aws-sdk-s3 1.75.0

data/lib/aws-sdk-s3/encryption/decrypt_handler.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class DecryptHandler < Seahorse::Client::Handler
+
+        V1_ENVELOPE_KEYS = %w(
+          x-amz-key
+          x-amz-iv
+          x-amz-matdesc
+        )
+
+        V2_ENVELOPE_KEYS = %w(
+          x-amz-key-v2
+          x-amz-iv
+          x-amz-cek-alg
+          x-amz-wrap-alg
+          x-amz-matdesc
+        )
+
+        POSSIBLE_ENVELOPE_KEYS = (V1_ENVELOPE_KEYS + V2_ENVELOPE_KEYS).uniq
+
+        POSSIBLE_ENCRYPTION_FORMATS = %w(
+          AES/GCM/NoPadding
+          AES/CBC/PKCS5Padding
+          AES/CBC/PKCS7Padding
+        )
+
+        def call(context)
+          attach_http_event_listeners(context)
+          apply_cse_user_agent(context)
+          @handler.call(context)
+        end
+
+        private
+
+        def attach_http_event_listeners(context)
+
+          context.http_response.on_headers(200) do
+            cipher = decryption_cipher(context)
+            decrypter = body_contains_auth_tag?(context) ?
+              authenticated_decrypter(context, cipher) :
+              IODecrypter.new(cipher, context.http_response.body)
+            context.http_response.body = decrypter
+          end
+
+          context.http_response.on_success(200) do
+            decrypter = context.http_response.body
+            decrypter.finalize
+            decrypter.io.rewind if decrypter.io.respond_to?(:rewind)
+            context.http_response.body = decrypter.io
+          end
+
+          context.http_response.on_error do
+            if context.http_response.body.respond_to?(:io)
+              context.http_response.body = context.http_response.body.io
+            end
+          end
+        end
+
+        def decryption_cipher(context)
+          if envelope = get_encryption_envelope(context)
+            context[:encryption][:cipher_provider].decryption_cipher(envelope)
+          else
+            raise Errors::DecryptionError, "unable to locate encryption envelope"
+          end
+        end
+
+        def get_encryption_envelope(context)
+          if context[:encryption][:envelope_location] == :metadata
+            envelope_from_metadata(context) || envelope_from_instr_file(context)
+          else
+            envelope_from_instr_file(context) || envelope_from_metadata(context)
+          end
+        end
+
+        def envelope_from_metadata(context)
+          possible_envelope = {}
+          POSSIBLE_ENVELOPE_KEYS.each do |suffix|
+            if value = context.http_response.headers["x-amz-meta-#{suffix}"]
+              possible_envelope[suffix] = value
+            end
+          end
+          extract_envelope(possible_envelope)
+        end
+
+        def envelope_from_instr_file(context)
+          suffix = context[:encryption][:instruction_file_suffix]
+          possible_envelope = Json.load(context.client.get_object(
+            bucket: context.params[:bucket],
+            key: context.params[:key] + suffix
+          ).body.read)
+          extract_envelope(possible_envelope)
+        rescue S3::Errors::ServiceError, Json::ParseError
+          nil
+        end
+
+        def extract_envelope(hash)
+          return v1_envelope(hash) if hash.key?('x-amz-key')
+          return v2_envelope(hash) if hash.key?('x-amz-key-v2')
+          if hash.keys.any? { |key| key.match(/^x-amz-key-(.+)$/) }
+            msg = "unsupported envelope encryption version #{$1}"
+            raise Errors::DecryptionError, msg
+          else
+            nil # no envelope found
+          end
+        end
+
+        def v1_envelope(envelope)
+          envelope
+        end
+
+        def v2_envelope(envelope)
+          unless POSSIBLE_ENCRYPTION_FORMATS.include? envelope['x-amz-cek-alg']
+            alg = envelope['x-amz-cek-alg'].inspect
+            msg = "unsupported content encrypting key (cek) format: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless envelope['x-amz-wrap-alg'] == 'kms'
+            # possible to support
+            #   RSA/ECB/OAEPWithSHA-256AndMGF1Padding
+            alg = envelope['x-amz-wrap-alg'].inspect
+            msg = "unsupported key wrapping algorithm: #{alg}"
+            raise Errors::DecryptionError, msg
+          end
+          unless V2_ENVELOPE_KEYS.sort == envelope.keys.sort
+            msg = "incomplete v2 encryption envelope:\n"
+            msg += "  expected: #{V2_ENVELOPE_KEYS.join(',')}\n"
+            msg += "  got: #{envelope_keys.join(', ')}"
+            raise Errors::DecryptionError, msg
+          end
+          envelope
+        end
+
+        # When the x-amz-meta-x-amz-tag-len header is present, it indicates
+        # that the body of this object has a trailing auth tag. The header
+        # indicates the length of that tag.
