active_storage_encryption 0.1.0 → 0.2.2

data/lib/generators/install_generator.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module ActiveStorageEncryption
+  # The generator is used to install ActiveStorageEncryption. It adds the `encryption_key`
+  # column to ActiveStorage::Blob.
+  # Run it with `bin/rails g active_storage_encryption:install` in your console.
+  class InstallGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_paths << File.join(File.dirname(__FILE__, 2))
+
+    # Generates monolithic migration file that contains all database changes.
+    def create_migration_file
+      # Adding a new migration to the gem is then just adding a file.
+      migration_file_paths_in_order = Dir.glob(__dir__ + "/*.rb.erb").sort
+      migration_file_paths_in_order.each do |migration_template_path|
+        untemplated_migration_filename = File.basename(migration_template_path).gsub(/\.erb$/, "")
+        migration_template(migration_template_path, File.join(db_migrate_path, untemplated_migration_filename))
+      end
+    end
+  end
+end

data/test/integration/encrypted_blob_proxy_controller_test.rb

@@ -0,0 +1,253 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class ActiveStorageEncryptionEncryptedBlobProxyControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @storage_dir = Dir.mktmpdir
+    @other_storage_dir = Dir.mktmpdir
+    @service = ActiveStorageEncryption::EncryptedDiskService.new(root: @storage_dir, private_url_policy: "stream")
+    @service.name = "amazing_encrypting_disk_service" # Needed for the controller and service lookup
+
+    # Hack: sneakily add our service to them configurations
+    # ActiveStorage::Blob.services.send(:services)["amazing_encrypting_disk_service"] = @service
+
+    # We need to set our service as the default, because the controller does lookup from the application config -
+    # which does not include the service we define here
+    @previous_default_service = ActiveStorage::Blob.service
+    @previous_services = ActiveStorage::Blob.services
+
+    # To catch potential issues where something goes to the default service by mistake, let's set a
+    # different Service as the default
+    @non_encrypted_default_service = ActiveStorage::Service::DiskService.new(root: @other_storage_dir)
+    ActiveStorage::Blob.service = @non_encrypted_default_service
+    ActiveStorage::Blob.services = {@service.name => @service} # That too
+
+    # This needs to be set
+    ActiveStorageEncryption::Engine.routes.default_url_options = {host: "www.example.com"}
+
+    # We need to use a hostname for ActiveStorage which is in the Rails authorized hosts.
+    # see https://stackoverflow.com/a/60573259/153886
+    ActiveStorage::Current.url_options = {
+      host: "www.example.com",
+      protocol: "https"
+    }
+    freeze_time # For testing expiring tokens
+    https! # So that all requests are simulated as SSL
+  end
+
+  def teardown
+    unfreeze_time
+    ActiveStorage::Blob.service = @previous_default_service
+    ActiveStorage::Blob.services = @previous_services
+    FileUtils.rm_rf(@storage_dir)
+    FileUtils.rm_rf(@other_storage_dir)
+  end
+
+  def engine_routes
+    ActiveStorageEncryption::Engine.routes.url_helpers
+  end
+
+  test "show() serves the complete decrypted blob body" do
+    rng = Random.new(Minitest.seed)
+    plaintext = rng.bytes(512)
+
+    blob = ActiveStorage::Blob.create_and_upload!(io: StringIO.new(plaintext), content_type: "x-office/severance", filename: "secret.bin", service_name: @service.name)
+    assert blob.encryption_key
+
+    streaming_url = blob.url(disposition: "inline") # This generates a URL with the byte size
+    get streaming_url
+
+    assert_response :success
+    assert_equal "x-office/severance", response.headers["content-type"]
+    assert_equal blob.key.inspect, response.headers["etag"]
