chore: add .NET release steps

Author: josecorella

.github/workflows/ci_test_vector_net.yml

@@ -14,7 +14,7 @@ jobs:
         dotnet-version: [ '6.0.x' ]
         os: [
           # Run on ubuntu image that comes pre-configured with docker
-          ubuntu-latest
+          ubuntu-latest, windows-latest, macos-latest
         ]
     runs-on: ${{ matrix.os }}
     permissions:
@@ -55,10 +55,18 @@ jobs:
           # This works because `node` is installed by default on GHA runners
           make transpile_net
 
-      - name: Test TestVectors
+      - name: Test TestVectors on .NET 6.0
         working-directory: ./TestVectors/runtimes/net
         run: |
           cp ../java/decrypt_java.json ../java/decrypt_dotnet.json .	
           dotnet run
           cp ../java/*.json .
-          dotnet run
+          dotnet run --framework net6.0
+      
+      - name: Test TestVectors on .NET 48
+        if: matrix.os == 'windows-latest'
+        working-directory: ./TestVectors/runtimes/net
+        run: |
+          cp ../java/*.json .
+          dotnet run --framework net48
+

DynamoDbEncryption/codebuild/release-prod.yml

@@ -0,0 +1,39 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      ## TODO FIX ME
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      # UNIQUE_ID should be passed in as an environment variable. It is used to tie
+      # the different parts of the asynchronous signing process together
+      - echo "Using unique id for flow $UNIQUE_ID"
+      # Build unsigned source
+      - cd DynamoDbEncryption
+      - make transpile_net
+      - dotnet build runtimes/net /p:Configuration=Release -nowarn:CS0162,CS0168
+      # This step assumes signing has already happened and we just need to retrieve
+      # the signed artifacts
+      - export ASSEMBLY_NAME="AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+      - export BASE=../codebuild/net
+      - python $BASE/retrieve_signed_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/retrieve_signed_assembly.py --target net48 --unique-id $UNIQUE_ID
+  build:
+    commands:
+      - mkdir build
+      - export VERSION=`grep '<Version>' runtimes/net/DynamoDbEncryption.csproj | sed 's/.*<Version>\(.*\)<\/Version>/\1/'`
+      - dotnet pack runtimes/net/DynamoDbEncryption.csproj --no-build /p:Configuration=Release --output build
+      - export API_ACCESS_KEY=$(python $BASE/retrieve_api_access_key.py)
+      - dotnet nuget push build/AWS.Cryptography.DbEncryptionSDK.DynamoDb.$VERSION.nupkg --api-key "$API_ACCESS_KEY" --source https://api.nuget.org/v3/index.json

DynamoDbEncryption/codebuild/release-staging.yml

@@ -0,0 +1,68 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      ## TODO FIX ME
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      # UNIQUE_ID should be passed in as an environment variable. It is used to tie
+      # the different parts of the asynchronous signing process together
+      - echo "Using unique id for flow $UNIQUE_ID"
+      # Build unsigned source
+      - cd DynamoDbEncryption
+      - make transpile_net
+      - dotnet build runtimes/net /p:Configuration=Release -nowarn:CS0162,CS0168
+      # This step assumes signing has already happened and we just need to retrieve
+      # the signed artifacts
+      - export ASSEMBLY_NAME="AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+      - export BASE=../codebuild/net
+      - python $BASE/retrieve_signed_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/retrieve_signed_assembly.py --target net48 --unique-id $UNIQUE_ID
+  build:
+    commands:
+      - mkdir build
+      - >-
+        aws codeartifact login \
+          --tool dotnet \
+          --repository dbesdk-net-staging \
+          --domain crypto-tools-internal \
+          --domain-owner 587316601012 \
+          --region us-east-1
+      # Set a unique version for releasing to staging, because this may fail and we don't
+      # want to collide with previous runs
+      - export VERSION=`grep '<Version>' runtimes/net/DynamoDbEncryption.csproj | sed 's/.*<Version>\(.*\)<\/Version>/\1/'`
+      - dotnet pack runtimes/net/DynamoDbEncryption.csproj --no-build /p:Configuration=Release --output build
+      - dotnet nuget push build/AWS.Cryptography.DbEncryptionSDK.DynamoDb.$VERSION.nupkg --source crypto-tools-internal/dbesdk-net-staging
+      # Now validate we can run the tests
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/tests/Test-DynamoDbEncryption.csproj
+      - dotnet add runtimes/net/tests/Test-DynamoDbEncryption.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+
+      # run tests
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      - make test_net FRAMEWORK=net6.0
+
+      # run test vectors
+      - cd ../TestVectors
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/..\/..\/DynamoDbEncryption\/runtimes\/net\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/DbEsdkTestVectors.csproj
+      - dotnet add runtimes/net/DbEsdkTestVectors.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+      - make transpile_net
+      - cd runtimes/net
+      - cp ../java/decrypt_java.json ../java/decrypt_dotnet.json .
+      - dotnet run --framework net6.0

