m

Author: ajewellamz

DynamoDbEncryption/codegen-patches/DynamoDbEncryptionTransforms/dotnet/dafny-4.8.0.patch

@@ -1,5 +1,5 @@
 diff --git b/DynamoDbEncryption/runtimes/net/Generated/DynamoDbEncryptionTransforms/TypeConversion.cs a/DynamoDbEncryption/runtimes/net/Generated/DynamoDbEncryptionTransforms/TypeConversion.cs
-index 024d2aeb..fae8db3b 100644
+index b7d2a823..0c973183 100644
 --- b/DynamoDbEncryption/runtimes/net/Generated/DynamoDbEncryptionTransforms/TypeConversion.cs
 +++ a/DynamoDbEncryption/runtimes/net/Generated/DynamoDbEncryptionTransforms/TypeConversion.cs
 @@ -7,10 +7,6 @@ namespace AWS.Cryptography.DbEncryptionSDK.DynamoDb.Transforms
@@ -10,6 +10,6 @@ index 024d2aeb..fae8db3b 100644
 -
 -    private const string ISO8601DateFormatNoMS = "yyyy-MM-dd\\THH:mm:ss\\Z";
 -
-     public static AWS.Cryptography.DbEncryptionSDK.DynamoDb.DynamoDbTablesEncryptionConfig FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__S30_DynamoDbTablesEncryptionConfig(software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types._IDynamoDbTablesEncryptionConfig value)
+     public static AWS.Cryptography.DbEncryptionSDK.DynamoDb.AsSet FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__S5_AsSet(software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types._IAsSet value)
      {
-       software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types.DynamoDbTablesEncryptionConfig concrete = (software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types.DynamoDbTablesEncryptionConfig)value; AWS.Cryptography.DbEncryptionSDK.DynamoDb.DynamoDbTablesEncryptionConfig converted = new AWS.Cryptography.DbEncryptionSDK.DynamoDb.DynamoDbTablesEncryptionConfig(); converted.TableEncryptionConfigs = (System.Collections.Generic.Dictionary<string, AWS.Cryptography.DbEncryptionSDK.DynamoDb.DynamoDbTableEncryptionConfig>)FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__S30_DynamoDbTablesEncryptionConfig__M22_tableEncryptionConfigs(concrete._tableEncryptionConfigs); return converted;
+       software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types.AsSet concrete = (software.amazon.cryptography.dbencryptionsdk.dynamodb.internaldafny.types.AsSet)value; AWS.Cryptography.DbEncryptionSDK.DynamoDb.AsSet converted = new AWS.Cryptography.DbEncryptionSDK.DynamoDb.AsSet(); return converted;

DynamoDbEncryption/codegen-patches/DynamoDbItemEncryptor/dotnet/dafny-4.8.0.patch

@@ -1,5 +1,5 @@
 diff --git b/DynamoDbEncryption/runtimes/net/Generated/DynamoDbItemEncryptor/TypeConversion.cs a/DynamoDbEncryption/runtimes/net/Generated/DynamoDbItemEncryptor/TypeConversion.cs
-index e8ca3ce8..35957991 100644
+index b4a90d1b..b5d5046a 100644
 --- b/DynamoDbEncryption/runtimes/net/Generated/DynamoDbItemEncryptor/TypeConversion.cs
 +++ a/DynamoDbEncryption/runtimes/net/Generated/DynamoDbItemEncryptor/TypeConversion.cs
 @@ -7,10 +7,6 @@ namespace AWS.Cryptography.DbEncryptionSDK.DynamoDb.ItemEncryptor
@@ -10,6 +10,6 @@ index e8ca3ce8..35957991 100644
 -
 -    private const string ISO8601DateFormatNoMS = "yyyy-MM-dd\\THH:mm:ss\\Z";
 -
-     public static AWS.Cryptography.Primitives.AwsCryptographicPrimitives FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__N13_itemEncryptor__S25_AtomicPrimitivesReference(software.amazon.cryptography.primitives.internaldafny.types.IAwsCryptographicPrimitivesClient value)
+     public static System.Collections.Generic.Dictionary<string, AWS.Cryptography.DbEncryptionSDK.StructuredEncryption.CryptoAction> FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__S16_AttributeActions(Dafny.IMap<Dafny.ISequence<char>, software.amazon.cryptography.dbencryptionsdk.structuredencryption.internaldafny.types._ICryptoAction> value)
      {
-       if (value is software.amazon.cryptography.primitives.internaldafny.types.IAwsCryptographicPrimitivesClient dafnyValue)
+       return value.ItemEnumerable.ToDictionary(pair => FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__S16_AttributeActions__M3_key(pair.Car), pair => FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N8_dynamoDb__S16_AttributeActions__M5_value(pair.Cdr));