+    assert_equal plaintext, response.body
+  end
+
+  test "show() serves a blob of 0 size" do
+    Random.new(Minitest.seed)
+    plaintext = "".b
+
+    blob = ActiveStorage::Blob.create_and_upload!(io: StringIO.new(plaintext), content_type: "x-office/severance", filename: "secret.bin", service_name: @service.name)
+    assert blob.encryption_key
+
+    streaming_url = blob.url(disposition: "inline") # This generates a URL with the byte size
+    get streaming_url
+
+    assert_response :success
+    assert response.body.empty?
+  end
+
+  test "show() returns a 404 when the blob no longer exists on the service" do
+    Random.new(Minitest.seed)
+    plaintext = "hello"
+
+    blob = ActiveStorage::Blob.create_and_upload!(io: StringIO.new(plaintext), content_type: "x-office/severance", filename: "secret.bin", service_name: @service.name)
+    assert blob.encryption_key
+
+    streaming_url = blob.url(disposition: "inline") # This generates a URL with the byte size
+    blob.service.delete(blob.key)
+
+    get streaming_url
+
+    assert_response :not_found
+  end
+
+  test "show() serves HTTP ranges" do
+    rng = Random.new(Minitest.seed)
+    plaintext = rng.bytes(5.megabytes + 13)
+
+    blob = ActiveStorage::Blob.create_and_upload!(io: StringIO.new(plaintext), content_type: "x-office/severance", filename: "secret.bin", service_name: @service.name)
+    assert blob.encryption_key
+
+    streaming_url = blob.url(disposition: "inline") # This generates a URL with the byte size
+    get streaming_url, headers: {"Range" => "bytes=0-0"}
+
+    assert_response :partial_content
+    assert_equal "1", response.headers["content-length"]
+    assert_equal "bytes 0-0/5242893", response.headers["content-range"]
+    assert_equal "x-office/severance", response.headers["content-type"]
+    assert_equal plaintext[0..0], response.body
+
+    get streaming_url, headers: {"Range" => "bytes=1-2"}
+
+    assert_response :partial_content
+    assert_equal "2", response.headers["content-length"]
+    assert_equal "bytes 1-2/5242893", response.headers["content-range"]
+    assert_equal "x-office/severance", response.headers["content-type"]
+    assert_equal plaintext[1..2], response.body
+
+    get streaming_url, headers: {"Range" => "bytes=1-2,8-10,12-23"}
+
+    assert_response :partial_content
+    assert response.headers["content-type"].start_with?("multipart/byteranges; boundary=")
+    assert_nil response.headers["content-range"]
+    assert_equal 350, response.body.bytesize
+
+    get streaming_url, headers: {"Range" => "bytes=99999999999999999-99999999999999999"}
+    assert_response :range_not_satisfiable
+  end
+
+  test "show() refuses a request which goes to a non-encrypted Service" do
+    rng = Random.new(Minitest.seed)
+
+    key = SecureRandom.base36(12)
+    encryption_key = rng.bytes(32)
+    plaintext = rng.bytes(512)
+    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
+
+    streaming_url = @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"),
+      expires_in: 30.seconds, disposition: "inline", content_type: "x-office/severance",
+      blob_byte_size: plaintext.bytesize)
+
+    # Sneak in a non-encrypted service under the same key
+    ActiveStorage::Blob.services[@service.name] = @non_encrypted_default_service
+
+    get streaming_url
+    assert_response :forbidden
+  end
+
+  test "show() refuses a request which has an incorrect encryption key" do
+    rng = Random.new(Minitest.seed)
+
+    key = SecureRandom.base36(12)
+    encryption_key = rng.bytes(32)
+    plaintext = rng.bytes(512)
+    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
+
+    another_encryption_key = rng.bytes(32)
+    refute_equal encryption_key, another_encryption_key
+
+    streaming_url = @service.url(key, encryption_key: another_encryption_key,
