aws-sdk-resources 2.11.501 → 3.71.0

data/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb

@@ -1,174 +0,0 @@
-require 'base64'
-
-module Aws
-  module S3
-    module Encryption
-      # @api private
-      class DecryptHandler < Seahorse::Client::Handler
-
-        V1_ENVELOPE_KEYS = %w(
-          x-amz-key
-          x-amz-iv
-          x-amz-matdesc
-        )
-
-        V2_ENVELOPE_KEYS = %w(
-          x-amz-key-v2
-          x-amz-iv
-          x-amz-cek-alg
-          x-amz-wrap-alg
-          x-amz-matdesc
-        )
-
-        POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS).uniq
-
-        POSSIBLE_ENCRYPTION_FORMATS = %w(
-          AES/GCM/NoPadding
-          AES/CBC/PKCS5Padding
-        )
-
-        def call(context)
-          attach_http_event_listeners(context)
-          @handler.call(context)
-        end
-
-        private
-
-        def attach_http_event_listeners(context)
-
-          context.http_response.on_headers(200) do
-            cipher = decryption_cipher(context)
-            decrypter = body_contains_auth_tag?(context) ?
-              authenticated_decrypter(context, cipher) :
-              IODecrypter.new(cipher, context.http_response.body)
-            context.http_response.body = decrypter
-          end
-
-          context.http_response.on_success(200) do
-            decrypter = context.http_response.body
-            decrypter.finalize
-            decrypter.io.rewind if decrypter.io.respond_to?(:rewind)
-            context.http_response.body = decrypter.io
-          end
-
-          context.http_response.on_error do
-            if context.http_response.body.respond_to?(:io)
-              context.http_response.body = context.http_response.body.io
-            end
-          end
-        end
-
-        def decryption_cipher(context)
-          if envelope = get_encryption_envelope(context)
-            context[:encryption][:cipher_provider].decryption_cipher(envelope)
-          else
-            raise Errors::DecryptionError, "unable to locate encryption envelope"
-          end
-        end
-
-        def get_encryption_envelope(context)
-          if context[:encryption][:envelope_location] == :metadata
-            envelope_from_metadata(context) || envelope_from_instr_file(context)
-          else
-            envelope_from_instr_file(context) || envelope_from_metadata(context)
-          end
-        end
-
-        def envelope_from_metadata(context)
-          possible_envelope = {}
-          POSSIBLE_ENVELOPE_KEYS.each do |suffix|
-            if value = context.http_response.headers["x-amz-meta-#{suffix}"]
-              possible_envelope[suffix] = value
-            end
-          end
-          extract_envelope(possible_envelope)
-        end
-
-        def envelope_from_instr_file(context)
-          suffix = context[:encryption][:instruction_file_suffix]
-          possible_envelope = Json.load(context.client.get_object(
-            bucket: context.params[:bucket],
-            key: context.params[:key] + suffix
-          ).body.read)
-          extract_envelope(possible_envelope)
-        rescue S3::Errors::ServiceError, Json::ParseError
-          nil
-        end
-
-        def extract_envelope(hash)
-          return v1_envelope(hash) if hash.key?('x-amz-key')
-          return v2_envelope(hash) if hash.key?('x-amz-key-v2')
-          if hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) }
-            msg = "unsupported envelope encryption version #{$1}"
-            raise Errors::DecryptionError, msg
-          else
-            nil # no envelope found
-          end
-        end
-
-        def v1_envelope(envelope)
-          envelope
-        end
-
-        def v2_envelope(envelope)
-          unless POSSIBLE_ENCRYPTION_FORMATS.include? envelope['x-amz-cek-alg']
-            alg = envelope['x-amz-cek-alg'].inspect
-            msg = "unsupported content encrypting key (cek) format: #{alg}"
-            raise Errors::DecryptionError, msg
-          end
-          unless envelope['x-amz-wrap-alg'] == 'kms'
-            # possible to support
-            #   RSA/ECB/OAEPWithSHA-256AndMGF1Padding
-            alg = envelope['x-amz-wrap-alg'].inspect
-            msg = "unsupported key wrapping algorithm: #{alg}"
-            raise Errors::DecryptionError, msg
-          end
-          unless V2_ENVELOPE_KEYS.sort == envelope.keys.sort
-            msg = "incomplete v2 encryption envelope:\n"
-            msg += "  expected: #{V2_ENVELOPE_KEYS.join(',')}\n"
-            msg += "  got: #{envelope_keys.join(', ')}"
-            raise Errors::DecryptionError, msg
-          end
-          envelope
-        end
-
-        # When the x-amz-meta-x-amz-tag-len header is present, it indicates
-        # that the body of this object has a trailing auth tag. The header
-        # indicates the length of that tag.
-        #
-        # This method fetches the tag from the end of the object by
-        # making a GET Object w/range request. This auth tag is used
-        # to initialize the cipher, and the decrypter truncates the
-        # auth tag from the body when writing the final bytes.
-        def authenticated_decrypter(context, cipher)
-          http_resp = context.http_response
-          content_length = http_resp.headers['content-length'].to_i
-          auth_tag_length = http_resp.headers['x-amz-meta-x-amz-tag-len']
-          auth_tag_length = auth_tag_length.to_i / 8
-
-          auth_tag = context.client.get_object(
-            bucket: context.params[:bucket],
-            key: context.params[:key],
-            range: "bytes=-#{auth_tag_length}"
-          ).body.read
-
-          cipher.auth_tag = auth_tag
-          cipher.auth_data = ''
-
-          # The encrypted object contains both the cipher text
-          # plus a trailing auth tag. This decrypter will the body
-          # expect for the trailing auth tag.
-          decrypter = IOAuthDecrypter.new(
-            io: http_resp.body,
-            encrypted_content_length: content_length - auth_tag_length,
-            cipher: cipher)
-        end
-
-        def body_contains_auth_tag?(context)
-          context.http_response.headers['x-amz-meta-x-amz-tag-len']
-        end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/default_cipher_provider.rb

