Merge branch 'main' into seebees/optimize-below

Author: ajewellamz

.github/workflows/ci_test_latest_released_mpl_java.yml

@@ -0,0 +1,126 @@
+# This workflow is for testing that the latest released version
+# of the MPL is compatible with the current DB-ESDK Head
+name: Test Latest Released MPL Java with DB-ESDK HEAD
+
+on:
+  schedule:
+    - cron: "00 16 * * 1-5"
+  workflow_dispatch: # allows triggering this manually through the Actions UI
+    inputs:
+      run_test_vectors:
+        description: "Run Test Vectors?"
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  getVersion:
+    # Don't run the cron builds on forks
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/dafny_version.yml
+  getVerifyVersion:
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/dafny_verify_version.yml
+  getMplDependencyJavaVersion:
+    if: github.event_name != 'schedule' || github.repository_owner == 'aws'
+    uses: ./.github/workflows/mpl_dependency_java_version.yml
+  testJava:
+    needs: [getVersion, getMplDependencyJavaVersion]
+    strategy:
+      max-parallel: 1
+      matrix:
+        java-version: [17]
+        os: [ubuntu-22.04]
+    runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2
+          role-session-name: DDBEC-Dafny-Java-Tests
+
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: Setup Java ${{ matrix.java-version }}
+        uses: actions/setup-java@v4
+        with:
+          distribution: "corretto"
+          java-version: ${{ matrix.java-version }}
+
+      - name: Setup Dafny
+        uses: dafny-lang/[email protected]
+        with:
+          dafny-version: ${{ needs.getVersion.outputs.version }}
+
+      - name: Regenerate code using smithy-dafny if necessary
+        if: ${{ inputs.regenerate-code }}
+        uses: ./.github/actions/polymorph_codegen
+        with:
+          dafny: ${{ env.DAFNY_VERSION }}
+          library: DynamoDbEncryption
+          diff-generated-code: false
+          update-and-regenerate-mpl: true
+
+      # The following two steps: "Build and deploy to maven local" and "Run Extensive Tests"
+      # mimic the tests in ./codebuild/staging/release-staging.yml
+      - name: Build and deploy to maven local
+        shell: bash
+        working-directory: ./DynamoDbEncryption
+        run: |
+          # Run transpile by itself. We don't want to locally build the MPL because
+          # we want to verify that the version pulled down from maven works correctly
+          make transpile_implementation_java
+          make transpile_test_java
+          make mvn_local_deploy
+          make test_java
+
+      - name: Run Extensive Tests
+        working-directory: ./DynamoDbEncryption
+        run: |
+          gradle -p runtimes/java clean
+          gradle -p runtimes/java test
+
+      # This makes sure that we are using the correct MPL version to test the DB-ESDK.
+      # If this contains a SNAPSHOT version, this will fail because'
+      # we are NOT building the MPL recursively but pulling from Maven.
+      - name: Update project.properties to use the correct MPL version (from project.properties in DB-ESDK)
+        working-directory: ./submodules/MaterialProviders/
+        run: |
+          sed "s/mplVersion=.*/mplVersion=${{needs.getMplDependencyJavaVersion.outputs.version}}/g" project.properties > project.properties2; mv project.properties2 project.properties
+
+      # The following three steps: "Transpile MPL Test Vectors without recursively building the MPL",
+      # "Run Test Vectors", and "Test Examples" mimic the tests in ./codebuild/staging/validate-staging.yml
+      - name: Transpile MPL Test Vectors without recursively building the MPL
+        working-directory: ./submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders
+        run: |
+          # Run transpile by itself. We don't want to locally build the MPL because
+          # we want to verify that the version pulled down from maven works correctly
+          make transpile_implementation_java
+          make transpile_test_java
+          make mvn_local_deploy
+
+      - name: Run Test Vectors
+        if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && ${{inputs.run_test_vectors}})
+        working-directory: ./TestVectors
+        run: |
+          # Spin up ddb local
+          docker run --name dynamodb -d -p 8000:8000 amazon/dynamodb-local -jar DynamoDBLocal.jar -port 8000 -inMemory -cors *
+          # Run transpile by itself so we don't locally build the MPL.
+          make transpile_implementation_java
+          make transpile_test_java
+          gradle -p runtimes/java runTests
+
+      - name: Test Examples
+        working-directory: ./Examples
+        run: |
+          # Run Simple Examples
+          gradle -p runtimes/java/DynamoDbEncryption test
+          # Run Migration Examples
+          gradle -p runtimes/java/Migration/PlaintextToAWSDBE test
+          gradle -p runtimes/java/Migration/DDBECToAWSDBE test

