RubyGems - aws-sdk-s3 - Versions diffs - 1.10.0 → 1.208.0 - Mend

aws-sdk-s3 1.10.0 → 1.208.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +1517 -0
data/LICENSE.txt +202 -0
data/VERSION +1 -0
data/lib/aws-sdk-s3/access_grants_credentials.rb +57 -0
data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +250 -0
data/lib/aws-sdk-s3/bucket.rb +1062 -99
data/lib/aws-sdk-s3/bucket_acl.rb +67 -17
data/lib/aws-sdk-s3/bucket_cors.rb +80 -17
data/lib/aws-sdk-s3/bucket_lifecycle.rb +71 -19
data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +126 -20
data/lib/aws-sdk-s3/bucket_logging.rb +68 -18
data/lib/aws-sdk-s3/bucket_notification.rb +56 -20
data/lib/aws-sdk-s3/bucket_policy.rb +108 -17
data/lib/aws-sdk-s3/bucket_region_cache.rb +11 -5
data/lib/aws-sdk-s3/bucket_request_payment.rb +60 -15
data/lib/aws-sdk-s3/bucket_tagging.rb +71 -17
data/lib/aws-sdk-s3/bucket_versioning.rb +166 -17
data/lib/aws-sdk-s3/bucket_website.rb +78 -17
data/lib/aws-sdk-s3/client.rb +20068 -3879
data/lib/aws-sdk-s3/client_api.rb +1957 -209
data/lib/aws-sdk-s3/customizations/bucket.rb +57 -38
data/lib/aws-sdk-s3/customizations/errors.rb +40 -0
data/lib/aws-sdk-s3/customizations/multipart_upload.rb +2 -0
data/lib/aws-sdk-s3/customizations/object.rb +338 -68
data/lib/aws-sdk-s3/customizations/object_summary.rb +17 -0
data/lib/aws-sdk-s3/customizations/object_version.rb +13 -0
data/lib/aws-sdk-s3/customizations/types/list_object_versions_output.rb +2 -0
data/lib/aws-sdk-s3/customizations/types/permanent_redirect.rb +26 -0
data/lib/aws-sdk-s3/customizations.rb +30 -27
data/lib/aws-sdk-s3/default_executor.rb +103 -0
data/lib/aws-sdk-s3/encryption/client.rb +29 -8
data/lib/aws-sdk-s3/encryption/decrypt_handler.rb +71 -29
data/lib/aws-sdk-s3/encryption/default_cipher_provider.rb +45 -5
data/lib/aws-sdk-s3/encryption/default_key_provider.rb +2 -0
data/lib/aws-sdk-s3/encryption/encrypt_handler.rb +15 -2
data/lib/aws-sdk-s3/encryption/errors.rb +2 -0
data/lib/aws-sdk-s3/encryption/io_auth_decrypter.rb +11 -3
data/lib/aws-sdk-s3/encryption/io_decrypter.rb +11 -3
data/lib/aws-sdk-s3/encryption/io_encrypter.rb +2 -0
data/lib/aws-sdk-s3/encryption/key_provider.rb +2 -0
data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb +48 -11
data/lib/aws-sdk-s3/encryption/materials.rb +8 -6
data/lib/aws-sdk-s3/encryption/utils.rb +25 -0
data/lib/aws-sdk-s3/encryption.rb +4 -0
data/lib/aws-sdk-s3/encryptionV2/client.rb +645 -0
data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +68 -0
data/lib/aws-sdk-s3/encryptionV2/decryption.rb +205 -0
data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb +187 -0
data/lib/aws-sdk-s3/encryptionV2/default_key_provider.rb +40 -0
data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +67 -0
data/lib/aws-sdk-s3/encryptionV2/errors.rb +37 -0
data/lib/aws-sdk-s3/encryptionV2/io_auth_decrypter.rb +58 -0
