Merge branch 'rishav/go/ddb-nameChange' of https://github.com/aws/aws-database-encryption-sdk-dynamodb into rishav/go/ddb-nameChange

Author: rishav-karanjit

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## [3.9.0](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.8.1...v3.9.0) (2025-06-25)
+
+This release is available in the following languages:
+
+- Java
+
+### Maintenance
+
+- **dafny:** Add ExecuteStatement test ([#1932](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1932)) ([66a19ab](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/66a19ab7d9ddea1018cbb01da053020148e4a1e7))
+- **dafny:** Add Update and delete test ([#1942](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1942)) ([3bd48ba](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/3bd48bacc6e9ca458931031062ee97f351f9de32))
+- **dafny:** change nat to uint64 in many places ([#1852](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1852)) ([ec22b7d](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/ec22b7d316678f4d836837e751bdfcf41f461441))
+- **dafny:** further performance enhancements ([#1834](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1834)) ([ea94693](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/ea9469327109a61e544425479dfb2c6be514ce5a))
+- **dafny:** improve performance ([#1900](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1900)) ([ccf61d6](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/ccf61d6a9c49385f1cccde0cda9c0609ba050455))
+- **dafny:** improve performance of searchable encryption ([#1931](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1931)) ([8b71004](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/8b710042e1bc0516b70a9f9674edab7f775d236f))
+- **dafny:** reduce use of BigInteger ([#1872](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1872)) ([eb7679a](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/eb7679afa9fb6383a76fd71f9e7a4e40bbe53c8a))
+- **dafny:** test ExecuteTransaction and BatchExecuteStatement ([#1941](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1941)) ([69c37c6](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/69c37c6a8491b2a5aadf74c4f80355b0593aed32))
+- **deps:** Bump MPL version to 1.11.0 ([#1945](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1945)) ([efdd373](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/efdd373ab91fc7465be0f0d05d8018f59131ee6f))
+- further performance improvements ([#1826](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1826)) ([3194054](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/3194054eea95c640d0ac469911e950fc76953dd6))
+- improve performance ([#1622](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1622)) ([8ca2883](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/8ca288345fe7371711c1c51e1d064538686e25f1))
+- update README for missing info ([#1939](https://github.com/aws/aws-database-encryption-sdk-dynamodb/issues/1939)) ([354f4f6](https://github.com/aws/aws-database-encryption-sdk-dynamodb/commit/354f4f6c48ed6c60914f5ce0feaba64de7ed2587))
+
 ## [3.8.1](https://github.com/aws/aws-database-encryption-sdk-dynamodb/compare/v3.8.0...v3.8.1) (2025-04-01)
 
 This release is available in the following languages:

DynamoDbEncryption/runtimes/java/build.gradle.kts

@@ -250,8 +250,8 @@ nexusPublishing {
     // https://github.com/gradle-nexus/publish-plugin/
     repositories {
         sonatype {
-            nexusUrl.set(uri("https://aws.oss.sonatype.org/service/local/"))
-            snapshotRepositoryUrl.set(uri("https://aws.oss.sonatype.org/content/repositories/snapshots/"))
+            nexusUrl.set(uri("https://ossrh-staging-api.central.sonatype.com/service/local/"))
+            snapshotRepositoryUrl.set(uri("https://central.sonatype.com/repository/maven-snapshots/"))
             username.set(System.getenv("SONA_USERNAME"))
             password.set(System.getenv("SONA_PASSWORD"))
         }

DynamoDbEncryption/runtimes/net/AssemblyInfo.cs

@@ -3,5 +3,5 @@
 [assembly: AssemblyTitle("AWS.Cryptography.DbEncryptionSDK.DynamoDb")]
 
 // This should be kept in sync with the version number in MPL.csproj
-[assembly: AssemblyVersion("3.8.1")]
+[assembly: AssemblyVersion("3.9.0")]
 

DynamoDbEncryption/runtimes/net/DynamoDbEncryption.csproj

@@ -5,7 +5,7 @@
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <IsPackable>true</IsPackable>
 
-    <Version>3.8.1</Version>
+    <Version>3.9.0</Version>
 
     <AssemblyName>AWS.Cryptography.DbEncryptionSDK.DynamoDb</AssemblyName>
     <PackageId>AWS.Cryptography.DbEncryptionSDK.DynamoDb</PackageId>

