RubyGems - aws-sdk-resources - Versions diffs - 2.1.8 → 2.1.9 - Mend

aws-sdk-resources 2.1.8 → 2.1.9

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a2cca81f17c1740c1dba2ccf904b439999dc6f73
-  data.tar.gz: 39b85f20fc0ca3e1bb74bb131a5e7824f29d0b3d
+  metadata.gz: f766ecda91727cde733f041b28aac6a40f7a52bd
+  data.tar.gz: 3686c5198e513ff7161b9dd81c9b6fd62b49479f
 SHA512:
-  metadata.gz: cd3c1b4b6c3efa37be65e615d6f5cb486a91dcbc95ada6400fa4931b1aab1caa98982e26ceae48434da434e14641ac8c053247e7721b7425842ffbd9b4efcd1d
-  data.tar.gz: e2b5472781093b043a3b15a73991a41f666e02ef2a52642989944ccf4281a1e93f8c1ece682a996a96d8032fb37f79de99a84639953559505a492f3567165069
+  metadata.gz: 0382c58d6ac0af454eb4a85ca4829ff9c2c6d319b564dee88d8fc3f3c86512a005cbf4910aeabf9b3b07fbd88b433de20aa69ac247f77a8e50b58841c28ccdb9
+  data.tar.gz: 416e650362af08992aa5e51bcb76b4bee40d7fb220c41c4aa1e4c86aa7fe43d925aba829dd7de7d316ef1ccd05167300cc5cc9236aa3e6ee9f0dad3538c90c86

data/lib/aws-sdk-resources/services/s3/encryption.rb CHANGED

@@ -4,12 +4,14 @@ module Aws
       autoload :Client, 'aws-sdk-resources/services/s3/encryption/client'
       autoload :DecryptHandler, 'aws-sdk-resources/services/s3/encryption/decrypt_handler'
+      autoload :DefaultCipherProvider, 'aws-sdk-resources/services/s3/encryption/default_cipher_provider'
       autoload :DefaultKeyProvider, 'aws-sdk-resources/services/s3/encryption/default_key_provider'
       autoload :EncryptHandler, 'aws-sdk-resources/services/s3/encryption/encrypt_handler'
       autoload :Errors, 'aws-sdk-resources/services/s3/encryption/errors'
       autoload :IOEncrypter, 'aws-sdk-resources/services/s3/encryption/io_encrypter'
       autoload :IODecrypter, 'aws-sdk-resources/services/s3/encryption/io_decrypter'
       autoload :KeyProvider, 'aws-sdk-resources/services/s3/encryption/key_provider'
+      autoload :KmsCipherProvider, 'aws-sdk-resources/services/s3/encryption/kms_cipher_provider'
       autoload :Materials, 'aws-sdk-resources/services/s3/encryption/materials'
       autoload :Utils, 'aws-sdk-resources/services/s3/encryption/utils'