data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb +37 -0
data/lib/aws-sdk-s3/encryptionV2/io_encrypter.rb +75 -0
data/lib/aws-sdk-s3/encryptionV2/key_provider.rb +31 -0
data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb +181 -0
data/lib/aws-sdk-s3/encryptionV2/materials.rb +60 -0
data/lib/aws-sdk-s3/encryptionV2/utils.rb +108 -0
data/lib/aws-sdk-s3/encryptionV3/client.rb +885 -0
data/lib/aws-sdk-s3/encryptionV3/decrypt_handler.rb +98 -0
data/lib/aws-sdk-s3/encryptionV3/decryption.rb +244 -0
data/lib/aws-sdk-s3/encryptionV3/default_cipher_provider.rb +159 -0
data/lib/aws-sdk-s3/encryptionV3/default_key_provider.rb +35 -0
data/lib/aws-sdk-s3/encryptionV3/encrypt_handler.rb +98 -0
data/lib/aws-sdk-s3/encryptionV3/errors.rb +47 -0
data/lib/aws-sdk-s3/encryptionV3/io_auth_decrypter.rb +60 -0
data/lib/aws-sdk-s3/encryptionV3/io_decrypter.rb +35 -0
data/lib/aws-sdk-s3/encryptionV3/io_encrypter.rb +84 -0
data/lib/aws-sdk-s3/encryptionV3/key_provider.rb +28 -0
data/lib/aws-sdk-s3/encryptionV3/kms_cipher_provider.rb +159 -0
data/lib/aws-sdk-s3/encryptionV3/materials.rb +58 -0
data/lib/aws-sdk-s3/encryptionV3/utils.rb +321 -0
data/lib/aws-sdk-s3/encryption_v2.rb +24 -0
data/lib/aws-sdk-s3/encryption_v3.rb +24 -0
data/lib/aws-sdk-s3/endpoint_parameters.rb +181 -0
data/lib/aws-sdk-s3/endpoint_provider.rb +886 -0
data/lib/aws-sdk-s3/endpoints.rb +1544 -0
data/lib/aws-sdk-s3/errors.rb +181 -1
data/lib/aws-sdk-s3/event_streams.rb +69 -0
data/lib/aws-sdk-s3/express_credentials.rb +55 -0
data/lib/aws-sdk-s3/express_credentials_provider.rb +59 -0
data/lib/aws-sdk-s3/file_downloader.rb +261 -82
data/lib/aws-sdk-s3/file_part.rb +16 -13
data/lib/aws-sdk-s3/file_uploader.rb +37 -22
data/lib/aws-sdk-s3/legacy_signer.rb +19 -26
data/lib/aws-sdk-s3/multipart_download_error.rb +8 -0
data/lib/aws-sdk-s3/multipart_file_uploader.rb +142 -80
data/lib/aws-sdk-s3/multipart_stream_uploader.rb +191 -0
data/lib/aws-sdk-s3/multipart_upload.rb +342 -31
data/lib/aws-sdk-s3/multipart_upload_error.rb +5 -4
data/lib/aws-sdk-s3/multipart_upload_part.rb +387 -47
data/lib/aws-sdk-s3/object.rb +2733 -204
data/lib/aws-sdk-s3/object_acl.rb +112 -25
data/lib/aws-sdk-s3/object_copier.rb +9 -5
data/lib/aws-sdk-s3/object_multipart_copier.rb +50 -23
data/lib/aws-sdk-s3/object_summary.rb +2265 -181
data/lib/aws-sdk-s3/object_version.rb +542 -74
data/lib/aws-sdk-s3/plugins/accelerate.rb +17 -64
data/lib/aws-sdk-s3/plugins/access_grants.rb +178 -0
data/lib/aws-sdk-s3/plugins/arn.rb +70 -0
data/lib/aws-sdk-s3/plugins/bucket_dns.rb +7 -43
data/lib/aws-sdk-s3/plugins/bucket_name_restrictions.rb +20 -3
data/lib/aws-sdk-s3/plugins/checksum_algorithm.rb +31 -0
data/lib/aws-sdk-s3/plugins/dualstack.rb +7 -50
data/lib/aws-sdk-s3/plugins/endpoints.rb +86 -0
data/lib/aws-sdk-s3/plugins/expect_100_continue.rb +5 -4
data/lib/aws-sdk-s3/plugins/express_session_auth.rb +88 -0
