chore: bring in latest main changes

Author: josecorella

AwsCryptographicMaterialProviders/dafny/AwsCryptographicMaterialProviders/src/Keyrings/AwsKms/AwsKmsKeyring.dfy

@@ -457,60 +457,60 @@ module AwsKmsKeyring {
           && AlgorithmSuites.GetEncryptKeyLength(input.materials.algorithmSuite) as nat == |res.value.materials.plaintextDataKey.value|
           && var LastDecrypt := Last(client.History.Decrypt);
           && LastDecrypt.output.Success?
-          && (
-               exists edk
-                 // , returnedEncryptionAlgorithm
-                 | edk in input.encryptedDataKeys
-                 ::
-                   //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                   //= type=implication
-                   //# - Its provider ID MUST exactly match the value “aws-kms”.
-                   && var maybeWrappedMaterial :=
-                     EdkWrapping.GetProviderWrappedMaterial(edk.ciphertext, input.materials.algorithmSuite);
-                   && maybeWrappedMaterial.Success?
-                   && edk.keyProviderId == PROVIDER_ID
-                   && KMS.IsValid_CiphertextType(maybeWrappedMaterial.value)
-                      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                      //= type=implication
-                      //# When calling [AWS KMS Decrypt]
-                      //# (https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html),
-                      //# the keyring MUST call with a request constructed
-                      //# as follows:
-                   && KMS.DecryptRequest(
-                        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                        //= type=implication
-                        //# - `KeyId` MUST be the configured AWS KMS key identifier.
-                        KeyId := Some(awsKmsKey),
-                        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                        //= type=implication
-                        //# - `CiphertextBlob` MUST be the [encrypted data key ciphertext]
-                        //# (../structures.md#ciphertext).
-                        CiphertextBlob := maybeWrappedMaterial.value,
-                        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                        //= type=implication
-                        //# - `EncryptionContext` MUST be the [encryption context]
-                        //# (../structures.md#encryption-context) included in the input
-                        //# [decryption materials](../structures.md#decryption-materials).
-                        EncryptionContext := Some(maybeStringifiedEncCtx.value),
-                        //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                        //= type=implication
-                        //# - `GrantTokens` MUST be this keyring's [grant tokens]
-                        //# (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
-                        GrantTokens := Some(grantTokens),
-                        EncryptionAlgorithm := None
-                      )
-                      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                      //= type=implication
-                      //# To attempt to decrypt a particular [encrypted data key]
-                      //# (../structures.md#encrypted-data-key), OnDecrypt MUST call [AWS KMS
-                      //# Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)
-                      //# with the configured AWS KMS client.
-                      == LastDecrypt.input
-                      //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
-                      //= type=implication
-                      //# - The `KeyId` field in the response MUST equal the configured AWS
-                      //# KMS key identifier.
-                   && LastDecrypt.output.value.KeyId == Some(awsKmsKey)
+          && OkForDecrypt(awsKmsArn, awsKmsKey).Pass?
+          && (exists edk
+                // , returnedEncryptionAlgorithm
+                | edk in input.encryptedDataKeys
+                ::
+                  //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                  //= type=implication
+                  //# - Its provider ID MUST exactly match the value “aws-kms”.
+                  && var maybeWrappedMaterial :=
+                    EdkWrapping.GetProviderWrappedMaterial(edk.ciphertext, input.materials.algorithmSuite);
+                  && maybeWrappedMaterial.Success?
+                  && edk.keyProviderId == PROVIDER_ID
+                  && KMS.IsValid_CiphertextType(maybeWrappedMaterial.value)
+                     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                     //= type=implication
+                     //# When calling [AWS KMS Decrypt]
+                     //# (https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html),
+                     //# the keyring MUST call with a request constructed
+                     //# as follows:
+                  && KMS.DecryptRequest(
+                       //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                       //= type=implication
+                       //# - `KeyId` MUST be the configured AWS KMS key identifier.
+                       KeyId := Some(awsKmsKey),
+                       //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                       //= type=implication
+                       //# - `CiphertextBlob` MUST be the [encrypted data key ciphertext]
+                       //# (../structures.md#ciphertext).
+                       CiphertextBlob := maybeWrappedMaterial.value,
+                       //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                       //= type=implication
+                       //# - `EncryptionContext` MUST be the [encryption context]
+                       //# (../structures.md#encryption-context) included in the input
+                       //# [decryption materials](../structures.md#decryption-materials).
+                       EncryptionContext := Some(maybeStringifiedEncCtx.value),
+                       //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                       //= type=implication
+                       //# - `GrantTokens` MUST be this keyring's [grant tokens]
+                       //# (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
+                       GrantTokens := Some(grantTokens),
+                       EncryptionAlgorithm := None
+                     )
+                     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                     //= type=implication
+                     //# To attempt to decrypt a particular [encrypted data key]
+                     //# (../structures.md#encrypted-data-key), OnDecrypt MUST call [AWS KMS
+                     //# Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)
+                     //# with the configured AWS KMS client.
+                     == LastDecrypt.input
+                     //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
+                     //= type=implication
+                     //# - The `KeyId` field in the response MUST equal the configured AWS
+                     //# KMS key identifier.
+                  && LastDecrypt.output.value.KeyId == Some(awsKmsKey)
              )
              //= aws-encryption-sdk-specification/framework/aws-kms/aws-kms-keyring.md#ondecrypt
              //= type=implication

AwsCryptographicMaterialProviders/runtimes/python/src/aws_cryptographic_material_providers/smithygenerated/aws_cryptography_keystoreadmin/dafny_to_smithy.py

@@ -485,3 +485,11 @@ def aws_cryptography_keystoreadmin_KeyStoreReference(dafny_input):
 
 def aws_cryptography_keystoreadmin_KmsClientReference(dafny_input):
     return dafny_input._impl
+
+
+def aws_cryptography_keystoreadmin_PrimitivesReference(dafny_input):
+    from aws_cryptography_primitives.smithygenerated.aws_cryptography_primitives.client import (
+        AwsCryptographicPrimitives,
+    )
+
+    return AwsCryptographicPrimitives(config=None, dafny_client=dafny_input)

AwsCryptographicMaterialProviders/runtimes/python/src/aws_cryptographic_material_providers/smithygenerated/aws_cryptography_keystoreadmin/smithy_to_dafny.py

@@ -754,3 +754,7 @@ def aws_cryptography_keystoreadmin_KmsClientReference(native_input):
     )
     client.value.impl = native_input
     return client.value
+
+
+def aws_cryptography_keystoreadmin_PrimitivesReference(native_input):
+    return native_input._config.dafnyImplInterface.impl