m

Author: ajewellamz

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy

@@ -55,7 +55,76 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
   }
   type BucketCount = x: int32 | IsValid_BucketCount(x) witness *
   predicate method IsValid_BucketCount(x: int32) {
-    ( 1 <= x  )
+    ( 1 <= x <= 255 )
+  }
+  type BucketNumber = x: int32 | IsValid_BucketNumber(x) witness *
+  predicate method IsValid_BucketNumber(x: int32) {
+    ( 0 <= x <= 254 )
+  }
+  class IBucketSelectorCallHistory {
+    ghost constructor() {
+      GetBucketNumber := [];
+    }
+    ghost var GetBucketNumber: seq<DafnyCallEvent<GetBucketNumberInput, Result<GetBucketNumberOutput, Error>>>
+  }
+  trait {:termination false} IBucketSelector
+  {
+    // Helper to define any additional modifies/reads clauses.
+    // If your operations need to mutate state,
+    // add it in your constructor function:
+    // Modifies := {your, fields, here, History};
+    // If you do not need to mutate anything:
+    // Modifies := {History};
+
+    ghost const Modifies: set<object>
+    // For an unassigned field defined in a trait,
+    // Dafny can only assign a value in the constructor.
+    // This means that for Dafny to reason about this value,
+    // it needs some way to know (an invariant),
+    // about the state of the object.
+    // This builds on the Valid/Repr paradigm
+    // To make this kind requires safe to add
+    // to methods called from unverified code,
+    // the predicate MUST NOT take any arguments.
+    // This means that the correctness of this requires
+    // MUST only be evaluated by the class itself.
+    // If you require any additional mutation,
+    // then you MUST ensure everything you need in ValidState.
+    // You MUST also ensure ValidState in your constructor.
+    predicate ValidState()
+      ensures ValidState() ==> History in Modifies
+    ghost const History: IBucketSelectorCallHistory
+    predicate GetBucketNumberEnsuresPublicly(input: GetBucketNumberInput , output: Result<GetBucketNumberOutput, Error>)
+    // The public method to be called by library consumers
+    method GetBucketNumber ( input: GetBucketNumberInput )
+      returns (output: Result<GetBucketNumberOutput, Error>)
+      requires
+        && ValidState()
+      modifies Modifies - {History} ,
+               History`GetBucketNumber
+      // Dafny will skip type parameters when generating a default decreases clause.
+      decreases Modifies - {History}
+      ensures
+        && ValidState()
+      ensures GetBucketNumberEnsuresPublicly(input, output)
+      ensures History.GetBucketNumber == old(History.GetBucketNumber) + [DafnyCallEvent(input, output)]
+    {
+      output := GetBucketNumber' (input);
+      History.GetBucketNumber := History.GetBucketNumber + [DafnyCallEvent(input, output)];
+    }
+    // The method to implement in the concrete class.
+    method GetBucketNumber' ( input: GetBucketNumberInput )
+      returns (output: Result<GetBucketNumberOutput, Error>)
+      requires
+        && ValidState()
+      modifies Modifies - {History}
+      // Dafny will skip type parameters when generating a default decreases clause.
+      decreases Modifies - {History}
+      ensures
+        && ValidState()
+      ensures GetBucketNumberEnsuresPublicly(input, output)
+      ensures unchanged(History)
+
   }
   type Char = x: string | IsValid_Char(x) witness *
   predicate method IsValid_Char(x: string) {
@@ -250,7 +319,8 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
     nameonly keyring: Option<AwsCryptographyMaterialProvidersTypes.IKeyring> := Option.None ,
     nameonly cmm: Option<AwsCryptographyMaterialProvidersTypes.ICryptographicMaterialsManager> := Option.None ,
     nameonly legacyOverride: Option<LegacyOverride> := Option.None ,
-    nameonly plaintextOverride: Option<PlaintextOverride> := Option.None
+    nameonly plaintextOverride: Option<PlaintextOverride> := Option.None ,
+    nameonly bucketSelector: Option<IBucketSelector> := Option.None
   )
   type DynamoDbTableEncryptionConfigList = map<ComAmazonawsDynamodbTypes.TableName, DynamoDbTableEncryptionConfig>
   datatype DynamoDbTablesEncryptionConfig = | DynamoDbTablesEncryptionConfig (
@@ -277,6 +347,13 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
   datatype GetBranchKeyIdFromDdbKeyOutput = | GetBranchKeyIdFromDdbKeyOutput (
     nameonly branchKeyId: string
   )
+  datatype GetBucketNumberInput = | GetBucketNumberInput (
+    nameonly item: ComAmazonawsDynamodbTypes.AttributeMap ,
+    nameonly numberOfBuckets: BucketCount
+  )
+  datatype GetBucketNumberOutput = | GetBucketNumberOutput (
+    nameonly bucketNumber: BucketNumber
+  )
   datatype GetEncryptedDataKeyDescriptionInput = | GetEncryptedDataKeyDescriptionInput (
     nameonly input: GetEncryptedDataKeyDescriptionUnion
   )

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/DynamoDbEncryption.smithy

@@ -49,6 +49,30 @@ service DynamoDbEncryption {
     errors: [ DynamoDbEncryptionException ]
 }
 
