m

ajewellamz · ajewellamz · commit a47d6f8080c8 · 2025-08-01T09:27:32.000-04:00
diff --git a/DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy b/DynamoDbEncryption/dafny/DynamoDbEncryption/src/FilterExpr.dfy
@@ -44,6 +44,7 @@ module DynamoDBFilterExpr {
   import SE = AwsCryptographyDbEncryptionSdkStructuredEncryptionTypes
   import Norm = DynamoDbNormalizeNumber
   import StandardLibrary.Sequence
+  import SortedSets
 
   // extract all the attributes from a filter expression
   // except for those which do not need the attribute's value
@@ -1746,6 +1747,71 @@ module DynamoDBFilterExpr {
     names : Option<DDB.ExpressionAttributeNameMap>
   )
 
+  // transform index into character
+  function method AsChar(x : uint32) : (output : char)
+    requires x < 26
+    ensures 'A' <= output <= 'Z'
+  {
+    'A' + x as char
+  }
+
+  // try different prefixes on `prev` until something is found that is not in `values`
+  method MakeNewName(prev : string, values : DDB.ExpressionAttributeValueMap) returns (output : Result<string, Error>)
+    requires 0 < |prev|
+    ensures output.Success? ==>
+              && 0 < |output.value|
+              && prev < output.value
+              && output.value !in values
+  {
+    var ch : char := 'A';
+    for i : uint32 := 0 to 26 {
+      for j : uint32 := 0 to 26 {
+        var new_str := prev + [AsChar(i), AsChar(j)];
+        if new_str !in values {
+          return Success(new_str);
+        }
+      }
+    }
+    return Failure(E("Could not find new name"));
+  }
+
+  // Combine old_context and new_context, assuming that both came from Beaconize called with different bucket numbers
+  // this updates values and filterExpr, e.g
+  // old_context : filterExpr = "(X = :x)" values = {":x" := "aaa"}
+  // new_context : filterExpr = "X = :x" values = {":x" := "bbb"}
+  // output : filterExpr = "(X = :x) OR (X = :xAA)" values = {":x" := "aaa", "xAA" := "bbb"}
+  method AddContext(old_context : ExprContext, new_context : ExprContext) returns (output : Result<ExprContext, Error>)
+  {
+    if old_context.filterExpr.None? || new_context.filterExpr.None? || old_context.values.None? || new_context.values.None? || new_context.values == old_context.values {
+      return Success(old_context);
+    }
+    var result_values := old_context.values.value;
+    var result_filter := old_context.filterExpr.value;
+    var new_values := SortedSets.ComputeSetToSequence(new_context.values.value.Keys);
+    SequenceIsSafeBecauseItIsInMemory(new_values);
+    for i : uint64 := 0 to |new_values| as uint64
+    {
+      var key := new_values[i];
+      if key in old_context.values.value && new_context.values.value[key] != old_context.values.value[key] {
+        if old_context.keyExpr.Some? {
+          var keyInIndex := String.HasSubString(old_context.keyExpr.value, key);
+          if keyInIndex.Some? {
+            return Failure(E("The value " + key + " is referenced by both the KeyConditionExpression and the FilterExpression, which is not allowed."));
+          }
+        }
+        if 0 == |key| {
+          return Failure(E("Unexpected zero length key in ExpressionAttributeValueMap"));
+        }
+        var new_key :- MakeNewName(key, result_values);
+        result_values := result_values[new_key := new_context.values.value[key]];
+        var nFilter := String.SearchAndReplaceAll(new_context.filterExpr.value, key, new_key);
+        result_filter := result_filter + " OR (" + nFilter + ")";
+      }
+    }
+    return Success(old_context.(filterExpr := Some(result_filter), values := Some(result_values)));
+  }
+
+  // Call Beaconize, possibly multiple times if fewer queries than buckets
   method DoBeaconize(
     b : SI.BeaconVersion,
     context : ExprContext,
@@ -1760,40 +1826,28 @@ module DynamoDBFilterExpr {
     ensures b.ValidState()
     modifies b.Modifies()
   {
-    if queries.None? || queries.value == b.numBuckets || (b.numBuckets - bucket) <= queries.value {
+    if queries.None? || queries.value == b.numBuckets || (b.numBuckets - bucket) <= queries.value || context.filterExpr.None? {
       output := Beaconize(b, context, keyId, bucket);
     } else {
       var curr_bucket : BucketNumber := bucket;
-      var exprs : seq<string> := [];
-      var tmpOutput : ExprContext := ExprContext(None, None, None, None);
+      var tmpOutput : ExprContext := context;
       while curr_bucket < b.numBuckets
         invariant b.ValidState()
       {
-        tmpOutput :- Beaconize(b, context, keyId, curr_bucket);
-        if tmpOutput.filterExpr.Some? {
-          if tmpOutput.filterExpr.value !in exprs {
-            exprs := exprs + [tmpOutput.filterExpr.value];
-          }
+        var localOut :- Beaconize(b, context, keyId, curr_bucket);
+        if curr_bucket == bucket {
+          var old_filter := localOut.filterExpr.UnwrapOr("");
+          tmpOutput := localOut.(filterExpr := Some("(" + old_filter + ")"));
+        } else {
+          tmpOutput :- AddContext(tmpOutput, localOut);
         }
         if (b.numBuckets - curr_bucket) <= queries.value {
           break;
         } else {
           curr_bucket := curr_bucket + queries.value;
         }
       }
-      if |exprs| < 2 {
-        return Success(tmpOutput);
-      } else {
-        var new_filter : string := "";
-        SequenceIsSafeBecauseItIsInMemory(exprs);
-        for i : uint64 := 0 to |exprs| as uint64 {
-          if i != 0 {
-            new_filter := new_filter + " OR ";
-          }
-          new_filter := new_filter + "(" + exprs[i] + ")";
-        }
-        return Success(tmpOutput.(filterExpr := Some(new_filter)));
-      }
+      return Success(tmpOutput);
     }
   }
 
