chore: add .NET release steps (#717)

* chore: add .NET release steps
* add ubuntu and windows

Author: josecorella

.github/workflows/ci_test_net.yml

@@ -36,6 +36,8 @@ jobs:
         dotnet-version: [ '6.0.x' ]
         os: [
           macos-latest,
+          ubuntu-latest,
+          windows-latest
         ]
     runs-on: ${{ matrix.os }}
     permissions:
@@ -45,6 +47,9 @@ jobs:
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
       DOTNET_NOLOGO: 1
     steps:
+      - name: Support longpaths on Git checkout
+        run: |
+          git config --global core.longpaths true
       - uses: actions/checkout@v3
         with:
           submodules: recursive        
@@ -78,12 +83,24 @@ jobs:
           # This works because `node` is installed by default on GHA runners
           CORES=$(node -e 'console.log(os.cpus().length)')
           make transpile_net CORES=$CORES
-      - name: Test ${{ matrix.library }}
+      
+      - name: Test ${{ matrix.library }} net48
+        if: matrix.os == 'windows-latest'
+        working-directory: ./${{ matrix.library }}
+        shell: bash
+        run: |
+            dotnet restore runtimes/net/tests
+            dotnet build runtimes/net/tests
+            make test_net FRAMEWORK=net48
+      
+      - name: Test ${{ matrix.library }} net6.0
         working-directory: ./${{ matrix.library }}
         shell: bash
         run: |
+          dotnet restore runtimes/net/tests
+          dotnet build runtimes/net/tests
           if [ "$RUNNER_OS" == "macOS" ]; then
             make test_net_mac_intel
           else
-            make test_net
+            make test_net FRAMEWORK=net6.0
           fi

.github/workflows/ci_test_vector_net.yml

@@ -55,10 +55,11 @@ jobs:
           # This works because `node` is installed by default on GHA runners
           make transpile_net
 
-      - name: Test TestVectors
+      - name: Test TestVectors on .NET 6.0
         working-directory: ./TestVectors/runtimes/net
         run: |
           cp ../java/decrypt_java.json ../java/decrypt_dotnet.json .	
           dotnet run
           cp ../java/*.json .
-          dotnet run
+          dotnet run --framework net6.0
+

DynamoDbEncryption/codebuild/release-prod.yml

@@ -0,0 +1,38 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      # UNIQUE_ID should be passed in as an environment variable. It is used to tie
+      # the different parts of the asynchronous signing process together
+      - echo "Using unique id for flow $UNIQUE_ID"
+      # Build unsigned source
+      - cd DynamoDbEncryption
+      - make transpile_net
+      - dotnet build runtimes/net /p:Configuration=Release -nowarn:CS0162,CS0168
+      # This step assumes signing has already happened and we just need to retrieve
+      # the signed artifacts
+      - export ASSEMBLY_NAME="AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+      - export BASE=../codebuild/net
+      - python $BASE/retrieve_signed_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/retrieve_signed_assembly.py --target net48 --unique-id $UNIQUE_ID
+  build:
+    commands:
+      - mkdir build
+      - export VERSION=`grep '<Version>' runtimes/net/DynamoDbEncryption.csproj | sed 's/.*<Version>\(.*\)<\/Version>/\1/'`
+      - dotnet pack runtimes/net/DynamoDbEncryption.csproj --no-build /p:Configuration=Release --output build
+      - export API_ACCESS_KEY=$(python $BASE/retrieve_api_access_key.py)
+      - dotnet nuget push build/AWS.Cryptography.DbEncryptionSDK.DynamoDb.$VERSION.nupkg --api-key "$API_ACCESS_KEY" --source https://api.nuget.org/v3/index.json

