RubyGems - aws-sdk-resources - Versions diffs - 2.1.8 → 2.1.9 - Mend

aws-sdk-resources 2.1.8 → 2.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a2cca81f17c1740c1dba2ccf904b439999dc6f73
-  data.tar.gz: 39b85f20fc0ca3e1bb74bb131a5e7824f29d0b3d
+  metadata.gz: f766ecda91727cde733f041b28aac6a40f7a52bd
+  data.tar.gz: 3686c5198e513ff7161b9dd81c9b6fd62b49479f
 SHA512:
-  metadata.gz: cd3c1b4b6c3efa37be65e615d6f5cb486a91dcbc95ada6400fa4931b1aab1caa98982e26ceae48434da434e14641ac8c053247e7721b7425842ffbd9b4efcd1d
-  data.tar.gz: e2b5472781093b043a3b15a73991a41f666e02ef2a52642989944ccf4281a1e93f8c1ece682a996a96d8032fb37f79de99a84639953559505a492f3567165069
+  metadata.gz: 0382c58d6ac0af454eb4a85ca4829ff9c2c6d319b564dee88d8fc3f3c86512a005cbf4910aeabf9b3b07fbd88b433de20aa69ac247f77a8e50b58841c28ccdb9
+  data.tar.gz: 416e650362af08992aa5e51bcb76b4bee40d7fb220c41c4aa1e4c86aa7fe43d925aba829dd7de7d316ef1ccd05167300cc5cc9236aa3e6ee9f0dad3538c90c86

data/lib/aws-sdk-resources/services/s3/encryption.rb CHANGED

@@ -4,12 +4,14 @@ module Aws
       autoload :Client, 'aws-sdk-resources/services/s3/encryption/client'
       autoload :DecryptHandler, 'aws-sdk-resources/services/s3/encryption/decrypt_handler'
+      autoload :DefaultCipherProvider, 'aws-sdk-resources/services/s3/encryption/default_cipher_provider'
       autoload :DefaultKeyProvider, 'aws-sdk-resources/services/s3/encryption/default_key_provider'
       autoload :EncryptHandler, 'aws-sdk-resources/services/s3/encryption/encrypt_handler'
       autoload :Errors, 'aws-sdk-resources/services/s3/encryption/errors'
       autoload :IOEncrypter, 'aws-sdk-resources/services/s3/encryption/io_encrypter'
       autoload :IODecrypter, 'aws-sdk-resources/services/s3/encryption/io_decrypter'
       autoload :KeyProvider, 'aws-sdk-resources/services/s3/encryption/key_provider'
+      autoload :KmsCipherProvider, 'aws-sdk-resources/services/s3/encryption/kms_cipher_provider'
       autoload :Materials, 'aws-sdk-resources/services/s3/encryption/materials'
       autoload :Utils, 'aws-sdk-resources/services/s3/encryption/utils'