data/lib/aws-sdk-s3/plugins/get_bucket_location_fix.rb +3 -1
data/lib/aws-sdk-s3/plugins/http_200_errors.rb +62 -17
data/lib/aws-sdk-s3/plugins/iad_regional_endpoint.rb +44 -0
data/lib/aws-sdk-s3/plugins/location_constraint.rb +5 -1
data/lib/aws-sdk-s3/plugins/md5s.rb +14 -67
data/lib/aws-sdk-s3/plugins/redirects.rb +5 -1
data/lib/aws-sdk-s3/plugins/s3_host_id.rb +2 -0
data/lib/aws-sdk-s3/plugins/s3_signer.rb +67 -93
data/lib/aws-sdk-s3/plugins/sse_cpk.rb +3 -1
data/lib/aws-sdk-s3/plugins/streaming_retry.rb +137 -0
data/lib/aws-sdk-s3/plugins/url_encoded_keys.rb +4 -1
data/lib/aws-sdk-s3/presigned_post.rb +160 -99
data/lib/aws-sdk-s3/presigner.rb +178 -81
data/lib/aws-sdk-s3/resource.rb +164 -15
data/lib/aws-sdk-s3/transfer_manager.rb +303 -0
data/lib/aws-sdk-s3/types.rb +15981 -4168
data/lib/aws-sdk-s3/waiters.rb +67 -1
data/lib/aws-sdk-s3.rb +46 -31
data/sig/bucket.rbs +231 -0
data/sig/bucket_acl.rbs +78 -0
data/sig/bucket_cors.rbs +69 -0
data/sig/bucket_lifecycle.rbs +88 -0
data/sig/bucket_lifecycle_configuration.rbs +115 -0
data/sig/bucket_logging.rbs +76 -0
data/sig/bucket_notification.rbs +114 -0
data/sig/bucket_policy.rbs +59 -0
data/sig/bucket_request_payment.rbs +54 -0
data/sig/bucket_tagging.rbs +65 -0
data/sig/bucket_versioning.rbs +77 -0
data/sig/bucket_website.rbs +93 -0
data/sig/client.rbs +2612 -0
data/sig/customizations/bucket.rbs +19 -0
data/sig/customizations/object.rbs +38 -0
data/sig/customizations/object_summary.rbs +35 -0
data/sig/errors.rbs +44 -0
data/sig/multipart_upload.rbs +120 -0
data/sig/multipart_upload_part.rbs +109 -0
data/sig/object.rbs +464 -0
data/sig/object_acl.rbs +86 -0
data/sig/object_summary.rbs +347 -0
data/sig/object_version.rbs +143 -0
data/sig/resource.rbs +141 -0
data/sig/types.rbs +2899 -0
data/sig/waiters.rbs +95 -0
metadata +97 -14

data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      class IODecrypter
+        # @param [OpenSSL::Cipher] cipher
+        # @param [IO#write] io An IO-like object that responds to `#write`.
+        def initialize(cipher, io)
+          @cipher = cipher
+          # Ensure that IO is reset between retries
+          @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
+          @cipher_buffer = String.new
+        end
+        # @return [#write]
+        attr_reader :io
+        def write(chunk)
+          # decrypt and write
+          if @cipher.method(:update).arity == 1
+            @io.write(@cipher.update(chunk))
+          else
+            @io.write(@cipher.update(chunk, @cipher_buffer))
+          end
+        end
+        def finalize
+          @io.write(@cipher.final)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/io_encrypter.rb ADDED Viewed

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+require 'stringio'
+require 'tempfile'
+module Aws
+  module S3
+    module EncryptionV2
+      # Provides an IO wrapper encrypting a stream of data.
