From 2a217b302a6c8a91155ae02751f1ca68454e8f01 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Mon, 29 Sep 2025 14:40:31 -0700 Subject: [PATCH 01/11] add duvet everywhere --- .github/workflows/test.yml | 19 ++++ test-server/Makefile | 7 ++ test-server/cpp-v2-server/.duvet/.gitignore | 2 + test-server/cpp-v2-server/.duvet/config.toml | 20 ++++ test-server/cpp-v2-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/cpp-v2-server/Makefile | 6 + test-server/go-v3-server/.duvet/.gitignore | 2 + test-server/go-v3-server/.duvet/config.toml | 17 +++ test-server/go-v3-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/go-v3-server/Makefile | 6 + test-server/java-v3-server/.duvet/.gitignore | 2 + test-server/java-v3-server/.duvet/config.toml | 17 +++ .../java-v3-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/java-v3-server/Makefile | 6 + ...amazon.smithy.java.core.schema.SchemaIndex | 1 + .../java-v3-server/bin/main/client.smithy | 37 +++++++ .../java-v3-server/bin/main/main.smithy | 34 ++++++ .../java-v3-server/bin/main/object.smithy | 103 ++++++++++++++++++ .../net-v2-v3-server/.duvet/.gitignore | 2 + .../net-v2-v3-server/.duvet/config.toml | 17 +++ .../net-v2-v3-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/net-v2-v3-server/Makefile | 8 +- test-server/php-v2-server/.duvet/.gitignore | 2 + test-server/php-v2-server/.duvet/config.toml | 17 +++ test-server/php-v2-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/php-v2-server/Makefile | 6 + test-server/php-v3-server/.duvet/.gitignore | 2 + test-server/php-v3-server/.duvet/config.toml | 17 +++ test-server/php-v3-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/php-v3-server/Makefile | 6 + .../python-v3-server/.duvet/.gitignore | 2 + .../python-v3-server/.duvet/config.toml | 18 +++ .../python-v3-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/ruby-v3-server/.duvet/.gitignore | 2 + test-server/ruby-v3-server/.duvet/config.toml | 18 +++ .../ruby-v3-server/.duvet/snapshot.txt | 83 ++++++++++++++ test-server/ruby-v3-server/Makefile | 6 + 37 files changed, 1065 insertions(+), 1 deletion(-) create mode 100644 test-server/cpp-v2-server/.duvet/.gitignore create mode 100644 test-server/cpp-v2-server/.duvet/config.toml create mode 100644 test-server/cpp-v2-server/.duvet/snapshot.txt create mode 100644 test-server/go-v3-server/.duvet/.gitignore create mode 100644 test-server/go-v3-server/.duvet/config.toml create mode 100644 test-server/go-v3-server/.duvet/snapshot.txt create mode 100644 test-server/java-v3-server/.duvet/.gitignore create mode 100644 test-server/java-v3-server/.duvet/config.toml create mode 100644 test-server/java-v3-server/.duvet/snapshot.txt create mode 100644 test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex create mode 100644 test-server/java-v3-server/bin/main/client.smithy create mode 100644 test-server/java-v3-server/bin/main/main.smithy create mode 100644 test-server/java-v3-server/bin/main/object.smithy create mode 100644 test-server/net-v2-v3-server/.duvet/.gitignore create mode 100644 test-server/net-v2-v3-server/.duvet/config.toml create mode 100644 test-server/net-v2-v3-server/.duvet/snapshot.txt create mode 100644 test-server/php-v2-server/.duvet/.gitignore create mode 100644 test-server/php-v2-server/.duvet/config.toml create mode 100644 test-server/php-v2-server/.duvet/snapshot.txt create mode 100644 test-server/php-v3-server/.duvet/.gitignore create mode 100644 test-server/php-v3-server/.duvet/config.toml create mode 100644 test-server/php-v3-server/.duvet/snapshot.txt create mode 100644 test-server/python-v3-server/.duvet/.gitignore create mode 100644 test-server/python-v3-server/.duvet/config.toml create mode 100644 test-server/python-v3-server/.duvet/snapshot.txt create mode 100644 test-server/ruby-v3-server/.duvet/.gitignore create mode 100644 test-server/ruby-v3-server/.duvet/config.toml create mode 100644 test-server/ruby-v3-server/.duvet/snapshot.txt diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a07c9a96..c01b9f06 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -114,6 +114,25 @@ jobs: TEST_SERVER_KMS_KEY_ARN: ${{ vars.TEST_SERVER_KMS_KEY_ARN }} GRADLE_OPTS: "-Dorg.gradle.daemon=true -Dorg.gradle.parallel=true -Dorg.gradle.caching=true" + - name: Setup Rust toolchain + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: stable + + - name: Install Rust package + run: cargo install duvet + + - name: Run duvet + if: always() + run: cd test-server && make duvet + + - name: Upload duvet reports + if: always() + uses: actions/upload-artifact@v4 + with: + name: reports + path: test-server/*-server/.duvet/reports/report.html + - name: Upload results if: always() uses: actions/upload-artifact@v4 diff --git a/test-server/Makefile b/test-server/Makefile index 7fd66285..a5d83908 100644 --- a/test-server/Makefile +++ b/test-server/Makefile @@ -119,3 +119,10 @@ test-create-client: -H "User-Agent: smithy-java/0.0.3 ua/2.1 os/macos#15.5 lang/java#23.0.2" \ -d '{"config":{"enableLegacyUnauthenticatedModes":false,"enableDelayedAuthenticationMode":false,"enableLegacyWrappingAlgorithms":false,"keyMaterial":{"kmsKeyId":"arn:aws:kms:us-west-2:370957321024:alias/S3EC-Test-Server-Github-KMS-Key"}}}' \ http://localhost:$(PORT)/client + +duvet: + @echo "Running duvet reports..." + @for dir in $(SERVER_DIRS); do \ + echo "Running make duvet in $$dir..."; \ + $(MAKE) -C $$dir duvet; \ + done \ No newline at end of file diff --git a/test-server/cpp-v2-server/.duvet/.gitignore b/test-server/cpp-v2-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/cpp-v2-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/cpp-v2-server/.duvet/config.toml b/test-server/cpp-v2-server/.duvet/config.toml new file mode 100644 index 00000000..343b6853 --- /dev/null +++ b/test-server/cpp-v2-server/.duvet/config.toml @@ -0,0 +1,20 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "aws-sdk-cpp/src/aws-cpp-sdk-s3-encryption/**/*.cpp" + +[[source]] +pattern = "aws-sdk-cpp/src/aws-cpp-sdk-s3-encryption/**/*.h" + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/cpp-v2-server/.duvet/snapshot.txt b/test-server/cpp-v2-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/cpp-v2-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/cpp-v2-server/Makefile b/test-server/cpp-v2-server/Makefile index 9e0f04b1..cc562c1a 100644 --- a/test-server/cpp-v2-server/Makefile +++ b/test-server/cpp-v2-server/Makefile @@ -29,3 +29,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/go-v3-server/.duvet/.gitignore b/test-server/go-v3-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/go-v3-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/go-v3-server/.duvet/config.toml b/test-server/go-v3-server/.duvet/config.toml new file mode 100644 index 00000000..983be744 --- /dev/null +++ b/test-server/go-v3-server/.duvet/config.toml @@ -0,0 +1,17 