diff --git a/TestVectors/dafny/DDBEncryption/src/TestVectors.dfy b/TestVectors/dafny/DDBEncryption/src/TestVectors.dfy
@@ -184,11 +184,11 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       ]
     }
 
-    method DoBucketQuery(client : DDB.IDynamoDBClient, bucket : nat, query : DDB.QueryInput, counts : array<int>, queryName : string, custom : bool, numBuckets : nat)
+    method DoBucketQuery(client : DDB.IDynamoDBClient, bucket : nat, query : DDB.QueryInput, counts : array<int>, queryName : string, custom : bool, filtered : bool, numQueries : nat)
       requires counts.Length == 100
       requires client.ValidState()
       requires client.Modifies !! {counts}
-      requires 0 < numBuckets
+      requires 0 < numQueries
       ensures client.ValidState()
       modifies client.Modifies
       modifies counts
@@ -201,7 +201,12 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       {
         var bucketNumber := DDB.AttributeValue.N(String.Base10Int2String(bucket));
         var values : DDB.ExpressionAttributeValueMap := query.ExpressionAttributeValues.UnwrapOr(map[]);
-        var q := query.(ExclusiveStartKey := lastKey, ExpressionAttributeValues := Some(values[":aws_dbe_bucket" := bucketNumber]));
+        values := values[":aws_dbe_bucket" := bucketNumber];
+        if filtered {
+          var bucketQueries := DDB.AttributeValue.N(String.Base10Int2String(numQueries));
+          values := values[":aws_dbe_bucket_queries" := bucketQueries];
+        }
+        var q := query.(ExclusiveStartKey := lastKey, ExpressionAttributeValues := Some(values));
         var result :- expect client.Query(q);
         if result.Items.Some? {
           numReturned := numReturned + |result.Items.value|;
@@ -220,7 +225,7 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
               expect "PreferredBucket" in item;
               expect item["PreferredBucket"].N?;
               var stored_bucket :- expect StrToInt(item["PreferredBucket"].N);
-              expect bucket == stored_bucket % numBuckets;
+              expect bucket == stored_bucket % numQueries;
             }
           }
         }
@@ -236,15 +241,15 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       }
     }
 
