m

Author: ajewellamz

DynamoDbEncryption/dafny/DynamoDbEncryption/Model/AwsCryptographyDbEncryptionSdkDynamoDbTypes.dfy

@@ -55,79 +55,6 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
   predicate method IsValid_BeaconVersionList(x: seq<BeaconVersion>) {
     ( 1 <= |x| <= 1 )
   }
-  type PartitionCount = x: int32 | IsValid_PartitionCount(x) witness *
-  predicate method IsValid_PartitionCount(x: int32) {
-    ( 1 <= x <= 255 )
-  }
-  type PartitionNumber = x: int32 | IsValid_PartitionNumber(x) witness *
-  predicate method IsValid_PartitionNumber(x: int32) {
-    ( 0 <= x <= 254 )
-  }
-  class IPartitionSelectorCallHistory {
-    ghost constructor() {
-      GetPartitionNumber := [];
-    }
-    ghost var GetPartitionNumber: seq<DafnyCallEvent<GetPartitionNumberInput, Result<GetPartitionNumberOutput, Error>>>
-  }
-  trait {:termination false} IPartitionSelector
-  {
-    // Helper to define any additional modifies/reads clauses.
-    // If your operations need to mutate state,
-    // add it in your constructor function:
-    // Modifies := {your, fields, here, History};
-    // If you do not need to mutate anything:
-    // Modifies := {History};
-
-    ghost const Modifies: set<object>
-    // For an unassigned field defined in a trait,
-    // Dafny can only assign a value in the constructor.
-    // This means that for Dafny to reason about this value,
-    // it needs some way to know (an invariant),
-    // about the state of the object.
-    // This builds on the Valid/Repr paradigm
-    // To make this kind requires safe to add
-    // to methods called from unverified code,
-    // the predicate MUST NOT take any arguments.
-    // This means that the correctness of this requires
-    // MUST only be evaluated by the class itself.
-    // If you require any additional mutation,
-    // then you MUST ensure everything you need in ValidState.
-    // You MUST also ensure ValidState in your constructor.
-    predicate ValidState()
-      ensures ValidState() ==> History in Modifies
-    ghost const History: IPartitionSelectorCallHistory
-    predicate GetPartitionNumberEnsuresPublicly(input: GetPartitionNumberInput , output: Result<GetPartitionNumberOutput, Error>)
-    // The public method to be called by library consumers
-    method GetPartitionNumber ( input: GetPartitionNumberInput )
-      returns (output: Result<GetPartitionNumberOutput, Error>)
-      requires
-        && ValidState()
-      modifies Modifies - {History} ,
-               History`GetPartitionNumber
-      // Dafny will skip type parameters when generating a default decreases clause.
-      decreases Modifies - {History}
-      ensures
-        && ValidState()
-      ensures GetPartitionNumberEnsuresPublicly(input, output)
-      ensures History.GetPartitionNumber == old(History.GetPartitionNumber) + [DafnyCallEvent(input, output)]
-    {
-      output := GetPartitionNumber' (input);
-      History.GetPartitionNumber := History.GetPartitionNumber + [DafnyCallEvent(input, output)];
-    }
-    // The method to implement in the concrete class.
-    method GetPartitionNumber' ( input: GetPartitionNumberInput )
-      returns (output: Result<GetPartitionNumberOutput, Error>)
-      requires
-        && ValidState()
-      modifies Modifies - {History}
-      // Dafny will skip type parameters when generating a default decreases clause.
-      decreases Modifies - {History}
-      ensures
-        && ValidState()
-      ensures GetPartitionNumberEnsuresPublicly(input, output)
-      ensures unchanged(History)
-
-  }
   type Char = x: string | IsValid_Char(x) witness *
   predicate method IsValid_Char(x: string) {
     ( 1 <= |x| <= 1 )
@@ -348,14 +275,6 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
   datatype GetBranchKeyIdFromDdbKeyOutput = | GetBranchKeyIdFromDdbKeyOutput (
     nameonly branchKeyId: string
   )
-  datatype GetPartitionNumberInput = | GetPartitionNumberInput (
-    nameonly item: ComAmazonawsDynamodbTypes.AttributeMap ,
-    nameonly numberOfPartitions: PartitionCount ,
-    nameonly logicalTableName: string
-  )
-  datatype GetPartitionNumberOutput = | GetPartitionNumberOutput (
-    nameonly partitionNumber: PartitionNumber
-  )
   datatype GetEncryptedDataKeyDescriptionInput = | GetEncryptedDataKeyDescriptionInput (
