test: Run ESDK .NET v4.0.1 Test Vectors in CI (#1979)

Co-authored-by: Tony Knapp <[email protected]>
Co-authored-by: seebees <[email protected]>

Author: 3 people

.github/workflows/ci.yml

@@ -58,6 +58,66 @@ jobs:
           env-vars-for-codebuild: JAVA_ENV_VERSION
         env:
           JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+  vectorTestsMasterKeyProvider:
+    name: Vector Tests MasterKeyProvider
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - distribution: openjdk
+            image: "aws/codebuild/standard:3.0"
+          - distribution: corretto
+            image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+        version: [ 8, 11 ]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+      - name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 60
+        with:
+          project-name: AWS-ESDK-Java-CI
+          buildspec-override: codebuild/ci/vectors-ci-mkp.yml
+          compute-type-override: BUILD_GENERAL1_LARGE
+          image-override: ${{ matrix.platform.image }}
+          env-vars-for-codebuild: JAVA_ENV_VERSION
+        env:
+          JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+  netVectorTests:
+    name: ESDK-NET Vector Tests
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - distribution: openjdk
+            image: "aws/codebuild/standard:3.0"
+          - distribution: corretto
+            image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+        version: [ 8, 11 ]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+          aws-region: us-west-2
+          role-duration-seconds: 3600
+      - name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
+        uses: aws-actions/aws-codebuild-run-build@v1
+        timeout-minutes: 60
+        with:
+          project-name: AWS-ESDK-Java-CI
+          buildspec-override: codebuild/ci/net-vectors-ci.yml
+          compute-type-override: BUILD_GENERAL1_LARGE
+          image-override: ${{ matrix.platform.image }}
+          env-vars-for-codebuild: JAVA_ENV_VERSION
+        env:
+          JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
   generateTestVectors:
     name: Generate Vectors
     runs-on: ubuntu-latest

codebuild/ci/net-vectors-ci.yml

@@ -0,0 +1,39 @@
+version: 0.2
+# Runs Only the ESDK-NET v4.0.1 Decryption Vectors, testing Required EC CMM
+phases:
+  install:
+    runtime-versions:
+      java: $JAVA_ENV_VERSION
+    commands:
+      - git submodule update --init submodules/MaterialProviders
+      # Get Dafny
+      - curl https://github.com/dafny-lang/dafny/releases/download/v4.2.0/dafny-4.2.0-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Get Gradle 7.6
+      - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
+      - unzip -qq gradle.zip && rm gradle.zip
+      - export PATH="$PWD/gradle-7.6/bin:$PATH"
+  pre_build:
+    commands:
+      # Assume Role to access non-prod resources
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+
+      # Build and deploy TestVectors to maven local
+      - cd submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders/
+      - make build_java && make mvn_local_deploy
+      - cd $CODEBUILD_SRC_DIR
+
+      # Fetch ESDK .NET v4.0.1 Test Vectors
+      - VECTOR_ZIP=$CODEBUILD_SRC_DIR/v4-Net-4.0.1.zip
+      - VECTORS_URL=https://github.com/aws/aws-encryption-sdk-dafny/raw/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/resources/v4-Net-4.0.1.zip
+      - curl -s --output $VECTOR_ZIP --location $VECTORS_URL
+  build:
+    commands:
+      # NOTE: We need to pass the absolute path of the vectors
+      - mvn -B -ntp install -Dgpg.skip=true -Djacoco.skip=true "-Dtest=TestVectorRunner" "-DtestVectorZip=file://$VECTOR_ZIP"

codebuild/ci/vectors-ci-mkp.yml

@@ -0,0 +1,35 @@
+version: 0.2
+# Runs "Golden Manifest" against legacy Master Key Providers
+phases:
+  install:
+    runtime-versions:
+      java: $JAVA_ENV_VERSION
+    commands:
+      - git submodule update --init submodules/MaterialProviders
+      # Get Dafny
+      - curl https://github.com/dafny-lang/dafny/releases/download/v4.2.0/dafny-4.2.0-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Get Gradle 7.6
+      - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
+      - unzip -qq gradle.zip && rm gradle.zip
+      - export PATH="$PWD/gradle-7.6/bin:$PATH"
+  pre_build:
+    commands:
+      # Assume Role to access non-prod resources
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Java-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+
+      # Build and deploy TestVectors to maven local
+      - cd submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders/
+      - make build_java && make mvn_local_deploy
+      - cd $CODEBUILD_SRC_DIR
+  build:
+    commands:
+      # Enable masterKey to run Test Vectors against MasterKeyProvider
+      # NOTE: We need to pass the absolute path of the vectors
+      - mvn -B -ntp install -Dgpg.skip=true -Djacoco.skip=true "-Dtest=TestVectorRunner" "-Dmasterkey=true" "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.3.0.zip"

codebuild/ci/vectors-ci.yml

@@ -1,5 +1,5 @@
 version: 0.2
-
+# Runs "Golden Manifest" against Keyrings
 phases:
   install:
     runtime-versions:
@@ -30,4 +30,5 @@ phases:
       - cd $CODEBUILD_SRC_DIR
   build:
     commands:
+      # NOTE: We need to pass the absolute path of the vectors
       - mvn install -T 8 -Dgpg.skip=true -ntp "-DtestVectorZip=file://$CODEBUILD_SRC_DIR/src/test/resources/aws-encryption-sdk-test-vectors/vectors/awses-decrypt/python-2.3.0.zip"