.github/workflows/ci_todos.yml

@@ -17,8 +17,8 @@ jobs:
         shell: bash
         # TODOs may be committed as long as the same line contains a link to a Github Issue or refers to a CrypTool SIM.
         run: |
-          ALL_TODO_COUNT=$( { grep -r "TODO" . --exclude-dir=./TestVectors/runtimes --exclude-dir=./submodules --exclude-dir=./.git --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
-          GOOD_TODO_COUNT=$( { grep -r "TODO.*\(github.com\/.*issues.*\/[1-9][0-9]*\|CrypTool-[1-9][0-9]*\)" . --exclude-dir=./submodules --exclude-dir=./.git  --exclude-dir=./TestVectors/runtimes --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
+          ALL_TODO_COUNT=$( { grep -r "TODO" . --exclude-dir=./releases --exclude-dir=./TestVectors/runtimes --exclude-dir=./submodules --exclude-dir=./.git --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
+          GOOD_TODO_COUNT=$( { grep -r "TODO.*\(github.com\/.*issues.*\/[1-9][0-9]*\|CrypTool-[1-9][0-9]*\)" . --exclude-dir=./releases --exclude-dir=./submodules --exclude-dir=./.git  --exclude-dir=./TestVectors/runtimes --exclude=./.github/workflows/ci_todos.yml || true; } | wc -l)
           if [ "$ALL_TODO_COUNT" != "$GOOD_TODO_COUNT" ]; then
             exit 1;
           fi

.github/workflows/mpl_dependency_java_version.yml

@@ -0,0 +1,25 @@
+# This workflow reads the project.properties
+# into the environment variables
+# and then creates an output variable for `mplDependencyJavaVersion`
+name: MPL Dependency Java Version
+
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "The MPL Dependency Java version from project.properties"
+        value: ${{ jobs.getMplDependencyJavaVersion.outputs.version }}
+
+jobs:
+  getMplDependencyJavaVersion:
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.read_property.outputs.mplDependencyJavaVersion }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Read version from Properties-file
+        id: read_property
+        uses: christian-draeger/[email protected]
+        with:
+          path: "./project.properties"
+          properties: "mplDependencyJavaVersion"

.github/workflows/mpl_head_version.yml

@@ -1,6 +1,6 @@
-# This workflow reads the project.properties
+# This workflow reads the project.properties in the MPL submodule
 # into the environment variables
-# and then creates an output variable for `dafnyVerifyVersion `
+# and then creates an output variable for `mplVersion`
 name: MPL HEAD Version
 
 on:
@@ -13,7 +13,7 @@ on:
         type: string
     outputs:
       version:
-        description: "The dafny version for verify"
+        description: "The MPL version"
         value: ${{ jobs.getMplHeadVersion.outputs.version }}
 
 jobs:

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-## [3.8.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.7.0...v3.8.0) (2025-01-27)
+## [3.8.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.7.0...v3.8.0) (2025-02-05)
 
 This release is available in the following languages:
 
@@ -9,6 +9,7 @@ This release is available in the following languages:
 ### Features
 
 - **SharedCache:** Shared Cache for Searchable Encryption ([#1476](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1476)) ([46076f8](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/46076f86aec77f7df204c1e06a8ecb2400f01b6f))
+- bump to dafny 4.9.0 and mpl 1.9.0 ([#1627](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1627))
 