data/lib/aws-sdk-resources/services/s3/encryption/client.rb CHANGED

@@ -53,17 +53,42 @@ module Aws
     #
     # ## Keys
     #
-    # For client-side encryption to work, you must provide an encryption key:
+    # For client-side encryption to work, you must provide one of the following:
+    #
+    # * An encryption key
+    # * A {KeyProvider}
+    # * A KMS encryption key id
+    #
+    # ### An Encryption Key
+    #
+    # You can pass a single encryption key. This is used as a master key
+    # encrypting and decrypting all object keys.
     #
     #     key = OpenSSL::Cipher.new("AES-256-ECB").random_key # symmetric key
     #     key = OpenSSL::PKey::RSA.new(1024) # asymmetric key pair
     #
     #     s3 = Aws::S3::Encryption::Client.new(encryption_key: key)
     #
+    # ### Key Provider
+    #
     # Alternatively, you can use a {KeyProvider}. A key provider makes
     # it easy to work with multiple keys and simplifies key rotation.
     #
-    # ### Key Provider
+    # ### KMS Encryption Key Id
+    #
+    # If you pass the id to an AWS Key Management Service (KMS) key,
+    # then KMS will be used to generate, encrypt and decrypt object keys.
+    #
+    #     # keep track of the kms key id
+    #     kms = Aws::KMS::Client.new
+    #     key_id = kms.create_key.key_metadata.key_id
+    #
+    #     Aws::S3::Encryption::Client.new(
+    #       kms_key_id: key_id,
+    #       kms_client: kms,
+    #     )
+    #
+    # ## Custom Key Providers
     #
     # A {KeyProvider} is any object that responds to:
     #
@@ -150,14 +175,16 @@ module Aws
     # issuing concurrent PUT and GET requests to an encrypted object.**
     #
     module Encryption
       class Client
+        extend Deprecations
         # Creates a new encryption client. You must provide on of the following
         # options:
         #
-        # * `:key_provider`
         # * `:encryption_key`
+        # * `:kms_key_id`
+        # * `:key_provider`
         #
         # You may also pass any other options accepted by {S3::Client#initialize}.
         #
@@ -165,13 +192,19 @@ module Aws
         #   to make api calls. If a `:client` is not provided, a new {S3::Client}
         #   will be constructed.
         #
+        # @option options [OpenSSL::PKey::RSA, String] :encryption_key The master
+        #   key to use for encrypting/decrypting all objects.
+        #
+        # @option options [String] :kms_key_id When you provide a `:kms_key_id`,
+        #   then AWS Key Management Service (KMS) will be used to manage the
+        #   object encryption keys. By default a {KMS::Client} will be
+        #   constructed for KMS API calls. Alternatively, you can provide
+        #   your own via `:kms_client`.
+        #
         # @option options [#key_for] :key_provider Any object that responds
         #   to `#key_for`. This method should accept a materials description
         #   JSON document string and return return an encryption key.
         #
-        # @option options [OpenSSL::PKey::RSA, String] :encryption_key The master
-        #   key to use for encrypting/decrypting all objects.
-        #
         # @option options [Symbol] :envelope_location (:metadata) Where to
         #   store the envelope encryption keys. By default, the envelope is
         #   stored with the encrypted object. If you pass `:instruction_file`,
@@ -181,9 +214,12 @@ module Aws
         #   When `:envelope_location` is `:instruction_file` then the
         #   instruction file uses the object key with this suffix appended.
         #
+        # @option options [KMS::Client] :kms_client A default {KMS::Client}
+        #   is constructed when using KMS to manage encryption keys.
+        #
         def initialize(options = {})
           @client = extract_client(options)
-          @key_provider = extract_key_provider(options)
+          @cipher_provider = cipher_provider(options)
           @envelope_location = extract_location(options)
           @instruction_file_suffix = extract_suffix(options)
         end
@@ -191,7 +227,8 @@ module Aws
         # @return [S3::Client]
         attr_reader :client
-        # @return [KeyProvider]
+        # @return [KeyProvider, nil] Returns `nil` if you are using
+        #   AWS Key Management Service (KMS).
         attr_reader :key_provider
         # @return [Symbol<:metadata, :instruction_file>]
@@ -212,7 +249,7 @@ module Aws
           req = @client.build_request(:put_object, params)
           req.handlers.add(EncryptHandler, priority: 95)
           req.context[:encryption] = {
-            materials: @key_provider.encryption_materials,
+            cipher_provider: @cipher_provider,
             envelope_location: @envelope_location,
             instruction_file_suffix: @instruction_file_suffix,
           }
@@ -240,7 +277,7 @@ module Aws
           req = @client.build_request(:get_object, params)
           req.handlers.add(DecryptHandler)
           req.context[:encryption] = {
-            key_provider: @key_provider,
+            cipher_provider: @cipher_provider,
             envelope_location: envelope_location,
             instruction_file_suffix: instruction_file_suffix,
           }
@@ -252,6 +289,8 @@ module Aws
         def extract_client(options)
           options[:client] || begin
             options = options.dup
+            options.delete(:kms_key_id)
+            options.delete(:kms_client)
             options.delete(:key_provider)
             options.delete(:encryption_key)
             options.delete(:envelope_location)
@@ -260,13 +299,25 @@ module Aws
           end
         end
-        def envelope_options(params)
-          location = params.delete(:envelope_location) || @envelope_location
-          suffix = params.delete(:instruction_file_suffix)
-          if suffix
-            [:instruction_file, suffix]
+        def kms_client(options)
+          options[:kms_client] || begin
+            KMS::Client.new(
+              region: @client.config.region,
+              credentials: @client.config.credentials,
+            )
+          end
+        end
+        def cipher_provider(options)
+          if options[:kms_key_id]
+            KmsCipherProvider.new(
+              kms_key_id: options[:kms_key_id],
+              kms_client: kms_client(options),
+            )
           else
-            [location, @instruction_file_suffix]
+            # kept here for backwards compatability, {#key_provider} is deprecated
+            @key_provider = extract_key_provider(options)
+            DefaultCipherProvider.new(key_provider: @key_provider)
           end
         end
@@ -276,11 +327,21 @@ module Aws
           elsif options[:encryption_key]
             DefaultKeyProvider.new(options)
           else
-            msg = "you must pass a :key_provider or :encryption_key"
+            msg = "you must pass a :kms_key_id, :key_provider, or :encryption_key"
             raise ArgumentError, msg
           end
         end
+        def envelope_options(params)
+          location = params.delete(:envelope_location) || @envelope_location
+          suffix = params.delete(:instruction_file_suffix)
+          if suffix
+            [:instruction_file, suffix]
+          else
+            [location, @instruction_file_suffix]
+          end
+        end
         def extract_location(options)
           location = options[:envelope_location] || :metadata
           if [:metadata, :instruction_file].include?(location)

