m

lucasmcdonald3 · lucasmcdonald3 · commit 0f4f37a90414 · 2025-01-21T10:55:44.000-08:00
diff --git a/TestVectors/dafny/DDBEncryption/src/CreateWrappedItemEncryptor.dfy b/TestVectors/dafny/DDBEncryption/src/CreateWrappedItemEncryptor.dfy
@@ -0,0 +1,70 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+include "../Model/AwsCryptographyDynamoDbEncryptionTypesWrapped.dfy"
+include "../../../../DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy"
+
+module {:extern} CreateWrappedItemEncryptor {
+  import opened Wrappers
+  import AwsCryptographyDbEncryptionSdkDynamoDbTypes
+  import ENC = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
+  import DynamoDbItemEncryptor
+  import Operations = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations
+
+  // The `ensures` clause is copy-pasted from the DynamoDbItemEncryptor client method's `ensures` clause.
+  method {:extern} CreateWrappedItemEncryptor(config: ENC.DynamoDbItemEncryptorConfig)
+    returns (output: Result<ENC.IDynamoDbItemEncryptorClient, AwsCryptographyDbEncryptionSdkDynamoDbTypes.Error>)
+    requires config.keyring.Some? ==>
+      config.keyring.value.ValidState()
+    requires config.cmm.Some? ==>
+      config.cmm.value.ValidState()
+    requires config.legacyOverride.Some? ==>
+      config.legacyOverride.value.encryptor.ValidState()
+    modifies if config.keyring.Some? then
+        config.keyring.value.Modifies
+      else {}
+    modifies if config.cmm.Some? then
+        config.cmm.value.Modifies
+      else {}
+    modifies if config.legacyOverride.Some? then
+               config.legacyOverride.value.encryptor.Modifies
+             else {}
+    ensures output.Success? ==>
+          && output.value is DynamoDbItemEncryptor.DynamoDbItemEncryptorClient
+          && fresh(output.value)
+          && fresh(output.value.History)
+          && output.value.ValidState()
+          && var rconfig := (output.value as DynamoDbItemEncryptor.DynamoDbItemEncryptorClient).config;
+          && fresh(output.value.Modifies - Operations.ModifiesInternalConfig(rconfig))
+          && rconfig.logicalTableName == config.logicalTableName
+          && rconfig.partitionKeyName == config.partitionKeyName
+          && rconfig.sortKeyName == config.sortKeyName
+          && rconfig.attributeActionsOnEncrypt == config.attributeActionsOnEncrypt
+          && rconfig.allowedUnsignedAttributes == config.allowedUnsignedAttributes
+          && rconfig.allowedUnsignedAttributePrefix == config.allowedUnsignedAttributePrefix
+          && rconfig.algorithmSuiteId == config.algorithmSuiteId
+
+          //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#attribute-actions
+          //= type=implication
+          //# The [Key Action](#key-action)
+          //# MUST be configured to the partition attribute and, if present, sort attribute.
+          && rconfig.version == Operations.VersionFromActions(config.attributeActionsOnEncrypt)
+          && config.partitionKeyName in config.attributeActionsOnEncrypt
+          && config.attributeActionsOnEncrypt[config.partitionKeyName] == Operations.KeyActionFromVersion(rconfig.version)
+          && (config.sortKeyName.Some? ==>
+                && config.sortKeyName.value in config.attributeActionsOnEncrypt
+                && config.attributeActionsOnEncrypt[config.sortKeyName.value] == Operations.KeyActionFromVersion(rconfig.version))
+
+    //= specification/dynamodb-encryption-client/ddb-table-encryption-config.md#plaintext-policy
+    //# If not specified, encryption and decryption MUST behave according to `FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ`.
+    ensures
+      && output.Success?
+      && config.plaintextOverride.None?
+      ==>
+        && var config := (output.value as DynamoDbItemEncryptor.DynamoDbItemEncryptorClient).config;
+        && config.plaintextOverride.FORBID_PLAINTEXT_WRITE_FORBID_PLAINTEXT_READ?
+  {
+    var encryptor :- expect DynamoDbItemEncryptor.DynamoDbItemEncryptor(config);
+    return Success(encryptor);
+  }
+}
diff --git a/TestVectors/dafny/DDBEncryption/src/JsonConfig.dfy b/TestVectors/dafny/DDBEncryption/src/JsonConfig.dfy
@@ -3,6 +3,7 @@
 
 include "JsonItem.dfy"
 include "CreateInterceptedDDBClient.dfy"
+include "CreateWrappedItemEncryptor.dfy"
 include "../../../../DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy"
 
 module {:options "-functionSyntax:4"} JsonConfig {
@@ -31,10 +32,10 @@ module {:options "-functionSyntax:4"} JsonConfig {
   import ParseJsonManifests
   import CreateInterceptedDDBClient
   import DynamoDbItemEncryptor
+  import CreateWrappedItemEncryptor
+  import Operations = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorOperations
 
