active_storage_encryption 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 850bd7cbc71749f88f1a8e7c4305de38bfbb7c3641ee75864a34ce9f712af65a
-  data.tar.gz: 2ffa5b8c6abc2038395366138eb6f1d43dd4246f3d728e923a440805b7f53838
+  metadata.gz: 6f34184e53ab51b15143acc6fd7bbc2ea0e43a4cc4c0b0d87c065de2631298fb
+  data.tar.gz: 8329f26f7141a0762bb0488995bdf219ff01c00d9b374b4cdecc7af895bded11
 SHA512:
-  metadata.gz: 489bf8dbd01ee254354cf3dbcbedab9743f9f16f5b93c352cb234c8eef4f909c31916eef7187002eac8b0f66d476fd55d44cf31bd8320ea6fa275b36d62cb3b6
-  data.tar.gz: 746b6efed5b2e4819f280f511a1eb66882a257b173c6699b85a10606d1eac0210da92f6020c480e08de5e509a34f4eb7ff50f46c703609e5ed284ecd5cb0f23c
+  metadata.gz: 30d7ba6406ec77a7521cc47ea24b858e0de4502644516c3ea5a54b025e24ffe305b21f4fcf3244f1361c2fbedcc79f8dc8b8ce6a0e0e3558a202e1e21941a295
+  data.tar.gz: 71bf3a1c8ee30daee4bdb43bd8703b2c530e67fb0e68078fc07d208e266d1285c8f390392e6539afaaea839c3fa62e2b2cef46b8a863c4d57409d1ebe399c392

data/active_storage_encryption.gemspec

@@ -35,6 +35,7 @@ Gem::Specification.new do |spec|
   # Testing with cloud services
   spec.add_development_dependency "aws-sdk-s3"
   spec.add_development_dependency "net-http"
+  spec.add_development_dependency "google-cloud-storage"
 
   # Code formatting, linting and testing
   spec.add_development_dependency "sqlite3"
@@ -42,4 +43,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "appraisal"
   spec.add_development_dependency "magic_frozen_string_literal"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "pry"
 end