     nameonly input: GetEncryptedDataKeyDescriptionUnion
   )
@@ -365,6 +284,14 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
   datatype GetEncryptedDataKeyDescriptionUnion =
     | header(header: seq<uint8>)
     | item(item: ComAmazonawsDynamodbTypes.AttributeMap)
+  datatype GetPartitionNumberInput = | GetPartitionNumberInput (
+    nameonly item: ComAmazonawsDynamodbTypes.AttributeMap ,
+    nameonly numberOfPartitions: PartitionCount ,
+    nameonly logicalTableName: string
+  )
+  datatype GetPartitionNumberOutput = | GetPartitionNumberOutput (
+    nameonly partitionNumber: PartitionNumber
+  )
   datatype GetPrefix = | GetPrefix (
     nameonly length: int32
   )
@@ -441,6 +368,79 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.internald
     nameonly cache: Option<AwsCryptographyMaterialProvidersTypes.CacheType> := Option.None ,
     nameonly partitionId: Option<string> := Option.None
   )
+  type PartitionCount = x: int32 | IsValid_PartitionCount(x) witness *
+  predicate method IsValid_PartitionCount(x: int32) {
+    ( 1 <= x <= 255 )
+  }
+  type PartitionNumber = x: int32 | IsValid_PartitionNumber(x) witness *
+  predicate method IsValid_PartitionNumber(x: int32) {
+    ( 0 <= x <= 254 )
+  }
+  class IPartitionSelectorCallHistory {
+    ghost constructor() {
+      GetPartitionNumber := [];
+    }
+    ghost var GetPartitionNumber: seq<DafnyCallEvent<GetPartitionNumberInput, Result<GetPartitionNumberOutput, Error>>>
+  }
+  trait {:termination false} IPartitionSelector
+  {
+    // Helper to define any additional modifies/reads clauses.
+    // If your operations need to mutate state,
+    // add it in your constructor function:
+    // Modifies := {your, fields, here, History};
+    // If you do not need to mutate anything:
+    // Modifies := {History};
+
+    ghost const Modifies: set<object>
+    // For an unassigned field defined in a trait,
+    // Dafny can only assign a value in the constructor.
+    // This means that for Dafny to reason about this value,
+    // it needs some way to know (an invariant),
+    // about the state of the object.
+    // This builds on the Valid/Repr paradigm
+    // To make this kind requires safe to add
+    // to methods called from unverified code,
+    // the predicate MUST NOT take any arguments.
+    // This means that the correctness of this requires
+    // MUST only be evaluated by the class itself.
+    // If you require any additional mutation,
+    // then you MUST ensure everything you need in ValidState.
+    // You MUST also ensure ValidState in your constructor.
+    predicate ValidState()
+      ensures ValidState() ==> History in Modifies
+    ghost const History: IPartitionSelectorCallHistory
+    predicate GetPartitionNumberEnsuresPublicly(input: GetPartitionNumberInput , output: Result<GetPartitionNumberOutput, Error>)
+    // The public method to be called by library consumers
+    method GetPartitionNumber ( input: GetPartitionNumberInput )
+      returns (output: Result<GetPartitionNumberOutput, Error>)
+      requires
+        && ValidState()
+      modifies Modifies - {History} ,
+               History`GetPartitionNumber
+      // Dafny will skip type parameters when generating a default decreases clause.
+      decreases Modifies - {History}
+      ensures
+        && ValidState()
+      ensures GetPartitionNumberEnsuresPublicly(input, output)
+      ensures History.GetPartitionNumber == old(History.GetPartitionNumber) + [DafnyCallEvent(input, output)]
+    {
+      output := GetPartitionNumber' (input);
+      History.GetPartitionNumber := History.GetPartitionNumber + [DafnyCallEvent(input, output)];
+    }
+    // The method to implement in the concrete class.
+    method GetPartitionNumber' ( input: GetPartitionNumberInput )
+      returns (output: Result<GetPartitionNumberOutput, Error>)
+      requires
+        && ValidState()
+      modifies Modifies - {History}
+      // Dafny will skip type parameters when generating a default decreases clause.
+      decreases Modifies - {History}
+      ensures
+        && ValidState()
+      ensures GetPartitionNumberEnsuresPublicly(input, output)
+      ensures unchanged(History)
+
+  }
   datatype PartOnly = | PartOnly (
 