 
-  const DEFAULT_KEYS : string := "../../../submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders/dafny/TestVectorsAwsCryptographicMaterialProviders/test/keys.json"
-
   predicate IsValidInt32(x: int)  { -0x8000_0000 <= x < 0x8000_0000}
   type ConfigName = string
 
@@ -130,7 +131,11 @@ module {:options "-functionSyntax:4"} JsonConfig {
     }
   }
 
-  method GetRoundTripTests(data : JSON) returns (output : Result<seq<RoundTripTest>, string>)
+  method GetRoundTripTests(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<seq<RoundTripTest>, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "RoundTripTest Test must be an object.");
     var configs : map<string, TableConfig> := map[];
@@ -139,26 +144,34 @@ module {:options "-functionSyntax:4"} JsonConfig {
     for i := 0 to |data.obj| {
       var obj := data.obj[i];
       match obj.0 {
-        case "Configs" => var src :- GetTableConfigs(obj.1); configs := src;
+        case "Configs" => var src :- GetTableConfigs(obj.1, keys); configs := src;
         case "Records" => var src :- GetRecords(obj.1); records := src;
         case _ => return Failure("Unexpected part of a write test : '" + obj.0 + "'");
       }
     }
     return Success([RoundTripTest(configs, records)]);
   }
 
-  method GetWriteTests(data : JSON) returns (output : Result<seq<WriteTest> , string>)
+  method GetWriteTests(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<seq<WriteTest> , string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Array?, "Write Test list must be an array.");
     var results : seq<WriteTest> := [];
     for i := 0 to |data.arr| {
       var obj := data.arr[i];
-      var item :- GetOneWriteTest(obj);
+      var item :- GetOneWriteTest(obj, keys);
       results := results + [item];
     }
     return Success(results);
   }
-  method GetOneWriteTest(data : JSON) returns (output : Result<WriteTest, string>)
+  method GetOneWriteTest(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<WriteTest, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "A Write Test must be an object.");
     var config : Option<TableConfig> := None;
@@ -168,7 +181,7 @@ module {:options "-functionSyntax:4"} JsonConfig {
     for i := 0 to |data.obj| {
       var obj := data.obj[i];
       match obj.0 {
-        case "Config" => var src :- GetOneTableConfig("foo", obj.1); config := Some(src);
+        case "Config" => var src :- GetOneTableConfig("foo", obj.1, keys); config := Some(src);
         case "FileName" =>
           :- Need(obj.1.String?, "Write Test file name must be a string.");
           fileName := obj.1.str;
@@ -181,18 +194,26 @@ module {:options "-functionSyntax:4"} JsonConfig {
     return Success(WriteTest(config.value, records, fileName));
   }
 
-  method GetDecryptTests(data : JSON) returns (output : Result<seq<DecryptTest> , string>)
+  method GetDecryptTests(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<seq<DecryptTest> , string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Array?, "Decrypt Test list must be an array.");
     var results : seq<DecryptTest> := [];
     for i := 0 to |data.arr| {
       var obj := data.arr[i];
-      var item :- GetOneDecryptTest(obj);
+      var item :- GetOneDecryptTest(obj, keys);
       results := results + [item];
     }
     return Success(results);
   }
-  method GetOneDecryptTest(data : JSON) returns (output : Result<DecryptTest, string>)
+  method GetOneDecryptTest(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<DecryptTest, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "A Decrypt Test must be an object.");
     var config : Option<TableConfig> := None;
@@ -202,7 +223,7 @@ module {:options "-functionSyntax:4"} JsonConfig {
     for i := 0 to |data.obj| {
       var obj := data.obj[i];
       match obj.0 {
-        case "Config" => var src :- GetOneTableConfig("foo", obj.1); config := Some(src);
+        case "Config" => var src :- GetOneTableConfig("foo", obj.1, keys); config := Some(src);
         case "EncryptedRecords" => encRecords :- GetRecords(obj.1);
         case "PlainTextRecords" => plainRecords :- GetRecords(obj.1);
         case _ => return Failure("Unexpected part of a encrypt test : '" + obj.0 + "'");
@@ -214,24 +235,31 @@ module {:options "-functionSyntax:4"} JsonConfig {
     return Success(DecryptTest(config.value, encRecords, plainRecords));
   }
 
-  method GetTableConfigs(data : JSON) returns (output : Result<map<string, TableConfig> , string>)
+  method GetTableConfigs(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<map<string, TableConfig> , string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "Search Config list must be an object.");
     var results : map<string, TableConfig> := map[];
     for i := 0 to |data.obj| {
       var obj := data.obj[i];
-      var item :- GetOneTableConfig(obj.0, obj.1);
+      var item :- GetOneTableConfig(obj.0, obj.1, keys);
       results := results[obj.0 := item];
     }
     return Success(results);
   }
 
