chore: proper duvet exceptions

.github/workflows/duvet.yml

@@ -19,15 +19,6 @@ jobs:
           submodules: true
           token: ${{ secrets.PAT_FOR_PRIVATE_RUBY }}
 
-      - name: Checkout CPP code for cpp-v2-transition
-        uses: actions/checkout@v5
-        with:
-          submodules: recursive
-          token: ${{ secrets.PAT_FOR_CPP }}
-          repository: awslabs/aws-sdk-cpp-staging
-          ref: fire-egg-dev
-          path: test-server/cpp-v2-transition-server/aws-sdk-cpp/
-
       - name: Checkout CPP code cpp-v3
         uses: actions/checkout@v5
         with:

test-server/cpp-v2-server/Makefile

@@ -29,6 +29,3 @@ stop-server:
 
 wait-for-server:
 	$(MAKE) -C .. wait-for-port PORT=$(PORT)
-
-view-report-mac:
-	open .duvet/reports/report.html

test-server/cpp-v2-transition-server/Makefile

@@ -27,9 +27,3 @@ stop-server:
 
 wait-for-server:
 	$(MAKE) -C .. wait-for-port PORT=$(PORT)
-
-duvet:
-	duvet report
-
-view-report-mac:
-	open .duvet/reports/report.html

test-server/cpp-v3-server/.duvet/config.toml

@@ -12,6 +12,12 @@ pattern = "aws-sdk-cpp/src/aws-cpp-sdk-core/include/aws/core/utils/crypto/*.h"
 [[source]]
 pattern = "aws-sdk-cpp/src/aws-cpp-sdk-core/include/aws/core/utils/crypto/*.cpp"
 
+[[source]]
+pattern = "aws-sdk-cpp/tests/aws-cpp-sdk-s3-encryption-tests/*.cpp"
+
+[[source]]
+pattern = "aws-sdk-cpp/tests/aws-cpp-sdk-s3-encryption-integration-tests/*.cpp"
+
 [[source]]
 pattern = "compliance.txt"
 

test-server/cpp-v3-server/compliance.txt

@@ -1,25 +1,106 @@
-We're not doing double encoding yet
-
+** We're not doing double encoding yet
 //= ../specification/s3-encryption/data-format/metadata-strategy.md#object-metadata
 //= type=exception
 //# The S3EC SHOULD support decoding the S3 Server's "double encoding".
 
+//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
+//= type=exception
+//# This material description string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server.
 
+//= ../specification/s3-encryption/data-format/content-metadata.md#v3-only
+//= type=exception
+//# This encryption context string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server.
 
-Yes, this is how we do prefixes. 
 
-//= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
+** The C++ S3EC does not support key rings nor cmms
+//= ../specification/s3-encryption/client.md#cryptographic-materials
 //= type=exception
-//# The "x-amz-meta-" prefix is automatically added by the S3 server and MUST NOT be included in implementation code.
+//# The S3EC MUST accept either one CMM or one Keyring instance upon initialization.
+//# If both a CMM and a Keyring are provided, the S3EC MUST throw an exception.
+//# When a Keyring is provided, the S3EC MUST create an instance of the DefaultCMM using the provided Keyring.
+
+
+** The C++ S3EC does not support Delayed Authentication buffer size configuration
+//= ../specification/s3-encryption/client.md#set-buffer-size
+//= type=exception
+//# The S3EC SHOULD accept a configurable buffer size which refers to the maximum ciphertext length in bytes to store in memory when Delayed Authentication mode is disabled.
+//# If Delayed Authentication mode is enabled, and the buffer size has been set to a value other than its default, the S3EC MUST throw an exception.
+//# If Delayed Authentication mode is disabled, and no buffer size is provided, the S3EC MUST set the buffer size to a reasonable default.
+
 