+        #
+        # This method fetches the tag from the end of the object by
+        # making a GET Object w/range request. This auth tag is used
+        # to initialize the cipher, and the decrypter truncates the
+        # auth tag from the body when writing the final bytes.
+        def authenticated_decrypter(context, cipher)
+          if RUBY_VERSION.match(/1.9/)
+            raise "authenticated decryption not supported by OpeenSSL in Ruby version ~> 1.9"
+            raise Aws::Errors::NonSupportedRubyVersionError, msg
+          end
+          http_resp = context.http_response
+          content_length = http_resp.headers['content-length'].to_i
+          auth_tag_length = http_resp.headers['x-amz-meta-x-amz-tag-len']
+          auth_tag_length = auth_tag_length.to_i / 8
+
+          auth_tag = context.client.get_object(
+            bucket: context.params[:bucket],
+            key: context.params[:key],
+            range: "bytes=-#{auth_tag_length}"
+          ).body.read
+
+          cipher.auth_tag = auth_tag
+          cipher.auth_data = ''
+
+          # The encrypted object contains both the cipher text
+          # plus a trailing auth tag. This decrypter will the body
+          # expect for the trailing auth tag.
+          IOAuthDecrypter.new(
+            io: http_resp.body,
+            encrypted_content_length: content_length - auth_tag_length,
+            cipher: cipher)
+        end
+
+        def body_contains_auth_tag?(context)
+          context.http_response.headers['x-amz-meta-x-amz-tag-len']
+        end
+
+        def apply_cse_user_agent(context)
+          if context.config.user_agent_suffix.nil?
+            context.config.user_agent_suffix = 'CSE_V1'
+          elsif !context.config.user_agent_suffix.include? 'CSE_V1'
+            context.config.user_agent_suffix += ' CSE_V1'
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/default_cipher_provider.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class DefaultCipherProvider
+
+        def initialize(options = {})
+          @key_provider = options[:key_provider]
+        end
+
+        # @return [Array<Hash,Cipher>] Creates an returns a new encryption
+        #   envelope and encryption cipher.
+        def encryption_cipher
+          cipher = Utils.aes_encryption_cipher(:CBC)
+          envelope = {
+            'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
+            'x-amz-iv' => encode64(envelope_iv(cipher)),
+            'x-amz-matdesc' => materials_description,
+          }
+          [envelope, cipher]
+        end
+
+        # @return [Cipher] Given an encryption envelope, returns a
+        #   decryption cipher.
+        def decryption_cipher(envelope)
+          master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
+          key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
+          iv = decode64(envelope['x-amz-iv'])
+          Utils.aes_decryption_cipher(:CBC, key, iv)
+        end
+
+        private
+
+        def envelope_key(cipher)
+          cipher.key = cipher.random_key
+        end
+
+        def envelope_iv(cipher)
+          cipher.iv = cipher.random_iv
+        end
+
+        def encrypt(data)
+          Utils.encrypt(@key_provider.encryption_materials.key, data)
+        end
+
+        def materials_description
+          @key_provider.encryption_materials.description
+        end
+
+        def encode64(str)
+          Base64.encode64(str).split("\n") * ""
+        end
+
+        def decode64(str)
+          Base64.decode64(str)
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/default_key_provider.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Encryption
+
+      # The default key provider is constructed with a single key
+      # that is used for both encryption and decryption, ignoring
+      # the possible per-object envelope encryption materials description.
+      # @api private
+      class DefaultKeyProvider
+
+        include KeyProvider
+
+        # @option options [required, OpenSSL::PKey::RSA, String] :encryption_key
+        #   The master key to use for encrypting objects.
+        # @option options [String<JSON>] :materials_description ('{}')
+        #   A description of the encryption key.