+      filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds,
+      disposition: "inline", content_type: "x-office/severance", blob_byte_size: plaintext.bytesize)
+    get streaming_url
+
+    assert_response :forbidden
+  end
+
+  test "show() refuses a request with a garbage token" do
+    get engine_routes.encrypted_blob_streaming_get_path(token: "garbage", filename: "exfil.bin")
+    assert_response :forbidden
+  end
+
+  test "show() refuses a request with a token that has been encrypted using an incorrect encryption key" do
+    https!
+    rng = Random.new(Minitest.seed)
+    encryptor_key = rng.bytes(32)
+    other_encryptor = ActiveStorageEncryption::TokenEncryptor.new(encryptor_key, url_safe: encryptor_key)
+
+    key = SecureRandom.base36(12)
+    encryption_key = rng.bytes(32)
+    @service.upload(key, StringIO.new(rng.bytes(512)).binmode, encryption_key: encryption_key)
+
+    streaming_url = ActiveStorageEncryption.stub(:token_encryptor, -> { other_encryptor }) do
+      @service.url(key, encryption_key: encryption_key,
+        filename: ActiveStorage::Filename.new("private.doc"), expires_in: 3.seconds,
+        disposition: "inline", content_type: "binary/octet-stream",
+        blob_byte_size: 512)
+    end
+
+    get streaming_url
+    assert_response :forbidden
+  end
+
+  test "show() refuses a request with a token that has expired" do
+    rng = Random.new(Minitest.seed)
+
+    key = SecureRandom.base36(12)
+    encryption_key = rng.bytes(32)
+    @service.upload(key, StringIO.new(rng.bytes(512)).binmode, encryption_key: encryption_key)
+
+    streaming_url = @service.url(key, encryption_key: encryption_key,
+      filename: ActiveStorage::Filename.new("private.doc"), expires_in: 3.seconds,
+      disposition: "inline", content_type: "binary/octet-stream",
+      blob_byte_size: 512)
+    travel 5.seconds
+
+    get streaming_url
+    assert_response :forbidden
+  end
+
+  test "show() requires headers if the private_url_policy of the service is set to :require_headers" do
+    rng = Random.new(Minitest.seed)
+
+    key = SecureRandom.base36(12)
+    encryption_key = rng.bytes(32)
+    plaintext = rng.bytes(512)
+    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
+
+    # The policy needs to be set before we generate the token (the token includes require_headers)
+    @service.private_url_policy = :require_headers
+    streaming_url = @service.url(key, encryption_key: encryption_key,
+      filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds, disposition: "inline",
+      content_type: "x-office/severance", blob_byte_size: plaintext.bytesize)
+
+    get streaming_url
+    assert_response :forbidden # Without headers
+
+    get streaming_url, headers: {"HTTP_X_ACTIVE_STORAGE_ENCRYPTION_KEY" => Base64.strict_encode64(encryption_key)}
+    assert_response :success
+    assert_equal "x-office/severance", response.headers["content-type"]
+    assert_equal plaintext, response.body
+  end
+
+  test "show() refuses a request if the service no longer permits private URLs, even if the URL was generated when it used to permit them" do
+    rng = Random.new(Minitest.seed)
+
+    SecureRandom.base36(12)
+    plaintext = rng.bytes(512)
+
+    blob = ActiveStorage::Blob.create_and_upload!(io: StringIO.new(plaintext), content_type: "x-office/severance", filename: "secret.bin", service_name: @service.name)
+    assert blob.encryption_key
+    streaming_url = blob.url(disposition: "inline", content_type: "x-office/severance")
+
+    @service.private_url_policy = :disable
+
+    get streaming_url
+    assert_response :forbidden # Without headers
+
+    get streaming_url, headers: {"HTTP_X_ACTIVE_STORAGE_ENCRYPTION_KEY" => Base64.strict_encode64(blob.encryption_key)}
+    assert_response :forbidden # With headers
+  end
+end