DynamoDbEncryption/codegen-patches/StructuredEncryption/dotnet/dafny-4.8.0.patch

@@ -1,5 +1,5 @@
 diff --git b/DynamoDbEncryption/runtimes/net/Generated/StructuredEncryption/TypeConversion.cs a/DynamoDbEncryption/runtimes/net/Generated/StructuredEncryption/TypeConversion.cs
-index b01717ff..02de5d49 100644
+index df81f311..ac28fc2a 100644
 --- b/DynamoDbEncryption/runtimes/net/Generated/StructuredEncryption/TypeConversion.cs
 +++ a/DynamoDbEncryption/runtimes/net/Generated/StructuredEncryption/TypeConversion.cs
 @@ -7,10 +7,6 @@ namespace AWS.Cryptography.DbEncryptionSDK.StructuredEncryption
@@ -10,6 +10,6 @@ index b01717ff..02de5d49 100644
 -
 -    private const string ISO8601DateFormatNoMS = "yyyy-MM-dd\\THH:mm:ss\\Z";
 -
-     public static AWS.Cryptography.Primitives.AwsCryptographicPrimitives FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N20_structuredEncryption__S25_AtomicPrimitivesReference(software.amazon.cryptography.primitives.internaldafny.types.IAwsCryptographicPrimitivesClient value)
+     public static AWS.Cryptography.Primitives.AtomicPrimitives FromDafny_N3_aws__N12_cryptography__N15_dbEncryptionSdk__N20_structuredEncryption__S25_AtomicPrimitivesReference(software.amazon.cryptography.primitives.internaldafny.types.IAwsCryptographicPrimitivesClient value)
      {
        if (value is software.amazon.cryptography.primitives.internaldafny.types.IAwsCryptographicPrimitivesClient dafnyValue)

DynamoDbEncryption/dafny/DynamoDbEncryption/src/DDBSupport.dfy

@@ -236,6 +236,20 @@ module DynamoDBSupport {
       Failure(E("Value of " + name + " is not numeric (i.e. 'N')"))
   }
 
+  // Unlike Query, Scan must not specify BucketName nor BucketQueriesName
+  function method TestBucketForScan(names : Option<DDB.ExpressionAttributeValueMap>)
+    : Result<bool, Error>
+  {
+    if names.None? then
+      Success(true)
+    else if BucketName in names.value then
+      Failure(E("A value for " + BucketName + " must not be specified for Scan operations."))
+    else if BucketQueriesName in names.value then
+      Failure(E("A value for " + BucketQueriesName + " must not be specified for Scan operations."))
+    else
+      Success(true)
+  }
+
   // If names[":aws_dbe_bucket"] holds S(N)' return (Some(names - {":aws_dbe_bucket"}), Some(N))
   // else return (None, None)
   function method ExtractBucketNumber(names : Option<DDB.ExpressionAttributeValueMap>)
@@ -400,10 +414,11 @@ module DynamoDBSupport {
       return Success(req);
     } else {
       var keyId :- Filter.GetBeaconKeyId(search.value.curr(), None, req.FilterExpression, req.ExpressionAttributeValues, req.ExpressionAttributeNames);
-      var foo :- ExtractBucket(search.value.curr(), req.FilterExpression, None, req.ExpressionAttributeNames, req.ExpressionAttributeValues, actions);
-      var (newValues, bucket, bucket_queries) := foo;
-      var context := Filter.ExprContext(None, req.FilterExpression, newValues, req.ExpressionAttributeNames);
-      var newContext :- Filter.DoBeaconize(search.value.curr(), context, keyId, bucket, bucket_queries);
+      var _ :- TestBucketForScan(req.ExpressionAttributeValues);
+      var context := Filter.ExprContext(None, req.FilterExpression, req.ExpressionAttributeValues, req.ExpressionAttributeNames);
+      // For Scan, we always treat it as {:aws_dbe_bucket := 0, :aws_dbe_bucket_queries := 1}
+      var numQueries := if search.value.curr().numBuckets == 1 then None else Some(1);
+      var newContext :- Filter.DoBeaconize(search.value.curr(), context, keyId, 0, Some(1));
       return Success(req.(
                      FilterExpression := newContext.filterExpr,
                      ExpressionAttributeNames := newContext.names,

DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy

@@ -1789,6 +1789,18 @@ module DynamoDBFilterExpr {
     var result_filter := old_context.filterExpr.value;
     var new_values := SortedSets.ComputeSetToSequence(new_context.values.value.Keys);
     SequenceIsSafeBecauseItIsInMemory(new_values);
+    var allUnchanged := true;
+    for i : uint64 := 0 to |new_values| as uint64
+    {
+      if new_values[i] !in old_context.values.value {
+        allUnchanged := false;
+        break;
+      }
+    }
+    if allUnchanged {
+      return Success(old_context);
+    }
+
     for i : uint64 := 0 to |new_values| as uint64
     {
       var key := new_values[i];

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/src/Index.dfy

@@ -310,6 +310,7 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.transform
 
     constructor {:vcs_split_on_every_assert} (config: Operations.InternalConfig)
     {
+      assert Operations.ValidInternalConfig?(config);
       this.config := config;
       History := new IDynamoDbEncryptionTransformsClientCallHistory();
       Modifies := Operations.ModifiesInternalConfig(config) + {History};

TestVectors/dafny/DDBEncryption/src/TestVectors.dfy

@@ -80,7 +80,6 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       ensures GetBucketNumberEnsuresPublicly(input, output)
       ensures unchanged(History)
     {
-      // print "\nGetBucketNumber\n", input.item, "\n";
       expect "PreferredBucket" in input.item;
       expect input.item["PreferredBucket"].N?;
       var bucket :- expect StrToInt(input.item["PreferredBucket"].N);
@@ -241,8 +240,30 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       }
     }
 
-    method TestBucketQueries(client : DDB.IDynamoDBClient, numQueries : nat, q : DDB.QueryInput, queryName : string, custom : bool := false, filtered : bool := false)
+    method TestBucketQueryFailure(client : DDB.IDynamoDBClient, bucket : nat, query : DDB.QueryInput, counts : array<int>, queryName : string, custom : bool, filtered : bool, numQueries : nat)
+      requires counts.Length == 100
+      requires client.ValidState()
+      requires client.Modifies !! {counts}
       requires 0 < numQueries
+      ensures client.ValidState()
+      modifies client.Modifies
+      modifies counts
+    {
+      var bucketNumber := DDB.AttributeValue.N(String.Base10Int2String(bucket));
+      var values : DDB.ExpressionAttributeValueMap := query.ExpressionAttributeValues.UnwrapOr(map[]);
+      values := values[":aws_dbe_bucket" := bucketNumber];
+      if filtered {
+        var bucketQueries := DDB.AttributeValue.N(String.Base10Int2String(numQueries));
+        values := values[":aws_dbe_bucket_queries" := bucketQueries];
+      }
+      var q := query.(ExpressionAttributeValues := Some(values));
+      var result := client.Query(q);
+      // expect result.Failure?;
+    }
+
+
+    method TestBucketQueries(client : DDB.IDynamoDBClient, numQueries : nat, q : DDB.QueryInput, queryName : string, custom : bool := false, filtered : bool := false)
+      requires 0 < numQueries <= 5
       requires client.ValidState()
       ensures client.ValidState()
       modifies client.Modifies
@@ -251,6 +272,10 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       for i := 0 to numQueries {
         DoBucketQuery(client, i, q, counts, queryName, custom, filtered, numQueries);
       }
+      for i := numQueries to 5 {
+        TestBucketQueryFailure(client, i, q, counts, queryName, custom, filtered, numQueries);
+      }
+
       var wasBad : bool := false;
       for i := 0 to 100 {
         if counts[i] == 0 {