                       )

DynamoDbEncryption/dafny/DynamoDbEncryption/src/ConfigToInfo.dfy

@@ -333,7 +333,7 @@ module SearchConfigToInfo {
               && fresh(output.value.partitionSelector.Modifies)
   {
     var maxPartitions : PartitionCount := config.maximumNumberOfPartitions.UnwrapOr(1);
-    :- Need(0 <= maxPartitions as nat < MAX_BUCKET_COUNT, E("Invalid maximumNumberOfPartitions specified, " + Base10Int2String(maxPartitions as int) + ", must be 0 < maximumNumberOfPartitions <= 255."));
+    :- Need(0 <= maxPartitions as nat < MAX_PARTITION_COUNT, E("Invalid maximumNumberOfPartitions specified, " + Base10Int2String(maxPartitions as int) + ", must be 0 < maximumNumberOfPartitions <= 255."));
     // Zero is invalid, but in Java we can't distinguish None from Some(0)
     if maxPartitions == 0 {
       maxPartitions := 1;

DynamoDbEncryption/dafny/DynamoDbEncryption/src/Util.dfy

@@ -81,10 +81,10 @@ module DynamoDbEncryptionUtil {
     }
   }
 
-  const MAX_BUCKET_COUNT : nat := 255
+  const MAX_PARTITION_COUNT : nat := 255
 
   type PartitionBytes = x: seq<uint8> | Valid_PartitionBytes(x) witness []
-  newtype OptPartitionCount  = x: int | 0 <= x <= MAX_BUCKET_COUNT
+  newtype OptPartitionCount  = x: int | 0 <= x <= MAX_PARTITION_COUNT
 
   function method PartitionBytesToNumber(x : PartitionBytes) : PartitionNumber
   {
@@ -115,7 +115,7 @@ module DynamoDbEncryptionUtil {
   predicate method Valid_PartitionBytes(x : seq<uint8>)
   {
     && |x| <= 1
-    && (|x| == 1 ==> (0 < x[0] < (MAX_BUCKET_COUNT as uint8)))
+    && (|x| == 1 ==> (0 < x[0] < (MAX_PARTITION_COUNT as uint8)))
   }
 
   function printFromFunction<T>(x: T): () {

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/Model/AwsCryptographyDbEncryptionSdkDynamoDbTransformsTypes.dfy