+      # @api private
+      class IOEncrypter
+        # @api private
+        ONE_MEGABYTE = 1024 * 1024
+        def initialize(cipher, io)
+          @encrypted = io.size <= ONE_MEGABYTE ?
+            encrypt_to_stringio(cipher, io.read) :
+            encrypt_to_tempfile(cipher, io)
+          @size = @encrypted.size
+        end
+        # @return [Integer]
+        attr_reader :size
+        def read(bytes = nil, output_buffer = nil)
+          if @encrypted.is_a?(Tempfile) && @encrypted.closed?
+            @encrypted.open
+            @encrypted.binmode
+          end
+          @encrypted.read(bytes, output_buffer)
+        end
+        def rewind
+          @encrypted.rewind
+        end
+        # @api private
+        def close
+          @encrypted.close if @encrypted.is_a?(Tempfile)
+        end
+        private
+        def encrypt_to_stringio(cipher, plain_text)
+          ##= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf
+          ##% The client MUST append the GCM auth tag to the ciphertext if the underlying crypto provider does not do so automatically.
+          if plain_text.empty?
+            StringIO.new(cipher.final + cipher.auth_tag)
+          else
+            StringIO.new(cipher.update(plain_text) + cipher.final + cipher.auth_tag)
+          end
+        end
+        def encrypt_to_tempfile(cipher, io)
+          encrypted = Tempfile.new(self.object_id.to_s)
+          encrypted.binmode
+          while chunk = io.read(ONE_MEGABYTE, read_buffer ||= String.new)
+            if cipher.method(:update).arity == 1
+              encrypted.write(cipher.update(chunk))
+            else
+              encrypted.write(cipher.update(chunk, cipher_buffer ||= String.new))
+            end
+          end
+          encrypted.write(cipher.final)
+          encrypted.write(cipher.auth_tag)
+          encrypted.rewind
+          encrypted
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/key_provider.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Aws
+  module S3
+    module EncryptionV2
+      # This module defines the interface required for a {Client#key_provider}.
+      # A key provider is any object that:
+      #
+      # * Responds to {#encryption_materials} with an {Materials} object.
+      #
+      # * Responds to {#key_for}, receiving a JSON document String,
+      #   returning an encryption key. The returned encryption key
+      #   must be one of:
+      #
+      #   * `OpenSSL::PKey::RSA` - for asymmetric encryption
+      #   * `String` - 32, 24, or 16 bytes long, for symmetric encryption
+      #
+      module KeyProvider
+        # @return [Materials]
+        def encryption_materials; end
+        # @param [String<JSON>] materials_description
+        # @return [OpenSSL::PKey::RSA, String] encryption_key
+        def key_for(materials_description); end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb ADDED Viewed

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+require 'base64'
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      class KmsCipherProvider
+        def initialize(options = {})
+          @kms_key_id = validate_kms_key(options[:kms_key_id])
+          @kms_client = options[:kms_client]
+          @key_wrap_schema = validate_key_wrap(
+            options[:key_wrap_schema]
+          )
+          @content_encryption_schema = validate_cek(
+            options[:content_encryption_schema]
+          )
+        end
+        # @return [Array<Hash,Cipher>] Creates and returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher(options = {})
+          validate_key_for_encryption
+          encryption_context = build_encryption_context(@content_encryption_schema, options)
+          key_data = Aws::Plugins::UserAgent.metric('S3_CRYPTO_V2') do
+            @kms_client.generate_data_key(
+              key_id: @kms_key_id,
+              encryption_context: encryption_context,
+              key_spec: 'AES_256'
+            )
+          end
+          cipher = Utils.aes_encryption_cipher(:GCM)
+          cipher.key = key_data.plaintext
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
+          ##% Objects encrypted with ALG_AES_256_GCM_IV12_TAG16_NO_KDF MUST use the V2 message format version only.