data/gemfiles/rails_7.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    active_storage_encryption (0.2.2)
+    active_storage_encryption (0.3.0)
       activestorage
       block_cipher_kit (>= 0.0.4)
       rails (>= 7.2.2.1)
@@ -81,6 +81,8 @@ GEM
       minitest (>= 5.1)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     appraisal (2.5.0)
       bundler
       rake
@@ -108,14 +110,63 @@ GEM
     bigdecimal (3.1.9)
     block_cipher_kit (0.0.4)
     builder (3.3.0)
+    coderay (1.1.3)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.0)
     crass (1.0.6)
     date (3.4.1)
+    declarative (0.0.20)
+    digest-crc (0.7.0)
+      rake (>= 12.0.0, < 14.0.0)
     drb (2.2.1)
     erubi (1.13.1)
+    faraday (2.13.0)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    google-apis-core (0.16.0)
+      addressable (~> 2.5, >= 2.5.1)
+      googleauth (~> 1.9)
+      httpclient (>= 2.8.3, < 3.a)
+      mini_mime (~> 1.0)
+      mutex_m
+      representable (~> 3.0)
+      retriable (>= 2.0, < 4.a)
+    google-apis-iamcredentials_v1 (0.22.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-storage_v1 (0.50.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-cloud-core (1.8.0)
+      google-cloud-env (>= 1.0, < 3.a)
+      google-cloud-errors (~> 1.0)
+    google-cloud-env (2.2.2)
+      base64 (~> 0.2)
+      faraday (>= 1.0, < 3.a)
+    google-cloud-errors (1.5.0)
+    google-cloud-storage (1.56.0)
+      addressable (~> 2.8)
+      digest-crc (~> 0.4)
+      google-apis-core (~> 0.13)
+      google-apis-iamcredentials_v1 (~> 0.18)
+      google-apis-storage_v1 (>= 0.42)
+      google-cloud-core (~> 1.6)
+      googleauth (~> 1.9)
+      mini_mime (~> 1.0)
+    google-logging-utils (0.1.0)
+    googleauth (1.14.0)
+      faraday (>= 1.0, < 3.a)
+      google-cloud-env (~> 2.2)
+      google-logging-utils (~> 0.1)
+      jwt (>= 1.4, < 3.0)
+      multi_json (~> 1.11)
+      os (>= 0.9, < 2.0)
+      signet (>= 0.16, < 2.a)
+    httpclient (2.9.0)
+      mutex_m
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     io-console (0.8.0)
@@ -125,6 +176,8 @@ GEM
       reline (>= 0.4.2)
     jmespath (1.6.2)
     json (2.10.1)
+    jwt (2.10.1)
+      base64
     language_server-protocol (3.17.0.4)
     lint_roller (1.1.0)
     logger (1.6.6)
@@ -138,8 +191,11 @@ GEM
       net-pop
       net-smtp
     marcel (1.0.4)
+    method_source (1.1.0)
     mini_mime (1.1.5)
     minitest (5.25.4)
+    multi_json (1.15.0)
+    mutex_m (0.3.0)
     net-http (0.6.0)
       uri
     net-imap (0.5.6)
@@ -158,6 +214,7 @@ GEM
       racc (~> 1.4)
     nokogiri (1.18.3-x86_64-linux-gnu)
       racc (~> 1.4)
+    os (1.1.4)
     parallel (1.26.3)
     parser (3.3.7.1)
       ast (~> 2.4.1)
@@ -165,9 +222,13 @@ GEM
     pp (0.6.2)
       prettyprint
     prettyprint (0.2.0)
+    pry (0.15.2)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
     psych (5.2.3)
       date
       stringio
+    public_suffix (6.0.1)
     racc (1.8.1)
     rack (3.1.11)
     rack-session (2.1.0)
@@ -213,6 +274,11 @@ GEM
     regexp_parser (2.10.0)
     reline (0.6.0)
       io-console (~> 0.5)
+    representable (3.2.0)
+      declarative (< 0.1.0)
+      trailblazer-option (>= 0.1.1, < 0.2.0)
+      uber (< 0.2.0)
+    retriable (3.1.2)
     rubocop (1.71.2)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
@@ -232,6 +298,11 @@ GEM
     securerandom (0.4.1)
     serve_byte_range (1.0.0)
       rack (>= 1.0)
+    signet (0.19.0)
+      addressable (~> 2.8)
+      faraday (>= 0.17.5, < 3.a)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
     sqlite3 (2.6.0-arm64-darwin)
     sqlite3 (2.6.0-x86_64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
@@ -250,8 +321,10 @@ GEM
     stringio (3.1.5)
     thor (1.3.2)
     timeout (0.4.3)
+    trailblazer-option (0.1.2)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
+    uber (0.1.0)
     unicode-display_width (3.1.4)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
@@ -265,6 +338,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-21
+  arm64-darwin-23
   arm64-darwin-24
   x86_64-darwin
   x86_64-linux
@@ -273,8 +347,10 @@ DEPENDENCIES
   active_storage_encryption!
   appraisal
   aws-sdk-s3
+  google-cloud-storage
   magic_frozen_string_literal
   net-http
+  pry
   rails (< 8.0)
   rake
   sqlite3

