diff --git a/.github/actions/install_smithy_dafny_codegen_dependencies/action.yml b/.github/actions/install_smithy_dafny_codegen_dependencies/action.yml
index 33aad451c..db52a17ed 100644
--- a/.github/actions/install_smithy_dafny_codegen_dependencies/action.yml
+++ b/.github/actions/install_smithy_dafny_codegen_dependencies/action.yml
@@ -22,7 +22,7 @@ runs:
 - name: Setup Python, black, and docformatter for code formatting
 uses: actions/setup-python@v6
 with:
- python-version: ${{ matrix.python-version }}
+ python-version: 3.11
 architecture: x64
 - shell: bash
 run: |
diff --git a/.github/workflows/ci_test_go.yml b/.github/workflows/ci_test_go.yml
index e9dc77a4a..93517d7cf 100644
--- a/.github/workflows/ci_test_go.yml
+++ b/.github/workflows/ci_test_go.yml
@@ -45,7 +45,7 @@ jobs:
 - name: Setup Docker
 if: matrix.os == 'macos-15-intel' && matrix.library == 'TestVectors'
- uses: douglascamata/setup-docker-macos-action@v1.0.1
+ uses: douglascamata/setup-docker-macos-action@v1.0.2
 - name: Setup DynamoDB Local
 if: matrix.library == 'TestVectors'
diff --git a/.github/workflows/ci_test_vector_java.yml b/.github/workflows/ci_test_vector_java.yml
index 02b66f491..8b9186378 100644
--- a/.github/workflows/ci_test_vector_java.yml
+++ b/.github/workflows/ci_test_vector_java.yml
@@ -48,7 +48,7 @@ jobs:
 - name: Setup Docker
 if: matrix.os == 'macos-15-intel' && matrix.library == 'TestVectors'
- uses: douglascamata/setup-docker-macos-action@v1.0.1
+ uses: douglascamata/setup-docker-macos-action@v1.0.2
 - name: Setup DynamoDB Local
 if: matrix.library == 'TestVectors'
diff --git a/.github/workflows/ci_test_vector_net.yml b/.github/workflows/ci_test_vector_net.yml
index d0597b399..c21e0487f 100644
--- a/.github/workflows/ci_test_vector_net.yml
+++ b/.github/workflows/ci_test_vector_net.yml
@@ -44,7 +44,7 @@ jobs:
 - name: Setup Docker
 if: matrix.os == 'macos-15-intel' && matrix.library == 'TestVectors'
- uses: douglascamata/setup-docker-macos-action@v1.0.1
+ uses: douglascamata/setup-docker-macos-action@v1.0.2
 - name: Setup DynamoDB Local
 if: matrix.library == 'TestVectors'
diff --git a/.github/workflows/library_rust_tests.yml b/.github/workflows/library_rust_tests.yml
index fa5bb51d4..7d2ba4d3e 100644
--- a/.github/workflows/library_rust_tests.yml
+++ b/.github/workflows/library_rust_tests.yml
@@ -43,7 +43,7 @@ jobs:
 - name: Setup Docker
 if: matrix.os == 'macos-15-intel' && matrix.library == 'TestVectors'
- uses: douglascamata/setup-docker-macos-action@v1.0.1
+ uses: douglascamata/setup-docker-macos-action@v1.0.2
 - name: Setup DynamoDB Local
 if: matrix.library == 'TestVectors'
@@ -121,6 +121,13 @@ jobs:
 run: |
 make test_rust
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v5
+ with:
+ aws-region: us-west-2
+ role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2
+ role-session-name: DDBEC-Dafny-Rust-Tests
+
 - name: Test ${{ matrix.library }} Rust Fips
 shell: bash
 working-directory: ./${{ matrix.library }}/runtimes/rust/
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
index 0814af19c..e0d5b8f22 100644
--- a/.github/workflows/pull.yml
+++ b/.github/workflows/pull.yml
@@ -54,11 +54,11 @@ jobs:
 uses: ./.github/workflows/library_rust_tests.yml
 with:
 dafny: ${{needs.getVersion.outputs.version}}
- pr-ci-go:
- needs: getVersion
- uses: ./.github/workflows/ci_test_go.yml
- with:
- dafny: ${{needs.getVersion.outputs.version}}
+ # pr-ci-go:
+ # needs: getVersion
+ # uses: ./.github/workflows/ci_test_go.yml
+ # with:
+ # dafny: ${{needs.getVersion.outputs.version}}
 pr-ci-net-test-vectors:
 needs: getVersion
 uses: ./.github/workflows/ci_test_vector_net.yml
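Review bot: The added `Configure AWS Credentials` step in library_rust_tests.yml references `aws-actions/configure-aws-credentials@v5` by a mutable tag in a job that then holds an assumed IAM role; pinning to a full commit SHA, for example `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v5`, keeps a retagged release from running with that session. The step is placed before `Test ${{ matrix.library }} Rust Fips`, so that step and anything it builds run with the role's credentials, and since pull.yml calls this workflow it is worth confirming the role's trust policy is limited to this repository and the intended refs. No static keys are passed, so the role is presumably assumed through OIDC, which needs `permissions: id-token: write` on the job or the calling workflow; that is not visible in this hunk. The same tag-pinning point applies to `douglascamata/setup-docker-macos-action@v1.0.2` in the first hunk of this file and in ci_test_go.yml, ci_test_vector_java.yml and ci_test_vector_net.yml.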
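Review bot: The `pr-ci-go` job in pull.yml is disabled by commenting it out, here and in the `needs:` list in the second hunk of this file, with no reason or re-enable condition recorded, so Go changes silently stop gating pull requests. A short comment above the block would make the intent reviewable, for example `# pr-ci-go temporarily disabled: <reason>; re-enable via <tracking-issue>`. If the job is meant to stay off, deleting it rather than keeping five commented lines leaves the workflow easier to audit.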
@@ -83,7 +83,7 @@ jobs:
 - pr-ci-java-examples
 - pr-ci-net
 - pr-ci-rust
- - pr-ci-go
+ # - pr-ci-go
 - pr-ci-net-test-vectors
 - pr-ci-net-examples
 runs-on: ubuntu-22.04
diff --git a/DynamoDbEncryption/runtimes/rust/Cargo.toml b/DynamoDbEncryption/runtimes/rust/Cargo.toml
index 76cd76570..d1273342a 100644
--- a/DynamoDbEncryption/runtimes/rust/Cargo.toml
+++ b/DynamoDbEncryption/runtimes/rust/Cargo.toml
@@ -1,8 +1,8 @@
 [package]
 name = "aws-db-esdk"
-version = "1.2.0"
+version = "1.2.1"
 edition = "2021"
-rust-version = "1.86.0"
+rust-version = "1.88.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]
 license = "ISC AND (Apache-2.0 OR ISC)"
 description = "aws-db-esdk is a library for implementing client side encryption with DynamoDB."
@@ -16,21 +16,21 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-aws-config = "1.8.5"
-aws-lc-rs = {version = "1.13.3"}
-aws-lc-sys = { version = "0.30", optional = true }
+aws-config = "1.8.10"
+aws-lc-rs = {version = "1.15.0"}
+aws-lc-sys = { version = "0.33", optional = true }
 aws-lc-fips-sys = { version = "0.13", optional = true }
-aws-sdk-dynamodb = "1.90.0"
-aws-sdk-kms = "1.84.0"
-aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
-aws-smithy-types = "1.3.2"
-chrono = "0.4.41"
+aws-sdk-dynamodb = "1.99.0"
+aws-sdk-kms = "1.94.0"
+aws-smithy-runtime-api = {version = "1.9.2", features = ["client"] }
+aws-smithy-types = "1.3.4"
+chrono = "0.4.42"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../submodules/smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"] }
 dashmap = "6.1.0"
-pem = "3.0.5"
-tokio = {version = "1.47.1", features = ["full"] }
-uuid = { version = "1.18.0", features = ["v4"] }
+pem = "3.0.6"
+tokio = {version = "1.48.0", features = ["full"] }
+uuid = { version = "1.18.1", features = ["v4"] }
 [[example]]
 name = "main"
diff --git a/DynamoDbEncryption/runtimes/rust/src/lib.rs b/DynamoDbEncryption/runtimes/rust/src/lib.rs
index c6ba3e0a4..4a0ac4735 100644
--- a/DynamoDbEncryption/runtimes/rust/src/lib.rs
+++ b/DynamoDbEncryption/runtimes/rust/src/lib.rs
@@ -129,6 +129,7 @@ pub(crate) use crate::implementation_from_dafny::ECDH;
 pub(crate) use crate::implementation_from_dafny::HMAC;
 pub(crate) use crate::implementation_from_dafny::UTF8;
 pub(crate) use crate::implementation_from_dafny::UUID;
+pub(crate) use crate::deps::com_amazonaws_kms::client::Client as KmsClient;
 pub(crate) mod conversions;
 pub(crate) mod deps;
diff --git a/TestVectors/runtimes/rust/Cargo.toml b/TestVectors/runtimes/rust/Cargo.toml
index c8c83153c..72e844e39 100644
--- a/TestVectors/runtimes/rust/Cargo.toml
+++ b/TestVectors/runtimes/rust/Cargo.toml
@@ -2,26 +2,26 @@
 name = "aws-db-esdk-test-vectors"
 version = "0.1.0"
 edition = "2021"
-rust-version = "1.86.0"
+rust-version = "1.88.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-aws-config = "1.8.5"
-aws-lc-rs = {version = "1.13.3"}
-aws-lc-sys = { version = "0.30", optional = true }
+aws-config = "1.8.10"
+aws-lc-rs = {version = "1.15.0"}
+aws-lc-sys = { version = "0.33", optional = true }
 aws-lc-fips-sys = { version = "0.13", optional = true }
-aws-sdk-dynamodb = "1.90.0"
-aws-sdk-kms = "1.84.0"
-aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
-aws-smithy-types = "1.3.2"
-chrono = "0.4.41"
+aws-sdk-dynamodb = "1.99.0"
+aws-sdk-kms = "1.94.0"
+aws-smithy-runtime-api = {version = "1.9.2", features = ["client"] }
+aws-smithy-types = "1.3.4"
+chrono = "0.4.42"
 cpu-time = "1.0.0"
 dafny_runtime = { path = "../../../submodules/smithy-dafny/TestModels/dafny-dependencies/dafny_runtime_rust", features = ["sync","small-int"] }
 dashmap = "6.1.0"
-pem = "3.0.5"
-tokio = {version = "1.47.1", features = ["full"] }
-uuid = { version = "1.18.0", features = ["v4"] }
+pem = "3.0.6"
+tokio = {version = "1.48.0", features = ["full"] }
+uuid = { version = "1.18.1", features = ["v4"] }
 [features]
 wrapped-client = []
diff --git a/TestVectors/runtimes/rust/src/lib.rs b/TestVectors/runtimes/rust/src/lib.rs
index 99a1c0503..8c3fe29b7 100644
--- a/TestVectors/runtimes/rust/src/lib.rs
+++ b/TestVectors/runtimes/rust/src/lib.rs
@@ -50,6 +50,7 @@ pub(crate) use crate::implementation_from_dafny::ECDH;
 pub(crate) use crate::implementation_from_dafny::HMAC;
 pub(crate) use crate::implementation_from_dafny::UTF8;
 pub(crate) use crate::implementation_from_dafny::UUID;
+pub(crate) use crate::deps::com_amazonaws_kms::client::Client as KmsClient;
 pub mod aes_gcm;
 pub mod aes_kdf_ctr;
diff --git a/releases/rust/db_esdk/Cargo.toml b/releases/rust/db_esdk/Cargo.toml
index b13bcf5b0..8ef8b3f39 100644
--- a/releases/rust/db_esdk/Cargo.toml
+++ b/releases/rust/db_esdk/Cargo.toml
@@ -1,8 +1,8 @@
 [package]
 name = "aws-db-esdk"
-version = "1.2.0"
+version = "1.2.1"
 edition = "2021"
-rust-version = "1.86.0"
+rust-version = "1.88.0"
 keywords = ["cryptography", "security", "dynamodb", "encryption", "client-side"]
 license = "ISC AND (Apache-2.0 OR ISC)"
 description = "aws-db-esdk is a library for implementing client side encryption with DynamoDB."
@@ -16,20 +16,20 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-aws-config = "1.8.5"
-aws-lc-rs = {version = "1.13.3"}
-aws-lc-sys = { version = "0.30", optional = true }
+aws-config = "1.8.10"
+aws-lc-rs = {version = "1.15.0"}
+aws-lc-sys = { version = "0.33", optional = true }
 aws-lc-fips-sys = { version = "0.13", optional = true }
-aws-sdk-dynamodb = "1.90.0"
-aws-sdk-kms = "1.84.0"
-aws-smithy-runtime-api = {version = "1.9.0", features = ["client"] }
-aws-smithy-types = "1.3.2"
-chrono = "0.4.41"
+aws-sdk-dynamodb = "1.99.0"
+aws-sdk-kms = "1.94.0"
+aws-smithy-runtime-api = {version = "1.9.2", features = ["client"] }
+aws-smithy-types = "1.3.4"
+chrono = "0.4.42"
 cpu-time = "1.0.0"
 dashmap = "6.1.0"
-pem = "3.0.5"
-tokio = {version = "1.47.1", features = ["full"] }
-uuid = { version = "1.18.0", features = ["v4"] }
+pem = "3.0.6"
+tokio = {version = "1.48.0", features = ["full"] }
+uuid = { version = "1.18.1", features = ["v4"] }
 dafny-runtime = { version = "0.3.1", features = ["sync", "small-int"] }
 [[example]]
diff --git a/releases/rust/db_esdk/examples/main.rs b/releases/rust/db_esdk/examples/main.rs
index f82979bcb..cd3d5b9b5 100644
--- a/releases/rust/db_esdk/examples/main.rs
+++ b/releases/rust/db_esdk/examples/main.rs
@@ -11,6 +11,7 @@ pub mod create_keystore_key;
 pub mod get_encrypted_data_key_description;
 pub mod itemencryptor;
 pub mod keyring;
+pub mod migration;
 pub mod multi_get_put_example;
 pub mod searchableencryption;
 pub mod test_utils;
diff --git a/releases/rust/db_esdk/examples/test_utils.rs b/releases/rust/db_esdk/examples/test_utils.rs
index 01b1eb012..52c845c30 100644
--- a/releases/rust/db_esdk/examples/test_utils.rs
+++ b/releases/rust/db_esdk/examples/test_utils.rs
@@ -44,3 +44,32 @@ pub const TEST_BRANCH_KEY_WRAPPING_KMS_KEY_ARN: &str =
 // Our tests require access to DDB Table with this name configured as a branch keystore
 pub const TEST_BRANCH_KEYSTORE_DDB_TABLE_NAME: &str = "KeyStoreDdbTable";
 pub const TEST_COMPLEX_DDB_TABLE_NAME: &str = "ComplexBeaconTestTable";
+
+// Helper method to clean up test items
+pub async fn cleanup_items(
+ table_name: &str,
+ partition_key_value: &str,
+ sort_key_value: &str,
+) -> Result<(), Box> {
+ let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+ let ddb = aws_sdk_dynamodb::Client::new(&sdk_config);
+
+ let key = std::collections::HashMap::from([
+ (
+ "partition_key".to_string(),
+ aws_sdk_dynamodb::types::AttributeValue::S(partition_key_value.to_string()),
+ ),
+ (
+ "sort_key".to_string(),
+ aws_sdk_dynamodb::types::AttributeValue::N(sort_key_value.to_string()),
+ ),
+ ]);
+
+ ddb.delete_item()
+ .table_name(table_name)
+ .set_key(Some(key))
+ .send()
+ .await?;
+
+ Ok(())
+}
diff --git a/releases/rust/db_esdk/src/concurrent_call.rs b/releases/rust/db_esdk/src/concurrent_call.rs
index 6bafd0c6a..545712e9b 100644
--- a/releases/rust/db_esdk/src/concurrent_call.rs
+++ b/releases/rust/db_esdk/src/concurrent_call.rs
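Review bot: `cleanup_items` in examples/test_utils.rs issues an unconditional `delete_item` against whatever `table_name` the caller passes, using the ambient credentials from `aws_config::load_defaults`, and its only documentation is the plain comment `// Helper method to clean up test items`. A `///` doc comment should state that the key schema is fixed to `partition_key` (sent as a string) and `sort_key` (sent as a number, given as a decimal string), and that the helper is intended only for the example test tables. Each call also builds a fresh SDK config and `aws_sdk_dynamodb::Client`; since this is new code, taking the client as a parameter would let examples reuse the one they already hold and make it explicit which credentials perform the delete.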
@@ -10,23 +10,23 @@ pub mod ConcurrentCall {
 fn de_const(
- p: *const dafny_runtime::Object<(dyn Callee + 'static)>,
- ) -> *mut dafny_runtime::Object<(dyn Callee + 'static)> {
+ p: *const dafny_runtime::Object,
+ ) -> *mut dafny_runtime::Object {
 p as _
 }
 pub struct FakeCallee {
- callee: *const dafny_runtime::Object<(dyn Callee + 'static)>,
+ callee: *const dafny_runtime::Object,
 }
 impl FakeCallee {
- fn new(callee: &dafny_runtime::Object<(dyn Callee + 'static)>) -> Self {
+ fn new(callee: &dafny_runtime::Object) -> Self {
 Self {
 callee: std::ptr::from_ref(callee),
 }
 }
 fn call(&self, x: u32, y: u32) {
 let mptr = de_const(self.callee);
- let value: &mut dafny_runtime::Object<(dyn Callee + 'static)> = unsafe { &mut *mptr };
+ let value: &mut dafny_runtime::Object = unsafe { &mut *mptr };
 value.as_mut().call(x, y);
 }
 }
@@ -37,7 +37,7 @@ pub mod ConcurrentCall {
 use crate::ConcurrentCall::Callee;
 impl _default {
 pub fn ConcurrentCall(
- callee: &dafny_runtime::Object<(dyn Callee + 'static)>,
+ callee: &dafny_runtime::Object,
 serial_iters: u32,
 concurrent_iters: u32,
 ) {
diff --git a/releases/rust/db_esdk/src/ecdh.rs b/releases/rust/db_esdk/src/ecdh.rs
index ecadb87bb..0f3c8a34f 100644
--- a/releases/rust/db_esdk/src/ecdh.rs
+++ b/releases/rust/db_esdk/src/ecdh.rs
@@ -442,7 +442,7 @@ pub mod ECDH {
 &public_key,
 );
 let shared: Vec =
- aws_lc_rs::agreement::agree(&private_key, &public_key, "foo", |x| Ok(x.to_vec()))
+ aws_lc_rs::agreement::agree(&private_key, public_key, "foo", |x| Ok(x.to_vec()))
 .map_err(|_e| "Failure in aws_lc_rs::agreement::agree.".to_string())?;
 Ok(shared)
 }
diff --git a/releases/rust/db_esdk/src/kms.rs b/releases/rust/db_esdk/src/kms.rs
index 6778551e9..0bce667bf 100644
--- a/releases/rust/db_esdk/src/kms.rs
+++ b/releases/rust/db_esdk/src/kms.rs
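Review bot: `FakeCallee::call` in concurrent_call.rs turns a pointer taken from a shared reference (`std::ptr::from_ref(callee)` in `new`) into `&mut` through `de_const` and `unsafe { &mut *mptr }`, and nothing in the hunk states why that is sound. Mutating through a pointer derived from `&` is undefined behaviour unless the data sits behind an `UnsafeCell`, and the module name suggests `call` runs from several threads at once, although that code is outside the hunk. Add a `// SAFETY:` comment on the `unsafe` block naming the invariant relied on, or take the mutable access through whatever API `dafny_runtime::Object` provides for it. The commit only changes how the type is spelled, so the point applies to the unchanged lines of `de_const` and `call` as well.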
@@ -5,9 +5,8 @@
 #![deny(nonstandard_style)]
 #![deny(clippy::all)]
-use aws_config::Region;
+use aws_config::{AppName, Region, SdkConfig};
 use std::sync::LazyLock;
-
 static DAFNY_TOKIO_RUNTIME: LazyLock = LazyLock::new(|| {
 tokio::runtime::Builder::new_multi_thread()
 .enable_all()
@@ -17,12 +16,7 @@ static DAFNY_TOKIO_RUNTIME: LazyLock = LazyLock::new(||
 impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_default {
 #[allow(non_snake_case)]
- pub fn KMSClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::dafny_runtime::Rc, ::dafny_runtime::Rc>>{
- let region =
- dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(
- region,
- );
-
+ fn CreateSdkConfig() -> SdkConfig {
 let shared_config = match tokio::runtime::Handle::try_current() {
 Ok(curr) => tokio::task::block_in_place(|| {
 curr.block_on(async {
@@ -34,12 +28,23 @@ impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_def
 )),
 };
+ Self::AddUserAgentStringToConfig(&shared_config)
+ }
+
+ #[allow(non_snake_case)]
+ pub fn KMSClientForRegion(region: &::dafny_runtime::Sequence<::dafny_runtime::DafnyCharUTF16>) -> ::dafny_runtime::Rc, ::dafny_runtime::Rc>>{
+ let region =
+ dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(
+ region,
+ );
+
+ let shared_config = &Self::CreateSdkConfig();
 let shared_config = shared_config
 .to_builder()
 .region(Region::new(region))
 .build();
 let inner = aws_sdk_kms::Client::new(&shared_config);
- let client = crate::deps::com_amazonaws_kms::client::Client { inner };
+ let client = crate::KmsClient { inner };
 let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
 dafny_runtime::Rc::new(crate::r#_Wrappers_Compile::Result::Success {
 value: dafny_client,
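Review bot: `CreateSdkConfig` now holds the only `tokio::task::block_in_place` path, and that call panics when the current runtime is a `current_thread` one (the default for `#[tokio::test]`), so both `KMSClient` and `KMSClientForRegion` can abort the caller there. With the logic in one place, either document the requirement with a comment such as `// Requires a multi-thread Tokio runtime when called from async code; block_in_place panics on current_thread.` or check `curr.runtime_flavor()` before choosing the branch. The body of the `async` block falls between hunks, so this is read from the visible `Ok(curr) => tokio::task::block_in_place(|| {` line only.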
@@ -48,25 +53,41 @@ impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_def
 #[allow(non_snake_case)]
 pub fn KMSClient() -> ::dafny_runtime::Rc, ::dafny_runtime::Rc>>{
- let shared_config = match tokio::runtime::Handle::try_current() {
- Ok(curr) => tokio::task::block_in_place(|| {
- curr.block_on(async {
- aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await
- })
- }),
- Err(_) => DAFNY_TOKIO_RUNTIME.block_on(aws_config::load_defaults(
- aws_config::BehaviorVersion::latest(),
- )),
- };
-
- let inner = aws_sdk_kms::Client::new(&shared_config);
- let client = crate::deps::com_amazonaws_kms::client::Client { inner };
+ let shared_config = &Self::CreateSdkConfig();
+ let inner = aws_sdk_kms::Client::new(shared_config);
+ let client = crate::KmsClient { inner };
 let dafny_client = ::dafny_runtime::upcast_object()(::dafny_runtime::object::new(client));
 dafny_runtime::Rc::new(crate::r#_Wrappers_Compile::Result::Success {
 value: dafny_client,
 })
 }
+ #[allow(non_snake_case)]
+ fn AddUserAgentStringToConfig(sdkConfig: &SdkConfig) -> SdkConfig {
+ let runtime = "Rust".to_string();
+ let runtime_msg =
+ dafny_runtime::dafny_runtime_conversions::unicode_chars_false::string_to_dafny_string(
+ &runtime,
+ );
+ // sadly rust doesn't allow for '/' in the app name which the dafny function adds
+ // so we will replace '/' with '-' which is allowed
+ let user_agent_string = dafny_runtime::dafny_runtime_conversions::unicode_chars_false::dafny_string_to_string(
+ &crate::software::amazon::cryptography::services::kms::internaldafny::_default::DafnyUserAgentSuffix(&runtime_msg)
+ );
+ let replaced_user_agent_string = user_agent_string.replace("/", "-");
+ // To update the user agent string we take the application name and update it.
+ let current_app_name = sdkConfig
+ .app_name()
+ .map(|app_name| app_name.to_string())
+ .unwrap_or_default();
+ let new_app_name = if current_app_name.is_empty() {
+ replaced_user_agent_string.to_string()
+ } else {
+ format!("{} {} ", current_app_name, replaced_user_agent_string)
+ };
+ let app_name = AppName::new(new_app_name).expect("Valid app name");
+ sdkConfig.to_builder().app_name(app_name).build()
+ }
 #[allow(non_snake_case)]
 pub fn RegionMatch(
 kmsClient: &::dafny_runtime::Object,
@@ -77,8 +98,7 @@ impl crate::r#software::amazon::cryptography::services::kms::internaldafny::_def
 region,
 );
 let any = dafny_runtime::cast_any_object!(kmsClient);
- let client =
- dafny_runtime::cast_object!(any, crate::deps::com_amazonaws_kms::client::Client);
+ let client = dafny_runtime::cast_object!(any, crate::KmsClient);
 let flag = match client.as_ref().inner.config().region() {
 Some(r) => r.as_ref() == region,
 None => false,
diff --git a/releases/rust/db_esdk/src/lib.rs b/releases/rust/db_esdk/src/lib.rs
index c6ba3e0a4..49f8207ba 100644
--- a/releases/rust/db_esdk/src/lib.rs
+++ b/releases/rust/db_esdk/src/lib.rs
@@ -114,6 +114,7 @@ mod standard_library_externs;
 pub(crate) use crate::deps::aws_cryptography_primitives;
 pub(crate) mod implementation_from_dafny;
+pub(crate) use crate::deps::com_amazonaws_kms::client::Client as KmsClient;
 pub(crate) use crate::implementation_from_dafny::_Wrappers_Compile;
 pub(crate) use crate::implementation_from_dafny::software;
 pub(crate) use crate::implementation_from_dafny::AesKdfCtr;
diff --git a/submodules/MaterialProviders b/submodules/MaterialProviders
index f41b3c45c..687837704 160000
--- a/submodules/MaterialProviders
+++ b/submodules/MaterialProviders
@@ -1 +1 @@
-Subproject commit f41b3c45c786a119952f0b35b311dbfad5fd3aa6
+Subproject commit 687837704534fccf7764767b7057a7b83a3f1a17
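Review bot: `AppName::new(new_app_name).expect("Valid app name")` in `AddUserAgentStringToConfig` can panic during KMS client construction: as far as I know `AppName::new` accepts only ASCII alphanumerics and a small punctuation set that excludes spaces, while the `else` branch builds `format!("{} {} ", ...)` with a space separator and a trailing space. Any caller whose environment or profile already sets an app name would then hit the `expect` from both `KMSClient` and `KMSClientForRegion`, and because only `/` is replaced in the Dafny suffix, any other disallowed character in it would do the same. Join with an allowed character and fall back to the unmodified config instead of panicking, as sketched below.

```rust
// … unchanged: runtime_msg, user_agent_string, replaced_user_agent_string, current_app_name …
let new_app_name = if current_app_name.is_empty() {
    replaced_user_agent_string
} else {
    // '_' is accepted by AppName; a space is not
    format!("{}_{}", current_app_name, replaced_user_agent_string)
};
match AppName::new(new_app_name) {
    Ok(app_name) => sdkConfig.to_builder().app_name(app_name).build(),
    // Keep the caller's config rather than abort client construction.
    Err(_) => sdkConfig.clone(),
}
```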