data/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb CHANGED

@@ -6,6 +6,22 @@ module Aws
       # @api private
       class DecryptHandler < Seahorse::Client::Handler
+        V1_ENVELOPE_KEYS = %w(
+          x-amz-key
+          x-amz-iv
+          x-amz-matdesc
+        )
+        V2_ENVELOPE_KEYS = %w(
+          x-amz-key-v2
+          x-amz-iv
+          x-amz-cek-alg
+          x-amz-wrap-alg
+          x-amz-matdesc
+        )
+        POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS).uniq
         def call(context)
           attach_http_event_listeners(context)
           @handler.call(context)
@@ -36,11 +52,7 @@ module Aws
         def decryption_cipher(context)
           if envelope = get_encryption_envelope(context)
-            key_provider = context[:encryption][:key_provider]
-            key = key_provider.key_for(envelope['x-amz-matdesc'])
-            envelope_key = Utils.decrypt(key, decode64(envelope['x-amz-key']))
-            envelope_iv = decode64(envelope['x-amz-iv'])
-            Utils.aes_decryption_cipher(:CBC, envelope_key, envelope_iv)
+            context[:encryption][:cipher_provider].decryption_cipher(envelope)
           else
             raise Errors::DecryptionError, "unable to locate encyrption envelope"
           end
@@ -55,27 +67,61 @@ module Aws
         end
         def envelope_from_metadata(context)
-          keys = %w(x-amz-key x-amz-iv x-amz-matdesc)
-          envelope = keys.each.with_object({}) do |key, hash|
-            if value = context.http_response.headers["x-amz-meta-#{key}"]
-              hash[key] = value
+          possible_envelope = {}
+          POSSIBLE_ENVELOPE_KEYS.each do |suffix|
+            if value = context.http_response.headers["x-amz-meta-#{suffix}"]
+              possible_envelope[suffix] = value
             end
           end
-          envelope.keys == keys ? envelope : nil
+          extract_envelope(possible_envelope)
         end
         def envelope_from_instr_file(context)
           suffix = context[:encryption][:instruction_file_suffix]
-          Json.load(context.client.get_object(
+          possible_envelope = Json.load(context.client.get_object(
             bucket: context.params[:bucket],
             key: context.params[:key] + suffix
           ).body.read)
+          extract_envelope(possible_envelope)
         rescue S3::Errors::ServiceError, Json::ParseError
           nil
         end
-        def decode64(str)
-          Base64.decode64(str)
+        def extract_envelope(hash)
+          return v1_envelope(hash) if hash.key?('x-amz-key')
+          return v2_envelope(hash) if hash.key?('x-amz-key-v2')
+          if hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) }
+            msg = "unsupported envelope encryption version #{$1}"
+            raise Errors::DecryptionError, msg
+          else
+            nil # no envelope found
+          end
+        end
+        def v1_envelope(envelope)
+          envelope
+        end
+        def v2_envelope(envelope)
+          unless envelope['x-amz-cek-alg'] == 'AES/CBC/PKCS5Padding'
+            alg = envelope['x-amz-cek-alg'].inspect
+            msg = "unsupported content encrypting key (cek) format: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless envelope['x-amz-wrap-alg'] == 'kms'
+            # possible to support
+            #   RSA/ECB/OAEPWithSHA-256AndMGF1Padding
+            alg = envelope['x-amz-wrap-alg'].inspect
+            msg = "unsupported key wrapping algorithm: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless V2_ENVELOPE_KEYS.sort == envelope.keys.sort
+            msg = "incomplete v2 encryption envelope:\n"
+            msg += "  expected: #{V2_ENVELOPE_KEYS.join(',')}\n"
+            msg += "  got: #{envelope_keys.join(', ')}"
+            raise Errors::DecryptionError, msg
+          end
+          envelope
         end
       end

data/lib/aws-sdk-resources/services/s3/encryption/default_cipher_provider.rb ADDED

@@ -0,0 +1,63 @@
+require 'base64'
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class DefaultCipherProvider
+        def initialize(options = {})
+          @key_provider = options[:key_provider]
+        end
+        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher
+          cipher = Utils.aes_encryption_cipher(:CBC)
+          envelope = {
+            'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
+            'x-amz-iv' => encode64(envelope_iv(cipher)),
+            'x-amz-matdesc' => materials_description,
+          }
+          [envelope, cipher]
+        end
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope)
+          master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
+          key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
+          iv = decode64(envelope['x-amz-iv'])
+          Utils.aes_decryption_cipher(:CBC, key, iv)
+        end
+        private
+        def envelope_key(cipher)
+          cipher.key = cipher.random_key
+        end
+        def envelope_iv(cipher)
+          cipher.iv = cipher.random_iv
+        end
+        def encrypt(data)
+          Utils.encrypt(@key_provider.encryption_materials.key, data)
+        end
+        def materials_description
+          @key_provider.encryption_materials.description
+        end
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ""
+        end
+        def decode64(str)
+          Base64.decode64(str)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-resources/services/s3/encryption/encrypt_handler.rb CHANGED