data/gemfiles/rails_8.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    active_storage_encryption (0.2.2)
+    active_storage_encryption (0.3.0)
       activestorage
       block_cipher_kit (>= 0.0.4)
       rails (>= 7.2.2.1)
@@ -81,6 +81,8 @@ GEM
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     appraisal (2.5.0)
       bundler
       rake
@@ -108,14 +110,63 @@ GEM
     bigdecimal (3.1.9)
     block_cipher_kit (0.0.4)
     builder (3.3.0)
+    coderay (1.1.3)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.0)
     crass (1.0.6)
     date (3.4.1)
+    declarative (0.0.20)
+    digest-crc (0.7.0)
+      rake (>= 12.0.0, < 14.0.0)
     drb (2.2.1)
     erubi (1.13.1)
+    faraday (2.13.0)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    google-apis-core (0.16.0)
+      addressable (~> 2.5, >= 2.5.1)
+      googleauth (~> 1.9)
+      httpclient (>= 2.8.3, < 3.a)
+      mini_mime (~> 1.0)
+      mutex_m
+      representable (~> 3.0)
+      retriable (>= 2.0, < 4.a)
+    google-apis-iamcredentials_v1 (0.22.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-apis-storage_v1 (0.50.0)
+      google-apis-core (>= 0.15.0, < 2.a)
+    google-cloud-core (1.8.0)
+      google-cloud-env (>= 1.0, < 3.a)
+      google-cloud-errors (~> 1.0)
+    google-cloud-env (2.2.2)
+      base64 (~> 0.2)
+      faraday (>= 1.0, < 3.a)
+    google-cloud-errors (1.5.0)
+    google-cloud-storage (1.56.0)
+      addressable (~> 2.8)
+      digest-crc (~> 0.4)
+      google-apis-core (~> 0.13)
+      google-apis-iamcredentials_v1 (~> 0.18)
+      google-apis-storage_v1 (>= 0.42)
+      google-cloud-core (~> 1.6)
+      googleauth (~> 1.9)
+      mini_mime (~> 1.0)
+    google-logging-utils (0.1.0)
+    googleauth (1.14.0)
+      faraday (>= 1.0, < 3.a)
+      google-cloud-env (~> 2.2)
+      google-logging-utils (~> 0.1)
+      jwt (>= 1.4, < 3.0)
+      multi_json (~> 1.11)
+      os (>= 0.9, < 2.0)
+      signet (>= 0.16, < 2.a)
+    httpclient (2.9.0)
+      mutex_m
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     io-console (0.8.0)
@@ -125,6 +176,8 @@ GEM
       reline (>= 0.4.2)
     jmespath (1.6.2)
     json (2.10.1)
+    jwt (2.10.1)
+      base64
     language_server-protocol (3.17.0.4)
     lint_roller (1.1.0)
     logger (1.6.6)
@@ -138,8 +191,11 @@ GEM
       net-pop
       net-smtp
     marcel (1.0.4)
+    method_source (1.1.0)
     mini_mime (1.1.5)
     minitest (5.25.4)
+    multi_json (1.15.0)
+    mutex_m (0.3.0)
     net-http (0.6.0)
       uri
     net-imap (0.5.6)
@@ -158,6 +214,7 @@ GEM
       racc (~> 1.4)
     nokogiri (1.18.3-x86_64-linux-gnu)
       racc (~> 1.4)
+    os (1.1.4)
     parallel (1.26.3)
     parser (3.3.7.1)
       ast (~> 2.4.1)
@@ -165,9 +222,13 @@ GEM
     pp (0.6.2)
       prettyprint
     prettyprint (0.2.0)
+    pry (0.15.2)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
     psych (5.2.3)
       date
       stringio
+    public_suffix (6.0.1)
     racc (1.8.1)
     rack (3.1.11)
     rack-session (2.1.0)
@@ -213,6 +274,11 @@ GEM
     regexp_parser (2.10.0)
     reline (0.6.0)
       io-console (~> 0.5)
+    representable (3.2.0)
+      declarative (< 0.1.0)
+      trailblazer-option (>= 0.1.1, < 0.2.0)
+      uber (< 0.2.0)
+    retriable (3.1.2)
     rubocop (1.71.2)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
@@ -232,6 +298,11 @@ GEM
     securerandom (0.4.1)
     serve_byte_range (1.0.0)
       rack (>= 1.0)
+    signet (0.19.0)
+      addressable (~> 2.8)
+      faraday (>= 0.17.5, < 3.a)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
     sqlite3 (2.6.0-arm64-darwin)
     sqlite3 (2.6.0-x86_64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
@@ -250,8 +321,10 @@ GEM
     stringio (3.1.5)
     thor (1.3.2)
     timeout (0.4.3)
+    trailblazer-option (0.1.2)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
+    uber (0.1.0)
     unicode-display_width (3.1.4)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
@@ -265,6 +338,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-21
+  arm64-darwin-23
   arm64-darwin-24
   x86_64-darwin
   x86_64-linux
@@ -273,8 +347,10 @@ DEPENDENCIES
   active_storage_encryption!
   appraisal
   aws-sdk-s3
+  google-cloud-storage
   magic_frozen_string_literal
   net-http
+  pry
   rails (>= 8.0)
   rake
   sqlite3

