active_storage_encryption 0.1.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c79ba1ae2b68a8d4e76c9d02092e426a41ddd414a968a082121cab647c2e239
-  data.tar.gz: ee60709d1843c4a814c52496a4fffcdec44b36bd3a48f18513fb0b56ba4a0c05
+  metadata.gz: 850bd7cbc71749f88f1a8e7c4305de38bfbb7c3641ee75864a34ce9f712af65a
+  data.tar.gz: 2ffa5b8c6abc2038395366138eb6f1d43dd4246f3d728e923a440805b7f53838
 SHA512:
-  metadata.gz: 2d73fa7ea374c47f4fea531791db5962d469c8e1a95e9e7f9b0f64b9904e1b5948fd298b788b2a6c93a2e8beff0d58fde6ba24aa00c3c852b316232780a4ba4e
-  data.tar.gz: 7a2427499a85bec52196dfbdf304193618febcf7c3ceb0eb0944a01452683dbbb2ff2304a716ae3694fb9f55f6683c337b4d19189f67ce034abe8a58e093a0f5
+  metadata.gz: 489bf8dbd01ee254354cf3dbcbedab9743f9f16f5b93c352cb234c8eef4f909c31916eef7187002eac8b0f66d476fd55d44cf31bd8320ea6fa275b36d62cb3b6
+  data.tar.gz: 746b6efed5b2e4819f280f511a1eb66882a257b173c6699b85a10606d1eac0210da92f6020c480e08de5e509a34f4eb7ff50f46c703609e5ed284ecd5cb0f23c

data/.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10

data/.github/workflows/ci.yml

@@ -0,0 +1,75 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  lint:
+    name: "Lint"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Note: Appraisals for Rails 7 and Rails 8 differ in minimum Ruby version: 3.1.0+ vs 3.2.2+
+      # So the version of Ruby to use here is the version that is able to run all Appraisals
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2.2
+          bundler-cache: true
+
+      - name: Lint code for consistent style
+        run: bundle exec standardrb
+
+  test_rails7:
+    name: "Tests (Rails 7)"
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_7.gemfile
+    steps:
+      - name: Install packages
+        run: sudo apt-get update && sudo apt-get install --no-install-recommends -y curl libjemalloc2 sqlite3
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2.2
+          bundler-cache: true
+
+      - name: Run tests
+        env:
+          RAILS_ENV: test
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: bin/rails app:test
+
+  test_rails_8:
+    name: "Tests (Rails 8)"
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_8.gemfile
+    steps:
+      - name: Install packages
+        run: sudo apt-get update && sudo apt-get install --no-install-recommends -y curl libjemalloc2 sqlite3
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2.2
+          bundler-cache: true
+
+      - name: Run tests
+        env:
+          RAILS_ENV: test
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: bin/rails app:test

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/doc/
+/log/*.log
+/pkg/
+/tmp/
+/test/dummy/db/*.sqlite3
+/test/dummy/db/*.sqlite3-*
+/test/dummy/log/*.log
+/test/dummy/storage/
+/test/dummy/tmp/
+
+# The Bundler lockfile should not be cached because its contents is arch-dependent
+Gemfile.lock
+.DS_Store

data/.ruby-version

@@ -0,0 +1 @@
+3.2.2

data/.standard.yml

@@ -0,0 +1 @@
+ruby_version: 3.1

data/Appraisals

@@ -1,7 +1,9 @@
 appraise "rails-7" do
   gem "rails", "< 8.0"
+  gem "stringio"
 end
 
 appraise "rails-8" do
   gem "rails", ">= 8.0"
+  gem "stringio"
 end

data/Gemfile

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in active_storage_encryption.gemspec.
+gemspec
+
+# Start debugger with binding.b [https://github.com/ruby/debug]
+# gem "debug", ">= 1.0.0"