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "**/*.go" + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/go-v3-server/.duvet/snapshot.txt b/test-server/go-v3-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/go-v3-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/go-v3-server/Makefile b/test-server/go-v3-server/Makefile index 0ab142de..fb61e578 100644 --- a/test-server/go-v3-server/Makefile +++ b/test-server/go-v3-server/Makefile @@ -23,3 +23,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/java-v3-server/.duvet/.gitignore b/test-server/java-v3-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/java-v3-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/java-v3-server/.duvet/config.toml b/test-server/java-v3-server/.duvet/config.toml new file mode 100644 index 00000000..063c6d3d --- /dev/null +++ b/test-server/java-v3-server/.duvet/config.toml @@ -0,0 +1,17 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "**/*.java" + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/java-v3-server/.duvet/snapshot.txt b/test-server/java-v3-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/java-v3-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/java-v3-server/Makefile b/test-server/java-v3-server/Makefile index 1e0dc763..445be2ac 100644 --- a/test-server/java-v3-server/Makefile +++ b/test-server/java-v3-server/Makefile @@ -22,3 +22,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex b/test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex new file mode 100644 index 00000000..19360b77 --- /dev/null +++ b/test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex @@ -0,0 +1 @@ +software.amazon.encryption.s3.model.GeneratedSchemaIndex diff --git a/test-server/java-v3-server/bin/main/client.smithy b/test-server/java-v3-server/bin/main/client.smithy new file mode 100644 index 00000000..4de56b5b --- /dev/null +++ b/test-server/java-v3-server/bin/main/client.smithy @@ -0,0 +1,37 @@ +$version: "2.0" + +namespace software.amazon.encryption.s3 + +/// Client Creation/Configuration +@http(method: "POST", uri: "/client") +operation CreateClient { + input: CreateClientInput, + output: CreateClientOutput, +} + +@input +structure CreateClientInput { + config: S3ECConfig, +} + +@output +structure CreateClientOutput { + clientId: String, +} + +/// Since it's possible to pass this directly, include it separately +/// Probably also need a Keyring structure to signal when to create Keyrings directly +/// Or maybe KeyringConfig +structure KeyMaterial { + rsaKey: Blob, + aesKey: Blob, + kmsKeyId: String +} + +structure S3ECConfig { + enableLegacyUnauthenticatedModes: Boolean = false, + enableDelayedAuthenticationMode: Boolean = false, + enableLegacyWrappingAlgorithms: Boolean = false, + setBufferSize: Long, + keyMaterial: KeyMaterial +} diff --git a/test-server/java-v3-server/bin/main/main.smithy b/test-server/java-v3-server/bin/main/main.smithy new file mode 100644 index 00000000..0f7611b5 --- /dev/null +++ b/test-server/java-v3-server/bin/main/main.smithy @@ -0,0 +1,34 @@ +$version: "2" + +namespace software.amazon.encryption.s3 + +use aws.protocols#restJson1 + +@title("S3 Encryption Client Test Service") +@restJson1 +service S3ECTestServer { + version: "2024-08-23" + operations: [ + CreateClient + ] + resources: [ + Object + ] + errors: [GenericServerError, S3EncryptionClientError] +} + +/// Used for "internal" errors, e.g. problems with the test server itself +/// Tests MUST NOT expect this error in negative tests. +@error("server") +structure GenericServerError { + @required + message: String +} + +/// Used for modeled errors, e.g. errors thrown by the S3EC +/// Tests SHOULD expect this error in negative tests. +@error("server") +structure S3EncryptionClientError { + @required + message: String +} diff --git a/test-server/java-v3-server/bin/main/object.smithy b/test-server/java-v3-server/bin/main/object.smithy new file mode 100644 index 00000000..623d8ed3 --- /dev/null +++ b/test-server/java-v3-server/bin/main/object.smithy @@ -0,0 +1,103 @@ +$version: "2.0" + +namespace software.amazon.encryption.s3 + +/// Represents an S3-like bucket +///resource Bucket { +/// identifiers: { +/// bucketName: String +/// } +///} + +/// Represents an S3-like object +resource Object { + identifiers: { + bucket: String + key: String + } + properties: { + body: StreamingBlob + metadata: ObjectMetadata + } + read: GetObject + put: PutObject +} + +@idempotent +@http(method: "PUT", uri: "/object/{bucket}/{key}") +operation PutObject { + input := for Object { + @httpLabel + @required + $bucket + + @httpLabel + @required + $key + + @httpHeader("Content-Metadata") + $metadata + + @required + @httpPayload + $body + + @httpHeader("ClientID") + @required + @notProperty + clientID: String + } + + output := for Object { + @required + $bucket + + @required + $key + + @required + $metadata + } +} + +@readonly +@http(method: "GET", uri: "/object/{bucket}/{key}") +operation GetObject { + input := for Object { + @httpLabel + @required + $bucket + + @httpLabel + @required + $key + + /// Should probably be renamed to be EC specific + @httpHeader("Content-Metadata") + $metadata + + @httpHeader("ClientID") + @required + @notProperty + clientID: String + } + + output := for Object { + @httpHeader("Content-Metadata") + @required + $metadata + + @required + @httpPayload + $body + } +} + +/// Smithy does not know how to serialize a map +list ObjectMetadata { + member: String +} + +/// Seems like Streaming is broken in Java. +///@streaming +blob StreamingBlob diff --git a/test-server/net-v2-v3-server/.duvet/.gitignore b/test-server/net-v2-v3-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/net-v2-v3-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/net-v2-v3-server/.duvet/config.toml b/test-server/net-v2-v3-server/.duvet/config.toml new file mode 100644 index 00000000..8c394316 --- /dev/null +++ b/test-server/net-v2-v3-server/.duvet/config.toml @@ -0,0 +1,17 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "**/*.cs" + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/net-v2-v3-server/.duvet/snapshot.txt b/test-server/net-v2-v3-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/net-v2-v3-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/net-v2-v3-server/Makefile b/test-server/net-v2-v3-server/Makefile index f5b18688..a16ff57e 100644 --- a/test-server/net-v2-v3-server/Makefile +++ b/test-server/net-v2-v3-server/Makefile @@ -52,4 +52,10 @@ start-net-v3-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT_NET_V2) \ - $(MAKE) -C .. wait-for-port PORT=$(PORT_NET_V3) \ No newline at end of file + $(MAKE) -C .. wait-for-port PORT=$(PORT_NET_V3) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/php-v2-server/.duvet/.gitignore b/test-server/php-v2-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/php-v2-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/php-v2-server/.duvet/config.toml