data/lib/active_storage/service/encrypted_gcs_service.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+# Needed so that Rails can find our service definition. It will perform the following
+# steps. Given an "EncryptedDisk" value of the `service:` key in the YAML, it will:
+#
+# * Force-require a file at "active_storage/service/encrypted_disk", from any path on the $LOAD_PATH
+# * Instantiate a class called "ActiveStorage::Service::EncryptedDiskService"
+require_relative "../../active_storage_encryption"
+class ActiveStorage::Service::EncryptedGCSService < ActiveStorageEncryption::EncryptedGCSService
+end

data/lib/active_storage_encryption/encrypted_blob_proxy_controller.rb

@@ -105,7 +105,7 @@ class ActiveStorageEncryption::EncryptedBlobProxyController < ActionController::
     blob_etag = key.inspect # Strong ETags must be quoted
     status, headers, ranges_body = ServeByteRange.serve_ranges(request.env,
       resource_size: blob_byte_size,
-      etag: blob_etag, # TODO
+      etag: blob_etag,
       resource_content_type: type,
       &streaming_proc)
 

data/lib/active_storage_encryption/encrypted_gcs_service.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+require "active_storage/service/gcs_service"
+require "google/cloud/storage/service"
+
+class ActiveStorageEncryption::EncryptedGCSService < ActiveStorage::Service::GCSService
+  include ActiveStorageEncryption::PrivateUrlPolicy
+  GCS_ENCRYPTION_KEY_LENGTH_BYTES = 32 # google wants to get a 32 byte key
+
+  def encrypted? = true
+
+  def public? = false
+
+  def service_name
+    # ActiveStorage::Service::DiskService => Disk
+    # Overridden because in Rails 8 this is "self.class.name.split("::").third.remove("Service")"
+    self.class.name.split("::").last.remove("Service")
+  end
+
+  def upload(key, io, encryption_key: nil, checksum: nil, content_type: nil, disposition: nil, filename: nil, custom_metadata: {})
+    instrument :upload, key: key, checksum: checksum do
+      # GCS's signed URLs don't include params such as response-content-type response-content_disposition
+      # in the signature, which means an attacker can modify them and bypass our effort to force these to
+      # binary and attachment when the file's content type requires it. The only way to force them is to
+      # store them as object's metadata.
+      content_disposition = content_disposition_with(type: disposition, filename: filename) if disposition && filename
+      bucket.create_file(io, key, md5: checksum, cache_control: @config[:cache_control], content_type: content_type, content_disposition: content_disposition, metadata: custom_metadata, encryption_key: derive_service_encryption_key(encryption_key))
+    rescue Google::Cloud::InvalidArgumentError => e
+      raise ActiveStorage::IntegrityError, e
+    end
+  end
+
+  def url_for_direct_upload(key, expires_in:, checksum:, encryption_key:, content_type: nil, custom_metadata: {}, filename: nil, **)
+    instrument :url, key: key do |payload|
+      headers = headers_for_direct_upload(key, checksum:, encryption_key:, content_type:, filename:, custom_metadata:)
+
+      version = :v4
+
+      args = {
+        content_md5: checksum,
+        expires: expires_in,
+        headers: headers,
+        method: "PUT",
+        version: version
+      }
+
+      if @config[:iam]
+        args[:issuer] = issuer
+        args[:signer] = signer
+      end
+
+      generated_url = bucket.signed_url(key, **args)
+
+      payload[:url] = generated_url
+
+      generated_url
+    end
+  end
+
+  def headers_for_direct_upload(key, checksum:, encryption_key:, filename: nil, disposition: nil, content_type: nil, custom_metadata: {}, **)
+    headers = {
+      "Content-Type" => content_type,
+      "Content-MD5" => checksum, # Not strictly required, but it ensures the file bytes we upload match what we want. This way google will error when we upload garbage.
