feat: test vectors (#704)

* feat: test vectors

Author: ajewellamz

.github/workflows/ci_test_vector_net.yml

@@ -59,6 +59,4 @@ jobs:
         working-directory: ./TestVectors/runtimes/net
         run: |
           cp ../java/*.json .
-          # dotnet run
-          echo can't build until we make type conversions public
-          echo can't run until we update MPL/ComAmazonawsDynamodb
+          dotnet run

DynamoDbEncryption/runtimes/java/src/test/java/software/amazon/cryptography/dbencryptionsdk/dynamodb/DynamoDbEncryptionInterceptorIntegrationTests.java

@@ -390,12 +390,18 @@ public void TestScan() {
                 .tableName(TEST_TABLE_NAME)
                 .filterExpression("partition_key = :val")
                 .expressionAttributeValues(attrValues)
-                .build();
-
-        ScanResponse scanResponse  = ddbKmsKeyring.scan(scanRequest);
-        assertEquals(200, scanResponse.sdkHttpResponse().statusCode());
-        assertEquals(2, (double) scanResponse.count());
-        Map<String, AttributeValue> item = scanResponse.items().get(0);
+                .consistentRead(true)
+                .build();
+        List<Map<String,AttributeValue>> results = new ArrayList<>();
+        ScanResponse scanResponse;
+	do {
+           scanResponse  = ddbKmsKeyring.scan(scanRequest);
+           assertEquals(200, scanResponse.sdkHttpResponse().statusCode());
+	   results.addAll(scanResponse.items());
+	   scanRequest = scanRequest.toBuilder().exclusiveStartKey(scanResponse.lastEvaluatedKey()).build();
+	} while (scanResponse.lastEvaluatedKey().size() > 0);
+        assertEquals(2, (double) results.size());
+        Map<String, AttributeValue> item = results.get(0);
         assertEquals(partitionValue, item.get(TEST_PARTITION_NAME).s());
         assertEquals(attrValue, item.get(TEST_ATTR_NAME).s());
     }

DynamoDbEncryption/runtimes/net/DynamoDbEncryption.csproj

@@ -34,7 +34,7 @@
   <ItemGroup>
     <PackageReference Include="AWSSDK.DynamoDBv2" Version="3.7.300.2"/>
     <PackageReference Include="AWSSDK.Core" Version="3.7.300.2"/>
-    <PackageReference Include="AWS.Cryptography.MaterialProviders" Version="1.0.0"/>
+    <ProjectReference Include="../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj"/>
     <!--
               System.Collections.Immutable can be removed once dafny.msbuild is updated with
               https://github.com/dafny-lang/dafny.msbuild/pull/10 and versioned