data/lib/aws-sdk-resources/services/s3/encryption/client.rb CHANGED

@@ -53,17 +53,42 @@ module Aws
     #
     # ## Keys
     #
-    # For client-side encryption to work, you must provide an encryption key:
+    # For client-side encryption to work, you must provide one of the following:
+    #
+    # * An encryption key
+    # * A {KeyProvider}
+    # * A KMS encryption key id
+    #
+    # ### An Encryption Key
+    #
+    # You can pass a single encryption key. This is used as a master key
+    # encrypting and decrypting all object keys.
     #
     #     key = OpenSSL::Cipher.new("AES-256-ECB").random_key # symmetric key
     #     key = OpenSSL::PKey::RSA.new(1024) # asymmetric key pair
     #
     #     s3 = Aws::S3::Encryption::Client.new(encryption_key: key)
     #
+    # ### Key Provider
+    #
     # Alternatively, you can use a {KeyProvider}. A key provider makes
     # it easy to work with multiple keys and simplifies key rotation.
     #
-    # ### Key Provider
+    # ### KMS Encryption Key Id
+    #
+    # If you pass the id to an AWS Key Management Service (KMS) key,
+    # then KMS will be used to generate, encrypt and decrypt object keys.
+    #
+    #     # keep track of the kms key id
+    #     kms = Aws::KMS::Client.new
+    #     key_id = kms.create_key.key_metadata.key_id
+    #
+    #     Aws::S3::Encryption::Client.new(
+    #       kms_key_id: key_id,
+    #       kms_client: kms,
+    #     )
+    #
+    # ## Custom Key Providers
     #
     # A {KeyProvider} is any object that responds to:
     #
@@ -150,14 +175,16 @@ module Aws
     # issuing concurrent PUT and GET requests to an encrypted object.**
     #
     module Encryption
       class Client
+        extend Deprecations
         # Creates a new encryption client. You must provide on of the following
         # options:
         #
-        # * `:key_provider`
         # * `:encryption_key`
+        # * `:kms_key_id`
+        # * `:key_provider`
         #
         # You may also pass any other options accepted by {S3::Client#initialize}.
         #
@@ -165,13 +192,19 @@ module Aws
         #   to make api calls. If a `:client` is not provided, a new {S3::Client}
         #   will be constructed.
         #
+        # @option options [OpenSSL::PKey::RSA, String] :encryption_key The master
+        #   key to use for encrypting/decrypting all objects.
+        #
+        # @option options [String] :kms_key_id When you provide a `:kms_key_id`,
+        #   then AWS Key Management Service (KMS) will be used to manage the
+        #   object encryption keys. By default a {KMS::Client} will be
+        #   constructed for KMS API calls. Alternatively, you can provide
+        #   your own via `:kms_client`.
+        #
         # @option options [#key_for] :key_provider Any object that responds
         #   to `#key_for`. This method should accept a materials description
         #   JSON document string and return return an encryption key.
         #
-        # @option options [OpenSSL::PKey::RSA, String] :encryption_key The master
-        #   key to use for encrypting/decrypting all objects.
-        #
         # @option options [Symbol] :envelope_location (:metadata) Where to
         #   store the envelope encryption keys. By default, the envelope is
         #   stored with the encrypted object. If you pass `:instruction_file`,
@@ -181,9 +214,12 @@ module Aws
         #   When `:envelope_location` is `:instruction_file` then the
         #   instruction file uses the object key with this suffix appended.
         #
+        # @option options [KMS::Client] :kms_client A default {KMS::Client}
+        #   is constructed when using KMS to manage encryption keys.
+        #
         def initialize(options = {})
           @client = extract_client(options)
-          @key_provider = extract_key_provider(options)
+          @cipher_provider = cipher_provider(options)
           @envelope_location = extract_location(options)
           @instruction_file_suffix = extract_suffix(options)
         end
@@ -191,7 +227,8 @@ module Aws
         # @return [S3::Client]
         attr_reader :client
-        # @return [KeyProvider]
+        # @return [KeyProvider, nil] Returns `nil` if you are using
+        #   AWS Key Management Service (KMS).
         attr_reader :key_provider
         # @return [Symbol<:metadata, :instruction_file>]
@@ -212,7 +249,7 @@ module Aws
           req = @client.build_request(:put_object, params)
           req.handlers.add(EncryptHandler, priority: 95)
           req.context[:encryption] = {
-            materials: @key_provider.encryption_materials,
+            cipher_provider: @cipher_provider,
             envelope_location: @envelope_location,
             instruction_file_suffix: @instruction_file_suffix,
           }
@@ -240,7 +277,7 @@ module Aws
           req = @client.build_request(:get_object, params)
           req.handlers.add(DecryptHandler)
           req.context[:encryption] = {
-            key_provider: @key_provider,
+            cipher_provider: @cipher_provider,
             envelope_location: envelope_location,
             instruction_file_suffix: instruction_file_suffix,
           }
@@ -252,6 +289,8 @@ module Aws
         def extract_client(options)
           options[:client] || begin
             options = options.dup
+            options.delete(:kms_key_id)
+            options.delete(:kms_client)
             options.delete(:key_provider)
             options.delete(:encryption_key)
             options.delete(:envelope_location)
@@ -260,13 +299,25 @@ module Aws
           end
         end
-        def envelope_options(params)
-          location = params.delete(:envelope_location) || @envelope_location
-          suffix = params.delete(:instruction_file_suffix)
-          if suffix
-            [:instruction_file, suffix]
+        def kms_client(options)
+          options[:kms_client] || begin
+            KMS::Client.new(
+              region: @client.config.region,
+              credentials: @client.config.credentials,
+            )
+          end
+        end
+        def cipher_provider(options)
+          if options[:kms_key_id]
+            KmsCipherProvider.new(
+              kms_key_id: options[:kms_key_id],
+              kms_client: kms_client(options),
+            )
           else
-            [location, @instruction_file_suffix]
+            # kept here for backwards compatability, {#key_provider} is deprecated
+            @key_provider = extract_key_provider(options)
+            DefaultCipherProvider.new(key_provider: @key_provider)
           end
         end
@@ -276,11 +327,21 @@ module Aws
           elsif options[:encryption_key]
             DefaultKeyProvider.new(options)
           else
-            msg = "you must pass a :key_provider or :encryption_key"
+            msg = "you must pass a :kms_key_id, :key_provider, or :encryption_key"
             raise ArgumentError, msg
           end
         end
+        def envelope_options(params)
+          location = params.delete(:envelope_location) || @envelope_location
+          suffix = params.delete(:instruction_file_suffix)
+          if suffix
+            [:instruction_file, suffix]
+          else
+            [location, @instruction_file_suffix]
+          end
+        end
         def extract_location(options)
           location = options[:envelope_location] || :metadata
           if [:metadata, :instruction_file].include?(location)

