aws-sdk-s3 1.69.0 → 1.69.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42108655e1496a1ce6df9db9b19ea1733e1c2d3710b70d8a27bb6c8b562fb307
-  data.tar.gz: 2b759d809937dc65075c1e193ce71972de3ce592ac7d6d01d782e1eb401e6b1e
+  metadata.gz: 71499a1c36cb061a8fb6b48a61fba9eec3985149a0e3effb810f8bf45e89f8db
+  data.tar.gz: 05e2a7de980f2c579b09688d1301326ce8a5df60bb9f3487a0ff21486afb58e6
 SHA512:
-  metadata.gz: d0342f210f9a406650291b5cc4a27315d39c142d042609362bc16b3ef20eafa2915243a7f72dcd3a84a81bcdc0e1209f76b440cddf3acd88dc62ce66cc6f67fb
-  data.tar.gz: e3090d0ea9210596cb6eaa93b95ad43fb8784de81b249ebe8e8db33fb97763e281192f593a0f07bf224fa820ec5d0ea5f225368d9e396982f10a9c3e8a528f91
+  metadata.gz: 522caf62fdf5130b9e8f19da2c06841074ea7da04c15c9e2731992cadc9fcd7372a0705db07902bd672ea48d7b47703876f0f679c402330f13fb33120f6e4478
+  data.tar.gz: 977b14327746226f9abb50cc7984f23abfa6526b6a3b10360c5e1827d4b38166c827290ca416e109a58bebf5debecdb4effc7dbc316c22e921a004720cad8e63

data/lib/aws-sdk-s3.rb

@@ -68,6 +68,6 @@ require_relative 'aws-sdk-s3/event_streams'
 # @service
 module Aws::S3
 
-  GEM_VERSION = '1.69.0'
+  GEM_VERSION = '1.69.1'
 
 end

data/lib/aws-sdk-s3/client.rb

@@ -11670,7 +11670,7 @@ module Aws::S3
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-s3'
-      context[:gem_version] = '1.69.0'
+      context[:gem_version] = '1.69.1'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-s3/encryptionV2/client.rb

@@ -252,16 +252,22 @@ module Aws
         # Uploads an object to Amazon S3, encrypting data client-side.
         # See {S3::Client#put_object} for documentation on accepted
         # request parameters.
+        # @option params [Hash] :kms_encryption_context Additional encryption
+        #   context to use with KMS.  Applies only when KMS is used. In order
+        #   to decrypt the object you will need to provide the identical
+        #   :kms_encryption_context to `get_object`.
         # @option (see S3::Client#put_object)
         # @return (see S3::Client#put_object)
         # @see S3::Client#put_object
         def put_object(params = {})
+          kms_encryption_context = params.delete(:kms_encryption_context)
           req = @client.build_request(:put_object, params)
           req.handlers.add(EncryptHandler, priority: 95)
           req.context[:encryption] = {
             cipher_provider: @cipher_provider,
             envelope_location: @envelope_location,
             instruction_file_suffix: @instruction_file_suffix,
+            kms_encryption_context: kms_encryption_context
           }
           req.send_request
         end
@@ -274,6 +280,8 @@ module Aws
         #   envelope. You should not set this option when the envelope
         #   is stored in the object metadata. Defaults to
         #   {#instruction_file_suffix}.
+        # @option params [Hash] :kms_encryption_context Additional encryption
+        #   context to use with KMS.  Applies only when KMS is used.
         # @option params [String] :instruction_file_suffix
         # @option (see S3::Client#get_object)
         # @return (see S3::Client#get_object)
@@ -284,12 +292,14 @@ module Aws
             raise NotImplementedError, '#get_object with :range not supported'
           end
           envelope_location, instruction_file_suffix = envelope_options(params)
+          kms_encryption_context = params.delete(:kms_encryption_context)
           req = @client.build_request(:get_object, params)
           req.handlers.add(DecryptHandler)
           req.context[:encryption] = {
             cipher_provider: @cipher_provider,
             envelope_location: envelope_location,
             instruction_file_suffix: instruction_file_suffix,
+            kms_encryption_context: kms_encryption_context
           }
           req.send_request(target: block)
         end

data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb

@@ -72,8 +72,12 @@ module Aws
 
         def decryption_cipher(context)
           if envelope = get_encryption_envelope(context)
-            [context[:encryption][:cipher_provider].decryption_cipher(envelope),
-             envelope]
+            cipher = context[:encryption][:cipher_provider]
+             .decryption_cipher(
+               envelope,
+               kms_encryption_context: context[:encryption][:kms_encryption_context]
+             )
+            [cipher, envelope]
           else
             raise Errors::DecryptionError, "unable to locate encryption envelope"
           end

data/lib/aws-sdk-s3/encryptionV2/default_cipher_provider.rb

@@ -12,7 +12,7 @@ module Aws
 
         # @return [Array<Hash,Cipher>] Creates an returns a new encryption
         #   envelope and encryption cipher.
-        def encryption_cipher
+        def encryption_cipher(options = {})
           cipher = Utils.aes_encryption_cipher(:GCM)
           cek_alg = 'AES/GCM/NoPadding'
           if @key_provider.encryption_materials.key.is_a? OpenSSL::PKey::RSA
@@ -36,15 +36,14 @@ module Aws
 