data/test/integration/encrypted_blobs_controller_test.rb

@@ -9,9 +9,6 @@ class ActiveStorageEncryptionEncryptedBlobsControllerTest < ActionDispatch::Inte
     @service = ActiveStorageEncryption::EncryptedDiskService.new(root: @storage_dir, private_url_policy: "stream")
     @service.name = "amazing_encrypting_disk_service" # Needed for the controller and service lookup
 
-    # Hack: sneakily add our service to them configurations
-    # ActiveStorage::Blob.services.send(:services)["amazing_encrypting_disk_service"] = @service
-
     # We need to set our service as the default, because the controller does lookup from the application config -
     # which does not include the service we define here
     @previous_default_service = ActiveStorage::Blob.service
@@ -48,133 +45,6 @@ class ActiveStorageEncryptionEncryptedBlobsControllerTest < ActionDispatch::Inte
     ActiveStorageEncryption::Engine.routes.url_helpers
   end
 
-  test "show() returns the decrypted blob body" do
-    rng = Random.new(Minitest.seed)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    plaintext = rng.bytes(512)
-    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
-
-    streaming_url = @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds, disposition: "inline", content_type: "x-office/severance")
-    get streaming_url
-
-    assert_response :success
-    assert_equal "x-office/severance", response.headers["content-type"]
-    assert_equal plaintext, response.body
-  end
-
-  test "show() refuses a request which goes to a non-encrypted Service" do
-    rng = Random.new(Minitest.seed)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    plaintext = rng.bytes(512)
-    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
-
-    streaming_url = @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds, disposition: "inline", content_type: "x-office/severance")
-
-    # Sneak in a non-encrypted service under the same key
-    ActiveStorage::Blob.services[@service.name] = @non_encrypted_default_service
-
-    get streaming_url
-    assert_response :forbidden
-  end
-
-  test "show() refuses a request which has an incorrect encryption key" do
-    rng = Random.new(Minitest.seed)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    plaintext = rng.bytes(512)
-    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
-
-    another_encryption_key = rng.bytes(32)
-    refute_equal encryption_key, another_encryption_key
-
-    streaming_url = @service.url(key, encryption_key: another_encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds, disposition: "inline", content_type: "x-office/severance")
-    get streaming_url
-
-    assert_response :forbidden
-  end
-
-  test "show() refuses a request with a garbage token" do
-    get engine_routes.encrypted_blob_streaming_get_path(token: "garbage", filename: "exfil.bin")
-    assert_response :forbidden
-  end
-
-  test "show() refuses a request with a token that has been encrypted using an incorrect encryption key" do
-    https!
-    rng = Random.new(Minitest.seed)
-    encryptor_key = rng.bytes(32)
-    other_encryptor = ActiveStorageEncryption::TokenEncryptor.new(encryptor_key, url_safe: encryptor_key)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    @service.upload(key, StringIO.new(rng.bytes(512)).binmode, encryption_key: encryption_key)
-
-    streaming_url = ActiveStorageEncryption.stub(:token_encryptor, -> { other_encryptor }) do
-      @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 3.seconds, disposition: "inline", content_type: "binary/octet-stream")
-    end
-
-    get streaming_url
-    assert_response :forbidden
-  end
-
-  test "show() refuses a request with a token that has expired" do
-    rng = Random.new(Minitest.seed)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    @service.upload(key, StringIO.new(rng.bytes(512)).binmode, encryption_key: encryption_key)
-
-    streaming_url = @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 3.seconds, disposition: "inline", content_type: "binary/octet-stream")
-    travel 5.seconds
-
-    get streaming_url
-    assert_response :forbidden
-  end
-
-  test "show() requires headers if the private_url_policy of the service is set to :require_headers" do
-    rng = Random.new(Minitest.seed)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    plaintext = rng.bytes(512)
-    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
-
-    # The policy needs to be set before we generate the token (the token includes require_headers)
-    @service.private_url_policy = :require_headers
-    streaming_url = @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds, disposition: "inline", content_type: "x-office/severance")
-
-    get streaming_url
-    assert_response :forbidden # Without headers
-
-    get streaming_url, headers: {"HTTP_X_ACTIVE_STORAGE_ENCRYPTION_KEY" => Base64.strict_encode64(encryption_key)}
-    assert_response :success
-    assert_equal "x-office/severance", response.headers["content-type"]
-    assert_equal plaintext, response.body
-  end
-
-  test "show() refuses a request if the service no longer permits private URLs" do
-    rng = Random.new(Minitest.seed)
-
-    key = SecureRandom.base36(12)
-    encryption_key = rng.bytes(32)
-    plaintext = rng.bytes(512)
-    @service.upload(key, StringIO.new(plaintext).binmode, encryption_key: encryption_key)
-
-    streaming_url = @service.url(key, encryption_key: encryption_key, filename: ActiveStorage::Filename.new("private.doc"), expires_in: 30.seconds, disposition: "inline", content_type: "x-office/severance")
-
-    @service.private_url_policy = :disable
-
-    get streaming_url
-    assert_response :forbidden # Without headers
-
-    get streaming_url, headers: {"HTTP_X_ACTIVE_STORAGE_ENCRYPTION_KEY" => Base64.strict_encode64(encryption_key)}
-    assert_response :forbidden # Without headers
-  end
-
   test "create_direct_upload creates a blob and returns the headers and the URL to start the upload, which are for the correct service name" do
     rng = Random.new(Minitest.seed)
     plaintext = rng.bytes(512)

data/test/lib/encrypted_disk_service_test.rb

@@ -91,95 +91,15 @@ class ActiveStorageEncryption::EncryptedDiskServiceTest < ActiveSupport::TestCas
     assert_equal Digest::SHA256.hexdigest(plaintext_upload_bytes), Digest::SHA256.hexdigest(readback_bytes)
   end
 
