aws · josecorella · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -5,8 +5,8 @@ on:
     # Optional inputs that can be provided when calling this workflow
     inputs:
       python-version:
-        description: 'Python version to use'
-        default: '3.11'
+        description: "Python version to use"
+        default: "3.11"
         required: false
         type: string
 
@@ -16,7 +16,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
@@ -32,7 +32,7 @@ jobs:
           repository: awslabs/aws-sdk-cpp-staging
           ref: fire-egg-dev
           path: test-server/cpp-v2-transition-server/aws-sdk-cpp/
-      
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -41,23 +41,28 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.4'
-      
+          ruby-version: "3.4"
+
       - name: Set up PHP with Composer
         uses: shivammathur/setup-php@verbose
         with:
-          php-version: '8.1'
-      
+          php-version: "8.1"
+
       - name: Install PHP V2 dependencies
         working-directory: ./test-server/php-v2-server
         shell: bash
         run: composer install
 
+      - name: Install PHP V2 Transition dependencies
+        working-directory: ./test-server/php-v2-transition-server
+        shell: bash
+        run: composer install
+
       - name: Install PHP V3 dependencies
         working-directory: ./test-server/php-v3-server
         shell: bash
         run: composer install
-      
+
       - name: Install Go
         uses: actions/setup-go@v5
         with:
@@ -71,10 +76,10 @@ jobs:
           key: ${{ runner.os }}-uv-${{ hashFiles('**/pyproject.toml') }}
           restore-keys: |
             ${{ runner.os }}-uv-
-          
+
       - name: Install Uv
         run: pip install uv
-      
+
       # Cache Gradle dependencies and build outputs
       - name: Cache Gradle packages
         uses: actions/cache@v4
@@ -87,25 +92,25 @@ jobs:
           key: ${{ runner.os }}-gradle-${{ hashFiles('test-server/java-v3-server/**/*.gradle*', 'test-server/java-tests/**/gradle-wrapper.properties', 'test-server/java-tests/**/*.gradle*', 'test-server/java-v3-server/**/gradle-wrapper.properties') }}
           restore-keys: |
             ${{ runner.os }}-gradle-
-          
+
       - name: Install dependencies
         run: make install
-        
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::370957321024:role/S3EC-Python-Github-test-role
           aws-region: us-west-2
-          
+
       - name: Run unit tests
         run: make test-unit
-        
+
       - name: Run integration tests
         run: make test-integration
         env:
           CI_S3_BUCKET: ${{ vars.CI_S3_BUCKET }}
           CI_KMS_KEY_ALIAS: ${{ vars.CI_KMS_KEY_ALIAS }}
-          
+
       - name: Run test-server tests
         run: cd test-server && make ci
         env:

diff --git a/.gitmodules b/.gitmodules
@@ -7,7 +7,7 @@
 [submodule "test-server/php-v2-server/local-php-sdk"]
 	path = test-server/php-v2-server/local-php-sdk
 	url = git@github.com:aws/private-aws-sdk-php-staging.git
-	branch = s3ec/transitional
+	branch = master
 [submodule "test-server/php-v3-server/local-php-sdk"]
 	path = test-server/php-v3-server/local-php-sdk
 	url = git@github.com:aws/private-aws-sdk-php-staging.git
@@ -24,3 +24,7 @@
 	path = test-server/specification
 	url = git@github.com:awslabs/private-aws-encryption-sdk-specification-staging.git
 	branch = fire-egg-staging
+[submodule "test-server/php-v2-transition-server/local-php-sdk"]
+	path = test-server/php-v2-transition-server/local-php-sdk
+	url = git@github.com:aws/private-aws-sdk-php-staging.git
+	branch = s3ec/transitional
diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java
@@ -75,7 +75,7 @@ public class TestUtils {
 