Makefile

@@ -51,7 +51,7 @@ format_java_misc-check: setup_prettier
 	npx prettier --plugin=prettier-plugin-java . --check
 
 setup_prettier:
-	npm i --no-save prettier@3 [email protected]
+	npm i --no-save prettier@3.5.3 [email protected]
 
 # Generate the top-level project.properties file using smithy-dafny.
 # This is for the benefit of the nightly Dafny CI,

TestVectors/dafny/DDBEncryption/src/TestVectors.dfy

@@ -397,6 +397,12 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
         BasicIoTestBatchWriteItem(c1, c2, globalRecords);
         BasicIoTestPutItem(c1, c2, globalRecords);
         BasicIoTestTransactWriteItems(c1, c2, globalRecords);
+        BasicIoTestUpdateItem(c1, c2, globalRecords, "One");
+        BasicIoTestUpdateItem(c1, c2, globalRecords, "Two");
+        BasicIoTestDeleteItem(c1, c2, globalRecords, "One", "Uno");
+        BasicIoTestDeleteItem(c1, c2, globalRecords, "Two", "Dos");
+        BasicIoTestDeleteItemWithoutConditionExpression(c1, c2, globalRecords, "One", "Uno");
+        BasicIoTestDeleteItemWithoutConditionExpression(c1, c2, globalRecords, "Two", "Dos");
         BasicIoTestExecuteStatement(c1, c2);
         BasicIoTestExecuteTransaction(c1, c2);
         BasicIoTestBatchExecuteStatement(c1, c2);
@@ -844,6 +850,108 @@ module {:options "-functionSyntax:4"} DdbEncryptionTestVectors {
       BasicIoTestTransactGetItems(rClient, records);
     }
 