DynamoDbEncryption/codebuild/release.yml

@@ -0,0 +1,39 @@
+version: 0.2
+
+batch:
+  fast-fail: true
+  build-graph:
+    - identifier: sign
+      buildspec: DynamoDbEncryption/codebuild/sign.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+    - identifier: verify
+      buildspec: DynamoDbEncryption/codebuild/verify.yml
+      env:
+        type: WINDOWS_SERVER_2019_CONTAINER
+        image: aws/codebuild/windows-base:2019-2.0
+      depend-on:
+        - sign
+    - identifier: release_staging
+      buildspec: DynamoDbEncryption/codebuild/release-staging.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+      depend-on:
+        - verify
+    - identifier: release_prod
+      buildspec: DynamoDbEncryption/codebuild/release-prod.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+      depend-on:
+        - verify
+        - release_staging
+    - identifier: test_prod
+      buildspec: DynamoDbEncryption/codebuild/test-prod.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+      depend-on:
+        - release_prod

DynamoDbEncryption/codebuild/sign.yml

@@ -0,0 +1,47 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      ## TODO FIX ME
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      # UNIQUE_ID should be passed in as an environment variable. It is used to tie
+      # the different parts of the asynchronous signing process together
+      - echo "Using unique id for flow $UNIQUE_ID"
+  build:
+    commands:
+      ## Build Library from Source
+      - cd DynamoDbEncryption
+      - make transpile_net
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      - make test_net FRAMEWORK=net6.0
+
+      ## Unset temp creds so that we get dropped back into the aws codebuild service role
+      - unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; unset AWS_SESSION_TOKEN;
+
+      - dotnet build runtimes/net /p:Configuration=Release -nowarn:CS0162,CS0168
+      - export ASSEMBLY_NAME="AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+      - export BASE=../codebuild/net
+      - python $BASE/upload_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/upload_assembly.py --target net48 --unique-id $UNIQUE_ID
+      ## Retrieve the signed assembly. We're not going to use it, but this
+      ## ensures that the signing process is complete
+      - python $BASE/retrieve_signed_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/retrieve_signed_assembly.py --target net48 --unique-id $UNIQUE_ID

DynamoDbEncryption/codebuild/test-prod.yml

@@ -0,0 +1,44 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      ## TODO FIX ME
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      - cd DynamoDbEncryption
+      - make transpile_net
+  build:
+    commands:
+      - export VERSION=`grep '<Version>' runtimes/net/DynamoDbEncryption.csproj | sed 's/.*<Version>\(.*\)<\/Version>/\1/'`
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/tests/Test-DynamoDbEncryption.csproj
+      - dotnet add runtimes/net/tests/Test-DynamoDbEncryption.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+
+        # run tests
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      - make test_net FRAMEWORK=net6.0
+
+      # run test vectors
+      - cd ../TestVectors
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/..\/..\/DynamoDbEncryption\/runtimes\/net\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/DbEsdkTestVectors.csproj
+      - dotnet add runtimes/net/DbEsdkTestVectors.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+      - make transpile_net
+      - cd runtimes/net
+      - cp ../java/decrypt_java.json ../java/decrypt_dotnet.json .
+      - dotnet run --framework net6.0