data/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb CHANGED

@@ -6,6 +6,22 @@ module Aws
       # @api private
       class DecryptHandler < Seahorse::Client::Handler
+        V1_ENVELOPE_KEYS = %w(
+          x-amz-key
+          x-amz-iv
+          x-amz-matdesc
+        )
+        V2_ENVELOPE_KEYS = %w(
+          x-amz-key-v2
+          x-amz-iv
+          x-amz-cek-alg
+          x-amz-wrap-alg
+          x-amz-matdesc
+        )
+        POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS).uniq
         def call(context)
           attach_http_event_listeners(context)
           @handler.call(context)
@@ -36,11 +52,7 @@ module Aws
         def decryption_cipher(context)
           if envelope = get_encryption_envelope(context)
-            key_provider = context[:encryption][:key_provider]
-            key = key_provider.key_for(envelope['x-amz-matdesc'])
-            envelope_key = Utils.decrypt(key, decode64(envelope['x-amz-key']))
-            envelope_iv = decode64(envelope['x-amz-iv'])
-            Utils.aes_decryption_cipher(:CBC, envelope_key, envelope_iv)
+            context[:encryption][:cipher_provider].decryption_cipher(envelope)
           else
             raise Errors::DecryptionError, "unable to locate encyrption envelope"
           end
@@ -55,27 +67,61 @@ module Aws
         end
         def envelope_from_metadata(context)
-          keys = %w(x-amz-key x-amz-iv x-amz-matdesc)
-          envelope = keys.each.with_object({}) do |key, hash|
-            if value = context.http_response.headers["x-amz-meta-#{key}"]
-              hash[key] = value
+          possible_envelope = {}
+          POSSIBLE_ENVELOPE_KEYS.each do |suffix|
+            if value = context.http_response.headers["x-amz-meta-#{suffix}"]
+              possible_envelope[suffix] = value
             end
           end
-          envelope.keys == keys ? envelope : nil
+          extract_envelope(possible_envelope)
         end
         def envelope_from_instr_file(context)
           suffix = context[:encryption][:instruction_file_suffix]
-          Json.load(context.client.get_object(
+          possible_envelope = Json.load(context.client.get_object(
             bucket: context.params[:bucket],
             key: context.params[:key] + suffix
           ).body.read)
+          extract_envelope(possible_envelope)
         rescue S3::Errors::ServiceError, Json::ParseError
           nil
         end
-        def decode64(str)
-          Base64.decode64(str)
+        def extract_envelope(hash)
+          return v1_envelope(hash) if hash.key?('x-amz-key')
+          return v2_envelope(hash) if hash.key?('x-amz-key-v2')
+          if hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) }
+            msg = "unsupported envelope encryption version #{$1}"
+            raise Errors::DecryptionError, msg
+          else
+            nil # no envelope found
+          end
+        end
+        def v1_envelope(envelope)
+          envelope
+        end
+        def v2_envelope(envelope)
+          unless envelope['x-amz-cek-alg'] == 'AES/CBC/PKCS5Padding'
+            alg = envelope['x-amz-cek-alg'].inspect
+            msg = "unsupported content encrypting key (cek) format: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless envelope['x-amz-wrap-alg'] == 'kms'
+            # possible to support
+            #   RSA/ECB/OAEPWithSHA-256AndMGF1Padding
+            alg = envelope['x-amz-wrap-alg'].inspect
+            msg = "unsupported key wrapping algorithm: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless V2_ENVELOPE_KEYS.sort == envelope.keys.sort
+            msg = "incomplete v2 encryption envelope:\n"
+            msg += "  expected: #{V2_ENVELOPE_KEYS.join(',')}\n"
+            msg += "  got: #{envelope_keys.join(', ')}"
+            raise Errors::DecryptionError, msg
+          end
+          envelope
         end
       end

data/lib/aws-sdk-resources/services/s3/encryption/default_cipher_provider.rb ADDED

@@ -0,0 +1,63 @@
+require 'base64'
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class DefaultCipherProvider
+        def initialize(options = {})
+          @key_provider = options[:key_provider]
+        end
+        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher
+          cipher = Utils.aes_encryption_cipher(:CBC)
+          envelope = {
+            'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
+            'x-amz-iv' => encode64(envelope_iv(cipher)),
+            'x-amz-matdesc' => materials_description,
+          }
+          [envelope, cipher]
+        end
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope)
+          master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
+          key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
+          iv = decode64(envelope['x-amz-iv'])
+          Utils.aes_decryption_cipher(:CBC, key, iv)
+        end
+        private
+        def envelope_key(cipher)
+          cipher.key = cipher.random_key
+        end
+        def envelope_iv(cipher)
+          cipher.iv = cipher.random_iv
+        end
+        def encrypt(data)
+          Utils.encrypt(@key_provider.encryption_materials.key, data)
+        end
+        def materials_description
+          @key_provider.encryption_materials.description
+        end
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ""
+        end
+        def decode64(str)
+          Base64.decode64(str)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-resources/services/s3/encryption/encrypt_handler.rb CHANGED