+** In the C++ S3EC, there is no connection between the S3 client and any potential KMS clients
+//= ../specification/s3-encryption/client.md#inherited-sdk-configuration
+//= type=exception
+//# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
+
+
+** In the C++ S3EC, the encryption algorithm is uniquely determined by the client version and the CommitmentPolicy
+
+//= ../specification/s3-encryption/client.md#encryption-algorithm
+//= type=exception
+//# The S3EC MUST support configuration of the encryption algorithm (or algorithm suite) during its initialization.
+//# The S3EC MUST validate that the configured encryption algorithm is not legacy.
+//# If the configured encryption algorithm is legacy, then the S3EC MUST throw an exception.
+
+//= ../specification/s3-encryption/client.md#key-commitment
+//= type=exception
+//# The S3EC MUST validate the configured Encryption Algorithm against the provided key commitment policy.
+//# If the configured Encryption Algorithm is incompatible with the key commitment policy, then it MUST throw an exception.
+
+
+** The C++ S3EC does not accept a source of randomness during client initialization
+//= ../specification/s3-encryption/client.md#randomness
+//= type=exception
+//# The S3EC MAY accept a source of randomness during client initialization.
+
+
+** This is silly, and I don't want to do it 
+//= ../specification/s3-encryption/encryption.md#cipher-initialization
+//= type=exception
+//# The client SHOULD validate that the generated IV or Message ID is not zeros.
+
+** The C++ S3EC does not support custom materials.
+** The built in Raw Keyring always has an empty Materials Description
+** Therefore "x-amz-m" will never be written.
 //= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
 //= type=exception
-//# The "x-amz-" prefix denotes that the metadata is owned by an Amazon product and MUST be prepended to all S3EC metadata mapkeys.
+//# - The mapkey "x-amz-m" SHOULD be present for V3 format objects that use Raw Keyring Material Description.
 
 
+** The C++ S3EC only implements GetObject and PutObject **
 
-We do not support  a custom Instruction File suffix under any circumstances.
+//= ../specification/s3-encryption/client.md#aws-sdk-compatibility
+//= type=exception
+//# The S3EC MUST adhere to the same interface for API operations as the conventional AWS SDK S3 client.
+
+//= ../specification/s3-encryption/client.md#aws-sdk-compatibility
+//= type=exception
+//# The S3EC SHOULD support invoking operations unrelated to client-side encryption e.g.
+
+//= ../specification/s3-encryption/client.md#required-api-operations
+//= type=exception
+//# - DeleteObject MUST be implemented by the S3EC.
+//# - DeleteObject MUST delete the given object key.
+//# - DeleteObject MUST delete the associated instruction file using the default instruction file suffix.
+//# - DeleteObjects MUST be implemented by the S3EC.
+//# - DeleteObjects MUST delete each of the given objects.
+//# - DeleteObjects MUST delete each of the corresponding instruction files using the default instruction file suffix.
+
+//= ../specification/s3-encryption/client.md#optional-api-operations
+//= type=exception
+//# - CreateMultipartUpload MAY be implemented by the S3EC.
+//# - If implemented, CreateMultipartUpload MUST initiate a multipart upload.
+//# - UploadPart MAY be implemented by the S3EC.
+//# - UploadPart MUST encrypt each part.
+//# - Each part MUST be encrypted in sequence.
+//# - Each part MUST be encrypted using the same cipher instance for each part.
+//# - CompleteMultipartUpload MAY be implemented by the S3EC.
+//# - CompleteMultipartUpload MUST complete the multipart upload.
+//# - AbortMultipartUpload MAY be implemented by the S3EC.
+//# - AbortMultipartUpload MUST abort the multipart upload.
 
-//= ../specification/s3-encryption/data-format/metadata-strategy.md#instruction-file
+//= ../specification/s3-encryption/client.md#optional-api-operations
 //= type=exception
-//# The S3EC MUST NOT support providing a custom Instruction File suffix on ordinary writes; custom suffixes MUST only be used during re-encryption.
+//# - ReEncryptInstructionFile MAY be implemented by the S3EC.
+//# - ReEncryptInstructionFile MUST decrypt the instruction file's encrypted data key for the given object using the client's CMM.
+//# - ReEncryptInstructionFile MUST re-encrypt the plaintext data key with a provided keyring.