TestVectors/dafny/DDBEncryption/src/DecryptManifest.dfy

@@ -0,0 +1,157 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+include "JsonConfig.dfy"
+include "WriteManifest.dfy"
+include "../../../../DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy"
+
+module {:options "-functionSyntax:4"} DecryptManifest {
+  import opened Wrappers
+  import opened StandardLibrary
+  import opened StandardLibrary.UInt
+  import opened JSON.Values
+  import opened WriteManifest
+  import JSON.API
+  import JSON.Errors
+  import DdbItemJson
+  import StandardLibrary.String
+  import FileIO
+  import opened JSONHelpers
+  import JsonConfig
+  import ENC = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
+
+  method OnePositiveTest(name : string, config : JSON, encrypted : JSON, plaintext : JSON) returns (output : Result<bool, string>)
+  {
+    var enc :- JsonConfig.GetRecord(encrypted);
+    var plain :- JsonConfig.GetRecord(plaintext);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var decrypted :- expect encryptor.DecryptItem(
+      ENC.DecryptItemInput(
+        encryptedItem:=enc.item
+      )
+    );
+    expect DdbItemJson.NormalizeItem(decrypted.plaintextItem) == DdbItemJson.NormalizeItem(plain.item);
+
+   return Success(true);
+  }
+
+  method OneNegativeTest(name : string, config : JSON, encrypted : JSON) returns (output : Result<bool, string>)
+  {
+    var enc :- JsonConfig.GetRecord(encrypted);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var decrypted := encryptor.DecryptItem(
+      ENC.DecryptItemInput(
+        encryptedItem:=enc.item
+      )
+    );
+    if decrypted.Success? {
+      return Failure("Failed to fail to decrypt " + name);
+    }
+   return Success(true);
+  }
+
+  method OneTest(name : string, value : JSON) returns (output : Result<bool, string>)
+  {
+    :- Need(value.Object?, "Test must be an object");
+    print "Decrypting ", name, "\n";
+
+    var types : Option<string> := None;
+    var description : Option<string> := None;
+    var config : Option<JSON> := None;
+    var encrypted : Option<JSON> := None;
+    var plaintext : Option<JSON> := None;
+
+    for i := 0 to |value.obj| {
+      var obj := value.obj[i];
+      match obj.0 {
+        case "type" =>
+          :- Need(obj.1.String?, "Value of 'type' must be a string.");
+          types := Some(obj.1.str);
+        case "description" =>
+          :- Need(obj.1.String?, "Value of 'description' must be a string.");
+          description := Some(obj.1.str);
+        case "config" =>
+          :- Need(obj.1.Object?, "Value of 'config' must be an object.");
+          config := Some(obj.1);
+        case "encrypted" =>
+          :- Need(obj.1.Object?, "Value of 'record' must be an object.");
+          encrypted := Some(obj.1);
+        case "plaintext" =>
+          :- Need(obj.1.Object?, "Value of 'record' must be an object.");
+          plaintext := Some(obj.1);
+        case _ => return Failure("Unknown test member : " + obj.0 + " in " + name);
+      }
+    }
+    :- Need(types.Some?, "Test requires a 'type' member.");
+    :- Need(description.Some?, "Test requires a 'description' member.");
+    :- Need(config.Some?, "Test requires a 'config' member.");
+    :- Need(encrypted.Some?, "Test requires a 'encrypted' member.");
+
+    if types.value == "positive-decrypt" {
+      :- Need(plaintext.Some?, "positive-decrypt Test requires a 'plaintext' member.");
+      output := OnePositiveTest(name, config.value, encrypted.value, plaintext.value);
+    } else if types.value == "negative-decrypt" {
+      output := OneNegativeTest(name, config.value, encrypted.value);
+    } else {
+      return Failure("Invalid encrypt type : '" + types.value + "'.");
+    }
+  }
+
+  method Decrypt(inFile : string) returns (output : Result<bool, string>)
+  {
+    var configBv :- expect FileIO.ReadBytesFromFile(inFile);
+    var configBytes := BvToBytes(configBv);
+    var json :- expect API.Deserialize(configBytes);
+
+    :- Need(json.Object?, "Decrypt file must contain a JSON object.");
+    var keys : Option<string> := None;
+    var client : Option<seq<(string, JSON)>> := None;
+    var manifest : Option<seq<(string, JSON)>> := None;
+    var tests : Option<seq<(string, JSON)>> := None;
+
+    for i := 0 to |json.obj| {
+      var obj := json.obj[i];
+      match obj.0 {
+        case "keys" =>
+          :- Need(obj.1.String?, "Value of 'keys' must be a string.");
+          keys := Some(obj.1.str);
+        case "client" =>
+          :- Need(obj.1.Object?, "Value of 'client' must be an Object.");
+          client := Some(obj.1.obj);
+        case "manifest" =>
+          :- Need(obj.1.Object?, "Value of 'manifest' must be an object.");
+          manifest := Some(obj.1.obj);
+        case "tests" =>
+          :- Need(obj.1.Object?, "Value of 'tests' must be an object.");
+          tests := Some(obj.1.obj);
+        case _ => return Failure("Unknown top level encrypt tag : " + obj.0);
+      }
+    }
+    :- Need(keys.Some?, "Decrypt manifest requires a 'keys' member.");
+    :- Need(client.Some?, "Decrypt manifest requires a 'client' member.");
+    :- Need(manifest.Some?, "Decrypt manifest requires a 'manifest' member.");
+    :- Need(tests.Some?, "Decrypt manifest requires a 'tests' member.");
+
+    for i := 0 to |manifest.value| {
+      var obj := manifest.value[i];
+      match obj.0 {
+        case "type" =>
+          :- Need(obj.1.String?, "Value of 'type' must be a string.");
+          :- Need(obj.1.str == DECRYPT_TYPE, "Value of 'type' must be '" + DECRYPT_TYPE + "'.");
+        case "version" =>
+          :- Need(obj.1.String?, "Value of 'version' must be a string.");
+          :- Need(obj.1.str == "1", "Value of 'version' must be '1'");
+        case _ => return Failure("Unknown manifest member : " + obj.0);
+      }
+    }
+
+    for i := 0 to |tests.value| {
+      var obj := tests.value[i];
+      :- Need(obj.1.Object?, "Value of test '" + obj.0 + "' must be an Object.");
+      var _ :- OneTest(obj.0, obj.1);
+    }
+
+    return Success(true);
+  }
+
+}