@@ -625,7 +625,7 @@ module {:extern "software.amazon.cryptography.dbencryptionsdk.dynamodb.transform
     nameonly input: ComAmazonawsDynamodbTypes.QueryInput
   )
   datatype GetNumberOfQueriesOutput = | GetNumberOfQueriesOutput (
-    nameonly numberOfQueries: AwsCryptographyDbEncryptionSdkDynamoDbTypes.BucketCount
+    nameonly numberOfQueries: AwsCryptographyDbEncryptionSdkDynamoDbTypes.PartitionCount
   )
   datatype PutItemInputTransformInput = | PutItemInputTransformInput (
     nameonly sdkInput: ComAmazonawsDynamodbTypes.PutItemInput
@@ -796,8 +796,8 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsService
                               tmp5.search.Some? ==>
                                 var tmps6 := set t6 | t6 in tmp5.search.value.versions;
                                 forall tmp6 :: tmp6 in tmps6 ==>
-                                                 tmp6.bucketSelector.Some? ==>
-                                                   tmp6.bucketSelector.value.ValidState()
+                                                 tmp6.partitionSelector.Some? ==>
+                                                   tmp6.partitionSelector.value.ValidState()
     requires var tmps7 := set t7 | t7 in config.tableEncryptionConfigs.Values;
              forall tmp7 :: tmp7 in tmps7 ==>
                               tmp7.search.Some? ==>
@@ -836,8 +836,8 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsService
     modifies set tmps16 <- set t16 <- config.tableEncryptionConfigs.Values | true
                                                                              && t16.search.Some?
                              , t17 <- t16.search.value.versions | true
-                                                                  && t17.bucketSelector.Some?
-                             :: t17.bucketSelector.value,
+                                                                  && t17.partitionSelector.Some?
+                             :: t17.partitionSelector.value,
                obj <- tmps16.Modifies | obj in tmps16.Modifies :: obj
     modifies set tmps18 <- set t18 <- config.tableEncryptionConfigs.Values | true
                                                                              && t18.search.Some?
@@ -878,8 +878,8 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsService
                        ) - ( set tmps27 <- set t27 <- config.tableEncryptionConfigs.Values | true
                                                                                              && t27.search.Some?
                                              , t28 <- t27.search.value.versions | true
-                                                                                  && t28.bucketSelector.Some?
-                                             :: t28.bucketSelector.value,
+                                                                                  && t28.partitionSelector.Some?
+                                             :: t28.partitionSelector.value,
                                obj <- tmps27.Modifies | obj in tmps27.Modifies :: obj
                        ) - ( set tmps29 <- set t29 <- config.tableEncryptionConfigs.Values | true
                                                                                              && t29.search.Some?
@@ -923,8 +923,8 @@ abstract module AbstractAwsCryptographyDbEncryptionSdkDynamoDbTransformsService
                               tmp38.search.Some? ==>
                                 var tmps39 := set t39 | t39 in tmp38.search.value.versions;
                                 forall tmp39 :: tmp39 in tmps39 ==>
-                                                  tmp39.bucketSelector.Some? ==>
-                                                    tmp39.bucketSelector.value.ValidState()
+                                                  tmp39.partitionSelector.Some? ==>
+                                                    tmp39.partitionSelector.value.ValidState()
     ensures var tmps40 := set t40 | t40 in config.tableEncryptionConfigs.Values;
             forall tmp40 :: tmp40 in tmps40 ==>
                               tmp40.search.Some? ==>

DynamoDbEncryption/dafny/DynamoDbEncryptionTransforms/Model/DynamoDbEncryptionTransforms.smithy

@@ -14,7 +14,7 @@ use aws.cryptography.dbEncryptionSdk.dynamoDb.itemEncryptor#DynamoDbItemEncrypto
 use aws.cryptography.dbEncryptionSdk.dynamoDb#VersionNumber
 use aws.cryptography.dbEncryptionSdk.structuredEncryption#StructuredEncryption
 use aws.cryptography.materialProviders#AwsCryptographicMaterialProviders
-use aws.cryptography.dbEncryptionSdk.dynamoDb#BucketCount
+use aws.cryptography.dbEncryptionSdk.dynamoDb#PartitionCount
 
 use aws.polymorph#localService
 use aws.polymorph#javadoc
@@ -76,7 +76,7 @@ map StringMap {
   value : String
 }
 
-@javadoc("Return the necessary number of query operations for this query, based on bucket usage.")
+@javadoc("Return the necessary number of query operations for this query, based on partition usage.")
 operation GetNumberOfQueries {
     input: GetNumberOfQueriesInput,
     output: GetNumberOfQueriesOutput,
@@ -95,7 +95,7 @@ structure GetNumberOfQueriesInput {
 //# This operation MUST return the number of queries necessary.
 structure GetNumberOfQueriesOutput {
     @required
-    numberOfQueries: BucketCount
+    numberOfQueries: PartitionCount
 }