@@ -7,21 +7,16 @@ module Aws
       class EncryptHandler < Seahorse::Client::Handler
         def call(context)
-          cipher = Utils.aes_encryption_cipher(:CBC)
-          context[:encryption][:cipher] = cipher
-          envelope = {
-            'x-amz-key' => encode64(encrypt(context, envelope_key(cipher))),
-            'x-amz-iv' => encode64(envelope_iv(cipher)),
-            'x-amz-matdesc' => context[:encryption][:materials].description,
-          }
-          apply_encryption_envelope(context, envelope)
+          envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
+          apply_encryption_envelope(context, envelope, cipher)
           apply_encryption_cipher(context, cipher)
           @handler.call(context)
         end
         private
-        def apply_encryption_envelope(context, envelope)
+        def apply_encryption_envelope(context, envelope, cipher)
+          context[:encryption][:cipher] = cipher
           if context[:encryption][:envelope_location] == :metadata
             context.params[:metadata] ||= {}
             context.params[:metadata].update(envelope)
@@ -49,22 +44,6 @@ module Aws
           end
         end
-        def envelope_key(cipher)
-          cipher.key = cipher.random_key
-        end
-        def envelope_iv(cipher)
-          cipher.iv = cipher.random_iv
-        end
-        def encode64(str)
-          Base64.encode64(str).split("\n") * ""
-        end
-        def encrypt(context, data)
-          Utils.encrypt(context[:encryption][:materials].key, data)
-        end
       end
     end
   end

data/lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb ADDED

@@ -0,0 +1,60 @@
+require 'base64'
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class KmsCipherProvider
+        def initialize(options = {})
+          @kms_key_id = options[:kms_key_id]
+          @kms_client = options[:kms_client]
+        end
+        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher
+          encryption_context = { "kms_cmk_id" => @kms_key_id }
+          key_data = @kms_client.generate_data_key(
+            key_id: @kms_key_id,
+            encryption_context: encryption_context,
+            key_spec: 'AES_256',
+          )
+          cipher = Utils.aes_encryption_cipher(:CBC)
+          cipher.key = key_data.plaintext
+          envelope = {
+            'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
+            'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),
+            'x-amz-cek-alg' => 'AES/CBC/PKCS5Padding',
+            'x-amz-wrap-alg' => 'kms',
+            'x-amz-matdesc' => Json.dump(encryption_context)
+          }
+          [envelope, cipher]
+        end
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope)
+          encryption_context = Json.load(envelope['x-amz-matdesc'])
+          key = @kms_client.decrypt(
+            ciphertext_blob: decode64(envelope['x-amz-key-v2']),
+            encryption_context: encryption_context,
+          ).plaintext
+          iv = decode64(envelope['x-amz-iv'])
+          Utils.aes_decryption_cipher(:CBC, key, iv)
+        end
+        private
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ""
+        end
+        def decode64(str)
+          Base64.decode64(str)
+        end
+      end
+    end
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-resources
 version: !ruby/object:Gem::Version
-  version: 2.1.8
+  version: 2.1.9
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-07-23 00:00:00.000000000 Z
+date: 2015-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.8
+        version: 2.1.9
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.8
+        version: 2.1.9
 description: Provides resource oriented interfaces and other higher-level abstractions
   for many AWS services. This gem is part of the official AWS SDK for Ruby.
 email:
@@ -61,12 +61,14 @@ files:
 - lib/aws-sdk-resources/services/s3/encryption.rb
 - lib/aws-sdk-resources/services/s3/encryption/client.rb
 - lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb
+- lib/aws-sdk-resources/services/s3/encryption/default_cipher_provider.rb
 - lib/aws-sdk-resources/services/s3/encryption/default_key_provider.rb
 - lib/aws-sdk-resources/services/s3/encryption/encrypt_handler.rb
 - lib/aws-sdk-resources/services/s3/encryption/errors.rb
 - lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb
 - lib/aws-sdk-resources/services/s3/encryption/io_encrypter.rb
 - lib/aws-sdk-resources/services/s3/encryption/key_provider.rb
+- lib/aws-sdk-resources/services/s3/encryption/kms_cipher_provider.rb
 - lib/aws-sdk-resources/services/s3/encryption/materials.rb
 - lib/aws-sdk-resources/services/s3/encryption/utils.rb
 - lib/aws-sdk-resources/services/s3/file_part.rb