DynamoDbEncryption/codebuild/verify.yml

@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+  variables:
+    FILE_NAME: "AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+    ASSEMBLY_NAME: "AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+  build:
+    commands:
+      - mkdir net48
+      - python codebuild/net/retrieve_signed_assembly.py --target net48 --unique-id $Env:UNIQUE_ID --output net48
+      - $sig = Get-AuthenticodeSignature -FilePath net48/$Env:FILE_NAME
+      - $sig | Format-List -Property *
+      # Check signature on net6.0 dll
+      - mkdir net6.0
+      - python codebuild/net/retrieve_signed_assembly.py --target net6.0 --unique-id $Env:UNIQUE_ID --output net6.0
+      - $sig = Get-AuthenticodeSignature -FilePath net6.0/$Env:FILE_NAME
+      - $sig | Format-List -Property *

DynamoDbEncryption/runtimes/java/build.gradle.kts

@@ -138,7 +138,7 @@ publishing {
             pom {
                 name.set("AWS Database Encryption SDK for DynamoDB")
                 description.set("AWS Database Encryption SDK for DynamoDB in Java")
-                url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb-java")
+                url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb")
                 licenses {
                     license {
                         name.set("Apache License 2.0")
@@ -155,7 +155,7 @@ publishing {
                     }
                 }
                 scm {
-                    url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb-java.git")
+                    url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb.git")
                 }
             }
         }

DynamoDbEncryption/runtimes/net/AssemblyInfo.cs

@@ -0,0 +1,7 @@
+using System.Reflection;
+
+[assembly: AssemblyTitle("AWS.Cryptography.DbEncryptionSDK.DynamoDb")]
+
+// This should be kept in sync with the version number in MPL.csproj
+[assembly: AssemblyVersion("3.2.0")]
+

codebuild/net/signing_lib.py

@@ -62,7 +62,7 @@ def assume_artifact_access_role():
     creds = sts.assume_role(
         RoleArn=ARTIFACT_ACCESS_ROLE_ARN,
         RoleSessionName="CodeBuildRelease",
-        ExternalId="MPLNetCodeSigning",
+        ExternalId="DbEsdkNetCodeSigning",
     )
 
     return creds

codebuild/release/release-prod.yml

@@ -26,7 +26,7 @@ phases:
       - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
       - unzip -qq gradle.zip && rm gradle.zip
       - export PATH="$PWD/gradle-7.6/bin:$PATH"
-      - cd  aws-database-encryption-sdk-dynamodb-java/
+      - cd  aws-database-encryption-sdk-dynamodb/
   pre_build:
     commands:
       - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-Release --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz

codebuild/release/validate-release.yml

@@ -21,7 +21,7 @@ phases:
       - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
       - unzip -qq gradle.zip && rm gradle.zip
       - export PATH="$PWD/gradle-7.6/bin:$PATH"
-      - cd  aws-database-encryption-sdk-dynamodb-java/
+      - cd  aws-database-encryption-sdk-dynamodb/
   pre_build:
     commands:
       # Get CI Creds to be able to call DBESDK TestVectors

codebuild/staging/release-staging.yml

@@ -28,7 +28,7 @@ phases:
       - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
       - unzip -qq gradle.zip && rm gradle.zip
       - export PATH="$PWD/gradle-7.6/bin:$PATH"
-      - cd  aws-database-encryption-sdk-dynamodb-java/
+      - cd  aws-database-encryption-sdk-dynamodb/
   pre_build:
     commands:
       - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain crypto-tools-internal --domain-owner 587316601012 --region us-east-1 --query authorizationToken --output text)

codebuild/staging/validate-staging.yml

@@ -25,7 +25,7 @@ phases:
       - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
       - unzip -qq gradle.zip && rm gradle.zip
       - export PATH="$PWD/gradle-7.6/bin:$PATH"
-      - cd  aws-database-encryption-sdk-dynamodb-java/
+      - cd  aws-database-encryption-sdk-dynamodb/
   pre_build:
     commands:
       # Get published CA DBESDK jar