 ### Fixes
 
@@ -21,6 +22,12 @@ This release is available in the following languages:
 
 ### Maintenance
 
+- make const policy an extern ([#1587](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1587)) ([be3b96e](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/be3b96e7d6c441aee3b87862a2989309560413ba))
+- mpl: Bump to 1.9.0 ([#1621](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1621)) ([04a8eb2](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/04a8eb2ec84e57b795562618331e9c7e6f0de0c4))
+- release Rust 1.0.0 ([#1612](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1612)) ([3392200](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/3392200e2c844710a2d1b6d9c9942c8b9769f71e))
+- remove unsafe from interceptor ([#1620](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1620)) ([f6ef3f4](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/f6ef3f4b05010aa06f5a0f7f0d48ca05db4f71f1))
+- TestVectors: Reuse single KeyVectors client across TestVectors ([#1577](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1577)) ([dabcaf1](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/dabcaf12c198bd3dda78996a42ae5a5682f2b88a))
+- update for async support ([#1560](https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/1560)) ([700f939](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/700f939e9e5c5e8ed7f7880ea74213231ab6e6ed))
 - add dependabot for rust ([#1481](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1481)) ([67f3d2e](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/67f3d2e567b513a53d208f60ec6991a0b6c825d0))
 - Add ECDH examples ([#1461](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1461)) ([cc937b4](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/cc937b41190c17e1087acbdcd524becc1a97e214))
 - add Rust release directory ([#1479](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1479)) ([97dde01](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/97dde01a3b6d9a33a8b60dcb6e63debc5329d691))

DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy

@@ -176,7 +176,7 @@ module SearchConfigToInfo {
     var cache;
     if cacheType.Shared? {
       cache := cacheType.Shared;
-      reveal ValidSharedCache(config);
+      reveal ValidSharedCache();
     } else {
       //= specification/searchable-encryption/search-config.md#key-store-cache
       //# For a Beacon Key Source a [CMC](../../submodules/MaterialProviders/aws-encryption-sdk-specification/framework/cryptographic-materials-cache.md)

DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/InternalLegacyOverride.dfy

@@ -13,7 +13,7 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencry
     static method {:extern} Build(encryptorConfig: Types.DynamoDbItemEncryptorConfig)
       returns (output: Result<Option<InternalLegacyOverride>, Types.Error>)
 
-    const policy: DDBE.LegacyPolicy
+    const {:extern} policy: DDBE.LegacyPolicy
 
     method {:extern} EncryptItem(input: Types.EncryptItemInput)
       returns (output: Result<Types.EncryptItemOutput, Types.Error>)

DynamoDbEncryption/runtimes/net/Extern/InternalLegacyConfig.cs

@@ -8,7 +8,18 @@ namespace software.amazon.cryptography.dbencryptionsdk.dynamodb.itemencryptor.in
 
   public partial class InternalLegacyOverride
   {
-
+    public software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types._ILegacyPolicy _policy
+    {
+      get => software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types.LegacyPolicy.create_FORBID__LEGACY__ENCRYPT__FORBID__LEGACY__DECRYPT();
+      set { }
+    }
+    public software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types._ILegacyPolicy policy
+    {
+      get
+      {
+        return this._policy;
+      }
+    }
     public static Wrappers_Compile._IResult<
       Wrappers_Compile._IOption<InternalLegacyOverride>,
       _IError

DynamoDbEncryption/runtimes/rust/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "aws-db-esdk"
-version = "0.2.0"
+version = "1.0.0"
 edition = "2021"
 rust-version = "1.81.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]

DynamoDbEncryption/runtimes/rust/src/intercept.rs

@@ -91,9 +91,6 @@ impl DbEsdkInterceptor {
     }
 }
 
-unsafe impl Sync for DbEsdkInterceptor {}
-unsafe impl Send for DbEsdkInterceptor {}
-
 #[derive(Debug)]
 struct OriginalRequest(Input);