data/README.md

@@ -1,6 +1,4 @@
-## What does this do?
-
-This library will enable the use of per-blob encryption keys with ActiveStorage. It enables file encryption with a separate encryption key generated for every `ActiveStorage::Blob`. It uses [CSEK](https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys) on Google Cloud, [SSE-C](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#specifying-s3-c-encryption) on AWS, and [block_cipher_kit](https://rubygems.org/gems/block_cipher_kit) for files on disk to add a layer of encryption to every uploaded file. Every `Blob` gets its own, random encryption key.
+This library enables use of per-blob encryption keys with ActiveStorage, with a separate encryption key for every `Blob`. To implement encryption, it enables the use of  [CSEK](https://cloud.google.com/storage/docs/encryption/using-customer-supplied-keys) on Google Cloud, [SSE-C](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#specifying-s3-c-encryption) on AWS, and [block_cipher_kit](https://rubygems.org/gems/block_cipher_kit) for files on disk.
 
 During streaming download, either the cloud provider or a Rails controller will decrypt the requested chunk of the file as it gets served to the client.
 
@@ -115,6 +113,8 @@ Implementation details:
   * `x-amz-server-side-encryption-customer-key`
   * `x-amz-server-side-encryption-customer-key-MD5`
 
+While S3 allows the `x-amz-server-side-encryption-customer-key-MD5` to be added to the signed URL for PUT, the value of that header gets removed from the signature due to the process called "hoisting" - which occurs during the signing of the URL. So your client _may_ override the encryption key you give it forcibly, by replacing the `x-amz-server-side-encryption-customer-key` and `x-amz-server-side-encryption-customer-key-MD5`. This can produce Blobs encrypted with a key you do not have. If you want to exclude the possibility of this, you need to perform an integrity check on your uploads. The integrity check will fail if the encryption key has been overridden in this manner, and you can then destroy the Blob. This problem has been reported to AWS.
+
 ### EncryptedDiskSevice - Filesystem
 
 Can be used instead of the cloud services in development, or on the server if desired. The service will use AES-256-GCM encryption, with a way to switch to a different/more modern encryption scheme in the future.
@@ -185,10 +185,31 @@ When we stream through the controller, we encrypt the token instead of just sign
 
 ## Direct uploads
 
+Our recommended setup is to have your encrypted ActiveStorage service as an additional service configuration in `service.yml`:
+
+```yaml
+development:
+  public: true
+  service: Disk
+  root: <%= Rails.root.join("storage") %>
+
+encrypted_disk:
+  service: EncryptedDisk
+  root: <%= Rails.root.join("storage", "encrypted") %>
+  private_url_policy: stream
+
+```
+
+To upload into a named service that is non-default, you will need to use a different method for generating your presigned upload URL, as the standard Rails controller that creates the `Blob` records prior to upload does not allow you to set it. If you follow the [officlal Rails guide](https://guides.rubyonrails.org/active_storage_overview.html#direct-uploads) you will need to use a different URL helper for generating a URL to create blobs, which _does_ accommodate the service name. The URL you need to use is `create_encrypted_blob_direct_upload_url` (instead of `rails_direct_uploads_url`).
+
+This is not going to be necessary once the corresponding [Rails issue](https://github.com/rails/rails/issues/38940) will get addressed.
+
 All supported services accept the encryption key as part of the headers for the PUT direct upload. The provided Service implementations will generate the correct headers for you. However, your upload client _must_ use the headers provided to you by the server, and not invent its own. The standard ActiveStorage JS bundles honor those headers - but if you use your own uploader you will need to ensure it honors and forwards the headers too.
 
 We also configure the services to generate _and_ require the `Content-MD5` header. The client doing the PUT will need to precompute the MD5 for the object before starting the PUT request or getting a PUT url (as the checksum gets signed by the cloud SDK or by our `EncryptedDiskService`). This is so that any data transmission errors can be intercepted early (we know of one case where a bug in Ruby, combined with a particular HTTP client library, led to bytes getting uploaded out of order).
 
