active_storage_encryption 0.2.0 → 0.3.0

data/lib/active_storage_encryption/encrypted_gcs_service.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+require "active_storage/service/gcs_service"
+require "google/cloud/storage/service"
+
+class ActiveStorageEncryption::EncryptedGCSService < ActiveStorage::Service::GCSService
+  include ActiveStorageEncryption::PrivateUrlPolicy
+  GCS_ENCRYPTION_KEY_LENGTH_BYTES = 32 # google wants to get a 32 byte key
+
+  def encrypted? = true
+
+  def public? = false
+
+  def service_name
+    # ActiveStorage::Service::DiskService => Disk
+    # Overridden because in Rails 8 this is "self.class.name.split("::").third.remove("Service")"
+    self.class.name.split("::").last.remove("Service")
+  end
+
+  def upload(key, io, encryption_key: nil, checksum: nil, content_type: nil, disposition: nil, filename: nil, custom_metadata: {})
+    instrument :upload, key: key, checksum: checksum do
+      # GCS's signed URLs don't include params such as response-content-type response-content_disposition
+      # in the signature, which means an attacker can modify them and bypass our effort to force these to
+      # binary and attachment when the file's content type requires it. The only way to force them is to
+      # store them as object's metadata.
+      content_disposition = content_disposition_with(type: disposition, filename: filename) if disposition && filename
+      bucket.create_file(io, key, md5: checksum, cache_control: @config[:cache_control], content_type: content_type, content_disposition: content_disposition, metadata: custom_metadata, encryption_key: derive_service_encryption_key(encryption_key))
+    rescue Google::Cloud::InvalidArgumentError => e
+      raise ActiveStorage::IntegrityError, e
+    end
+  end
+
+  def url_for_direct_upload(key, expires_in:, checksum:, encryption_key:, content_type: nil, custom_metadata: {}, filename: nil, **)
+    instrument :url, key: key do |payload|
+      headers = headers_for_direct_upload(key, checksum:, encryption_key:, content_type:, filename:, custom_metadata:)
+
+      version = :v4
+
+      args = {
+        content_md5: checksum,
+        expires: expires_in,
+        headers: headers,
+        method: "PUT",
+        version: version
+      }
+
+      if @config[:iam]
+        args[:issuer] = issuer
+        args[:signer] = signer
+      end
+
+      generated_url = bucket.signed_url(key, **args)
+
+      payload[:url] = generated_url
+
+      generated_url
+    end
+  end
+
+  def headers_for_direct_upload(key, checksum:, encryption_key:, filename: nil, disposition: nil, content_type: nil, custom_metadata: {}, **)
+    headers = {
+      "Content-Type" => content_type,
+      "Content-MD5" => checksum, # Not strictly required, but it ensures the file bytes we upload match what we want. This way google will error when we upload garbage.
+      **gcs_encryption_key_headers(derive_service_encryption_key(encryption_key)),
+      **custom_metadata_headers(custom_metadata)
+    }
+    headers["Content-Disposition"] = content_disposition_with(type: disposition, filename: filename) if filename
+
+    if @config[:cache_control].present?
+      headers["Cache-Control"] = @config[:cache_control]
+    end
+    headers
+  end
+
+  def download(key, encryption_key: nil, &block)
+    if block_given?
+      instrument :streaming_download, key: key do
+        stream(key, encryption_key: encryption_key, &block)
+      end
+    else
+      instrument :download, key: key do
+        file_for(key).download(encryption_key: derive_service_encryption_key(encryption_key)).string
+      rescue Google::Cloud::NotFoundError => e
+        raise ActiveStorage::FileNotFoundError, e
+      end
+    end
+  end
+
+  def download_chunk(key, range, encryption_key: nil)
+    instrument :download_chunk, key: key, range: range do
+      file_for(key).download(range: range, encryption_key: derive_service_encryption_key(encryption_key)).string
+    rescue Google::Cloud::NotFoundError => e
+      raise ActiveStorage::FileNotFoundError, e
+    end
+  end
+
+  # Reads the file for the given key in chunks, yielding each to the block.
+  def stream(key, encryption_key: nil)
+    file = file_for(key, skip_lookup: false)
+
+    chunk_size = 5.megabytes
+    offset = 0
+
+    raise ActiveStorage::FileNotFoundError unless file.present?
+
+    while offset < file.size
+      yield file.download(range: offset..(offset + chunk_size - 1), encryption_key: derive_service_encryption_key(encryption_key)).string
+      offset += chunk_size
+    end
+  end
+
+  def compose(source_keys, destination_key, encryption_key:, filename: nil, content_type: nil, disposition: nil, custom_metadata: {})
+    # Because we will always have a different encryption_key on a blob when created and google requires us to have the same encryption_keys on all source blobs
+    # we need to work this out a bit more. For now we don't need this and thus won't support it in this service.
+    raise NotImplementedError, "Currently composing files is not supported"
+  end
+
+  private
+
+  def private_url(key, expires_in:, filename:, content_type:, disposition:, encryption_key:, **remaining_options_for_streaming_url)
+    if private_url_policy == :require_headers
+      args = {
+        expires: expires_in,
+        query: {
+          "response-content-disposition" => content_disposition_with(type: disposition, filename: filename),
+          "response-content-type" => content_type
+        },
+        headers: gcs_encryption_key_headers(derive_service_encryption_key(encryption_key))
+      }
+
+      if @config[:iam]
+        args[:issuer] = issuer
+        args[:signer] = signer
+      end
+
+      file_for(key).signed_url(**args, version: :v4)
+    else
+      private_url_for_streaming_via_controller(key, expires_in:, filename:, content_type:, disposition:, encryption_key:, **remaining_options_for_streaming_url)
+    end
+  end
+
+  def public_url(key, filename:, encryption_key:, content_type: nil, disposition: :inline, **)
+    raise "Public URL's are disabled for this service"
+  end
+
+  def gcs_encryption_key_headers(key)
+    {
+      "x-goog-encryption-algorithm" => "AES256",
+      "x-goog-encryption-key" => Base64.strict_encode64(key),
+      "x-goog-encryption-key-sha256" => Digest::SHA256.base64digest(key)
+    }
+  end
+
+  def derive_service_encryption_key(blob_encryption_key)
+    raise ArgumentError, "The blob encryption_key must be at least #{GCS_ENCRYPTION_KEY_LENGTH_BYTES} bytes long" unless blob_encryption_key.bytesize >= GCS_ENCRYPTION_KEY_LENGTH_BYTES
+    blob_encryption_key[0...GCS_ENCRYPTION_KEY_LENGTH_BYTES]
+  end
+end