+          envelope = {
+            'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
+            'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),
+            'x-amz-cek-alg' => @content_encryption_schema,
+            'x-amz-tag-len' => (AES_GCM_TAG_LEN_BYTES * 8).to_s,
+            'x-amz-wrap-alg' => @key_wrap_schema,
+            'x-amz-matdesc' => Json.dump(encryption_context)
+          }
+          cipher.auth_data = '' # auth_data must be set after key and iv
+          [envelope, cipher]
+        end
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope, options = {})
+          encryption_context = Json.load(envelope['x-amz-matdesc'])
+          cek_alg = envelope['x-amz-cek-alg']
+          case envelope['x-amz-wrap-alg']
+          when 'kms'
+            ##= ../specification/s3-encryption/client.md#enable-legacy-wrapping-algorithms
+            ##% The S3EC MUST support the option to enable or disable legacy wrapping algorithms.
+            unless options[:security_profile] == :v2_and_legacy
+              ##= ../specification/s3-encryption/client.md#enable-legacy-wrapping-algorithms
+              ##% When disabled, the S3EC MUST NOT decrypt objects encrypted using legacy wrapping algorithms; it MUST throw an exception when attempting to decrypt an object encrypted with a legacy wrapping algorithm.
+              raise Errors::LegacyDecryptionError
+            end
+            ##= ../specification/s3-encryption/client.md#enable-legacy-wrapping-algorithms
+            ##% When enabled, the S3EC MUST be able to decrypt objects encrypted with all supported wrapping algorithms (both legacy and fully supported).
+          when 'kms+context'
+            if cek_alg != encryption_context['aws:x-amz-cek-alg']
+              raise Errors::CEKAlgMismatchError
+            end
+            if encryption_context != build_encryption_context(cek_alg, options)
+              raise Errors::DecryptionError, 'Value of encryption context from'\
+                ' envelope does not match the provided encryption context'
+            end
+          when 'AES/GCM'
+            raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with a KMS key and the x-amz-wrap-alg is AES/GCM.'
+          when 'RSA-OAEP-SHA1'
+            raise ArgumentError, 'Key mismatch - Client is configured' \
+                    ' with a KMS key and the x-amz-wrap-alg is RSA-OAEP-SHA1.'
+          else
+            raise ArgumentError, 'Unsupported wrap-alg: ' \
+                "#{envelope['x-amz-wrap-alg']}"
+          end
+          any_cmk_mode = false || options[:kms_allow_decrypt_with_any_cmk]
+          decrypt_options = {
+            ciphertext_blob: decode64(envelope['x-amz-key-v2']),
+            encryption_context: encryption_context
+          }
+          unless any_cmk_mode
+            decrypt_options[:key_id] = @kms_key_id
+          end
+          key = Aws::Plugins::UserAgent.metric('S3_CRYPTO_V2') do
+            @kms_client.decrypt(decrypt_options).plaintext
+          end
+          iv = decode64(envelope['x-amz-iv'])
+          block_mode =
+            case cek_alg
+            when 'AES/CBC/PKCS5Padding'
+              :CBC
+            when 'AES/CBC/PKCS7Padding'
+              :CBC
+            when 'AES/GCM/NoPadding'
+              :GCM
+            else
+              type = envelope['x-amz-cek-alg'].inspect
+              msg = "unsupported content encrypting key (cek) format: #{type}"
+              raise Errors::DecryptionError, msg
+            end
+          Utils.aes_decryption_cipher(block_mode, key, iv)
+        end
+        private
+        def validate_key_wrap(key_wrap_schema)
+          case key_wrap_schema
+          when :kms_context then 'kms+context'
+          else
+            raise ArgumentError, "Unsupported key_wrap_schema: #{key_wrap_schema}"
+          end
+        end
+        def validate_cek(content_encryption_schema)
+          case content_encryption_schema
+          when :aes_gcm_no_padding
+            "AES/GCM/NoPadding"
+          else
+            raise ArgumentError, "Unsupported content_encryption_schema: #{content_encryption_schema}"
+          end
+        end
+        def validate_kms_key(kms_key_id)
+          if kms_key_id.nil? || kms_key_id.length.zero?