@@ -7,21 +7,16 @@ module Aws
       class EncryptHandler < Seahorse::Client::Handler
         def call(context)
-          cipher = Utils.aes_encryption_cipher(:CBC)
-          context[:encryption][:cipher] = cipher
-          envelope = {
-            'x-amz-key' => encode64(encrypt(context, envelope_key(cipher))),
-            'x-amz-iv' => encode64(envelope_iv(cipher)),
-            'x-amz-matdesc' => context[:encryption][:materials].description,
-          }
-          apply_encryption_envelope(context, envelope)
+          envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
+          apply_encryption_envelope(context, envelope, cipher)
           apply_encryption_cipher(context, cipher)
           @handler.call(context)
         end
         private
-        def apply_encryption_envelope(context, envelope)
+        def apply_encryption_envelope(context, envelope, cipher)
+          context[:encryption][:cipher] = cipher
           if context[:encryption][:envelope_location] == :metadata
             context.params[:metadata] ||= {}
             context.params[:metadata].update(envelope)
@@ -49,22 +44,6 @@ module Aws
           end
         end
-        def envelope_key(cipher)
-          cipher.key = cipher.random_key
-        end
-        def envelope_iv(cipher)
-          cipher.iv = cipher.random_iv
-        end
-        def encode64(str)
-          Base64.encode64(str).split("\n") * ""
-        end
-        def encrypt(context, data)
-          Utils.encrypt(context[:encryption][:materials].key, data)
-        end
       end
     end
   end

data/lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb ADDED

@@ -0,0 +1,60 @@
+require 'base64'
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class KmsCipherProvider
+        def initialize(options = {})
+          @kms_key_id = options[:kms_key_id]
+          @kms_client = options[:kms_client]
+        end
+        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher
+          encryption_context = { "kms_cmk_id" => @kms_key_id }
+          key_data = @kms_client.generate_data_key(
+            key_id: @kms_key_id,
+            encryption_context: encryption_context,
+            key_spec: 'AES_256',
+          )
+          cipher = Utils.aes_encryption_cipher(:CBC)
+          cipher.key = key_data.plaintext
+          envelope = {
+            'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
+            'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),
+            'x-amz-cek-alg' => 'AES/CBC/PKCS5Padding',
+            'x-amz-wrap-alg' => 'kms',
+            'x-amz-matdesc' => Json.dump(encryption_context)
+          }
+          [envelope, cipher]
+        end
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope)
+          encryption_context = Json.load(envelope['x-amz-matdesc'])
+          key = @kms_client.decrypt(
+            ciphertext_blob: decode64(envelope['x-amz-key-v2']),
+            encryption_context: encryption_context,
+          ).plaintext
+          iv = decode64(envelope['x-amz-iv'])
+          Utils.aes_decryption_cipher(:CBC, key, iv)
+        end
+        private
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ""
+        end
+        def decode64(str)
+          Base64.decode64(str)
+        end
+      end
+    end
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-resources
 version: !ruby/object:Gem::Version
-  version: 2.1.8
+  version: 2.1.9
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-07-23 00:00:00.000000000 Z
+date: 2015-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.8
+        version: 2.1.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.8
+        version: 2.1.9
 description: Provides resource oriented interfaces and other higher-level abstractions
   for many AWS services. This gem is part of the official AWS SDK for Ruby.
 email:
@@ -61,12 +61,14 @@ files:
 - lib/aws-sdk-resources/services/s3/encryption.rb
 - lib/aws-sdk-resources/services/s3/encryption/client.rb
 - lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb
+- lib/aws-sdk-resources/services/s3/encryption/default_cipher_provider.rb
 - lib/aws-sdk-resources/services/s3/encryption/default_key_provider.rb
 - lib/aws-sdk-resources/services/s3/encryption/encrypt_handler.rb
 - lib/aws-sdk-resources/services/s3/encryption/errors.rb
 - lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb
 - lib/aws-sdk-resources/services/s3/encryption/io_encrypter.rb
 - lib/aws-sdk-resources/services/s3/encryption/key_provider.rb
+- lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
 - lib/aws-sdk-resources/services/s3/encryption/materials.rb
 - lib/aws-sdk-resources/services/s3/encryption/utils.rb
 - lib/aws-sdk-resources/services/s3/file_part.rb