+Note that the encryption headers may require amending your CORS configuration - see the documentation per service regarding that.
+
 ## Security considerations / notes
 
 * It is imperative that you let the server generate the encryption key, and not generate one on the client. Where possible, we add the headers for the encryption key to the signed URL parameters, so client generated keys will deliberately _not_ function. Letting the client generate the keys can lead to key reuse (unintentional or - worse - intentional).

data/Rakefile

@@ -7,8 +7,6 @@ APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
 load "rails/tasks/engine.rake"
 load "rails/tasks/statistics.rake"
 
-require "bundler/gem_tasks"
-
 task :format do
   `bundle exec standardrb --fix`
   `bundle exec magic_frozen_string_literal .`

data/active_storage_encryption.gemspec

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative "lib/active_storage_encryption/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "active_storage_encryption"
+  spec.version = ActiveStorageEncryption::VERSION
+  spec.authors = ["Julik Tarkhanov", "Sebastian van Hesteren"]
+  spec.email = ["me@julik.nl"]
+  spec.homepage = "https://github.com/cheddar-me/active_storage_encryption"
+  spec.summary = "Customer-supplied encryption key support for ActiveStorage blobs."
+  spec.description = "Adds customer-supplied encryption keys to storage services."
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 3.1.0"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the "allowed_push_host"
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  spec.metadata["allowed_push_host"] = "https://rubygems.org"
+
+  # The homepage link on rubygems.org only appears if you add homepage_uri. Just spec.homepage is not enough.
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
+
+  # Do not remove any files from the gemspec - tests are useful because people can read them
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0")
+  end
+
+  spec.add_dependency "rails", ">= 7.2.2.1"
+  spec.add_dependency "block_cipher_kit", ">= 0.0.4"
+  spec.add_dependency "serve_byte_range", "~> 1.0"
+  spec.add_dependency "activestorage"
+
+  # Testing with cloud services
+  spec.add_development_dependency "aws-sdk-s3"
+  spec.add_development_dependency "net-http"
+
+  # Code formatting, linting and testing
+  spec.add_development_dependency "sqlite3"
+  spec.add_development_dependency "standard", ">= 1.35.1"
+  spec.add_development_dependency "appraisal"
+  spec.add_development_dependency "magic_frozen_string_literal"
+  spec.add_development_dependency "rake"
+end

data/config/routes.rb

@@ -2,6 +2,6 @@
 
 ActiveStorageEncryption::Engine.routes.draw do
   put "/blob/:token", to: "encrypted_blobs#update", as: "encrypted_blob_put"
-  get "/blob/:token/*filename(.:format)", to: "encrypted_blobs#show", as: "encrypted_blob_streaming_get"
   post "/blob/direct-uploads", to: "encrypted_blobs#create_direct_upload", as: "create_encrypted_blob_direct_upload"
+  get "/blob/:token/*filename(.:format)", to: "encrypted_blob_proxy#show", as: "encrypted_blob_streaming_get"
 end

data/gemfiles/rails_7.gemfile

@@ -3,5 +3,6 @@
 source "https://rubygems.org"
 
 gem "rails", "< 8.0"
+gem "stringio"
 
 gemspec path: "../"

data/gemfiles/rails_7.gemfile.lock

@@ -1,10 +1,11 @@
 PATH
   remote: ..
   specs:
-    active_storage_encryption (0.1.0)
+    active_storage_encryption (0.2.2)
       activestorage
       block_cipher_kit (>= 0.0.4)
       rails (>= 7.2.2.1)
+      serve_byte_range (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
@@ -151,6 +152,8 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
+    nokogiri (1.18.3-arm64-darwin)
+      racc (~> 1.4)
     nokogiri (1.18.3-x86_64-darwin)
       racc (~> 1.4)
     nokogiri (1.18.3-x86_64-linux-gnu)
@@ -227,6 +230,9 @@ GEM
       rubocop-ast (>= 1.31.1, < 2.0)
     ruby-progressbar (1.13.0)
     securerandom (0.4.1)
+    serve_byte_range (1.0.0)
+      rack (>= 1.0)
+    sqlite3 (2.6.0-arm64-darwin)
     sqlite3 (2.6.0-x86_64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
     standard (1.45.0)
@@ -258,6 +264,8 @@ GEM
     zeitwerk (2.7.2)
 