data/lib/active_storage_encryption/engine.rb

@@ -3,5 +3,9 @@
 module ActiveStorageEncryption
   class Engine < ::Rails::Engine
     isolate_namespace ActiveStorageEncryption
+
+    generators do
+      require "generators/install_generator"
+    end
   end
 end

data/lib/active_storage_encryption/overrides.rb

@@ -2,6 +2,9 @@
 
 module ActiveStorageEncryption
   module Overrides
+    class EncryptionKeyMissingError < StandardError
+    end
+
     module EncryptedBlobClassMethods
       def self.included base
         base.class_eval do
@@ -54,7 +57,7 @@ module ActiveStorageEncryption
               content_type ||= blobs.pluck(:content_type).compact.first
 
               new(key: key, filename: filename, content_type: content_type, metadata: metadata, byte_size: blobs.sum(&:byte_size), service_name:, encryption_key:).tap do |combined_blob|
-                combined_blob.compose(blobs.pluck(:key))
+                combined_blob.compose(blobs.pluck(:key), source_encryption_keys: blobs.pluck(:encryption_key))
                 combined_blob.save!
               end
             end
@@ -70,7 +73,8 @@ module ActiveStorageEncryption
 
       def service_url_for_direct_upload(expires_in: ActiveStorage.service_urls_expire_in)
         if service_encrypted?
-          raise "No encryption key present" unless encryption_key
+          ensure_encryption_key_set!
+
           service.url_for_direct_upload(key, expires_in: expires_in, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata, encryption_key: encryption_key)
         else
           super
@@ -78,6 +82,8 @@ module ActiveStorageEncryption
       end
 
       def open(tmpdir: nil, &block)
+        ensure_encryption_key_set! if service_encrypted?
+
         service.open(
           key,
           encryption_key: encryption_key,
@@ -91,6 +97,8 @@ module ActiveStorageEncryption
 
