refactor!: Change MultiKeyring.children to a seq<Keyring> #223
Conversation
Add UTF8 encoding/decoding (#74)
First blocker: Valid() is not compilable AFAICT so you can’t test it dynamically
Deals with subtypes in externs as well (those should be forbidden by the compiler as well)
… into extern-soundness
… into extern-soundness # Conflicts: # src/SDK/Keyring/Defs.dfy # src/SDK/Keyring/KMSKeyring.dfy # src/SDK/Keyring/MultiKeyring.dfy # src/api/dotnet/Keyrings.cs
…even though it’s cheating because it can’t call Valid() in compiled code :)
Lemmas to the rescue!
… into extern-soundness # Conflicts: # test/api/dotnet/ClientTests.cs
… into extern-soundness # Conflicts: # test/SDK/Client.dfy
Allows the progress so far to be committed
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
… into multi-keyring-children-as-sequence # Conflicts: # src/extern/dotnet/RSAEncryption.cs # test/api/dotnet/ClientTests.cs
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Note that all of the |
src/SDK/Keyring/KMSKeyring.dfy
Outdated
| var _ :- FailUnless(clientSupplier != null, "Client supplier is required"); | ||
| var _ :- FailUnless(|grantTokens| <= KMSUtils.MAX_GRANT_TOKENS, "Too many grant tokens"); | ||
| var keyIDsNoBlanks := Filter(keyIDs, keyID => keyID != ""); | ||
| var _ :- FailUnless(forall keyID :: keyID in keyIDsNoBlanks ==> KMSUtils.ValidFormatCMK(keyID), "Invalid CMK(s)"); |
There was a problem hiding this comment.
I suspect that this has the potential to be an incredibly slow line. (speaking as the person who wrote ValidFormatCMK)
We should have an issue to make that function ghost, and back it with a compiled non-recursive method.
There was a problem hiding this comment.
I actually intended to delay these changes to the next PR :) I'm going to remove them from this one.
But since you mention it, it's a good point that we're going to have a lot of lurking performance issues as we add more dynamic execution of requirements. I mentioned to Rustan that we could really use tail recursion for functions, so hopefully we could tackle it that way. I worry more about stack overflow errors than performance personally.
src/SDK/Keyring/KMSKeyring.dfy
Outdated
| if |generator| == 0 { | ||
| generatorOption := None; | ||
| } else { | ||
| var _ :- FailUnless(KMSUtils.ValidFormatCMK(generator), "Invalid generator CMK(s)"); |
There was a problem hiding this comment.
Only one generator CMK, also it would be nice to include the invalid string in the error message.
There was a problem hiding this comment.
See above, will move to the next PR and fix there.
src/SDK/Keyring/KMSKeyring.dfy
Outdated
| var _ :- FailUnless(KMSUtils.ValidFormatCMK(generator), "Invalid generator CMK(s)"); | ||
| generatorOption := Some(generator); | ||
| } | ||
| var _ :- FailUnless(forall grantToken :: grantToken in grantTokens ==> 0 < |grantToken| <= 8192, "Invalid grant token(s)"); |
There was a problem hiding this comment.
The bounds for the GrantToken type were written before we standardized on the Valid() ValidWitness() pattern. It should be brought inline with the new pattern, instead of using the raw integer here.
There was a problem hiding this comment.
See above, will move to the next PR and fix there.
src/extern/dotnet/StandardLibrary.cs
Outdated
| } | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Thanks, punting this to the next PR anyway
test/api/dotnet/ClientTests.cs
Outdated
| private static string SUCCESS = "SUCCESS"; | ||
|
|
||
| // MakeKMSKeyring is a helper method that creates a KMS Keyring for unit testing | ||
| private Keyring MakeKMSKeyring() | ||
| private Keyring MakeKMSKeyring() |
src/SDK/CMM/DefaultCMM.dfy
Outdated
| @@ -55,6 +55,7 @@ module {:extern "DefaultCMMDef"} DefaultCMMDef { | |||
| case None => true | |||
| case Some(sigType) => | |||
| res.value.signingKey.Some? | |||
| decreases * | |||
There was a problem hiding this comment.
Add TODO here too
Is there an issue for the dafny change to prove some termination? Is there any corresponding issue esdk side?
There was a problem hiding this comment.