-    method TestBucketQueries(client : DDB.IDynamoDBClient, numBuckets : nat, q : DDB.QueryInput, queryName : string, custom : bool := false)
-      requires 0 < numBuckets
+    method TestBucketQueries(client : DDB.IDynamoDBClient, numQueries : nat, q : DDB.QueryInput, queryName : string, custom : bool := false, filtered : bool := false)
+      requires 0 < numQueries
       requires client.ValidState()
       ensures client.ValidState()
       modifies client.Modifies
     {
       var counts: array<int> := new int[100](i => 0);
-      for i := 0 to numBuckets {
-        DoBucketQuery(client, i, q, counts, queryName, custom, numBuckets);
+      for i := 0 to numQueries {
+        DoBucketQuery(client, i, q, counts, queryName, custom, filtered, numQueries);
       }
       var wasBad : bool := false;
       for i := 0 to 100 {
@@ -279,6 +284,56 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
         ExpressionAttributeValues := Some(map[":attr1" := DDB.AttributeValue.S("AAAA"), ":attr5" := DDB.AttributeValue.S("EEEE")])
       )
     }
+    function GetBucketQuery15F() : DDB.QueryInput
+    {
+      DDB.QueryInput(
+        TableName := TableName,
+        IndexName := Some("ATTR_INDEX1"),
+        FilterExpression := Some("Attr5 = :attr5"),
+        KeyConditionExpression := Some("Attr1 = :attr1"),
+        ExpressionAttributeValues := Some(map[":attr1" := DDB.AttributeValue.S("AAAA"), ":attr5" := DDB.AttributeValue.S("EEEE")])
+      )
+    }
+    function GetBucketQuery25F() : DDB.QueryInput
+    {
+      DDB.QueryInput(
+        TableName := TableName,
+        IndexName := Some("ATTR_INDEX2"),
+        FilterExpression := Some("Attr5 = :attr5"),
+        KeyConditionExpression := Some("Attr2 = :attr2"),
+        ExpressionAttributeValues := Some(map[":attr2" := DDB.AttributeValue.S("BBBB"), ":attr5" := DDB.AttributeValue.S("EEEE")])
+      )
+    }
+    function GetBucketQuery35F() : DDB.QueryInput
+    {
+      DDB.QueryInput(
+        TableName := TableName,
+        IndexName := Some("ATTR_INDEX3"),
+        FilterExpression := Some("Attr5 = :attr5"),
+        KeyConditionExpression := Some("Attr3 = :attr3"),
+        ExpressionAttributeValues := Some(map[":attr3" := DDB.AttributeValue.S("CCCC"), ":attr5" := DDB.AttributeValue.S("EEEE")])
+      )
+    }
+    function GetBucketQuery45F() : DDB.QueryInput
+    {
+      DDB.QueryInput(
+        TableName := TableName,
+        IndexName := Some("ATTR_INDEX4"),
+        FilterExpression := Some("Attr5 = :attr5"),
+        KeyConditionExpression := Some("Attr4 = :attr4"),
+        ExpressionAttributeValues := Some(map[":attr4" := DDB.AttributeValue.S("DDDD"), ":attr5" := DDB.AttributeValue.S("EEEE")])
+      )
+    }
+    function GetBucketQuery23() : DDB.QueryInput
+    {
+      DDB.QueryInput(
+        TableName := TableName,
+        IndexName := Some("ATTR_INDEX23"),
+        FilterExpression := None,
+        KeyConditionExpression := Some("Attr2 = :attr2 and Attr3 = :attr3"),
+        ExpressionAttributeValues := Some(map[":attr2" := DDB.AttributeValue.S("BBBB"), ":attr3" := DDB.AttributeValue.S("CCCC")])
+      )
+    }
     function GetBucketQuery51() : DDB.QueryInput
     {
       DDB.QueryInput(
@@ -360,8 +415,15 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       TestBucketQueries(rClient, 3, GetBucketQuery3(), "bucket query 3");
       TestBucketQueries(rClient, 2, GetBucketQuery2(), "bucket query 2");
       TestBucketQueries(rClient, 1, GetBucketQuery1(), "bucket query 1");
-      TestBucketQueries(rClient, 5, GetBucketQuery15(), "bucket query 5");
-      TestBucketQueries(rClient, 5, GetBucketQuery51(), "bucket query 5");
+
+      TestBucketQueries(rClient, 5, GetBucketQuery15(), "bucket query 15");
+      TestBucketQueries(rClient, 5, GetBucketQuery51(), "bucket query 51");
+      TestBucketQueries(rClient, 5, GetBucketQuery23(), "bucket query 23");
+
+      TestBucketQueries(rClient, 1, GetBucketQuery15F(), "bucket query 15F", false, true);
+      TestBucketQueries(rClient, 2, GetBucketQuery25F(), "bucket query 25F", false, true);
+      TestBucketQueries(rClient, 3, GetBucketQuery35F(), "bucket query 35F", false, true);
+      TestBucketQueries(rClient, 4, GetBucketQuery45F(), "bucket query 45F", false, true);
     }
 
     // As BucketTest1, but with custom bucket selector
@@ -388,8 +450,15 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       TestBucketQueries(rClient, 3, GetBucketQuery3(), "bucket query 3", true);
       TestBucketQueries(rClient, 2, GetBucketQuery2(), "bucket query 2", true);
       TestBucketQueries(rClient, 1, GetBucketQuery1(), "bucket query 1", true);
-      TestBucketQueries(rClient, 5, GetBucketQuery15(), "bucket query 5", true);
-      TestBucketQueries(rClient, 5, GetBucketQuery51(), "bucket query 5", true);
+
+      TestBucketQueries(rClient, 5, GetBucketQuery15(), "bucket query 15", true);
+      TestBucketQueries(rClient, 5, GetBucketQuery51(), "bucket query 51", true);
+      TestBucketQueries(rClient, 5, GetBucketQuery23(), "bucket query 23", true);
+
+      TestBucketQueries(rClient, 1, GetBucketQuery15F(), "bucket query 15F", true, true);
+      TestBucketQueries(rClient, 2, GetBucketQuery25F(), "bucket query 25F", true, true);
+      TestBucketQueries(rClient, 3, GetBucketQuery35F(), "bucket query 35F", true, true);
+      TestBucketQueries(rClient, 4, GetBucketQuery45F(), "bucket query 45F", true, true);
     }
 
     function NewOrderRecord(i : nat, str : string) : Record