+      **gcs_encryption_key_headers(derive_service_encryption_key(encryption_key)),
+      **custom_metadata_headers(custom_metadata)
+    }
+    headers["Content-Disposition"] = content_disposition_with(type: disposition, filename: filename) if filename
+
+    if @config[:cache_control].present?
+      headers["Cache-Control"] = @config[:cache_control]
+    end
+    headers
+  end
+
+  def download(key, encryption_key: nil, &block)
+    if block_given?
+      instrument :streaming_download, key: key do
+        stream(key, encryption_key: encryption_key, &block)
+      end
+    else
+      instrument :download, key: key do
+        file_for(key).download(encryption_key: derive_service_encryption_key(encryption_key)).string
+      rescue Google::Cloud::NotFoundError => e
+        raise ActiveStorage::FileNotFoundError, e
+      end
+    end
+  end
+
+  def download_chunk(key, range, encryption_key: nil)
+    instrument :download_chunk, key: key, range: range do
+      file_for(key).download(range: range, encryption_key: derive_service_encryption_key(encryption_key)).string
+    rescue Google::Cloud::NotFoundError => e
+      raise ActiveStorage::FileNotFoundError, e
+    end
+  end
+
+  # Reads the file for the given key in chunks, yielding each to the block.
+  def stream(key, encryption_key: nil)
+    file = file_for(key, skip_lookup: false)
+
+    chunk_size = 5.megabytes
+    offset = 0
+
+    raise ActiveStorage::FileNotFoundError unless file.present?
+
+    while offset < file.size
+      yield file.download(range: offset..(offset + chunk_size - 1), encryption_key: derive_service_encryption_key(encryption_key)).string
+      offset += chunk_size
+    end
+  end
+
+  def compose(source_keys, destination_key, encryption_key:, filename: nil, content_type: nil, disposition: nil, custom_metadata: {})
+    # Because we will always have a different encryption_key on a blob when created and google requires us to have the same encryption_keys on all source blobs
+    # we need to work this out a bit more. For now we don't need this and thus won't support it in this service.
+    raise NotImplementedError, "Currently composing files is not supported"
+  end
+
+  private
+
+  def private_url(key, expires_in:, filename:, content_type:, disposition:, encryption_key:, **remaining_options_for_streaming_url)
+    if private_url_policy == :require_headers
+      args = {
+        expires: expires_in,
+        query: {
+          "response-content-disposition" => content_disposition_with(type: disposition, filename: filename),
+          "response-content-type" => content_type
+        },
+        headers: gcs_encryption_key_headers(derive_service_encryption_key(encryption_key))
+      }
+
+      if @config[:iam]
+        args[:issuer] = issuer
+        args[:signer] = signer
+      end
+
+      file_for(key).signed_url(**args, version: :v4)
+    else
+      private_url_for_streaming_via_controller(key, expires_in:, filename:, content_type:, disposition:, encryption_key:, **remaining_options_for_streaming_url)
+    end
+  end
+
+  def public_url(key, filename:, encryption_key:, content_type: nil, disposition: :inline, **)
+    raise "Public URL's are disabled for this service"
+  end
+
+  def gcs_encryption_key_headers(key)
+    {
+      "x-goog-encryption-algorithm" => "AES256",
+      "x-goog-encryption-key" => Base64.strict_encode64(key),
+      "x-goog-encryption-key-sha256" => Digest::SHA256.base64digest(key)
+    }
+  end
+
+  def derive_service_encryption_key(blob_encryption_key)
+    raise ArgumentError, "The blob encryption_key must be at least #{GCS_ENCRYPTION_KEY_LENGTH_BYTES} bytes long" unless blob_encryption_key.bytesize >= GCS_ENCRYPTION_KEY_LENGTH_BYTES
+    blob_encryption_key[0...GCS_ENCRYPTION_KEY_LENGTH_BYTES]
+  end
+end