@@ -1,63 +0,0 @@
-require 'base64'
-
-module Aws
-  module S3
-    module Encryption
-      # @api private
-      class DefaultCipherProvider
-
-        def initialize(options = {})
-          @key_provider = options[:key_provider]
-        end
-
-        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
-        #   envelope and encryption cipher.
-        def encryption_cipher
-          cipher = Utils.aes_encryption_cipher(:CBC)
-          envelope = {
-            'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
-            'x-amz-iv' => encode64(envelope_iv(cipher)),
-            'x-amz-matdesc' => materials_description,
-          }
-          [envelope, cipher]
-        end
-
-        # @return [Cipher] Given an encryption envelope, returns a
-        #   decryption cipher.
-        def decryption_cipher(envelope)
-          master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
-          key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
-          iv = decode64(envelope['x-amz-iv'])
-          Utils.aes_decryption_cipher(:CBC, key, iv)
-        end
-
-        private
-
-        def envelope_key(cipher)
-          cipher.key = cipher.random_key
-        end
-
-        def envelope_iv(cipher)
-          cipher.iv = cipher.random_iv
-        end
-
-        def encrypt(data)
-          Utils.encrypt(@key_provider.encryption_materials.key, data)
-        end
-
-        def materials_description
-          @key_provider.encryption_materials.description
-        end
-
-        def encode64(str)
-          Base64.encode64(str).split("\n") * ""
-        end
-
-        def decode64(str)
-          Base64.decode64(str)
-        end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/default_key_provider.rb

@@ -1,38 +0,0 @@
-module Aws
-  module S3
-    module Encryption
-
-      # The default key provider is constructed with a single key
-      # that is used for both encryption and decryption, ignoring
-      # the possible per-object envelope encryption materials description.
-      # @api private
-      class DefaultKeyProvider
-
-        include KeyProvider
-
-        # @option options [required, OpenSSL::PKey::RSA, String] :encryption_key
-        #   The master key to use for encrypting objects.
-        # @option options [String<JSON>] :materials_description ('{}')
-        #   A description of the encryption key.
-        def initialize(options = {})
-          @encryption_materials = Materials.new(
-            key: options[:encryption_key],
-            description: options[:materials_description] || '{}'
-          )
-        end
-
-        # @return [Materials]
-        def encryption_materials
-          @encryption_materials
-        end
-
-        # @param [String<JSON>] materials_description
-        # @return Returns the key given in the constructor.
-        def key_for(materials_description)
-          @encryption_materials.key
-        end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/encrypt_handler.rb

@@ -1,50 +0,0 @@
-require 'base64'
-
-module Aws
-  module S3
-    module Encryption
-      # @api private
-      class EncryptHandler < Seahorse::Client::Handler
-
-        def call(context)
-          envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
-          apply_encryption_envelope(context, envelope, cipher)
-          apply_encryption_cipher(context, cipher)
-          @handler.call(context)
-        end
-
-        private
-
-        def apply_encryption_envelope(context, envelope, cipher)
-          context[:encryption][:cipher] = cipher
-          if context[:encryption][:envelope_location] == :metadata
-            context.params[:metadata] ||= {}
-            context.params[:metadata].update(envelope)
-          else # :instruction_file
-            suffix = context[:encryption][:instruction_file_suffix]
-            context.client.put_object(
-              bucket: context.params[:bucket],
-              key: context.params[:key] + suffix,
-              body: Json.dump(envelope)
-            )
-          end
-        end
-
-        def apply_encryption_cipher(context, cipher)
-          io = context.params[:body] || ''
-          io = StringIO.new(io) if String === io
-          context.params[:body] = IOEncrypter.new(cipher, io)
-          context.params[:metadata] ||= {}
-          context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
-          if md5 = context.params.delete(:content_md5)
-            context.params[:metadata]['x-amz-unencrypted-content-md5'] = md5
-          end
-          context.http_response.on_headers do
-            context.params[:body].close
-          end
-        end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/errors.rb

