aws-sdk-s3 1.69.0 → 1.69.1

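--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 42108655e1496a1ce6df9db9b19ea1733e1c2d3710b70d8a27bb6c8b562fb307
- data.tar.gz: 2b759d809937dc65075c1e193ce71972de3ce592ac7d6d01d782e1eb401e6b1e
+ metadata.gz: 71499a1c36cb061a8fb6b48a61fba9eec3985149a0e3effb810f8bf45e89f8db
+ data.tar.gz: 05e2a7de980f2c579b09688d1301326ce8a5df60bb9f3487a0ff21486afb58e6
  SHA512:
- metadata.gz: d0342f210f9a406650291b5cc4a27315d39c142d042609362bc16b3ef20eafa2915243a7f72dcd3a84a81bcdc0e1209f76b440cddf3acd88dc62ce66cc6f67fb
- data.tar.gz: e3090d0ea9210596cb6eaa93b95ad43fb8784de81b249ebe8e8db33fb97763e281192f593a0f07bf224fa820ec5d0ea5f225368d9e396982f10a9c3e8a528f91
+ metadata.gz: 522caf62fdf5130b9e8f19da2c06841074ea7da04c15c9e2731992cadc9fcd7372a0705db07902bd672ea48d7b47703876f0f679c402330f13fb33120f6e4478
+ data.tar.gz: 977b14327746226f9abb50cc7984f23abfa6526b6a3b10360c5e1827d4b38166c827290ca416e109a58bebf5debecdb4effc7dbc316c22e921a004720cad8e63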
@@ -68,6 +68,6 @@ require_relative 'aws-sdk-s3/event_streams'
68
68
  # @service
69
69
  module Aws::S3
70
70
 
71
- GEM_VERSION = '1.69.0'
71
+ GEM_VERSION = '1.69.1'
72
72
 
73
73
  end
@@ -11670,7 +11670,7 @@ module Aws::S3
11670
11670
  params: params,
11671
11671
  config: config)
11672
11672
  context[:gem_name] = 'aws-sdk-s3'
11673
- context[:gem_version] = '1.69.0'
11673
+ context[:gem_version] = '1.69.1'
11674
11674
  Seahorse::Client::Request.new(handlers, context)
11675
11675
  end
11676
11676
 
@@ -252,16 +252,22 @@ module Aws
252
252
  # Uploads an object to Amazon S3, encrypting data client-side.
253
253
  # See {S3::Client#put_object} for documentation on accepted
254
254
  # request parameters.
255
+ # @option params [Hash] :kms_encryption_context Additional encryption
256
+ # context to use with KMS. Applies only when KMS is used. In order
257
+ # to decrypt the object you will need to provide the identical
258
+ # :kms_encryption_context to `get_object`.
255
259
  # @option (see S3::Client#put_object)
256
260
  # @return (see S3::Client#put_object)
257
261
  # @see S3::Client#put_object
258
262
  def put_object(params = {})
263
+ kms_encryption_context = params.delete(:kms_encryption_context)
259
264
  req = @client.build_request(:put_object, params)
260
265
  req.handlers.add(EncryptHandler, priority: 95)
261
266
  req.context[:encryption] = {
262
267
  cipher_provider: @cipher_provider,
263
268
  envelope_location: @envelope_location,
264
269
  instruction_file_suffix: @instruction_file_suffix,
270
+ kms_encryption_context: kms_encryption_context
265
271
  }
266
272
  req.send_request
267
273
  end
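Review bot: `params.delete(:kms_encryption_context)` in put_object, and the same line in the later get_object hunk, removes the key from the hash the caller passed in. A caller that keeps one params hash and reuses it for a second put_object would, as far as these hunks show, encrypt the second object without the extra context and get no error, so that object ends up bound only to the default context. Working on a copy avoids this: `params = params.dup` as the first statement of each method, before the delete. get_object begins above its hunk and `envelope_options(params)` is not visible here, so it may already mutate params in the same way; the copy would cover that too.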
@@ -274,6 +280,8 @@ module Aws
274
280
  # envelope. You should not set this option when the envelope
275
281
  # is stored in the object metadata. Defaults to
276
282
  # {#instruction_file_suffix}.
283
+ # @option params [Hash] :kms_encryption_context Additional encryption
284
+ # context to use with KMS. Applies only when KMS is used.
277
285
  # @option params [String] :instruction_file_suffix
278
286
  # @option (see S3::Client#get_object)
279
287
  # @return (see S3::Client#get_object)
@@ -284,12 +292,14 @@ module Aws
284
292
  raise NotImplementedError, '#get_object with :range not supported'
285
293
  end
286
294
  envelope_location, instruction_file_suffix = envelope_options(params)
295
+ kms_encryption_context = params.delete(:kms_encryption_context)
287
296
  req = @client.build_request(:get_object, params)
288
297
  req.handlers.add(DecryptHandler)
289
298
  req.context[:encryption] = {
290
299
  cipher_provider: @cipher_provider,
291
300
  envelope_location: envelope_location,
292
301
  instruction_file_suffix: instruction_file_suffix,
302
+ kms_encryption_context: kms_encryption_context
293
303
  }
294
304
  req.send_request(target: block)
295
305
  end
@@ -72,8 +72,12 @@ module Aws
72
72
 
73
73
  def decryption_cipher(context)
74
74
  if envelope = get_encryption_envelope(context)
75
- [context[:encryption][:cipher_provider].decryption_cipher(envelope),
76
- envelope]
75
+ cipher = context[:encryption][:cipher_provider]
76
+ .decryption_cipher(
77
+ envelope,
78
+ kms_encryption_context: context[:encryption][:kms_encryption_context]
79
+ )
80
+ [cipher, envelope]
77
81
  else
78
82
  raise Errors::DecryptionError, "unable to locate encryption envelope"
79
83
  end
@@ -12,7 +12,7 @@ module Aws
12
12
 
13
13
  # @return [Array<Hash,Cipher>] Creates an returns a new encryption
14
14
  # envelope and encryption cipher.
15
- def encryption_cipher
15
+ def encryption_cipher(options = {})
16
16
  cipher = Utils.aes_encryption_cipher(:GCM)
17
17
  cek_alg = 'AES/GCM/NoPadding'
18
18
  if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
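Review bot: `options` is added to `encryption_cipher` here and to `decryption_cipher` in the next hunk, but nothing in the visible lines reads it, so a `:kms_encryption_context` passed together with a non-KMS key is dropped without any signal. A caller may then believe the object is bound to that context when it is not. Either document it on both methods, e.g. `# @param [Hash] options accepted for interface parity; :kms_encryption_context is ignored by this provider`, or reject it with `raise ArgumentError, ':kms_encryption_context requires a KMS key' if options[:kms_encryption_context]`. Both method bodies continue outside their hunks, so this assumes options is not used further down.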
@@ -36,15 +36,14 @@ module Aws
36
36
 
37
37
  # @return [Cipher] Given an encryption envelope, returns a
38
38
  # decryption cipher.
39
- def decryption_cipher(envelope)
39
+ def decryption_cipher(envelope, options = {})
40
+ master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
40
41
  if envelope.key? 'x-amz-key'
41
42
  # Support for decryption of legacy objects
42
- master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
43
43
  key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
44
44
  iv = decode64(envelope['x-amz-iv'])
45
45
  Utils.aes_decryption_cipher(:CBC, key, iv)
46
46
  else
47
- master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
48
47
  if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
49
48
  raise ArgumentError, 'Unsupported cek-alg: ' \
50
49
  "#{envelope['x-amz-cek-alg']}"
@@ -11,7 +11,10 @@ module Aws
11
11
  raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
12
12
  raise Aws::Errors::NonSupportedRubyVersionError, msg
13
13
  end
14
- envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
14
+ envelope, cipher = context[:encryption][:cipher_provider]
15
+ .encryption_cipher(
16
+ kms_encryption_context: context[:encryption][:kms_encryption_context]
17
+ )
15
18
  context[:encryption][:cipher] = cipher
16
19
  apply_encryption_envelope(context, envelope)
17
20
  apply_encryption_cipher(context, cipher)
@@ -7,7 +7,7 @@ module Aws
7
7
  # @param [OpenSSL::Cipher] cipher
8
8
  # @param [IO#write] io An IO-like object that responds to `#write`.
9
9
  def initialize(cipher, io)
10
- @cipher = cipher.clone
10
+ @cipher = cipher
11
11
  # Ensure that IO is reset between retries
12
12
  @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
13
13
  end
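Review bot: With `.clone` removed, `@cipher` is now the caller's own cipher object, while the comment on the next line still talks about resetting state between retries and only the IO is reset. If a retry builds a new instance around the same cipher, the bytes already fed to it during the failed attempt stay in its state, and the retried plaintext (or the authentication check, where GCM is used) would presumably be wrong. The hunk does not show who creates the cipher, so a fresh one per attempt may already be guaranteed elsewhere; a comment should state that contract, e.g. `# cipher is used as-is, not copied; callers must pass a fresh cipher for each attempt`.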
@@ -13,15 +13,13 @@ module Aws
13
13
 
14
14
  # @return [Array<Hash,Cipher>] Creates and returns a new encryption
15
15
  # envelope and encryption cipher.
16
- def encryption_cipher
16
+ def encryption_cipher(options = {})
17
17
  cek_alg = 'AES/GCM/NoPadding'
18
- encryption_context = {
19
- 'aws:x-amz-cek-alg' => cek_alg
20
- }
18
+ encryption_context = build_encryption_context(cek_alg, options)
21
19
  key_data = @kms_client.generate_data_key(
22
20
  key_id: @kms_key_id,
23
21
  encryption_context: encryption_context,
24
- key_spec: 'AES_256',
22
+ key_spec: 'AES_256'
25
23
  )
26
24
  cipher = Utils.aes_encryption_cipher(:GCM)
27
25
  cipher.key = key_data.plaintext
@@ -39,18 +37,27 @@ module Aws
39
37
 
40
38
  # @return [Cipher] Given an encryption envelope, returns a
41
39
  # decryption cipher.
42
- def decryption_cipher(envelope)
40
+ def decryption_cipher(envelope, options={})
43
41
  encryption_context = Json.load(envelope['x-amz-matdesc'])
44
- key = @kms_client.decrypt(
45
- ciphertext_blob: decode64(envelope['x-amz-key-v2']),
46
- encryption_context: encryption_context
47
- ).plaintext
48
42
  cek_alg = envelope['x-amz-wrap-alg'] == 'kms+context' ?
49
43
  encryption_context['aws:x-amz-cek-alg'] : envelope['x-amz-cek-alg']
50
44
  if cek_alg != envelope['x-amz-cek-alg']
51
45
  raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
52
46
  ' does not match the value in the encryption context'
53
47
  end
48
+
49
+ if envelope['x-amz-wrap-alg'] == 'kms+context' &&
50
+ encryption_context != build_encryption_context(cek_alg, options)
51
+ raise Errors::DecryptionError, 'Value of encryption context from'\
52
+ ' envelope does not match the provided encryption context'
53
+ end
54
+
55
+ key = @kms_client.decrypt(
56
+ ciphertext_blob: decode64(envelope['x-amz-key-v2']),
57
+ encryption_context: encryption_context
58
+ ).plaintext
59
+
60
+
54
61
  iv = decode64(envelope['x-amz-iv'])
55
62
  block_mode =
56
63
  case cek_alg
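Review bot: In `decryption_cipher` the new comparison with the caller's context runs only when `envelope['x-amz-wrap-alg'] == 'kms+context'`, a value read from the stored envelope, so for any other wrap-alg a supplied `:kms_encryption_context` is ignored without error. A caller who passes the option cannot tell whether it was enforced for a given object. Failing closed would make that explicit: `raise Errors::DecryptionError, 'kms_encryption_context given but envelope is not kms+context' if options[:kms_encryption_context] && envelope['x-amz-wrap-alg'] != 'kms+context'`, placed before the `@kms_client.decrypt` call. decryption_cipher continues past the end of this hunk.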
@@ -70,6 +77,14 @@ module Aws
70
77
 
71
78
  private
72
79
 
80
+ def build_encryption_context(cek_alg, options = {})
81
+ kms_context = (options[:kms_encryption_context] || {})
82
+ .each_with_object({}) { |(k, v), h| h[k.to_s] = v }
83
+ {
84
+ 'aws:x-amz-cek-alg' => cek_alg
85
+ }.merge(kms_context)
86
+ end
87
+
73
88
  def encode64(str)
74
89
  Base64.encode64(str).split("\n") * ""
75
90
  end
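Review bot: `build_encryption_context` merges the caller's hash last, so a caller-supplied key named 'aws:x-amz-cek-alg' replaces the reserved entry that ties the content-encryption algorithm to the data key. Reversing the merge keeps the reserved value: `kms_context.merge('aws:x-amz-cek-alg' => cek_alg)`. Rejecting the key outright with an ArgumentError would be stricter and would tell the caller why.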
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-s3
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.69.0
4
+ version: 1.69.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-06-18 00:00:00.000000000 Z
11
+ date: 2020-06-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-kms