b/test-server/php-v2-server/.duvet/config.toml new file mode 100644 index 00000000..eb6481ae --- /dev/null +++ b/test-server/php-v2-server/.duvet/config.toml @@ -0,0 +1,17 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "local-php-sdk/src/S3/**/*.php" + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/php-v2-server/.duvet/snapshot.txt b/test-server/php-v2-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/php-v2-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/php-v2-server/Makefile b/test-server/php-v2-server/Makefile index 6962ce5e..adb63258 100644 --- a/test-server/php-v2-server/Makefile +++ b/test-server/php-v2-server/Makefile @@ -22,3 +22,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/php-v3-server/.duvet/.gitignore b/test-server/php-v3-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/php-v3-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/php-v3-server/.duvet/config.toml b/test-server/php-v3-server/.duvet/config.toml new file mode 100644 index 00000000..eb6481ae --- /dev/null +++ b/test-server/php-v3-server/.duvet/config.toml @@ -0,0 +1,17 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "local-php-sdk/src/S3/**/*.php" + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/php-v3-server/.duvet/snapshot.txt b/test-server/php-v3-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/php-v3-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/php-v3-server/Makefile b/test-server/php-v3-server/Makefile index d62be452..7b386f71 100644 --- a/test-server/php-v3-server/Makefile +++ b/test-server/php-v3-server/Makefile @@ -22,3 +22,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/python-v3-server/.duvet/.gitignore b/test-server/python-v3-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/python-v3-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/python-v3-server/.duvet/config.toml b/test-server/python-v3-server/.duvet/config.toml new file mode 100644 index 00000000..f0c374b9 --- /dev/null +++ b/test-server/python-v3-server/.duvet/config.toml @@ -0,0 +1,18 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "**/*.py" +comment-style = { meta = "##=", content = "##%" } + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/python-v3-server/.duvet/snapshot.txt b/test-server/python-v3-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/python-v3-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/ruby-v3-server/.duvet/.gitignore b/test-server/ruby-v3-server/.duvet/.gitignore new file mode 100644 index 00000000..0745fbc6 --- /dev/null +++ b/test-server/ruby-v3-server/.duvet/.gitignore @@ -0,0 +1,2 @@ +reports/ +requirements/ \ No newline at end of file diff --git a/test-server/ruby-v3-server/.duvet/config.toml b/test-server/ruby-v3-server/.duvet/config.toml new file mode 100644 index 00000000..0bb7d893 --- /dev/null +++ b/test-server/ruby-v3-server/.duvet/config.toml @@ -0,0 +1,18 @@ +'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json" + +[[source]] +pattern = "local-ruby-sdk/gems/aws-sdk-s3/lib/**/*.rb" +comment-style = { meta = "##=", content = "##%" } + +# Include required specifications here +[[specification]] +source = "../specification/s3-encryption/data-format/content-metadata.md" +[[specification]] +source = "../specification/s3-encryption/data-format/metadata-strategy.md" + +[report.html] +enabled = true + +# Enable snapshots to prevent requirement coverage regressions +[report.snapshot] +enabled = true diff --git a/test-server/ruby-v3-server/.duvet/snapshot.txt b/test-server/ruby-v3-server/.duvet/snapshot.txt new file mode 100644 index 00000000..9c23c073 --- /dev/null +++ b/test-server/ruby-v3-server/.duvet/snapshot.txt @@ -0,0 +1,83 @@ +SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) + SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) + TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. + TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. + TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. + TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. + TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. + TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. + TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. + TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. + TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. + + SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. + TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. + TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. + TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. + TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. + TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. + + SECTION: [V1/V2 Shared](#v1-v2-shared) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + + SECTION: [V3 Only](#v3-only) + TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. + TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. + TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). + TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. + TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. + TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. + +SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) + SECTION: [Object Metadata](#object-metadata) + TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. + TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". + TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. + + SECTION: [Instruction File](#instruction-file) + TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. + TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. + TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. + TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. + TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. + TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. + TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. + TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. + + SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) + TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. + + SECTION: [V3 Instruction Files](#v3-instruction-files) + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. + TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. + TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/ruby-v3-server/Makefile b/test-server/ruby-v3-server/Makefile index e4492423..6e62e785 100644 --- a/test-server/ruby-v3-server/Makefile +++ b/test-server/ruby-v3-server/Makefile @@ -27,3 +27,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html From 12b8d7462c45ef235a3015f2321abdc39712e551 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Mon, 29 Sep 2025 15:30:09 -0700 Subject: [PATCH 02/11] update gitignore --- test-server/cpp-v2-server/.duvet/.gitignore | 3 ++- test-server/go-v3-server/.duvet/.gitignore | 3 ++- test-server/java-v3-server/.duvet/.gitignore | 3 ++- test-server/net-v2-v3-server/.duvet/.gitignore | 3 ++- test-server/php-v2-server/.duvet/.gitignore | 3 ++- test-server/php-v3-server/.duvet/.gitignore | 3 ++- test-server/python-v3-server/.duvet/.gitignore | 3 ++- test-server/ruby-v2-server/.duvet/.gitignore | 3 ++- test-server/ruby-v3-server/.duvet/.gitignore | 3 ++- 9 files changed, 18 insertions(+), 9 deletions(-) diff --git a/test-server/cpp-v2-server/.duvet/.gitignore b/test-server/cpp-v2-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/cpp-v2-server/.duvet/.gitignore +++ b/test-server/cpp-v2-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/go-v3-server/.duvet/.gitignore b/test-server/go-v3-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/go-v3-server/.duvet/.gitignore +++ b/test-server/go-v3-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/java-v3-server/.duvet/.gitignore b/test-server/java-v3-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/java-v3-server/.duvet/.gitignore +++ b/test-server/java-v3-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/net-v2-v3-server/.duvet/.gitignore b/test-server/net-v2-v3-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/net-v2-v3-server/.duvet/.gitignore +++ b/test-server/net-v2-v3-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/php-v2-server/.duvet/.gitignore b/test-server/php-v2-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/php-v2-server/.duvet/.gitignore +++ b/test-server/php-v2-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/php-v3-server/.duvet/.gitignore b/test-server/php-v3-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/php-v3-server/.duvet/.gitignore +++ b/test-server/php-v3-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/python-v3-server/.duvet/.gitignore b/test-server/python-v3-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/python-v3-server/.duvet/.gitignore +++ b/test-server/python-v3-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/ruby-v2-server/.duvet/.gitignore b/test-server/ruby-v2-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/ruby-v2-server/.duvet/.gitignore +++ b/test-server/ruby-v2-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file diff --git a/test-server/ruby-v3-server/.duvet/.gitignore b/test-server/ruby-v3-server/.duvet/.gitignore index 0745fbc6..93956e36 100644 --- a/test-server/ruby-v3-server/.duvet/.gitignore +++ b/test-server/ruby-v3-server/.duvet/.gitignore @@ -1,2 +1,3 @@ reports/ -requirements/ \ No newline at end of file +requirements/ +specification/ \ No newline at end of file From 480e2c3549514d05028a624ea358cdee079027e2 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Mon, 29 Sep 2025 15:33:57 -0700 Subject: [PATCH 03/11] get the right branch --- .gitmodules | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitmodules b/.gitmodules index 9af1f468..30ad972d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -15,3 +15,4 @@ [submodule "test-server/specification"] path = test-server/specification url = git@github.com:awslabs/private-aws-encryption-sdk-specification-staging.git + branch = fire-egg-staging From 09e5c71376c9728b3b171ac963471914ab88df9c Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Mon, 29 Sep 2025 15:43:16 -0700 Subject: [PATCH 04/11] run it as its own test woops try it now try it now this too try it like this ? this update PHP why? asdf WHAT this? run on latest --- .github/workflows/duvet.yml | 39 +++++++++ .github/workflows/main.yml | 5 ++ .github/workflows/test.yml | 19 ----- test-server/cpp-v2-server/.duvet/config.toml | 2 +- test-server/cpp-v2-server/.duvet/snapshot.txt | 83 ------------------- test-server/go-v3-server/.duvet/config.toml | 2 +- test-server/go-v3-server/.duvet/snapshot.txt | 83 ------------------- test-server/java-v3-server/.duvet/config.toml | 2 +- .../java-v3-server/.duvet/snapshot.txt | 83 ------------------- .../net-v2-v3-server/.duvet/config.toml | 2 +- .../net-v2-v3-server/.duvet/snapshot.txt | 83 ------------------- test-server/php-v2-server/.duvet/config.toml | 5 +- test-server/php-v2-server/.duvet/snapshot.txt | 83 ------------------- test-server/php-v3-server/.duvet/config.toml | 5 +- test-server/php-v3-server/.duvet/snapshot.txt | 83 ------------------- .../python-v3-server/.duvet/config.toml | 2 +- .../python-v3-server/.duvet/snapshot.txt | 83 ------------------- test-server/python-v3-server/Makefile | 6 ++ test-server/ruby-v2-server/.duvet/config.toml | 2 +- .../ruby-v2-server/.duvet/snapshot.txt | 83 ------------------- test-server/ruby-v3-server/.duvet/config.toml | 2 +- .../ruby-v3-server/.duvet/snapshot.txt | 83 ------------------- 22 files changed, 65 insertions(+), 775 deletions(-) create mode 100644 .github/workflows/duvet.yml delete mode 100644 test-server/cpp-v2-server/.duvet/snapshot.txt delete mode 100644 test-server/go-v3-server/.duvet/snapshot.txt delete mode 100644 test-server/java-v3-server/.duvet/snapshot.txt delete mode 100644 test-server/net-v2-v3-server/.duvet/snapshot.txt delete mode 100644 test-server/php-v2-server/.duvet/snapshot.txt delete mode 100644 test-server/php-v3-server/.duvet/snapshot.txt delete mode 100644 test-server/python-v3-server/.duvet/snapshot.txt delete mode 100644 test-server/ruby-v2-server/.duvet/snapshot.txt delete mode 100644 test-server/ruby-v3-server/.duvet/snapshot.txt diff --git a/.github/workflows/duvet.yml b/.github/workflows/duvet.yml new file mode 100644 index 00000000..03247470 --- /dev/null +++ b/.github/workflows/duvet.yml @@ -0,0 +1,39 @@ +name: Run Tests + +on: + workflow_call: + # Optional inputs that can be provided when calling this workflow + +jobs: + test: + runs-on: macos-latest + permissions: + id-token: write + contents: read + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + submodules: true + token: ${{ secrets.PAT_FOR_PRIVATE_RUBY }} + + - name: Setup Rust toolchain + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: stable + + - name: Install Rust package + run: cargo install duvet + + - name: Run duvet + if: always() + run: cd test-server && make duvet + + - name: Upload duvet reports + if: always() + uses: actions/upload-artifact@v4 + with: + name: reports + include-hidden-files: true + path: test-server/*-server/.duvet/reports/report.html diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e10b7d0d..691144d8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,3 +23,8 @@ jobs: with: python-version: ${{ inputs.python-version || '3.11' }} secrets: inherit + + run-duvet: + name: Run Duvet + uses: ./.github/workflows/duvet.yml + secrets: inherit diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c01b9f06..a07c9a96 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -114,25 +114,6 @@ jobs: TEST_SERVER_KMS_KEY_ARN: ${{ vars.TEST_SERVER_KMS_KEY_ARN }} GRADLE_OPTS: "-Dorg.gradle.daemon=true -Dorg.gradle.parallel=true -Dorg.gradle.caching=true" - - name: Setup Rust toolchain - uses: actions-rust-lang/setup-rust-toolchain@v1 - with: - toolchain: stable - - - name: Install Rust package - run: cargo install duvet - - - name: Run duvet - if: always() - run: cd test-server && make duvet - - - name: Upload duvet reports - if: always() - uses: actions/upload-artifact@v4 - with: - name: reports - path: test-server/*-server/.duvet/reports/report.html - - name: Upload results if: always() uses: actions/upload-artifact@v4 diff --git a/test-server/cpp-v2-server/.duvet/config.toml b/test-server/cpp-v2-server/.duvet/config.toml index 343b6853..6afdb7a4 100644 --- a/test-server/cpp-v2-server/.duvet/config.toml +++ b/test-server/cpp-v2-server/.duvet/config.toml @@ -17,4 +17,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/cpp-v2-server/.duvet/snapshot.txt b/test-server/cpp-v2-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/cpp-v2-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/go-v3-server/.duvet/config.toml b/test-server/go-v3-server/.duvet/config.toml index 983be744..cfb23be5 100644 --- a/test-server/go-v3-server/.duvet/config.toml +++ b/test-server/go-v3-server/.duvet/config.toml @@ -14,4 +14,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/go-v3-server/.duvet/snapshot.txt b/test-server/go-v3-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/go-v3-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/java-v3-server/.duvet/config.toml b/test-server/java-v3-server/.duvet/config.toml index 063c6d3d..28392e9c 100644 --- a/test-server/java-v3-server/.duvet/config.toml +++ b/test-server/java-v3-server/.duvet/config.toml @@ -14,4 +14,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/java-v3-server/.duvet/snapshot.txt b/test-server/java-v3-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/java-v3-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/net-v2-v3-server/.duvet/config.toml b/test-server/net-v2-v3-server/.duvet/config.toml index 8c394316..bb3f4cfd 100644 --- a/test-server/net-v2-v3-server/.duvet/config.toml +++ b/test-server/net-v2-v3-server/.duvet/config.toml @@ -14,4 +14,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/net-v2-v3-server/.duvet/snapshot.txt b/test-server/net-v2-v3-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/net-v2-v3-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/php-v2-server/.duvet/config.toml b/test-server/php-v2-server/.duvet/config.toml index eb6481ae..5076f582 100644 --- a/test-server/php-v2-server/.duvet/config.toml +++ b/test-server/php-v2-server/.duvet/config.toml @@ -3,6 +3,9 @@ [[source]] pattern = "local-php-sdk/src/S3/**/*.php" +[[source]] +pattern = "local-php-sdk/src/Crypto/**/*.php" + # Include required specifications here [[specification]] source = "../specification/s3-encryption/data-format/content-metadata.md" @@ -14,4 +17,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/php-v2-server/.duvet/snapshot.txt b/test-server/php-v2-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/php-v2-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/php-v3-server/.duvet/config.toml b/test-server/php-v3-server/.duvet/config.toml index eb6481ae..5076f582 100644 --- a/test-server/php-v3-server/.duvet/config.toml +++ b/test-server/php-v3-server/.duvet/config.toml @@ -3,6 +3,9 @@ [[source]] pattern = "local-php-sdk/src/S3/**/*.php" +[[source]] +pattern = "local-php-sdk/src/Crypto/**/*.php" + # Include required specifications here [[specification]] source = "../specification/s3-encryption/data-format/content-metadata.md" @@ -14,4 +17,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/php-v3-server/.duvet/snapshot.txt b/test-server/php-v3-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/php-v3-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/python-v3-server/.duvet/config.toml b/test-server/python-v3-server/.duvet/config.toml index f0c374b9..2523bc1b 100644 --- a/test-server/python-v3-server/.duvet/config.toml +++ b/test-server/python-v3-server/.duvet/config.toml @@ -15,4 +15,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/python-v3-server/.duvet/snapshot.txt b/test-server/python-v3-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/python-v3-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/python-v3-server/Makefile b/test-server/python-v3-server/Makefile index e6e9d509..0468dc87 100644 --- a/test-server/python-v3-server/Makefile +++ b/test-server/python-v3-server/Makefile @@ -26,3 +26,9 @@ stop-server: wait-for-server: $(MAKE) -C .. wait-for-port PORT=$(PORT) + +duvet: + duvet report + +view-report-mac: + open .duvet/reports/report.html diff --git a/test-server/ruby-v2-server/.duvet/config.toml b/test-server/ruby-v2-server/.duvet/config.toml index 0bb7d893..3c0ac627 100644 --- a/test-server/ruby-v2-server/.duvet/config.toml +++ b/test-server/ruby-v2-server/.duvet/config.toml @@ -15,4 +15,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/ruby-v2-server/.duvet/snapshot.txt b/test-server/ruby-v2-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/ruby-v2-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. diff --git a/test-server/ruby-v3-server/.duvet/config.toml b/test-server/ruby-v3-server/.duvet/config.toml index 0bb7d893..3c0ac627 100644 --- a/test-server/ruby-v3-server/.duvet/config.toml +++ b/test-server/ruby-v3-server/.duvet/config.toml @@ -15,4 +15,4 @@ enabled = true # Enable snapshots to prevent requirement coverage regressions [report.snapshot] -enabled = true +enabled = false diff --git a/test-server/ruby-v3-server/.duvet/snapshot.txt b/test-server/ruby-v3-server/.duvet/snapshot.txt deleted file mode 100644 index 9c23c073..00000000 --- a/test-server/ruby-v3-server/.duvet/snapshot.txt +++ /dev/null @@ -1,83 +0,0 @@ -SPECIFICATION: [Content Metadata](../specification/s3-encryption/data-format/content-metadata.md) - SECTION: [Content Metadata MapKeys](#content-metadata-mapkeys) - TEXT[!MUST]: The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code. - TEXT[!MUST]: The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys. - TEXT[!SHOULD]: - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V1 format objects. - TEXT[!MUST]: - The mapkey "x-amz-key-v2" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-matdesc" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-iv" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-wrap-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-cek-alg" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-tag-len" MUST be present for V2 format objects. - TEXT[!MUST]: - The mapkey "x-amz-c" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-c") SHOULD be represented by a constant named "CONTENT_CIPHER_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-3" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-3") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-m" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-m") SHOULD