 PLATFORMS
+  arm64-darwin-21
+  arm64-darwin-24
   x86_64-darwin
   x86_64-linux
 
@@ -271,6 +279,7 @@ DEPENDENCIES
   rake
   sqlite3
   standard (>= 1.35.1)
+  stringio
 
 BUNDLED WITH
    2.5.11

data/gemfiles/rails_8.gemfile

@@ -3,5 +3,6 @@
 source "https://rubygems.org"
 
 gem "rails", ">= 8.0"
+gem "stringio"
 
 gemspec path: "../"

data/gemfiles/rails_8.gemfile.lock

@@ -1,10 +1,11 @@
 PATH
   remote: ..
   specs:
-    active_storage_encryption (0.1.0)
+    active_storage_encryption (0.2.2)
       activestorage
       block_cipher_kit (>= 0.0.4)
       rails (>= 7.2.2.1)
+      serve_byte_range (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
@@ -151,6 +152,8 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
+    nokogiri (1.18.3-arm64-darwin)
+      racc (~> 1.4)
     nokogiri (1.18.3-x86_64-darwin)
       racc (~> 1.4)
     nokogiri (1.18.3-x86_64-linux-gnu)
@@ -227,6 +230,9 @@ GEM
       rubocop-ast (>= 1.31.1, < 2.0)
     ruby-progressbar (1.13.0)
     securerandom (0.4.1)
+    serve_byte_range (1.0.0)
+      rack (>= 1.0)
+    sqlite3 (2.6.0-arm64-darwin)
     sqlite3 (2.6.0-x86_64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
     standard (1.45.0)
@@ -258,6 +264,8 @@ GEM
     zeitwerk (2.7.2)
 
 PLATFORMS
+  arm64-darwin-21
+  arm64-darwin-24
   x86_64-darwin
   x86_64-linux
 
@@ -271,6 +279,7 @@ DEPENDENCIES
   rake
   sqlite3
   standard (>= 1.35.1)
+  stringio
 