TestVectors/dafny/DDBEncryption/src/EncryptManifest.dfy

@@ -0,0 +1,197 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+include "JsonConfig.dfy"
+include "WriteManifest.dfy"
+include "../../../../DynamoDbEncryption/dafny/DynamoDbItemEncryptor/src/Index.dfy"
+
+module {:options "-functionSyntax:4"} EncryptManifest {
+  import opened Wrappers
+  import opened StandardLibrary
+  import opened StandardLibrary.UInt
+  import opened JSON.Values
+  import opened WriteManifest
+  import JSON.API
+  import JSON.Errors
+  import opened DynamoDbEncryptionUtil
+  import DdbItemJson
+  import StandardLibrary.String
+  import FileIO
+  import opened JSONHelpers
+  import JsonConfig
+  import ENC = AwsCryptographyDbEncryptionSdkDynamoDbItemEncryptorTypes
+
+  function Manifest() : (string, JSON)
+  {
+    var result : seq<(string, JSON)> :=
+      [
+        ("type", String(DECRYPT_TYPE)),
+        ("version", String("1"))
+      ];
+    ("manifest", Object(result))
+  }
+
+  function Client(lang : string, version : string) : (string, JSON)
+  {
+    var result : seq<(string, JSON)> :=
+      [
+        ("name", String(LIB_PREFIX + lang)),
+        ("version", String(version))
+      ];
+    ("client", Object(result))
+  }
+
+  method OnePositiveTest(name : string, theType : string, desc : string, config : JSON, decryptConfig : Option<JSON>, record : JSON) returns (output : Result<(string, JSON), string>)
+  {
+    var rec :- JsonConfig.GetRecord(record);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encrypted :- expect encryptor.EncryptItem(
+      ENC.EncryptItemInput(
+        plaintextItem:=rec.item
+      )
+    );
+    var item :- expect DdbItemJson.DdbItemToJson(encrypted.encryptedItem);
+
+    var result : seq<(string, JSON)> :=
+      [
+        ("type", String(theType)),
+        ("description", String(desc)),
+        ("config", if decryptConfig.Some? then decryptConfig.value else config),
+        ("plaintext", record),
+        ("encrypted", item)
+      ];
+    return Success((name, Object(result)));
+  }
+
+  method OneNegativeTest(name : string, config : JSON, record : JSON) returns (output : Result<bool, string>)
+  {
+    var rec :- JsonConfig.GetRecord(record);
+    var encryptor :- JsonConfig.GetItemEncryptor(name, config);
+    var encrypted := encryptor.EncryptItem(
+      ENC.EncryptItemInput(
+        plaintextItem:=rec.item
+      )
+    );
+    if encrypted.Success? {
+      return Failure("Test " + name + " failed to fail to encrypt.");
+    }
+    return Success(true);
+  }
+
+
+  method OneTest(name : string, value : JSON) returns (output : Result<Option<(string, JSON)>, string>)
+  {
+    :- Need(value.Object?, "Test must be an object");
+    print "Examining ", name, "\n";
+
+    var types : Option<string> := None;
+    var description : Option<string> := None;
+    var config : Option<JSON> := None;
+    var decryptConfig : Option<JSON> := None;
+    var record : Option<JSON> := None;
+
+    for i := 0 to |value.obj| {
+      var obj := value.obj[i];
+      match obj.0 {
+        case "type" =>
+          :- Need(obj.1.String?, "Value of 'type' must be a string.");
+          types := Some(obj.1.str);
+        case "description" =>
+          :- Need(obj.1.String?, "Value of 'description' must be a string.");
+          description := Some(obj.1.str);
+        case "config" =>
+          :- Need(obj.1.Object?, "Value of 'config' must be an object.");
+          config := Some(obj.1);
+        case "decryptConfig" =>
+          :- Need(obj.1.Object?, "Value of 'decryptConfig' must be an object.");
+          decryptConfig := Some(obj.1);
+        case "record" =>