     // Sets of unsupported features by language
     public static final Set<String> ENCRYPTION_CONTEXT_ON_DECRYPT_UNSUPPORTED =
-        Set.of(GO_V3_CURRENT, PHP_V2_CURRENT, PHP_V3, NET_V2_CURRENT, NET_V3);
+        Set.of(GO_V3_CURRENT, PHP_V2_CURRENT, PHP_V2_TRANSITION, PHP_V3, NET_V2_CURRENT, NET_V3);
 
     public static final Set<String> ENCRYPTION_CONTEXT_ON_ENCRYPT_UNSUPPORTED =
         Set.of(NET_V2_CURRENT, NET_V3);
@@ -131,7 +131,7 @@ public class TestUtils {
         // servers.put(NET_V2_TRANSITION, new LanguageServerTarget(NET_V2_TRANSITION, "8096"));
         servers.put(CPP_V2_TRANSITION, new LanguageServerTarget(CPP_V2_TRANSITION, "8097"));
         // servers.put(RUBY_V2_TRANSITION, new LanguageServerTarget(RUBY_V2_TRANSITION, "8098"));
-        // servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099"));
+        servers.put(PHP_V2_TRANSITION, new LanguageServerTarget(PHP_V2_TRANSITION, "8099"));
         servers.put(JAVA_V4, new LanguageServerTarget(JAVA_V4, "8090"));
         serverMap = filterServers(servers);
     }

