cpp-v3 test server

.github/workflows/test.yml

@@ -27,7 +27,7 @@ jobs:
           # ask Ryan to edit this PAT's permissions to add access to a new private repo.
           token: ${{ secrets.PAT_FOR_PRIVATE_RUBY }}
 
-      - name: Checkout CPP code
+      - name: Checkout CPP code for cpp-v2-transition
         uses: actions/checkout@v5
         with:
           submodules: recursive
@@ -36,6 +36,15 @@ jobs:
           ref: fire-egg-dev
           path: test-server/cpp-v2-transition-server/aws-sdk-cpp/
 
+      - name: Checkout CPP code cpp-v3
+        uses: actions/checkout@v5
+        with:
+          submodules: recursive
+          token: ${{ secrets.PAT_FOR_CPP }}
+          repository: awslabs/aws-sdk-cpp-staging
+          ref: fire-egg-dev
+          path: test-server/cpp-v3-server/aws-sdk-cpp/
+
       - name: Checkout .NET V2 code
         uses: actions/checkout@v5
         with:
@@ -94,7 +103,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: ~/.cache/uv
-          key: ${{ runner.os }}-uv-${{ hashFiles('**/pyproject.toml') }}
+          key: ${{ runner.os }}-uv-${{ hashFiles('./test-server/python-v3-server/**/pyproject.toml') }}
           restore-keys: |
             ${{ runner.os }}-uv-
 

test-server/Makefile

@@ -3,10 +3,10 @@
 .PHONY: all start-servers run-tests stop-servers clean ci check-env help
 
 # Default target
-all: start-all-servers run-tests
+all: start-all-servers wait-all-servers run-tests
 
 # CI target for GitHub Actions
-ci: start-all-servers run-tests stop-servers
+ci: start-all-servers wait-all-servers run-tests stop-servers
 
 SERVER_DIRS := $(shell find . -maxdepth 1 -type d -name '*-server' | sed 's|^\./||' | $(if $(FILTER),grep -E "$$(echo '$(FILTER)' | sed 's/,/|/g')",cat) | sort)
 

test-server/cpp-v2-server/.duvet/config.toml

@@ -14,7 +14,12 @@ source = "../specification/s3-encryption/data-format/metadata-strategy.md"
 [[specification]]
 source = "../specification/s3-encryption/encryption.md"
 [[specification]]
+source = "../specification/s3-encryption/decryption.md"
+[[specification]]
 source = "../specification/s3-encryption/key-derivation.md"
+[[specification]]
+source = "../specification/s3-encryption/key-commitment.md"
+
 
 [report.html]
 enabled = true

test-server/cpp-v2-transition-server/.duvet/.gitignore

@@ -0,0 +1,3 @@
+reports/
+requirements/
+specification/

test-server/cpp-v2-transition-server/.duvet/config.toml

@@ -14,7 +14,12 @@ source = "../specification/s3-encryption/data-format/metadata-strategy.md"
 [[specification]]
 source = "../specification/s3-encryption/encryption.md"
 [[specification]]
+source = "../specification/s3-encryption/decryption.md"
+[[specification]]
 source = "../specification/s3-encryption/key-derivation.md"
+[[specification]]
+source = "../specification/s3-encryption/key-commitment.md"
+
 
 [report.html]
 enabled = true

test-server/cpp-v2-transition-server/main.cpp

@@ -50,10 +50,35 @@ std::string make_error(const std::string &message, int status_code) {
          message + "\"}";
 }
 
+bool unsupported(std::string& commitmentPolicy, std::string& encryptionAlgorithm)
+{
+  if (encryptionAlgorithm == "ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY") return true;
+  if (commitmentPolicy == "REQUIRE_ENCRYPT_REQUIRE_DECRYPT") return true;
+  if (commitmentPolicy == "REQUIRE_ENCRYPT_ALLOW_DECRYPT") return true;
+  return false;
+}
+
+std::string get_config(json & request, const char * x)
+{
+  if (!request.contains("config")) return "";
+  auto config = request["config"];
+  if (config.contains(x))
+    return config[x];
+  return "";
+}
+
 MHD_Result handle_create_client(struct MHD_Connection *connection,
                                 const std::string &body) {
   try {
     json request = json::parse(body);
+    std::string commitmentPolicy = get_config(request, "commitmentPolicy");
+    std::string encryptionAlgorithm = get_config(request, "encryptionAlgorithm");
+
+    if (unsupported(commitmentPolicy, encryptionAlgorithm)) {
+      send_response(connection, 404, "{\"error\":\"Unsupported Option.\"}");
+      return MHD_YES;
+    }
+
     std::string kms_key_id = request["config"]["keyMaterial"]["kmsKeyId"];
     bool legacy1 = request["config"]["enableLegacyWrappingAlgorithms"];
     bool legacy2 = request["config"]["enableLegacyUnauthenticatedModes"];