+    method BasicIoTestUpdateItem(writeConfig : TableConfig, readConfig : TableConfig, records : seq<Record>, attributeToUpdate: DDB.AttributeName)
+    {
+      var wClient, rClient := SetupTestTable(writeConfig, readConfig);
+      WriteAllRecords(wClient, records);
+      // Update each record by appending "updated" to the partition key
+      for i := 0 to |records| {
+        var newValue := "updated";
+        // Create an update expression to update the partition key
+        var updateExpr := "SET #att = :val";
+        expect attributeToUpdate in writeConfig.config.attributeActionsOnEncrypt, "`attributeToUpdate` not in attributeActionsOnEncrypt";
+        var exprAttrNames := map["#att" := attributeToUpdate];
+        var exprAttrValues := map[":val" := DDB.AttributeValue.S(newValue)];
+        expect HashName in records[i].item, "`HashName` is not in records.";
+        var updateInput := DDB.UpdateItemInput(
+          TableName := TableName,
+          Key := map[HashName := records[i].item[HashName]],
+          UpdateExpression := Some(updateExpr),
+          ExpressionAttributeNames := Some(exprAttrNames),
+          ExpressionAttributeValues := Some(exprAttrValues),
+          ReturnValues := None,
+          ReturnConsumedCapacity := None,
+          ReturnItemCollectionMetrics := None,
+          ConditionExpression := None
+        );
+        var updateResult := wClient.UpdateItem(updateInput);
+        if writeConfig.config.attributeActionsOnEncrypt[attributeToUpdate] == SE.ENCRYPT_AND_SIGN || writeConfig.config.attributeActionsOnEncrypt[attributeToUpdate] == SE.SIGN_ONLY {
+          expect updateResult.Failure?, "UpdateItem should have failed for signed item.";
+          // This error is of type DynamoDbEncryptionTransformsException
+          // but AWS SDK wraps it into its own type for which customers should be unwrapping.
+          // In test vectors, we still have to change the error from AWS SDK to dafny so it turns out to be OpaqueWithText.
+          expect updateResult.error.OpaqueWithText?, "Error should have been of type OpaqueWithText";
+          var hasDynamoDbEncryptionTransformsException? := String.HasSubString(updateResult.error.objMessage, "Update Expressions forbidden on signed attributes");
+          expect hasDynamoDbEncryptionTransformsException?.Some?, "Error might is not be of type DynamoDbEncryptionTransformsException";
+        } else {
+          expect updateResult.Success?;
+        }
+      }
+    }
+
+    method BasicIoTestDeleteItem(writeConfig : TableConfig, readConfig : TableConfig, records : seq<Record>, attributeToDelete: DDB.AttributeName, expectedAttributeValue: string)
+    {
+      var wClient, rClient := SetupTestTable(writeConfig, readConfig);
+      WriteAllRecords(wClient, records);
+      // Try to delete records with a condition expression with condition to
+      // delete records if the record has an attribute attributeToDelete with value expectedAttributeValue
+      for i := 0 to |records| {
+        // Set up condition expression to only delete if Two = expectedAttributeValue
+        var conditionExpr := "#attr = :val";
+        var exprAttrNames := map["#attr" := attributeToDelete];
+        var exprAttrValues := map[":val" := DDB.AttributeValue.S(expectedAttributeValue)];
+        expect HashName in records[i].item, "`HashName` is not in records.";
+        var deleteInput := DDB.DeleteItemInput(
+          TableName := TableName,
+          Key := map[HashName := records[i].item[HashName]],
+          ConditionExpression := Some(conditionExpr),
+          ExpressionAttributeNames := Some(exprAttrNames),
+          ExpressionAttributeValues := Some(exprAttrValues),
+          ReturnValues := Some(DDB.ReturnValue.ALL_OLD)
+        );
+        var deleteResult := wClient.DeleteItem(deleteInput);
+        expect attributeToDelete in writeConfig.config.attributeActionsOnEncrypt, "`attributeToDelete` not found in attributeActionsOnEncrypt of config.";
+        if writeConfig.config.attributeActionsOnEncrypt[attributeToDelete] == SE.ENCRYPT_AND_SIGN {
+          expect deleteResult.Failure?, "DeleteItem should have failed.";
+          // This error is of type DynamoDbEncryptionTransformsException
+          // but AWS SDK wraps it into its own type for which customers should be unwrapping.
+          // In test vectors, we still have to change the error from AWS SDK to dafny so it turns out to be OpaqueWithText.
+          expect deleteResult.error.OpaqueWithText?, "Error should have been of type OpaqueWithText";
+          var hasDynamoDbEncryptionTransformsException? := String.HasSubString(deleteResult.error.objMessage, "Condition Expressions forbidden on encrypted attributes");
+          expect hasDynamoDbEncryptionTransformsException?.Some?, "Error might is not be of type DynamoDbEncryptionTransformsException";
+        } else if attributeToDelete in records[i].item && records[i].item[attributeToDelete].S? && records[i].item[attributeToDelete].S == expectedAttributeValue {
+          expect deleteResult.Success?, "DeleteItem should have succeeded.";
+          expect deleteResult.value.Attributes.Some?, "DeleteItemOutput should have had some attribute because ReturnValues was set as `ALL_OLD` in DeleteItemInput";
+          expect HashName in deleteResult.value.Attributes.value, "Deleted item does not have right partition key:" + HashName;
+          expect deleteResult.value.Attributes.value[HashName] == records[i].item[HashName], "Wrong item was deleted.";
+        } else {
+          expect deleteResult.Failure?, "DeleteItem should have failed.";
+          expect deleteResult.error.ConditionalCheckFailedException?, "DeleteItem should have failed with ConditionalCheckFailedException";
+        }
+      }
+    }
+
+    method BasicIoTestDeleteItemWithoutConditionExpression(writeConfig : TableConfig, readConfig : TableConfig, records : seq<Record>, attributeToDelete: DDB.AttributeName, expectedAttributeValue: string)
+    {
+      var wClient, rClient := SetupTestTable(writeConfig, readConfig);
+      WriteAllRecords(wClient, records);
+      for i := 0 to |records| {
+        expect HashName in records[i].item, "`HashName` is not in records.";
+        var deleteInputWithoutConditionExpression := DDB.DeleteItemInput(
+          TableName := TableName,
+          Key := map[HashName := records[i].item[HashName]],
+          ReturnValues := Some(DDB.ReturnValue.ALL_OLD)
+        );
+        var deleteResultForWithoutConditionExpressionCase := wClient.DeleteItem(deleteInputWithoutConditionExpression);
+        expect deleteResultForWithoutConditionExpressionCase.Success?, "DeleteItem should have succeeded.";
+        expect deleteResultForWithoutConditionExpressionCase.value.Attributes.Some?, "DeleteItemOutput should have had some attribute because ReturnValues was set as `ALL_OLD` in DeleteItemInput";
+        if attributeToDelete in records[i].item {
+          expect HashName in deleteResultForWithoutConditionExpressionCase.value.Attributes.value, "Deleted item does not have right partition key:" + HashName;
+          expect deleteResultForWithoutConditionExpressionCase.value.Attributes.value[HashName] == records[i].item[HashName], "Wrong item was deleted.";
+        }
+      }
+    }
+
     method BasicIoTestExecuteStatement(writeConfig : TableConfig, readConfig : TableConfig)
     {
       var wClient, rClient := SetupTestTable(writeConfig, readConfig);