       def service_headers_for_direct_upload
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.headers_for_direct_upload(key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata, encryption_key: encryption_key)
         else
           super
@@ -99,6 +107,8 @@ module ActiveStorageEncryption
 
       def upload_without_unfurling(io)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.upload(key, io, checksum: checksum, encryption_key: encryption_key, **service_metadata)
         else
           super
@@ -109,6 +119,8 @@ module ActiveStorageEncryption
       # That'll use a lot of RAM for very large files. If a block is given, then the download is streamed and yielded in chunks.
       def download(&block)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.download(key, encryption_key: encryption_key, &block)
         else
           super
@@ -117,23 +129,29 @@ module ActiveStorageEncryption
 
       def download_chunk(range)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.download_chunk(key, range, encryption_key: encryption_key)
         else
           super
         end
       end
 
-      def compose(keys)
+      def compose(keys, source_encryption_keys: [])
         if service_encrypted?
+          ensure_encryption_key_set!
+
           self.composed = true
-          service.compose(keys, key, encryption_key: encryption_key, **service_metadata)
+          service.compose(keys, key, encryption_key: encryption_key, source_encryption_keys: source_encryption_keys, **service_metadata)
         else
-          super
+          super(keys)
         end
       end
 
       def url(expires_in: ActiveStorage.service_urls_expire_in, disposition: :inline, filename: nil, **options)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.url(
             key, expires_in: expires_in, filename: ActiveStorage::Filename.wrap(filename || self.filename),
             encryption_key: encryption_key,
@@ -156,6 +174,12 @@ module ActiveStorageEncryption
         end
         super
       end
+
+      private
+
+      def ensure_encryption_key_set!
+        raise EncryptionKeyMissingError, "Encryption key must be present" unless encryption_key.present?
+      end
     end
 
     module BlobIdentifiableInstanceMethods
@@ -178,6 +202,8 @@ module ActiveStorageEncryption
 
     module DownloaderInstanceMethods
       def open(key, encryption_key: nil, checksum: nil, verify: true, name: "ActiveStorage-", tmpdir: nil, &blk)
+        raise EncryptionKeyMissingError, "An encryption key must be supplied when using an encrypted service" if !encryption_key && service.respond_to?(:encrypted?) && service.encrypted?
+
         open_tempfile(name, tmpdir) do |file|
           download(key, file, encryption_key: encryption_key)
           verify_integrity_of(file, checksum: checksum) if verify
@@ -189,6 +215,8 @@ module ActiveStorageEncryption
 
       def download(key, file, encryption_key: nil)
         if service.respond_to?(:encrypted?) && service.encrypted?
+          raise "An encryption key must be supplied when using an encrypted service" unless encryption_key
+
           file.binmode
           service.download(key, encryption_key: encryption_key) { |chunk| file.write(chunk) }
           file.flush

data/lib/active_storage_encryption/private_url_policy.rb

@@ -18,7 +18,7 @@ module ActiveStorageEncryption::PrivateUrlPolicy
     @private_url_policy
   end
 
-  def private_url_for_streaming_via_controller(key, blob_byte_size:, expires_in:, filename:, content_type:, disposition:, encryption_key:)
+  def private_url_for_streaming_via_controller(key, expires_in:, filename:, content_type:, disposition:, encryption_key:, blob_byte_size:)
     if private_url_policy == :disable
       raise ActiveStorageEncryption::StreamingDisabled, <<~EOS
         Requested a signed GET URL for #{key.inspect} on service #{name}. This service

data/lib/active_storage_encryption/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActiveStorageEncryption
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/lib/active_storage_encryption.rb