+        def initialize(options = {})
+          @encryption_materials = Materials.new(
+            key: options[:encryption_key],
+            description: options[:materials_description] || '{}'
+          )
+        end
+
+        # @return [Materials]
+        def encryption_materials
+          @encryption_materials
+        end
+
+        # @param [String<JSON>] materials_description
+        # @return Returns the key given in the constructor.
+        def key_for(materials_description)
+          @encryption_materials.key
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/encrypt_handler.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class EncryptHandler < Seahorse::Client::Handler
+
+        def call(context)
+          envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
+          apply_encryption_envelope(context, envelope, cipher)
+          apply_encryption_cipher(context, cipher)
+          apply_cse_user_agent(context)
+          @handler.call(context)
+        end
+
+        private
+
+        def apply_encryption_envelope(context, envelope, cipher)
+          context[:encryption][:cipher] = cipher
+          if context[:encryption][:envelope_location] == :metadata
+            context.params[:metadata] ||= {}
+            context.params[:metadata].update(envelope)
+          else # :instruction_file
+            suffix = context[:encryption][:instruction_file_suffix]
+            context.client.put_object(
+              bucket: context.params[:bucket],
+              key: context.params[:key] + suffix,
+              body: Json.dump(envelope)
+            )
+          end
+        end
+
+        def apply_encryption_cipher(context, cipher)
+          io = context.params[:body] || ''
+          io = StringIO.new(io) if String === io
+          context.params[:body] = IOEncrypter.new(cipher, io)
+          context.params[:metadata] ||= {}
+          context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
+          if md5 = context.params.delete(:content_md5)
+            context.params[:metadata]['x-amz-unencrypted-content-md5'] = md5
+          end
+          context.http_response.on_headers do
+            context.params[:body].close
+          end
+        end
+
+        def apply_cse_user_agent(context)
+          if context.config.user_agent_suffix.nil?
+            context.config.user_agent_suffix = 'CSE_V1'
+          elsif !context.config.user_agent_suffix.include? 'CSE_V1'
+            context.config.user_agent_suffix += ' CSE_V1'
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/errors.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Encryption
+      module Errors
+
+        class DecryptionError < RuntimeError; end
+
+        class EncryptionError < RuntimeError; end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/io_auth_decrypter.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class IOAuthDecrypter
+
+        # @option options [required, IO#write] :io
+        #   An IO-like object that responds to {#write}.
+        # @option options [required, Integer] :encrypted_content_length
+        #   The number of bytes to decrypt from the `:io` object.
+        #   This should be the total size of `:io` minus the length of
+        #   the cipher auth tag.
+        # @option options [required, OpenSSL::Cipher] :cipher An initialized
+        #   cipher that can be used to decrypt the bytes as they are
+        #   written to the `:io` object. The cipher should already have
+        #   its `#auth_tag` set.
+        def initialize(options = {})
+          @decrypter = IODecrypter.new(options[:cipher], options[:io])
+          @max_bytes = options[:encrypted_content_length]
+          @bytes_written = 0
+        end
+
+        def write(chunk)
+          chunk = truncate_chunk(chunk)
+          if chunk.bytesize > 0
+            @bytes_written += chunk.bytesize
+            @decrypter.write(chunk)
+          end
+        end
+
+        def finalize
+          @decrypter.finalize
+        end
+
+        def io
+          @decrypter.io
+        end
+
+        private
+
+        def truncate_chunk(chunk)
+          if chunk.bytesize + @bytes_written <= @max_bytes
+            chunk
+          elsif @bytes_written < @max_bytes
+            chunk[0..(@max_bytes - @bytes_written - 1)]
+          else
+            # If the tag was sent over after the full body has been read,
+            # we don't want to accidentally append it.
+            ""
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/io_decrypter.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Encryption
+      # @api private
+      class IODecrypter
+
+        # @param [OpenSSL::Cipher] cipher
+        # @param [IO#write] io An IO-like object that responds to `#write`.
+        def initialize(cipher, io)
+          @cipher = cipher.clone
+          # Ensure that IO is reset between retries
+          @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
+        end
+
+        # @return [#write]
+        attr_reader :io
+
+        def write(chunk)
+          # decrypt and write
+          @io.write(@cipher.update(chunk))
+        end
+
+        def finalize
+          @io.write(@cipher.final)
+        end
+
+        def size
+          @io.size
+        end
+
+      end
+    end
+  end
+end