 BUNDLED WITH
    2.5.11

data/lib/active_storage_encryption/encrypted_blob_proxy_controller.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+require "serve_byte_range"
+
+# This controller is analogous to the ActiveStorage::ProxyController
+class ActiveStorageEncryption::EncryptedBlobProxyController < ActionController::Base
+  include ActiveStorage::SetCurrent
+
+  class InvalidParams < StandardError
+  end
+
+  DEFAULT_BLOB_STREAMING_DISPOSITION = "inline"
+
+  self.etag_with_template_digest = false
+  skip_forgery_protection
+
+  # Streams the decrypted contents of an encrypted blob
+  def show
+    params = read_params_from_token_and_headers_for_get
+    service = lookup_service(params[:service_name])
+    raise InvalidParams, "#{service.name} does not allow private URLs" if service.private_url_policy == :disable
+
+    # Test the encryption key beforehand, so that the exception does not get raised when serving the actual body
+    service.download_chunk(params[:key], 0..0, encryption_key: params[:encryption_key])
+
+    stream_blob(service:,
+      key: params[:key],
+      encryption_key: params[:encryption_key],
+      blob_byte_size: params[:blob_byte_size],
+      filename: params[:filename],
+      disposition: params[:disposition] || DEFAULT_BLOB_STREAMING_DISPOSITION,
+      type: params[:content_type])
+  rescue ActiveStorage::FileNotFoundError
+    head :not_found
+  rescue InvalidParams, ActiveStorageEncryption::StreamingTokenInvalidOrExpired, ActiveSupport::MessageEncryptor::InvalidMessage, ActiveStorageEncryption::IncorrectEncryptionKey
+    head :forbidden
+  end
+
+  private
+
+  def read_params_from_token_and_headers_for_get
+    token_str = params.require(:token)
+
+    # The token params for GET / private_url download are encrypted, as they contain the object encryption key.
+    token_params = ActiveStorageEncryption.token_encryptor.decrypt_and_verify(token_str, purpose: :encrypted_get).symbolize_keys
+    encryption_key = Base64.decode64(token_params.fetch(:encryption_key))
+    service = lookup_service(token_params.fetch(:service_name))
+
+    # To be more like cloud services: verify presence of headers, if we were asked to (but this is optional)
+    if service.private_url_policy == :require_headers
+      b64_encryption_key = request.headers["x-active-storage-encryption-key"]
+      raise InvalidParams, "x-active-storage-encryption-key header is missing" if b64_encryption_key.blank?
+      raise InvalidParams, "Incorrect encryption key supplied via header" unless Rack::Utils.secure_compare(Base64.decode64(b64_encryption_key), encryption_key)
+    end
+
+    {
+      key: token_params.fetch(:key),
+      service_name: token_params.fetch(:service_name),
+      disposition: token_params.fetch(:disposition),
+      content_type: token_params.fetch(:content_type),
+      encryption_key: Base64.decode64(token_params.fetch(:encryption_key)),
+      blob_byte_size: token_params.fetch(:blob_byte_size)
+    }
+  end
+
+  def lookup_service(name)
+    service = ActiveStorage::Blob.services.fetch(name) { ActiveStorage::Blob.service }
+    raise InvalidParams, "No ActiveStorage default service defined and service #{name.inspect} was not found" unless service
+    raise InvalidParams, "#{service.name} is not providing file encryption" unless service.try(:encrypted?)
+    service
+  end
+
+  def stream_blob(service:, key:, blob_byte_size:, encryption_key:, filename:, disposition:, type:)
+    # The ActiveStorage::ProxyController buffers the entire response into memory
+    # when serving multipart byte ranges, which is extremely inefficient. We use our own thing
+    # which can actually stream from the Service directly, using byte ranges. This limits the
+    # amount of data buffered to 5 megabytes. There can be a better scheme with pagewise caching
+    # in tempfiles, but that's for later.
+    streaming_proc = ->(client_requested_range, response_io) {
+      chunk_size = 5.megabytes
+      client_requested_range.begin.step(client_requested_range.end, chunk_size) do |subrange_start|
+        chunk_end = subrange_start + chunk_size - 1
+        subrange_end = (chunk_end > client_requested_range.end) ? client_requested_range.end : chunk_end
+        range_on_service = subrange_start..subrange_end
+        response_io.write(service.download_chunk(key, range_on_service, encryption_key:))
+      end
+    }
+
+    # A few header things for streaming:
+    # 1. We need to ensure Rack::ETag does not suddenly start buffering us, for that either
+    # the ETag header or the Last-Modified header must be set. We set an ETag from the blob key,
+    # so nothing to do here.
+    # 2. Disable buffering for both nginx and Google Load Balancer, see
+    # https://cloud.google.com/appengine/docs/flexible/how-requests-are-handled?tab=python#x-accel-buffering
+    response.headers["X-Accel-Buffering"] = "no"
+    # 3. Make sure Rack::Deflater does not touch our response body either, see
+    # https://github.com/felixbuenemann/xlsxtream/issues/14#issuecomment-529569548
+    response.headers["Content-Encoding"] = "identity"
+
+    # Range requests use ETags to ensure that if a client goes to download a range of a resource
+    # it has already has some data of, it either gets the full resource - if it changed - or
+    # the bytes the client requested. An ActiveStorage blob never changes once it has been uploaded -
+    # it stays on the service "just as it was" until it gets deleted, so we can reliably use the key
+    # of the blob as the ETag.
+    blob_etag = key.inspect # Strong ETags must be quoted
+    status, headers, ranges_body = ServeByteRange.serve_ranges(request.env,
+      resource_size: blob_byte_size,
+      etag: blob_etag, # TODO
+      resource_content_type: type,
+      &streaming_proc)
+
+    response.status = status
+    headers.each { |(header, value)| response.headers[header] = value }
+    self.response_body = ranges_body
+  end
+end

data/lib/active_storage_encryption/encrypted_blobs_controller.rb

@@ -3,10 +3,6 @@
 class ActiveStorageEncryption::EncryptedBlobsController < ActionController::Base
   include ActiveStorage::SetCurrent
 