-  method GetItemEncryptor(name : string, data : JSON)
+  method GetItemEncryptor(name : string, data : JSON, keys: KeyVectors.KeyVectorsClient)
     returns (encryptor : Result<DynamoDbItemEncryptor.DynamoDbItemEncryptorClient, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
     ensures encryptor.Success? ==>
               && encryptor.value.ValidState()
               && fresh(encryptor.value)
-              && fresh(encryptor.value.Modifies)
+              && fresh(encryptor.value.Modifies - Operations.ModifiesInternalConfig(encryptor.value.config))
   {
     :- Need(data.Object?, "A Table Config must be an object.");
     var logicalTableName := TableName;
@@ -296,11 +324,6 @@ module {:options "-functionSyntax:4"} JsonConfig {
       }
     }
 
-    var keys :- expect KeyVectors.KeyVectors(
-      KeyVectorsTypes.KeyVectorsConfig(
-        keyManifestPath := DEFAULT_KEYS
-      )
-    );
     var keyDescription :-
       if |key| == 0 then
         Success(KeyVectorsTypes.Hierarchy(KeyVectorsTypes.HierarchyKeyring(
@@ -327,13 +350,20 @@ module {:options "-functionSyntax:4"} JsonConfig {
         legacyOverride := legacyOverride,
         plaintextOverride := plaintextOverride
       );
-    var enc : ENC.IDynamoDbItemEncryptorClient :- expect DynamoDbItemEncryptor.DynamoDbItemEncryptor(encryptorConfig);
+    var enc : ENC.IDynamoDbItemEncryptorClient :- expect CreateWrappedItemEncryptor.CreateWrappedItemEncryptor(encryptorConfig);
+    // var enc : ENC.IDynamoDbItemEncryptorClient :- expect DynamoDbItemEncryptor.DynamoDbItemEncryptor(encryptorConfig);
     assert enc is DynamoDbItemEncryptor.DynamoDbItemEncryptorClient;
     var encr := enc as DynamoDbItemEncryptor.DynamoDbItemEncryptorClient;
     return Success(encr);
   }
 
-  method GetOneTableConfig(name : string, data : JSON) returns (output : Result<TableConfig, string>)
+
+
+  method GetOneTableConfig(name : string, data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<TableConfig, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "A Table Config must be an object.");
     var logicalTableName := TableName;
@@ -400,11 +430,6 @@ module {:options "-functionSyntax:4"} JsonConfig {
       }
     }
 
-    var keys :- expect KeyVectors.KeyVectors(
-      KeyVectorsTypes.KeyVectorsConfig(
-        keyManifestPath := DEFAULT_KEYS
-      )
-    );
     var keyDescription :-
       if |key| == 0 then
         Success(KeyVectorsTypes.Hierarchy(KeyVectorsTypes.HierarchyKeyring(
@@ -1114,19 +1139,27 @@ module {:options "-functionSyntax:4"} JsonConfig {
                    ));
   }
 
-  method GetIoTests(data : JSON) returns (output : Result<seq<IoTest> , string>)
+  method GetIoTests(data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<seq<IoTest> , string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "IoTests must be an object.");
     var results : seq<IoTest> := [];
     for i := 0 to |data.obj| {
       var obj := data.obj[i];
-      var item :- GetOneIoTest(obj.0, obj.1);
+      var item :- GetOneIoTest(obj.0, obj.1, keys);
       results := results + [item];
     }
     return Success(results);
   }
 
-  method GetOneIoTest(name : string, data : JSON) returns (output : Result<IoTest, string>)
+  method GetOneIoTest(name : string, data : JSON, keys: KeyVectors.KeyVectorsClient)
+    returns (output : Result<IoTest, string>)
+    requires keys.ValidState()
+    modifies keys.Modifies
+    ensures keys.ValidState()
   {
     :- Need(data.Object?, "IoTest must be an object.");
     var readConfig : Option<TableConfig> := None;
@@ -1138,8 +1171,8 @@ module {:options "-functionSyntax:4"} JsonConfig {
     for i := 0 to |data.obj| {
       var obj := data.obj[i];
       match obj.0 {
-        case "WriteConfig" => var config :- GetOneTableConfig(obj.0, obj.1); writeConfig := Some(config);
-        case "ReadConfig" => var config :- GetOneTableConfig(obj.0, obj.1); readConfig := Some(config);
+        case "WriteConfig" => var config :- GetOneTableConfig(obj.0, obj.1, keys); writeConfig := Some(config);
+        case "ReadConfig" => var config :- GetOneTableConfig(obj.0, obj.1, keys); readConfig := Some(config);
         case "Records" => records :- GetRecords(obj.1);
         case "Values" => values :- GetValueMap(data.obj[i].1);
         case "Queries" => queries :- GetSimpleQueries(data.obj[i].1);