@@ -10,6 +10,7 @@ module ActiveStorageEncryption
   autoload :EncryptedDiskService, __dir__ + "/active_storage_encryption/encrypted_disk_service.rb"
   autoload :EncryptedMirrorService, __dir__ + "/active_storage_encryption/encrypted_mirror_service.rb"
   autoload :EncryptedS3Service, __dir__ + "/active_storage_encryption/encrypted_s3_service.rb"
+  autoload :EncryptedGCSService, __dir__ + "/active_storage_encryption/encrypted_gcs_service.rb"
   autoload :Overrides, __dir__ + "/active_storage_encryption/overrides.rb"
 
   class IncorrectEncryptionKey < ArgumentError

data/lib/generators/add_encryption_key_to_active_storage_blobs.rb.erb

@@ -0,0 +1,9 @@
+class AddEncryptionKeyToActiveStorageBlobs < ActiveRecord::Migration[7.2]
+  def change
+    # You _must_ use attribute encryption for this column. Rails uses base64 and JSON encoding
+    # for encrypted attributes, so they can be stored as a string. The "raw" encryption key
+    # that active_storage_encryption will generate and assign to the Blob is going to be
+    # binary, however.
+    add_column :active_storage_blobs, :encryption_key, :string, if_not_exists: true
+  end
+end

data/lib/generators/install_generator.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module ActiveStorageEncryption
+  # The generator is used to install ActiveStorageEncryption. It adds the `encryption_key`
+  # column to ActiveStorage::Blob.
+  # Run it with `bin/rails g active_storage_encryption:install` in your console.
+  class InstallGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_paths << File.join(File.dirname(__FILE__, 2))
+
+    # Generates monolithic migration file that contains all database changes.
+    def create_migration_file
+      # Adding a new migration to the gem is then just adding a file.
+      migration_file_paths_in_order = Dir.glob(__dir__ + "/*.rb.erb").sort
+      migration_file_paths_in_order.each do |migration_template_path|
+        untemplated_migration_filename = File.basename(migration_template_path).gsub(/\.erb$/, "")
+        migration_template(migration_template_path, File.join(db_migrate_path, untemplated_migration_filename))
+      end
+    end
+  end
+end

data/test/dummy/app/models/user.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class User < ApplicationRecord
+  has_one_attached :file, service: :encrypted_disk
+end

data/test/dummy/config/environments/test.rb

@@ -42,6 +42,8 @@ Rails.application.configure do
   # Tell Active Support which deprecation messages to disallow.
   config.active_support.disallowed_deprecation_warnings = []
 
+  config.active_storage.service = :test
+
   # Raises error for missing translations.
   # config.i18n.raise_on_missing_translations = true
 

data/test/dummy/config/storage.yml

@@ -19,3 +19,6 @@ encrypted_mirror:
     - encrypted_disk
   mirrors:
     - test
+
+encrypted_gcs_service:
+  service: EncryptedGCS

data/test/dummy/db/migrate/20250428093315_create_users.rb

@@ -0,0 +1,7 @@
+class CreateUsers < ActiveRecord::Migration[7.2]
+  def change
+    create_table :users do |t|
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/schema.rb

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -12,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_03_04_023853) do
+ActiveRecord::Schema[7.2].define(version: 2025_04_28_093315) do
   create_table "active_storage_attachments", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
@@ -42,6 +40,11 @@ ActiveRecord::Schema[7.2].define(version: 2025_03_04_023853) do
     t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true
   end
 
+  create_table "users", force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"
   add_foreign_key "active_storage_variant_records", "active_storage_blobs", column: "blob_id"
 end