-  # Below similar to ActiveStorage::Streaming but ActionController::Live is meh.
-  include ActionController::DataStreaming
-  include ActionController::Live
-
   class InvalidParams < StandardError
   end
 
@@ -32,24 +28,6 @@ class ActiveStorageEncryption::EncryptedBlobsController < ActionController::Base
     head :unprocessable_entity
   end
 
-  # Streams the decrypted contents of an encrypted blob
-  def show
-    params = read_params_from_token_and_headers_for_get
-    service = lookup_service(params[:service_name])
-    raise InvalidParams, "#{service.name} does not allow private URLs" if service.private_url_policy == :disable
-
-    key = params[:key]
-    encryption_key = params[:encryption_key]
-
-    send_stream(filename: params[:filename], disposition: params[:disposition] || DEFAULT_BLOB_STREAMING_DISPOSITION, type: params[:content_type]) do |stream|
-      service.download(key, encryption_key: encryption_key) do |chunk|
-        stream.write chunk
-      end
-    end
-  rescue InvalidParams, ActiveStorageEncryption::StreamingTokenInvalidOrExpired, ActiveSupport::MessageEncryptor::InvalidMessage, ActiveStorageEncryption::IncorrectEncryptionKey
-    head :forbidden
-  end
-
   # Creates a Blob record with a random encryption key and returns the details for PUTing it
   # This is only necessary because in Rails there is some disagreement regarding the service_name parameter.
   # See https://github.com/rails/rails/issues/38940
@@ -111,35 +89,6 @@ class ActiveStorageEncryption::EncryptedBlobsController < ActionController::Base
     }
   end
 
-  def read_params_from_token_and_headers_for_get
-    token_str = params.require(:token)
-
-    # The token params for GET / private_url download are encrypted, as they contain the object encryption key.
-    token_params = ActiveStorageEncryption.token_encryptor.decrypt_and_verify(token_str, purpose: :encrypted_get).symbolize_keys
-    encryption_key = Base64.decode64(token_params.fetch(:encryption_key))
-
-    service = lookup_service(token_params.fetch(:service_name))
-
-    # To be more like cloud services: verify presence of headers, if we were asked to (but this is optional)
-    if service.private_url_policy == :require_headers
-      b64_encryption_key = request.headers["x-active-storage-encryption-key"]
-      raise InvalidParams, "x-active-storage-encryption-key header is missing" if b64_encryption_key.blank?
-      raise InvalidParams, "Incorrect encryption key supplied via header" unless Rack::Utils.secure_compare(Base64.decode64(b64_encryption_key), encryption_key)
-    end
-
-    # Verify the SHA of the encryption key
-    encryption_key_b64sha = Digest::SHA256.base64digest(encryption_key)
-    raise InvalidParams, "Incorrect encryption key supplied via token" unless Rack::Utils.secure_compare(encryption_key_b64sha, token_params.fetch(:encryption_key_sha256))
-
-    {
-      key: token_params.fetch(:key),
-      encryption_key: encryption_key,
-      service_name: token_params.fetch(:service_name),
-      disposition: token_params.fetch(:disposition),
-      content_type: token_params.fetch(:content_type)
-    }
-  end
-
   def lookup_service(name)
     service = ActiveStorage::Blob.services.fetch(name) { ActiveStorage::Blob.service }
     raise InvalidParams, "#{service.name} is not providing file encryption" unless service.try(:encrypted?)