+resource BucketSelector {
+  operations: [GetBucketNumber]
+}
+
+@reference(resource: BucketSelector)
+structure BucketSelectorReference {}
+
+operation GetBucketNumber {
+  input: GetBucketNumberInput,
+  output: GetBucketNumberOutput,
+}
+
+structure GetBucketNumberInput {
+  @required
+  item: AttributeMap,
+  @required
+  numberOfBuckets : BucketCount
+}
+
+structure GetBucketNumberOutput {
+  @required
+  bucketNumber: BucketNumber
+}
+
 @javadoc("Returns encrypted data key description.")
 operation GetEncryptedDataKeyDescription {
     input: GetEncryptedDataKeyDescriptionInput,
@@ -206,7 +230,10 @@ structure DynamoDbTableEncryptionConfig {
     @javadoc("A configuration that override encryption and/or decryption to instead perform legacy encryption and/or decryption. Used as part of migration from version 2.x to version 3.x.")
     legacyOverride: LegacyOverride,
     @javadoc("A configuration that override encryption and/or decryption to instead passthrough and write and/or read plaintext. Used to update plaintext tables to fully use client-side encryption.")
-    plaintextOverride: PlaintextOverride
+    plaintextOverride: PlaintextOverride,
+
+    @javadoc("How to choose the bucket for an item. Default behavior is a random between 0 and numberOfBuckets.")
+    bucketSelector: BucketSelectorReference,
 }
 
 map AttributeActions {
@@ -286,9 +313,12 @@ integer BeaconBitLength
 @range(min: 1)
 integer VersionNumber
 
-@range(min: 1)
+@range(min: 1, max: 255)
 integer BucketCount
 
+@range(min: 0, max: 254)
+integer BucketNumber
+
 @length(min: 1, max: 1)
 string Char
 

DynamoDbEncryption/dafny/DynamoDbEncryption/src/Beacon.dfy

@@ -15,6 +15,7 @@ module BaseBeacon {
   import opened DynamoDbEncryptionUtil
   import opened DdbVirtualFields
   import opened Seq
+  import opened StandardLibrary.MemoryMath
   import DynamoToStruct
 
   import DDB = ComAmazonawsDynamodbTypes
@@ -111,7 +112,8 @@ module BaseBeacon {
     loc : string,
     partOnly : bool,
     asSet : bool,
-    share : Option<string>
+    share : Option<string>,
+    numberOfBuckets : Option<BucketCount>
   )
     : (ret : Result<ValidStandardBeacon, Error>)
     ensures ret.Success? ==>
@@ -121,6 +123,8 @@ module BaseBeacon {
     var termLoc :- TermLoc.MakeTermLoc(loc);
     var beaconName := BeaconPrefix + name;
     :- Need(DDB.IsValid_AttributeName(beaconName), E(beaconName + " is not a valid attribute name."));
+    var numBuckets : nat := if numberOfBuckets.Some? then numberOfBuckets.value as nat else 0;
+    :- Need(numBuckets < 256, E(beaconName + " has numberOfBuckets greater than 255"));
     Success(StandardBeacon.StandardBeacon(
               BeaconBase (
                 client := client,
@@ -131,7 +135,8 @@ module BaseBeacon {
               termLoc,
               partOnly,
               asSet,
-              share
+              share,
+              numBuckets as uint8
             ))
   }
   datatype StandardBeacon = StandardBeacon (
@@ -140,18 +145,27 @@ module BaseBeacon {
     loc : TermLoc.TermLoc,
     partOnly : bool,
     asSet : bool,
-    share : Option<string>
+    share : Option<string>,
+    numberOfBuckets : uint8
   ) {
+    function method constrained_bucket(bucket : Bytes) : Bytes
+    {
+      SequenceIsSafeBecauseItIsInMemory(bucket);
+      if numberOfBuckets == 0 || |bucket| as uint64 == 0 then
+        bucket
+      else
+        [bucket[0] % numberOfBuckets]
+    }
     function method {:opaque} hash(val : Bytes, key : Bytes, bucket : Bytes)
       : (ret : Result<string, Error>)
       ensures ret.Success? ==>
                 && |ret.value| > 0
-                && base.hash(val, key, length, bucket).Success?
-                && ret.value == base.hash(val, key, length, bucket).value
+                && base.hash(val, key, length, constrained_bucket(bucket)).Success?
+                && ret.value == base.hash(val, key, length, constrained_bucket(bucket)).value
 
                 && |ret.value| == (((length as uint8) + 3) / 4) as nat
     {
-      base.hash(val, key, length, bucket)
+      base.hash(val, key, length, constrained_bucket(bucket))
     }
 
     // return the name of the hmac key to use

DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy

@@ -526,6 +526,18 @@ module SearchConfigToInfo {
       Failure(E("Beacon " + name + " is shared to " + share + " which is not defined."))
   }
 
+  predicate method BucketConstraintOk(outer : DynamoDbTableEncryptionConfig, inner : Option<BucketCount>)
+  {
+    if inner.None? || outer.search.None? || |outer.search.value.versions| == 0 then
+      true
+    else
+      var num := outer.search.value.versions[0].numberOfBuckets;
+      if num.None? then
+        false
+      else
+        inner.value < num.value
+  }
+
   // convert configured StandardBeacons to internal Beacons
   method {:tailrecursion} AddStandardBeacons(
     beacons : seq<StandardBeacon>,
@@ -588,10 +600,10 @@ module SearchConfigToInfo {
         //# A SharedSet Beacon MUST behave both as [Shared](#shared-initialization) and [AsSet](#asset-initialization).
         case sharedSet(t) => share := Some(t.other); isAsSet := true;
       }
-
     }
+    :- Need(BucketConstraintOk(outer, beacons[0].numberOfBuckets), E("Constrained numberOfBuckets for  " + beacons[0].name + " must be less than the global numberOfBuckets."));
     var newBeacon :- B.MakeStandardBeacon(client, beacons[0].name, beacons[0].length as B.BeaconLength, locString,
-                                          isPartOnly, isAsSet, share);
+                                          isPartOnly, isAsSet, share, beacons[0].numberOfBuckets);
 
     //= specification/searchable-encryption/search-config.md#beacon-version-initialization
     //# Initialization MUST fail if the [terminal location](virtual.md#terminal-location)