-  def test_get_with_headers_always_succeeds
-    @service.private_url_policy = :require_headers
-
-    key = "key-1"
-    k = Random.bytes(68)
-    plaintext_upload_bytes = generate_random_binary_string
-    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key: k)
-
-    ActiveStorage::Blob.service = @service # So that the controller can find it
-
-    # ActiveStorage wraps the passed filename in a wrapper thingy
-    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
-    url = @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
-    assert url.include?("/active-storage-encryption/blob/")
-
-    uri = URI.parse(url)
-
-    # Do a super-minimalistic test on the DiskController. ActionController is actually a Rack app (or, rather: every controller action is a Rack app).
-    # It can thus be called with a minimal Rack env. For the definition of "minimal", see https://github.com/rack/rack/blob/main/SPEC.rdoc#the-environment-
-    rack_env = {
-      "SCRIPT_NAME" => "",
-      "PATH_INFO" => uri.path,
-      "QUERY_STRING" => uri.query,
-      "REQUEST_METHOD" => "GET",
-      "SERVER_NAME" => uri.host,
-      "HTTP_X_ACTIVE_STORAGE_ENCRYPTION_KEY" => Base64.strict_encode64(k),
-      "rack.input" => StringIO.new(""),
-      "action_dispatch.request.parameters" => {
-        # The controller expects the Rails router to have injected this param by extracting
-        # it from the route path. The upload param is mapped to :encoded_token, the download param is
-        # mapped to :encoded_key - likely because there was an exploit with ActiveStorage where keys
-        # generated for download could be used for uploading (and thus - overwriting)
-        "token" => uri.path.split("/")[-2] # For "show", the last path param is actually the filename - this is because Content-Disposition can be unreliable for download filename
-      }
-    }
-    action_app = ActiveStorageEncryption::EncryptedBlobsController.action(:show)
-    status, _headers, body = action_app.call(rack_env)
-
-    assert_equal 200, status
-
-    readback_bytes = (+"").b.tap do |buf|
-      body.each { |chunk| buf << chunk }
-    end
-    assert_equal Digest::SHA256.hexdigest(plaintext_upload_bytes), Digest::SHA256.hexdigest(readback_bytes)
-  end
-
-  def test_get_without_headers_succeeds_if_service_permits
+  def test_private_url
     @service.private_url_policy = :stream
 
-    key = "key-1"
-    k = Random.bytes(68)
-    plaintext_upload_bytes = generate_random_binary_string
-    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key: k)
-
-    ActiveStorage::Blob.service = @service # So that the controller can find it
-
     # ActiveStorage wraps the passed filename in a wrapper thingy
     filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
-    url = @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
+    key = "key-1"
+    encryption_key = Random.bytes(32)
+    url = @service.url(key, blob_byte_size: 14, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key:, expires_in: 10.seconds)
     assert url.include?("/active-storage-encryption/blob/")
-
-    uri = URI.parse(url)
-
-    # Do a super-minimalistic test on the DiskController. ActionController is actually a Rack app (or, rather: every controller action is a Rack app).
-    # It can thus be called with a minimal Rack env. For the definition of "minimal", see https://github.com/rack/rack/blob/main/SPEC.rdoc#the-environment-
-    rack_env = {
-      "SCRIPT_NAME" => "",
-      "PATH_INFO" => uri.path,
-      "QUERY_STRING" => uri.query,
-      "REQUEST_METHOD" => "GET",
-      "SERVER_NAME" => uri.host,
-      "rack.input" => StringIO.new(""),
-      "action_dispatch.request.parameters" => {
-        # The controller expects the Rails router to have injected this param by extracting
-        # it from the route path. The upload param is mapped to :encoded_token, the download param is
-        # mapped to :encoded_key - likely because there was an exploit with ActiveStorage where keys
-        # generated for download could be used for uploading (and thus - overwriting)
-        "token" => uri.path.split("/")[-2] # For "show", the last path param is actually the filename - this is because Content-Disposition can be unreliable for download filename
-      }
-    }
-    action_app = ActiveStorageEncryption::EncryptedBlobsController.action(:show)
-    status, _headers, body = action_app.call(rack_env)
-
-    assert_equal 200, status
-
-    readback_bytes = (+"").b.tap do |buf|
-      body.each { |chunk| buf << chunk }
-    end
-    assert_equal Digest::SHA256.hexdigest(plaintext_upload_bytes), Digest::SHA256.hexdigest(readback_bytes)
   end
 