be represented by a constant named "MAT_DESC_V3" or similar in the implementation code. - TEXT[!SHOULD]: - The mapkey "x-amz-t" SHOULD be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-t") SHOULD be represented by a constant named "ENCRYPTION_CONTEXT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-w" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-w") SHOULD be represented by a constant named "ENCRYPTED_DATA_KEY_ALGORITHM_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-d" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-d") SHOULD be represented by a constant named "KEY_COMMITMENT_V3" or similar in the implementation code. - TEXT[!MUST]: - The mapkey "x-amz-i" MUST be present for V3 format objects. - TEXT[!SHOULD]: - This mapkey ("x-amz-i") SHOULD be represented by a constant named "MESSAGE_ID_V3" or similar in the implementation code. - TEXT[!MUST]: In the V3 format, the mapkeys "x-amz-c", "x-amz-d", and "x-amz-i" MUST be stored exclusively in the Object Metadata. - - SECTION: [Determining S3EC Object Status](#determining-s3ec-object-status) - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-key" then the object MUST be considered as an S3EC-encrypted object using the V1 format. - TEXT[!MUST]: - If the metadata contains "x-amz-iv" and "x-amz-metadata-x-amz-key-v2" then the object MUST be considered as an S3EC-encrypted object using the V2 format. - TEXT[!MUST]: - If the metadata contains "x-amz-3" and "x-amz-d" and "x-amz-i" then the object MUST be considered an S3EC-encrypted object using the V3 format. - TEXT[!MUST]: If the object matches none of the V1/V2/V3 formats, the S3EC MUST attempt to get the instruction file. - TEXT[!SHOULD]: If there are multiple mapkeys which are meant to be exclusive, such as "x-amz-key", "x-amz-key-v2", and "x-amz-3" then the S3EC SHOULD throw an exception. - TEXT[!SHOULD]: In general, if there is any deviation from the above format, with the exception of additional unrelated mapkeys, then the S3EC SHOULD throw an exception. - - SECTION: [V1/V2 Shared](#v1-v2-shared) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - - SECTION: [V3 Only](#v3-only) - TEXT[!MAY]: This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server. - TEXT[!MUST]: The Material Description MUST only be read when there is no Encryption Context. - TEXT[!MUST]: The default Material Description value MUST be set to an empty map (`{}`). - TEXT[!MUST]: The Encryption Context value MUST take precedence over Material Description when decoding. - TEXT[!MUST]: - The wrapping algorithm value "01" MUST be translated to AESWrap upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "02" MUST be translated to AES/GCM upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "11" MUST be translated to kms upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "12" MUST be translated to kms+context upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "21" MUST be translated to RSA/ECB/OAEPWithSHA-256AndMGF1Padding upon retrieval, and vice versa on write. - TEXT[!MUST]: - The wrapping algorithm value "22" MUST be translated to RSA-OAEP-SHA1 upon retrieval, and vice versa on write. - -SPECIFICATION: [Content Metadata Strategy](../specification/s3-encryption/data-format/metadata-strategy.md) - SECTION: [Object Metadata](#object-metadata) - TEXT[!MUST]: By default, the S3EC MUST store content metadata in the S3 Object Metadata. - TEXT[!SHOULD]: The S3EC SHOULD support decoding the S3 Server's "double encoding". - TEXT[!MUST]: If the S3EC does not support decoding the S3 Server's "double encoding" then it MUST return the content metadata untouched. - - SECTION: [Instruction File](#instruction-file) - TEXT[!MUST]: The S3EC MUST support writing some or all (depending on format) content metadata to an Instruction File. - TEXT[!MUST]: The content metadata stored in the Instruction File MUST be serialized to a JSON string. - TEXT[!MUST]: The serialized JSON string MUST be the only contents of the Instruction File. - TEXT[!MUST]: Instruction File writes MUST NOT be enabled by default. - TEXT[!MUST]: Instruction File writes MUST be optionally configured during client creation or on each PutObject request. - TEXT[!MAY]: The S3EC MAY support re-encryption/key rotation via Instruction Files. - TEXT[!MUST]: The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption. - TEXT[!SHOULD]: The S3EC SHOULD support providing a custom Instruction File suffix on GetObject requests, regardless of whether or not re-encryption is supported. - - SECTION: [V1/V2 Instruction Files](#v1-v2-instruction-files) - TEXT[!MUST]: In the V1/V2 message format, all of the content metadata MUST be stored in the Instruction File. - - SECTION: [V3 Instruction Files](#v3-instruction-files) - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-c" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-c" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-d" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-d" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-i" and its value in the Object Metadata when writing with an Instruction File. - TEXT[!MUST]: - The V3 message format MUST NOT store the mapkey "x-amz-i" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-3" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-w" and its value in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-m" and its value (when present in the content metadata) in the Instruction File. - TEXT[!MUST]: - The V3 message format MUST store the mapkey "x-amz-t" and its value (when present in the content metadata) in the Instruction File. From ffece3ee869a4ef063805c6253dcd53bef1d00c6 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 11:03:14 -0700 Subject: [PATCH 05/11] remove --- ...amazon.smithy.java.core.schema.SchemaIndex | 1 - .../java-v3-server/bin/main/client.smithy | 37 ------- .../java-v3-server/bin/main/main.smithy | 34 ------ .../java-v3-server/bin/main/object.smithy | 103 ------------------ 4 files changed, 175 deletions(-) delete mode 100644 test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex delete mode 100644 test-server/java-v3-server/bin/main/client.smithy delete mode 100644 test-server/java-v3-server/bin/main/main.smithy delete mode 100644 test-server/java-v3-server/bin/main/object.smithy diff --git a/test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex b/test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex deleted file mode 100644 index 19360b77..00000000 --- a/test-server/java-v3-server/bin/main/META-INF/services/software.amazon.smithy.java.core.schema.SchemaIndex +++ /dev/null @@ -1 +0,0 @@ -software.amazon.encryption.s3.model.GeneratedSchemaIndex diff --git a/test-server/java-v3-server/bin/main/client.smithy