data/test/lib/encrypted_gcs_service_test.rb

@@ -0,0 +1,201 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class ActiveStorageEncryption::EncryptedGCSServiceTest < ActiveSupport::TestCase
+  def config
+    {
+      project_id: "sandbox-ci-25b8",
+      bucket: "sandbox-ci-testing-secure-documents",
+      private_url_policy: "stream"
+    }
+  end
+
+  setup do
+    if ENV["GOOGLE_APPLICATION_CREDENTIALS"].blank?
+      skip "You need GOOGLE_APPLICATION_CREDENTIALS set in your env and it needs to point to the JSON keyfile for GCS"
+    end
+
+    @textfile = StringIO.new("Secure document that needs to be stored encrypted.")
+    @textfile2 = StringIO.new("While being neatly organized all in a days work aat the job.")
+    @service = ActiveStorageEncryption::EncryptedGCSService.new(**config)
+    @service.name = "encrypted_gcs_service"
+
+    @encryption_key = ActiveStorage::Blob.generate_random_encryption_key
+    @gcs_key_length_range = (0...ActiveStorageEncryption::EncryptedGCSService::GCS_ENCRYPTION_KEY_LENGTH_BYTES) # 32 bytes
+  end
+
+  def run_id
+    # We use a shared GCS bucket, and multiple runs of the test suite may write into it at the same time.
+    # To prevent clobbering and conflicts, assign a "test run ID" and mix it into the object keys. Keep that
+    # value stable across the test suite.
+    @test_suite_run_id ||= SecureRandom.base36(10)
+  end
+
+  def test_encrypted_question_method
+    assert @service.encrypted?
+  end
+
+  def test_forbids_private_urls_with_disabled_policy
+    @service.private_url_policy = :disable
+
+    rng = Random.new(Minitest.seed)
+    key = "#{run_id}-streamed-key-#{rng.hex(4)}"
+    encryption_key = Random.bytes(68)
+    plaintext_upload_bytes = rng.bytes(425)
+    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+
+    # ActiveStorage wraps the passed filename in a wrapper thingy
+    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
+
+    assert_raises(ActiveStorageEncryption::StreamingDisabled) do
+      @service.url(key, filename: filename_with_sanitization, blob_byte_size: plaintext_upload_bytes.bytesize, content_type: "binary/octet-stream", disposition: "inline", encryption_key:, expires_in: 10.seconds)
+    end
+  end
+
+  def test_exists
+    rng = Random.new(Minitest.seed)
+
+    key = "#{run_id}-encrypted-exists-key-#{rng.hex(4)}"
+    encryption_key = rng.bytes(47) # Make it bigger than required, to ensure the service truncates it
+    plaintext_upload_bytes = rng.bytes(1024)
+
+    assert_nothing_raised { @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:) }
+    refute @service.exist?(key + "-definitely-not-present")
+    assert @service.exist?(key)
+  end
+
+  def test_generates_private_streaming_urls_with_streaming_policy
+    @service.private_url_policy = :stream
+
+    rng = Random.new(Minitest.seed)
+    key = "#{run_id}-streamed-key-#{rng.hex(4)}"
+    encryption_key = Random.bytes(68)
+    plaintext_upload_bytes = rng.bytes(425)
+    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+
+    # The streaming URL generation uses Rails routing, so it needs
+    # ActiveStorage::Current.url_options to be set
+    # We need to use a hostname for ActiveStorage which is in the Rails authorized hosts.
+    # see https://stackoverflow.com/a/60573259/153886
+    ActiveStorage::Current.url_options = {
+      host: "www.example.com",
+      protocol: "https"
+    }
+
+    # ActiveStorage wraps the passed filename in a wrapper thingy
+    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
+    url = @service.url(key, blob_byte_size: plaintext_upload_bytes.bytesize,
+      filename: filename_with_sanitization, content_type: "binary/octet-stream",
+      disposition: "inline", encryption_key:, expires_in: 10.seconds)
+    assert url.include?("/active-storage-encryption/blob/")
+  end
+
+  def test_generates_private_urls_with_require_headers_policy
+    @service.private_url_policy = :require_headers
+
+    rng = Random.new(Minitest.seed)
+    key = "#{run_id}-streamed-key-#{rng.hex(4)}"
+    encryption_key = Random.bytes(68)
+    plaintext_upload_bytes = rng.bytes(425)
+    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+
+    # ActiveStorage wraps the passed filename in a wrapper thingy
+    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
+    url = @service.url(key, blob_byte_size: plaintext_upload_bytes.bytesize,
+      filename: filename_with_sanitization, content_type: "binary/octet-stream",