DynamoDbEncryption/codebuild/release-staging.yml

@@ -0,0 +1,67 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      # UNIQUE_ID should be passed in as an environment variable. It is used to tie
+      # the different parts of the asynchronous signing process together
+      - echo "Using unique id for flow $UNIQUE_ID"
+      # Build unsigned source
+      - cd DynamoDbEncryption
+      - make transpile_net
+      - dotnet build runtimes/net /p:Configuration=Release -nowarn:CS0162,CS0168
+      # This step assumes signing has already happened and we just need to retrieve
+      # the signed artifacts
+      - export ASSEMBLY_NAME="AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+      - export BASE=../codebuild/net
+      - python $BASE/retrieve_signed_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/retrieve_signed_assembly.py --target net48 --unique-id $UNIQUE_ID
+  build:
+    commands:
+      - mkdir build
+      - >-
+        aws codeartifact login \
+          --tool dotnet \
+          --repository dbesdk-net-staging \
+          --domain crypto-tools-internal \
+          --domain-owner 587316601012 \
+          --region us-east-1
+      # Set a unique version for releasing to staging, because this may fail and we don't
+      # want to collide with previous runs
+      - export VERSION=`grep '<Version>' runtimes/net/DynamoDbEncryption.csproj | sed 's/.*<Version>\(.*\)<\/Version>/\1/'`
+      - dotnet pack runtimes/net/DynamoDbEncryption.csproj --no-build /p:Configuration=Release --output build
+      - dotnet nuget push build/AWS.Cryptography.DbEncryptionSDK.DynamoDb.$VERSION.nupkg --source crypto-tools-internal/dbesdk-net-staging
+      # Now validate we can run the tests
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/tests/Test-DynamoDbEncryption.csproj
+      - dotnet add runtimes/net/tests/Test-DynamoDbEncryption.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+
+      # run tests
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      - make test_net FRAMEWORK=net6.0
+
+      # run test vectors
+      - cd ../TestVectors
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/..\/..\/DynamoDbEncryption\/runtimes\/net\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/DbEsdkTestVectors.csproj
+      - dotnet add runtimes/net/DbEsdkTestVectors.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+      - make transpile_net
+      - cd runtimes/net
+      - cp ../java/decrypt_java.json ../java/decrypt_dotnet.json .
+      - dotnet run --framework net6.0

DynamoDbEncryption/codebuild/release.yml

@@ -0,0 +1,39 @@
+version: 0.2
+
+batch:
+  fast-fail: true
+  build-graph:
+    - identifier: sign
+      buildspec: DynamoDbEncryption/codebuild/sign.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+    - identifier: verify
+      buildspec: DynamoDbEncryption/codebuild/verify.yml
+      env:
+        type: WINDOWS_SERVER_2019_CONTAINER
+        image: aws/codebuild/windows-base:2019-2.0
+      depend-on:
+        - sign
+    - identifier: release_staging
+      buildspec: DynamoDbEncryption/codebuild/release-staging.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+      depend-on:
+        - verify
+    - identifier: release_prod
+      buildspec: DynamoDbEncryption/codebuild/release-prod.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+      depend-on:
+        - verify
+        - release_staging
+    - identifier: test_prod
+      buildspec: DynamoDbEncryption/codebuild/test-prod.yml
+      env:
+        type: LINUX_CONTAINER
+        image: aws/codebuild/standard:6.0
+      depend-on:
+        - release_prod

DynamoDbEncryption/codebuild/sign.yml

@@ -0,0 +1,46 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      # UNIQUE_ID should be passed in as an environment variable. It is used to tie
+      # the different parts of the asynchronous signing process together
+      - echo "Using unique id for flow $UNIQUE_ID"
+  build:
+    commands:
+      ## Build Library from Source
+      - cd DynamoDbEncryption
+      - make transpile_net
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      - make test_net FRAMEWORK=net6.0
+
+      ## Unset temp creds so that we get dropped back into the aws codebuild service role
+      - unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; unset AWS_SESSION_TOKEN;
+
+      - dotnet build runtimes/net /p:Configuration=Release -nowarn:CS0162,CS0168
+      - export ASSEMBLY_NAME="AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+      - export BASE=../codebuild/net
+      - python $BASE/upload_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/upload_assembly.py --target net48 --unique-id $UNIQUE_ID
+      ## Retrieve the signed assembly. We're not going to use it, but this
+      ## ensures that the signing process is complete
+      - python $BASE/retrieve_signed_assembly.py --target net6.0 --unique-id $UNIQUE_ID
+      - python $BASE/retrieve_signed_assembly.py --target net48 --unique-id $UNIQUE_ID