data/lib/active_storage_encryption/encrypted_s3_service.rb

@@ -183,6 +183,7 @@ class ActiveStorageEncryption::EncryptedS3Service < ActiveStorage::Service::S3Se
       sse_options_for_presigned_url.delete(:sse_customer_key)
 
       options_for_super = options.merge(sse_options_for_presigned_url) # The "rest" kwargs for super are the `client_options`
+      options_for_super.delete(:blob_byte_size) # This is not a valid S3 option
       super(key, **options_for_super)
     end
   end

data/lib/active_storage_encryption/engine.rb

@@ -3,5 +3,9 @@
 module ActiveStorageEncryption
   class Engine < ::Rails::Engine
     isolate_namespace ActiveStorageEncryption
+
+    generators do
+      require "generators/install_generator"
+    end
   end
 end

data/lib/active_storage_encryption/overrides.rb

@@ -138,6 +138,7 @@ module ActiveStorageEncryption
             key, expires_in: expires_in, filename: ActiveStorage::Filename.wrap(filename || self.filename),
             encryption_key: encryption_key,
             content_type: content_type_for_serving, disposition: forced_disposition_for_serving || disposition,
+            blob_byte_size: byte_size,
             **options
           )
         else

data/lib/active_storage_encryption/private_url_policy.rb

@@ -18,14 +18,15 @@ module ActiveStorageEncryption::PrivateUrlPolicy
     @private_url_policy
   end
 
-  def private_url_for_streaming_via_controller(key, expires_in:, filename:, content_type:, disposition:, encryption_key:)
+  def private_url_for_streaming_via_controller(key, blob_byte_size:, expires_in:, filename:, content_type:, disposition:, encryption_key:)
     if private_url_policy == :disable
       raise ActiveStorageEncryption::StreamingDisabled, <<~EOS
         Requested a signed GET URL for #{key.inspect} on service #{name}. This service
         has disabled presigned URLs (private_url_policy: disable), you have to use `Blob#download` instead.
       EOS
     end
-
+    # This method requires the "blob_byte_size" because it is needed for HTTP ranges (you need to know the range of a resource),
+    # The ActiveStorage::ProxyController retrieves the blob from the DB for that, but we can embed it right in the token.
     content_disposition = content_disposition_with(type: disposition, filename: filename)
     verified_key_with_expiration = ActiveStorageEncryption.token_encryptor.encrypt_and_sign(
       {
@@ -34,6 +35,7 @@ module ActiveStorageEncryption::PrivateUrlPolicy
         encryption_key_sha256: Digest::SHA256.base64digest(encryption_key),
         content_type: content_type,
         service_name: name,
+        blob_byte_size: blob_byte_size,
         encryption_key: Base64.strict_encode64(encryption_key)
       },
       expires_in: expires_in,

data/lib/active_storage_encryption/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActiveStorageEncryption
-  VERSION = "0.1.0"
+  VERSION = "0.2.2"
 end

data/lib/active_storage_encryption.rb

@@ -6,6 +6,7 @@ require "active_storage_encryption/engine"
 module ActiveStorageEncryption
   autoload :PrivateUrlPolicy, __dir__ + "/active_storage_encryption/private_url_policy.rb"
   autoload :EncryptedBlobsController, __dir__ + "/active_storage_encryption/encrypted_blobs_controller.rb"
+  autoload :EncryptedBlobProxyController, __dir__ + "/active_storage_encryption/encrypted_blob_proxy_controller.rb"
   autoload :EncryptedDiskService, __dir__ + "/active_storage_encryption/encrypted_disk_service.rb"
   autoload :EncryptedMirrorService, __dir__ + "/active_storage_encryption/encrypted_mirror_service.rb"
   autoload :EncryptedS3Service, __dir__ + "/active_storage_encryption/encrypted_s3_service.rb"

data/lib/generators/add_encryption_key_to_active_storage_blobs.rb.erb

@@ -0,0 +1,9 @@
+class AddEncryptionKeyToActiveStorageBlobs < ActiveRecord::Migration[7.2]
+  def change
+    # You _must_ use attribute encryption for this column. Rails uses base64 and JSON encoding
+    # for encrypted attributes, so they can be stored as a string. The "raw" encryption key
+    # that active_storage_encryption will generate and assign to the Blob is going to be
+    # binary, however.
+    add_column :active_storage_blobs, :encryption_key, :string, if_not_exists: true
+  end
+end