test-server/cpp-v3-server/.duvet/.gitignore

@@ -0,0 +1,3 @@
+reports/
+requirements/
+specification/

test-server/cpp-v3-server/.duvet/config.toml

@@ -0,0 +1,29 @@
+'$schema' = "https://awslabs.github.io/duvet/config/v0.4.0.json"
+
+[[source]]
+pattern = "aws-sdk-cpp/src/aws-cpp-sdk-s3-encryption/**/*.cpp"
+
+[[source]]
+pattern = "aws-sdk-cpp/src/aws-cpp-sdk-s3-encryption/**/*.h"
+
+# Include required specifications here
+[[specification]]
+source = "../specification/s3-encryption/data-format/content-metadata.md"
+[[specification]]
+source = "../specification/s3-encryption/data-format/metadata-strategy.md"
+[[specification]]
+source = "../specification/s3-encryption/encryption.md"
+[[specification]]
+source = "../specification/s3-encryption/decryption.md"
+[[specification]]
+source = "../specification/s3-encryption/key-derivation.md"
+[[specification]]
+source = "../specification/s3-encryption/key-commitment.md"
+
+
+[report.html]
+enabled = true
+
+# Enable snapshots to prevent requirement coverage regressions
+[report.snapshot]
+enabled = false

test-server/cpp-v3-server/CMakeLists.txt

@@ -0,0 +1,39 @@
+cmake_minimum_required(VERSION 3.16)
+project(s3ec-cpp-v2-server)
+
+set(CMAKE_CXX_STANDARD 17)
+
+# Configure AWS SDK build options
+set(BUILD_ONLY "kms;s3;s3-encryption" CACHE STRING "Build only KMS, S3, and S3-encryption components")
+set(ENABLE_TESTING OFF CACHE BOOL "Disable testing")
+set(BUILD_SHARED_LIBS OFF CACHE BOOL "Build static libraries")
+
+# Add AWS SDK as subdirectory
+add_subdirectory(aws-sdk-cpp)
+
+find_package(PkgConfig REQUIRED)
+pkg_check_modules(LIBMICROHTTPD REQUIRED libmicrohttpd)
+
+find_package(nlohmann_json REQUIRED)
+
+add_executable(s3ec-server main.cpp)
+
+target_include_directories(s3ec-server PRIVATE 
+    ${LIBMICROHTTPD_INCLUDE_DIRS}
+    /opt/homebrew/include
+)
+
+target_link_directories(s3ec-server PRIVATE 
+    ${LIBMICROHTTPD_LIBRARY_DIRS}
+    /opt/homebrew/lib
+)
+
+target_link_libraries(s3ec-server 
+    ${LIBMICROHTTPD_LIBRARIES}
+    aws-cpp-sdk-core
+    aws-cpp-sdk-kms
+    aws-cpp-sdk-s3
+    aws-cpp-sdk-s3-encryption
+    nlohmann_json::nlohmann_json
+    uuid
+)

test-server/cpp-v3-server/Makefile

@@ -0,0 +1,35 @@
+# Makefile for S3 Encryption Client Testing
+
+.PHONY: start-server stop-server wait-for-server
+
+PID_FILE := server.pid
+PORT := 8091
+
+build/s3ec-server: 
+	brew install libmicrohttpd nlohmann-json ossp-uuid
+	mkdir -p build && cd build && cmake ..
+
+start-server: | build/s3ec-server
+	@echo "Starting Cpp V2 server..."
+	cd build && make && \
+	AWS_ACCESS_KEY_ID="$$AWS_ACCESS_KEY_ID" \
+	AWS_SECRET_ACCESS_KEY="$$AWS_SECRET_ACCESS_KEY" \
+	AWS_SESSION_TOKEN="$$AWS_SESSION_TOKEN" \
+	AWS_REGION="us-west-2" \
+	./s3ec-server & echo $$! > $(PID_FILE)
+	@echo "Cpp V2 server starting..."
+
+stop-server:
+	@if [ -f $(PID_FILE) ]; then \
+		kill $$(cat $(PID_FILE)) 2>/dev/null || true; \
+		rm $(PID_FILE); \
+	fi
+
+wait-for-server:
+	$(MAKE) -C .. wait-for-port PORT=$(PORT)
+
+duvet:
+	duvet report
+
+view-report-mac:
+	open .duvet/reports/report.html

test-server/cpp-v3-server/README.md

@@ -0,0 +1,37 @@
+# C++ S3 Encryption Test Server
+
+Minimal C++ implementation of the S3 Encryption test server.
+
+## Dependencies
+
+- libmicrohttpd
+- AWS SDK for C++
+- nlohmann/json
+- uuid
+
+On MacOS you can
+```bash
+brew install libmicrohttpd nlohmann-json ossp-uuid
+```
+
+## Build
+
+```bash
+mkdir build && cd build
+cmake ..
+make
+```
+
+## Run
+
+```bash
+./s3ec-server
+```
+
+Server runs on localhost:8085
+
+## API Endpoints
+
+- `POST /client` - Create S3 encryption client
+- `GET /object/{bucket}/{key}` - Get encrypted object  
+- `PUT /object/{bucket}/{key}` - Put encrypted object