionsOnEncrypt := FullTableConfig.attributeActionsOnEncrypt["shareBeacon" := SE.ENCRYPT_AND_SIGN]); @@ -723,16 +723,16 @@ module TestBaseBeacon { method {:test} CompoundMixed() { - var Mixed := T.CompoundBeacon ( - name := "Mixed", - split := ".", - encrypted := Some([Title]), - signed := Some([Month]), - constructors := Some([ - T.Constructor(parts := [T.ConstructorPart(name := "Name", required := true), T.ConstructorPart(name := "Year", required := true)]), - T.Constructor(parts := [T.ConstructorPart(name := "Title", required := true), T.ConstructorPart(name := "Month", required := false)]) - ]) - ); + var Mixed := T.CompoundBeacon ( + name := "Mixed", + split := ".", + encrypted := Some([Title]), + signed := Some([Month]), + constructors := Some([ + T.Constructor(parts := [T.ConstructorPart(name := "Name", required := true), T.ConstructorPart(name := "Year", required := true)]), + T.Constructor(parts := [T.ConstructorPart(name := "Title", required := true), T.ConstructorPart(name := "Month", required := false)]) + ]) + ); var version := GetLotsaBeacons(); version := version.(compoundBeacons := Some([Mixed]), signedParts := Some([Year]), encryptedParts := Some([Name])); diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy index 452c151b8..02469a5f2 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy 
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoDbEncryptionBranchKeyIdSupplierTest.dfy @@ -15,7 +15,7 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { import CSE = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes import SE = StructuredEncryptionUtil import Base64 - import KeyStore + import KeyStore import KeyStoreTypes = AwsCryptographyKeyStoreTypes const TEST_DBE_ALG_SUITE_ID := MPL.AlgorithmSuiteId.DBE(MPL.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_SYMSIG_HMAC_SHA384) @@ -44,7 +44,7 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { const EC_PARTITION_NAME := UTF8.EncodeAscii("aws-crypto-partition-name") const RESERVED_PREFIX := "aws-crypto-attr." - method {:test} TestHappyCase() + method {:test} TestHappyCase() { var ddbKeyToBranchKeyId: Types.IDynamoDbKeyBranchKeyIdSupplier := new TestBranchKeyIdSupplier(); var ddbEncResources :- expect DynamoDbEncryption.DynamoDbEncryption(); @@ -81,7 +81,7 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { ); var keyAttrName := UTF8.EncodeAscii(RESERVED_PREFIX + BRANCH_KEY); - + // Test Encryption Context with Case A var materials :- expect mpl.InitializeEncryptionMaterials( MPL.InitializeEncryptionMaterialsInput( 
@@ -96,13 +96,13 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { var caseA :- expect UTF8.Encode(Base64.Encode(CASE_A_BYTES)); var contextCaseA := materials.encryptionContext[keyAttrName := caseA]; var materialsA := materials.(encryptionContext := contextCaseA); - TestRoundtrip(hierarchyKeyring, materialsA, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_A); + TestRoundtrip(hierarchyKeyring, materialsA, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_A); // Test Encryption Context with Case B var caseB :- expect UTF8.Encode(Base64.Encode(CASE_B_BYTES)); var contextCaseB := materials.encryptionContext[keyAttrName := caseB]; var materialsB := materials.(encryptionContext := contextCaseB); - TestRoundtrip(hierarchyKeyring, materialsB, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_B); + TestRoundtrip(hierarchyKeyring, materialsB, TEST_DBE_ALG_SUITE_ID, BRANCH_KEY_ID_B); } method TestRoundtrip( @@ -118,14 +118,14 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { var encryptionMaterialsOut :- expect hierarchyKeyring.OnEncrypt( MPL.OnEncryptInput(materials:=encryptionMaterialsIn) ); - + var mpl :- expect MaterialProviders.MaterialProviders(); var _ :- expect mpl.EncryptionMaterialsHasPlaintextDataKey(encryptionMaterialsOut.materials); expect |encryptionMaterialsOut.materials.encryptedDataKeys| == 1; var edk := encryptionMaterialsOut.materials.encryptedDataKeys[0]; - + // Verify the edk was created with the expected branch key var expectedBranchKeyIdUTF8 :- expect UTF8.Encode(expectedBranchKeyId); expect edk.keyProviderInfo == expectedBranchKeyIdUTF8; @@ -145,7 +145,7 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { ); expect encryptionMaterialsOut.materials.plaintextDataKey - == decryptionMaterialsOut.materials.plaintextDataKey; + == decryptionMaterialsOut.materials.plaintextDataKey; } // returns "branchKeyIdA" when item contains "branchKey":"caseA" 
@@ -170,7 +170,7 @@ module DynamoDbEncryptionBranchKeyIdSupplierTest { {true} method GetBranchKeyIdFromDdbKey'(input: Types.GetBranchKeyIdFromDdbKeyInput) - returns (output: Result) + returns (output: Result) requires ValidState() modifies Modifies - {History} decreases Modifies - {History} diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoToStruct.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoToStruct.dfy index 40687b911..183904d2b 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoToStruct.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/DynamoToStruct.dfy @@ -315,10 +315,10 @@ module DynamoToStructTest { var listValue := AttributeValue.L([nValue]); var encodedListData := StructuredDataTerminal(value := [ - 0,0,0,1, // 1 member in list - 0,2, 0,0,0,1, 49 // 1st member is N("1") - ], - typeId := [3,0]); + 0,0,0,1, // 1 member in list + 0,2, 0,0,0,1, 49 // 1st member is N("1") + ], + typeId := [3,0]); var encodedListValue := StructuredData(content := Terminal(encodedListData), attributes := None); var listStruct := AttrToStructured(listValue); expect listStruct.Success?; 
@@ -397,15 +397,15 @@ module DynamoToStructTest {
 var stringSetValue := AttributeValue.SS(["&","。","𐀂"]);
 // Note that string values are UTF-8 encoded, but sorted by UTF-16 encoding.
 var encodedStringSetData := StructuredDataTerminal(value := [
- 0,0,0,3, // 3 entries in set
- 0,0,0,1, // 1st entry is 1 byte
- 0x26, // "&" in UTF-8 encoding
- 0,0,0,4, // 2nd entry is 4 bytes
- 0xF0,0x90,0x80,0x82, // "𐀂" in UTF-8 encoding
- 0,0,0,3, // 3rd entry is 3 bytes
- 0xEF,0xBD,0xA1 // "。" in UTF-8 encoding
- ],
- typeId := [1,1]
+ 0,0,0,3, // 3 entries in set
+ 0,0,0,1, // 1st entry is 1 byte
+ 0x26, // "&" in UTF-8 encoding
+ 0,0,0,4, // 2nd entry is 4 bytes
+ 0xF0,0x90,0x80,0x82, // "𐀂" in UTF-8 encoding
+ 0,0,0,3, // 3rd entry is 3 bytes
+ 0xEF,0xBD,0xA1 // "。" in UTF-8 encoding
+ ],
+ typeId := [1,1]
 );
 var encodedStringSetValue := StructuredData(content := Terminal(encodedStringSetData), attributes := None);
 var stringSetStruct := AttrToStructured(stringSetValue);
@@ -444,15 +444,15 @@ module DynamoToStructTest { var listValue := AttributeValue.L([nSetValue, sSetValue, bSetValue]); var encodedListData := StructuredDataTerminal(value := [ - 0,0,0,3, // 3 members in list - 1,2, 0,0,0,20, // 1st member is a NS and is 20 bytes long - 0,0,0,3, 0,0,0,1, 49, 0,0,0,2, 49,48, 0,0,0,1, 50, // NS - 1,1, 0,0,0,24, // 2nd member is a SS and is 24 bytes long - 0,0,0,3, 0,0,0,1, 0x26, 0,0,0,4, 0xF0,0x90,0x80,0x82, 0,0,0,3, 0xEF,0xBD,0xA1, // SS - 1,0xFF, 0,0,0,20, // 3rd member is a BS and is 20 bytes long - 0,0,0,3, 0,0,0,1, 1, 0,0,0,2, 1,0, 0,0,0,1, 2 // BS - ], - typeId := [3,0]); + 0,0,0,3, // 3 members in list + 1,2, 0,0,0,20, // 1st member is a NS and is 20 bytes long + 0,0,0,3, 0,0,0,1, 49, 0,0,0,2, 49,48, 0,0,0,1, 50, // NS + 1,1, 0,0,0,24, // 2nd member is a SS and is 24 bytes long + 0,0,0,3, 0,0,0,1, 0x26, 0,0,0,4, 0xF0,0x90,0x80,0x82, 0,0,0,3, 0xEF,0xBD,0xA1, // SS + 1,0xFF, 0,0,0,20, // 3rd member is a BS and is 20 bytes long + 0,0,0,3, 0,0,0,1, 1, 0,0,0,2, 1,0, 0,0,0,1, 2 // BS + ], + typeId := [3,0]); var encodedListValue := StructuredData(content := Terminal(encodedListData), attributes := None); var listStruct := AttrToStructured(listValue); expect listStruct.Success?; diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/FilterExpr.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/FilterExpr.dfy index 4154f3318..8c72d4c6d 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/FilterExpr.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/FilterExpr.dfy @@ -147,7 +147,7 @@ module TestDynamoDBFilterExpr { expect exprString == "aws_dbe_b_std2 = :A AND #Field_4 = :B"; } - method {:test} TestNoBeaconFail() { + method {:test} TestNoBeaconFail() { var context := ExprContext ( None, Some("std2 = :A AND #Field4 = :B"), 
@@ -302,7 +302,7 @@ module TestDynamoDBFilterExpr { expect_equal(newItems, [item1]); } - method {:test} TestFilterFailNumeric() { + method {:test} TestFilterFailNumeric() { var item1 : DDB.AttributeMap := map[ "one" := DN("800") ];
@@ -315,9 +315,9 @@ module TestDynamoDBFilterExpr { var newItems := FilterResults(bv, [item1], None, Some("one < :two"), None, Some(values)); expect newItems.Failure?; expect newItems.error == E("Number needs digits either before or after the decimal point. when parsing 'foo'."); - } + } - method {:test} TestFilterCompareNumeric() { + method {:test} TestFilterCompareNumeric() { var item1 : DDB.AttributeMap := map[ "one" := DN("800") ];
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/NormalizeNumber.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/NormalizeNumber.dfy
index f4b1c2cd5..884d56d3d 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/NormalizeNumber.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/NormalizeNumber.dfy
@@ -58,7 +58,7 @@ module TestNormalizeNumber {
 check_failure("1E+126"); // we don't allow one magnitude higher
 check_failure("10E+125");
 check_normal("100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
- "100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000");
+ "100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000");
 check_failure("1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000");
 check_failure("9.99999999999999999999999999999999999991E+125"); // we don't allow more precision
 check_failure("999999999999999999999999999999999999990000000000000000000000000000000000000000000000000000000000000000000000000000000000000001");
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Virtual.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Virtual.dfy
index 471c6247a..092e5d762 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Virtual.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryption/test/Virtual.dfy
@@ -102,7 +102,7 @@ module TestDdbVirtualFields {
 expect DoTransform(pn5, "1.23.456.7890") == "";
 expect DoTransform(pn6, "1.23.456.7890") == "";
 }
- method {:test} TestSegments() {
+ method {:test} TestSegments() {
 var p00 : VirtualTransform := segments(GetSegments(split := ".", low := 0, high := 0));
 var p12 : VirtualTransform := segments(GetSegments(split := ".", low := 1, high := 2));
 var pn32 : VirtualTransform := segments(GetSegments(split := ".", low := -3, high := 2));
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/Model/AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/Model/AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes.dfy
index 87da7669b..b2c21ac3f 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/Model/AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/Model/AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes.dfy
@@ -2,1861 +2,1861 @@ // SPDX-License-Identifier: Apache-2.0 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten. include "../../../../submodules/MaterialProviders/StandardLibrary/src/Index.dfy" - include "../../DynamoDbEncryption/src/Index.dfy" - include "../../DynamoDbItemEncryptor/src/Index.dfy" - include "../../StructuredEncryption/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" - include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy" - module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.transforms.internaldafny.types" } AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import AwsCryptographyDbEncryptionSdkDynamoDbTypes - import AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes - import AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes - import AwsCryptographyMaterialProvidersTypes - import ComAmazonawsDynamodbTypes - // Generic helpers for verification of mock/unit tests. 
- datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - - // Begin Generated Types - - datatype BatchExecuteStatementInputTransformInput = | BatchExecuteStatementInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.BatchExecuteStatementInput - ) - datatype BatchExecuteStatementInputTransformOutput = | BatchExecuteStatementInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.BatchExecuteStatementInput - ) - datatype BatchExecuteStatementOutputTransformInput = | BatchExecuteStatementOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.BatchExecuteStatementOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.BatchExecuteStatementInput - ) - datatype BatchExecuteStatementOutputTransformOutput = | BatchExecuteStatementOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.BatchExecuteStatementOutput - ) - datatype BatchGetItemInputTransformInput = | BatchGetItemInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.BatchGetItemInput - ) - datatype BatchGetItemInputTransformOutput = | BatchGetItemInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.BatchGetItemInput - ) - datatype BatchGetItemOutputTransformInput = | BatchGetItemOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.BatchGetItemOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.BatchGetItemInput - ) - datatype BatchGetItemOutputTransformOutput = | BatchGetItemOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.BatchGetItemOutput - ) - datatype BatchWriteItemInputTransformInput = | BatchWriteItemInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.BatchWriteItemInput - ) - datatype BatchWriteItemInputTransformOutput = | BatchWriteItemInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.BatchWriteItemInput - ) - datatype BatchWriteItemOutputTransformInput = | 
BatchWriteItemOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.BatchWriteItemOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.BatchWriteItemInput - ) - datatype BatchWriteItemOutputTransformOutput = | BatchWriteItemOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.BatchWriteItemOutput - ) - datatype DeleteItemInputTransformInput = | DeleteItemInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.DeleteItemInput - ) - datatype DeleteItemInputTransformOutput = | DeleteItemInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.DeleteItemInput - ) - datatype DeleteItemOutputTransformInput = | DeleteItemOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.DeleteItemOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.DeleteItemInput - ) - datatype DeleteItemOutputTransformOutput = | DeleteItemOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.DeleteItemOutput - ) - class IDynamoDbEncryptionTransformsClientCallHistory { - ghost constructor() { - PutItemInputTransform := []; - PutItemOutputTransform := []; - GetItemInputTransform := []; - GetItemOutputTransform := []; - BatchWriteItemInputTransform := []; - BatchWriteItemOutputTransform := []; - BatchGetItemInputTransform := []; - BatchGetItemOutputTransform := []; - ScanInputTransform := []; - ScanOutputTransform := []; - QueryInputTransform := []; - QueryOutputTransform := []; - TransactWriteItemsInputTransform := []; - TransactWriteItemsOutputTransform := []; - UpdateItemInputTransform := []; - UpdateItemOutputTransform := []; - DeleteItemInputTransform := []; - DeleteItemOutputTransform := []; - TransactGetItemsInputTransform := []; - TransactGetItemsOutputTransform := []; - ExecuteStatementInputTransform := []; - ExecuteStatementOutputTransform := []; - BatchExecuteStatementInputTransform := []; - BatchExecuteStatementOutputTransform := []; - 
ExecuteTransactionInputTransform := []; - ExecuteTransactionOutputTransform := []; - ResolveAttributes := []; +include "../../DynamoDbEncryption/src/Index.dfy" +include "../../DynamoDbItemEncryptor/src/Index.dfy" +include "../../StructuredEncryption/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" +include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy" +module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.transforms.internaldafny.types" } AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import AwsCryptographyDbEncryptionSdkDynamoDbTypes + import AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes + import AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes + import AwsCryptographyMaterialProvidersTypes + import ComAmazonawsDynamodbTypes + // Generic helpers for verification of mock/unit tests. 
+ datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) + + // Begin Generated Types + + datatype BatchExecuteStatementInputTransformInput = | BatchExecuteStatementInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.BatchExecuteStatementInput + ) + datatype BatchExecuteStatementInputTransformOutput = | BatchExecuteStatementInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.BatchExecuteStatementInput + ) + datatype BatchExecuteStatementOutputTransformInput = | BatchExecuteStatementOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.BatchExecuteStatementOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.BatchExecuteStatementInput + ) + datatype BatchExecuteStatementOutputTransformOutput = | BatchExecuteStatementOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.BatchExecuteStatementOutput + ) + datatype BatchGetItemInputTransformInput = | BatchGetItemInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.BatchGetItemInput + ) + datatype BatchGetItemInputTransformOutput = | BatchGetItemInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.BatchGetItemInput + ) + datatype BatchGetItemOutputTransformInput = | BatchGetItemOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.BatchGetItemOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.BatchGetItemInput + ) + datatype BatchGetItemOutputTransformOutput = | BatchGetItemOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.BatchGetItemOutput + ) + datatype BatchWriteItemInputTransformInput = | BatchWriteItemInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.BatchWriteItemInput + ) + datatype BatchWriteItemInputTransformOutput = | BatchWriteItemInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.BatchWriteItemInput + ) + datatype BatchWriteItemOutputTransformInput = | 
BatchWriteItemOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.BatchWriteItemOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.BatchWriteItemInput + ) + datatype BatchWriteItemOutputTransformOutput = | BatchWriteItemOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.BatchWriteItemOutput + ) + datatype DeleteItemInputTransformInput = | DeleteItemInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.DeleteItemInput + ) + datatype DeleteItemInputTransformOutput = | DeleteItemInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.DeleteItemInput + ) + datatype DeleteItemOutputTransformInput = | DeleteItemOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.DeleteItemOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.DeleteItemInput + ) + datatype DeleteItemOutputTransformOutput = | DeleteItemOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.DeleteItemOutput + ) + class IDynamoDbEncryptionTransformsClientCallHistory { + ghost constructor() { + PutItemInputTransform := []; + PutItemOutputTransform := []; + GetItemInputTransform := []; + GetItemOutputTransform := []; + BatchWriteItemInputTransform := []; + BatchWriteItemOutputTransform := []; + BatchGetItemInputTransform := []; + BatchGetItemOutputTransform := []; + ScanInputTransform := []; + ScanOutputTransform := []; + QueryInputTransform := []; + QueryOutputTransform := []; + TransactWriteItemsInputTransform := []; + TransactWriteItemsOutputTransform := []; + UpdateItemInputTransform := []; + UpdateItemOutputTransform := []; + DeleteItemInputTransform := []; + DeleteItemOutputTransform := []; + TransactGetItemsInputTransform := []; + TransactGetItemsOutputTransform := []; + ExecuteStatementInputTransform := []; + ExecuteStatementOutputTransform := []; + BatchExecuteStatementInputTransform := []; + BatchExecuteStatementOutputTransform := []; + 
ExecuteTransactionInputTransform := []; + ExecuteTransactionOutputTransform := []; + ResolveAttributes := []; + } + ghost var PutItemInputTransform: seq>> + ghost var PutItemOutputTransform: seq>> + ghost var GetItemInputTransform: seq>> + ghost var GetItemOutputTransform: seq>> + ghost var BatchWriteItemInputTransform: seq>> + ghost var BatchWriteItemOutputTransform: seq>> + ghost var BatchGetItemInputTransform: seq>> + ghost var BatchGetItemOutputTransform: seq>> + ghost var ScanInputTransform: seq>> + ghost var ScanOutputTransform: seq>> + ghost var QueryInputTransform: seq>> + ghost var QueryOutputTransform: seq>> + ghost var TransactWriteItemsInputTransform: seq>> + ghost var TransactWriteItemsOutputTransform: seq>> + ghost var UpdateItemInputTransform: seq>> + ghost var UpdateItemOutputTransform: seq>> + ghost var DeleteItemInputTransform: seq>> + ghost var DeleteItemOutputTransform: seq>> + ghost var TransactGetItemsInputTransform: seq>> + ghost var TransactGetItemsOutputTransform: seq>> + ghost var ExecuteStatementInputTransform: seq>> + ghost var ExecuteStatementOutputTransform: seq>> + ghost var BatchExecuteStatementInputTransform: seq>> + ghost var BatchExecuteStatementOutputTransform: seq>> + ghost var ExecuteTransactionInputTransform: seq>> + ghost var ExecuteTransactionOutputTransform: seq>> + ghost var ResolveAttributes: seq>> + } + trait {:termination false} IDynamoDbEncryptionTransformsClient + { + // Helper to define any additional modifies/reads clauses. + // If your operations need to mutate state, + // add it in your constructor function: + // Modifies := {your, fields, here, History}; + // If you do not need to mutate anything: + // Modifies := {History}; + + ghost const Modifies: set + // For an unassigned field defined in a trait, + // Dafny can only assign a value in the constructor. + // This means that for Dafny to reason about this value, + // it needs some way to know (an invariant), + // about the state of the object. 
+ // This builds on the Valid/Repr paradigm + // To make this kind requires safe to add + // to methods called from unverified code, + // the predicate MUST NOT take any arguments. + // This means that the correctness of this requires + // MUST only be evaluated by the class itself. + // If you require any additional mutation, + // then you MUST ensure everything you need in ValidState. + // You MUST also ensure ValidState in your constructor. + predicate ValidState() + ensures ValidState() ==> History in Modifies + ghost const History: IDynamoDbEncryptionTransformsClientCallHistory + predicate PutItemInputTransformEnsuresPublicly(input: PutItemInputTransformInput , output: Result) + // The public method to be called by library consumers + method PutItemInputTransform ( input: PutItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`PutItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures PutItemInputTransformEnsuresPublicly(input, output) + ensures History.PutItemInputTransform == old(History.PutItemInputTransform) + [DafnyCallEvent(input, output)] + + predicate PutItemOutputTransformEnsuresPublicly(input: PutItemOutputTransformInput , output: Result) + // The public method to be called by library consumers + method PutItemOutputTransform ( input: PutItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`PutItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures PutItemOutputTransformEnsuresPublicly(input, output) + ensures History.PutItemOutputTransform == old(History.PutItemOutputTransform) + [DafnyCallEvent(input, output)] + + predicate GetItemInputTransformEnsuresPublicly(input: GetItemInputTransformInput , output: Result) + // The public method to be called by library consumers + method GetItemInputTransform ( input: GetItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GetItemInputTransformEnsuresPublicly(input, output) + ensures History.GetItemInputTransform == old(History.GetItemInputTransform) + [DafnyCallEvent(input, output)] + + predicate GetItemOutputTransformEnsuresPublicly(input: GetItemOutputTransformInput , output: Result) + // The public method to be called by library consumers + method GetItemOutputTransform ( input: GetItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures GetItemOutputTransformEnsuresPublicly(input, output) + ensures History.GetItemOutputTransform == old(History.GetItemOutputTransform) + [DafnyCallEvent(input, output)] + + predicate BatchWriteItemInputTransformEnsuresPublicly(input: BatchWriteItemInputTransformInput , output: Result) + // The public method to be called by library consumers + method BatchWriteItemInputTransform ( input: BatchWriteItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchWriteItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures BatchWriteItemInputTransformEnsuresPublicly(input, output) + ensures History.BatchWriteItemInputTransform == old(History.BatchWriteItemInputTransform) + [DafnyCallEvent(input, output)] + + predicate BatchWriteItemOutputTransformEnsuresPublicly(input: BatchWriteItemOutputTransformInput , output: Result) + // The public method to be called by library consumers + method BatchWriteItemOutputTransform ( input: BatchWriteItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchWriteItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchWriteItemOutputTransformEnsuresPublicly(input, output) + ensures History.BatchWriteItemOutputTransform == old(History.BatchWriteItemOutputTransform) + [DafnyCallEvent(input, output)] + + predicate BatchGetItemInputTransformEnsuresPublicly(input: BatchGetItemInputTransformInput , output: Result) + // The public method to be called by library consumers + method BatchGetItemInputTransform ( input: BatchGetItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchGetItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures BatchGetItemInputTransformEnsuresPublicly(input, output) + ensures History.BatchGetItemInputTransform == old(History.BatchGetItemInputTransform) + [DafnyCallEvent(input, output)] + + predicate BatchGetItemOutputTransformEnsuresPublicly(input: BatchGetItemOutputTransformInput , output: Result) + // The public method to be called by library consumers + method BatchGetItemOutputTransform ( input: BatchGetItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchGetItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchGetItemOutputTransformEnsuresPublicly(input, output) + ensures History.BatchGetItemOutputTransform == old(History.BatchGetItemOutputTransform) + [DafnyCallEvent(input, output)] + + predicate ScanInputTransformEnsuresPublicly(input: ScanInputTransformInput , output: Result) + // The public method to be called by library consumers + method ScanInputTransform ( input: ScanInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ScanInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ScanInputTransformEnsuresPublicly(input, output) + ensures History.ScanInputTransform == old(History.ScanInputTransform) + [DafnyCallEvent(input, output)] + + predicate ScanOutputTransformEnsuresPublicly(input: ScanOutputTransformInput , output: Result) + // The public method to be called by library consumers + method ScanOutputTransform ( input: ScanOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ScanOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ScanOutputTransformEnsuresPublicly(input, output) + ensures History.ScanOutputTransform == old(History.ScanOutputTransform) + [DafnyCallEvent(input, output)] + + predicate QueryInputTransformEnsuresPublicly(input: QueryInputTransformInput , output: Result) + // The public method to be called by library consumers + method QueryInputTransform ( input: QueryInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`QueryInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures QueryInputTransformEnsuresPublicly(input, output) + ensures History.QueryInputTransform == old(History.QueryInputTransform) + [DafnyCallEvent(input, output)] + + predicate QueryOutputTransformEnsuresPublicly(input: QueryOutputTransformInput , output: Result) + // The public method to be called by library consumers + method QueryOutputTransform ( input: QueryOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`QueryOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures QueryOutputTransformEnsuresPublicly(input, output) + ensures History.QueryOutputTransform == old(History.QueryOutputTransform) + [DafnyCallEvent(input, output)] + + predicate TransactWriteItemsInputTransformEnsuresPublicly(input: TransactWriteItemsInputTransformInput , output: Result) + // The public method to be called by library consumers + method TransactWriteItemsInputTransform ( input: TransactWriteItemsInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactWriteItemsInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures TransactWriteItemsInputTransformEnsuresPublicly(input, output) + ensures History.TransactWriteItemsInputTransform == old(History.TransactWriteItemsInputTransform) + [DafnyCallEvent(input, output)] + + predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput , output: Result) + // The public method to be called by library consumers + method TransactWriteItemsOutputTransform ( input: TransactWriteItemsOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactWriteItemsOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures TransactWriteItemsOutputTransformEnsuresPublicly(input, output) + ensures History.TransactWriteItemsOutputTransform == old(History.TransactWriteItemsOutputTransform) + [DafnyCallEvent(input, output)] + + predicate UpdateItemInputTransformEnsuresPublicly(input: UpdateItemInputTransformInput , output: Result) + // The public method to be called by library consumers + method UpdateItemInputTransform ( input: UpdateItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`UpdateItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures UpdateItemInputTransformEnsuresPublicly(input, output) + ensures History.UpdateItemInputTransform == old(History.UpdateItemInputTransform) + [DafnyCallEvent(input, output)] + + predicate UpdateItemOutputTransformEnsuresPublicly(input: UpdateItemOutputTransformInput , output: Result) + // The public method to be called by library consumers + method UpdateItemOutputTransform ( input: UpdateItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`UpdateItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures UpdateItemOutputTransformEnsuresPublicly(input, output) + ensures History.UpdateItemOutputTransform == old(History.UpdateItemOutputTransform) + [DafnyCallEvent(input, output)] + + predicate DeleteItemInputTransformEnsuresPublicly(input: DeleteItemInputTransformInput , output: Result) + // The public method to be called by library consumers + method DeleteItemInputTransform ( input: DeleteItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DeleteItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures DeleteItemInputTransformEnsuresPublicly(input, output) + ensures History.DeleteItemInputTransform == old(History.DeleteItemInputTransform) + [DafnyCallEvent(input, output)] + + predicate DeleteItemOutputTransformEnsuresPublicly(input: DeleteItemOutputTransformInput , output: Result) + // The public method to be called by library consumers + method DeleteItemOutputTransform ( input: DeleteItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DeleteItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DeleteItemOutputTransformEnsuresPublicly(input, output) + ensures History.DeleteItemOutputTransform == old(History.DeleteItemOutputTransform) + [DafnyCallEvent(input, output)] + + predicate TransactGetItemsInputTransformEnsuresPublicly(input: TransactGetItemsInputTransformInput , output: Result) + // The public method to be called by library consumers + method TransactGetItemsInputTransform ( input: TransactGetItemsInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactGetItemsInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures TransactGetItemsInputTransformEnsuresPublicly(input, output) + ensures History.TransactGetItemsInputTransform == old(History.TransactGetItemsInputTransform) + [DafnyCallEvent(input, output)] + + predicate TransactGetItemsOutputTransformEnsuresPublicly(input: TransactGetItemsOutputTransformInput , output: Result) + // The public method to be called by library consumers + method TransactGetItemsOutputTransform ( input: TransactGetItemsOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactGetItemsOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures TransactGetItemsOutputTransformEnsuresPublicly(input, output) + ensures History.TransactGetItemsOutputTransform == old(History.TransactGetItemsOutputTransform) + [DafnyCallEvent(input, output)] + + predicate ExecuteStatementInputTransformEnsuresPublicly(input: ExecuteStatementInputTransformInput , output: Result) + // The public method to be called by library consumers + method ExecuteStatementInputTransform ( input: ExecuteStatementInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteStatementInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteStatementInputTransformEnsuresPublicly(input, output) + ensures History.ExecuteStatementInputTransform == old(History.ExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] + + predicate ExecuteStatementOutputTransformEnsuresPublicly(input: ExecuteStatementOutputTransformInput , output: Result) + // The public method to be called by library consumers + method ExecuteStatementOutputTransform ( input: ExecuteStatementOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteStatementOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteStatementOutputTransformEnsuresPublicly(input, output) + ensures History.ExecuteStatementOutputTransform == old(History.ExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] + + predicate BatchExecuteStatementInputTransformEnsuresPublicly(input: BatchExecuteStatementInputTransformInput , output: Result) + // The public method to be called by library consumers + method BatchExecuteStatementInputTransform ( input: BatchExecuteStatementInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchExecuteStatementInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchExecuteStatementInputTransformEnsuresPublicly(input, output) + ensures History.BatchExecuteStatementInputTransform == old(History.BatchExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] + + predicate BatchExecuteStatementOutputTransformEnsuresPublicly(input: BatchExecuteStatementOutputTransformInput , output: Result) + // The public method to be called by library consumers + method BatchExecuteStatementOutputTransform ( input: BatchExecuteStatementOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchExecuteStatementOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures BatchExecuteStatementOutputTransformEnsuresPublicly(input, output) + ensures History.BatchExecuteStatementOutputTransform == old(History.BatchExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] + + predicate ExecuteTransactionInputTransformEnsuresPublicly(input: ExecuteTransactionInputTransformInput , output: Result) + // The public method to be called by library consumers + method ExecuteTransactionInputTransform ( input: ExecuteTransactionInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteTransactionInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteTransactionInputTransformEnsuresPublicly(input, output) + ensures History.ExecuteTransactionInputTransform == old(History.ExecuteTransactionInputTransform) + [DafnyCallEvent(input, output)] + + predicate ExecuteTransactionOutputTransformEnsuresPublicly(input: ExecuteTransactionOutputTransformInput , output: Result) + // The public method to be called by library consumers + method ExecuteTransactionOutputTransform ( input: ExecuteTransactionOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteTransactionOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteTransactionOutputTransformEnsuresPublicly(input, output) + ensures History.ExecuteTransactionOutputTransform == old(History.ExecuteTransactionOutputTransform) + [DafnyCallEvent(input, output)] + + predicate ResolveAttributesEnsuresPublicly(input: ResolveAttributesInput , output: Result) + // The public method to be called by library consumers + method ResolveAttributes ( input: ResolveAttributesInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ResolveAttributes + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ResolveAttributesEnsuresPublicly(input, output) + ensures History.ResolveAttributes == old(History.ResolveAttributes) + [DafnyCallEvent(input, output)] + + } + datatype ExecuteStatementInputTransformInput = | ExecuteStatementInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.ExecuteStatementInput + ) + datatype ExecuteStatementInputTransformOutput = | ExecuteStatementInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.ExecuteStatementInput + ) + datatype ExecuteStatementOutputTransformInput = | ExecuteStatementOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.ExecuteStatementOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.ExecuteStatementInput + ) + datatype ExecuteStatementOutputTransformOutput = | ExecuteStatementOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.ExecuteStatementOutput + ) + datatype ExecuteTransactionInputTransformInput = | ExecuteTransactionInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.ExecuteTransactionInput + ) + datatype ExecuteTransactionInputTransformOutput = | ExecuteTransactionInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.ExecuteTransactionInput + ) + datatype ExecuteTransactionOutputTransformInput = | ExecuteTransactionOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.ExecuteTransactionOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.ExecuteTransactionInput + ) + datatype ExecuteTransactionOutputTransformOutput = | ExecuteTransactionOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.ExecuteTransactionOutput + ) + datatype GetItemInputTransformInput = | GetItemInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.GetItemInput + ) + datatype GetItemInputTransformOutput = | GetItemInputTransformOutput ( + nameonly transformedInput: 
ComAmazonawsDynamodbTypes.GetItemInput + ) + datatype GetItemOutputTransformInput = | GetItemOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.GetItemOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.GetItemInput + ) + datatype GetItemOutputTransformOutput = | GetItemOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.GetItemOutput + ) + datatype PutItemInputTransformInput = | PutItemInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.PutItemInput + ) + datatype PutItemInputTransformOutput = | PutItemInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.PutItemInput + ) + datatype PutItemOutputTransformInput = | PutItemOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.PutItemOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.PutItemInput + ) + datatype PutItemOutputTransformOutput = | PutItemOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.PutItemOutput + ) + datatype QueryInputTransformInput = | QueryInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.QueryInput + ) + datatype QueryInputTransformOutput = | QueryInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.QueryInput + ) + datatype QueryOutputTransformInput = | QueryOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.QueryOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.QueryInput + ) + datatype QueryOutputTransformOutput = | QueryOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.QueryOutput + ) + datatype ResolveAttributesInput = | ResolveAttributesInput ( + nameonly TableName: ComAmazonawsDynamodbTypes.TableName , + nameonly Item: ComAmazonawsDynamodbTypes.AttributeMap , + nameonly Version: Option := Option.None + ) + datatype ResolveAttributesOutput = | ResolveAttributesOutput ( + nameonly VirtualFields: StringMap , + nameonly CompoundBeacons: 
StringMap + ) + datatype ScanInputTransformInput = | ScanInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.ScanInput + ) + datatype ScanInputTransformOutput = | ScanInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.ScanInput + ) + datatype ScanOutputTransformInput = | ScanOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.ScanOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.ScanInput + ) + datatype ScanOutputTransformOutput = | ScanOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.ScanOutput + ) + type StringMap = map + datatype TransactGetItemsInputTransformInput = | TransactGetItemsInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.TransactGetItemsInput + ) + datatype TransactGetItemsInputTransformOutput = | TransactGetItemsInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.TransactGetItemsInput + ) + datatype TransactGetItemsOutputTransformInput = | TransactGetItemsOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.TransactGetItemsOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.TransactGetItemsInput + ) + datatype TransactGetItemsOutputTransformOutput = | TransactGetItemsOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.TransactGetItemsOutput + ) + datatype TransactWriteItemsInputTransformInput = | TransactWriteItemsInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.TransactWriteItemsInput + ) + datatype TransactWriteItemsInputTransformOutput = | TransactWriteItemsInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.TransactWriteItemsInput + ) + datatype TransactWriteItemsOutputTransformInput = | TransactWriteItemsOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.TransactWriteItemsOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.TransactWriteItemsInput + ) + datatype 
TransactWriteItemsOutputTransformOutput = | TransactWriteItemsOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.TransactWriteItemsOutput + ) + datatype UpdateItemInputTransformInput = | UpdateItemInputTransformInput ( + nameonly sdkInput: ComAmazonawsDynamodbTypes.UpdateItemInput + ) + datatype UpdateItemInputTransformOutput = | UpdateItemInputTransformOutput ( + nameonly transformedInput: ComAmazonawsDynamodbTypes.UpdateItemInput + ) + datatype UpdateItemOutputTransformInput = | UpdateItemOutputTransformInput ( + nameonly sdkOutput: ComAmazonawsDynamodbTypes.UpdateItemOutput , + nameonly originalInput: ComAmazonawsDynamodbTypes.UpdateItemInput + ) + datatype UpdateItemOutputTransformOutput = | UpdateItemOutputTransformOutput ( + nameonly transformedOutput: ComAmazonawsDynamodbTypes.UpdateItemOutput + ) + datatype Error = + // Local Error structures are listed here + | DynamoDbEncryptionTransformsException ( + nameonly message: string + ) + // Any dependent models are listed here + | AwsCryptographyDbEncryptionSdkDynamoDb(AwsCryptographyDbEncryptionSdkDynamoDb: AwsCryptographyDbEncryptionSdkDynamoDbTypes.Error) + | AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptor(AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptor: AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.Error) + | AwsCryptographyDbEncryptionSdkStructuredEncryption(AwsCryptographyDbEncryptionSdkStructuredEncryption: AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.Error) + | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) + | ComAmazonawsDynamodb(ComAmazonawsDynamodb: ComAmazonawsDynamodbTypes.Error) + // The Collection error is used to collect several errors together + // This is useful when composing OR logic. + // Consider the following method: + // + // method FN(n:I) + // returns (res: Result) + // ensures A(I).Success? ==> res.Success? + // ensures B(I).Success? ==> res.Success? 
+ // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? + // + // If either A || B is successful then FN is successful. + // And if A && B fail then FN will fail. + // But what information should FN transmit back to the caller? + // While it may be correct to hide these details from the caller, + // this can not be the globally correct option. + // Suppose that A and B can be blocked by different ACLs, + // and that their representation of I is only eventually consistent. + // How can the caller distinguish, at a minimum for logging, + // the difference between the four failure modes? + // || (!access(A(I)) && !access(B(I))) + // || (!exit(A(I)) && !exit(B(I))) + // || (!access(A(I)) && !exit(B(I))) + // || (!exit(A(I)) && !access(B(I))) + | CollectionOfErrors(list: seq, nameonly message: string) + // The Opaque error, used for native, extern, wrapped or unknown errors + | Opaque(obj: object) + type OpaqueError = e: Error | e.Opaque? witness * } - ghost var PutItemInputTransform: seq>> - ghost var PutItemOutputTransform: seq>> - ghost var GetItemInputTransform: seq>> - ghost var GetItemOutputTransform: seq>> - ghost var BatchWriteItemInputTransform: seq>> - ghost var BatchWriteItemOutputTransform: seq>> - ghost var BatchGetItemInputTransform: seq>> - ghost var BatchGetItemOutputTransform: seq>> - ghost var ScanInputTransform: seq>> - ghost var ScanOutputTransform: seq>> - ghost var QueryInputTransform: seq>> - ghost var QueryOutputTransform: seq>> - ghost var TransactWriteItemsInputTransform: seq>> - ghost var TransactWriteItemsOutputTransform: seq>> - ghost var UpdateItemInputTransform: seq>> - ghost var UpdateItemOutputTransform: seq>> - ghost var DeleteItemInputTransform: seq>> - ghost var DeleteItemOutputTransform: seq>> - ghost var TransactGetItemsInputTransform: seq>> - ghost var TransactGetItemsOutputTransform: seq>> - ghost var ExecuteStatementInputTransform: seq>> - ghost var ExecuteStatementOutputTransform: seq>> - ghost var 
BatchExecuteStatementInputTransform: seq>> - ghost var BatchExecuteStatementOutputTransform: seq>> - ghost var ExecuteTransactionInputTransform: seq>> - ghost var ExecuteTransactionOutputTransform: seq>> - ghost var ResolveAttributes: seq>> +abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsService +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes + import Operations : AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations + function method DefaultDynamoDbTablesEncryptionConfig(): AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig + method DynamoDbEncryptionTransforms(config: AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig := DefaultDynamoDbTablesEncryptionConfig()) + returns (res: Result) + // BEGIN MANUAL EDIT + requires var tmps0 := set t0 | t0 in config.tableEncryptionConfigs.Values; + forall tmp0 :: tmp0 in tmps0 ==> + tmp0.keyring.Some? ==> + tmp0.keyring.value.ValidState() + requires var tmps1 := set t1 | t1 in config.tableEncryptionConfigs.Values; + forall tmp1 :: tmp1 in tmps1 ==> + tmp1.cmm.Some? ==> + tmp1.cmm.value.ValidState() + requires var tmps2 := set t2 | t2 in config.tableEncryptionConfigs.Values; + forall tmp2 :: tmp2 in tmps2 ==> + tmp2.legacyOverride.Some? ==> + tmp2.legacyOverride.value.encryptor.ValidState() + requires var tmps3 := set t3 | t3 in config.tableEncryptionConfigs.Values; + forall tmp3 :: tmp3 in tmps3 ==> + tmp3.search.Some? ==> + var tmps4 := set t4 | t4 in tmp3.search.value.versions; + forall tmp4 :: tmp4 in tmps4 ==> + tmp4.keyStore.ValidState() + modifies var tmps5 := set t5 | t5 in config.tableEncryptionConfigs.Values + && t5.keyring.Some? 
+ :: t5.keyring.value; + var tmps5FlattenedModifiesSet: set> := set t0 + | t0 in tmps5 :: t0.Modifies; + (set tmp6ModifyEntry, tmp6Modifies | + tmp6Modifies in tmps5FlattenedModifiesSet + && tmp6ModifyEntry in tmp6Modifies + :: tmp6ModifyEntry) + modifies var tmps7 := set t7 | t7 in config.tableEncryptionConfigs.Values + && t7.cmm.Some? + :: t7.cmm.value; + var tmps7FlattenedModifiesSet: set> := set t0 + | t0 in tmps7 :: t0.Modifies; + (set tmp8ModifyEntry, tmp8Modifies | + tmp8Modifies in tmps7FlattenedModifiesSet + && tmp8ModifyEntry in tmp8Modifies + :: tmp8ModifyEntry) + modifies var tmps9 := set t9 | t9 in config.tableEncryptionConfigs.Values + && t9.legacyOverride.Some? + :: t9.legacyOverride.value.encryptor; + var tmps9FlattenedModifiesSet: set> := set t0 + | t0 in tmps9 :: t0.Modifies; + (set tmp10ModifyEntry, tmp10Modifies | + tmp10Modifies in tmps9FlattenedModifiesSet + && tmp10ModifyEntry in tmp10Modifies + :: tmp10ModifyEntry) + modifies var tmps11 := set t11 | t11 in config.tableEncryptionConfigs.Values + && t11.search.Some? + :: set t12 | t12 in t11.search.value.versions :: t12.keyStore; + var tmps11FlattenedModifiesSet: set> := set t0 + , t1 | t0 in tmps11 && t1 in t0 :: t1.Modifies; + (set tmp13ModifyEntry, tmp13Modifies | + tmp13Modifies in tmps11FlattenedModifiesSet + && tmp13ModifyEntry in tmp13Modifies + :: tmp13ModifyEntry) + ensures res.Success? ==> + && fresh(res.value) + && fresh(res.value.Modifies + - ( var tmps14 := set t14 | t14 in config.tableEncryptionConfigs.Values + && t14.keyring.Some? + :: t14.keyring.value; + var tmps14FlattenedModifiesSet: set> := set t0 + | t0 in tmps14 :: t0.Modifies; + (set tmp15ModifyEntry, tmp15Modifies | + tmp15Modifies in tmps14FlattenedModifiesSet + && tmp15ModifyEntry in tmp15Modifies + :: tmp15ModifyEntry) + ) - ( var tmps16 := set t16 | t16 in config.tableEncryptionConfigs.Values + && t16.cmm.Some? 
+ :: t16.cmm.value; + var tmps16FlattenedModifiesSet: set> := set t0 + | t0 in tmps16 :: t0.Modifies; + (set tmp17ModifyEntry, tmp17Modifies | + tmp17Modifies in tmps16FlattenedModifiesSet + && tmp17ModifyEntry in tmp17Modifies + :: tmp17ModifyEntry) + ) - ( var tmps18 := set t18 | t18 in config.tableEncryptionConfigs.Values + && t18.legacyOverride.Some? + :: t18.legacyOverride.value.encryptor; + var tmps18FlattenedModifiesSet: set> := set t0 + | t0 in tmps18 :: t0.Modifies; + (set tmp19ModifyEntry, tmp19Modifies | + tmp19Modifies in tmps18FlattenedModifiesSet + && tmp19ModifyEntry in tmp19Modifies + :: tmp19ModifyEntry) + ) - ( var tmps20 := set t20 | t20 in config.tableEncryptionConfigs.Values + && t20.search.Some? + :: set t21 | t21 in t20.search.value.versions :: t21.keyStore; + var tmps20FlattenedModifiesSet: set> := set t0 + , t1 | t0 in tmps20 && t1 in t0 :: t1.Modifies; + (set tmp22ModifyEntry, tmp22Modifies | + tmp22Modifies in tmps20FlattenedModifiesSet + && tmp22ModifyEntry in tmp22Modifies + :: tmp22ModifyEntry) + ) ) + && fresh(res.value.History) + && res.value.ValidState() + ensures var tmps23 := set t23 | t23 in config.tableEncryptionConfigs.Values; + forall tmp23 :: tmp23 in tmps23 ==> + tmp23.keyring.Some? ==> + tmp23.keyring.value.ValidState() + ensures var tmps24 := set t24 | t24 in config.tableEncryptionConfigs.Values; + forall tmp24 :: tmp24 in tmps24 ==> + tmp24.cmm.Some? ==> + tmp24.cmm.value.ValidState() + ensures var tmps25 := set t25 | t25 in config.tableEncryptionConfigs.Values; + forall tmp25 :: tmp25 in tmps25 ==> + tmp25.legacyOverride.Some? ==> + tmp25.legacyOverride.value.encryptor.ValidState() + ensures var tmps26 := set t26 | t26 in config.tableEncryptionConfigs.Values; + forall tmp26 :: tmp26 in tmps26 ==> + tmp26.search.Some? 
==> + var tmps27 := set t27 | t27 in tmp26.search.value.versions; + forall tmp27 :: tmp27 in tmps27 ==> + tmp27.keyStore.ValidState() + // END MANUAL EDIT + + // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals + function method CreateSuccessOfClient(client: IDynamoDbEncryptionTransformsClient): Result { + Success(client) + } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals + function method CreateFailureOfError(error: Error): Result { + Failure(error) + } + class DynamoDbEncryptionTransformsClient extends IDynamoDbEncryptionTransformsClient + { + constructor(config: Operations.InternalConfig) + requires Operations.ValidInternalConfig?(config) + ensures + && ValidState() + && fresh(History) + && this.config == config + const config: Operations.InternalConfig + predicate ValidState() + ensures ValidState() ==> + && Operations.ValidInternalConfig?(config) + && History !in Operations.ModifiesInternalConfig(config) + && Modifies == Operations.ModifiesInternalConfig(config) + {History} + predicate PutItemInputTransformEnsuresPublicly(input: PutItemInputTransformInput , output: Result) + {Operations.PutItemInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method PutItemInputTransform ( input: PutItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`PutItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures PutItemInputTransformEnsuresPublicly(input, output) + ensures History.PutItemInputTransform == old(History.PutItemInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.PutItemInputTransform(config, input); + History.PutItemInputTransform := History.PutItemInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate PutItemOutputTransformEnsuresPublicly(input: PutItemOutputTransformInput , output: Result) + {Operations.PutItemOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method PutItemOutputTransform ( input: PutItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`PutItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures PutItemOutputTransformEnsuresPublicly(input, output) + ensures History.PutItemOutputTransform == old(History.PutItemOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.PutItemOutputTransform(config, input); + History.PutItemOutputTransform := History.PutItemOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate GetItemInputTransformEnsuresPublicly(input: GetItemInputTransformInput , output: Result) + {Operations.GetItemInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method GetItemInputTransform ( input: GetItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures GetItemInputTransformEnsuresPublicly(input, output) + ensures History.GetItemInputTransform == old(History.GetItemInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.GetItemInputTransform(config, input); + History.GetItemInputTransform := History.GetItemInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate GetItemOutputTransformEnsuresPublicly(input: GetItemOutputTransformInput , output: Result) + {Operations.GetItemOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method GetItemOutputTransform ( input: GetItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`GetItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures GetItemOutputTransformEnsuresPublicly(input, output) + ensures History.GetItemOutputTransform == old(History.GetItemOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.GetItemOutputTransform(config, input); + History.GetItemOutputTransform := History.GetItemOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate BatchWriteItemInputTransformEnsuresPublicly(input: BatchWriteItemInputTransformInput , output: Result) + {Operations.BatchWriteItemInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method BatchWriteItemInputTransform ( input: BatchWriteItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchWriteItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchWriteItemInputTransformEnsuresPublicly(input, output) + ensures History.BatchWriteItemInputTransform == old(History.BatchWriteItemInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.BatchWriteItemInputTransform(config, input); + History.BatchWriteItemInputTransform := History.BatchWriteItemInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate BatchWriteItemOutputTransformEnsuresPublicly(input: BatchWriteItemOutputTransformInput , output: Result) + {Operations.BatchWriteItemOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method BatchWriteItemOutputTransform ( input: BatchWriteItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchWriteItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures BatchWriteItemOutputTransformEnsuresPublicly(input, output) + ensures History.BatchWriteItemOutputTransform == old(History.BatchWriteItemOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.BatchWriteItemOutputTransform(config, input); + History.BatchWriteItemOutputTransform := History.BatchWriteItemOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate BatchGetItemInputTransformEnsuresPublicly(input: BatchGetItemInputTransformInput , output: Result) + {Operations.BatchGetItemInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method BatchGetItemInputTransform ( input: BatchGetItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchGetItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchGetItemInputTransformEnsuresPublicly(input, output) + ensures History.BatchGetItemInputTransform == old(History.BatchGetItemInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.BatchGetItemInputTransform(config, input); + History.BatchGetItemInputTransform := History.BatchGetItemInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate BatchGetItemOutputTransformEnsuresPublicly(input: BatchGetItemOutputTransformInput , output: Result) + {Operations.BatchGetItemOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method BatchGetItemOutputTransform ( input: BatchGetItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchGetItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures BatchGetItemOutputTransformEnsuresPublicly(input, output) + ensures History.BatchGetItemOutputTransform == old(History.BatchGetItemOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.BatchGetItemOutputTransform(config, input); + History.BatchGetItemOutputTransform := History.BatchGetItemOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ScanInputTransformEnsuresPublicly(input: ScanInputTransformInput , output: Result) + {Operations.ScanInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ScanInputTransform ( input: ScanInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ScanInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ScanInputTransformEnsuresPublicly(input, output) + ensures History.ScanInputTransform == old(History.ScanInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.ScanInputTransform(config, input); + History.ScanInputTransform := History.ScanInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ScanOutputTransformEnsuresPublicly(input: ScanOutputTransformInput , output: Result) + {Operations.ScanOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ScanOutputTransform ( input: ScanOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ScanOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ScanOutputTransformEnsuresPublicly(input, output) + ensures History.ScanOutputTransform == old(History.ScanOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.ScanOutputTransform(config, input); + History.ScanOutputTransform := History.ScanOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate QueryInputTransformEnsuresPublicly(input: QueryInputTransformInput , output: Result) + {Operations.QueryInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method QueryInputTransform ( input: QueryInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`QueryInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures QueryInputTransformEnsuresPublicly(input, output) + ensures History.QueryInputTransform == old(History.QueryInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.QueryInputTransform(config, input); + History.QueryInputTransform := History.QueryInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate QueryOutputTransformEnsuresPublicly(input: QueryOutputTransformInput , output: Result) + {Operations.QueryOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method QueryOutputTransform ( input: QueryOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`QueryOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures QueryOutputTransformEnsuresPublicly(input, output) + ensures History.QueryOutputTransform == old(History.QueryOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.QueryOutputTransform(config, input); + History.QueryOutputTransform := History.QueryOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate TransactWriteItemsInputTransformEnsuresPublicly(input: TransactWriteItemsInputTransformInput , output: Result) + {Operations.TransactWriteItemsInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method TransactWriteItemsInputTransform ( input: TransactWriteItemsInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactWriteItemsInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures TransactWriteItemsInputTransformEnsuresPublicly(input, output) + ensures History.TransactWriteItemsInputTransform == old(History.TransactWriteItemsInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.TransactWriteItemsInputTransform(config, input); + History.TransactWriteItemsInputTransform := History.TransactWriteItemsInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput , output: Result) + {Operations.TransactWriteItemsOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method TransactWriteItemsOutputTransform ( input: TransactWriteItemsOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactWriteItemsOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures TransactWriteItemsOutputTransformEnsuresPublicly(input, output) + ensures History.TransactWriteItemsOutputTransform == old(History.TransactWriteItemsOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.TransactWriteItemsOutputTransform(config, input); + History.TransactWriteItemsOutputTransform := History.TransactWriteItemsOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate UpdateItemInputTransformEnsuresPublicly(input: UpdateItemInputTransformInput , output: Result) + {Operations.UpdateItemInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method UpdateItemInputTransform ( input: UpdateItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`UpdateItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures UpdateItemInputTransformEnsuresPublicly(input, output) + ensures History.UpdateItemInputTransform == old(History.UpdateItemInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.UpdateItemInputTransform(config, input); + History.UpdateItemInputTransform := History.UpdateItemInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate UpdateItemOutputTransformEnsuresPublicly(input: UpdateItemOutputTransformInput , output: Result) + {Operations.UpdateItemOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method UpdateItemOutputTransform ( input: UpdateItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`UpdateItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures UpdateItemOutputTransformEnsuresPublicly(input, output) + ensures History.UpdateItemOutputTransform == old(History.UpdateItemOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.UpdateItemOutputTransform(config, input); + History.UpdateItemOutputTransform := History.UpdateItemOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate DeleteItemInputTransformEnsuresPublicly(input: DeleteItemInputTransformInput , output: Result) + {Operations.DeleteItemInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method DeleteItemInputTransform ( input: DeleteItemInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DeleteItemInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DeleteItemInputTransformEnsuresPublicly(input, output) + ensures History.DeleteItemInputTransform == old(History.DeleteItemInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.DeleteItemInputTransform(config, input); + History.DeleteItemInputTransform := History.DeleteItemInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate DeleteItemOutputTransformEnsuresPublicly(input: DeleteItemOutputTransformInput , output: Result) + {Operations.DeleteItemOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method DeleteItemOutputTransform ( input: DeleteItemOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DeleteItemOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures DeleteItemOutputTransformEnsuresPublicly(input, output) + ensures History.DeleteItemOutputTransform == old(History.DeleteItemOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.DeleteItemOutputTransform(config, input); + History.DeleteItemOutputTransform := History.DeleteItemOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate TransactGetItemsInputTransformEnsuresPublicly(input: TransactGetItemsInputTransformInput , output: Result) + {Operations.TransactGetItemsInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method TransactGetItemsInputTransform ( input: TransactGetItemsInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactGetItemsInputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures TransactGetItemsInputTransformEnsuresPublicly(input, output) + ensures History.TransactGetItemsInputTransform == old(History.TransactGetItemsInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.TransactGetItemsInputTransform(config, input); + History.TransactGetItemsInputTransform := History.TransactGetItemsInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate TransactGetItemsOutputTransformEnsuresPublicly(input: TransactGetItemsOutputTransformInput , output: Result) + {Operations.TransactGetItemsOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method TransactGetItemsOutputTransform ( input: TransactGetItemsOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`TransactGetItemsOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures TransactGetItemsOutputTransformEnsuresPublicly(input, output) + ensures History.TransactGetItemsOutputTransform == old(History.TransactGetItemsOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.TransactGetItemsOutputTransform(config, input); + History.TransactGetItemsOutputTransform := History.TransactGetItemsOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ExecuteStatementInputTransformEnsuresPublicly(input: ExecuteStatementInputTransformInput , output: Result) + {Operations.ExecuteStatementInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ExecuteStatementInputTransform ( input: ExecuteStatementInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteStatementInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteStatementInputTransformEnsuresPublicly(input, output) + ensures History.ExecuteStatementInputTransform == old(History.ExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.ExecuteStatementInputTransform(config, input); + History.ExecuteStatementInputTransform := History.ExecuteStatementInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ExecuteStatementOutputTransformEnsuresPublicly(input: ExecuteStatementOutputTransformInput , output: Result) + {Operations.ExecuteStatementOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ExecuteStatementOutputTransform ( input: ExecuteStatementOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteStatementOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteStatementOutputTransformEnsuresPublicly(input, output) + ensures History.ExecuteStatementOutputTransform == old(History.ExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.ExecuteStatementOutputTransform(config, input); + History.ExecuteStatementOutputTransform := History.ExecuteStatementOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate BatchExecuteStatementInputTransformEnsuresPublicly(input: BatchExecuteStatementInputTransformInput , output: Result) + {Operations.BatchExecuteStatementInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method BatchExecuteStatementInputTransform ( input: BatchExecuteStatementInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchExecuteStatementInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchExecuteStatementInputTransformEnsuresPublicly(input, output) + ensures History.BatchExecuteStatementInputTransform == old(History.BatchExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.BatchExecuteStatementInputTransform(config, input); + History.BatchExecuteStatementInputTransform := History.BatchExecuteStatementInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate BatchExecuteStatementOutputTransformEnsuresPublicly(input: BatchExecuteStatementOutputTransformInput , output: Result) + {Operations.BatchExecuteStatementOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method BatchExecuteStatementOutputTransform ( input: BatchExecuteStatementOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`BatchExecuteStatementOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures BatchExecuteStatementOutputTransformEnsuresPublicly(input, output) + ensures History.BatchExecuteStatementOutputTransform == old(History.BatchExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.BatchExecuteStatementOutputTransform(config, input); + History.BatchExecuteStatementOutputTransform := History.BatchExecuteStatementOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ExecuteTransactionInputTransformEnsuresPublicly(input: ExecuteTransactionInputTransformInput , output: Result) + {Operations.ExecuteTransactionInputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ExecuteTransactionInputTransform ( input: ExecuteTransactionInputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteTransactionInputTransform + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteTransactionInputTransformEnsuresPublicly(input, output) + ensures History.ExecuteTransactionInputTransform == old(History.ExecuteTransactionInputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.ExecuteTransactionInputTransform(config, input); + History.ExecuteTransactionInputTransform := History.ExecuteTransactionInputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ExecuteTransactionOutputTransformEnsuresPublicly(input: ExecuteTransactionOutputTransformInput , output: Result) + {Operations.ExecuteTransactionOutputTransformEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ExecuteTransactionOutputTransform ( input: ExecuteTransactionOutputTransformInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ExecuteTransactionOutputTransform + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures ExecuteTransactionOutputTransformEnsuresPublicly(input, output) + ensures History.ExecuteTransactionOutputTransform == old(History.ExecuteTransactionOutputTransform) + [DafnyCallEvent(input, output)] + { + output := Operations.ExecuteTransactionOutputTransform(config, input); + History.ExecuteTransactionOutputTransform := History.ExecuteTransactionOutputTransform + [DafnyCallEvent(input, output)]; + } + + predicate ResolveAttributesEnsuresPublicly(input: ResolveAttributesInput , output: Result) + {Operations.ResolveAttributesEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method ResolveAttributes ( input: ResolveAttributesInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`ResolveAttributes + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures ResolveAttributesEnsuresPublicly(input, output) + ensures History.ResolveAttributes == old(History.ResolveAttributes) + [DafnyCallEvent(input, output)] + { + output := Operations.ResolveAttributes(config, input); + History.ResolveAttributes := History.ResolveAttributes + [DafnyCallEvent(input, output)]; + } + + } } - trait {:termination false} IDynamoDbEncryptionTransformsClient - { - // Helper to define any additional modifies/reads clauses. - // If your operations need to mutate state, - // add it in your constructor function: - // Modifies := {your, fields, here, History}; - // If you do not need to mutate anything: -// Modifies := {History}; - - ghost const Modifies: set - // For an unassigned field defined in a trait, - // Dafny can only assign a value in the constructor. - // This means that for Dafny to reason about this value, - // it needs some way to know (an invariant), - // about the state of the object. - // This builds on the Valid/Repr paradigm - // To make this kind requires safe to add - // to methods called from unverified code, - // the predicate MUST NOT take any arguments. - // This means that the correctness of this requires - // MUST only be evaluated by the class itself. - // If you require any additional mutation, - // then you MUST ensure everything you need in ValidState. - // You MUST also ensure ValidState in your constructor. 
- predicate ValidState() - ensures ValidState() ==> History in Modifies - ghost const History: IDynamoDbEncryptionTransformsClientCallHistory - predicate PutItemInputTransformEnsuresPublicly(input: PutItemInputTransformInput , output: Result) - // The public method to be called by library consumers - method PutItemInputTransform ( input: PutItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`PutItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures PutItemInputTransformEnsuresPublicly(input, output) - ensures History.PutItemInputTransform == old(History.PutItemInputTransform) + [DafnyCallEvent(input, output)] - - predicate PutItemOutputTransformEnsuresPublicly(input: PutItemOutputTransformInput , output: Result) - // The public method to be called by library consumers - method PutItemOutputTransform ( input: PutItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`PutItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures PutItemOutputTransformEnsuresPublicly(input, output) - ensures History.PutItemOutputTransform == old(History.PutItemOutputTransform) + [DafnyCallEvent(input, output)] - - predicate GetItemInputTransformEnsuresPublicly(input: GetItemInputTransformInput , output: Result) - // The public method to be called by library consumers - method GetItemInputTransform ( input: GetItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`GetItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures GetItemInputTransformEnsuresPublicly(input, output) - ensures History.GetItemInputTransform == old(History.GetItemInputTransform) + [DafnyCallEvent(input, output)] - - predicate GetItemOutputTransformEnsuresPublicly(input: GetItemOutputTransformInput , output: Result) - // The public method to be called by library consumers - method GetItemOutputTransform ( input: GetItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`GetItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures GetItemOutputTransformEnsuresPublicly(input, output) - ensures History.GetItemOutputTransform == old(History.GetItemOutputTransform) + [DafnyCallEvent(input, output)] - - predicate BatchWriteItemInputTransformEnsuresPublicly(input: BatchWriteItemInputTransformInput , output: Result) - // The public method to be called by library consumers - method BatchWriteItemInputTransform ( input: BatchWriteItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchWriteItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchWriteItemInputTransformEnsuresPublicly(input, output) - ensures History.BatchWriteItemInputTransform == old(History.BatchWriteItemInputTransform) + [DafnyCallEvent(input, output)] - - predicate BatchWriteItemOutputTransformEnsuresPublicly(input: BatchWriteItemOutputTransformInput , output: Result) - // The public method to be called by library consumers - method BatchWriteItemOutputTransform ( input: BatchWriteItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchWriteItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures BatchWriteItemOutputTransformEnsuresPublicly(input, output) - ensures History.BatchWriteItemOutputTransform == old(History.BatchWriteItemOutputTransform) + [DafnyCallEvent(input, output)] - - predicate BatchGetItemInputTransformEnsuresPublicly(input: BatchGetItemInputTransformInput , output: Result) - // The public method to be called by library consumers - method BatchGetItemInputTransform ( input: BatchGetItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchGetItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchGetItemInputTransformEnsuresPublicly(input, output) - ensures History.BatchGetItemInputTransform == old(History.BatchGetItemInputTransform) + [DafnyCallEvent(input, output)] - - predicate BatchGetItemOutputTransformEnsuresPublicly(input: BatchGetItemOutputTransformInput , output: Result) - // The public method to be called by library consumers - method BatchGetItemOutputTransform ( input: BatchGetItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchGetItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures BatchGetItemOutputTransformEnsuresPublicly(input, output) - ensures History.BatchGetItemOutputTransform == old(History.BatchGetItemOutputTransform) + [DafnyCallEvent(input, output)] - - predicate ScanInputTransformEnsuresPublicly(input: ScanInputTransformInput , output: Result) - // The public method to be called by library consumers - method ScanInputTransform ( input: ScanInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ScanInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ScanInputTransformEnsuresPublicly(input, output) - ensures History.ScanInputTransform == old(History.ScanInputTransform) + [DafnyCallEvent(input, output)] - - predicate ScanOutputTransformEnsuresPublicly(input: ScanOutputTransformInput , output: Result) - // The public method to be called by library consumers - method ScanOutputTransform ( input: ScanOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ScanOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures ScanOutputTransformEnsuresPublicly(input, output) - ensures History.ScanOutputTransform == old(History.ScanOutputTransform) + [DafnyCallEvent(input, output)] - - predicate QueryInputTransformEnsuresPublicly(input: QueryInputTransformInput , output: Result) - // The public method to be called by library consumers - method QueryInputTransform ( input: QueryInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`QueryInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures QueryInputTransformEnsuresPublicly(input, output) - ensures History.QueryInputTransform == old(History.QueryInputTransform) + [DafnyCallEvent(input, output)] - - predicate QueryOutputTransformEnsuresPublicly(input: QueryOutputTransformInput , output: Result) - // The public method to be called by library consumers - method QueryOutputTransform ( input: QueryOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`QueryOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures QueryOutputTransformEnsuresPublicly(input, output) - ensures History.QueryOutputTransform == old(History.QueryOutputTransform) + [DafnyCallEvent(input, output)] - - predicate TransactWriteItemsInputTransformEnsuresPublicly(input: TransactWriteItemsInputTransformInput , output: Result) - // The public method to be called by library consumers - method TransactWriteItemsInputTransform ( input: TransactWriteItemsInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactWriteItemsInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures TransactWriteItemsInputTransformEnsuresPublicly(input, output) - ensures History.TransactWriteItemsInputTransform == old(History.TransactWriteItemsInputTransform) + [DafnyCallEvent(input, output)] - - predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput , output: Result) - // The public method to be called by library consumers - method TransactWriteItemsOutputTransform ( input: TransactWriteItemsOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactWriteItemsOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures TransactWriteItemsOutputTransformEnsuresPublicly(input, output) - ensures History.TransactWriteItemsOutputTransform == old(History.TransactWriteItemsOutputTransform) + [DafnyCallEvent(input, output)] - - predicate UpdateItemInputTransformEnsuresPublicly(input: UpdateItemInputTransformInput , output: Result) - // The public method to be called by library consumers - method UpdateItemInputTransform ( input: UpdateItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`UpdateItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures UpdateItemInputTransformEnsuresPublicly(input, output) - ensures History.UpdateItemInputTransform == old(History.UpdateItemInputTransform) + [DafnyCallEvent(input, output)] - - predicate UpdateItemOutputTransformEnsuresPublicly(input: UpdateItemOutputTransformInput , output: Result) - // The public method to be called by library consumers - method UpdateItemOutputTransform ( input: UpdateItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`UpdateItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures UpdateItemOutputTransformEnsuresPublicly(input, output) - ensures History.UpdateItemOutputTransform == old(History.UpdateItemOutputTransform) + [DafnyCallEvent(input, output)] - - predicate DeleteItemInputTransformEnsuresPublicly(input: DeleteItemInputTransformInput , output: Result) - // The public method to be called by library consumers - method DeleteItemInputTransform ( input: DeleteItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`DeleteItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures DeleteItemInputTransformEnsuresPublicly(input, output) - ensures History.DeleteItemInputTransform == old(History.DeleteItemInputTransform) + [DafnyCallEvent(input, output)] - - predicate DeleteItemOutputTransformEnsuresPublicly(input: DeleteItemOutputTransformInput , output: Result) - // The public method to be called by library consumers - method DeleteItemOutputTransform ( input: DeleteItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`DeleteItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures DeleteItemOutputTransformEnsuresPublicly(input, output) - ensures History.DeleteItemOutputTransform == old(History.DeleteItemOutputTransform) + [DafnyCallEvent(input, output)] - - predicate TransactGetItemsInputTransformEnsuresPublicly(input: TransactGetItemsInputTransformInput , output: Result) - // The public method to be called by library consumers - method TransactGetItemsInputTransform ( input: TransactGetItemsInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactGetItemsInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures TransactGetItemsInputTransformEnsuresPublicly(input, output) - ensures History.TransactGetItemsInputTransform == old(History.TransactGetItemsInputTransform) + [DafnyCallEvent(input, output)] - - predicate TransactGetItemsOutputTransformEnsuresPublicly(input: TransactGetItemsOutputTransformInput , output: Result) - // The public method to be called by library consumers - method TransactGetItemsOutputTransform ( input: TransactGetItemsOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactGetItemsOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures TransactGetItemsOutputTransformEnsuresPublicly(input, output) - ensures History.TransactGetItemsOutputTransform == old(History.TransactGetItemsOutputTransform) + [DafnyCallEvent(input, output)] - - predicate ExecuteStatementInputTransformEnsuresPublicly(input: ExecuteStatementInputTransformInput , output: Result) - // The public method to be called by library consumers - method ExecuteStatementInputTransform ( input: ExecuteStatementInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteStatementInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteStatementInputTransformEnsuresPublicly(input, output) - ensures History.ExecuteStatementInputTransform == old(History.ExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] - - predicate ExecuteStatementOutputTransformEnsuresPublicly(input: ExecuteStatementOutputTransformInput , output: Result) - // The public method to be called by library consumers - method ExecuteStatementOutputTransform ( input: ExecuteStatementOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteStatementOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteStatementOutputTransformEnsuresPublicly(input, output) - ensures History.ExecuteStatementOutputTransform == old(History.ExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] - - predicate BatchExecuteStatementInputTransformEnsuresPublicly(input: BatchExecuteStatementInputTransformInput , output: Result) - // The public method to be called by library consumers - method BatchExecuteStatementInputTransform ( input: BatchExecuteStatementInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchExecuteStatementInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures BatchExecuteStatementInputTransformEnsuresPublicly(input, output) - ensures History.BatchExecuteStatementInputTransform == old(History.BatchExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] - - predicate BatchExecuteStatementOutputTransformEnsuresPublicly(input: BatchExecuteStatementOutputTransformInput , output: Result) - // The public method to be called by library consumers - method BatchExecuteStatementOutputTransform ( input: BatchExecuteStatementOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchExecuteStatementOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchExecuteStatementOutputTransformEnsuresPublicly(input, output) - ensures History.BatchExecuteStatementOutputTransform == old(History.BatchExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] - - predicate ExecuteTransactionInputTransformEnsuresPublicly(input: ExecuteTransactionInputTransformInput , output: Result) - // The public method to be called by library consumers - method ExecuteTransactionInputTransform ( input: ExecuteTransactionInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteTransactionInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteTransactionInputTransformEnsuresPublicly(input, output) - ensures History.ExecuteTransactionInputTransform == old(History.ExecuteTransactionInputTransform) + [DafnyCallEvent(input, output)] - - predicate ExecuteTransactionOutputTransformEnsuresPublicly(input: ExecuteTransactionOutputTransformInput , output: Result) - // The public method to be called by library consumers - method ExecuteTransactionOutputTransform ( input: ExecuteTransactionOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteTransactionOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteTransactionOutputTransformEnsuresPublicly(input, output) - ensures History.ExecuteTransactionOutputTransform == old(History.ExecuteTransactionOutputTransform) + [DafnyCallEvent(input, output)] - - predicate ResolveAttributesEnsuresPublicly(input: ResolveAttributesInput , output: Result) - // The public method to be called by library consumers - method ResolveAttributes ( input: ResolveAttributesInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ResolveAttributes - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures ResolveAttributesEnsuresPublicly(input, output) - ensures History.ResolveAttributes == old(History.ResolveAttributes) + [DafnyCallEvent(input, output)] - -} - datatype ExecuteStatementInputTransformInput = | ExecuteStatementInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.ExecuteStatementInput - ) - datatype ExecuteStatementInputTransformOutput = | ExecuteStatementInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.ExecuteStatementInput - ) - datatype ExecuteStatementOutputTransformInput = | ExecuteStatementOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.ExecuteStatementOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.ExecuteStatementInput - ) - datatype ExecuteStatementOutputTransformOutput = | ExecuteStatementOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.ExecuteStatementOutput - ) - datatype ExecuteTransactionInputTransformInput = | ExecuteTransactionInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.ExecuteTransactionInput - ) - datatype ExecuteTransactionInputTransformOutput = | ExecuteTransactionInputTransformOutput ( - nameonly transformedInput: 
ComAmazonawsDynamodbTypes.ExecuteTransactionInput - ) - datatype ExecuteTransactionOutputTransformInput = | ExecuteTransactionOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.ExecuteTransactionOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.ExecuteTransactionInput - ) - datatype ExecuteTransactionOutputTransformOutput = | ExecuteTransactionOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.ExecuteTransactionOutput - ) - datatype GetItemInputTransformInput = | GetItemInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.GetItemInput - ) - datatype GetItemInputTransformOutput = | GetItemInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.GetItemInput - ) - datatype GetItemOutputTransformInput = | GetItemOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.GetItemOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.GetItemInput - ) - datatype GetItemOutputTransformOutput = | GetItemOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.GetItemOutput - ) - datatype PutItemInputTransformInput = | PutItemInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.PutItemInput - ) - datatype PutItemInputTransformOutput = | PutItemInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.PutItemInput - ) - datatype PutItemOutputTransformInput = | PutItemOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.PutItemOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.PutItemInput - ) - datatype PutItemOutputTransformOutput = | PutItemOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.PutItemOutput - ) - datatype QueryInputTransformInput = | QueryInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.QueryInput - ) - datatype QueryInputTransformOutput = | QueryInputTransformOutput ( - nameonly transformedInput: 
ComAmazonawsDynamodbTypes.QueryInput - ) - datatype QueryOutputTransformInput = | QueryOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.QueryOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.QueryInput - ) - datatype QueryOutputTransformOutput = | QueryOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.QueryOutput - ) - datatype ResolveAttributesInput = | ResolveAttributesInput ( - nameonly TableName: ComAmazonawsDynamodbTypes.TableName , - nameonly Item: ComAmazonawsDynamodbTypes.AttributeMap , - nameonly Version: Option := Option.None - ) - datatype ResolveAttributesOutput = | ResolveAttributesOutput ( - nameonly VirtualFields: StringMap , - nameonly CompoundBeacons: StringMap - ) - datatype ScanInputTransformInput = | ScanInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.ScanInput - ) - datatype ScanInputTransformOutput = | ScanInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.ScanInput - ) - datatype ScanOutputTransformInput = | ScanOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.ScanOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.ScanInput - ) - datatype ScanOutputTransformOutput = | ScanOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.ScanOutput - ) - type StringMap = map - datatype TransactGetItemsInputTransformInput = | TransactGetItemsInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.TransactGetItemsInput - ) - datatype TransactGetItemsInputTransformOutput = | TransactGetItemsInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.TransactGetItemsInput - ) - datatype TransactGetItemsOutputTransformInput = | TransactGetItemsOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.TransactGetItemsOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.TransactGetItemsInput - ) - datatype TransactGetItemsOutputTransformOutput = 
| TransactGetItemsOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.TransactGetItemsOutput - ) - datatype TransactWriteItemsInputTransformInput = | TransactWriteItemsInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.TransactWriteItemsInput - ) - datatype TransactWriteItemsInputTransformOutput = | TransactWriteItemsInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.TransactWriteItemsInput - ) - datatype TransactWriteItemsOutputTransformInput = | TransactWriteItemsOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.TransactWriteItemsOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.TransactWriteItemsInput - ) - datatype TransactWriteItemsOutputTransformOutput = | TransactWriteItemsOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.TransactWriteItemsOutput - ) - datatype UpdateItemInputTransformInput = | UpdateItemInputTransformInput ( - nameonly sdkInput: ComAmazonawsDynamodbTypes.UpdateItemInput - ) - datatype UpdateItemInputTransformOutput = | UpdateItemInputTransformOutput ( - nameonly transformedInput: ComAmazonawsDynamodbTypes.UpdateItemInput - ) - datatype UpdateItemOutputTransformInput = | UpdateItemOutputTransformInput ( - nameonly sdkOutput: ComAmazonawsDynamodbTypes.UpdateItemOutput , - nameonly originalInput: ComAmazonawsDynamodbTypes.UpdateItemInput - ) - datatype UpdateItemOutputTransformOutput = | UpdateItemOutputTransformOutput ( - nameonly transformedOutput: ComAmazonawsDynamodbTypes.UpdateItemOutput - ) - datatype Error = - // Local Error structures are listed here - | DynamoDbEncryptionTransformsException ( - nameonly message: string - ) - // Any dependent models are listed here - | AwsCryptographyDbEncryptionSdkDynamoDb(AwsCryptographyDbEncryptionSdkDynamoDb: AwsCryptographyDbEncryptionSdkDynamoDbTypes.Error) - | AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptor(AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptor: 
AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.Error) - | AwsCryptographyDbEncryptionSdkStructuredEncryption(AwsCryptographyDbEncryptionSdkStructuredEncryption: AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.Error) - | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) - | ComAmazonawsDynamodb(ComAmazonawsDynamodb: ComAmazonawsDynamodbTypes.Error) - // The Collection error is used to collect several errors together - // This is useful when composing OR logic. - // Consider the following method: - // - // method FN(n:I) - // returns (res: Result) - // ensures A(I).Success? ==> res.Success? - // ensures B(I).Success? ==> res.Success? - // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? - // - // If either A || B is successful then FN is successful. - // And if A && B fail then FN will fail. - // But what information should FN transmit back to the caller? - // While it may be correct to hide these details from the caller, - // this can not be the globally correct option. - // Suppose that A and B can be blocked by different ACLs, - // and that their representation of I is only eventually consistent. - // How can the caller distinguish, at a minimum for logging, - // the difference between the four failure modes? - // || (!access(A(I)) && !access(B(I))) - // || (!exit(A(I)) && !exit(B(I))) - // || (!access(A(I)) && !exit(B(I))) - // || (!exit(A(I)) && !access(B(I))) - | CollectionOfErrors(list: seq, nameonly message: string) - // The Opaque error, used for native, extern, wrapped or unknown errors - | Opaque(obj: object) - type OpaqueError = e: Error | e.Opaque? 
witness * -} - abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsService - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes - import Operations : AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations - function method DefaultDynamoDbTablesEncryptionConfig(): AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig - method DynamoDbEncryptionTransforms(config: AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig := DefaultDynamoDbTablesEncryptionConfig()) - returns (res: Result) -// BEGIN MANUAL EDIT - requires var tmps0 := set t0 | t0 in config.tableEncryptionConfigs.Values; - forall tmp0 :: tmp0 in tmps0 ==> - tmp0.keyring.Some? ==> - tmp0.keyring.value.ValidState() - requires var tmps1 := set t1 | t1 in config.tableEncryptionConfigs.Values; - forall tmp1 :: tmp1 in tmps1 ==> - tmp1.cmm.Some? ==> - tmp1.cmm.value.ValidState() - requires var tmps2 := set t2 | t2 in config.tableEncryptionConfigs.Values; - forall tmp2 :: tmp2 in tmps2 ==> - tmp2.legacyOverride.Some? ==> - tmp2.legacyOverride.value.encryptor.ValidState() - requires var tmps3 := set t3 | t3 in config.tableEncryptionConfigs.Values; - forall tmp3 :: tmp3 in tmps3 ==> - tmp3.search.Some? ==> - var tmps4 := set t4 | t4 in tmp3.search.value.versions; - forall tmp4 :: tmp4 in tmps4 ==> - tmp4.keyStore.ValidState() - modifies var tmps5 := set t5 | t5 in config.tableEncryptionConfigs.Values - && t5.keyring.Some? - :: t5.keyring.value; - var tmps5FlattenedModifiesSet: set> := set t0 - | t0 in tmps5 :: t0.Modifies; - (set tmp6ModifyEntry, tmp6Modifies | - tmp6Modifies in tmps5FlattenedModifiesSet - && tmp6ModifyEntry in tmp6Modifies - :: tmp6ModifyEntry) - modifies var tmps7 := set t7 | t7 in config.tableEncryptionConfigs.Values - && t7.cmm.Some? 
- :: t7.cmm.value; - var tmps7FlattenedModifiesSet: set> := set t0 - | t0 in tmps7 :: t0.Modifies; - (set tmp8ModifyEntry, tmp8Modifies | - tmp8Modifies in tmps7FlattenedModifiesSet - && tmp8ModifyEntry in tmp8Modifies - :: tmp8ModifyEntry) - modifies var tmps9 := set t9 | t9 in config.tableEncryptionConfigs.Values - && t9.legacyOverride.Some? - :: t9.legacyOverride.value.encryptor; - var tmps9FlattenedModifiesSet: set> := set t0 - | t0 in tmps9 :: t0.Modifies; - (set tmp10ModifyEntry, tmp10Modifies | - tmp10Modifies in tmps9FlattenedModifiesSet - && tmp10ModifyEntry in tmp10Modifies - :: tmp10ModifyEntry) - modifies var tmps11 := set t11 | t11 in config.tableEncryptionConfigs.Values - && t11.search.Some? - :: set t12 | t12 in t11.search.value.versions :: t12.keyStore; - var tmps11FlattenedModifiesSet: set> := set t0 -, t1 | t0 in tmps11 && t1 in t0 :: t1.Modifies; - (set tmp13ModifyEntry, tmp13Modifies | - tmp13Modifies in tmps11FlattenedModifiesSet - && tmp13ModifyEntry in tmp13Modifies - :: tmp13ModifyEntry) - ensures res.Success? ==> - && fresh(res.value) - && fresh(res.value.Modifies - - ( var tmps14 := set t14 | t14 in config.tableEncryptionConfigs.Values - && t14.keyring.Some? - :: t14.keyring.value; - var tmps14FlattenedModifiesSet: set> := set t0 - | t0 in tmps14 :: t0.Modifies; - (set tmp15ModifyEntry, tmp15Modifies | - tmp15Modifies in tmps14FlattenedModifiesSet - && tmp15ModifyEntry in tmp15Modifies - :: tmp15ModifyEntry) - ) - ( var tmps16 := set t16 | t16 in config.tableEncryptionConfigs.Values - && t16.cmm.Some? - :: t16.cmm.value; - var tmps16FlattenedModifiesSet: set> := set t0 - | t0 in tmps16 :: t0.Modifies; - (set tmp17ModifyEntry, tmp17Modifies | - tmp17Modifies in tmps16FlattenedModifiesSet - && tmp17ModifyEntry in tmp17Modifies - :: tmp17ModifyEntry) - ) - ( var tmps18 := set t18 | t18 in config.tableEncryptionConfigs.Values - && t18.legacyOverride.Some? 
- :: t18.legacyOverride.value.encryptor; - var tmps18FlattenedModifiesSet: set> := set t0 - | t0 in tmps18 :: t0.Modifies; - (set tmp19ModifyEntry, tmp19Modifies | - tmp19Modifies in tmps18FlattenedModifiesSet - && tmp19ModifyEntry in tmp19Modifies - :: tmp19ModifyEntry) - ) - ( var tmps20 := set t20 | t20 in config.tableEncryptionConfigs.Values - && t20.search.Some? - :: set t21 | t21 in t20.search.value.versions :: t21.keyStore; - var tmps20FlattenedModifiesSet: set> := set t0 -, t1 | t0 in tmps20 && t1 in t0 :: t1.Modifies; - (set tmp22ModifyEntry, tmp22Modifies | - tmp22Modifies in tmps20FlattenedModifiesSet - && tmp22ModifyEntry in tmp22Modifies - :: tmp22ModifyEntry) - ) ) - && fresh(res.value.History) - && res.value.ValidState() - ensures var tmps23 := set t23 | t23 in config.tableEncryptionConfigs.Values; - forall tmp23 :: tmp23 in tmps23 ==> - tmp23.keyring.Some? ==> - tmp23.keyring.value.ValidState() - ensures var tmps24 := set t24 | t24 in config.tableEncryptionConfigs.Values; - forall tmp24 :: tmp24 in tmps24 ==> - tmp24.cmm.Some? ==> - tmp24.cmm.value.ValidState() - ensures var tmps25 := set t25 | t25 in config.tableEncryptionConfigs.Values; - forall tmp25 :: tmp25 in tmps25 ==> - tmp25.legacyOverride.Some? ==> - tmp25.legacyOverride.value.encryptor.ValidState() - ensures var tmps26 := set t26 | t26 in config.tableEncryptionConfigs.Values; - forall tmp26 :: tmp26 in tmps26 ==> - tmp26.search.Some? 
==> - var tmps27 := set t27 | t27 in tmp26.search.value.versions; - forall tmp27 :: tmp27 in tmps27 ==> - tmp27.keyStore.ValidState() -// END MANUAL EDIT - - // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals - function method CreateSuccessOfClient(client: IDynamoDbEncryptionTransformsClient): Result { - Success(client) - } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals - function method CreateFailureOfError(error: Error): Result { - Failure(error) - } - class DynamoDbEncryptionTransformsClient extends IDynamoDbEncryptionTransformsClient - { - constructor(config: Operations.InternalConfig) - requires Operations.ValidInternalConfig?(config) - ensures - && ValidState() - && fresh(History) - && this.config == config - const config: Operations.InternalConfig - predicate ValidState() - ensures ValidState() ==> - && Operations.ValidInternalConfig?(config) - && History !in Operations.ModifiesInternalConfig(config) - && Modifies == Operations.ModifiesInternalConfig(config) + {History} - predicate PutItemInputTransformEnsuresPublicly(input: PutItemInputTransformInput , output: Result) - {Operations.PutItemInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method PutItemInputTransform ( input: PutItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`PutItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures PutItemInputTransformEnsuresPublicly(input, output) - ensures History.PutItemInputTransform == old(History.PutItemInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.PutItemInputTransform(config, input); - History.PutItemInputTransform := History.PutItemInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate PutItemOutputTransformEnsuresPublicly(input: PutItemOutputTransformInput , output: Result) - {Operations.PutItemOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method PutItemOutputTransform ( input: PutItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`PutItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures PutItemOutputTransformEnsuresPublicly(input, output) - ensures History.PutItemOutputTransform == old(History.PutItemOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.PutItemOutputTransform(config, input); - History.PutItemOutputTransform := History.PutItemOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate GetItemInputTransformEnsuresPublicly(input: GetItemInputTransformInput , output: Result) - {Operations.GetItemInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method GetItemInputTransform ( input: GetItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`GetItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures GetItemInputTransformEnsuresPublicly(input, output) - ensures History.GetItemInputTransform == old(History.GetItemInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.GetItemInputTransform(config, input); - History.GetItemInputTransform := History.GetItemInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate GetItemOutputTransformEnsuresPublicly(input: GetItemOutputTransformInput , output: Result) - {Operations.GetItemOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method GetItemOutputTransform ( input: GetItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`GetItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures GetItemOutputTransformEnsuresPublicly(input, output) - ensures History.GetItemOutputTransform == old(History.GetItemOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.GetItemOutputTransform(config, input); - History.GetItemOutputTransform := History.GetItemOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate BatchWriteItemInputTransformEnsuresPublicly(input: BatchWriteItemInputTransformInput , output: Result) - {Operations.BatchWriteItemInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method BatchWriteItemInputTransform ( input: BatchWriteItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchWriteItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchWriteItemInputTransformEnsuresPublicly(input, output) - ensures History.BatchWriteItemInputTransform == old(History.BatchWriteItemInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.BatchWriteItemInputTransform(config, input); - History.BatchWriteItemInputTransform := History.BatchWriteItemInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate BatchWriteItemOutputTransformEnsuresPublicly(input: BatchWriteItemOutputTransformInput , output: Result) - {Operations.BatchWriteItemOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method BatchWriteItemOutputTransform ( input: BatchWriteItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchWriteItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures BatchWriteItemOutputTransformEnsuresPublicly(input, output) - ensures History.BatchWriteItemOutputTransform == old(History.BatchWriteItemOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.BatchWriteItemOutputTransform(config, input); - History.BatchWriteItemOutputTransform := History.BatchWriteItemOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate BatchGetItemInputTransformEnsuresPublicly(input: BatchGetItemInputTransformInput , output: Result) - {Operations.BatchGetItemInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method BatchGetItemInputTransform ( input: BatchGetItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchGetItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchGetItemInputTransformEnsuresPublicly(input, output) - ensures History.BatchGetItemInputTransform == old(History.BatchGetItemInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.BatchGetItemInputTransform(config, input); - History.BatchGetItemInputTransform := History.BatchGetItemInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate BatchGetItemOutputTransformEnsuresPublicly(input: BatchGetItemOutputTransformInput , output: Result) - {Operations.BatchGetItemOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method BatchGetItemOutputTransform ( input: BatchGetItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchGetItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures BatchGetItemOutputTransformEnsuresPublicly(input, output) - ensures History.BatchGetItemOutputTransform == old(History.BatchGetItemOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.BatchGetItemOutputTransform(config, input); - History.BatchGetItemOutputTransform := History.BatchGetItemOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ScanInputTransformEnsuresPublicly(input: ScanInputTransformInput , output: Result) - {Operations.ScanInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ScanInputTransform ( input: ScanInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ScanInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ScanInputTransformEnsuresPublicly(input, output) - ensures History.ScanInputTransform == old(History.ScanInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.ScanInputTransform(config, input); - History.ScanInputTransform := History.ScanInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ScanOutputTransformEnsuresPublicly(input: ScanOutputTransformInput , output: Result) - {Operations.ScanOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ScanOutputTransform ( input: ScanOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ScanOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures ScanOutputTransformEnsuresPublicly(input, output) - ensures History.ScanOutputTransform == old(History.ScanOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.ScanOutputTransform(config, input); - History.ScanOutputTransform := History.ScanOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate QueryInputTransformEnsuresPublicly(input: QueryInputTransformInput , output: Result) - {Operations.QueryInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method QueryInputTransform ( input: QueryInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`QueryInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures QueryInputTransformEnsuresPublicly(input, output) - ensures History.QueryInputTransform == old(History.QueryInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.QueryInputTransform(config, input); - History.QueryInputTransform := History.QueryInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate QueryOutputTransformEnsuresPublicly(input: QueryOutputTransformInput , output: Result) - {Operations.QueryOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method QueryOutputTransform ( input: QueryOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`QueryOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures QueryOutputTransformEnsuresPublicly(input, output) - ensures History.QueryOutputTransform == old(History.QueryOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.QueryOutputTransform(config, input); - History.QueryOutputTransform := History.QueryOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate TransactWriteItemsInputTransformEnsuresPublicly(input: TransactWriteItemsInputTransformInput , output: Result) - {Operations.TransactWriteItemsInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method TransactWriteItemsInputTransform ( input: TransactWriteItemsInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactWriteItemsInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures TransactWriteItemsInputTransformEnsuresPublicly(input, output) - ensures History.TransactWriteItemsInputTransform == old(History.TransactWriteItemsInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.TransactWriteItemsInputTransform(config, input); - History.TransactWriteItemsInputTransform := History.TransactWriteItemsInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput , output: Result) - {Operations.TransactWriteItemsOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method TransactWriteItemsOutputTransform ( input: TransactWriteItemsOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactWriteItemsOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures TransactWriteItemsOutputTransformEnsuresPublicly(input, output) - ensures History.TransactWriteItemsOutputTransform == old(History.TransactWriteItemsOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.TransactWriteItemsOutputTransform(config, input); - History.TransactWriteItemsOutputTransform := History.TransactWriteItemsOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate UpdateItemInputTransformEnsuresPublicly(input: UpdateItemInputTransformInput , output: Result) - {Operations.UpdateItemInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method UpdateItemInputTransform ( input: UpdateItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`UpdateItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures UpdateItemInputTransformEnsuresPublicly(input, output) - ensures History.UpdateItemInputTransform == old(History.UpdateItemInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.UpdateItemInputTransform(config, input); - History.UpdateItemInputTransform := History.UpdateItemInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate UpdateItemOutputTransformEnsuresPublicly(input: UpdateItemOutputTransformInput , output: Result) - {Operations.UpdateItemOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method UpdateItemOutputTransform ( input: UpdateItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`UpdateItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures UpdateItemOutputTransformEnsuresPublicly(input, output) - ensures History.UpdateItemOutputTransform == old(History.UpdateItemOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.UpdateItemOutputTransform(config, input); - History.UpdateItemOutputTransform := History.UpdateItemOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate DeleteItemInputTransformEnsuresPublicly(input: DeleteItemInputTransformInput , output: Result) - {Operations.DeleteItemInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method DeleteItemInputTransform ( input: DeleteItemInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`DeleteItemInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures DeleteItemInputTransformEnsuresPublicly(input, output) - ensures History.DeleteItemInputTransform == old(History.DeleteItemInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.DeleteItemInputTransform(config, input); - History.DeleteItemInputTransform := History.DeleteItemInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate DeleteItemOutputTransformEnsuresPublicly(input: DeleteItemOutputTransformInput , output: Result) - {Operations.DeleteItemOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method DeleteItemOutputTransform ( input: DeleteItemOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`DeleteItemOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures DeleteItemOutputTransformEnsuresPublicly(input, output) - ensures History.DeleteItemOutputTransform == old(History.DeleteItemOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.DeleteItemOutputTransform(config, input); - History.DeleteItemOutputTransform := History.DeleteItemOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate TransactGetItemsInputTransformEnsuresPublicly(input: TransactGetItemsInputTransformInput , output: Result) - {Operations.TransactGetItemsInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method TransactGetItemsInputTransform ( input: TransactGetItemsInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactGetItemsInputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures TransactGetItemsInputTransformEnsuresPublicly(input, output) - ensures History.TransactGetItemsInputTransform == old(History.TransactGetItemsInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.TransactGetItemsInputTransform(config, input); - History.TransactGetItemsInputTransform := History.TransactGetItemsInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate TransactGetItemsOutputTransformEnsuresPublicly(input: TransactGetItemsOutputTransformInput , output: Result) - {Operations.TransactGetItemsOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method TransactGetItemsOutputTransform ( input: TransactGetItemsOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`TransactGetItemsOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures TransactGetItemsOutputTransformEnsuresPublicly(input, output) - ensures History.TransactGetItemsOutputTransform == old(History.TransactGetItemsOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.TransactGetItemsOutputTransform(config, input); - History.TransactGetItemsOutputTransform := History.TransactGetItemsOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ExecuteStatementInputTransformEnsuresPublicly(input: ExecuteStatementInputTransformInput , output: Result) - {Operations.ExecuteStatementInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ExecuteStatementInputTransform ( input: ExecuteStatementInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteStatementInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteStatementInputTransformEnsuresPublicly(input, output) - ensures History.ExecuteStatementInputTransform == old(History.ExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.ExecuteStatementInputTransform(config, input); - History.ExecuteStatementInputTransform := History.ExecuteStatementInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ExecuteStatementOutputTransformEnsuresPublicly(input: ExecuteStatementOutputTransformInput , output: Result) - {Operations.ExecuteStatementOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ExecuteStatementOutputTransform ( input: ExecuteStatementOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteStatementOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteStatementOutputTransformEnsuresPublicly(input, output) - ensures History.ExecuteStatementOutputTransform == old(History.ExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.ExecuteStatementOutputTransform(config, input); - History.ExecuteStatementOutputTransform := History.ExecuteStatementOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate BatchExecuteStatementInputTransformEnsuresPublicly(input: BatchExecuteStatementInputTransformInput , output: Result) - {Operations.BatchExecuteStatementInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method BatchExecuteStatementInputTransform ( input: BatchExecuteStatementInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchExecuteStatementInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchExecuteStatementInputTransformEnsuresPublicly(input, output) - ensures History.BatchExecuteStatementInputTransform == old(History.BatchExecuteStatementInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.BatchExecuteStatementInputTransform(config, input); - History.BatchExecuteStatementInputTransform := History.BatchExecuteStatementInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate BatchExecuteStatementOutputTransformEnsuresPublicly(input: BatchExecuteStatementOutputTransformInput , output: Result) - {Operations.BatchExecuteStatementOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method BatchExecuteStatementOutputTransform ( input: BatchExecuteStatementOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`BatchExecuteStatementOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures BatchExecuteStatementOutputTransformEnsuresPublicly(input, output) - ensures History.BatchExecuteStatementOutputTransform == old(History.BatchExecuteStatementOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.BatchExecuteStatementOutputTransform(config, input); - History.BatchExecuteStatementOutputTransform := History.BatchExecuteStatementOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ExecuteTransactionInputTransformEnsuresPublicly(input: ExecuteTransactionInputTransformInput , output: Result) - {Operations.ExecuteTransactionInputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ExecuteTransactionInputTransform ( input: ExecuteTransactionInputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteTransactionInputTransform - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteTransactionInputTransformEnsuresPublicly(input, output) - ensures History.ExecuteTransactionInputTransform == old(History.ExecuteTransactionInputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.ExecuteTransactionInputTransform(config, input); - History.ExecuteTransactionInputTransform := History.ExecuteTransactionInputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ExecuteTransactionOutputTransformEnsuresPublicly(input: ExecuteTransactionOutputTransformInput , output: Result) - {Operations.ExecuteTransactionOutputTransformEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ExecuteTransactionOutputTransform ( input: ExecuteTransactionOutputTransformInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ExecuteTransactionOutputTransform - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures ExecuteTransactionOutputTransformEnsuresPublicly(input, output) - ensures History.ExecuteTransactionOutputTransform == old(History.ExecuteTransactionOutputTransform) + [DafnyCallEvent(input, output)] - { - output := Operations.ExecuteTransactionOutputTransform(config, input); - History.ExecuteTransactionOutputTransform := History.ExecuteTransactionOutputTransform + [DafnyCallEvent(input, output)]; -} - - predicate ResolveAttributesEnsuresPublicly(input: ResolveAttributesInput , output: Result) - {Operations.ResolveAttributesEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method ResolveAttributes ( input: ResolveAttributesInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`ResolveAttributes - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures ResolveAttributesEnsuresPublicly(input, output) - ensures History.ResolveAttributes == old(History.ResolveAttributes) + [DafnyCallEvent(input, output)] - { - output := Operations.ResolveAttributes(config, input); - History.ResolveAttributes := History.ResolveAttributes + [DafnyCallEvent(input, output)]; -} - -} -} - abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes - type InternalConfig - predicate ValidInternalConfig?(config: InternalConfig) - function ModifiesInternalConfig(config: InternalConfig): set - predicate PutItemInputTransformEnsuresPublicly(input: PutItemInputTransformInput , output: Result) - // The private method to be refined by the library developer - - - method PutItemInputTransform ( config: InternalConfig , input: PutItemInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures PutItemInputTransformEnsuresPublicly(input, output) - - - predicate PutItemOutputTransformEnsuresPublicly(input: PutItemOutputTransformInput , output: Result) - // The private method to be refined by the library developer - - - method PutItemOutputTransform ( config: InternalConfig , input: PutItemOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures PutItemOutputTransformEnsuresPublicly(input, output) - - - predicate GetItemInputTransformEnsuresPublicly(input: GetItemInputTransformInput , output: Result) - // The private method to be refined by the library developer - - - method GetItemInputTransform ( config: InternalConfig , input: GetItemInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures GetItemInputTransformEnsuresPublicly(input, output) - - - predicate GetItemOutputTransformEnsuresPublicly(input: GetItemOutputTransformInput , output: Result) - // The private method to be refined by the library developer - - - method GetItemOutputTransform ( config: InternalConfig , input: GetItemOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures GetItemOutputTransformEnsuresPublicly(input, output) - - - predicate BatchWriteItemInputTransformEnsuresPublicly(input: BatchWriteItemInputTransformInput , output: Result) - // The private method to be refined by the library developer - - - method BatchWriteItemInputTransform ( config: InternalConfig , input: BatchWriteItemInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures BatchWriteItemInputTransformEnsuresPublicly(input, output) - - - predicate BatchWriteItemOutputTransformEnsuresPublicly(input: BatchWriteItemOutputTransformInput , output: Result) - // The private method to be refined by the library developer - - - method BatchWriteItemOutputTransform ( config: InternalConfig , input: BatchWriteItemOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures BatchWriteItemOutputTransformEnsuresPublicly(input, output) - +abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations { + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes + type InternalConfig + predicate ValidInternalConfig?(config: InternalConfig) + function ModifiesInternalConfig(config: InternalConfig): set + predicate PutItemInputTransformEnsuresPublicly(input: PutItemInputTransformInput , output: Result) + // The private method to be refined by the library developer + + + method PutItemInputTransform ( config: InternalConfig , input: PutItemInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures PutItemInputTransformEnsuresPublicly(input, output) + + + predicate PutItemOutputTransformEnsuresPublicly(input: PutItemOutputTransformInput , output: Result) + // The private method to be refined by the library developer + + + method PutItemOutputTransform ( config: InternalConfig , input: PutItemOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures PutItemOutputTransformEnsuresPublicly(input, output) + + + predicate GetItemInputTransformEnsuresPublicly(input: GetItemInputTransformInput , output: Result) + // The private method to be refined by the library developer + + + method GetItemInputTransform ( config: InternalConfig , input: GetItemInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures GetItemInputTransformEnsuresPublicly(input, output) + + + predicate GetItemOutputTransformEnsuresPublicly(input: GetItemOutputTransformInput , output: Result) + // The private method to be refined by the library developer + + + method GetItemOutputTransform ( config: InternalConfig , input: GetItemOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures GetItemOutputTransformEnsuresPublicly(input, output) + + + predicate BatchWriteItemInputTransformEnsuresPublicly(input: BatchWriteItemInputTransformInput , output: Result) + // The private method to be refined by the library developer + + + method BatchWriteItemInputTransform ( config: InternalConfig , input: BatchWriteItemInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures BatchWriteItemInputTransformEnsuresPublicly(input, output) + + + predicate BatchWriteItemOutputTransformEnsuresPublicly(input: BatchWriteItemOutputTransformInput , output: Result) + // The private method to be refined by the library developer + + + method BatchWriteItemOutputTransform ( config: InternalConfig , input: BatchWriteItemOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures BatchWriteItemOutputTransformEnsuresPublicly(input, output) + - predicate BatchGetItemInputTransformEnsuresPublicly(input: BatchGetItemInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate BatchGetItemInputTransformEnsuresPublicly(input: BatchGetItemInputTransformInput , output: Result) + // The private method to be refined by the library developer - method BatchGetItemInputTransform ( config: InternalConfig , input: BatchGetItemInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures BatchGetItemInputTransformEnsuresPublicly(input, output) + method BatchGetItemInputTransform ( config: InternalConfig , input: BatchGetItemInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures BatchGetItemInputTransformEnsuresPublicly(input, output) - predicate BatchGetItemOutputTransformEnsuresPublicly(input: BatchGetItemOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate BatchGetItemOutputTransformEnsuresPublicly(input: BatchGetItemOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method BatchGetItemOutputTransform ( config: InternalConfig , input: BatchGetItemOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures BatchGetItemOutputTransformEnsuresPublicly(input, output) + method BatchGetItemOutputTransform ( config: InternalConfig , input: BatchGetItemOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures BatchGetItemOutputTransformEnsuresPublicly(input, output) - predicate ScanInputTransformEnsuresPublicly(input: ScanInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate ScanInputTransformEnsuresPublicly(input: ScanInputTransformInput , output: Result) + // The private method to be refined by the library developer - method ScanInputTransform ( config: InternalConfig , input: ScanInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ScanInputTransformEnsuresPublicly(input, output) + method ScanInputTransform ( config: InternalConfig , input: ScanInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ScanInputTransformEnsuresPublicly(input, output) - predicate ScanOutputTransformEnsuresPublicly(input: ScanOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate ScanOutputTransformEnsuresPublicly(input: ScanOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method ScanOutputTransform ( config: InternalConfig , input: ScanOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ScanOutputTransformEnsuresPublicly(input, output) + method ScanOutputTransform ( config: InternalConfig , input: ScanOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ScanOutputTransformEnsuresPublicly(input, output) - predicate QueryInputTransformEnsuresPublicly(input: QueryInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate QueryInputTransformEnsuresPublicly(input: QueryInputTransformInput , output: Result) + // The private method to be refined by the library developer - method QueryInputTransform ( config: InternalConfig , input: QueryInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures QueryInputTransformEnsuresPublicly(input, output) + method QueryInputTransform ( config: InternalConfig , input: QueryInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures QueryInputTransformEnsuresPublicly(input, output) - predicate QueryOutputTransformEnsuresPublicly(input: QueryOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate QueryOutputTransformEnsuresPublicly(input: QueryOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method QueryOutputTransform ( config: InternalConfig , input: QueryOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures QueryOutputTransformEnsuresPublicly(input, output) + method QueryOutputTransform ( config: InternalConfig , input: QueryOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures QueryOutputTransformEnsuresPublicly(input, output) - predicate TransactWriteItemsInputTransformEnsuresPublicly(input: TransactWriteItemsInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate TransactWriteItemsInputTransformEnsuresPublicly(input: TransactWriteItemsInputTransformInput , output: Result) + // The private method to be refined by the library developer - method TransactWriteItemsInputTransform ( config: InternalConfig , input: TransactWriteItemsInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures TransactWriteItemsInputTransformEnsuresPublicly(input, output) + method TransactWriteItemsInputTransform ( config: InternalConfig , input: TransactWriteItemsInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures TransactWriteItemsInputTransformEnsuresPublicly(input, output) - predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method TransactWriteItemsOutputTransform ( config: InternalConfig , input: TransactWriteItemsOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures TransactWriteItemsOutputTransformEnsuresPublicly(input, output) + method TransactWriteItemsOutputTransform ( config: InternalConfig , input: TransactWriteItemsOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures TransactWriteItemsOutputTransformEnsuresPublicly(input, output) - predicate UpdateItemInputTransformEnsuresPublicly(input: UpdateItemInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate UpdateItemInputTransformEnsuresPublicly(input: UpdateItemInputTransformInput , output: Result) + // The private method to be refined by the library developer - method UpdateItemInputTransform ( config: InternalConfig , input: UpdateItemInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures UpdateItemInputTransformEnsuresPublicly(input, output) + method UpdateItemInputTransform ( config: InternalConfig , input: UpdateItemInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures UpdateItemInputTransformEnsuresPublicly(input, output) - predicate UpdateItemOutputTransformEnsuresPublicly(input: UpdateItemOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate UpdateItemOutputTransformEnsuresPublicly(input: UpdateItemOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method UpdateItemOutputTransform ( config: InternalConfig , input: UpdateItemOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures UpdateItemOutputTransformEnsuresPublicly(input, output) + method UpdateItemOutputTransform ( config: InternalConfig , input: UpdateItemOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures UpdateItemOutputTransformEnsuresPublicly(input, output) - predicate DeleteItemInputTransformEnsuresPublicly(input: DeleteItemInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate DeleteItemInputTransformEnsuresPublicly(input: DeleteItemInputTransformInput , output: Result) + // The private method to be refined by the library developer - method DeleteItemInputTransform ( config: InternalConfig , input: DeleteItemInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures DeleteItemInputTransformEnsuresPublicly(input, output) + method DeleteItemInputTransform ( config: InternalConfig , input: DeleteItemInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures DeleteItemInputTransformEnsuresPublicly(input, output) - predicate DeleteItemOutputTransformEnsuresPublicly(input: DeleteItemOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate DeleteItemOutputTransformEnsuresPublicly(input: DeleteItemOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method DeleteItemOutputTransform ( config: InternalConfig , input: DeleteItemOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures DeleteItemOutputTransformEnsuresPublicly(input, output) + method DeleteItemOutputTransform ( config: InternalConfig , input: DeleteItemOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures DeleteItemOutputTransformEnsuresPublicly(input, output) - predicate TransactGetItemsInputTransformEnsuresPublicly(input: TransactGetItemsInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate TransactGetItemsInputTransformEnsuresPublicly(input: TransactGetItemsInputTransformInput , output: Result) + // The private method to be refined by the library developer - method TransactGetItemsInputTransform ( config: InternalConfig , input: TransactGetItemsInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures TransactGetItemsInputTransformEnsuresPublicly(input, output) + method TransactGetItemsInputTransform ( config: InternalConfig , input: TransactGetItemsInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures TransactGetItemsInputTransformEnsuresPublicly(input, output) - predicate TransactGetItemsOutputTransformEnsuresPublicly(input: TransactGetItemsOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate TransactGetItemsOutputTransformEnsuresPublicly(input: TransactGetItemsOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method TransactGetItemsOutputTransform ( config: InternalConfig , input: TransactGetItemsOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures TransactGetItemsOutputTransformEnsuresPublicly(input, output) + method TransactGetItemsOutputTransform ( config: InternalConfig , input: TransactGetItemsOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures TransactGetItemsOutputTransformEnsuresPublicly(input, output) - predicate ExecuteStatementInputTransformEnsuresPublicly(input: ExecuteStatementInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate ExecuteStatementInputTransformEnsuresPublicly(input: ExecuteStatementInputTransformInput , output: Result) + // The private method to be refined by the library developer - method ExecuteStatementInputTransform ( config: InternalConfig , input: ExecuteStatementInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ExecuteStatementInputTransformEnsuresPublicly(input, output) - + method ExecuteStatementInputTransform ( config: InternalConfig , input: ExecuteStatementInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ExecuteStatementInputTransformEnsuresPublicly(input, output) + - predicate ExecuteStatementOutputTransformEnsuresPublicly(input: ExecuteStatementOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate ExecuteStatementOutputTransformEnsuresPublicly(input: ExecuteStatementOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method ExecuteStatementOutputTransform ( config: InternalConfig , input: ExecuteStatementOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ExecuteStatementOutputTransformEnsuresPublicly(input, output) - + method ExecuteStatementOutputTransform ( config: InternalConfig , input: ExecuteStatementOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ExecuteStatementOutputTransformEnsuresPublicly(input, output) + - predicate BatchExecuteStatementInputTransformEnsuresPublicly(input: BatchExecuteStatementInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate BatchExecuteStatementInputTransformEnsuresPublicly(input: BatchExecuteStatementInputTransformInput , output: Result) + // The private method to be refined by the library developer - method BatchExecuteStatementInputTransform ( config: InternalConfig , input: BatchExecuteStatementInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures BatchExecuteStatementInputTransformEnsuresPublicly(input, output) - + method BatchExecuteStatementInputTransform ( config: InternalConfig , input: BatchExecuteStatementInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures BatchExecuteStatementInputTransformEnsuresPublicly(input, output) + - predicate BatchExecuteStatementOutputTransformEnsuresPublicly(input: BatchExecuteStatementOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate BatchExecuteStatementOutputTransformEnsuresPublicly(input: BatchExecuteStatementOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method BatchExecuteStatementOutputTransform ( config: InternalConfig , input: BatchExecuteStatementOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures BatchExecuteStatementOutputTransformEnsuresPublicly(input, output) - + method BatchExecuteStatementOutputTransform ( config: InternalConfig , input: BatchExecuteStatementOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures BatchExecuteStatementOutputTransformEnsuresPublicly(input, output) + - predicate ExecuteTransactionInputTransformEnsuresPublicly(input: ExecuteTransactionInputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate ExecuteTransactionInputTransformEnsuresPublicly(input: ExecuteTransactionInputTransformInput , output: Result) + // The private method to be refined by the library developer - method ExecuteTransactionInputTransform ( config: InternalConfig , input: ExecuteTransactionInputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ExecuteTransactionInputTransformEnsuresPublicly(input, output) - + method ExecuteTransactionInputTransform ( config: InternalConfig , input: ExecuteTransactionInputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ExecuteTransactionInputTransformEnsuresPublicly(input, output) + - predicate ExecuteTransactionOutputTransformEnsuresPublicly(input: ExecuteTransactionOutputTransformInput , output: Result) - // The private method to be refined by the library developer + predicate ExecuteTransactionOutputTransformEnsuresPublicly(input: ExecuteTransactionOutputTransformInput , output: Result) + // The private method to be refined by the library developer - method ExecuteTransactionOutputTransform ( config: InternalConfig , input: ExecuteTransactionOutputTransformInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ExecuteTransactionOutputTransformEnsuresPublicly(input, output) - + method ExecuteTransactionOutputTransform ( config: InternalConfig , input: ExecuteTransactionOutputTransformInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ExecuteTransactionOutputTransformEnsuresPublicly(input, output) + - predicate ResolveAttributesEnsuresPublicly(input: ResolveAttributesInput , output: Result) - // The private method to be refined by the library developer + predicate ResolveAttributesEnsuresPublicly(input: ResolveAttributesInput , output: Result) + // The private method to be refined by the library developer - method ResolveAttributes ( config: InternalConfig , input: ResolveAttributesInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures ResolveAttributesEnsuresPublicly(input, output) + method ResolveAttributes ( config: InternalConfig , input: ResolveAttributesInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures ResolveAttributesEnsuresPublicly(input, output) } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AttributeResolver.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AttributeResolver.dfy index 9a7a76ec8..2dbaed02b 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AttributeResolver.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AttributeResolver.dfy 
@@ -24,21 +24,21 @@ module AttributeResolver { || config.tableEncryptionConfigs[input.TableName].search.None? { return Success( - ResolveAttributesOutput( + ResolveAttributesOutput( VirtualFields := map[], CompoundBeacons := map[] - ) - ); + ) + ); } else { var tableConfig := config.tableEncryptionConfigs[input.TableName]; var vf :- GetVirtualFields(tableConfig.search.value, input.Item, input.Version); var cb :- GetCompoundBeacons(tableConfig.search.value, input.Item, input.Version); return Success( - ResolveAttributesOutput( + ResolveAttributesOutput( VirtualFields := vf, CompoundBeacons := cb - ) - ); + ) + ); } } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations.dfy index 4a1387911..806faac6b 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/AwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations.dfy @@ -134,7 +134,7 @@ module AwsCryptographyDbEncryptionSdkDynamoDbTransformsOperations refines Abstra method TransactWriteItemsInputTransform(config: InternalConfig, input: TransactWriteItemsInputTransformInput) returns (output: Result) { - output := TransactWriteItemsTransform.Input(config, input); + output := TransactWriteItemsTransform.Input(config, input); } predicate TransactWriteItemsOutputTransformEnsuresPublicly(input: TransactWriteItemsOutputTransformInput, output: Result) diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchExecuteStatementTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchExecuteStatementTransform.dfy index 908507a2c..fbb72444f 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchExecuteStatementTransform.dfy 
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchExecuteStatementTransform.dfy @@ -42,13 +42,13 @@ module BatchExecuteStatementTransform { ensures output.Success? ==> output.value.transformedInput == input.sdkInput { for i := 0 to |input.sdkInput.Statements| - /* - invariant forall x : nat | 0 <= x < i :: - var statement := DdbStatement.TableFromStatement(input.sdkInput.Statements[x].Statement); - && statement.Success? - && statement.value - !in config.tableEncryptionConfigs; - */ + /* + invariant forall x : nat | 0 <= x < i :: + var statement := DdbStatement.TableFromStatement(input.sdkInput.Statements[x].Statement); + && statement.Success? + && statement.value + !in config.tableEncryptionConfigs; + */ { var statement := input.sdkInput.Statements[i].Statement; var tableName :- MapString(DdbStatement.TableFromStatement(statement)); diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchGetItemTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchGetItemTransform.dfy index aaf52f89b..26c0172ba 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchGetItemTransform.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/BatchGetItemTransform.dfy @@ -27,8 +27,8 @@ module BatchGetItemTransform { ensures output.Success? ==> SameOption(input.sdkOutput.Responses, output.value.transformedOutput.Responses) ensures output.Success? && input.sdkOutput.Responses.Some? ==> - && output.value.transformedOutput.Responses.Some? - // true but expensive -- input.sdkOutput.Responses.value.Keys == output.value.transformedOutput.Responses.value.Keys + && output.value.transformedOutput.Responses.Some? + // true but expensive -- input.sdkOutput.Responses.value.Keys == output.value.transformedOutput.Responses.value.Keys { if NoMap(input.sdkOutput.Responses) { return Success(BatchGetItemOutputTransformOutput(transformedOutput := input.sdkOutput)); 
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbMiddlewareConfig.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbMiddlewareConfig.dfy index 4e116edb4..f74e9f29b 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbMiddlewareConfig.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbMiddlewareConfig.dfy @@ -9,7 +9,7 @@ module DdbMiddlewareConfig { import EncTypes = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes import DDBE = AwsCryptographyDbEncryptionSdkDynamoDbTypes import SearchableEncryptionInfo - + datatype TableConfig = TableConfig( physicalTableName: ComAmazonawsDynamodbTypes.TableName, logicalTableName: string, @@ -38,8 +38,8 @@ module DdbMiddlewareConfig { { //set x, y | y in config.tableEncryptionConfigs && x in OneSearchModifies(config.tableEncryptionConfigs[y]) :: x set versions <- set configValue <- config.tableEncryptionConfigs.Values | configValue.search.Some? :: configValue.search.value.versions, - keyStore <- set version <- versions :: version.keySource.store, - obj <- keyStore.Modifies | obj in keyStore.Modifies :: obj + keyStore <- set version <- versions :: version.keySource.store, + obj <- keyStore.Modifies | obj in keyStore.Modifies :: obj } 
@@ -61,16 +61,16 @@ module DdbMiddlewareConfig { predicate ValidConfig?(config: Config) { && (forall tableName <- config.tableEncryptionConfigs :: - config.tableEncryptionConfigs[tableName].physicalTableName == tableName) - //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#logical-table-name - //# When mapping [DynamoDB Table Names](#dynamodb-table-name) to [logical table name](#logical-table-name) - //# there MUST a one to one mapping between the two. + config.tableEncryptionConfigs[tableName].physicalTableName == tableName) + //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#logical-table-name + //# When mapping [DynamoDB Table Names](#dynamodb-table-name) to [logical table name](#logical-table-name) + //# there MUST a one to one mapping between the two. && (forall - c1 <- config.tableEncryptionConfigs.Values, - c2 <- config.tableEncryptionConfigs.Values - | c1 != c2 - :: c1.logicalTableName != c2.logicalTableName - ) + c1 <- config.tableEncryptionConfigs.Values, + c2 <- config.tableEncryptionConfigs.Values + | c1 != c2 + :: c1.logicalTableName != c2.logicalTableName + ) } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbStatement.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbStatement.dfy index 1cf0a613f..dd8287cf6 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbStatement.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DdbStatement.dfy @@ -103,7 +103,7 @@ module DdbStatement { // states that the target of the select is either "Table" or "Table.Index" // In either case, we want just the Table function method {:opaque} TableFromSelectStatement(s : string) - : Option + : Option { var name :- TableFromSelectStatementInner(s); if '.' in name then 
@@ -115,7 +115,7 @@ module DdbStatement { // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-reference.update.html function method {:opaque} TableFromUpdateStatement(s : string) - : Option + : Option { var s := StripLeadingWhitespace(s); var len := FindTokenLen(s); @@ -127,7 +127,7 @@ module DdbStatement { // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-reference.delete.html function method {:opaque} TableFromDeleteStatement(s : string) - : Option + : Option { var s := StripLeadingWhitespace(s); var len := FindTokenLen(s); @@ -144,7 +144,7 @@ module DdbStatement { // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-reference.insert.html function method {:opaque} TableFromInsertStatement(s : string) - : Option + : Option { var s := StripLeadingWhitespace(s); var len := FindTokenLen(s); diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DeleteItemTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DeleteItemTransform.dfy index 663907c36..a51074df4 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DeleteItemTransform.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/DeleteItemTransform.dfy 
@@ -21,34 +21,34 @@ module DeleteItemTransform { ensures output.Success? && input.sdkInput.TableName in config.tableEncryptionConfigs ==> - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem - //= type=implication - //# The DeleteItem request MUST NOT refer to any legacy parameters, - //# specifically Expected and ConditionalOperator MUST NOT be set. - && NoMap(input.sdkInput.Expected) - && input.sdkInput.ConditionalOperator.None? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem - //= type=implication - //# The ConditionExpression MUST be [valid](ddb-support.md#testconditionexpression). - && var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; - && TestConditionExpression(tableConfig, - input.sdkInput.ConditionExpression, - input.sdkInput.ExpressionAttributeNames, - input.sdkInput.ExpressionAttributeValues).Success? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem - //= type=implication - //# If all of the above validation succeeds, the DeleteItem request MUST be unchanged. - && output.value.transformedInput == input.sdkInput + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem + //= type=implication + //# The DeleteItem request MUST NOT refer to any legacy parameters, + //# specifically Expected and ConditionalOperator MUST NOT be set. + && NoMap(input.sdkInput.Expected) + && input.sdkInput.ConditionalOperator.None? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem + //= type=implication + //# The ConditionExpression MUST be [valid](ddb-support.md#testconditionexpression). 
+ && var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; + && TestConditionExpression(tableConfig, + input.sdkInput.ConditionExpression, + input.sdkInput.ExpressionAttributeNames, + input.sdkInput.ExpressionAttributeValues).Success? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem + //= type=implication + //# If all of the above validation succeeds, the DeleteItem request MUST be unchanged. + && output.value.transformedInput == input.sdkInput //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-deleteitem //= type=implication //# If the `TableName` in the request does not refer to an [encrypted-table](#encrypted-table), //# the DeleteItem request MUST be unchanged. ensures input.sdkInput.TableName !in config.tableEncryptionConfigs ==> - && output.Success? - && output.value.transformedInput == input.sdkInput + && output.Success? + && output.value.transformedInput == input.sdkInput { if input.sdkInput.TableName in config.tableEncryptionConfigs { @@ -57,9 +57,9 @@ module DeleteItemTransform { var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; var _ :- TestConditionExpression(tableConfig, - input.sdkInput.ConditionExpression, - input.sdkInput.ExpressionAttributeNames, - input.sdkInput.ExpressionAttributeValues); + input.sdkInput.ConditionExpression, + input.sdkInput.ExpressionAttributeNames, + input.sdkInput.ExpressionAttributeValues); } return Success(DeleteItemInputTransformOutput(transformedInput := input.sdkInput)); } 
@@ -82,55 +82,55 @@ module DeleteItemTransform { // [ReturnValues](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DeleteItem.html#DDB-DeleteItem-request-ReturnValues) // had a value of `ALL_OLD` and an item was deleted. ensures ( - && output.Success? - && input.originalInput.TableName in config.tableEncryptionConfigs - && !NoMap(input.sdkOutput.Attributes) - ) ==> - && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; - && var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); - && var newHistory := tableConfig.itemEncryptor.History.DecryptItem; - - && |newHistory| == |oldHistory|+1 - && Seq.Last(newHistory).output.Success? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-deleteitem - //= type=implication - //# In this case, the [Item Encryptor](./ddb-item-encryptor.md) MUST perform - //# [Decrypt Item](./decrypt-item.md) where the input - //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) - //# is the `Attributes` field in the original response - && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Attributes.value - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-deleteitem - //= type=implication - //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. - && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? - && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-deleteitem - //= type=implication - //# The DeleteItem response's `Attributes` field MUST be - //# replaced by the encrypted DynamoDb Item outputted above. - && output.value.transformedOutput.Attributes.Some? - && (item == output.value.transformedOutput.Attributes.value) + && output.Success? 
+ && input.originalInput.TableName in config.tableEncryptionConfigs + && !NoMap(input.sdkOutput.Attributes) + ) ==> + && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; + && var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); + && var newHistory := tableConfig.itemEncryptor.History.DecryptItem; + + && |newHistory| == |oldHistory|+1 + && Seq.Last(newHistory).output.Success? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-deleteitem + //= type=implication + //# In this case, the [Item Encryptor](./ddb-item-encryptor.md) MUST perform + //# [Decrypt Item](./decrypt-item.md) where the input + //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) + //# is the `Attributes` field in the original response + && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Attributes.value + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-deleteitem + //= type=implication + //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. + && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? + && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-deleteitem + //= type=implication + //# The DeleteItem response's `Attributes` field MUST be + //# replaced by the encrypted DynamoDb Item outputted above. + && output.value.transformedOutput.Attributes.Some? + && (item == output.value.transformedOutput.Attributes.value) // Passthrough the response if the above specification is not met ensures ( - && output.Success? - && ( - || input.originalInput.TableName !in config.tableEncryptionConfigs - || input.sdkOutput.Attributes.None? - ) - ) ==> - output.value.transformedOutput == input.sdkOutput - + && output.Success? 
+ && ( + || input.originalInput.TableName !in config.tableEncryptionConfigs + || input.sdkOutput.Attributes.None? + ) + ) ==> + output.value.transformedOutput == input.sdkOutput + requires ValidConfig?(config) ensures ValidConfig?(config) modifies ModifiesConfig(config) { var tableName := input.originalInput.TableName; if tableName !in config.tableEncryptionConfigs || NoMap(input.sdkOutput.Attributes) - { + { return Success(DeleteItemOutputTransformOutput(transformedOutput := input.sdkOutput)); } var tableConfig := config.tableEncryptionConfigs[tableName]; diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteStatementTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteStatementTransform.dfy index 46fb9ba31..a9cd4347d 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteStatementTransform.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteStatementTransform.dfy @@ -4,7 +4,7 @@ include "DynamoDbMiddlewareSupport.dfy" include "DdbStatement.dfy" -module ExecuteStatementTransform { +module ExecuteStatementTransform { import opened DdbMiddlewareConfig import opened DynamoDbMiddlewareSupport import opened Wrappers @@ -28,7 +28,7 @@ module ExecuteStatementTransform { //# with a [DynamoDB Table Name](./ddb-item-encryptor.md#dynamodb-table-name) //# equal to table named in the request. ensures var statement := DdbStatement.TableFromStatement(input.sdkInput.Statement); - statement.Failure? || statement.value in config.tableEncryptionConfigs ==> output.Failure? + statement.Failure? || statement.value in config.tableEncryptionConfigs ==> output.Failure? //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-executestatement //= type=implication 
@@ -36,8 +36,8 @@ module ExecuteStatementTransform { //# there MUST NOT be any modification //# to the ExecuteStatement request. ensures var statement := DdbStatement.TableFromStatement(input.sdkInput.Statement); - (statement.Success? && statement.value !in config.tableEncryptionConfigs) - ==> (output.Success? && output.value.transformedInput == input.sdkInput) + (statement.Success? && statement.value !in config.tableEncryptionConfigs) + ==> (output.Success? && output.value.transformedInput == input.sdkInput) { var tableName :- MapString(DdbStatement.TableFromStatement(input.sdkInput.Statement)); if tableName in config.tableEncryptionConfigs { diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteTransactionTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteTransactionTransform.dfy index 2c85c6b8e..5f9366a62 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteTransactionTransform.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/ExecuteTransactionTransform.dfy @@ -28,9 +28,9 @@ module ExecuteTransactionTransform { //# with a [DynamoDB Table Name](./ddb-item-encryptor.md#dynamodb-table-name) //# equal to table named in any of the `TransactStatements` of the request. ensures output.Success? ==> - forall i : nat | 0 <= i < |input.sdkInput.TransactStatements| :: - var statement := DdbStatement.TableFromStatement(input.sdkInput.TransactStatements[i].Statement); - statement.Success? && statement.value !in config.tableEncryptionConfigs + forall i : nat | 0 <= i < |input.sdkInput.TransactStatements| :: + var statement := DdbStatement.TableFromStatement(input.sdkInput.TransactStatements[i].Statement); + statement.Success? && statement.value !in config.tableEncryptionConfigs //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-executetransaction //= type=implication 
@@ -41,8 +41,8 @@ module ExecuteTransactionTransform {
 {
 for i := 0 to |input.sdkInput.TransactStatements|
 invariant forall x : nat | 0 <= x < i ::
- var tableName := DdbStatement.TableFromStatement(input.sdkInput.TransactStatements[x].Statement);
- tableName.Success? && tableName.value !in config.tableEncryptionConfigs
+ var tableName := DdbStatement.TableFromStatement(input.sdkInput.TransactStatements[x].Statement);
+ tableName.Success? && tableName.value !in config.tableEncryptionConfigs
 {
 var statement := input.sdkInput.TransactStatements[i].Statement;
 var tableName := DdbStatement.TableFromStatement(statement);
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/GetItemTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/GetItemTransform.dfy
index 5200eabcf..c7069652b 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/GetItemTransform.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/GetItemTransform.dfy
@@ -34,33 +34,33 @@ module GetItemTransform { ensures output.Success? && input.originalInput.TableName !in config.tableEncryptionConfigs ==> output.value.transformedOutput == input.sdkOutput ensures output.Success? && NoMap(input.sdkOutput.Item) ==> NoMap(output.value.transformedOutput.Item) ensures output.Success? && input.originalInput.TableName in config.tableEncryptionConfigs && !NoMap(input.sdkOutput.Item) ==> - var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; - var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); - var newHistory := tableConfig.itemEncryptor.History.DecryptItem; + var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; + var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); + var newHistory := tableConfig.itemEncryptor.History.DecryptItem; - && |newHistory| == |oldHistory|+1 - && Seq.Last(newHistory).output.Success? + && |newHistory| == |oldHistory|+1 + && Seq.Last(newHistory).output.Success? 
- //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-getitem - //= type=implication - //# The [Item Encryptor](./ddb-item-encryptor.md) MUST perform - //# [Decrypt Item](./decrypt-item.md) where the input - //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) - //# is the `Item` field in the original response - && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Item.value + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-getitem + //= type=implication + //# The [Item Encryptor](./ddb-item-encryptor.md) MUST perform + //# [Decrypt Item](./decrypt-item.md) where the input + //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) + //# is the `Item` field in the original response + && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Item.value - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-getitem - //= type=implication - //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. - && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? - && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-getitem + //= type=implication + //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. + && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? + && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-getitem - //= type=implication - //# The GetItem response's `Item` field MUST be - //# replaced by the encrypted DynamoDb Item outputted above. - && output.value.transformedOutput.Item.Some? 
- && (item == output.value.transformedOutput.Item.value) + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-getitem + //= type=implication + //# The GetItem response's `Item` field MUST be + //# replaced by the encrypted DynamoDb Item outputted above. + && output.value.transformedOutput.Item.Some? + && (item == output.value.transformedOutput.Item.value) requires ValidConfig?(config) ensures ValidConfig?(config) diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/Index.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/Index.dfy index 8684982c0..75aba7222 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/Index.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/Index.dfy @@ -35,15 +35,15 @@ module function TheModifies(config: AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig) : set { - var tmps11 := set t11 | t11 in config.tableEncryptionConfigs.Values - && t11.search.Some? - :: set t12 | t12 in t11.search.value.versions :: t12.keyStore; - var tmps11FlattenedModifiesSet: set> := set t0 - , t1 | t0 in tmps11 && t1 in t0 :: t1.Modifies; - (set tmp13ModifyEntry, tmp13Modifies | - tmp13Modifies in tmps11FlattenedModifiesSet - && tmp13ModifyEntry in tmp13Modifies - :: tmp13ModifyEntry) + var tmps11 := set t11 | t11 in config.tableEncryptionConfigs.Values + && t11.search.Some? + :: set t12 | t12 in t11.search.value.versions :: t12.keyStore; + var tmps11FlattenedModifiesSet: set> := set t0 + , t1 | t0 in tmps11 && t1 in t0 :: t1.Modifies; + (set tmp13ModifyEntry, tmp13Modifies | + tmp13Modifies in tmps11FlattenedModifiesSet + && tmp13ModifyEntry in tmp13Modifies + :: tmp13ModifyEntry) } function SearchModifies(config: AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig, tableName : string) 
@@ -85,9 +85,9 @@ module ensures 0 == |internalConfigs| ==> CorrectlyTransferedStructure?(internalConfigs, config) { forall tableName <- internalConfigs - :: - && tableName in config.tableEncryptionConfigs - && ConfigsMatch(tableName, internalConfigs[tableName], config.tableEncryptionConfigs[tableName]) + :: + && tableName in config.tableEncryptionConfigs + && ConfigsMatch(tableName, internalConfigs[tableName], config.tableEncryptionConfigs[tableName]) } predicate {:opaque} ConfigsMatch( tableName: string, @@ -103,14 +103,14 @@ module method {:vcs_split_on_every_assert} DynamoDbEncryptionTransforms(config: AwsCryptographyDbEncryptionSdkDynamoDbTypes.DynamoDbTablesEncryptionConfig) returns (res: Result) - //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#logical-table-name - //= type=implication - //# When mapping [DynamoDB Table Names](#dynamodb-table-name) to [logical table name](#logical-table-name) - //# there MUST a one to one mapping between the two. - ensures res.Success? ==> - && res.value is DynamoDbEncryptionTransformsClient - && var config := (res.value as DynamoDbEncryptionTransformsClient).config; - && DdbMiddlewareConfig.ValidConfig?(config) + //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#logical-table-name + //= type=implication + //# When mapping [DynamoDB Table Names](#dynamodb-table-name) to [logical table name](#logical-table-name) + //# there MUST a one to one mapping between the two. + ensures res.Success? ==> + && res.value is DynamoDbEncryptionTransformsClient + && var config := (res.value as DynamoDbEncryptionTransformsClient).config; + && DdbMiddlewareConfig.ValidConfig?(config) { var internalConfigs: map := map[]; assert ValidWholeSearchConfig(config); 
@@ -123,107 +123,107 @@ module ghost var inputConfigsModifies: set := set tableConfig <- config.tableEncryptionConfigs.Values, o <- ( - (if tableConfig.keyring.Some? then tableConfig.keyring.value.Modifies else {}) - + (if tableConfig.cmm.Some? then tableConfig.cmm.value.Modifies else {}) - + (if tableConfig.legacyOverride.Some? then tableConfig.legacyOverride.value.encryptor.Modifies else {}) - ) + (if tableConfig.keyring.Some? then tableConfig.keyring.value.Modifies else {}) + + (if tableConfig.cmm.Some? then tableConfig.cmm.value.Modifies else {}) + + (if tableConfig.legacyOverride.Some? then tableConfig.legacyOverride.value.encryptor.Modifies else {}) + ) :: o; var allLogicalTableNames := {}; while m'.Keys != {} - invariant m'.Keys <= config.tableEncryptionConfigs.Keys - invariant forall k <- m' :: m'[k] == config.tableEncryptionConfigs[k] - invariant forall internalConfig <- internalConfigs.Values :: internalConfig.logicalTableName in allLogicalTableNames + invariant m'.Keys <= config.tableEncryptionConfigs.Keys + invariant forall k <- m' :: m'[k] == config.tableEncryptionConfigs[k] + invariant forall internalConfig <- internalConfigs.Values :: internalConfig.logicalTableName in allLogicalTableNames - invariant CorrectlyTransferedStructure?(internalConfigs, config) - invariant AllTableConfigsValid?(internalConfigs) - invariant ValidConfig?(Config(internalConfigs)) + invariant CorrectlyTransferedStructure?(internalConfigs, config) + invariant AllTableConfigsValid?(internalConfigs) + invariant ValidConfig?(Config(internalConfigs)) - decreases m'.Keys - modifies inputConfigsModifies + decreases m'.Keys + modifies inputConfigsModifies { - var tableName: string :| tableName in m'; - var inputConfig := config.tableEncryptionConfigs[tableName]; - :- Need(inputConfig.logicalTableName !in allLogicalTableNames, E("Duplicate logical table maped to multipule physical tables: " + inputConfig.logicalTableName)); + var tableName: string :| tableName in m'; + var inputConfig 
:= config.tableEncryptionConfigs[tableName]; + :- Need(inputConfig.logicalTableName !in allLogicalTableNames, E("Duplicate logical table maped to multipule physical tables: " + inputConfig.logicalTableName)); - assert SearchConfigToInfo.ValidSearchConfig(inputConfig.search); - SearchInModifies(config, tableName); - var searchR := SearchConfigToInfo.Convert(inputConfig); - var search :- searchR.MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDb(e)); - assert search.None? || search.value.ValidState(); + assert SearchConfigToInfo.ValidSearchConfig(inputConfig.search); + SearchInModifies(config, tableName); + var searchR := SearchConfigToInfo.Convert(inputConfig); + var search :- searchR.MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDb(e)); + assert search.None? || search.value.ValidState(); - // Add Signed Beacons to attributeActionsOnEncrypt - var signedBeacons := if search.None? then [] else search.value.curr().ListSignedBeacons(); - //= specification/searchable-encryption/beacons.md#signed-beacons - //# Initialization MUST fail if `NAME` is explicitly configured with an - //# [attribute actions](../dynamodb-encryption-client/ddb-item-encryptor.md#attribute-actions) or - //# [unauthenticated attributes](../dynamodb-encryption-client/ddb-item-encryptor.md#unauthenticated-attributes), - //# or begins with the [unauthenticated attribute prefix](../dynamodb-encryption-client/ddb-item-encryptor.md#unauthenticated-attribute-prefix). - var badBeacons := Seq.Filter(s => IsConfigured(inputConfig, s), signedBeacons); - if 0 < |badBeacons| { - return Failure(E("Signed beacons cannot be configured with CryptoActions or as unauthenticated : " + Join(badBeacons, ", "))); - } - :- Need(forall k <- signedBeacons :: DDB.IsValid_AttributeName(k), E("Beacon configured with bad name")); - //= specification/searchable-encryption/beacons.md#signed-beacons - //# `NAME` MUST be automatically configured with an attribute action of SIGN_ONLY. 
- var newActions := AddSignedBeaconActions(signedBeacons, inputConfig.attributeActionsOnEncrypt); + // Add Signed Beacons to attributeActionsOnEncrypt + var signedBeacons := if search.None? then [] else search.value.curr().ListSignedBeacons(); + //= specification/searchable-encryption/beacons.md#signed-beacons + //# Initialization MUST fail if `NAME` is explicitly configured with an + //# [attribute actions](../dynamodb-encryption-client/ddb-item-encryptor.md#attribute-actions) or + //# [unauthenticated attributes](../dynamodb-encryption-client/ddb-item-encryptor.md#unauthenticated-attributes), + //# or begins with the [unauthenticated attribute prefix](../dynamodb-encryption-client/ddb-item-encryptor.md#unauthenticated-attribute-prefix). + var badBeacons := Seq.Filter(s => IsConfigured(inputConfig, s), signedBeacons); + if 0 < |badBeacons| { + return Failure(E("Signed beacons cannot be configured with CryptoActions or as unauthenticated : " + Join(badBeacons, ", "))); + } + :- Need(forall k <- signedBeacons :: DDB.IsValid_AttributeName(k), E("Beacon configured with bad name")); + //= specification/searchable-encryption/beacons.md#signed-beacons + //# `NAME` MUST be automatically configured with an attribute action of SIGN_ONLY. 
+ var newActions := AddSignedBeaconActions(signedBeacons, inputConfig.attributeActionsOnEncrypt); - var encryptorConfig := IE_Types.DynamoDbItemEncryptorConfig( - logicalTableName := inputConfig.logicalTableName, - partitionKeyName := inputConfig.partitionKeyName, - sortKeyName := inputConfig.sortKeyName, - attributeActionsOnEncrypt := newActions, - allowedUnsignedAttributes := inputConfig.allowedUnsignedAttributes, - allowedUnsignedAttributePrefix := inputConfig.allowedUnsignedAttributePrefix, - algorithmSuiteId := inputConfig.algorithmSuiteId, - keyring := inputConfig.keyring, - cmm := inputConfig.cmm, - legacyOverride := inputConfig.legacyOverride, - plaintextOverride := inputConfig.plaintextOverride - ); - var itemEncryptorRes := DynamoDbItemEncryptor.DynamoDbItemEncryptor(encryptorConfig); - var itemEncryptorX : IE_Types.IDynamoDbItemEncryptorClient :- itemEncryptorRes - .MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptor(e)); - assert itemEncryptorX is DynamoDbItemEncryptor.DynamoDbItemEncryptorClient; - var itemEncryptor := itemEncryptorX as DynamoDbItemEncryptor.DynamoDbItemEncryptorClient; - assert itemEncryptor.ValidState(); - var encConfig := itemEncryptor.config; - assert inputConfig.logicalTableName == encConfig.logicalTableName; - assert inputConfig.partitionKeyName == encConfig.partitionKeyName; - assert inputConfig.sortKeyName == encConfig.sortKeyName; + var encryptorConfig := IE_Types.DynamoDbItemEncryptorConfig( + logicalTableName := inputConfig.logicalTableName, + partitionKeyName := inputConfig.partitionKeyName, + sortKeyName := inputConfig.sortKeyName, + attributeActionsOnEncrypt := newActions, + allowedUnsignedAttributes := inputConfig.allowedUnsignedAttributes, + allowedUnsignedAttributePrefix := inputConfig.allowedUnsignedAttributePrefix, + algorithmSuiteId := inputConfig.algorithmSuiteId, + keyring := inputConfig.keyring, + cmm := inputConfig.cmm, + legacyOverride := inputConfig.legacyOverride, + plaintextOverride := 
inputConfig.plaintextOverride + ); + var itemEncryptorRes := DynamoDbItemEncryptor.DynamoDbItemEncryptor(encryptorConfig); + var itemEncryptorX : IE_Types.IDynamoDbItemEncryptorClient :- itemEncryptorRes + .MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptor(e)); + assert itemEncryptorX is DynamoDbItemEncryptor.DynamoDbItemEncryptorClient; + var itemEncryptor := itemEncryptorX as DynamoDbItemEncryptor.DynamoDbItemEncryptorClient; + assert itemEncryptor.ValidState(); + var encConfig := itemEncryptor.config; + assert inputConfig.logicalTableName == encConfig.logicalTableName; + assert inputConfig.partitionKeyName == encConfig.partitionKeyName; + assert inputConfig.sortKeyName == encConfig.sortKeyName; - var internalConfig: DdbMiddlewareConfig.ValidTableConfig := DdbMiddlewareConfig.TableConfig( - physicalTableName := tableName, - logicalTableName := inputConfig.logicalTableName, - partitionKeyName := inputConfig.partitionKeyName, - sortKeyName := inputConfig.sortKeyName, - itemEncryptor := itemEncryptor, - search := search - ); + var internalConfig: DdbMiddlewareConfig.ValidTableConfig := DdbMiddlewareConfig.TableConfig( + physicalTableName := tableName, + logicalTableName := inputConfig.logicalTableName, + partitionKeyName := inputConfig.partitionKeyName, + sortKeyName := inputConfig.sortKeyName, + itemEncryptor := itemEncryptor, + search := search + ); - internalConfigs := internalConfigs[tableName := internalConfig]; - allLogicalTableNames := allLogicalTableNames + {internalConfig.logicalTableName}; + internalConfigs := internalConfigs[tableName := internalConfig]; + allLogicalTableNames := allLogicalTableNames + {internalConfig.logicalTableName}; - assert AllTableConfigsValid?(internalConfigs) by { - reveal AllTableConfigsValid?(); - assert AllTableConfigsValid?(internalConfigs - {tableName}); - assert ValidTableConfig?(internalConfig); - } - assert ValidConfig?(Config(internalConfigs)) by { - assert ValidConfig?(Config(internalConfigs - 
{tableName})); - assert internalConfig.physicalTableName == tableName; - } + assert AllTableConfigsValid?(internalConfigs) by { + reveal AllTableConfigsValid?(); + assert AllTableConfigsValid?(internalConfigs - {tableName}); + assert ValidTableConfig?(internalConfig); + } + assert ValidConfig?(Config(internalConfigs)) by { + assert ValidConfig?(Config(internalConfigs - {tableName})); + assert internalConfig.physicalTableName == tableName; + } - assert CorrectlyTransferedStructure?(internalConfigs, config) by { - reveal CorrectlyTransferedStructure?(); - reveal ConfigsMatch(); - assert CorrectlyTransferedStructure?(internalConfigs - {tableName}, config); - assert ConfigsMatch(tableName, internalConfig, inputConfig); - } + assert CorrectlyTransferedStructure?(internalConfigs, config) by { + reveal CorrectlyTransferedStructure?(); + reveal ConfigsMatch(); + assert CorrectlyTransferedStructure?(internalConfigs - {tableName}, config); + assert ConfigsMatch(tableName, internalConfig, inputConfig); + } - // Pop 'tableName' off the map, so that we may continue iterating - m' := map k' | k' in m' && k' != tableName :: m'[k']; + // Pop 'tableName' off the map, so that we may continue iterating + m' := map k' | k' in m' && k' != tableName :: m'[k']; } assert SearchValidState(DdbMiddlewareConfig.Config(tableEncryptionConfigs := internalConfigs)); 
@@ -234,43 +234,43 @@ module // I'm really sorry, but I can't get the freshness to verify // and my time box has run out of time. assume {:axiom} fresh( - client.Modifies + client.Modifies - ( var tmps14 := set t14 | t14 in config.tableEncryptionConfigs.Values - && t14.keyring.Some? - :: t14.keyring.value; - var tmps14FlattenedModifiesSet: set> := set t0 - | t0 in tmps14 :: t0.Modifies; - (set tmp15ModifyEntry, tmp15Modifies | - tmp15Modifies in tmps14FlattenedModifiesSet - && tmp15ModifyEntry in tmp15Modifies - :: tmp15ModifyEntry) + && t14.keyring.Some? + :: t14.keyring.value; + var tmps14FlattenedModifiesSet: set> := set t0 + | t0 in tmps14 :: t0.Modifies; + (set tmp15ModifyEntry, tmp15Modifies | + tmp15Modifies in tmps14FlattenedModifiesSet + && tmp15ModifyEntry in tmp15Modifies + :: tmp15ModifyEntry) ) - ( var tmps16 := set t16 | t16 in config.tableEncryptionConfigs.Values - && t16.cmm.Some? - :: t16.cmm.value; - var tmps16FlattenedModifiesSet: set> := set t0 - | t0 in tmps16 :: t0.Modifies; - (set tmp17ModifyEntry, tmp17Modifies | - tmp17Modifies in tmps16FlattenedModifiesSet - && tmp17ModifyEntry in tmp17Modifies - :: tmp17ModifyEntry) + && t16.cmm.Some? + :: t16.cmm.value; + var tmps16FlattenedModifiesSet: set> := set t0 + | t0 in tmps16 :: t0.Modifies; + (set tmp17ModifyEntry, tmp17Modifies | + tmp17Modifies in tmps16FlattenedModifiesSet + && tmp17ModifyEntry in tmp17Modifies + :: tmp17ModifyEntry) ) - ( var tmps18 := set t18 | t18 in config.tableEncryptionConfigs.Values - && t18.legacyOverride.Some? - :: t18.legacyOverride.value.encryptor; - var tmps18FlattenedModifiesSet: set> := set t0 - | t0 in tmps18 :: t0.Modifies; - (set tmp19ModifyEntry, tmp19Modifies | - tmp19Modifies in tmps18FlattenedModifiesSet - && tmp19ModifyEntry in tmp19Modifies - :: tmp19ModifyEntry) + && t18.legacyOverride.Some? 
+ :: t18.legacyOverride.value.encryptor; + var tmps18FlattenedModifiesSet: set> := set t0 + | t0 in tmps18 :: t0.Modifies; + (set tmp19ModifyEntry, tmp19Modifies | + tmp19Modifies in tmps18FlattenedModifiesSet + && tmp19ModifyEntry in tmp19Modifies + :: tmp19ModifyEntry) ) - ( var tmps20 := set t20 | t20 in config.tableEncryptionConfigs.Values - && t20.search.Some? - :: set t21 | t21 in t20.search.value.versions :: t21.keyStore; - var tmps20FlattenedModifiesSet: set> := set t0 - , t1 | t0 in tmps20 && t1 in t0 :: t1.Modifies; - (set tmp22ModifyEntry, tmp22Modifies | - tmp22Modifies in tmps20FlattenedModifiesSet - && tmp22ModifyEntry in tmp22Modifies - :: tmp22ModifyEntry) + && t20.search.Some? + :: set t21 | t21 in t20.search.value.versions :: t21.keyStore; + var tmps20FlattenedModifiesSet: set> := set t0 + , t1 | t0 in tmps20 && t1 in t0 :: t1.Modifies; + (set tmp22ModifyEntry, tmp22Modifies | + tmp22Modifies in tmps20FlattenedModifiesSet + && tmp22ModifyEntry in tmp22Modifies + :: tmp22ModifyEntry) ) ); return Success(client); diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/PutItemTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/PutItemTransform.dfy index ded8880ed..9a1086170 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/PutItemTransform.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/PutItemTransform.dfy 
@@ -24,35 +24,35 @@ module PutItemTransform { //# If the `TableName` in the request does not refer to an [encrypted-table](#encrypted-table), //# the PutItem request MUST be unchanged. ensures output.Success? && input.sdkInput.TableName !in config.tableEncryptionConfigs ==> - output.value.transformedInput == input.sdkInput + output.value.transformedInput == input.sdkInput ensures output.Success? && input.sdkInput.TableName in config.tableEncryptionConfigs ==> - && var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-putitem - //= type=implication - //# The PutItem request MUST NOT refer to any legacy parameters, - //# specifically Expected and ConditionalOperator MUST NOT be set. - && NoMap(input.sdkInput.Expected) && input.sdkInput.ConditionalOperator.None? - - // && var oldHistory := old(tableConfig.itemEncryptor.History.EncryptItem); - // && var newHistory := tableConfig.itemEncryptor.History.EncryptItem; - // && |newHistory| == |oldHistory|+1 - // && Seq.Last(newHistory).output.Success? - // && var encryptInput := Seq.Last(newHistory).input; - // && var encryptOutput := Seq.Last(newHistory).output.value; - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-putitem - //= type=implication - //# The Item MUST be [writable](ddb-support.md#writable). - && IsWriteable(tableConfig, input.sdkInput.Item).Success? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-putitem - //= type=implication - //# The ConditionExpression MUST be [valid](ddb-support.md#testconditionexpression). - && TestConditionExpression(tableConfig, - input.sdkInput.ConditionExpression, - input.sdkInput.ExpressionAttributeNames, - input.sdkInput.ExpressionAttributeValues).Success? 
+ && var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-putitem + //= type=implication + //# The PutItem request MUST NOT refer to any legacy parameters, + //# specifically Expected and ConditionalOperator MUST NOT be set. + && NoMap(input.sdkInput.Expected) && input.sdkInput.ConditionalOperator.None? + + // && var oldHistory := old(tableConfig.itemEncryptor.History.EncryptItem); + // && var newHistory := tableConfig.itemEncryptor.History.EncryptItem; + // && |newHistory| == |oldHistory|+1 + // && Seq.Last(newHistory).output.Success? + // && var encryptInput := Seq.Last(newHistory).input; + // && var encryptOutput := Seq.Last(newHistory).output.value; + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-putitem + //= type=implication + //# The Item MUST be [writable](ddb-support.md#writable). + && IsWriteable(tableConfig, input.sdkInput.Item).Success? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-putitem + //= type=implication + //# The ConditionExpression MUST be [valid](ddb-support.md#testconditionexpression). + && TestConditionExpression(tableConfig, + input.sdkInput.ConditionExpression, + input.sdkInput.ExpressionAttributeNames, + input.sdkInput.ExpressionAttributeValues).Success? { if input.sdkInput.TableName !in config.tableEncryptionConfigs { 
@@ -65,9 +65,9 @@ module PutItemTransform {
 var _ :- IsWriteable(tableConfig, input.sdkInput.Item);
 var _ :- TestConditionExpression(tableConfig,
- input.sdkInput.ConditionExpression,
- input.sdkInput.ExpressionAttributeNames,
- input.sdkInput.ExpressionAttributeValues);
+ input.sdkInput.ConditionExpression,
+ input.sdkInput.ExpressionAttributeNames,
+ input.sdkInput.ExpressionAttributeValues);
 var item :- AddSignedBeacons(tableConfig, input.sdkInput.Item);
 var encryptRes := tableConfig.itemEncryptor.EncryptItem(
 EncTypes.EncryptItemInput(plaintextItem:=item)
@@ -96,55 +96,55 @@ module PutItemTransform { // [ReturnValues](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_PutItem.html#DDB-PutItem-request-ReturnValues) // had a value of `ALL_OLD` and the PutItem call replaced a pre-existing item. ensures ( - && output.Success? - && input.originalInput.TableName in config.tableEncryptionConfigs - && !NoMap(input.sdkOutput.Attributes) - ) ==> - && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; - && var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); - && var newHistory := tableConfig.itemEncryptor.History.DecryptItem; - - && |newHistory| == |oldHistory|+1 - && Seq.Last(newHistory).output.Success? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-putitem - //= type=implication - //# In this case, the [Item Encryptor](./ddb-item-encryptor.md) MUST perform - //# [Decrypt Item](./decrypt-item.md) where the input - //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) - //# is the `Attributes` field in the original response - && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Attributes.value - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-putitem - //= type=implication - //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. - && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? - && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-putitem - //= type=implication - //# The PutItem response's `Attributes` field MUST be - //# replaced by the encrypted DynamoDb Item outputted above. - && output.value.transformedOutput.Attributes.Some? - && (item == output.value.transformedOutput.Attributes.value) + && output.Success? 
+ && input.originalInput.TableName in config.tableEncryptionConfigs + && !NoMap(input.sdkOutput.Attributes) + ) ==> + && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; + && var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); + && var newHistory := tableConfig.itemEncryptor.History.DecryptItem; + + && |newHistory| == |oldHistory|+1 + && Seq.Last(newHistory).output.Success? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-putitem + //= type=implication + //# In this case, the [Item Encryptor](./ddb-item-encryptor.md) MUST perform + //# [Decrypt Item](./decrypt-item.md) where the input + //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) + //# is the `Attributes` field in the original response + && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Attributes.value + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-putitem + //= type=implication + //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. + && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? + && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-putitem + //= type=implication + //# The PutItem response's `Attributes` field MUST be + //# replaced by the encrypted DynamoDb Item outputted above. + && output.value.transformedOutput.Attributes.Some? + && (item == output.value.transformedOutput.Attributes.value) // Passthrough the response if the above specification is not met ensures ( - && output.Success? - && ( - || input.originalInput.TableName !in config.tableEncryptionConfigs - || input.sdkOutput.Attributes.None? - ) - ) ==> - output.value.transformedOutput == input.sdkOutput - + && output.Success? 
+ && (
+ || input.originalInput.TableName !in config.tableEncryptionConfigs
+ || input.sdkOutput.Attributes.None?
+ )
+ ) ==>
+ output.value.transformedOutput == input.sdkOutput
+
 requires ValidConfig?(config)
 ensures ValidConfig?(config)
 modifies ModifiesConfig(config)
 {
 var tableName := input.originalInput.TableName;
 if tableName !in config.tableEncryptionConfigs || NoMap(input.sdkOutput.Attributes)
- {
+ {
 return Success(PutItemOutputTransformOutput(transformedOutput := input.sdkOutput));
 }
 var tableConfig := config.tableEncryptionConfigs[tableName];
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactGetItemsTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactGetItemsTransform.dfy
index 63353ed15..6ba019611 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactGetItemsTransform.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactGetItemsTransform.dfy
@@ -26,12 +26,12 @@ module TransactGetItemsTransform {
 modifies ModifiesConfig(config)
 ensures NoList(input.sdkOutput.Responses) ==>
- && output.Success?
- && output.value.transformedOutput == input.sdkOutput
+ && output.Success?
+ && output.value.transformedOutput == input.sdkOutput
 ensures output.Success? && input.sdkOutput.Responses.Some? ==>
- && output.value.transformedOutput.Responses.Some?
- && |output.value.transformedOutput.Responses.value| == |input.originalInput.TransactItems|
+ && output.value.transformedOutput.Responses.Some?
+ && |output.value.transformedOutput.Responses.value| == |input.originalInput.TransactItems|
 {
 if NoList(input.sdkOutput.Responses) {
 return Success(TransactGetItemsOutputTransformOutput(transformedOutput := input.sdkOutput));
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactWriteItemsTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactWriteItemsTransform.dfy
index 58af3a64b..fc559c68c 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactWriteItemsTransform.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/TransactWriteItemsTransform.dfy
@@ -32,12 +32,12 @@ module TransactWriteItemsTransform {
 //# To protect against a possible fifth field being added to the TransactWriteItem structure in the future,
 //# the client MUST fail if none of the `Update`, `ConditionCheck`, `Delete` and `Put` fields are set.
 ensures output.Success? ==>
- forall item <- input.sdkInput.TransactItems :: IsValid(item)
+ forall item <- input.sdkInput.TransactItems :: IsValid(item)
 {
 :- Need(forall item <- input.sdkInput.TransactItems :: IsValid(item),
 E("Each item in TransactWriteItems must specify at least one supported operation"));
 var result : seq := [];
 for x := 0 to |input.sdkInput.TransactItems|
- // invariant |result| == x
+ // invariant |result| == x
 {
 var item := input.sdkInput.TransactItems[x];
@@ -46,33 +46,33 @@ module TransactWriteItemsTransform {
 //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-transactwriteitems
 //# - The ConditionExpression of the `ConditionCheck` MUST be [valid](ddb-support.md#testconditionexpression).
 var _ :- TestConditionExpression(tableConfig,
- Some(item.ConditionCheck.value.ConditionExpression),
- item.ConditionCheck.value.ExpressionAttributeNames,
- item.ConditionCheck.value.ExpressionAttributeValues);
+ Some(item.ConditionCheck.value.ConditionExpression),
+ item.ConditionCheck.value.ExpressionAttributeNames,
+ item.ConditionCheck.value.ExpressionAttributeValues);
 }
 if item.Delete.Some? && item.Delete.value.TableName in config.tableEncryptionConfigs {
 var tableConfig := config.tableEncryptionConfigs[item.Delete.value.TableName];
 //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-transactwriteitems
 //# - The ConditionExpression of the `Delete` MUST be [valid](ddb-support.md#testconditionexpression).
 var _ :- TestConditionExpression(tableConfig,
- item.Delete.value.ConditionExpression,
- item.Delete.value.ExpressionAttributeNames,
- item.Delete.value.ExpressionAttributeValues);
+ item.Delete.value.ConditionExpression,
+ item.Delete.value.ExpressionAttributeNames,
+ item.Delete.value.ExpressionAttributeValues);
 }
 if item.Update.Some? && item.Update.value.TableName in config.tableEncryptionConfigs {
 var tableConfig := config.tableEncryptionConfigs[item.Update.value.TableName];
 //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-transactwriteitems
 //# - The UpdateExpression of the `Update` MUST be [valid](ddb-support.md#testupdateexpression).
 var _ :- TestUpdateExpression(tableConfig,
- Some(item.Update.value.UpdateExpression),
- item.Update.value.ExpressionAttributeNames,
- item.Update.value.ExpressionAttributeValues);
+ Some(item.Update.value.UpdateExpression),
+ item.Update.value.ExpressionAttributeNames,
+ item.Update.value.ExpressionAttributeValues);
 //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-transactwriteitems
 //# - The ConditionExpression of the `Update` MUST be [valid](ddb-support.md#testconditionexpression).
 var _ :- TestConditionExpression(tableConfig,
- item.Update.value.ConditionExpression,
- item.Update.value.ExpressionAttributeNames,
- item.Update.value.ExpressionAttributeValues);
+ item.Update.value.ConditionExpression,
+ item.Update.value.ExpressionAttributeNames,
+ item.Update.value.ExpressionAttributeValues);
 }
 if item.Put.Some? && item.Put.value.TableName in config.tableEncryptionConfigs {
@@ -85,9 +85,9 @@ module TransactWriteItemsTransform {
 //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#encrypt-before-transactwriteitems
 //# - The ConditionExpression `Put` MUST be [valid](ddb-support.md#testconditionexpression).
 var _ :- TestConditionExpression(tableConfig,
- item.Put.value.ConditionExpression,
- item.Put.value.ExpressionAttributeNames,
- item.Put.value.ExpressionAttributeValues);
+ item.Put.value.ConditionExpression,
+ item.Put.value.ExpressionAttributeNames,
+ item.Put.value.ExpressionAttributeValues);
 var beaconItem :- AddSignedBeacons(tableConfig, item.Put.value.Item);
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/UpdateItemTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/UpdateItemTransform.dfy
index 23cfa8afb..852c819d6 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/UpdateItemTransform.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/UpdateItemTransform.dfy
@@ -19,35 +19,35 @@ module UpdateItemTransform { modifies ModifiesConfig(config) ensures output.Success? && input.sdkInput.TableName in config.tableEncryptionConfigs ==> - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem - //= type=implication - //# The UpdateItem request MUST NOT refer to any legacy parameters, - //# specifically Expected, AttributeUpdates and ConditionalOperator MUST NOT be set. - && NoMap(input.sdkInput.Expected) - && NoMap(input.sdkInput.AttributeUpdates) - && input.sdkInput.ConditionalOperator.None? - && var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem - //= type=implication - //# The UpdateExpression MUST be [valid](ddb-support.md#testupdateexpression). - && TestUpdateExpression(tableConfig, - input.sdkInput.UpdateExpression, - input.sdkInput.ExpressionAttributeNames, - input.sdkInput.ExpressionAttributeValues).Success? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem - //= type=implication - //# If all of the above validation succeeds, the UpdateItem request MUST be unchanged. - && output.value.transformedInput == input.sdkInput + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem + //= type=implication + //# The UpdateItem request MUST NOT refer to any legacy parameters, + //# specifically Expected, AttributeUpdates and ConditionalOperator MUST NOT be set. + && NoMap(input.sdkInput.Expected) + && NoMap(input.sdkInput.AttributeUpdates) + && input.sdkInput.ConditionalOperator.None? + && var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem + //= type=implication + //# The UpdateExpression MUST be [valid](ddb-support.md#testupdateexpression). 
+ && TestUpdateExpression(tableConfig, + input.sdkInput.UpdateExpression, + input.sdkInput.ExpressionAttributeNames, + input.sdkInput.ExpressionAttributeValues).Success? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem + //= type=implication + //# If all of the above validation succeeds, the UpdateItem request MUST be unchanged. + && output.value.transformedInput == input.sdkInput //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#validate-before-updateitem //= type=implication //# If the `TableName` in the request does not refer to an [encrypted-table](#encrypted-table), //# the UpdateItem request MUST be unchanged. ensures input.sdkInput.TableName !in config.tableEncryptionConfigs ==> - && output.Success? - && output.value.transformedInput == input.sdkInput + && output.Success? + && output.value.transformedInput == input.sdkInput { if input.sdkInput.TableName in config.tableEncryptionConfigs { :- Need(NoMap(input.sdkInput.Expected), E("Legacy parameter 'Expected' not supported in UpdateItem with Encryption")); @@ -56,9 +56,9 @@ module UpdateItemTransform { var tableConfig := config.tableEncryptionConfigs[input.sdkInput.TableName]; var _ :- TestUpdateExpression(tableConfig, - input.sdkInput.UpdateExpression, - input.sdkInput.ExpressionAttributeNames, - input.sdkInput.ExpressionAttributeValues); + input.sdkInput.UpdateExpression, + input.sdkInput.ExpressionAttributeNames, + input.sdkInput.ExpressionAttributeValues); } return Success(UpdateItemInputTransformOutput(transformedInput := input.sdkInput)); } 
@@ -77,74 +77,74 @@ module UpdateItemTransform { // with a [DynamoDB Table Name](./ddb-item-encryptor.md#dynamodb-table-name) // equal to the `TableName` on the UpdateItem request. // - the response contains [Attributes](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html#DDB-UpdateItem-response-Attributes). - // - the original UpdateItem request had a + // - the original UpdateItem request had a // [ReturnValues](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateItem.html#DDB-UpdateItem-request-ReturnValues) // with a value of `ALL_OLD` or `ALL_NEW`. ensures ( - && output.Success? - && input.originalInput.TableName in config.tableEncryptionConfigs - && !NoMap(input.sdkOutput.Attributes) - && input.originalInput.ReturnValues.Some? - && ( - || input.originalInput.ReturnValues.value.ALL_OLD? - || input.originalInput.ReturnValues.value.ALL_NEW? - ) - ) ==> - && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; - && var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); - && var newHistory := tableConfig.itemEncryptor.History.DecryptItem; - - && |newHistory| == |oldHistory|+1 - && Seq.Last(newHistory).output.Success? - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem - //= type=implication - //# In this case, the [Item Encryptor](./ddb-item-encryptor.md) MUST perform - //# [Decrypt Item](./decrypt-item.md) where the input - //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) - //# is the `Attributes` field in the original response - && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Attributes.value - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem - //= type=implication - //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. - && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? 
- && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; - - //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem - //= type=implication - //# The UpdateItem response's `Attributes` field MUST be - //# replaced by the encrypted DynamoDb Item outputted above. - && output.value.transformedOutput.Attributes.Some? - && (item == output.value.transformedOutput.Attributes.value) + && output.Success? + && input.originalInput.TableName in config.tableEncryptionConfigs + && !NoMap(input.sdkOutput.Attributes) + && input.originalInput.ReturnValues.Some? + && ( + || input.originalInput.ReturnValues.value.ALL_OLD? + || input.originalInput.ReturnValues.value.ALL_NEW? + ) + ) ==> + && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; + && var oldHistory := old(tableConfig.itemEncryptor.History.DecryptItem); + && var newHistory := tableConfig.itemEncryptor.History.DecryptItem; + + && |newHistory| == |oldHistory|+1 + && Seq.Last(newHistory).output.Success? + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem + //= type=implication + //# In this case, the [Item Encryptor](./ddb-item-encryptor.md) MUST perform + //# [Decrypt Item](./decrypt-item.md) where the input + //# [DynamoDB Item](./decrypt-item.md#dynamodb-item) + //# is the `Attributes` field in the original response + && Seq.Last(newHistory).input.encryptedItem == input.sdkOutput.Attributes.value + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem + //= type=implication + //# Beacons MUST be [removed](ddb-support.md#removebeacons) from the result. + && RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).Success? 
+ && var item := RemoveBeacons(tableConfig, Seq.Last(newHistory).output.value.plaintextItem).value; + + //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem + //= type=implication + //# The UpdateItem response's `Attributes` field MUST be + //# replaced by the encrypted DynamoDb Item outputted above. + && output.value.transformedOutput.Attributes.Some? + && (item == output.value.transformedOutput.Attributes.value) //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem //= type=implication //# In all other cases, the UpdateItem response MUST NOT be modified. ensures ( - && output.Success? - && ( - || input.originalInput.TableName !in config.tableEncryptionConfigs - || input.sdkOutput.Attributes.None? - ) - ) ==> ( - && output.value.transformedOutput == input.sdkOutput - ) + && output.Success? + && ( + || input.originalInput.TableName !in config.tableEncryptionConfigs + || input.sdkOutput.Attributes.None? + ) + ) ==> ( + && output.value.transformedOutput == input.sdkOutput + ) ensures ( - && output.Success? - && input.originalInput.TableName in config.tableEncryptionConfigs - && input.sdkOutput.Attributes.Some? - && (input.originalInput.ReturnValues.Some? ==> ( - || input.originalInput.ReturnValues.value.UPDATED_NEW? - || input.originalInput.ReturnValues.value.UPDATED_OLD? - ) - ) - ) ==> ( - && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; - && output.value.transformedOutput == input.sdkOutput - && forall k <- input.sdkOutput.Attributes.value.Keys :: !IsSigned(tableConfig, k) - ) + && output.Success? + && input.originalInput.TableName in config.tableEncryptionConfigs + && input.sdkOutput.Attributes.Some? + && (input.originalInput.ReturnValues.Some? ==> ( + || input.originalInput.ReturnValues.value.UPDATED_NEW? + || input.originalInput.ReturnValues.value.UPDATED_OLD? 
+ ) + ) + ) ==> ( + && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; + && output.value.transformedOutput == input.sdkOutput + && forall k <- input.sdkOutput.Attributes.value.Keys :: !IsSigned(tableConfig, k) + ) //= specification/dynamodb-encryption-client/ddb-sdk-integration.md#decrypt-after-updateitem //= type=implication @@ -153,18 +153,18 @@ module UpdateItemTransform { //# per the [DynamoDB Encryption Client Config](#dynamodb-encryption-client-configuration), //# an error MUST be raised. ensures ( - && input.originalInput.TableName in config.tableEncryptionConfigs - && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; - && input.sdkOutput.Attributes.Some? - && (input.originalInput.ReturnValues.Some? ==> ( - || input.originalInput.ReturnValues.value.UPDATED_NEW? - || input.originalInput.ReturnValues.value.UPDATED_OLD? - ) - ) - && exists k <- input.sdkOutput.Attributes.value.Keys :: IsSigned(tableConfig, k) - ) ==> - output.Failure? - + && input.originalInput.TableName in config.tableEncryptionConfigs + && var tableConfig := config.tableEncryptionConfigs[input.originalInput.TableName]; + && input.sdkOutput.Attributes.Some? + && (input.originalInput.ReturnValues.Some? ==> ( + || input.originalInput.ReturnValues.value.UPDATED_NEW? + || input.originalInput.ReturnValues.value.UPDATED_OLD? + ) + ) + && exists k <- input.sdkOutput.Attributes.value.Keys :: IsSigned(tableConfig, k) + ) ==> + output.Failure? + requires ValidConfig?(config) ensures ValidConfig?(config) modifies ModifiesConfig(config) 
@@ -182,16 +182,16 @@ module UpdateItemTransform { var attributes := input.sdkOutput.Attributes.value; if !( - && input.originalInput.ReturnValues.Some? - && ( - || input.originalInput.ReturnValues.value.ALL_NEW? - || input.originalInput.ReturnValues.value.ALL_OLD?) + && input.originalInput.ReturnValues.Some? + && ( + || input.originalInput.ReturnValues.value.ALL_NEW? + || input.originalInput.ReturnValues.value.ALL_OLD?) ) { // This error should not be possible to reach if we assume the DDB API contract is correct. // We include this runtime check for defensive purposes. :- Need(forall k <- attributes.Keys :: !IsSigned(tableConfig, k), - E("UpdateItems response contains signed attributes, but does not include the entire item which is required for verification.")); + E("UpdateItems response contains signed attributes, but does not include the entire item which is required for verification.")); return Success(UpdateItemOutputTransformOutput(transformedOutput := input.sdkOutput)); } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/DdbStatement.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/DdbStatement.dfy index 82c4bdc01..4e554aed0 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/DdbStatement.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/DdbStatement.dfy @@ -109,7 +109,7 @@ module DdbStatementTest { ExpectEqual(TableFromStatement("UPDATE \"Music\" SET AwardsWon=1 SET AwardDetail={'Grammys':[2020, 2018]} WHERE Artist='Acme Band' AND SongTitle='PartiQL Rocks"), Success("Music")); ExpectEqual(TableFromStatement( -@"UPDATE ""Music"" + @"UPDATE ""Music"" SET AwardsWon=1 SET AwardDetail={'Grammys':[2020, 2018]} WHERE Artist='Acme Band' AND SongTitle='PartiQL Rocks' 
@@ -119,15 +119,15 @@ RETURNING ALL OLD *"), Success("Music")); // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-reference.select.html method {:test} TestSelectFromDocs() { ExpectEqual(TableFromStatement( -@"SELECT OrderID, Total + @"SELECT OrderID, Total FROM ""Orders"" WHERE OrderID IN [1, 2, 3] ORDER BY OrderID DESC"), Success("Orders")); ExpectEqual(TableFromStatement( -@"SELECT Devices.FireStick.DateWatched[0] + @"SELECT Devices.FireStick.DateWatched[0] FROM WatchList WHERE CustomerID= 'C1' AND MovieID= 'M1'"), Success("WatchList")); ExpectEqual(TableFromStatement( -@"SELECT * + @"SELECT * FROM ""Orders"" WHERE OrderID IN [100, 300, 234]"), Success("Orders")); } @@ -135,14 +135,14 @@ WHERE OrderID IN [100, 300, 234]"), Success("Orders")); // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-reference.delete.html method {:test} TestDeleteFromDocs() { ExpectEqual(TableFromStatement( -@"DELETE FROM ""Music"" WHERE ""Artist"" = 'Acme Band' AND ""SongTitle"" = 'PartiQL Rocks' RETURNING ALL OLD * + @"DELETE FROM ""Music"" WHERE ""Artist"" = 'Acme Band' AND ""SongTitle"" = 'PartiQL Rocks' RETURNING ALL OLD * "), Success("Music")); } // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-functions.exists.html method {:test} TestExistsFromDocs() { ExpectEqual(TableFromStatement( -@"EXISTS( + @"EXISTS( SELECT * FROM ""Music"" WHERE ""Artist"" = 'Acme Band' AND ""SongTitle"" = 'PartiQL Rocks') "), Success("Music")); 
@@ -151,9 +151,9 @@ WHERE OrderID IN [100, 300, 234]"), Success("Orders")); // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ql-reference.insert.html method {:test} TestInsertFromDocs() { ExpectEqual(TableFromStatement( -@"INSERT INTO ""Music"" value {'Artist' : 'Acme Band','SongTitle' : 'PartiQL Rocks'} + @"INSERT INTO ""Music"" value {'Artist' : 'Acme Band','SongTitle' : 'PartiQL Rocks'} "), Success("Music")); ExpectEqual(TableFromStatement( -@"INSERT INTO ""Mu s ic"" value {'Artist' : 'Acme Band','SongTitle' : 'PartiQL Rocks'} + @"INSERT INTO ""Mu s ic"" value {'Artist' : 'Acme Band','SongTitle' : 'PartiQL Rocks'} "), Success("Mu s ic")); } diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/ExecuteStatementTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/ExecuteStatementTransform.dfy index 2dbfdd4ec..5be9ff5e1 100644 --- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/ExecuteStatementTransform.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/ExecuteStatementTransform.dfy @@ -33,8 +33,8 @@ module ExecuteStatementTransformTest { method {:test} TestExecuteStatementInputEncrypted() { var middlewareUnderTest := TestFixtures.GetDynamoDbEncryptionTransforms(); - var statement := GetStatement("update \"foo\""); - var bad_input := DDB.ExecuteStatementInput( + var statement := GetStatement("update \"foo\""); + var bad_input := DDB.ExecuteStatementInput( Statement := statement, Parameters := None(), ConsistentRead := None(), @@ -61,8 +61,8 @@ module ExecuteStatementTransformTest { ConsumedCapacity := None(), LastEvaluatedKey := None() ); - var statement := GetStatement("foo"); - var input := DDB.ExecuteStatementInput( + var statement := GetStatement("foo"); + var input := DDB.ExecuteStatementInput( Statement := statement, Parameters := None(), ConsistentRead := None(), 
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/TestFixtures.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/TestFixtures.dfy
index f8a13e598..8ae5ea78a 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/TestFixtures.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/TestFixtures.dfy
@@ -134,7 +134,7 @@ module TestFixtures {
 }
 method GetDynamoDbItemEncryptor()
- returns (encryptor: DynamoDbItemEncryptor.DynamoDbItemEncryptorClient)
+ returns (encryptor: DynamoDbItemEncryptor.DynamoDbItemEncryptorClient)
 ensures encryptor.ValidState()
 ensures fresh(encryptor)
 ensures fresh(encryptor.Modifies)
@@ -177,7 +177,7 @@ module TestFixtures {
 }
 method GetKmsKeyring()
- returns (keyring: AwsCryptographyMaterialProvidersTypes.IKeyring)
+ returns (keyring: AwsCryptographyMaterialProvidersTypes.IKeyring)
 ensures keyring.ValidState()
 ensures fresh(keyring)
 ensures fresh(keyring.Modifies)
@@ -193,7 +193,7 @@ module TestFixtures {
 }
 method GetStaticKeyring()
- returns (keyring: AwsCryptographyMaterialProvidersTypes.IKeyring)
+ returns (keyring: AwsCryptographyMaterialProvidersTypes.IKeyring)
 ensures keyring.ValidState()
 ensures fresh(keyring)
 ensures fresh(keyring.Modifies)
@@ -210,7 +210,7 @@ module TestFixtures {
 }
 method GetDynamoDbEncryptionTransforms()
- returns (encryption: DynamoDbEncryptionTransforms.DynamoDbEncryptionTransformsClient)
+ returns (encryption: DynamoDbEncryptionTransforms.DynamoDbEncryptionTransformsClient)
 ensures encryption.ValidState()
 ensures fresh(encryption)
 ensures fresh(encryption.Modifies)
@@ -228,7 +228,7 @@ module TestFixtures {
 "sign" := CSE.SIGN_ONLY,
 "encrypt" := CSE.ENCRYPT_AND_SIGN,
 "plain" := CSE.DO_NOTHING
- ],
+ ],
 allowedUnsignedAttributes := Some(["plain"]),
 allowedUnsignedAttributePrefix := None(),
 algorithmSuiteId := None(),
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/UpdateItemTransform.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/UpdateItemTransform.dfy
index f11206bd7..b989267eb 100644
--- a/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/UpdateItemTransform.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/test/UpdateItemTransform.dfy
@@ -37,7 +37,7 @@ module UpdateItemTransformTest {
 expect_equal("UpdateItemInput", transformed.value.transformedInput, input);
 }
- method {:test} TestUpdateItemInputUpdateExpressionSigned() {
+ method {:test} TestUpdateItemInputUpdateExpressionSigned() {
 var middlewareUnderTest := TestFixtures.GetDynamoDbEncryptionTransforms();
 var tableName := GetTableName("foo");
 var input := DDB.UpdateItemInput(
@@ -64,7 +64,7 @@ module UpdateItemTransformTest {
 }
- method {:test} TestUpdateItemInputUpdateExpressionEncrypted() {
+ method {:test} TestUpdateItemInputUpdateExpressionEncrypted() {
 var middlewareUnderTest := TestFixtures.GetDynamoDbEncryptionTransforms();
 var tableName := GetTableName("foo");
 var input := DDB.UpdateItemInput(
@@ -91,7 +91,7 @@ module UpdateItemTransformTest {
 }
- method {:test} TestUpdateItemInputUpdateExpressionPlain() {
+ method {:test} TestUpdateItemInputUpdateExpressionPlain() {
 var middlewareUnderTest := TestFixtures.GetDynamoDbEncryptionTransforms();
 var tableName := GetTableName("no_such_table");
 var input := DDB.UpdateItemInput(
diff --git a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/Model/AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.dfy b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/Model/AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.dfy
index f51ac0792..7e57a65e5 100644
--- a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/Model/AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/Model/AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes.dfy
@@ -2,312 +2,312 @@ // SPDX-License-Identifier: Apache-2.0 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten. include "../../../../submodules/MaterialProviders/StandardLibrary/src/Index.dfy" - include "../../DynamoDbEncryption/src/Index.dfy" - include "../../StructuredEncryption/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy" - include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy" - module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencryptor.internaldafny.types" } AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import AwsCryptographyDbEncryptionSdkDynamoDbTypes - import AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes - import AwsCryptographyMaterialProvidersTypes - import AwsCryptographyPrimitivesTypes - import ComAmazonawsDynamodbTypes - // Generic helpers for verification of mock/unit tests. - datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - - // Begin Generated Types - - datatype DecryptItemInput = | DecryptItemInput ( - nameonly encryptedItem: ComAmazonawsDynamodbTypes.AttributeMap - ) - datatype DecryptItemOutput = | DecryptItemOutput ( - nameonly plaintextItem: ComAmazonawsDynamodbTypes.AttributeMap , - nameonly parsedHeader: Option := Option.None - ) - class IDynamoDbItemEncryptorClientCallHistory { - ghost constructor() { - EncryptItem := []; - DecryptItem := []; -} - ghost var EncryptItem: seq>> - ghost var DecryptItem: seq>> -} - trait {:termination false} IDynamoDbItemEncryptorClient - { - // Helper to define any additional modifies/reads clauses. 
- // If your operations need to mutate state, - // add it in your constructor function: - // Modifies := {your, fields, here, History}; - // If you do not need to mutate anything: -// Modifies := {History}; +include "../../DynamoDbEncryption/src/Index.dfy" +include "../../StructuredEncryption/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy" +include "../../../../submodules/MaterialProviders/ComAmazonawsDynamodb/src/Index.dfy" +module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencryptor.internaldafny.types" } AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import AwsCryptographyDbEncryptionSdkDynamoDbTypes + import AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes + import AwsCryptographyMaterialProvidersTypes + import AwsCryptographyPrimitivesTypes + import ComAmazonawsDynamodbTypes + // Generic helpers for verification of mock/unit tests. + datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - ghost const Modifies: set - // For an unassigned field defined in a trait, - // Dafny can only assign a value in the constructor. - // This means that for Dafny to reason about this value, - // it needs some way to know (an invariant), - // about the state of the object. - // This builds on the Valid/Repr paradigm - // To make this kind requires safe to add - // to methods called from unverified code, - // the predicate MUST NOT take any arguments. - // This means that the correctness of this requires - // MUST only be evaluated by the class itself. - // If you require any additional mutation, - // then you MUST ensure everything you need in ValidState. - // You MUST also ensure ValidState in your constructor. 
- predicate ValidState() - ensures ValidState() ==> History in Modifies - ghost const History: IDynamoDbItemEncryptorClientCallHistory - predicate EncryptItemEnsuresPublicly(input: EncryptItemInput , output: Result) - // The public method to be called by library consumers - method EncryptItem ( input: EncryptItemInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`EncryptItem - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures EncryptItemEnsuresPublicly(input, output) - ensures History.EncryptItem == old(History.EncryptItem) + [DafnyCallEvent(input, output)] - - predicate DecryptItemEnsuresPublicly(input: DecryptItemInput , output: Result) - // The public method to be called by library consumers - method DecryptItem ( input: DecryptItemInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`DecryptItem - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures DecryptItemEnsuresPublicly(input, output) - ensures History.DecryptItem == old(History.DecryptItem) + [DafnyCallEvent(input, output)] - -} - datatype DynamoDbItemEncryptorConfig = | DynamoDbItemEncryptorConfig ( - nameonly logicalTableName: string , - nameonly partitionKeyName: ComAmazonawsDynamodbTypes.KeySchemaAttributeName , - nameonly sortKeyName: Option := Option.None , - nameonly attributeActionsOnEncrypt: AwsCryptographyDbEncryptionSdkDynamoDbTypes.AttributeActions , - nameonly allowedUnsignedAttributes: Option := Option.None , - nameonly allowedUnsignedAttributePrefix: Option := Option.None , - nameonly algorithmSuiteId: Option := Option.None , - nameonly keyring: Option := Option.None , - nameonly cmm: Option := Option.None , - nameonly legacyOverride: Option := Option.None , - nameonly plaintextOverride: Option := Option.None - ) - datatype EncryptItemInput = | EncryptItemInput ( - nameonly plaintextItem: ComAmazonawsDynamodbTypes.AttributeMap - ) - datatype EncryptItemOutput = | EncryptItemOutput ( - nameonly encryptedItem: ComAmazonawsDynamodbTypes.AttributeMap , - nameonly parsedHeader: Option := Option.None - ) - datatype ParsedHeader = | ParsedHeader ( - nameonly attributeActionsOnEncrypt: AwsCryptographyDbEncryptionSdkDynamoDbTypes.AttributeActions , - nameonly algorithmSuiteId: AwsCryptographyMaterialProvidersTypes.DBEAlgorithmSuiteId , - nameonly encryptedDataKeys: AwsCryptographyMaterialProvidersTypes.EncryptedDataKeyList , - nameonly storedEncryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext , - nameonly encryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext , - nameonly selectorContext: ComAmazonawsDynamodbTypes.Key - ) - datatype Error = - // Local Error structures are listed here - | DynamoDbItemEncryptorException ( - nameonly message: string - ) - // Any dependent models are listed here - | 
AwsCryptographyDbEncryptionSdkDynamoDb(AwsCryptographyDbEncryptionSdkDynamoDb: AwsCryptographyDbEncryptionSdkDynamoDbTypes.Error) - | AwsCryptographyDbEncryptionSdkStructuredEncryption(AwsCryptographyDbEncryptionSdkStructuredEncryption: AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.Error) - | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) - | AwsCryptographyPrimitives(AwsCryptographyPrimitives: AwsCryptographyPrimitivesTypes.Error) - | ComAmazonawsDynamodb(ComAmazonawsDynamodb: ComAmazonawsDynamodbTypes.Error) - // The Collection error is used to collect several errors together - // This is useful when composing OR logic. - // Consider the following method: - // - // method FN(n:I) - // returns (res: Result) - // ensures A(I).Success? ==> res.Success? - // ensures B(I).Success? ==> res.Success? - // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? - // - // If either A || B is successful then FN is successful. - // And if A && B fail then FN will fail. - // But what information should FN transmit back to the caller? - // While it may be correct to hide these details from the caller, - // this can not be the globally correct option. - // Suppose that A and B can be blocked by different ACLs, - // and that their representation of I is only eventually consistent. - // How can the caller distinguish, at a minimum for logging, - // the difference between the four failure modes? - // || (!access(A(I)) && !access(B(I))) - // || (!exit(A(I)) && !exit(B(I))) - // || (!access(A(I)) && !exit(B(I))) - // || (!exit(A(I)) && !access(B(I))) - | CollectionOfErrors(list: seq, nameonly message: string) - // The Opaque error, used for native, extern, wrapped or unknown errors - | Opaque(obj: object) - type OpaqueError = e: Error | e.Opaque? 
witness * -} - abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorService - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes - import Operations : AbstractAwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations - function method DefaultDynamoDbItemEncryptorConfig(): DynamoDbItemEncryptorConfig - method DynamoDbItemEncryptor(config: DynamoDbItemEncryptorConfig := DefaultDynamoDbItemEncryptorConfig()) - returns (res: Result) - requires config.keyring.Some? ==> - config.keyring.value.ValidState() - requires config.cmm.Some? ==> - config.cmm.value.ValidState() - requires config.legacyOverride.Some? ==> - config.legacyOverride.value.encryptor.ValidState() - modifies if config.keyring.Some? then - config.keyring.value.Modifies - else {} - modifies if config.cmm.Some? then - config.cmm.value.Modifies - else {} - modifies if config.legacyOverride.Some? then - config.legacyOverride.value.encryptor.Modifies - else {} - ensures res.Success? ==> - && fresh(res.value) - && fresh(res.value.Modifies - - ( if config.keyring.Some? then - config.keyring.value.Modifies - else {} - ) - ( if config.cmm.Some? then - config.cmm.value.Modifies - else {} - ) - ( if config.legacyOverride.Some? then - config.legacyOverride.value.encryptor.Modifies - else {} - ) ) - && fresh(res.value.History) - && res.value.ValidState() - ensures config.keyring.Some? ==> - config.keyring.value.ValidState() - ensures config.cmm.Some? ==> - config.cmm.value.ValidState() - ensures config.legacyOverride.Some? 
==> - config.legacyOverride.value.encryptor.ValidState() + // Begin Generated Types - // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals - function method CreateSuccessOfClient(client: IDynamoDbItemEncryptorClient): Result { - Success(client) - } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals - function method CreateFailureOfError(error: Error): Result { - Failure(error) - } - class DynamoDbItemEncryptorClient extends IDynamoDbItemEncryptorClient - { - constructor(config: Operations.InternalConfig) - requires Operations.ValidInternalConfig?(config) - ensures - && ValidState() - && fresh(History) - && this.config == config - const config: Operations.InternalConfig - predicate ValidState() - ensures ValidState() ==> - && Operations.ValidInternalConfig?(config) - && History !in Operations.ModifiesInternalConfig(config) - && Modifies == Operations.ModifiesInternalConfig(config) + {History} - predicate EncryptItemEnsuresPublicly(input: EncryptItemInput , output: Result) - {Operations.EncryptItemEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method EncryptItem ( input: EncryptItemInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`EncryptItem - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} - ensures - && ValidState() - ensures EncryptItemEnsuresPublicly(input, output) - ensures History.EncryptItem == old(History.EncryptItem) + [DafnyCallEvent(input, output)] - { - output := Operations.EncryptItem(config, input); - History.EncryptItem := History.EncryptItem + [DafnyCallEvent(input, output)]; -} - - predicate DecryptItemEnsuresPublicly(input: DecryptItemInput , output: Result) - {Operations.DecryptItemEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method DecryptItem ( input: DecryptItemInput ) - returns (output: Result) - requires - && ValidState() - modifies Modifies - {History} , - History`DecryptItem - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} - ensures - && ValidState() - ensures DecryptItemEnsuresPublicly(input, output) - ensures History.DecryptItem == old(History.DecryptItem) + [DafnyCallEvent(input, output)] - { - output := Operations.DecryptItem(config, input); - History.DecryptItem := History.DecryptItem + [DafnyCallEvent(input, output)]; -} - + datatype DecryptItemInput = | DecryptItemInput ( + nameonly encryptedItem: ComAmazonawsDynamodbTypes.AttributeMap + ) + datatype DecryptItemOutput = | DecryptItemOutput ( + nameonly plaintextItem: ComAmazonawsDynamodbTypes.AttributeMap , + nameonly parsedHeader: Option := Option.None + ) + class IDynamoDbItemEncryptorClientCallHistory { + ghost constructor() { + EncryptItem := []; + DecryptItem := []; + } + ghost var EncryptItem: seq>> + ghost var DecryptItem: seq>> + } + trait {:termination false} IDynamoDbItemEncryptorClient + { + // Helper to define any additional modifies/reads clauses. 
+ // If your operations need to mutate state, + // add it in your constructor function: + // Modifies := {your, fields, here, History}; + // If you do not need to mutate anything: + // Modifies := {History}; + + ghost const Modifies: set + // For an unassigned field defined in a trait, + // Dafny can only assign a value in the constructor. + // This means that for Dafny to reason about this value, + // it needs some way to know (an invariant), + // about the state of the object. + // This builds on the Valid/Repr paradigm + // To make this kind requires safe to add + // to methods called from unverified code, + // the predicate MUST NOT take any arguments. + // This means that the correctness of this requires + // MUST only be evaluated by the class itself. + // If you require any additional mutation, + // then you MUST ensure everything you need in ValidState. + // You MUST also ensure ValidState in your constructor. + predicate ValidState() + ensures ValidState() ==> History in Modifies + ghost const History: IDynamoDbItemEncryptorClientCallHistory + predicate EncryptItemEnsuresPublicly(input: EncryptItemInput , output: Result) + // The public method to be called by library consumers + method EncryptItem ( input: EncryptItemInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`EncryptItem + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures EncryptItemEnsuresPublicly(input, output) + ensures History.EncryptItem == old(History.EncryptItem) + [DafnyCallEvent(input, output)] + + predicate DecryptItemEnsuresPublicly(input: DecryptItemInput , output: Result) + // The public method to be called by library consumers + method DecryptItem ( input: DecryptItemInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DecryptItem + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DecryptItemEnsuresPublicly(input, output) + ensures History.DecryptItem == old(History.DecryptItem) + [DafnyCallEvent(input, output)] + + } + datatype DynamoDbItemEncryptorConfig = | DynamoDbItemEncryptorConfig ( + nameonly logicalTableName: string , + nameonly partitionKeyName: ComAmazonawsDynamodbTypes.KeySchemaAttributeName , + nameonly sortKeyName: Option := Option.None , + nameonly attributeActionsOnEncrypt: AwsCryptographyDbEncryptionSdkDynamoDbTypes.AttributeActions , + nameonly allowedUnsignedAttributes: Option := Option.None , + nameonly allowedUnsignedAttributePrefix: Option := Option.None , + nameonly algorithmSuiteId: Option := Option.None , + nameonly keyring: Option := Option.None , + nameonly cmm: Option := Option.None , + nameonly legacyOverride: Option := Option.None , + nameonly plaintextOverride: Option := Option.None + ) + datatype EncryptItemInput = | EncryptItemInput ( + nameonly plaintextItem: ComAmazonawsDynamodbTypes.AttributeMap + ) + datatype EncryptItemOutput = | EncryptItemOutput ( + nameonly encryptedItem: ComAmazonawsDynamodbTypes.AttributeMap , + nameonly parsedHeader: Option := Option.None + ) + datatype ParsedHeader = | ParsedHeader ( + nameonly attributeActionsOnEncrypt: AwsCryptographyDbEncryptionSdkDynamoDbTypes.AttributeActions , + nameonly algorithmSuiteId: 
AwsCryptographyMaterialProvidersTypes.DBEAlgorithmSuiteId , + nameonly encryptedDataKeys: AwsCryptographyMaterialProvidersTypes.EncryptedDataKeyList , + nameonly storedEncryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext , + nameonly encryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext , + nameonly selectorContext: ComAmazonawsDynamodbTypes.Key + ) + datatype Error = + // Local Error structures are listed here + | DynamoDbItemEncryptorException ( + nameonly message: string + ) + // Any dependent models are listed here + | AwsCryptographyDbEncryptionSdkDynamoDb(AwsCryptographyDbEncryptionSdkDynamoDb: AwsCryptographyDbEncryptionSdkDynamoDbTypes.Error) + | AwsCryptographyDbEncryptionSdkStructuredEncryption(AwsCryptographyDbEncryptionSdkStructuredEncryption: AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.Error) + | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) + | AwsCryptographyPrimitives(AwsCryptographyPrimitives: AwsCryptographyPrimitivesTypes.Error) + | ComAmazonawsDynamodb(ComAmazonawsDynamodb: ComAmazonawsDynamodbTypes.Error) + // The Collection error is used to collect several errors together + // This is useful when composing OR logic. + // Consider the following method: + // + // method FN(n:I) + // returns (res: Result) + // ensures A(I).Success? ==> res.Success? + // ensures B(I).Success? ==> res.Success? + // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? + // + // If either A || B is successful then FN is successful. + // And if A && B fail then FN will fail. + // But what information should FN transmit back to the caller? + // While it may be correct to hide these details from the caller, + // this can not be the globally correct option. + // Suppose that A and B can be blocked by different ACLs, + // and that their representation of I is only eventually consistent. 
+ // How can the caller distinguish, at a minimum for logging, + // the difference between the four failure modes? + // || (!access(A(I)) && !access(B(I))) + // || (!exit(A(I)) && !exit(B(I))) + // || (!access(A(I)) && !exit(B(I))) + // || (!exit(A(I)) && !access(B(I))) + | CollectionOfErrors(list: seq, nameonly message: string) + // The Opaque error, used for native, extern, wrapped or unknown errors + | Opaque(obj: object) + type OpaqueError = e: Error | e.Opaque? witness * } +abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorService +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes + import Operations : AbstractAwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations + function method DefaultDynamoDbItemEncryptorConfig(): DynamoDbItemEncryptorConfig + method DynamoDbItemEncryptor(config: DynamoDbItemEncryptorConfig := DefaultDynamoDbItemEncryptorConfig()) + returns (res: Result) + requires config.keyring.Some? ==> + config.keyring.value.ValidState() + requires config.cmm.Some? ==> + config.cmm.value.ValidState() + requires config.legacyOverride.Some? ==> + config.legacyOverride.value.encryptor.ValidState() + modifies if config.keyring.Some? then + config.keyring.value.Modifies + else {} + modifies if config.cmm.Some? then + config.cmm.value.Modifies + else {} + modifies if config.legacyOverride.Some? then + config.legacyOverride.value.encryptor.Modifies + else {} + ensures res.Success? ==> + && fresh(res.value) + && fresh(res.value.Modifies + - ( if config.keyring.Some? then + config.keyring.value.Modifies + else {} + ) - ( if config.cmm.Some? then + config.cmm.value.Modifies + else {} + ) - ( if config.legacyOverride.Some? then + config.legacyOverride.value.encryptor.Modifies + else {} + ) ) + && fresh(res.value.History) + && res.value.ValidState() + ensures config.keyring.Some? 
==> + config.keyring.value.ValidState() + ensures config.cmm.Some? ==> + config.cmm.value.ValidState() + ensures config.legacyOverride.Some? ==> + config.legacyOverride.value.encryptor.ValidState() + + // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals + function method CreateSuccessOfClient(client: IDynamoDbItemEncryptorClient): Result { + Success(client) + } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals + function method CreateFailureOfError(error: Error): Result { + Failure(error) + } + class DynamoDbItemEncryptorClient extends IDynamoDbItemEncryptorClient + { + constructor(config: Operations.InternalConfig) + requires Operations.ValidInternalConfig?(config) + ensures + && ValidState() + && fresh(History) + && this.config == config + const config: Operations.InternalConfig + predicate ValidState() + ensures ValidState() ==> + && Operations.ValidInternalConfig?(config) + && History !in Operations.ModifiesInternalConfig(config) + && Modifies == Operations.ModifiesInternalConfig(config) + {History} + predicate EncryptItemEnsuresPublicly(input: EncryptItemInput , output: Result) + {Operations.EncryptItemEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method EncryptItem ( input: EncryptItemInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`EncryptItem + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} + ensures + && ValidState() + ensures EncryptItemEnsuresPublicly(input, output) + ensures History.EncryptItem == old(History.EncryptItem) + [DafnyCallEvent(input, output)] + { + output := Operations.EncryptItem(config, input); + History.EncryptItem := History.EncryptItem + [DafnyCallEvent(input, output)]; + } + + predicate DecryptItemEnsuresPublicly(input: DecryptItemInput , output: Result) + {Operations.DecryptItemEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method DecryptItem ( input: DecryptItemInput ) + returns (output: Result) + requires + && ValidState() + modifies Modifies - {History} , + History`DecryptItem + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} + ensures + && ValidState() + ensures DecryptItemEnsuresPublicly(input, output) + ensures History.DecryptItem == old(History.DecryptItem) + [DafnyCallEvent(input, output)] + { + output := Operations.DecryptItem(config, input); + History.DecryptItem := History.DecryptItem + [DafnyCallEvent(input, output)]; + } + + } } - abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes - type InternalConfig - predicate ValidInternalConfig?(config: InternalConfig) - function ModifiesInternalConfig(config: InternalConfig): set - predicate EncryptItemEnsuresPublicly(input: EncryptItemInput , output: Result) - // The private method to be refined by the library developer +abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations { + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes + type InternalConfig + predicate ValidInternalConfig?(config: 
InternalConfig) + function ModifiesInternalConfig(config: InternalConfig): set + predicate EncryptItemEnsuresPublicly(input: EncryptItemInput , output: Result) + // The private method to be refined by the library developer - method EncryptItem ( config: InternalConfig , input: EncryptItemInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures EncryptItemEnsuresPublicly(input, output) + method EncryptItem ( config: InternalConfig , input: EncryptItemInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures EncryptItemEnsuresPublicly(input, output) - predicate DecryptItemEnsuresPublicly(input: DecryptItemInput , output: Result) - // The private method to be refined by the library developer + predicate DecryptItemEnsuresPublicly(input: DecryptItemInput , output: Result) + // The private method to be refined by the library developer - method DecryptItem ( config: InternalConfig , input: DecryptItemInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - modifies ModifiesInternalConfig(config) - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases ModifiesInternalConfig(config) - ensures - && ValidInternalConfig?(config) - ensures DecryptItemEnsuresPublicly(input, output) + method DecryptItem ( config: InternalConfig , input: DecryptItemInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + modifies ModifiesInternalConfig(config) + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) + ensures + && ValidInternalConfig?(config) + ensures DecryptItemEnsuresPublicly(input, output) } diff --git a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy index a63a9f44c..6e61cbf9a 100644 --- a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy +++ b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy 
@@ -47,55 +47,55 @@ module method {:vcs_split_on_every_assert} DynamoDbItemEncryptor(config: DynamoDbItemEncryptorConfig) returns (res: Result) ensures res.Success? ==> - && res.value is DynamoDbItemEncryptorClient - && var rconfig := (res.value as DynamoDbItemEncryptorClient).config; - && rconfig.logicalTableName == config.logicalTableName - && rconfig.partitionKeyName == config.partitionKeyName - && rconfig.sortKeyName == config.sortKeyName - && rconfig.attributeActionsOnEncrypt == config.attributeActionsOnEncrypt - && rconfig.allowedUnsignedAttributes == config.allowedUnsignedAttributes - && rconfig.allowedUnsignedAttributePrefix == config.allowedUnsignedAttributePrefix - && rconfig.algorithmSuiteId == config.algorithmSuiteId - - //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#attribute-actions - //= type=implication - //# The [Key Action](#key-action) - //# MUST be configured to the partition attribute and, if present, sort attribute. - && rconfig.version == Operations.VersionFromActions(config.attributeActionsOnEncrypt) - && config.partitionKeyName in config.attributeActionsOnEncrypt - && config.attributeActionsOnEncrypt[config.partitionKeyName] == Operations.KeyActionFromVersion(rconfig.version) - && (config.sortKeyName.Some? 
==> - && config.sortKeyName.value in config.attributeActionsOnEncrypt - && config.attributeActionsOnEncrypt[config.sortKeyName.value] == Operations.KeyActionFromVersion(rconfig.version)) + && res.value is DynamoDbItemEncryptorClient + && var rconfig := (res.value as DynamoDbItemEncryptorClient).config; + && rconfig.logicalTableName == config.logicalTableName + && rconfig.partitionKeyName == config.partitionKeyName + && rconfig.sortKeyName == config.sortKeyName + && rconfig.attributeActionsOnEncrypt == config.attributeActionsOnEncrypt + && rconfig.allowedUnsignedAttributes == config.allowedUnsignedAttributes + && rconfig.allowedUnsignedAttributePrefix == config.allowedUnsignedAttributePrefix + && rconfig.algorithmSuiteId == config.algorithmSuiteId + + //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#attribute-actions + //= type=implication + //# The [Key Action](#key-action) + //# MUST be configured to the partition attribute and, if present, sort attribute. + && rconfig.version == Operations.VersionFromActions(config.attributeActionsOnEncrypt) + && config.partitionKeyName in config.attributeActionsOnEncrypt + && config.attributeActionsOnEncrypt[config.partitionKeyName] == Operations.KeyActionFromVersion(rconfig.version) + && (config.sortKeyName.Some? ==> + && config.sortKeyName.value in config.attributeActionsOnEncrypt + && config.attributeActionsOnEncrypt[config.sortKeyName.value] == Operations.KeyActionFromVersion(rconfig.version)) //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#plaintext-policy //# If not specified, encryption and decryption MUST behave according to `FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ`. ensures - && res.Success? - && config.plaintextOverride.None? + && res.Success? + && config.plaintextOverride.None? ==> && var config := (res.value as DynamoDbItemEncryptorClient).config; && config.plaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ? { :- Need(config.keyring.None? 
|| config.cmm.None?, DynamoDbItemEncryptorException( - message := "Cannot provide both a keyring and a CMM" - )); + message := "Cannot provide both a keyring and a CMM" + )); :- Need(config.keyring.Some? || config.cmm.Some?, DynamoDbItemEncryptorException( - message := "Must provide either a keyring or a CMM" - )); + message := "Must provide either a keyring or a CMM" + )); var version := Operations.VersionFromActions(config.attributeActionsOnEncrypt); var keyAction := Operations.KeyActionFromVersion(version); var keyActionStr := Operations.KeyActionStringFromVersion(version); :- Need( - && config.partitionKeyName in config.attributeActionsOnEncrypt - && config.attributeActionsOnEncrypt[config.partitionKeyName] == keyAction, + && config.partitionKeyName in config.attributeActionsOnEncrypt + && config.attributeActionsOnEncrypt[config.partitionKeyName] == keyAction, DynamoDbItemEncryptorException( message := "Partition key attribute action MUST be " + keyActionStr )); :- Need( (config.sortKeyName.Some? ==> - && config.sortKeyName.value in config.attributeActionsOnEncrypt - && config.attributeActionsOnEncrypt[config.sortKeyName.value] == keyAction), + && config.sortKeyName.value in config.attributeActionsOnEncrypt + && config.attributeActionsOnEncrypt[config.sortKeyName.value] == keyAction), DynamoDbItemEncryptorException( message := "Sort key attribute action MUST be " + keyActionStr )); 
@@ -104,30 +104,30 @@ module var attributeNames : seq := SortedSets.ComputeSetToOrderedSequence2(config.attributeActionsOnEncrypt.Keys, CharLess); for i := 0 to |attributeNames| invariant forall j | 0 <= j < i :: - && UnreservedPrefix(attributeNames[j]) - && (Operations.ForwardCompatibleAttributeAction( - attributeNames[j], - config.attributeActionsOnEncrypt[attributeNames[j]], - config.allowedUnsignedAttributes, - config.allowedUnsignedAttributePrefix)) + && UnreservedPrefix(attributeNames[j]) + && (Operations.ForwardCompatibleAttributeAction( + attributeNames[j], + config.attributeActionsOnEncrypt[attributeNames[j]], + config.allowedUnsignedAttributes, + config.allowedUnsignedAttributePrefix)) { var attributeName := attributeNames[i]; var action := config.attributeActionsOnEncrypt[attributeName]; if !(Operations.ForwardCompatibleAttributeAction( - attributeName, - action, - config.allowedUnsignedAttributes, - config.allowedUnsignedAttributePrefix - )) + attributeName, + action, + config.allowedUnsignedAttributes, + config.allowedUnsignedAttributePrefix + )) { return Failure(DynamoDbItemEncryptorException( - message := Operations.ExplainNotForwardCompatible(attributeName, action, config.allowedUnsignedAttributes, config.allowedUnsignedAttributePrefix) - )); + message := Operations.ExplainNotForwardCompatible(attributeName, action, config.allowedUnsignedAttributes, config.allowedUnsignedAttributePrefix) + )); } if !UnreservedPrefix(attributeName) { return Failure(DynamoDbItemEncryptorException( - message := "Attribute: " + attributeName + " is reserved, and may not be configured." - )); + message := "Attribute: " + attributeName + " is reserved, and may not be configured." + )); } assert UnreservedPrefix(attributeName); assert UnreservedPrefix(attributeNames[i]); 
@@ -140,7 +140,7 @@ module
 // Create the structured encryption client
 var structuredEncryptionRes := StructuredEncryption.StructuredEncryption();
 var structuredEncryptionX : CSE.IStructuredEncryptionClient :- structuredEncryptionRes
- .MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDb(DDBE.AwsCryptographyDbEncryptionSdkStructuredEncryption(e)));
+ .MapFailure(e => AwsCryptographyDbEncryptionSdkDynamoDb(DDBE.AwsCryptographyDbEncryptionSdkStructuredEncryption(e)));
 assert structuredEncryptionX is StructuredEncryption.StructuredEncryptionClient;
 var structuredEncryption := structuredEncryptionX as StructuredEncryption.StructuredEncryptionClient;
@@ -179,14 +179,14 @@ module
 // ));
 if !(internalLegacyOverride.None? || config.plaintextOverride.None?) {
 return Failure(DynamoDbItemEncryptorException(
- message := "Cannot configure both a plaintext policy and a legacy config."
- ));
+ message := "Cannot configure both a plaintext policy and a legacy config."
+ ));
 }
 var plaintextOverride := if config.plaintextOverride.Some? then config.plaintextOverride.value else
- DDBE.PlaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ;
+ DDBE.PlaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ;
 var internalConfig := Operations.Config(
 version := version,
@@ -215,9 +215,9 @@ module
 var client := new DynamoDbItemEncryptorClient(internalConfig);
 assert fresh(client.Modifies
- - ( if config.keyring.Some? then config.keyring.value.Modifies else {})
- - ( if config.cmm.Some? then config.cmm.value.Modifies else {} )
- - ( if config.legacyOverride.Some? then config.legacyOverride.value.encryptor.Modifies else {}));
+ - ( if config.keyring.Some? then config.keyring.value.Modifies else {})
+ - ( if config.cmm.Some? then config.cmm.value.Modifies else {} )
+ - ( if config.legacyOverride.Some? then config.legacyOverride.value.encryptor.Modifies else {}));
 return Success(client);
 }
diff --git a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/InternalLegacyOverride.dfy b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/InternalLegacyOverride.dfy
index 45baa5a5a..1078bde53 100644
--- a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/InternalLegacyOverride.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/InternalLegacyOverride.dfy
@@ -23,5 +23,5 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencry
 predicate method {:extern} IsLegacyInput(input: Types.DecryptItemInput)
 }
-
+
 }
diff --git a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy
index f54c7b46f..c48464bc7 100644
--- a/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy
+++ b/DynamoDbEncryption/dafny/DynamoDbItemEncryptor/test/DynamoDBItemEncryptorTest.dfy
@@ -72,26 +72,26 @@ module DynamoDbItemEncryptorTest {
 }
 const Actions1 : DDBE.AttributeActions := map[
- "bar" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- "sortKey" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- "encrypt" := CSE.ENCRYPT_AND_SIGN,
- "sign" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- "sign2" := CSE.SIGN_ONLY,
- "sign3" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- "sign4" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- "nothing" := CSE.DO_NOTHING
- ]
-
- const Actions2 : DDBE.AttributeActions := map[
- GetAttrName("bar") := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- GetAttrName("sortKey") := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- GetAttrName("encrypt") := CSE.ENCRYPT_AND_SIGN,
- GetAttrName("sign") := CSE.SIGN_ONLY,
- GetAttrName("sign2") := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
- GetAttrName("sign3") := CSE.SIGN_ONLY,
- GetAttrName("sign4") := CSE.SIGN_ONLY,
- GetAttrName("nothing") := CSE.DO_NOTHING
- ]
+ "bar" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ "sortKey" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ "encrypt" := CSE.ENCRYPT_AND_SIGN,
+ "sign" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ "sign2" := CSE.SIGN_ONLY,
+ "sign3" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ "sign4" := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ "nothing" := CSE.DO_NOTHING
+ ]
+
+ const Actions2 : DDBE.AttributeActions := map[
+ GetAttrName("bar") := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ GetAttrName("sortKey") := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ GetAttrName("encrypt") := CSE.ENCRYPT_AND_SIGN,
+ GetAttrName("sign") := CSE.SIGN_ONLY,
+ GetAttrName("sign2") := CSE.SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT,
+ GetAttrName("sign3") := CSE.SIGN_ONLY,
+ GetAttrName("sign4") := CSE.SIGN_ONLY,
+ GetAttrName("nothing") := CSE.DO_NOTHING
+ ]
 method {:test} TestV2RoundTripComplexSwitch() {
 var config := TestFixtures.GetEncryptorConfigFromActions(Actions1, Some("sortKey"));
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy
index 089a96ab8..4c88de3b4 100644
--- a/DynamoDbEncryption/dafny/StructuredEncryption/Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy
+++ b/DynamoDbEncryption/dafny/StructuredEncryption/Model/AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes.dfy
@@ -2,346 +2,346 @@ // SPDX-License-Identifier: Apache-2.0 // Do not modify this file. This file is machine generated, and any changes to it will be overwritten. include "../../../../submodules/MaterialProviders/StandardLibrary/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" - include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy" - module {:extern "software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types" } AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import AwsCryptographyMaterialProvidersTypes - import AwsCryptographyPrimitivesTypes - // Generic helpers for verification of mock/unit tests. - datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - - // Begin Generated Types - - datatype AuthenticateAction = - | SIGN - | DO_NOT_SIGN - datatype AuthenticateSchema = | AuthenticateSchema ( - nameonly content: AuthenticateSchemaContent , - nameonly attributes: Option := Option.None - ) - type AuthenticateSchemaAttributes = map - datatype AuthenticateSchemaContent = - | Action(Action: AuthenticateAction) - | SchemaMap(SchemaMap: AuthenticateSchemaMap) - | SchemaList(SchemaList: AuthenticateSchemaList) - type AuthenticateSchemaList = seq - type AuthenticateSchemaMap = map - datatype CryptoAction = - | ENCRYPT_AND_SIGN - | SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT - | SIGN_ONLY - | DO_NOTHING - datatype CryptoSchema = | CryptoSchema ( - nameonly content: CryptoSchemaContent , - nameonly attributes: Option := Option.None - ) - type CryptoSchemaAttributes = map - datatype CryptoSchemaContent = - | Action(Action: CryptoAction) - | SchemaMap(SchemaMap: CryptoSchemaMap) - | SchemaList(SchemaList: CryptoSchemaList) - type CryptoSchemaList = seq - type CryptoSchemaMap = map - datatype 
DecryptStructureInput = | DecryptStructureInput ( - nameonly tableName: string , - nameonly encryptedStructure: StructuredData , - nameonly authenticateSchema: AuthenticateSchema , - nameonly cmm: AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager , - nameonly encryptionContext: Option := Option.None - ) - datatype DecryptStructureOutput = | DecryptStructureOutput ( - nameonly plaintextStructure: StructuredData , - nameonly parsedHeader: ParsedHeader - ) - datatype EncryptStructureInput = | EncryptStructureInput ( - nameonly tableName: string , - nameonly plaintextStructure: StructuredData , - nameonly cryptoSchema: CryptoSchema , - nameonly cmm: AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager , - nameonly algorithmSuiteId: Option := Option.None , - nameonly encryptionContext: Option := Option.None - ) - datatype EncryptStructureOutput = | EncryptStructureOutput ( - nameonly encryptedStructure: StructuredData , - nameonly parsedHeader: ParsedHeader - ) - datatype ParsedHeader = | ParsedHeader ( - nameonly cryptoSchema: CryptoSchema , - nameonly algorithmSuiteId: AwsCryptographyMaterialProvidersTypes.DBEAlgorithmSuiteId , - nameonly encryptedDataKeys: AwsCryptographyMaterialProvidersTypes.EncryptedDataKeyList , - nameonly storedEncryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext , - nameonly encryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext - ) - datatype StructuredData = | StructuredData ( - nameonly content: StructuredDataContent , - nameonly attributes: Option := Option.None - ) - type StructuredDataAttributes = map - datatype StructuredDataContent = - | Terminal(Terminal: StructuredDataTerminal) - | DataList(DataList: StructuredDataList) - | DataMap(DataMap: StructuredDataMap) - type StructuredDataList = seq - type StructuredDataMap = map - datatype StructuredDataTerminal = | StructuredDataTerminal ( - nameonly value: TerminalValue , - nameonly typeId: TerminalTypeId - ) - 
class IStructuredEncryptionClientCallHistory { - ghost constructor() { - EncryptStructure := []; - DecryptStructure := []; -} - ghost var EncryptStructure: seq>> - ghost var DecryptStructure: seq>> -} - trait {:termination false} IStructuredEncryptionClient - { - // Helper to define any additional modifies/reads clauses. - // If your operations need to mutate state, - // add it in your constructor function: - // Modifies := {your, fields, here, History}; - // If you do not need to mutate anything: -// Modifies := {History}; +include "../../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Index.dfy" +include "../../../../submodules/MaterialProviders/AwsCryptographyPrimitives/src/Index.dfy" +module {:extern "software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types" } AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import AwsCryptographyMaterialProvidersTypes + import AwsCryptographyPrimitivesTypes + // Generic helpers for verification of mock/unit tests. + datatype DafnyCallEvent = DafnyCallEvent(input: I, output: O) - ghost const Modifies: set - // For an unassigned field defined in a trait, - // Dafny can only assign a value in the constructor. - // This means that for Dafny to reason about this value, - // it needs some way to know (an invariant), - // about the state of the object. - // This builds on the Valid/Repr paradigm - // To make this kind requires safe to add - // to methods called from unverified code, - // the predicate MUST NOT take any arguments. - // This means that the correctness of this requires - // MUST only be evaluated by the class itself. - // If you require any additional mutation, - // then you MUST ensure everything you need in ValidState. - // You MUST also ensure ValidState in your constructor. 
- predicate ValidState() - ensures ValidState() ==> History in Modifies - ghost const History: IStructuredEncryptionClientCallHistory - predicate EncryptStructureEnsuresPublicly(input: EncryptStructureInput , output: Result) - // The public method to be called by library consumers - method EncryptStructure ( input: EncryptStructureInput ) - returns (output: Result) - requires - && ValidState() - && input.cmm.ValidState() - && input.cmm.Modifies !! {History} - modifies Modifies - {History} , - input.cmm.Modifies , - History`EncryptStructure - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} , - input.cmm.Modifies - ensures - && ValidState() - ensures EncryptStructureEnsuresPublicly(input, output) - ensures History.EncryptStructure == old(History.EncryptStructure) + [DafnyCallEvent(input, output)] - - predicate DecryptStructureEnsuresPublicly(input: DecryptStructureInput , output: Result) - // The public method to be called by library consumers - method DecryptStructure ( input: DecryptStructureInput ) - returns (output: Result) - requires - && ValidState() - && input.cmm.ValidState() - && input.cmm.Modifies !! {History} - modifies Modifies - {History} , - input.cmm.Modifies , - History`DecryptStructure - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} , - input.cmm.Modifies - ensures - && ValidState() - ensures DecryptStructureEnsuresPublicly(input, output) - ensures History.DecryptStructure == old(History.DecryptStructure) + [DafnyCallEvent(input, output)] - -} - datatype StructuredEncryptionConfig = | StructuredEncryptionConfig ( - - ) - type TerminalTypeId = x: seq | IsValid_TerminalTypeId(x) witness * - predicate method IsValid_TerminalTypeId(x: seq) { - ( 2 <= |x| <= 2 ) -} - type TerminalValue = seq - type Version = x: int32 | IsValid_Version(x) witness * - predicate method IsValid_Version(x: int32) { - ( 1 <= x <= 1 ) -} - datatype Error = - // Local Error structures are listed here - | StructuredEncryptionException ( - nameonly message: string - ) - // Any dependent models are listed here - | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) - | AwsCryptographyPrimitives(AwsCryptographyPrimitives: AwsCryptographyPrimitivesTypes.Error) - // The Collection error is used to collect several errors together - // This is useful when composing OR logic. - // Consider the following method: - // - // method FN(n:I) - // returns (res: Result) - // ensures A(I).Success? ==> res.Success? - // ensures B(I).Success? ==> res.Success? - // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? - // - // If either A || B is successful then FN is successful. - // And if A && B fail then FN will fail. - // But what information should FN transmit back to the caller? - // While it may be correct to hide these details from the caller, - // this can not be the globally correct option. - // Suppose that A and B can be blocked by different ACLs, - // and that their representation of I is only eventually consistent. - // How can the caller distinguish, at a minimum for logging, - // the difference between the four failure modes? 
- // || (!access(A(I)) && !access(B(I))) - // || (!exit(A(I)) && !exit(B(I))) - // || (!access(A(I)) && !exit(B(I))) - // || (!exit(A(I)) && !access(B(I))) - | CollectionOfErrors(list: seq, nameonly message: string) - // The Opaque error, used for native, extern, wrapped or unknown errors - | Opaque(obj: object) - type OpaqueError = e: Error | e.Opaque? witness * -} - abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionService - { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes - import Operations : AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionOperations - function method DefaultStructuredEncryptionConfig(): StructuredEncryptionConfig - method StructuredEncryption(config: StructuredEncryptionConfig := DefaultStructuredEncryptionConfig()) - returns (res: Result) - ensures res.Success? ==> - && fresh(res.value) - && fresh(res.value.Modifies) - && fresh(res.value.History) - && res.value.ValidState() + // Begin Generated Types - // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals - function method CreateSuccessOfClient(client: IStructuredEncryptionClient): Result { - Success(client) - } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals - function method CreateFailureOfError(error: Error): Result { - Failure(error) - } - class StructuredEncryptionClient extends IStructuredEncryptionClient - { - constructor(config: Operations.InternalConfig) - requires Operations.ValidInternalConfig?(config) - ensures - && ValidState() - && fresh(History) - && this.config == config - const config: Operations.InternalConfig - predicate ValidState() - ensures ValidState() ==> - && Operations.ValidInternalConfig?(config) - && History !in Operations.ModifiesInternalConfig(config) - && Modifies == 
Operations.ModifiesInternalConfig(config) + {History} - predicate EncryptStructureEnsuresPublicly(input: EncryptStructureInput , output: Result) - {Operations.EncryptStructureEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method EncryptStructure ( input: EncryptStructureInput ) - returns (output: Result) - requires - && ValidState() - && input.cmm.ValidState() - && input.cmm.Modifies !! {History} - modifies Modifies - {History} , - input.cmm.Modifies , - History`EncryptStructure - // Dafny will skip type parameters when generating a default decreases clause. - decreases Modifies - {History} , - input.cmm.Modifies - ensures - && ValidState() - ensures EncryptStructureEnsuresPublicly(input, output) - ensures History.EncryptStructure == old(History.EncryptStructure) + [DafnyCallEvent(input, output)] - { - output := Operations.EncryptStructure(config, input); - History.EncryptStructure := History.EncryptStructure + [DafnyCallEvent(input, output)]; -} - - predicate DecryptStructureEnsuresPublicly(input: DecryptStructureInput , output: Result) - {Operations.DecryptStructureEnsuresPublicly(input, output)} - // The public method to be called by library consumers - method DecryptStructure ( input: DecryptStructureInput ) - returns (output: Result) - requires - && ValidState() - && input.cmm.ValidState() - && input.cmm.Modifies !! {History} - modifies Modifies - {History} , - input.cmm.Modifies , - History`DecryptStructure - // Dafny will skip type parameters when generating a default decreases clause. 
- decreases Modifies - {History} , - input.cmm.Modifies - ensures - && ValidState() - ensures DecryptStructureEnsuresPublicly(input, output) - ensures History.DecryptStructure == old(History.DecryptStructure) + [DafnyCallEvent(input, output)] - { - output := Operations.DecryptStructure(config, input); - History.DecryptStructure := History.DecryptStructure + [DafnyCallEvent(input, output)]; -} - + datatype AuthenticateAction = + | SIGN + | DO_NOT_SIGN + datatype AuthenticateSchema = | AuthenticateSchema ( + nameonly content: AuthenticateSchemaContent , + nameonly attributes: Option := Option.None + ) + type AuthenticateSchemaAttributes = map + datatype AuthenticateSchemaContent = + | Action(Action: AuthenticateAction) + | SchemaMap(SchemaMap: AuthenticateSchemaMap) + | SchemaList(SchemaList: AuthenticateSchemaList) + type AuthenticateSchemaList = seq + type AuthenticateSchemaMap = map + datatype CryptoAction = + | ENCRYPT_AND_SIGN + | SIGN_AND_INCLUDE_IN_ENCRYPTION_CONTEXT + | SIGN_ONLY + | DO_NOTHING + datatype CryptoSchema = | CryptoSchema ( + nameonly content: CryptoSchemaContent , + nameonly attributes: Option := Option.None + ) + type CryptoSchemaAttributes = map + datatype CryptoSchemaContent = + | Action(Action: CryptoAction) + | SchemaMap(SchemaMap: CryptoSchemaMap) + | SchemaList(SchemaList: CryptoSchemaList) + type CryptoSchemaList = seq + type CryptoSchemaMap = map + datatype DecryptStructureInput = | DecryptStructureInput ( + nameonly tableName: string , + nameonly encryptedStructure: StructuredData , + nameonly authenticateSchema: AuthenticateSchema , + nameonly cmm: AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager , + nameonly encryptionContext: Option := Option.None + ) + datatype DecryptStructureOutput = | DecryptStructureOutput ( + nameonly plaintextStructure: StructuredData , + nameonly parsedHeader: ParsedHeader + ) + datatype EncryptStructureInput = | EncryptStructureInput ( + nameonly tableName: string , + nameonly 
plaintextStructure: StructuredData , + nameonly cryptoSchema: CryptoSchema , + nameonly cmm: AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager , + nameonly algorithmSuiteId: Option := Option.None , + nameonly encryptionContext: Option := Option.None + ) + datatype EncryptStructureOutput = | EncryptStructureOutput ( + nameonly encryptedStructure: StructuredData , + nameonly parsedHeader: ParsedHeader + ) + datatype ParsedHeader = | ParsedHeader ( + nameonly cryptoSchema: CryptoSchema , + nameonly algorithmSuiteId: AwsCryptographyMaterialProvidersTypes.DBEAlgorithmSuiteId , + nameonly encryptedDataKeys: AwsCryptographyMaterialProvidersTypes.EncryptedDataKeyList , + nameonly storedEncryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext , + nameonly encryptionContext: AwsCryptographyMaterialProvidersTypes.EncryptionContext + ) + datatype StructuredData = | StructuredData ( + nameonly content: StructuredDataContent , + nameonly attributes: Option := Option.None + ) + type StructuredDataAttributes = map + datatype StructuredDataContent = + | Terminal(Terminal: StructuredDataTerminal) + | DataList(DataList: StructuredDataList) + | DataMap(DataMap: StructuredDataMap) + type StructuredDataList = seq + type StructuredDataMap = map + datatype StructuredDataTerminal = | StructuredDataTerminal ( + nameonly value: TerminalValue , + nameonly typeId: TerminalTypeId + ) + class IStructuredEncryptionClientCallHistory { + ghost constructor() { + EncryptStructure := []; + DecryptStructure := []; + } + ghost var EncryptStructure: seq>> + ghost var DecryptStructure: seq>> + } + trait {:termination false} IStructuredEncryptionClient + { + // Helper to define any additional modifies/reads clauses. 
+ // If your operations need to mutate state, + // add it in your constructor function: + // Modifies := {your, fields, here, History}; + // If you do not need to mutate anything: + // Modifies := {History}; + + ghost const Modifies: set + // For an unassigned field defined in a trait, + // Dafny can only assign a value in the constructor. + // This means that for Dafny to reason about this value, + // it needs some way to know (an invariant), + // about the state of the object. + // This builds on the Valid/Repr paradigm + // To make this kind requires safe to add + // to methods called from unverified code, + // the predicate MUST NOT take any arguments. + // This means that the correctness of this requires + // MUST only be evaluated by the class itself. + // If you require any additional mutation, + // then you MUST ensure everything you need in ValidState. + // You MUST also ensure ValidState in your constructor. + predicate ValidState() + ensures ValidState() ==> History in Modifies + ghost const History: IStructuredEncryptionClientCallHistory + predicate EncryptStructureEnsuresPublicly(input: EncryptStructureInput , output: Result) + // The public method to be called by library consumers + method EncryptStructure ( input: EncryptStructureInput ) + returns (output: Result) + requires + && ValidState() + && input.cmm.ValidState() + && input.cmm.Modifies !! {History} + modifies Modifies - {History} , + input.cmm.Modifies , + History`EncryptStructure + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} , + input.cmm.Modifies + ensures + && ValidState() + ensures EncryptStructureEnsuresPublicly(input, output) + ensures History.EncryptStructure == old(History.EncryptStructure) + [DafnyCallEvent(input, output)] + + predicate DecryptStructureEnsuresPublicly(input: DecryptStructureInput , output: Result) + // The public method to be called by library consumers + method DecryptStructure ( input: DecryptStructureInput ) + returns (output: Result) + requires + && ValidState() + && input.cmm.ValidState() + && input.cmm.Modifies !! {History} + modifies Modifies - {History} , + input.cmm.Modifies , + History`DecryptStructure + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + input.cmm.Modifies + ensures + && ValidState() + ensures DecryptStructureEnsuresPublicly(input, output) + ensures History.DecryptStructure == old(History.DecryptStructure) + [DafnyCallEvent(input, output)] + + } + datatype StructuredEncryptionConfig = | StructuredEncryptionConfig ( + + ) + type TerminalTypeId = x: seq | IsValid_TerminalTypeId(x) witness * + predicate method IsValid_TerminalTypeId(x: seq) { + ( 2 <= |x| <= 2 ) + } + type TerminalValue = seq + type Version = x: int32 | IsValid_Version(x) witness * + predicate method IsValid_Version(x: int32) { + ( 1 <= x <= 1 ) + } + datatype Error = + // Local Error structures are listed here + | StructuredEncryptionException ( + nameonly message: string + ) + // Any dependent models are listed here + | AwsCryptographyMaterialProviders(AwsCryptographyMaterialProviders: AwsCryptographyMaterialProvidersTypes.Error) + | AwsCryptographyPrimitives(AwsCryptographyPrimitives: AwsCryptographyPrimitivesTypes.Error) + // The Collection error is used to collect several errors together + // This is useful when composing OR logic. + // Consider the following method: + // + // method FN(n:I) + // returns (res: Result) + // ensures A(I).Success? ==> res.Success? 
+ // ensures B(I).Success? ==> res.Success? + // ensures A(I).Failure? && B(I).Failure? ==> res.Failure? + // + // If either A || B is successful then FN is successful. + // And if A && B fail then FN will fail. + // But what information should FN transmit back to the caller? + // While it may be correct to hide these details from the caller, + // this can not be the globally correct option. + // Suppose that A and B can be blocked by different ACLs, + // and that their representation of I is only eventually consistent. + // How can the caller distinguish, at a minimum for logging, + // the difference between the four failure modes? + // || (!access(A(I)) && !access(B(I))) + // || (!exit(A(I)) && !exit(B(I))) + // || (!access(A(I)) && !exit(B(I))) + // || (!exit(A(I)) && !access(B(I))) + | CollectionOfErrors(list: seq, nameonly message: string) + // The Opaque error, used for native, extern, wrapped or unknown errors + | Opaque(obj: object) + type OpaqueError = e: Error | e.Opaque? witness * } +abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionService +{ + import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes + import Operations : AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionOperations + function method DefaultStructuredEncryptionConfig(): StructuredEncryptionConfig + method StructuredEncryption(config: StructuredEncryptionConfig := DefaultStructuredEncryptionConfig()) + returns (res: Result) + ensures res.Success? 
==> + && fresh(res.value) + && fresh(res.value.Modifies) + && fresh(res.value.History) + && res.value.ValidState() + + // Helper function for the benefit of native code to create a Success(client) without referring to Dafny internals + function method CreateSuccessOfClient(client: IStructuredEncryptionClient): Result { + Success(client) + } // Helper function for the benefit of native code to create a Failure(error) without referring to Dafny internals + function method CreateFailureOfError(error: Error): Result { + Failure(error) + } + class StructuredEncryptionClient extends IStructuredEncryptionClient + { + constructor(config: Operations.InternalConfig) + requires Operations.ValidInternalConfig?(config) + ensures + && ValidState() + && fresh(History) + && this.config == config + const config: Operations.InternalConfig + predicate ValidState() + ensures ValidState() ==> + && Operations.ValidInternalConfig?(config) + && History !in Operations.ModifiesInternalConfig(config) + && Modifies == Operations.ModifiesInternalConfig(config) + {History} + predicate EncryptStructureEnsuresPublicly(input: EncryptStructureInput , output: Result) + {Operations.EncryptStructureEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method EncryptStructure ( input: EncryptStructureInput ) + returns (output: Result) + requires + && ValidState() + && input.cmm.ValidState() + && input.cmm.Modifies !! {History} + modifies Modifies - {History} , + input.cmm.Modifies , + History`EncryptStructure + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases Modifies - {History} , + input.cmm.Modifies + ensures + && ValidState() + ensures EncryptStructureEnsuresPublicly(input, output) + ensures History.EncryptStructure == old(History.EncryptStructure) + [DafnyCallEvent(input, output)] + { + output := Operations.EncryptStructure(config, input); + History.EncryptStructure := History.EncryptStructure + [DafnyCallEvent(input, output)]; + } + + predicate DecryptStructureEnsuresPublicly(input: DecryptStructureInput , output: Result) + {Operations.DecryptStructureEnsuresPublicly(input, output)} + // The public method to be called by library consumers + method DecryptStructure ( input: DecryptStructureInput ) + returns (output: Result) + requires + && ValidState() + && input.cmm.ValidState() + && input.cmm.Modifies !! {History} + modifies Modifies - {History} , + input.cmm.Modifies , + History`DecryptStructure + // Dafny will skip type parameters when generating a default decreases clause. + decreases Modifies - {History} , + input.cmm.Modifies + ensures + && ValidState() + ensures DecryptStructureEnsuresPublicly(input, output) + ensures History.DecryptStructure == old(History.DecryptStructure) + [DafnyCallEvent(input, output)] + { + output := Operations.DecryptStructure(config, input); + History.DecryptStructure := History.DecryptStructure + [DafnyCallEvent(input, output)]; + } + + } } - abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionOperations { - import opened Wrappers - import opened StandardLibrary.UInt - import opened UTF8 - import opened Types = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes - type InternalConfig - predicate ValidInternalConfig?(config: InternalConfig) - function ModifiesInternalConfig(config: InternalConfig): set - predicate EncryptStructureEnsuresPublicly(input: EncryptStructureInput , output: Result) - // The private method to be refined by the library developer +abstract module AbstractAwsCryptographyDbEncryptionSdkStructuredEncryptionOperations { + 
import opened Wrappers + import opened StandardLibrary.UInt + import opened UTF8 + import opened Types = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes + type InternalConfig + predicate ValidInternalConfig?(config: InternalConfig) + function ModifiesInternalConfig(config: InternalConfig): set + predicate EncryptStructureEnsuresPublicly(input: EncryptStructureInput , output: Result) + // The private method to be refined by the library developer - method EncryptStructure ( config: InternalConfig , input: EncryptStructureInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - && input.cmm.ValidState() - modifies ModifiesInternalConfig(config) , - input.cmm.Modifies - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) , - input.cmm.Modifies - ensures - && ValidInternalConfig?(config) - ensures EncryptStructureEnsuresPublicly(input, output) + method EncryptStructure ( config: InternalConfig , input: EncryptStructureInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + && input.cmm.ValidState() + modifies ModifiesInternalConfig(config) , + input.cmm.Modifies + // Dafny will skip type parameters when generating a default decreases clause. 
+ decreases ModifiesInternalConfig(config) , + input.cmm.Modifies + ensures + && ValidInternalConfig?(config) + ensures EncryptStructureEnsuresPublicly(input, output) - predicate DecryptStructureEnsuresPublicly(input: DecryptStructureInput , output: Result) - // The private method to be refined by the library developer + predicate DecryptStructureEnsuresPublicly(input: DecryptStructureInput , output: Result) + // The private method to be refined by the library developer - method DecryptStructure ( config: InternalConfig , input: DecryptStructureInput ) - returns (output: Result) - requires - && ValidInternalConfig?(config) - && input.cmm.ValidState() - modifies ModifiesInternalConfig(config) , - input.cmm.Modifies - // Dafny will skip type parameters when generating a default decreases clause. - decreases ModifiesInternalConfig(config) , - input.cmm.Modifies - ensures - && ValidInternalConfig?(config) - ensures DecryptStructureEnsuresPublicly(input, output) + method DecryptStructure ( config: InternalConfig , input: DecryptStructureInput ) + returns (output: Result) + requires + && ValidInternalConfig?(config) + && input.cmm.ValidState() + modifies ModifiesInternalConfig(config) , + input.cmm.Modifies + // Dafny will skip type parameters when generating a default decreases clause. + decreases ModifiesInternalConfig(config) , + input.cmm.Modifies + ensures + && ValidInternalConfig?(config) + ensures DecryptStructureEnsuresPublicly(input, output) } diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy index 418396b11..a5b7f294c 100644 --- a/DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy +++ b/DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy 
@@ -29,15 +29,15 @@ module StructuredEncryptionCrypt { requires |HKDFOutput| == KeySize requires offset as nat * 3 < UINT32_LIMIT ensures ret.Success? ==> - //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce - //= type=implication - //# The `FieldKey` for a given key and offset MUST be the first 44 bytes - //# of the aes256ctr_stream - //# of the `FieldRootKey` and the `FieldKeyNonce` of three times the given offset. - && |ret.value| == KeySize+NonceSize - && |ret.value| == 44 - && AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32).Success? - && ret.value == AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32).value + //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce + //= type=implication + //# The `FieldKey` for a given key and offset MUST be the first 44 bytes + //# of the aes256ctr_stream + //# of the `FieldRootKey` and the `FieldKeyNonce` of three times the given offset. + && |ret.value| == KeySize+NonceSize + && |ret.value| == 44 + && AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32).Success? + && ret.value == AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32).value { var keyR := AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32); keyR.MapFailure(e => AwsCryptographyPrimitives(e)) 
@@ -55,18 +55,18 @@ module StructuredEncryptionCrypt { //# | 0x2c | 1 | 44, the length of the eventual FieldKey | //# | offset | 4 | 32 bit integer representation of offset | ensures ret == - UTF8.EncodeAscii("AwsDbeField") - + [(KeySize+NonceSize) as uint8] - + UInt32ToSeq(offset) - { - UTF8.EncodeAscii("AwsDbeField") - + [(KeySize+NonceSize) as uint8] // length - + UInt32ToSeq(offset) - } - + UTF8.EncodeAscii("AwsDbeField") + + [(KeySize+NonceSize) as uint8] + + UInt32ToSeq(offset) + { + UTF8.EncodeAscii("AwsDbeField") + + [(KeySize+NonceSize) as uint8] // length + + UInt32ToSeq(offset) + } + const LABEL_COMMITMENT_KEY := UTF8.EncodeAscii("AWS_DBE_COMMIT_KEY") const LABEL_ENCRYPTION_KEY := UTF8.EncodeAscii("AWS_DBE_DERIVE_KEY") - + // suitable for header field method GetCommitKey( client: Primitives.AtomicPrimitivesClient, 
@@ -77,36 +77,36 @@ module StructuredEncryptionCrypt { returns (ret : Result) requires ValidSuite(alg) ensures ret.Success? ==> - //= specification/structured-encryption/header.md#commit-key - //= type=implication - //# The calculated Commitment Key MUST have length equal to the - //# [algorithm suite's encryption key length](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-encryption-settings). - && |ret.value| == AlgorithmSuites.GetEncryptKeyLength(alg) as int - - //= specification/structured-encryption/header.md#commit-key - //= type=implication - //# The HKDF used to calculate the Commitment Key MUST be the - //# [Commit Key KDF](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-commit-key-derivation-settings) - //# indicated by the algorithm suite. - && var history := client.History.Hkdf; - && 0 < |history| - && var hkdfInput := Seq.Last(history).input; - && hkdfInput.digestAlgorithm == alg.commitment.HKDF.hmac - - //= specification/structured-encryption/header.md#commit-key - //= type=implication - //# The `info` used for the HKDF function MUST be - //# | Field | Length | - //# | -------------------- | -------- | - //# | "AWS_DBE_COMMIT_KEY" | 18 | - //# | Message ID | 32 | - && hkdfInput.info == LABEL_COMMITMENT_KEY + msgID - - //= specification/structured-encryption/header.md#commit-key - //= type=implication - //# The HKDF calculation MUST use a supplied key, no salt, and an `info` as described above. - && hkdfInput.ikm == key - && hkdfInput.salt == None + //= specification/structured-encryption/header.md#commit-key + //= type=implication + //# The calculated Commitment Key MUST have length equal to the + //# [algorithm suite's encryption key length](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-encryption-settings). 
+ && |ret.value| == AlgorithmSuites.GetEncryptKeyLength(alg) as int + + //= specification/structured-encryption/header.md#commit-key + //= type=implication + //# The HKDF used to calculate the Commitment Key MUST be the + //# [Commit Key KDF](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-commit-key-derivation-settings) + //# indicated by the algorithm suite. + && var history := client.History.Hkdf; + && 0 < |history| + && var hkdfInput := Seq.Last(history).input; + && hkdfInput.digestAlgorithm == alg.commitment.HKDF.hmac + + //= specification/structured-encryption/header.md#commit-key + //= type=implication + //# The `info` used for the HKDF function MUST be + //# | Field | Length | + //# | -------------------- | -------- | + //# | "AWS_DBE_COMMIT_KEY" | 18 | + //# | Message ID | 32 | + && hkdfInput.info == LABEL_COMMITMENT_KEY + msgID + + //= specification/structured-encryption/header.md#commit-key + //= type=implication + //# The HKDF calculation MUST use a supplied key, no salt, and an `info` as described above. + && hkdfInput.ikm == key + && hkdfInput.salt == None modifies client.Modifies requires client.ValidState() 
@@ -181,32 +181,32 @@ module StructuredEncryptionCrypt { requires ValidSuite(alg) ensures ret.Success? ==> - //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce - //= type=implication - //# The HKDF algorithm used to calculate the Field Root Key MUST be the - //# [Encryption Key KDF](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-encryption-key-derivation-settings) - //# indicated by the algorithm suite, using a provided plaintext data key, no salt, - //# and an info as calculated [above](#calculate-info) - - //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce - //= type=implication - //# The `FieldRootKey` MUST be generated with the plaintext data key in the encryption materials - //# and the Message ID generated for this Encrypted Structured Data. - - //= specification/structured-encryption/encrypt-structure.md#calculate-info - //= type=implication - //# The `info` used for the HKDF function MUST be - //# | Field | Length | - //# | -------------------- | -------- | - //# | "AWS_DBE_DERIVE_KEY" | 18 | - //# | Message ID | 32 | - && var history := client.History.Hkdf; - && 0 < |history| - && var hkdfInput := Seq.Last(history).input; - && hkdfInput.digestAlgorithm == alg.kdf.HKDF.hmac - && hkdfInput.info == LABEL_ENCRYPTION_KEY + head.msgID - && hkdfInput.salt == None - && hkdfInput.ikm == key + //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce + //= type=implication + //# The HKDF algorithm used to calculate the Field Root Key MUST be the + //# [Encryption Key KDF](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-encryption-key-derivation-settings) + //# indicated by the algorithm suite, using a provided plaintext data key, no salt, + //# and an info as calculated [above](#calculate-info) + + //= 
specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce + //= type=implication + //# The `FieldRootKey` MUST be generated with the plaintext data key in the encryption materials + //# and the Message ID generated for this Encrypted Structured Data. + + //= specification/structured-encryption/encrypt-structure.md#calculate-info + //= type=implication + //# The `info` used for the HKDF function MUST be + //# | Field | Length | + //# | -------------------- | -------- | + //# | "AWS_DBE_DERIVE_KEY" | 18 | + //# | Message ID | 32 | + && var history := client.History.Hkdf; + && 0 < |history| + && var hkdfInput := Seq.Last(history).input; + && hkdfInput.digestAlgorithm == alg.kdf.HKDF.hmac + && hkdfInput.info == LABEL_ENCRYPTION_KEY + head.msgID + && hkdfInput.salt == None + && hkdfInput.ikm == key modifies client.Modifies requires client.ValidState() 
@@ -284,44 +284,44 @@ module StructuredEncryptionCrypt { requires offset as nat * 3 < UINT32_LIMIT ensures ret.Success? ==> - //= specification/structured-encryption/encrypt-structure.md#terminal-data-encryption - //= type=implication - //# The output encrypted Terminal Data MUST have a [Terminal Type Id](./structures.md#terminal-type-id) - //# equal `0xFFFF`. - && ret.value.content.Terminal? - && ret.value.content.Terminal.typeId == BYTES_TYPE_ID - - //= specification/structured-encryption/encrypt-structure.md#terminal-data-encryption - //= type=implication - //# The output encrypted Terminal Data MUST have a [Terminal Value](./structures.md#terminal-value) - //# with the following serialization: - // | Field | Length | - // | -------------------------- | -------- | - // | Terminal Type Id | 2 | - // | Encrypted Terminal Value | Variable | - - //= specification/structured-encryption/encrypt-structure.md#terminal-type-id - //= type=implication - //# Terminal Type Id MUST equal the input Terminal Data's Terminal Type Id. - && |ret.value.content.Terminal.value| >= 2 - && ret.value.content.Terminal.value[..2] == data.typeId - && var history := client.History.AESEncrypt; - && 0 < |history| - && var encryptInput := Seq.Last(history).input; - && encryptInput.encAlg == alg.encrypt.AES_GCM - && FieldKey(fieldRootKey, offset).Success? - && var fieldKey := FieldKey(fieldRootKey, offset).value; - //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce - //= type=implication - //# The `Cipherkey` MUST be the first 32 bytes of the `FieldKey` - && KeySize == 32 - && encryptInput.key == fieldKey[0..KeySize] - //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce - //= type=implication - //# The `Nonce` MUST be the remaining 12 bytes of the `FieldKey` - && NonceSize == 12 - && |fieldKey| - KeySize == 12 - && encryptInput.iv == fieldKey[KeySize..] 
+ //= specification/structured-encryption/encrypt-structure.md#terminal-data-encryption + //= type=implication + //# The output encrypted Terminal Data MUST have a [Terminal Type Id](./structures.md#terminal-type-id) + //# equal `0xFFFF`. + && ret.value.content.Terminal? + && ret.value.content.Terminal.typeId == BYTES_TYPE_ID + + //= specification/structured-encryption/encrypt-structure.md#terminal-data-encryption + //= type=implication + //# The output encrypted Terminal Data MUST have a [Terminal Value](./structures.md#terminal-value) + //# with the following serialization: + // | Field | Length | + // | -------------------------- | -------- | + // | Terminal Type Id | 2 | + // | Encrypted Terminal Value | Variable | + + //= specification/structured-encryption/encrypt-structure.md#terminal-type-id + //= type=implication + //# Terminal Type Id MUST equal the input Terminal Data's Terminal Type Id. + && |ret.value.content.Terminal.value| >= 2 + && ret.value.content.Terminal.value[..2] == data.typeId + && var history := client.History.AESEncrypt; + && 0 < |history| + && var encryptInput := Seq.Last(history).input; + && encryptInput.encAlg == alg.encrypt.AES_GCM + && FieldKey(fieldRootKey, offset).Success? + && var fieldKey := FieldKey(fieldRootKey, offset).value; + //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce + //= type=implication + //# The `Cipherkey` MUST be the first 32 bytes of the `FieldKey` + && KeySize == 32 + && encryptInput.key == fieldKey[0..KeySize] + //= specification/structured-encryption/encrypt-structure.md#calculate-cipherkey-and-nonce + //= type=implication + //# The `Nonce` MUST be the remaining 12 bytes of the `FieldKey` + && NonceSize == 12 + && |fieldKey| - KeySize == 12 + && encryptInput.iv == fieldKey[KeySize..] modifies client.Modifies - {client.History} , client.History`AESEncrypt, client.History`AESDecrypt requires client.ValidState() 
@@ -371,13 +371,13 @@ module StructuredEncryptionCrypt { returns (ret : Result) requires offset as nat * 3 < UINT32_LIMIT ensures ret.Success? ==> - && ret.value.content.Terminal? - && |data.value| >= (AuthTagSize+2) - //= specification/structured-encryption/decrypt-structure.md#terminal-data-decryption - //= type=implication - //# The output Terminal Data MUST have a [Terminal Type Id](./structures.md#terminal-type-id) - //# equal to the deserialized Terminal Type Id. - && ret.value.content.Terminal.typeId == data.value[0..TYPEID_LEN] + && ret.value.content.Terminal? + && |data.value| >= (AuthTagSize+2) + //= specification/structured-encryption/decrypt-structure.md#terminal-data-decryption + //= type=implication + //# The output Terminal Data MUST have a [Terminal Type Id](./structures.md#terminal-type-id) + //# equal to the deserialized Terminal Type Id. + && ret.value.content.Terminal.typeId == data.value[0..TYPEID_LEN] modifies client.Modifies - {client.History} , client.History`AESEncrypt, client.History`AESDecrypt requires client.ValidState() diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy index e322d16e9..c670907ad 100644 --- a/DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy +++ b/DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy @@ -52,7 +52,7 @@ module StructuredEncryptionFooter { sig : Option ) { function method serialize() - : Bytes + : Bytes { SerializeTags(tags) + SerializeSig(sig) } @@ -94,7 +94,7 @@ module StructuredEncryptionFooter { //# The number of [HMACs in the footer](./footer.md#hmacs) //# MUST be the number of [Encrypted Data Keys in the header](./header.md#encrypted-data-keys). ensures ret.Success? ==> - |edks| == |tags| + |edks| == |tags| modifies client.Modifies requires client.ValidState() 
@@ -163,26 +163,26 @@ module StructuredEncryptionFooter { function method GetCanonicalEncryptedField(fieldName : CanonicalPath, value : StructuredDataTerminal) : (ret : Result) ensures ret.Success? ==> - //= specification/structured-encryption/footer.md#canonical-encrypted-field - //= type=implication - //# The canonical form of an encrypted field MUST be - //# | Field | Length (bytes) | Interpreted as | - //# | ----- | -------------- | -------------- | - //# | The [canonical path](./header.md#canonical-path) of the field name | Variable | Bytes | - //# | encrypted data length - 2 | 8 | 64-bit integer | - //# | "ENCRYPTED" | 9 | Literal Ascii text | - //# | TypeID | 2 | the type ID of the unencrypted Terminal | - //# | value | Variable | the encrypted Terminal value | - && 2 <= |value.value| < UINT64_LIMIT - && ret.value == - fieldName - + UInt64ToSeq((|value.value| - 2) as uint64) - + UTF8.EncodeAscii("ENCRYPTED") - + value.value // this is 2 bytes of unencrypted type, followed by encrypted value + //= specification/structured-encryption/footer.md#canonical-encrypted-field + //= type=implication + //# The canonical form of an encrypted field MUST be + //# | Field | Length (bytes) | Interpreted as | + //# | ----- | -------------- | -------------- | + //# | The [canonical path](./header.md#canonical-path) of the field name | Variable | Bytes | + //# | encrypted data length - 2 | 8 | 64-bit integer | + //# | "ENCRYPTED" | 9 | Literal Ascii text | + //# | TypeID | 2 | the type ID of the unencrypted Terminal | + //# | value | Variable | the encrypted Terminal value | + && 2 <= |value.value| < UINT64_LIMIT + && ret.value == + fieldName + + UInt64ToSeq((|value.value| - 2) as uint64) + + UTF8.EncodeAscii("ENCRYPTED") + + value.value // this is 2 bytes of unencrypted type, followed by encrypted value { :- Need(2 <= |value.value| < UINT64_LIMIT, E("Bad length.")); Success( - fieldName + fieldName + UInt64ToSeq((|value.value| - 2) as uint64) + UTF8.EncodeAscii("ENCRYPTED") + 
value.value @@ -192,27 +192,27 @@ module StructuredEncryptionFooter { function method GetCanonicalPlaintextField(fieldName : CanonicalPath, value : StructuredDataTerminal) : (ret : Result) ensures ret.Success? ==> - //= specification/structured-encryption/footer.md#canonical-plaintext-field - //= type=implication - //# The canonical form of a plaintext field MUST be - //# | Field | Length (bytes) | Interpreted as | - //# | ----- | -------------- | -------------- | - //# | The [canonical path](./header.md#canonical-path) of the field name | Variable | Bytes | - //# | data length | 8 | 64-bit integer | - //# | "PLAINTEXT" | 9 | Literal Ascii text | - //# | TypeID | 2 | the type ID of the Terminal | - //# | value | Variable | the Terminal value | - && |value.value| < UINT64_LIMIT - && ret.value == - fieldName - + UInt64ToSeq((|value.value|) as uint64) - + UTF8.EncodeAscii("PLAINTEXT") - + value.typeId - + value.value + //= specification/structured-encryption/footer.md#canonical-plaintext-field + //= type=implication + //# The canonical form of a plaintext field MUST be + //# | Field | Length (bytes) | Interpreted as | + //# | ----- | -------------- | -------------- | + //# | The [canonical path](./header.md#canonical-path) of the field name | Variable | Bytes | + //# | data length | 8 | 64-bit integer | + //# | "PLAINTEXT" | 9 | Literal Ascii text | + //# | TypeID | 2 | the type ID of the Terminal | + //# | value | Variable | the Terminal value | + && |value.value| < UINT64_LIMIT + && ret.value == + fieldName + + UInt64ToSeq((|value.value|) as uint64) + + UTF8.EncodeAscii("PLAINTEXT") + + value.typeId + + value.value { :- Need(|value.value| < UINT64_LIMIT, E("Bad length.")); Success( - fieldName + fieldName + UInt64ToSeq((|value.value|) as uint64) + UTF8.EncodeAscii("PLAINTEXT") + value.typeId 
@@ -265,25 +265,25 @@ module StructuredEncryptionFooter { requires forall k <- allData :: allData[k].content.Terminal? ensures ret.Success? ==> - //= specification/structured-encryption/footer.md#canonical-record - //= type=implication - //# The canonical form of a record MUST be - //# | Field | Length (bytes) | Interpreted as | - //# | ----- | -------------- | -------------- | - //# | header | Variable | The full serialized header with commitment | - //# | AAD Length | 8 | 64-bit integer, the length of the following AAD data | - //# | AAD | Variable | The serialization of the Encryption Context from the Encryption Materials | - //# | Field Data | Variable | For each [signed field](#signed-fields), ordered lexicographically by [canonical path](./header.md#canonical-path), the [canonical field](#canonical-field). - && CanonContent(signedFields, encFields, encData, allData).Success? - && var canon := CanonContent(signedFields, encFields, encData, allData).value; - && var AAD := Header.SerializeContext(enc); - && |AAD| < UINT64_LIMIT - && var len := UInt64ToSeq(|AAD| as uint64); - && ret.value == - header - + len - + AAD - + canon + //= specification/structured-encryption/footer.md#canonical-record + //= type=implication + //# The canonical form of a record MUST be + //# | Field | Length (bytes) | Interpreted as | + //# | ----- | -------------- | -------------- | + //# | header | Variable | The full serialized header with commitment | + //# | AAD Length | 8 | 64-bit integer, the length of the following AAD data | + //# | AAD | Variable | The serialization of the Encryption Context from the Encryption Materials | + //# | Field Data | Variable | For each [signed field](#signed-fields), ordered lexicographically by [canonical path](./header.md#canonical-path), the [canonical field](#canonical-field). + && CanonContent(signedFields, encFields, encData, allData).Success? 
+ && var canon := CanonContent(signedFields, encFields, encData, allData).value; + && var AAD := Header.SerializeContext(enc); + && |AAD| < UINT64_LIMIT + && var len := UInt64ToSeq(|AAD| as uint64); + && ret.value == + header + + len + + AAD + + canon { var canon :- CanonContent(signedFields, encFields, encData, allData); var AAD := Header.SerializeContext(enc); @@ -305,7 +305,7 @@ module StructuredEncryptionFooter { requires forall k <- encData :: encData[k].content.Terminal? requires forall k <- allData :: allData[k].content.Terminal? ensures ret.Success? ==> - |ret.value| == 48 + |ret.value| == 48 //= specification/structured-encryption/footer.md#hash-calculation //= type=implication //# The canonical hash of a record MUST be the SHA384 of the canonical form of the record. 
@@ -334,16 +334,16 @@ module StructuredEncryptionFooter { requires forall k <- allData :: allData[k].content.Terminal? ensures (ret.Success? && mat.algorithmSuite.signature.ECDSA?) ==> - //= specification/structured-encryption/footer.md#signature - //= type=implication - //# The `signature`, if it exists, MUST be calculated using the - //# [asymmetric signature algorithm](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-signature-settings) - //# indicated by the algorithm suite. - && var history := client.History.ECDSASign; - && 0 < |history| - && var signInput := Seq.Last(history).input; - && signInput.signatureAlgorithm == mat.algorithmSuite.signature.ECDSA.curve - // Can't do signInput.message == cHash, because SHA is a method, not a function + //= specification/structured-encryption/footer.md#signature + //= type=implication + //# The `signature`, if it exists, MUST be calculated using the + //# [asymmetric signature algorithm](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/algorithm-suites.md#algorithm-suites-signature-settings) + //# indicated by the algorithm suite. + && var history := client.History.ECDSASign; + && 0 < |history| + && var signInput := Seq.Last(history).input; + && signInput.signatureAlgorithm == mat.algorithmSuite.signature.ECDSA.curve + // Can't do signInput.message == cHash, because SHA is a method, not a function modifies client.Modifies requires client.ValidState() 
@@ -387,10 +387,10 @@ module StructuredEncryptionFooter { //# The `signature`, if it exists, MUST be calculated over the [Canonical Hash](#canonical-hash), //# using the asymmetric signing key in the encryption materials. var verInput := Prim.ECDSASignInput( - signatureAlgorithm := mat.algorithmSuite.signature.ECDSA.curve, - signingKey := mat.signingKey.value, - message := canonicalHash - ); + signatureAlgorithm := mat.algorithmSuite.signature.ECDSA.curve, + signingKey := mat.signingKey.value, + message := canonicalHash + ); var sigR := client.ECDSASign(verInput); var sig :- sigR.MapFailure(e => AwsCryptographyPrimitives(e)); //assert |sig| == SignatureSize; @@ -430,7 +430,7 @@ module StructuredEncryptionFooter { } function method DeserializeFooter(data : Bytes, hasSig : bool) - : Result + : Result { if hasSig then :- Need((|data| - SignatureSize) % RecipientTagSize == 0, E("Mangled signed footer has strange size")); diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/src/Paths.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/src/Paths.dfy index 28bec2a20..0ce1a63c9 100644 --- a/DynamoDbEncryption/dafny/StructuredEncryption/src/Paths.dfy +++ b/DynamoDbEncryption/dafny/StructuredEncryption/src/Paths.dfy 
@@ -36,18 +36,18 @@ module StructuredEncryptionPaths { function method canonicalPath(table : GoodString) : (ret : CanonicalPath) ensures ret == - //= specification/structured-encryption/header.md#canonical-path - //= type=implication - //# The canonical path MUST start with the UTF8 encoded table name. - UTF8.Encode(table).value - //= specification/structured-encryption/header.md#canonical-path - //= type=implication - //# This MUST be followed by the depth of the Terminal within Structured Data. - + UInt64ToSeq(|parts| as uint64) - //= specification/structured-encryption/header.md#canonical-path - //= type=implication - //# This MUST be followed by the encoding for each Structured Data in the path, including the Terminal itself. - + MakeCanonicalPath(parts) + //= specification/structured-encryption/header.md#canonical-path + //= type=implication + //# The canonical path MUST start with the UTF8 encoded table name. + UTF8.Encode(table).value + //= specification/structured-encryption/header.md#canonical-path + //= type=implication + //# This MUST be followed by the depth of the Terminal within Structured Data. + + UInt64ToSeq(|parts| as uint64) + //= specification/structured-encryption/header.md#canonical-path + //= type=implication + //# This MUST be followed by the encoding for each Structured Data in the path, including the Terminal itself. + + MakeCanonicalPath(parts) { var tableName := UTF8.Encode(table).value; var depth := UInt64ToSeq(|parts| as uint64); @@ -76,7 +76,7 @@ module StructuredEncryptionPaths { { TerminalLocation([Map(attr)]) } - + function method {:opaque} SimpleCanon(table : GoodString, attr : GoodString) : CanonicalPath { @@ -107,7 +107,7 @@ module StructuredEncryptionPaths { // get the Canonical Path for these Selectors function method {:tailrecursion} MakeCanonicalPath(src : SelectorList) - : CanonicalPath + : CanonicalPath { if |src| == 0 then [] 
@@ -115,9 +115,9 @@ module StructuredEncryptionPaths { CanonicalPart(src[0]) + MakeCanonicalPath(src[1..]) } -// End code, begin lemmas. -// The only useful one is SimpleCanonUnique -// The others are here to prove that + // End code, begin lemmas. + // The only useful one is SimpleCanonUnique + // The others are here to prove that lemma CanonicalPartMapUnique(x : Selector, y : Selector) requires x.Map? diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/Crypt.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/Crypt.dfy index 21757dcbc..b7b1895ef 100644 --- a/DynamoDbEncryption/dafny/StructuredEncryption/test/Crypt.dfy +++ b/DynamoDbEncryption/dafny/StructuredEncryption/test/Crypt.dfy 
@@ -18,204 +18,204 @@ module TestStructuredEncryptionCrypt { ) const FieldKeyTestVector : seq := [ FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 0, - output := "4d17ac4f80763c4f5c1523ca2322b89918d5ad8b728aea9e052b177e41570f7be7ff404ace5e9b22aa1e8968" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 0, + output := "4d17ac4f80763c4f5c1523ca2322b89918d5ad8b728aea9e052b177e41570f7be7ff404ace5e9b22aa1e8968" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 1, - output := "18fcefe222b4d2a414c908f35c2e09153068198ad2b33fd0921596e5b02e7c1a48b2c6e720dc75167db54f46" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 1, + output := "18fcefe222b4d2a414c908f35c2e09153068198ad2b33fd0921596e5b02e7c1a48b2c6e720dc75167db54f46" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 2, - output := "ec387607afb264f56ba44abd037c469fdfff9d5861a976a4261083e6dfa48d883b6c85c440003ed094a1eee7" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 2, + output := "ec387607afb264f56ba44abd037c469fdfff9d5861a976a4261083e6dfa48d883b6c85c440003ed094a1eee7" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 3, - output := "7124e0a5e057d168d17c76be6d61efff694048b301786d7952f463b509d2a542fe5cdf045f096f99ec3dca5b" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 3, + output := "7124e0a5e057d168d17c76be6d61efff694048b301786d7952f463b509d2a542fe5cdf045f096f99ec3dca5b" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 4, - output := "56e053ebe6f7a937b9fec2847e82b3a9c5daa20d49d9e6eb7951595e68a0bb826277d52685464da6cf8271d8" + input := 
"0000000000000000000000000000000000000000000000000000000000000000", + offset := 4, + output := "56e053ebe6f7a937b9fec2847e82b3a9c5daa20d49d9e6eb7951595e68a0bb826277d52685464da6cf8271d8" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 5, - output := "8aacffc78d68c3350f510883394edfb1caaf21ddf363485dc4f6bcb4aef7a4dfaf8a0a0b9f647accc39db0f6" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 5, + output := "8aacffc78d68c3350f510883394edfb1caaf21ddf363485dc4f6bcb4aef7a4dfaf8a0a0b9f647accc39db0f6" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 6, - output := "7fb8a9f5b5e8c838523944fe7da143ef0dab663df66ef22c0cec7653b541115dfda3a55fae43c4a27459909d" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 6, + output := "7fb8a9f5b5e8c838523944fe7da143ef0dab663df66ef22c0cec7653b541115dfda3a55fae43c4a27459909d" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000000", - offset := 7, - output := "edfa5a6c99e14d131753163c2b890b135b8a6d4e310884d7d365a0670ef46686ef44b77c1c5a945797f17dd5" + input := "0000000000000000000000000000000000000000000000000000000000000000", + offset := 7, + output := "edfa5a6c99e14d131753163c2b890b135b8a6d4e310884d7d365a0670ef46686ef44b77c1c5a945797f17dd5" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 0, - output := "c6a8b4e10a23bac8e13ae2d4edc0311509a5ce01b4d2357f8b1e667eeef77066cb9a2c4481d66ad1ede3d50f" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 0, + output := "c6a8b4e10a23bac8e13ae2d4edc0311509a5ce01b4d2357f8b1e667eeef77066cb9a2c4481d66ad1ede3d50f" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 1, - output := 
"d54d4fe8e8295a523644dd49698f637a30f0c1e868c47a2a38e0e756ca0fcdee8e5aa355796debbb8fcb898b" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 1, + output := "d54d4fe8e8295a523644dd49698f637a30f0c1e868c47a2a38e0e756ca0fcdee8e5aa355796debbb8fcb898b" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 2, - output := "254489ab5be234d848f4fb21cba3ea27962c50363c9924054fffe34bd4f87d641fdb793224ccbf3e6ca9fa60" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 2, + output := "254489ab5be234d848f4fb21cba3ea27962c50363c9924054fffe34bd4f87d641fdb793224ccbf3e6ca9fa60" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 3, - output := "b600f98e1c868209de7d563362ab8131bc8d0a5b58bf2590a8309889a94ee505515a02692824f7e32a31142f" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 3, + output := "b600f98e1c868209de7d563362ab8131bc8d0a5b58bf2590a8309889a94ee505515a02692824f7e32a31142f" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 4, - output := "0af797f151dca40bd6db2cf69d5f3fdb98f34a3efe5f4af778cb3f8b942b507bd6eca848dd8e4b62e9d2db42" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 4, + output := "0af797f151dca40bd6db2cf69d5f3fdb98f34a3efe5f4af778cb3f8b942b507bd6eca848dd8e4b62e9d2db42" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 5, - output := "9207c0c3dacd1b015d92689b78ba0bd49a1547f670d20097cc94cd35e569af02597a187f2ff7402f92149a19" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 5, + output := "9207c0c3dacd1b015d92689b78ba0bd49a1547f670d20097cc94cd35e569af02597a187f2ff7402f92149a19" ), FieldKeyTestItem( - input := 
"0000000000000000000000000000000000000000000000000000000000000001", - offset := 6, - output := "ca14fb5a292ec5f76669a04811532d3ed0d09421bdce95d629b0d3259b35888cf17e28e1ed4c1c136b4e5866" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 6, + output := "ca14fb5a292ec5f76669a04811532d3ed0d09421bdce95d629b0d3259b35888cf17e28e1ed4c1c136b4e5866" ), FieldKeyTestItem( - input := "0000000000000000000000000000000000000000000000000000000000000001", - offset := 7, - output := "da1188242ab66975027f11e49ecca9e7e23aaf1215855c263460a24f7d000cab89600be8ad6781d226190bed" + input := "0000000000000000000000000000000000000000000000000000000000000001", + offset := 7, + output := "da1188242ab66975027f11e49ecca9e7e23aaf1215855c263460a24f7d000cab89600be8ad6781d226190bed" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 0, - output := "0c7e451b952b793d95c66bef5df16a7e42cd70bca33d5f9e01651751b4dbff0e4f9524335caef55a68d55f2a" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 0, + output := "0c7e451b952b793d95c66bef5df16a7e42cd70bca33d5f9e01651751b4dbff0e4f9524335caef55a68d55f2a" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 1, - output := "de3cdd84c99d3f6c011469433b2c24994e1836f2c923ee1fab47c3bedca95c1dd0fc547887cf9948efe1ffb6" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 1, + output := "de3cdd84c99d3f6c011469433b2c24994e1836f2c923ee1fab47c3bedca95c1dd0fc547887cf9948efe1ffb6" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 2, - output := "a088b21f062333d7a588da26ae30e11239949abd30b8a971621f2d664e5f2406212a4d51a04e63d314de54c3" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 2, + output := 
"a088b21f062333d7a588da26ae30e11239949abd30b8a971621f2d664e5f2406212a4d51a04e63d314de54c3" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 3, - output := "dc3448317b6d74b6dd662a9270fe808ab1dd7faf0f009e6e5e9f3aaac969d947d81e5bbc933819b8d6f2d76e" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 3, + output := "dc3448317b6d74b6dd662a9270fe808ab1dd7faf0f009e6e5e9f3aaac969d947d81e5bbc933819b8d6f2d76e" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 4, - output := "87c5acfda18b650896588cd1f67e8f69cab31aed59df54b49c0748f4646e4789153bccb33b96ed760e9dfd44" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 4, + output := "87c5acfda18b650896588cd1f67e8f69cab31aed59df54b49c0748f4646e4789153bccb33b96ed760e9dfd44" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 5, - output := "392d11b7e0884a5e42ef50f408cd79cbb0b96f792d67025527fd0ff0cfacad33c4dcead6021b34e4d0d1a3a2" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 5, + output := "392d11b7e0884a5e42ef50f408cd79cbb0b96f792d67025527fd0ff0cfacad33c4dcead6021b34e4d0d1a3a2" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 6, - output := "6092ee61588d3b1013b82c05ea7a894cdb9649d2fa8695f731c946aa75c47c4db0996bff661f8a796533c348" + input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 6, + output := "6092ee61588d3b1013b82c05ea7a894cdb9649d2fa8695f731c946aa75c47c4db0996bff661f8a796533c348" ), FieldKeyTestItem( - input := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - offset := 7, - output := "d0270cfa0da88692a057c39b39644970786367da64008206e51a799af19f65db5b1531d01c52216431c451e5" + input := 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + offset := 7, + output := "d0270cfa0da88692a057c39b39644970786367da64008206e51a799af19f65db5b1531d01c52216431c451e5" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 0, - output := "772cb513bc2bebfed36dfa3c22dec2c5cb09466dd1b5275cd1f2713339b32e9c7993c521808a0bd6faa4cb4f" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 0, + output := "772cb513bc2bebfed36dfa3c22dec2c5cb09466dd1b5275cd1f2713339b32e9c7993c521808a0bd6faa4cb4f" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 1, - output := "e93a3a5dd1633af15027c2ec078fc536ddf295110dfa5053592842a8c1f1010ad15c2462d0371ff27d98e99b" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 1, + output := "e93a3a5dd1633af15027c2ec078fc536ddf295110dfa5053592842a8c1f1010ad15c2462d0371ff27d98e99b" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 2, - output := "66f92041859c2000b8ff492629ae1ef875666c360fcfadeefe11e9f9f257887c4d1289c43ac1a442ec14a426" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 2, + output := "66f92041859c2000b8ff492629ae1ef875666c360fcfadeefe11e9f9f257887c4d1289c43ac1a442ec14a426" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 3, - output := "02dd4a565fcc6d308ce3f9a2818c8426c3476b2fb6ea66f1c4688c313b061177a6c69a2663122e4c5f3895dd" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 3, + output := "02dd4a565fcc6d308ce3f9a2818c8426c3476b2fb6ea66f1c4688c313b061177a6c69a2663122e4c5f3895dd" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 4, - output := 
"010a7cd17c89ac7668ba45332bdd956e388113f1ee9d01f387c5574ffdd86ade24b0430300d4009b0802335f" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 4, + output := "010a7cd17c89ac7668ba45332bdd956e388113f1ee9d01f387c5574ffdd86ade24b0430300d4009b0802335f" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 5, - output := "aecfa53a5f05f6b3b5185584573d527790c8d3504d5a0deb2af3d58c35164d58f232704851f7c9f357dcfb5b" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 5, + output := "aecfa53a5f05f6b3b5185584573d527790c8d3504d5a0deb2af3d58c35164d58f232704851f7c9f357dcfb5b" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 6, - output := "3482b90bb7ddbed3d2b1f270ea648043539d7d6797861ec12c3d0797a07d31ecf3b160aab844008934823436" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 6, + output := "3482b90bb7ddbed3d2b1f270ea648043539d7d6797861ec12c3d0797a07d31ecf3b160aab844008934823436" ), FieldKeyTestItem( - input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", - offset := 7, - output := "5c82960fb8370644b7fb7fd41f090e0098f52130379381ed4c21379fa65884e6e1367326c067856388b57589" + input := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", + offset := 7, + output := "5c82960fb8370644b7fb7fd41f090e0098f52130379381ed4c21379fa65884e6e1367326c067856388b57589" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 0, - output := "d7d8c2e84dd5f56663b98501bf702a04f32451e62a1c30177d89bbf51beadd1090718c72ba120f7f20cf1e97" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 0, + output := "d7d8c2e84dd5f56663b98501bf702a04f32451e62a1c30177d89bbf51beadd1090718c72ba120f7f20cf1e97" ), FieldKeyTestItem( - input := 
"59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 1, - output := "fadae5fa4f62e4cbec50d3b4572166fbccc114cb800ed066a4632e966fa18f1189a1fb7cd20ad1c93f29531d" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 1, + output := "fadae5fa4f62e4cbec50d3b4572166fbccc114cb800ed066a4632e966fa18f1189a1fb7cd20ad1c93f29531d" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 2, - output := "14db82fab8f6f8e49a8061cf1689172b5bd37508560a8e9d42c21c507657a64a47545b155304c73198847429" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 2, + output := "14db82fab8f6f8e49a8061cf1689172b5bd37508560a8e9d42c21c507657a64a47545b155304c73198847429" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 3, - output := "4d83002cf87da3f9670999c707ee4ed8483c297390eb5abb989ea8cb514f4bf27e43bf1f92e6b76c3045080e" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 3, + output := "4d83002cf87da3f9670999c707ee4ed8483c297390eb5abb989ea8cb514f4bf27e43bf1f92e6b76c3045080e" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 4, - output := "06fbc86f1e9716f218823710ef51b4558476a1cff4e5d706baac5ad14de544eb7e94197677f99cb46e12d63c" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 4, + output := "06fbc86f1e9716f218823710ef51b4558476a1cff4e5d706baac5ad14de544eb7e94197677f99cb46e12d63c" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 5, - output := "12ede6750d1f02e0aca4b159f4b7aac9fca85355ac7f21e39f44b37e4157dea6f76b9fd44aa7fe540256522b" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 5, + output := 
"12ede6750d1f02e0aca4b159f4b7aac9fca85355ac7f21e39f44b37e4157dea6f76b9fd44aa7fe540256522b" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 6, - output := "7bfd555c3be12c57402b5db97cbfd897aefec952c3ba878642e5b22005cf1074ce854d210ac3c48c5fd0fbe2" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 6, + output := "7bfd555c3be12c57402b5db97cbfd897aefec952c3ba878642e5b22005cf1074ce854d210ac3c48c5fd0fbe2" ), FieldKeyTestItem( - input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", - offset := 7, - output := "20847d5de204cb578f3012940fa9876ddb3386ae9719cf9adcbdd611385011b2e7d5375fb6d3fd5ea77ba461" + input := "59d9a5166a507f3cf0dfd60809a8b387b409d0b0c935abbfe08833fa9ffc1ecc", + offset := 7, + output := "20847d5de204cb578f3012940fa9876ddb3386ae9719cf9adcbdd611385011b2e7d5375fb6d3fd5ea77ba461" ) ] diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/Header.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/Header.dfy index 56dec900f..cbec73441 100644 --- a/DynamoDbEncryption/dafny/StructuredEncryption/test/Header.dfy +++ b/DynamoDbEncryption/dafny/StructuredEncryption/test/Header.dfy @@ -27,9 +27,9 @@ module TestHeader { legend := [0x65, 0x73], encContext := map[EncodeAscii("abc") := EncodeAscii("def")], dataKeys := [CMP.EncryptedDataKey( - keyProviderId := EncodeAscii("provID") , - keyProviderInfo := [1,2,3,4,5], - ciphertext := [6,7,8,9])] + keyProviderId := EncodeAscii("provID") , + keyProviderInfo := [1,2,3,4,5], + ciphertext := [6,7,8,9])] ); var ser := head.serialize() + head.msgID; // msgID as fake commitment var orig :- expect PartialDeserialize(ser); 
@@ -45,9 +45,9 @@ module TestHeader {
 legend := [0x65, 0x73],
 encContext := map[EncodeAscii("abc") := EncodeAscii("def")],
 dataKeys := [CMP.EncryptedDataKey(
- keyProviderId := EncodeAscii("provID") ,
- keyProviderInfo := [1,2,3,4,5],
- ciphertext := [6,7,8,9])]
+ keyProviderId := EncodeAscii("provID") ,
+ keyProviderInfo := [1,2,3,4,5],
+ ciphertext := [6,7,8,9])]
 );
 var key : Bytes := head.msgID;
 var alg := AlgorithmSuites.DBE_ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384_SYMSIG_HMAC_SHA384;
@@ -77,12 +77,12 @@ module TestHeader {
 var cont : CMPEncryptionContext := map[EncodeAscii("abc") := EncodeAscii("def"), EncodeAscii("cba") := EncodeAscii("fed")];
 var serCont := SerializeContext(cont);
 expect serCont == [
- 0,2, // two items
- 0,3,a,b,c,
- 0,3,d,e,f,
- 0,3,c,b,a,
- 0,3,f,e,d
- ];
+ 0,2, // two items
+ 0,3,a,b,c,
+ 0,3,d,e,f,
+ 0,3,c,b,a,
+ 0,3,f,e,d
+ ];
 var newCont := GetContext(serCont);
 expect newCont.Success?;
 expect newCont.value.0 == cont;
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/Paths.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/Paths.dfy
index 9ba1059e3..bc71ad1f2 100644
--- a/DynamoDbEncryption/dafny/StructuredEncryption/test/Paths.dfy
+++ b/DynamoDbEncryption/dafny/StructuredEncryption/test/Paths.dfy
@@ -14,27 +14,27 @@ module PathsTests {
 assert(ValidString("example_table"));
 var name := Selector.Map("name");
 var pathToTest := TerminalLocation([name]);
- expect pathToTest.canonicalPath(tableName) ==
- UTF8.EncodeAscii("example_table")
- + [0,0,0,0,0,0,0,1] // depth
- + ['$' as uint8] // map
- + [0,0,0,0,0,0,0,4] // length
- + UTF8.EncodeAscii("name");
+ expect pathToTest.canonicalPath(tableName) ==
+ UTF8.EncodeAscii("example_table")
+ + [0,0,0,0,0,0,0,1] // depth
+ + ['$' as uint8] // map
+ + [0,0,0,0,0,0,0,4] // length
+ + UTF8.EncodeAscii("name");
 var history := Selector.Map("status-history");
 var index := Selector.List(0);
 var timestamp := Selector.Map("timestamp");
 var pathToTest2 := TerminalLocation([history, index, timestamp]);
- expect pathToTest2.canonicalPath(tableName) ==
- UTF8.EncodeAscii("example_table")
- + [0,0,0,0,0,0,0,3] // depth
- + ['$' as uint8] // map
- + [0,0,0,0,0,0,0,14] // length of "status-history"
- + UTF8.EncodeAscii("status-history")
- + ['#' as uint8] // array
- + [0,0,0,0,0,0,0,0] // index
- + ['$' as uint8] // map
- + [0,0,0,0,0,0,0,9] // length of "timestamp"
- + UTF8.EncodeAscii("timestamp");
+ expect pathToTest2.canonicalPath(tableName) ==
+ UTF8.EncodeAscii("example_table")
+ + [0,0,0,0,0,0,0,3] // depth
+ + ['$' as uint8] // map
+ + [0,0,0,0,0,0,0,14] // length of "status-history"
+ + UTF8.EncodeAscii("status-history")
+ + ['#' as uint8] // array
+ + [0,0,0,0,0,0,0,0] // index
+ + ['$' as uint8] // map
+ + [0,0,0,0,0,0,0,9] // length of "timestamp"
+ + UTF8.EncodeAscii("timestamp");
 }
 }
diff --git a/DynamoDbEncryption/dafny/StructuredEncryption/test/StructuredDataTestFixtures.dfy b/DynamoDbEncryption/dafny/StructuredEncryption/test/StructuredDataTestFixtures.dfy
index 95018416f..c0711b9c3 100644
--- a/DynamoDbEncryption/dafny/StructuredEncryption/test/StructuredDataTestFixtures.dfy
+++ b/DynamoDbEncryption/dafny/StructuredEncryption/test/StructuredDataTestFixtures.dfy
@@ -15,116 +15,116 @@ module StructuredDataTestFixtures { const TEST_BLOB_VALUE : seq := [0x21, 0x64, 0x6c, 0x72, 0x6f, 0x77, 0x20, 0x2c, 0x6f, 0x6c, 0x6c, 0x65, 0x68]; const TEST_STRUCTURED_DATA := StructuredData( - content := StructuredDataContent.DataMap( - DataMap := map[ - "foo" := StructuredData( - content := StructuredDataContent.Terminal( - Terminal := StructuredDataTerminal( - value := TEST_BLOB_VALUE, - typeId := TEST_TYPE_ID - ) - ), - attributes := None() - ), - "bar" := StructuredData( - content := StructuredDataContent.Terminal( - Terminal := StructuredDataTerminal( - value := TEST_BLOB_VALUE, - typeId := TEST_TYPE_ID - ) - ), - attributes := None() - ), - "fizzbuzz" := StructuredData( - content := StructuredDataContent.Terminal( - Terminal := StructuredDataTerminal( - value := TEST_BLOB_VALUE, - typeId := TEST_TYPE_ID - ) - ), - attributes := None() - ) - ] - ), - attributes := None() - ); + content := StructuredDataContent.DataMap( + DataMap := map[ + "foo" := StructuredData( + content := StructuredDataContent.Terminal( + Terminal := StructuredDataTerminal( + value := TEST_BLOB_VALUE, + typeId := TEST_TYPE_ID + ) + ), + attributes := None() + ), + "bar" := StructuredData( + content := StructuredDataContent.Terminal( + Terminal := StructuredDataTerminal( + value := TEST_BLOB_VALUE, + typeId := TEST_TYPE_ID + ) + ), + attributes := None() + ), + "fizzbuzz" := StructuredData( + content := StructuredDataContent.Terminal( + Terminal := StructuredDataTerminal( + value := TEST_BLOB_VALUE, + typeId := TEST_TYPE_ID + ) + ), + attributes := None() + ) + ] + ), + attributes := None() + ); const TEST_CRYPTO_SCHEMA := CryptoSchema( - content := CryptoSchemaContent.SchemaMap( - SchemaMap := map[ - "foo" := CryptoSchema( - content := CryptoSchemaContent.Action( - Action := CryptoAction.ENCRYPT_AND_SIGN - ), - attributes := None() - ), - "bar" := CryptoSchema( - content := CryptoSchemaContent.Action( - Action := CryptoAction.SIGN_ONLY - ), - attributes := None() - 
), - "fizzbuzz" := CryptoSchema( - content := CryptoSchemaContent.Action( - Action := CryptoAction.DO_NOTHING - ), - attributes := None() - ) - ] - ), - attributes := None() - ); + content := CryptoSchemaContent.SchemaMap( + SchemaMap := map[ + "foo" := CryptoSchema( + content := CryptoSchemaContent.Action( + Action := CryptoAction.ENCRYPT_AND_SIGN + ), + attributes := None() + ), + "bar" := CryptoSchema( + content := CryptoSchemaContent.Action( + Action := CryptoAction.SIGN_ONLY + ), + attributes := None() + ), + "fizzbuzz" := CryptoSchema( + content := CryptoSchemaContent.Action( + Action := CryptoAction.DO_NOTHING + ), + attributes := None() + ) + ] + ), + attributes := None() + ); const TEST_CRYPTO_SCHEMA_AUTH_ONLY := CryptoSchema( - content := CryptoSchemaContent.SchemaMap( - SchemaMap := map[ - "foo" := CryptoSchema( - content := CryptoSchemaContent.Action( - Action := CryptoAction.ENCRYPT_AND_SIGN - ), - attributes := None() - ), - "bar" := CryptoSchema( - content := CryptoSchemaContent.Action( - Action := CryptoAction.SIGN_ONLY - ), - attributes := None() - ) - ] - ), - attributes := None() - ); + content := CryptoSchemaContent.SchemaMap( + SchemaMap := map[ + "foo" := CryptoSchema( + content := CryptoSchemaContent.Action( + Action := CryptoAction.ENCRYPT_AND_SIGN + ), + attributes := None() + ), + "bar" := CryptoSchema( + content := CryptoSchemaContent.Action( + Action := CryptoAction.SIGN_ONLY + ), + attributes := None() + ) + ] + ), + attributes := None() + ); const TEST_AUTHENTICATE_SCHEMA := AuthenticateSchema( - content := AuthenticateSchemaContent.SchemaMap( - SchemaMap := map[ - "foo" := AuthenticateSchema( - content := AuthenticateSchemaContent.Action( - Action := AuthenticateAction.SIGN - ), - attributes := None() - ), - "bar" := AuthenticateSchema( - content := AuthenticateSchemaContent.Action( - Action := AuthenticateAction.SIGN - ), - attributes := None() - ), - "fizzbuzz" := AuthenticateSchema( - content := AuthenticateSchemaContent.Action( - 
Action := AuthenticateAction.DO_NOT_SIGN - ), - attributes := None() - ) - ] - ), - attributes := None() - ); + content := AuthenticateSchemaContent.SchemaMap( + SchemaMap := map[ + "foo" := AuthenticateSchema( + content := AuthenticateSchemaContent.Action( + Action := AuthenticateAction.SIGN + ), + attributes := None() + ), + "bar" := AuthenticateSchema( + content := AuthenticateSchemaContent.Action( + Action := AuthenticateAction.SIGN + ), + attributes := None() + ), + "fizzbuzz" := AuthenticateSchema( + content := AuthenticateSchemaContent.Action( + Action := AuthenticateAction.DO_NOT_SIGN + ), + attributes := None() + ) + ] + ), + attributes := None() + ); const PUBLIC_US_WEST_2_KMS_TEST_KEY := "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f"; method GetDefaultCMMWithKMSKeyring() - returns (cmm: AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager) - ensures cmm.ValidState(); - ensures fresh(cmm); - ensures fresh(cmm.Modifies); + returns (cmm: AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager) + ensures cmm.ValidState(); + ensures fresh(cmm); + ensures fresh(cmm.Modifies); { var matProv :- expect MaterialProviders.MaterialProviders(MaterialProviders.DefaultMaterialProvidersConfig()); var keyringInput := AwsCryptographyMaterialProvidersTypes.CreateAwsKmsMultiKeyringInput( diff --git a/Makefile b/Makefile index c9349baec..3a11dac94 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,9 @@ +# This finds all Dafny projects in this repository +# This makes building root level targets for each project easy +# PROJECTS = $(shell find . -mindepth 2 -maxdepth 2 -type f -name "Makefile" | xargs dirname | xargs basename) +# for the moment, just the DynamoDbEncryption directory +PROJECTS = "DynamoDbEncryption" + duvet: | duvet_extract duvet_report duvet_extract: 
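Review bot: `PROJECTS = "DynamoDbEncryption"` keeps the double quotes as part of the variable's value, because make does not strip quotes; it only works in this commit because `$(foreach ...)` hands the value to the shell, which removes them, and it would break in any pure-make use such as `$(addprefix ...)` or `$(wildcard ...)`. Drop the quotes: `PROJECTS = DynamoDbEncryption`. The commented-out discovery pipeline (`find ... | xargs dirname | xargs basename`) would also produce unquoted names, so the two forms would then agree when it is re-enabled.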
@@ -12,3 +18,8 @@ duvet_report:
 --source-pattern "DynamoDbEncryption/dafny/**/*.smithy" \
 --source-pattern "DynamoDbEncryption/runtimes/java/src/main/java/**/*.java" \
 --html specification_compliance_report.html
+
+format_dafny:
+ $(foreach PROJECT, $(PROJECTS), \
+ $(MAKE) -C $(PROJECT) format_dafny && \
+ ) true
diff --git a/SharedMakefile.mk b/SharedMakefile.mk
index 41fb832ef..326403179 100644
--- a/SharedMakefile.mk
+++ b/SharedMakefile.mk
@@ -60,7 +60,6 @@ verify:
 -vcsCores:$(CORES) \
 -compile:0 \
 -definiteAssignment:3 \
- -quantifierSyntax:3 \
 -unicodeChar:0 \
 -functionSyntax:3 \
 -verificationLogger:csv \
@@ -77,7 +76,6 @@ verify_single:
 -vcsCores:$(CORES) \
 -compile:0 \
 -definiteAssignment:3 \
- -quantifierSyntax:3 \
 -unicodeChar:0 \
 -functionSyntax:3 \
 -verificationLogger:text \
@@ -93,7 +91,6 @@ verify_service:
 -vcsCores:$(CORES) \
 -compile:0 \
 -definiteAssignment:3 \
- -quantifierSyntax:3 \
 -unicodeChar:0 \
 -functionSyntax:3 \
 -verificationLogger:csv \
@@ -101,10 +98,22 @@ verify_service:
 -trace \
 `find ./dafny/$(SERVICE) -name '*.dfy'` \
+format_dafny:
+ dafny format \
+ --function-syntax 3 \
+ --unicode-char false \
+ `find . -name '*.dfy'`
+
+format_dafny-check:
+ dafny format \
+ --check \
+ --function-syntax 3 \
+ --unicode-char false \
+ `find . -name '*.dfy'`
+
 format:
 dafny format \
 --function-syntax 3 \
- --quantifier-syntax 3 \
 --unicode-char false \
 `find . -name '*.dfy'`
@@ -112,7 +121,6 @@ format-check:
 dafny format \
 --check \
 --function-syntax 3 \
- --quantifier-syntax 3 \
 --unicode-char false \
 `find . -name '*.dfy'`
@@ -160,7 +168,6 @@ transpile_implementation:
 -compile:0 \
 -optimizeErasableDatatypeWrapper:0 \
 $(COMPILE_SUFFIX_OPTION) \
- -quantifierSyntax:3 \
 -unicodeChar:0 \
 -functionSyntax:3 \
 -useRuntimeLib \
@@ -183,7 +190,6 @@ transpile_test:
 -compile:0 \
 -optimizeErasableDatatypeWrapper:0 \
 $(COMPILE_SUFFIX_OPTION) \
- -quantifierSyntax:3 \
 -unicodeChar:0 \
 -functionSyntax:3 \
 -useRuntimeLib \
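Review bot: The root `format_dafny` target has no `format_dafny-check` counterpart, although SharedMakefile.mk in this same commit adds both, so a repository-wide format check cannot be driven from the top-level Makefile the way formatting can. A parallel target, `format_dafny-check:` followed by `$(foreach PROJECT, $(PROJECTS), $(MAKE) -C $(PROJECT) format_dafny-check && ) true`, would keep the two levels symmetric. Neither new target is declared `.PHONY` within this hunk; if a `.PHONY` list exists elsewhere in the file, `format_dafny` should be added to it so that a stray file of that name cannot satisfy the target.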
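Review bot: The new `format_dafny` and `format_dafny-check` targets in the `@@ -101,10 +98,22 @@` hunk are line-for-line copies of the existing `format` and `format-check` targets once `--quantifier-syntax 3` is removed from the latter, so the formatter flags now have to be kept in sync in two places. Keep one definition and alias the other, `format: format_dafny` and `format-check: format_dafny-check`, or retire the old names. Both new targets also splice the unquoted backtick `find` output into the command line, so a `.dfy` path containing whitespace would be word-split; `find . -name '*.dfy' -print0 | xargs -0 dafny format --check ...` avoids that, though the pre-existing targets share the same shape. The `-quantifierSyntax:3` removal in the `verify`, `verify_single`, `verify_service`, `transpile_implementation` and `transpile_test` hunks moves those invocations to Dafny's default quantifier syntax; presumably the sources were already migrated, since the format targets drop the same flag, but that is not visible here.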