There will definitely be an issue, yes. On sober second thought I'm going to delay these changes as well so they're in context for why we need them.
src/SDK/Keyring/Defs.dfy
Outdated
| @@ -10,8 +10,8 @@ module {:extern "KeyringDefs"} KeyringDefs { | |||
| import AlgorithmSuite | |||
|
|
|||
| trait {:termination false} Keyring { | |||
| ghost var Repr : set<object> | |||
| predicate Valid() reads this, Repr | |||
| ghost const Repr : set<object> | |||
There was a problem hiding this comment.
Is this requiring that all implemented keyrings not maintain any changeable state? And if so, doesn't that limit the range of behavior that the spec currently allows in Keyrings? e.g. There could be some user out there that has already created their own keyring in Java/Python/JS that won't be able to create their keyring in C#.
Why is this change necessary? I'm guessing it's needed to prove something about the Multikeyring, but maybe we need to examine what the implication of that proof is, and how important it actually is.
There was a problem hiding this comment.
It's more related to the next change, which provides a way for the control flow from external code to ensure that any object is ever Valid(). I think I will again punt this to the next change for better context.
It doesn't mean no changeable state at all, but it does mean no change in the set of objects that make up Repr. So a Keyring could certainly have some fields that are allowed to change.
There was a problem hiding this comment.
Got it, I'm still concerned about how that might limit behavior, but we can discuss that in the next PR.
src/SDK/Keyring/KMSKeyring.dfy
Outdated
| @@ -109,6 +135,7 @@ module {:extern "KMSKeyringDef"} KMSKeyringDef { | |||
| && materials.encryptedDataKeys <= res.value.encryptedDataKeys | |||
| && materials.signingKey == res.value.signingKey | |||
| ensures isDiscovery ==> res.Success? && res.value == materials | |||
| decreases Repr | |||
There was a problem hiding this comment.
Why was this not needed before but is needed now?
| ensures Valid() | ||
| { | ||
| generator := g; | ||
| children := c; | ||
| Repr := {this} + (if g != null then {g} + g.Repr else {}) + {children} + childrenRepr(c[..]); | ||
| Repr := {this} + (if g != null then {g} + g.Repr else {}) + childrenRepr(c); |
There was a problem hiding this comment.
Why remove {children}? Is there anything other than idiom that enforces that Repr contains this?
There was a problem hiding this comment.
Because children is now a sequence and therefore not an object, so it can't be part of Repr any more! :)
src/api/dotnet/Client.cs
Outdated
| using byteseq = Dafny.Sequence<byte>; | ||
| using icharseq = Dafny.ISequence<char>; | ||
| using charseq = Dafny.Sequence<char>; |
There was a problem hiding this comment.
Remove byteseq and charseq here and in other files (unless I missed somewhere where they are still used)
There was a problem hiding this comment.
Good catch - annoying that Rider doesn't seem to detect unused usings :)
| @@ -18,6 +18,8 @@ module {:extern "STL"} StandardLibrary { | |||
| } | |||
| } | |||
|
|
|||
| method {:extern} As<T>(x: object) returns (r: Option<T>) | |||
There was a problem hiding this comment.
Does this need to be added as part of this PR? I don't see where it is currently used.
src/SDK/Materials.dfy
Outdated
| @@ -131,6 +131,13 @@ module {:extern "Materials"} Materials { | |||
|
|
|||
| type ValidEncryptionMaterials = i: EncryptionMaterials | i.Valid() witness EncryptionMaterials.ValidWitness() | |||
|
|
|||
| class {:extern} ExternalEncryptionMaterials { | |||
There was a problem hiding this comment.
Same here, why is this added in this PR?
There was a problem hiding this comment.
Another accidentally change along for the ride, removing
robin-aws
changed the title
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Apologies for the messy PR - I didn't look closely enough at what I'd failed to remove. :) |
…ws#223) Co-authored-by: lavaleri <49660121+lavaleri@users.noreply.github.com> Co-authored-by: seebees <ryanemer@amazon.com>
…223) Co-authored-by: lavaleri <49660121+lavaleri@users.noreply.github.com> Co-authored-by: seebees <ryanemer@amazon.com>
…223) Co-authored-by: lavaleri <49660121+lavaleri@users.noreply.github.com> Co-authored-by: seebees <ryanemer@amazon.com>
…223) Co-authored-by: lavaleri <49660121+lavaleri@users.noreply.github.com> Co-authored-by: seebees <ryanemer@amazon.com>
Resolves #222
BREAKING CHANGE: Changes the signature of constructing a
MultiKeyringBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.