data/lib/active_storage_encryption/overrides.rb

@@ -2,6 +2,9 @@
 
 module ActiveStorageEncryption
   module Overrides
+    class EncryptionKeyMissingError < StandardError
+    end
+
     module EncryptedBlobClassMethods
       def self.included base
         base.class_eval do
@@ -54,7 +57,7 @@ module ActiveStorageEncryption
               content_type ||= blobs.pluck(:content_type).compact.first
 
               new(key: key, filename: filename, content_type: content_type, metadata: metadata, byte_size: blobs.sum(&:byte_size), service_name:, encryption_key:).tap do |combined_blob|
-                combined_blob.compose(blobs.pluck(:key))
+                combined_blob.compose(blobs.pluck(:key), source_encryption_keys: blobs.pluck(:encryption_key))
                 combined_blob.save!
               end
             end
@@ -70,7 +73,8 @@ module ActiveStorageEncryption
 
       def service_url_for_direct_upload(expires_in: ActiveStorage.service_urls_expire_in)
         if service_encrypted?
-          raise "No encryption key present" unless encryption_key
+          ensure_encryption_key_set!
+
           service.url_for_direct_upload(key, expires_in: expires_in, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata, encryption_key: encryption_key)
         else
           super
@@ -78,6 +82,8 @@ module ActiveStorageEncryption
       end
 
       def open(tmpdir: nil, &block)
+        ensure_encryption_key_set! if service_encrypted?
+
         service.open(
           key,
           encryption_key: encryption_key,
@@ -91,6 +97,8 @@ module ActiveStorageEncryption
 
       def service_headers_for_direct_upload
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.headers_for_direct_upload(key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum, custom_metadata: custom_metadata, encryption_key: encryption_key)
         else
           super
@@ -99,6 +107,8 @@ module ActiveStorageEncryption
 
       def upload_without_unfurling(io)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.upload(key, io, checksum: checksum, encryption_key: encryption_key, **service_metadata)
         else
           super
@@ -109,6 +119,8 @@ module ActiveStorageEncryption
       # That'll use a lot of RAM for very large files. If a block is given, then the download is streamed and yielded in chunks.
       def download(&block)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.download(key, encryption_key: encryption_key, &block)
         else
           super
@@ -117,23 +129,29 @@ module ActiveStorageEncryption
 
       def download_chunk(range)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.download_chunk(key, range, encryption_key: encryption_key)
         else
           super
         end
       end
 
-      def compose(keys)
+      def compose(keys, source_encryption_keys: [])
         if service_encrypted?
+          ensure_encryption_key_set!
+
           self.composed = true
-          service.compose(keys, key, encryption_key: encryption_key, **service_metadata)
+          service.compose(keys, key, encryption_key: encryption_key, source_encryption_keys: source_encryption_keys, **service_metadata)
         else
-          super
+          super(keys)
         end
       end
 
       def url(expires_in: ActiveStorage.service_urls_expire_in, disposition: :inline, filename: nil, **options)
         if service_encrypted?
+          ensure_encryption_key_set!
+
           service.url(
             key, expires_in: expires_in, filename: ActiveStorage::Filename.wrap(filename || self.filename),
             encryption_key: encryption_key,
@@ -156,6 +174,12 @@ module ActiveStorageEncryption
         end
         super
       end
+
+      private
+
+      def ensure_encryption_key_set!
+        raise EncryptionKeyMissingError, "Encryption key must be present" unless encryption_key.present?
+      end
     end
 
     module BlobIdentifiableInstanceMethods
@@ -178,6 +202,8 @@ module ActiveStorageEncryption
 
     module DownloaderInstanceMethods
       def open(key, encryption_key: nil, checksum: nil, verify: true, name: "ActiveStorage-", tmpdir: nil, &blk)
+        raise EncryptionKeyMissingError, "An encryption key must be supplied when using an encrypted service" if !encryption_key && service.respond_to?(:encrypted?) && service.encrypted?
+
         open_tempfile(name, tmpdir) do |file|
           download(key, file, encryption_key: encryption_key)
           verify_integrity_of(file, checksum: checksum) if verify
@@ -189,6 +215,8 @@ module ActiveStorageEncryption
 
       def download(key, file, encryption_key: nil)
         if service.respond_to?(:encrypted?) && service.encrypted?
+          raise "An encryption key must be supplied when using an encrypted service" unless encryption_key
+
           file.binmode
           service.download(key, encryption_key: encryption_key) { |chunk| file.write(chunk) }
           file.flush

data/lib/active_storage_encryption/private_url_policy.rb

@@ -18,7 +18,7 @@ module ActiveStorageEncryption::PrivateUrlPolicy
     @private_url_policy
   end
 
-  def private_url_for_streaming_via_controller(key, blob_byte_size:, expires_in:, filename:, content_type:, disposition:, encryption_key:)
+  def private_url_for_streaming_via_controller(key, expires_in:, filename:, content_type:, disposition:, encryption_key:, blob_byte_size:)
     if private_url_policy == :disable
       raise ActiveStorageEncryption::StreamingDisabled, <<~EOS
         Requested a signed GET URL for #{key.inspect} on service #{name}. This service

data/lib/active_storage_encryption/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActiveStorageEncryption
-  VERSION = "0.2.2"
+  VERSION = "0.3.0"
 end