diff --git a/test-server/php-v2-transition-server/.duvet/.gitignore b/test-server/php-v2-transition-server/.duvet/.gitignore
@@ -0,0 +1,3 @@
+reports/
+requirements/
+specification/
diff --git a/test-server/php-v2-transition-server/.duvet/config.toml b/test-server/php-v2-transition-server/.duvet/config.toml
@@ -0,0 +1,24 @@
+'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json"
+
+[[source]]
+pattern = "local-php-sdk/src/S3/**/*.php"
+
+[[source]]
+pattern = "local-php-sdk/src/Crypto/**/*.php"
+
+# Include required specifications here
+[[specification]]
+source = "../specification/s3-encryption/data-format/content-metadata.md"
+[[specification]]
+source = "../specification/s3-encryption/data-format/metadata-strategy.md"
+[[specification]]
+source = "../specification/s3-encryption/encryption.md"
+[[specification]]
+source = "../specification/s3-encryption/key-derivation.md"
+
+[report.html]
+enabled = true
+
+# Enable snapshots to prevent requirement coverage regressions
+[report.snapshot]
+enabled = false
diff --git a/test-server/php-v2-transition-server/.gitignore b/test-server/php-v2-transition-server/.gitignore
@@ -0,0 +1,4 @@
+vendor/*
+cookies.txt
+server.pid
+composer.lock
diff --git a/test-server/php-v2-transition-server/Makefile b/test-server/php-v2-transition-server/Makefile
@@ -0,0 +1,30 @@
+# Makefile for S3 Encryption Client Testing
+
+.PHONY: start-server stop-server wait-for-server
+
+PID_FILE := server.pid
+PORT := 8099
+
+start-server:
+	@echo "Starting PHP V2 server..."
+	AWS_ACCESS_KEY_ID="$$AWS_ACCESS_KEY_ID" \
+	AWS_SECRET_ACCESS_KEY="$$AWS_SECRET_ACCESS_KEY" \
+	AWS_SESSION_TOKEN="$$AWS_SESSION_TOKEN" \
+	AWS_REGION="us-west-2" \
+	composer run start & echo $$! > $(PID_FILE)
+	@echo "PHP V2 server starting..."
+
+stop-server:
+	@if [ -f $(PID_FILE) ]; then \
+		kill $$(cat $(PID_FILE)) 2>/dev/null || true; \
+		rm $(PID_FILE); \
+	fi
+
+wait-for-server:
+	$(MAKE) -C .. wait-for-port PORT=$(PORT)
+
+duvet:
+	duvet report
+
+view-report-mac:
+	open .duvet/reports/report.html
diff --git a/test-server/php-v2-transition-server/composer.json b/test-server/php-v2-transition-server/composer.json
@@ -0,0 +1,36 @@
+{
+    "name": "aws/s3ec-php-v2-transition-test-server",
+    "description": "PHP V2 Transition implementation of the S3EC Test Server framework",
+    "type": "project",
+    "license": "Apache-2.0",
+    "repositories": [
+        {
+            "type": "path",
+            "url": "./local-php-sdk",
+            "options": {
+                "symlink": true
+            }
+        }
+    ],
+    "require": {
+        "php": ">=7.4",
+        "aws/aws-sdk-php": "@dev",
+        "ramsey/uuid": "^4.9"
+    },
+    "autoload": {
+        "psr-4": {
+            "S3EC\\PhpV2Server\\": "src/"
+        }
+    },
+    "scripts": {
+        "start": [
+            "php -S 0.0.0.0:8099 src/index.php"
+        ]
+    },
+    "config": {
+        "optimize-autoloader": true,
+        "platform": {
+            "php": "8.1"
+        }
+    }
+}
diff --git a/test-server/php-v2-transition-server/local-php-sdk b/test-server/php-v2-transition-server/local-php-sdk
diff --git a/test-server/php-v2-transition-server/src/client.php b/test-server/php-v2-transition-server/src/client.php
@@ -0,0 +1,68 @@
+<?php
+
+require_once __DIR__ . '/errors.php';
+
+use Ramsey\Uuid\Uuid;
+
+function handleCreateClient()
+{
+    // Get the raw request body
+    $rawBody = file_get_contents('php://input');
+
+    // Parse JSON if the body contains JSON
+    $requestData = json_decode($rawBody, true);
+    if (json_last_error() !== JSON_ERROR_NONE) {
+        return GenericServerError("Invalid JSON in request body", 400);
+    }
+    $configData = $requestData['config'] ?? [];
+    $keyMaterial = $configData["keyMaterial"] ?? null;
+    $legacyAlgorithms = $configData["enableLegacyWrappingAlgorithms"] ?? false;
+    $clientId = Uuid::uuid4()->toString();
+    $kmsKeyId = $keyMaterial["kmsKeyId"] ?? null;
+
+    if ($configData == []) {
+        return GenericServerError("Invalid config in request body", 400);
+    }
+    if (($keyMaterial || $kmsKeyId) === null) {
+        return GenericServerError("Invalid keyMaterial in config", 400);
+    }
+
+    // Store client configuration instead of objects (AWS objects can't be serialized)
+    $_SESSION['s3ecCache'][$clientId] = [
+        's3Config' => [
+            'region' => 'us-west-2',
+            'version' => 'latest',
+            'http' => [
+                'debug' => false,
+                'verify' => true,
+                'curl' => [
+                    CURLOPT_VERBOSE => false,
+                    CURLOPT_NOPROGRESS => true
+                ]
+            ]
+        ],
+        'kmsConfig' => [
+            'region' => 'us-west-2',
+            'version' => 'latest',
+            'http' => [
+                'debug' => false,
+                'verify' => true,
+                'curl' => [
+                    CURLOPT_VERBOSE => false,
+                    CURLOPT_NOPROGRESS => true
+                ]
+            ]
+        ],
+        'kmsKeyId' => $kmsKeyId,
+        'legacy' => $legacyAlgorithms,
+        'created' => time()
+    ];
+
+    // Auto-update cookies.txt with current session ID so tests can access cached clients
+    writeSessionIdToCookiesFile(session_id());
+
+    header("Content-Type: application/json");
+    return json_encode([
+        'clientId' => $clientId,
+    ]);
+}
diff --git a/test-server/php-v2-transition-server/src/errors.php b/test-server/php-v2-transition-server/src/errors.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * Used for "internal" errors, e.g. problems with the test server itself
+ * Tests MUST NOT expect this error in negative tests.
+ * 
+ * @param string $message The error message to include in the response
+ * @param int $code The error code to set in the response
+ * @return string JSON-encoded error response
+ */
+function GenericServerError($message, $code = 500)
+{
+    http_response_code(500);
+    header('Content-Type: application/json');
+
+    $errorResponse = [
+        'error' => 'GenericServerError',
+        'message' => $message
+    ];
+
+    return json_encode($errorResponse);
+}
+
+/**
+ * Used for modeled errors, e.g. errors thrown by the S3EC
+ * Tests SHOULD expect this error in negative tests.
+ * 
+ * @param string $message The error message to include in the response
+ * @return string JSON-encoded error response
+ */
+function S3EncryptionClientError($message)
+{
+    http_response_code(500);
+    header('Content-Type: application/json');
+
+    $errorResponse = [
+        "__type" => "software.amazon.encryption.s3#S3EncryptionClientError",
+        'message' => $message
+    ];
+
+    return json_encode($errorResponse);
+}