+            raise ArgumentError, 'KMS CMK ID was not specified. ' \
+              'Please specify a CMK ID, ' \
+              'or set kms_key_id: :kms_allow_decrypt_with_any_cmk to use ' \
+              'any valid CMK from the object.'
+          end
+          if kms_key_id.is_a?(Symbol) && kms_key_id != :kms_allow_decrypt_with_any_cmk
+            raise ArgumentError, 'kms_key_id must be a valid KMS CMK or be ' \
+              'set to :kms_allow_decrypt_with_any_cmk'
+          end
+          kms_key_id
+        end
+        def build_encryption_context(cek_alg, options = {})
+          kms_context = (options[:kms_encryption_context] || {})
+            .each_with_object({}) { |(k, v), h| h[k.to_s] = v }
+          if kms_context.include? 'aws:x-amz-cek-alg'
+            raise ArgumentError, 'Conflict in reserved KMS Encryption Context ' \
+              'key aws:x-amz-cek-alg. This value is reserved for the S3 ' \
+              'Encryption Client and cannot be set by the user.'
+          end
+          {
+            'aws:x-amz-cek-alg' => cek_alg
+          }.merge(kms_context)
+        end
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ""
+        end
+        def decode64(str)
+          Base64.decode64(str)
+        end
+        def validate_key_for_encryption
+          if @kms_key_id == :kms_allow_decrypt_with_any_cmk
+            raise ArgumentError, 'Unable to encrypt/write objects with '\
+              'kms_key_id = :kms_allow_decrypt_with_any_cmk.  Provide ' \
+              'a valid kms_key_id on client construction.'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/materials.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+require 'base64'
+module Aws
+  module S3
+    module EncryptionV2
+      class Materials
+        # @option options [required, OpenSSL::PKey::RSA, String] :key
+        #   The master key to use for encrypting/decrypting all objects.
+        #
+        # @option options [String<JSON>] :description ('{}')
+        #   The encryption materials description. This is must be
+        #   a JSON document string.
+        #
+        def initialize(options = {})
+          @key = validate_key(options[:key])
+          @description = validate_desc(options[:description])
+        end
+        # @return [OpenSSL::PKey::RSA, String]
+        attr_reader :key
+        # @return [String<JSON>]
+        attr_reader :description
+        private
+        def validate_key(key)
+          case key
+          when OpenSSL::PKey::RSA then key
+          when String
+            if [32, 24, 16].include?(key.bytesize)
+              key
+            else
+              msg = 'invalid key, symmetric key required to be 16, 24, or '\
+                    '32 bytes in length, saw length ' + key.bytesize.to_s
+              raise ArgumentError, msg
+            end
+          else
+            msg = 'invalid encryption key, expected an OpenSSL::PKey::RSA key '\
+                  '(for asymmetric encryption) or a String (for symmetric '\
+                  'encryption).'