cfn/CB-Staging.yml

@@ -55,7 +55,7 @@ Resources:
         Type: NO_CACHE
       Environment:
         ComputeType: BUILD_GENERAL1_LARGE
-        Image: "aws/codebuild/standard:5.0"
+        Image: "aws/codebuild/standard:6.0"
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: true
         Type: LINUX_CONTAINER
@@ -239,6 +239,7 @@ Resources:
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-User-Token-zK61bM",
+                "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Central-Portal-XrYUs2",
                 "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U"
               ],
               "Action": "secretsmanager:GetSecretValue"

codebuild/release/release-prod.yml

@@ -9,13 +9,14 @@ env:
   secrets-manager:
     GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname
     GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase
-    SONA_USERNAME: Sonatype-User-Token:username
-    SONA_PASSWORD: Sonatype-User-Token:password
+    SONA_USERNAME: Sonatype-Central-Portal:Username
+    SONA_PASSWORD: Sonatype-Central-Portal:Password
 
 phases:
   install:
     runtime-versions:
       java: corretto8
+      dotnet: 6.0
     commands:
       - cd ..
       # Get Dafny
@@ -27,6 +28,7 @@ phases:
       - unzip -qq gradle.zip && rm gradle.zip
       - export PATH="$PWD/gradle-7.6/bin:$PATH"
       - cd  aws-database-encryption-sdk-dynamodb/
+      - make -C submodules/MaterialProviders/StandardLibrary setup_net
   pre_build:
     commands:
       - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-Release --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz

codebuild/release/release.yml

@@ -13,7 +13,7 @@ batch:
         variables:
           JAVA_ENV_VERSION: corretto8
           JAVA_NUMERIC_VERSION: 8
-        image: aws/codebuild/standard:5.0
+        image: aws/codebuild/standard:6.0
 
     - identifier: validate_staging_corretto8
       depend-on:
@@ -23,7 +23,7 @@ batch:
         variables:
           JAVA_ENV_VERSION: corretto8
           JAVA_NUMERIC_VERSION: 8
-        image: aws/codebuild/standard:5.0
+        image: aws/codebuild/standard:6.0
 
     - identifier: validate_staging_corretto11
       depend-on:
@@ -33,7 +33,7 @@ batch:
         variables:
           JAVA_ENV_VERSION: corretto11
           JAVA_NUMERIC_VERSION: 11
-        image: aws/codebuild/standard:5.0
+        image: aws/codebuild/standard:6.0
 
     - identifier: validate_staging_corretto17
       depend-on:
@@ -55,7 +55,7 @@ batch:
         variables:
           JAVA_ENV_VERSION: corretto8
           JAVA_NUMERIC_VERSION: 8
-        image: aws/codebuild/standard:5.0
+        image: aws/codebuild/standard:6.0
 
     ## The following steps are expected to fail; since maven central takes time to
     ## update its index. For now, a manual download of the jar is needed to assert artifacts are
@@ -68,7 +68,7 @@ batch:
         variables:
           JAVA_ENV_VERSION: corretto8
           JAVA_NUMERIC_VERSION: 8
-        image: aws/codebuild/standard:5.0
+        image: aws/codebuild/standard:6.0
 
     - identifier: validate_release_corretto11
       depend-on:
@@ -78,7 +78,7 @@ batch:
         variables:
           JAVA_ENV_VERSION: corretto11
           JAVA_NUMERIC_VERSION: 11
-        image: aws/codebuild/standard:5.0
+        image: aws/codebuild/standard:6.0
 
     - identifier: validate_release_corretto17
       depend-on:

codebuild/release/validate-release.yml

@@ -11,6 +11,7 @@ phases:
   install:
     runtime-versions:
       java: $JAVA_ENV_VERSION
+      dotnet: 6.0
     commands:
       - cd ..
       # Get Dafny
@@ -22,6 +23,7 @@ phases:
       - unzip -qq gradle.zip && rm gradle.zip
       - export PATH="$PWD/gradle-7.6/bin:$PATH"
       - cd  aws-database-encryption-sdk-dynamodb/
+      - make -C submodules/MaterialProviders/StandardLibrary setup_net
   pre_build:
     commands:
       # Get CI Creds to be able to call DBESDK TestVectors