DynamoDbEncryption/codebuild/test-prod.yml

@@ -0,0 +1,43 @@
+version: 0.2
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+    commands:
+      - cd ..
+      # Get Dafny
+      #- export `cat ./aws-database-encryption-sdk-dynamodb/project.properties`
+      - curl https://github.com/dafny-lang/dafny/releases/download/v$dafnyVersion/dafny-$dafnyVersion-x64-ubuntu-20.04.zip  -L -o dafny.zip
+      - unzip -qq dafny.zip && rm dafny.zip
+      - export PATH="$PWD/dafny:$PATH"
+      # Switch back to the main directory
+      - cd aws-database-encryption-sdk-dynamodb
+  pre_build:
+    commands:
+      - cd DynamoDbEncryption
+      - make transpile_net
+  build:
+    commands:
+      - export VERSION=`grep '<Version>' runtimes/net/DynamoDbEncryption.csproj | sed 's/.*<Version>\(.*\)<\/Version>/\1/'`
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/tests/Test-DynamoDbEncryption.csproj
+      - dotnet add runtimes/net/tests/Test-DynamoDbEncryption.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+
+        # run tests
+      - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+      - export TMP_ROLE
+      - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+      - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+      - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+      - aws sts get-caller-identity
+      - make test_net FRAMEWORK=net6.0
+
+      # run test vectors
+      - cd ../TestVectors
+      - sed -i.backup  "/\<ProjectReference Include=\"..\/..\/..\/DynamoDbEncryption\/runtimes\/net\/DynamoDbEncryption.csproj\" \/>/d" runtimes/net/DbEsdkTestVectors.csproj
+      - dotnet add runtimes/net/DbEsdkTestVectors.csproj package AWS.Cryptography.DbEncryptionSDK.DynamoDb --version $VERSION
+      - make transpile_net
+      - cd runtimes/net
+      - cp ../java/decrypt_java.json ../java/decrypt_dotnet.json .
+      - dotnet run --framework net6.0

DynamoDbEncryption/codebuild/verify.yml

@@ -0,0 +1,23 @@
+version: 0.2
+
+env:
+  variables:
+    FILE_NAME: "AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+    ASSEMBLY_NAME: "AWS.Cryptography.DbEncryptionSDK.DynamoDb.dll"
+
+phases:
+  install:
+    runtime-versions:
+      dotnet: 6.0
+      python: 3.x
+  build:
+    commands:
+      - mkdir net48
+      - python codebuild/net/retrieve_signed_assembly.py --target net48 --unique-id $Env:UNIQUE_ID --output net48
+      - $sig = Get-AuthenticodeSignature -FilePath net48/$Env:FILE_NAME
+      - $sig | Format-List -Property *
+      # Check signature on net6.0 dll
+      - mkdir net6.0
+      - python codebuild/net/retrieve_signed_assembly.py --target net6.0 --unique-id $Env:UNIQUE_ID --output net6.0
+      - $sig = Get-AuthenticodeSignature -FilePath net6.0/$Env:FILE_NAME
+      - $sig | Format-List -Property *

DynamoDbEncryption/runtimes/java/build.gradle.kts

@@ -138,7 +138,7 @@ publishing {
             pom {
                 name.set("AWS Database Encryption SDK for DynamoDB")
                 description.set("AWS Database Encryption SDK for DynamoDB in Java")
-                url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb-java")
+                url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb")
                 licenses {
                     license {
                         name.set("Apache License 2.0")
@@ -155,7 +155,7 @@ publishing {
                     }
                 }
                 scm {
-                    url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb-java.git")
+                    url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb.git")
                 }
             }
         }

DynamoDbEncryption/runtimes/net/AssemblyInfo.cs

@@ -0,0 +1,7 @@
+using System.Reflection;
+
+[assembly: AssemblyTitle("AWS.Cryptography.DbEncryptionSDK.DynamoDb")]
+
+// This should be kept in sync with the version number in MPL.csproj
+[assembly: AssemblyVersion("3.2.0")]
+

DynamoDbEncryption/runtimes/net/DynamoDbEncryption.csproj

@@ -34,6 +34,7 @@
   <ItemGroup>
     <PackageReference Include="AWSSDK.DynamoDBv2" Version="3.7.300.2"/>
     <PackageReference Include="AWSSDK.Core" Version="3.7.300.2"/>
+    <PackageReference Include="DafnyRuntime" Version="4.2.0" />
     <ProjectReference Include="../../../submodules/MaterialProviders/AwsCryptographicMaterialProviders/runtimes/net/MPL.csproj"/>
     <!--
               System.Collections.Immutable can be removed once dafny.msbuild is updated with

DynamoDbEncryption/runtimes/net/tests/Test-DynamoDbEncryption.csproj

@@ -4,7 +4,7 @@
     <RootNamespace>TEST_AWS Cryptography DynamoDb Encryption</RootNamespace>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>disable</Nullable>
-    <TargetFrameworks>net6.0</TargetFrameworks>
+    <TargetFrameworks>net6.0;net48</TargetFrameworks>
     <LangVersion>10</LangVersion>
     <OutputType>Exe</OutputType>
     <EnableDefaultCompileItems>false</EnableDefaultCompileItems>