+            raise ArgumentError, msg
+          end
+        end
+        def validate_desc(description)
+          Json.load(description)
+          description
+        rescue Json::ParseError, EncodingError
+          msg = 'expected description to be a valid JSON document string'
+          raise ArgumentError, msg
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryptionV2/utils.rb ADDED Viewed

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+require 'openssl'
+module Aws
+  module S3
+    module EncryptionV2
+      # @api private
+      module Utils
+        class << self
+          def encrypt_aes_gcm(key, data, auth_data)
+            cipher = aes_encryption_cipher(:GCM, key)
+            cipher.iv = (iv = cipher.random_iv)
+            cipher.auth_data = auth_data
+            iv + cipher.update(data) + cipher.final + cipher.auth_tag
+          end
+          def encrypt_rsa(key, data, auth_data)
+            # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
+            buf = [data.bytesize] + data.unpack('C*') + auth_data.unpack('C*')
+            key.public_encrypt(buf.pack('C*'), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+          end
+          def decrypt(key, data)
+            begin
+              case key
+              when OpenSSL::PKey::RSA # asymmetric decryption
+                key.private_decrypt(data)
+              when String # symmetric Decryption
+                cipher = aes_cipher(:decrypt, :ECB, key, nil)
+                cipher.update(data) + cipher.final
+              end
+            rescue OpenSSL::Cipher::CipherError
+              msg = 'decryption failed, possible incorrect key'
+              raise Errors::DecryptionError, msg
+            end
+          end
+          def decrypt_aes_gcm(key, data, auth_data)
+            # data is iv (12B) + key + tag (16B)
+            buf = data.unpack('C*')
+            iv = buf[0,12].pack('C*') # iv will always be 12 bytes
+            tag = buf[-16, 16].pack('C*') # tag is 16 bytes
+            enc_key = buf[12, buf.size - (12+16)].pack('C*')
+            cipher = aes_cipher(:decrypt, :GCM, key, iv)
+            cipher.auth_tag = tag
+            cipher.auth_data = auth_data
+            cipher.update(enc_key) + cipher.final
+          end
+          # returns the decrypted data + auth_data
+          def decrypt_rsa(key, enc_data)
+            # Plaintext must be KeyLengthInBytes (1 Byte) + DataKey + AuthData
+            buf = key.private_decrypt(enc_data, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING).unpack('C*')
+            key_length = buf[0]
+            data = buf[1, key_length].pack('C*')
+            auth_data = buf[key_length+1, buf.length - key_length].pack('C*')
+            [data, auth_data]
+          end
+          # @param [String] block_mode "CBC" or "ECB"
+          # @param [OpenSSL::PKey::RSA, String, nil] key
+          # @param [String, nil] iv The initialization vector
+          def aes_encryption_cipher(block_mode, key = nil, iv = nil)
+            aes_cipher(:encrypt, block_mode, key, iv)
+          end
+          # @param [String] block_mode "CBC" or "ECB"
+          # @param [OpenSSL::PKey::RSA, String, nil] key
+          # @param [String, nil] iv The initialization vector
+          def aes_decryption_cipher(block_mode, key = nil, iv = nil)
+            aes_cipher(:decrypt, block_mode, key, iv)
+          end
+          # @param [String] mode "encrypt" or "decrypt"
+          # @param [String] block_mode "CBC" or "ECB"
+          # @param [OpenSSL::PKey::RSA, String, nil] key
+          # @param [String, nil] iv The initialization vector
+          def aes_cipher(mode, block_mode, key, iv)
+            ##= ../specification/s3-encryption/encryption.md#alg-aes-256-gcm-iv12-tag16-no-kdf
+            ##% The client MUST initialize the cipher,
+            ##% or call an AES-GCM encryption API, with the plaintext data key, the generated IV,
+            ##% and the tag length defined in the Algorithm Suite
+            ##% when encrypting with ALG_AES_256_GCM_IV12_TAG16_NO_KDF.
+            cipher = key ?
+              OpenSSL::Cipher.new("aes-#{cipher_size(key)}-#{block_mode.downcase}") :
+              OpenSSL::Cipher.new("aes-256-#{block_mode.downcase}")
+            cipher.send(mode) # encrypt or decrypt
+            cipher.key = key if key
+            cipher.iv = iv if iv
+            cipher
+          end
+          # @param [String] key
+          # @return [Integer]
+          # @raise ArgumentError
+          def cipher_size(key)
+            key.bytesize * 8
+          end
+        end
+      end
+    end
+  end
+end