b/test-server/java-v3-server/bin/main/client.smithy deleted file mode 100644 index 4de56b5b..00000000 --- a/test-server/java-v3-server/bin/main/client.smithy +++ /dev/null @@ -1,37 +0,0 @@ -$version: "2.0" - -namespace software.amazon.encryption.s3 - -/// Client Creation/Configuration -@http(method: "POST", uri: "/client") -operation CreateClient { - input: CreateClientInput, - output: CreateClientOutput, -} - -@input -structure CreateClientInput { - config: S3ECConfig, -} - -@output -structure CreateClientOutput { - clientId: String, -} - -/// Since it's possible to pass this directly, include it separately -/// Probably also need a Keyring structure to signal when to create Keyrings directly -/// Or maybe KeyringConfig -structure KeyMaterial { - rsaKey: Blob, - aesKey: Blob, - kmsKeyId: String -} - -structure S3ECConfig { - enableLegacyUnauthenticatedModes: Boolean = false, - enableDelayedAuthenticationMode: Boolean = false, - enableLegacyWrappingAlgorithms: Boolean = false, - setBufferSize: Long, - keyMaterial: KeyMaterial -} diff --git a/test-server/java-v3-server/bin/main/main.smithy b/test-server/java-v3-server/bin/main/main.smithy deleted file mode 100644 index 0f7611b5..00000000 --- a/test-server/java-v3-server/bin/main/main.smithy +++ /dev/null @@ -1,34 +0,0 @@ -$version: "2" - -namespace software.amazon.encryption.s3 - -use aws.protocols#restJson1 - -@title("S3 Encryption Client Test Service") -@restJson1 -service S3ECTestServer { - version: "2024-08-23" - operations: [ - CreateClient - ] - resources: [ - Object - ] - errors: [GenericServerError, S3EncryptionClientError] -} - -/// Used for "internal" errors, e.g. problems with the test server itself -/// Tests MUST NOT expect this error in negative tests. -@error("server") -structure GenericServerError { - @required - message: String -} - -/// Used for modeled errors, e.g. errors thrown by the S3EC -/// Tests SHOULD expect this error in negative tests. -@error("server") -structure S3EncryptionClientError { - @required - message: String -} diff --git a/test-server/java-v3-server/bin/main/object.smithy b/test-server/java-v3-server/bin/main/object.smithy deleted file mode 100644 index 623d8ed3..00000000 --- a/test-server/java-v3-server/bin/main/object.smithy +++ /dev/null @@ -1,103 +0,0 @@ -$version: "2.0" - -namespace software.amazon.encryption.s3 - -/// Represents an S3-like bucket -///resource Bucket { -/// identifiers: { -/// bucketName: String -/// } -///} - -/// Represents an S3-like object -resource Object { - identifiers: { - bucket: String - key: String - } - properties: { - body: StreamingBlob - metadata: ObjectMetadata - } - read: GetObject - put: PutObject -} - -@idempotent -@http(method: "PUT", uri: "/object/{bucket}/{key}") -operation PutObject { - input := for Object { - @httpLabel - @required - $bucket - - @httpLabel - @required - $key - - @httpHeader("Content-Metadata") - $metadata - - @required - @httpPayload - $body - - @httpHeader("ClientID") - @required - @notProperty - clientID: String - } - - output := for Object { - @required - $bucket - - @required - $key - - @required - $metadata - } -} - -@readonly -@http(method: "GET", uri: "/object/{bucket}/{key}") -operation GetObject { - input := for Object { - @httpLabel - @required - $bucket - - @httpLabel - @required - $key - - /// Should probably be renamed to be EC specific - @httpHeader("Content-Metadata") - $metadata - - @httpHeader("ClientID") - @required - @notProperty - clientID: String - } - - output := for Object { - @httpHeader("Content-Metadata") - @required - $metadata - - @required - @httpPayload - $body - } -} - -/// Smithy does not know how to serialize a map -list ObjectMetadata { - member: String -} - -/// Seems like Streaming is broken in Java. -///@streaming -blob StreamingBlob From e1dfa857d3d519f362739fad062dd0a3874c59f3 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 11:03:26 -0700 Subject: [PATCH 06/11] ignore bin --- test-server/java-v3-server/.gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 test-server/java-v3-server/.gitignore diff --git a/test-server/java-v3-server/.gitignore b/test-server/java-v3-server/.gitignore new file mode 100644 index 00000000..e660fd93 --- /dev/null +++ b/test-server/java-v3-server/.gitignore @@ -0,0 +1 @@ +bin/ From 7d3addb30f195ec606777453af04d21fcf3233e3 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 11:10:35 -0700 Subject: [PATCH 07/11] Latest things --- test-server/cpp-v2-server/.duvet/config.toml | 4 ++++ test-server/go-v3-server/.duvet/config.toml | 4 ++++ test-server/java-v3-server/.duvet/config.toml | 4 ++++ test-server/net-v2-v3-server/.duvet/config.toml | 4 ++++ test-server/php-v2-server/.duvet/config.toml | 4 ++++ test-server/php-v3-server/.duvet/config.toml | 4 ++++ test-server/python-v3-server/.duvet/config.toml | 4 ++++ test-server/ruby-v2-server/.duvet/config.toml | 4 ++++ test-server/ruby-v3-server/.duvet/config.toml | 4 ++++ test-server/specification | 2 +- 10 files changed, 37 insertions(+), 1 deletion(-) diff --git a/test-server/cpp-v2-server/.duvet/config.toml b/test-server/cpp-v2-server/.duvet/config.toml index 6afdb7a4..88bb7213 100644 --- a/test-server/cpp-v2-server/.duvet/config.toml +++ b/test-server/cpp-v2-server/.duvet/config.toml @@ -11,6 +11,10 @@ pattern = "aws-sdk-cpp/src/aws-cpp-sdk-s3-encryption/**/*.h" source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/go-v3-server/.duvet/config.toml b/test-server/go-v3-server/.duvet/config.toml index cfb23be5..4729a668 100644 --- a/test-server/go-v3-server/.duvet/config.toml +++ b/test-server/go-v3-server/.duvet/config.toml @@ -8,6 +8,10 @@ pattern = "**/*.go" source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/java-v3-server/.duvet/config.toml b/test-server/java-v3-server/.duvet/config.toml index 28392e9c..b38762ab 100644 --- a/test-server/java-v3-server/.duvet/config.toml +++ b/test-server/java-v3-server/.duvet/config.toml @@ -8,6 +8,10 @@ pattern = "**/*.java" source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/net-v2-v3-server/.duvet/config.toml b/test-server/net-v2-v3-server/.duvet/config.toml index bb3f4cfd..04d2e812 100644 --- a/test-server/net-v2-v3-server/.duvet/config.toml +++ b/test-server/net-v2-v3-server/.duvet/config.toml @@ -8,6 +8,10 @@ pattern = "**/*.cs" source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/php-v2-server/.duvet/config.toml b/test-server/php-v2-server/.duvet/config.toml index 5076f582..64b00927 100644 --- a/test-server/php-v2-server/.duvet/config.toml +++ b/test-server/php-v2-server/.duvet/config.toml @@ -11,6 +11,10 @@ pattern = "local-php-sdk/src/Crypto/**/*.php" source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/php-v3-server/.duvet/config.toml b/test-server/php-v3-server/.duvet/config.toml index 5076f582..64b00927 100644 --- a/test-server/php-v3-server/.duvet/config.toml +++ b/test-server/php-v3-server/.duvet/config.toml @@ -11,6 +11,10 @@ pattern = "local-php-sdk/src/Crypto/**/*.php" source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/python-v3-server/.duvet/config.toml b/test-server/python-v3-server/.duvet/config.toml index 2523bc1b..09dbe6d3 100644 --- a/test-server/python-v3-server/.duvet/config.toml +++ b/test-server/python-v3-server/.duvet/config.toml @@ -9,6 +9,10 @@ comment-style = { meta = "##=", content = "##%" } source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/ruby-v2-server/.duvet/config.toml b/test-server/ruby-v2-server/.duvet/config.toml index 3c0ac627..7118cd70 100644 --- a/test-server/ruby-v2-server/.duvet/config.toml +++ b/test-server/ruby-v2-server/.duvet/config.toml @@ -9,6 +9,10 @@ comment-style = { meta = "##=", content = "##%" } source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/ruby-v3-server/.duvet/config.toml b/test-server/ruby-v3-server/.duvet/config.toml index 3c0ac627..7118cd70 100644 --- a/test-server/ruby-v3-server/.duvet/config.toml +++ b/test-server/ruby-v3-server/.duvet/config.toml @@ -9,6 +9,10 @@ comment-style = { meta = "##=", content = "##%" } source = "../specification/s3-encryption/data-format/content-metadata.md" [[specification]] source = "../specification/s3-encryption/data-format/metadata-strategy.md" +[[specification]] +source = "../specification/s3-encryption/encryption.md" +[[specification]] +source = "../specification/s3-encryption/key-derivation.md" [report.html] enabled = true diff --git a/test-server/specification b/test-server/specification index e82ef6b9..c534aee8 160000 --- a/test-server/specification +++ b/test-server/specification @@ -1 +1 @@ -Subproject commit e82ef6b9c29a550f89b76cd790381743b8c07ad5 +Subproject commit c534aee8c2d34c462dfac6ab21ae59467dcedd68 From f3d4b5bb8f88c826461c5aec05a9a51b45555679 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 11:16:22 -0700 Subject: [PATCH 08/11] adding duvet instructions --- test-server/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/test-server/README.md b/test-server/README.md index 4f43f1bf..b3a8f101 100644 --- a/test-server/README.md +++ b/test-server/README.md @@ -62,3 +62,21 @@ Performance optimizations have been implemented to speed up the test-server CI p - JVM optimizations For detailed information about the optimizations, see [OPTIMIZATION.md](./OPTIMIZATION.md). + +### Duvet + +To check duvet you need to install Rust. +Then run `cargo install duvet`. + +Inside each test server directory there is a `.duvet` directory that contains a `config.toml`. +This is the best way to configure `duvet`. + +You can adjust the source pattern or comment style as needed. +Examples: + +- `ruby-v2-server/.duvet/config.toml` +- `php-v2-server/.duvet/config.toml` + +There are Makefile targets, +but you can just run `make duvet` or `duvet report` inside a server directory to run the report. +To view the report `make view-report-mac` or `open .duvet/reports/report.html` From 881b20d28951e4db00a28021714661d6992e43fc Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 11:40:32 -0700 Subject: [PATCH 09/11] updates --- .github/workflows/duvet.yml | 10 ++++++++-- test-server/README.md | 8 +++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/duvet.yml b/.github/workflows/duvet.yml index 03247470..9f6befd4 100644 --- a/.github/workflows/duvet.yml +++ b/.github/workflows/duvet.yml @@ -23,8 +23,14 @@ jobs: with: toolchain: stable - - name: Install Rust package - run: cargo install duvet + - name: Clone duvet repository + run: git clone https://github.com/awslabs/duvet.git /tmp/duvet + + - name: Build duvet assets + run: cd /tmp/duvet && cargo xtask build + + - name: Install duvet + run: cd /tmp/duvet && cargo install --path . - name: Run duvet if: always() diff --git a/test-server/README.md b/test-server/README.md index b3a8f101..ca4d9731 100644 --- a/test-server/README.md +++ b/test-server/README.md @@ -66,7 +66,13 @@ For detailed information about the optimizations, see [OPTIMIZATION.md](./OPTIMI ### Duvet To check duvet you need to install Rust. -Then run `cargo install duvet`. +Until the latest version of Duvet is release + +```bash + git clone https://github.com/awslabs/duvet.git /tmp/duvet + cd /tmp/duvet && cargo xtask build + cargo install --path . +``` Inside each test server directory there is a `.duvet` directory that contains a `config.toml`. This is the best way to configure `duvet`. From afd449ea099a1086e8e9e95f96f8552be807a0d4 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 11:53:14 -0700 Subject: [PATCH 10/11] instructions --- .github/workflows/duvet.yml | 2 +- test-server/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/duvet.yml b/.github/workflows/duvet.yml index 9f6befd4..679fba4b 100644 --- a/.github/workflows/duvet.yml +++ b/.github/workflows/duvet.yml @@ -30,7 +30,7 @@ jobs: run: cd /tmp/duvet && cargo xtask build - name: Install duvet - run: cd /tmp/duvet && cargo install --path . + run: cd /tmp/duvet && cargo install --path ./duvet - name: Run duvet if: always() diff --git a/test-server/README.md b/test-server/README.md index ca4d9731..fcdd7cdb 100644 --- a/test-server/README.md +++ b/test-server/README.md @@ -71,7 +71,7 @@ Until the latest version of Duvet is release ```bash git clone https://github.com/awslabs/duvet.git /tmp/duvet cd /tmp/duvet && cargo xtask build - cargo install --path . + cargo install --path ./duvet ``` Inside each test server directory there is a `.duvet` directory that contains a `config.toml`. From dafb98af5626484f20ddf9b1fa2e85367bcc5e95 Mon Sep 17 00:00:00 2001 From: Ryan Emery Date: Tue, 30 Sep 2025 12:02:35 -0700 Subject: [PATCH 11/11] Nice update --- .github/workflows/duvet.yml | 10 +++++----- test-server/README.md | 4 +++- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/duvet.yml b/.github/workflows/duvet.yml index 679fba4b..5727c38e 100644 --- a/.github/workflows/duvet.yml +++ b/.github/workflows/duvet.yml @@ -26,11 +26,11 @@ jobs: - name: Clone duvet repository run: git clone https://github.com/awslabs/duvet.git /tmp/duvet - - name: Build duvet assets - run: cd /tmp/duvet && cargo xtask build - - - name: Install duvet - run: cd /tmp/duvet && cargo install --path ./duvet + - name: Build and install duvet + run: | + cd /tmp/duvet + cargo xtask build + cargo install --path ./duvet - name: Run duvet if: always() diff --git a/test-server/README.md b/test-server/README.md index fcdd7cdb..818e8ded 100644 --- a/test-server/README.md +++ b/test-server/README.md @@ -70,8 +70,10 @@ Until the latest version of Duvet is release ```bash git clone https://github.com/awslabs/duvet.git /tmp/duvet - cd /tmp/duvet && cargo xtask build + pushd /tmp/duvet + cargo xtask build cargo install --path ./duvet + popd rm -rf /tmp/duvet ``` Inside each test server directory there is a `.duvet` directory that contains a `config.toml`.