+          :- Need(obj.1.Object?, "Value of 'record' must be an object.");
+          record := Some(obj.1);
+        case _ => return Failure("Unknown test member : " + obj.0 + " in " + name);
+      }
+    }
+    :- Need(types.Some?, "Test requires a 'type' member.");
+    :- Need(description.Some?, "Test requires a 'description' member.");
+    :- Need(config.Some?, "Test requires a 'config' member.");
+    :- Need(record.Some?, "Test requires a 'record' member.");
+
+    if types.value == "positive-encrypt" {
+      var x :- OnePositiveTest(name, "positive-decrypt", description.value, config.value, decryptConfig, record.value);
+      return Success(Some(x));
+    } else if types.value == "negative-decrypt" {
+      var x :- OnePositiveTest(name, "negative-decrypt", description.value, config.value, decryptConfig, record.value);
+      return Success(Some(x));
+    } else if types.value == "negative-encrypt" {
+      var _ := OneNegativeTest(name, config.value, record.value);
+      return Success(None);
+    } else {
+      return Failure("Invalid encrypt type : '" + types.value + "'.");
+    }
+  }
+
+  method Encrypt(inFile : string, outFile : string, lang : string, version : string) returns (output : Result<bool, string>)
+  {
+    var configBv :- expect FileIO.ReadBytesFromFile(inFile);
+    var configBytes := BvToBytes(configBv);
+    var json :- expect API.Deserialize(configBytes);
+
+    :- Need(json.Object?, "Encrypt file must contain a JSON object.");
+    var keys : Option<string> := None;
+    var manifest : Option<seq<(string, JSON)>> := None;
+    var tests : Option<seq<(string, JSON)>> := None;
+
+    for i := 0 to |json.obj| {
+      var obj := json.obj[i];
+      match obj.0 {
+        case "keys" =>
+          :- Need(obj.1.String?, "Value of 'keys' must be a string.");
+          keys := Some(obj.1.str);
+        case "manifest" =>
+          :- Need(obj.1.Object?, "Value of 'manifest' must be an object.");
+          manifest := Some(obj.1.obj);
+        case "tests" =>
+          :- Need(obj.1.Object?, "Value of 'tests' must be an object.");
+          tests := Some(obj.1.obj);
+        case _ => return Failure("Unknown top level encrypt tag : " + obj.0);
+      }
+    }
+    :- Need(keys.Some?, "Encrypt manifest requires a 'keys' member.");
+    :- Need(manifest.Some?, "Encrypt manifest requires a 'manifest' member.");
+    :- Need(tests.Some?, "Encrypt manifest requires a 'tests' member.");
+
+    for i := 0 to |manifest.value| {
+      var obj := manifest.value[i];
+      match obj.0 {
+        case "type" =>
+          :- Need(obj.1.String?, "Value of 'type' must be a string.");
+          :- Need(obj.1.str == ENCRYPT_TYPE, "Value of 'type' must be '" + ENCRYPT_TYPE + "'.");
+        case "version" =>
+          :- Need(obj.1.String?, "Value of 'version' must be a string.");
+          :- Need(obj.1.str == "1", "Value of 'version' must be '1'");
+        case _ => return Failure("Unknown manifest member : " + obj.0);
+      }
+    }
+
+    var result : seq<(string, JSON)> :=
+      [Manifest(), Client(lang, version), ("keys", String("file://keys.json"))];
+
+    var test : seq<(string, JSON)> := [];
+
+    for i := 0 to |tests.value| {
+      var obj := tests.value[i];
+      :- Need(obj.1.Object?, "Value of test '" + obj.0 + "' must be an Object.");
+      var newTest :- OneTest(obj.0, obj.1);
+      if newTest.Some? {
+        test := test + [newTest.value];
+      }
+    }
+
+    var final := Object(result + [("tests", Object(test))]);
+    var jsonBytes :- expect API.Serialize(final);
+    var jsonBv := BytesBv(jsonBytes);
+    var x :- expect FileIO.WriteBytesToFile(outFile, jsonBv);
+    return Success(true);
+  }
+
+}