+      disposition: "inline", encryption_key:, expires_in: 240.seconds)
+
+    query_params_hash = URI.decode_www_form(URI.parse(url).query).to_h
+
+    # Downcased header names for this test since that's what we get back from signing process.
+    expected_headers = ["x-goog-encryption-algorithm", "x-goog-encryption-key", "x-goog-encryption-key-sha256"]
+    signed_headers = query_params_hash["X-Goog-SignedHeaders"].split(";")
+    assert expected_headers.all? { |header| header.in?(signed_headers) }
+
+    uri = URI(url)
+    req = Net::HTTP::Get.new(uri)
+    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http|
+      http.request(req)
+    }
+    assert_equal "400", res.code
+
+    # TODO make this a headers_for_private_download like in the s3 service
+    download_headers = {
+      "content-type" => "binary/octet-stream",
+      "Content-Disposition" => "inline; filename=\"temp.bin\"; filename*=UTF-8''temp.bin",
+      "x-goog-encryption-algorithm" => "AES256",
+      "x-goog-encryption-key" => Base64.strict_encode64(encryption_key[@gcs_key_length_range]),
+      "x-goog-encryption-key-sha256" => Digest::SHA256.base64digest(encryption_key[@gcs_key_length_range])
+    }
+    download_headers.each_pair { |key, value| req[key] = value }
+
+    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http|
+      http.request(req)
+    }
+    assert_equal "200", res.code
+    assert_equal plaintext_upload_bytes, res.body
+  end
+
+  def test_basic_gcs_readback
+    rng = Random.new(Minitest.seed)
+
+    key = "#{run_id}-encrypted-key-#{rng.hex(4)}"
+    encryption_key = rng.bytes(47) # Make it bigger than required, to ensure the service truncates it
+    plaintext_upload_bytes = rng.bytes(1024)
+
+    assert_nothing_raised do
+      @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+    end
+    readback = @service.download(key, encryption_key:)
+    assert_equal readback, plaintext_upload_bytes
+  end
+
+  def test_accepts_direct_upload_with_signature_and_headers
+    rng = Random.new(Minitest.seed)
+
+    key = "#{run_id}-encrypted-key-direct-upload-#{rng.hex(4)}"
+    encryption_key = rng.bytes(47) # Make it bigger than required, to ensure the service truncates it
+    plaintext_upload_bytes = rng.bytes(1024)
+
+    url = @service.url_for_direct_upload(key,
+      encryption_key:,
+      expires_in: 5.minutes.to_i,
+      content_type: "binary/octet-stream",
+      content_length: plaintext_upload_bytes.bytesize,
+      checksum: Digest::MD5.base64digest(plaintext_upload_bytes))
+
+    query_params_hash = URI.decode_www_form(URI.parse(url).query).to_h
+
+    # Downcased header names for this test since that's what we get back from signing process.
+    expected_headers = ["content-md5", "x-goog-encryption-algorithm", "x-goog-encryption-key", "x-goog-encryption-key-sha256"]
+    signed_headers = query_params_hash["X-Goog-SignedHeaders"].split(";")
+    assert expected_headers.all? { |header| header.in?(signed_headers) }
+
+    assert_equal "300", query_params_hash["X-Goog-Expires"]
+
+    should_be_headers = {
+      "Content-Type" => "binary/octet-stream",
+      "Content-MD5" => Digest::MD5.base64digest(plaintext_upload_bytes),
+      "x-goog-encryption-algorithm" => "AES256",
+      "x-goog-encryption-key" => Base64.strict_encode64(encryption_key[@gcs_key_length_range]),
+      "x-goog-encryption-key-sha256" => Digest::SHA256.base64digest(encryption_key[@gcs_key_length_range])
+    }
+
+    headers = @service.headers_for_direct_upload(key,
+      encryption_key:,
+      content_type: "binary/octet-stream",
+      content_length: plaintext_upload_bytes.bytesize,
+      checksum: Digest::MD5.base64digest(plaintext_upload_bytes))
+
+    assert_equal should_be_headers.sort, headers.sort
+
+    res = Net::HTTP.put(URI(url), plaintext_upload_bytes, headers)
+    assert_equal "200", res.code
+
+    assert_equal plaintext_upload_bytes, @service.download(key, encryption_key:)
+
+    @service.delete(key)
+    refute @service.exist?(key)
+  end
+end

data/test/lib/encrypted_s3_service_test.rb

@@ -235,7 +235,10 @@ class ActiveStorageEncryption::EncryptedS3ServiceTest < ActiveSupport::TestCase
   # Read the objects from something slow, so that threads may switch between one another
   class SnoozyStringIO < StringIO
     def read(n = nil, outbuf = nil)
-      sleep(rand((0.1..0.2)))
+      sleep_from = 0.1
+      sleep_to = 0.2
+      delay_s = rand(sleep_from..sleep_to)
+      sleep(delay_s)
       super
     end
   end