   def test_generating_url_fails_if_streaming_is_off_for_the_service
@@ -193,44 +113,10 @@ class ActiveStorageEncryption::EncryptedDiskServiceTest < ActiveSupport::TestCas
     # ActiveStorage wraps the passed filename in a wrapper thingy
     filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
     assert_raises ActiveStorageEncryption::StreamingDisabled do
-      @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
+      @service.url(key, blob_byte_size: 12, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
     end
   end
 
-  def test_get_without_headers_fails_if_service_does_not_permit
-    @service.private_url_policy = :require_headers
-
-    key = "key-1"
-    k = Random.bytes(68)
-    plaintext_upload_bytes = generate_random_binary_string
-    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key: k)
-
-    ActiveStorage::Blob.service = @service # So that the controller can find it
-
-    # ActiveStorage wraps the passed filename in a wrapper thingy
-    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
-    url = @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
-    uri = URI.parse(url)
-
-    # Do a super-minimalistic test on the DiskController. ActionController is actually a Rack app (or, rather: every controller action is a Rack app).
-    # It can thus be called with a minimal Rack env. For the definition of "minimal", see https://github.com/rack/rack/blob/main/SPEC.rdoc#the-environment-
-    rack_env = {
-      "SCRIPT_NAME" => "",
-      "PATH_INFO" => uri.path,
-      "QUERY_STRING" => uri.query,
-      "REQUEST_METHOD" => "GET",
-      "SERVER_NAME" => uri.host,
-      "rack.input" => StringIO.new(""),
-      # Omit x-disk-encryption-key
-      "action_dispatch.request.parameters" => {
-        "token" => uri.path.split("/")[-2] # For "show", the last path param is actually the filename - this is because Content-Disposition can be unreliable for download filename
-      }
-    }
-    action_app = ActiveStorageEncryption::EncryptedBlobsController.action(:show)
-    status, _headers, _body = action_app.call(rack_env)
-    assert_equal 403, status
-  end
-
   def test_upload_then_download_using_correct_key
     storage_blob_key = "key-1"
     k = Random.bytes(68)

data/test/lib/encrypted_mirror_service_test.rb

@@ -119,7 +119,7 @@ class ActiveStorageEncryption::EncryptedMirrorServiceTest < ActiveSupport::TestC
 
     # ActiveStorage wraps the passed filename in a wrapper thingy
     filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
-    url = @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
+    url = @service.url(key, blob_byte_size: 13, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
     assert url.include?("/active-storage-encryption/blob/")
   end
 

data/test/lib/encrypted_s3_service_test.rb

@@ -73,7 +73,9 @@ class ActiveStorageEncryption::EncryptedS3ServiceTest < ActiveSupport::TestCase
 
     # ActiveStorage wraps the passed filename in a wrapper thingy
     filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
-    url = @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 10.seconds)
+    url = @service.url(key, blob_byte_size: plaintext_upload_bytes.bytesize,
+      filename: filename_with_sanitization, content_type: "binary/octet-stream",
+      disposition: "inline", encryption_key: k, expires_in: 10.seconds)
     assert url.include?("/active-storage-encryption/blob/")
   end
 
@@ -88,7 +90,8 @@ class ActiveStorageEncryption::EncryptedS3ServiceTest < ActiveSupport::TestCase
 
     # ActiveStorage wraps the passed filename in a wrapper thingy
     filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
-    url = @service.url(key, filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 240.seconds)
+    url = @service.url(key, blob_byte_size: plaintext_upload_bytes.bytesize,
+      filename: filename_with_sanitization, content_type: "binary/octet-stream", disposition: "inline", encryption_key: k, expires_in: 240.seconds)
 
     assert url.include?("x-amz-server-side-encryption-customer-algorithm")
     refute url.include?("x-amz-server-side-encryption-customer-key=") # The key should not be in the URL