@@ -1,13 +0,0 @@
-module Aws
-  module S3
-    module Encryption
-      module Errors
-
-        class DecryptionError < RuntimeError; end
-
-        class EncryptionError < RuntimeError; end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/io_auth_decrypter.rb

@@ -1,56 +0,0 @@
-module Aws
-  module S3
-    module Encryption
-      # @api private
-      class IOAuthDecrypter
-
-        # @option options [required, IO#write] :io
-        #   An IO-like object that responds to {#write}.
-        # @option options [required, Integer] :encrypted_content_length
-        #   The number of bytes to decrypt from the `:io` object.
-        #   This should be the total size of `:io` minus the length of
-        #   the cipher auth tag.
-        # @option options [required, OpenSSL::Cipher] :cipher An initialized
-        #   cipher that can be used to decrypt the bytes as they are
-        #   written to the `:io` object. The cipher should already have
-        #   its `#auth_tag` set.
-        def initialize(options = {})
-          @decrypter = IODecrypter.new(options[:cipher], options[:io])
-          @max_bytes = options[:encrypted_content_length]
-          @bytes_written = 0
-        end
-
-        def write(chunk)
-          chunk = truncate_chunk(chunk)
-          if chunk.bytesize > 0
-            @bytes_written += chunk.bytesize
-            @decrypter.write(chunk)
-          end
-        end
-
-        def finalize
-          @decrypter.finalize
-        end
-
-        def io
-          @decrypter.io
-        end
-
-        private
-
-        def truncate_chunk(chunk)
-          if chunk.bytesize + @bytes_written <= @max_bytes
-            chunk
-          elsif @bytes_written < @max_bytes
-            chunk[0..(@max_bytes - @bytes_written - 1)]
-          else
-            # If the tag was sent over after the full body has been read,
-            # we don't want to accidentally append it.
-            ""
-          end
-        end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb

@@ -1,29 +0,0 @@
-module Aws
-  module S3
-    module Encryption
-      # @api private
-      class IODecrypter
-
-        # @param [OpenSSL::Cipher] cipher
-        # @param [IO#write] io An IO-like object that responds to `#write`.
-        def initialize(cipher, io)
-          @cipher = cipher.clone
-          @io = io
-        end
-
-        # @return [#write]
-        attr_reader :io
-
-        def write(chunk)
-          # decrypt and write
-          @io.write(@cipher.update(chunk))
-        end
-
-        def finalize
-          @io.write(@cipher.final)
-        end
-
-      end
-    end
-  end
-end

data/lib/aws-sdk-resources/services/s3/encryption/io_encrypter.rb

@@ -1,69 +0,0 @@
-require 'stringio'
-require 'tempfile'
-
-module Aws
-  module S3
-    module Encryption
-
-      # Provides an IO wrapper encrpyting a stream of data.
-      # It is possible to use this same object for decrypting. You must
-      # initialize it with a decryptiion cipher in that case and the
-      # IO object must contain cipher text instead of plain text.
-      # @api private
-      class IOEncrypter
-
-        # @api private
-        ONE_MEGABYTE = 1024 * 1024
-
-        def initialize(cipher, io)
-          @encrypted = io.size <= ONE_MEGABYTE ?
-            encrypt_to_stringio(cipher, io.read) :
-            encrypt_to_tempfile(cipher, io)
-          @size = @encrypted.size
-        end
-
-        # @return [Integer]
-        attr_reader :size
-
-        def read(bytes =  nil, output_buffer = nil)
-          if Tempfile === @encrypted && @encrypted.closed?
-            @encrypted.open
-            @encrypted.binmode
-          end
-          @encrypted.read(bytes, output_buffer)
-        end
-
-        def rewind
-          @encrypted.rewind
-        end
-
-        # @api private
-        def close
-          @encrypted.close if Tempfile === @encrypted
-        end
-
-        private
-
-        def encrypt_to_stringio(cipher, plain_text)
-          if plain_text.empty?
-            StringIO.new(cipher.final)
-          else
-            StringIO.new(cipher.update(plain_text) + cipher.final)
-          end
-        end
-
-        def encrypt_to_tempfile(cipher, io)
-          encrypted = Tempfile.new(self.object_id.to_s)
-          encrypted.binmode
-          while chunk = io.read(ONE_MEGABYTE)
-            encrypted.write(cipher.update(chunk))
-          end
-          encrypted.write(cipher.final)
-          encrypted.rewind
-          encrypted
-        end
-
-      end
-    end
-  end
-end