         # @return [Cipher] Given an encryption envelope, returns a
         #   decryption cipher.
-        def decryption_cipher(envelope)
+        def decryption_cipher(envelope, options = {})
+          master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
           if envelope.key? 'x-amz-key'
             # Support for decryption of legacy objects
-            master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
             key = Utils.decrypt(master_key, decode64(envelope['x-amz-key']))
             iv = decode64(envelope['x-amz-iv'])
             Utils.aes_decryption_cipher(:CBC, key, iv)
           else
-            master_key = @key_provider.key_for(envelope['x-amz-matdesc'])
             if envelope['x-amz-cek-alg'] != 'AES/GCM/NoPadding'
               raise ArgumentError, 'Unsupported cek-alg: ' \
                 "#{envelope['x-amz-cek-alg']}"

data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb

@@ -11,7 +11,10 @@ module Aws
             raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
             raise Aws::Errors::NonSupportedRubyVersionError, msg
           end
-          envelope, cipher = context[:encryption][:cipher_provider].encryption_cipher
+          envelope, cipher = context[:encryption][:cipher_provider]
+           .encryption_cipher(
+             kms_encryption_context: context[:encryption][:kms_encryption_context]
+           )
           context[:encryption][:cipher] = cipher
           apply_encryption_envelope(context, envelope)
           apply_encryption_cipher(context, cipher)

data/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb

@@ -7,7 +7,7 @@ module Aws
         # @param [OpenSSL::Cipher] cipher
         # @param [IO#write] io An IO-like object that responds to `#write`.
         def initialize(cipher, io)
-          @cipher = cipher.clone
+          @cipher = cipher
           # Ensure that IO is reset between retries
           @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
         end

data/lib/aws-sdk-s3/encryptionV2/kms_cipher_provider.rb

@@ -13,15 +13,13 @@ module Aws
 
         # @return [Array<Hash,Cipher>] Creates and returns a new encryption
         #   envelope and encryption cipher.
-        def encryption_cipher
+        def encryption_cipher(options = {})
           cek_alg = 'AES/GCM/NoPadding'
-          encryption_context = {
-            'aws:x-amz-cek-alg' => cek_alg
-          }
+          encryption_context = build_encryption_context(cek_alg, options)
           key_data = @kms_client.generate_data_key(
             key_id: @kms_key_id,
             encryption_context: encryption_context,
-            key_spec: 'AES_256',
+            key_spec: 'AES_256'
           )
           cipher = Utils.aes_encryption_cipher(:GCM)
           cipher.key = key_data.plaintext
@@ -39,18 +37,27 @@ module Aws
 
         # @return [Cipher] Given an encryption envelope, returns a
         #   decryption cipher.
-        def decryption_cipher(envelope)
+        def decryption_cipher(envelope, options={})
           encryption_context = Json.load(envelope['x-amz-matdesc'])
-          key = @kms_client.decrypt(
-            ciphertext_blob: decode64(envelope['x-amz-key-v2']),
-            encryption_context: encryption_context
-          ).plaintext
           cek_alg = envelope['x-amz-wrap-alg'] == 'kms+context' ?
             encryption_context['aws:x-amz-cek-alg'] : envelope['x-amz-cek-alg']
           if cek_alg != envelope['x-amz-cek-alg']
             raise Errors::DecryptionError, 'Value of cek-alg from envelope'\
               ' does not match the value in the encryption context'
           end
+
+          if envelope['x-amz-wrap-alg'] == 'kms+context' &&
+            encryption_context != build_encryption_context(cek_alg, options)
+            raise Errors::DecryptionError, 'Value of encryption context from'\
+              ' envelope does not match the provided encryption context'
+          end
+
+          key = @kms_client.decrypt(
+            ciphertext_blob: decode64(envelope['x-amz-key-v2']),
+            encryption_context: encryption_context
+          ).plaintext
+
+
           iv = decode64(envelope['x-amz-iv'])
           block_mode =
             case cek_alg
@@ -70,6 +77,14 @@ module Aws
 
         private
 
+        def build_encryption_context(cek_alg, options = {})
+          kms_context = (options[:kms_encryption_context] || {})
+            .each_with_object({}) { |(k, v), h| h[k.to_s] = v }
+          {
+            'aws:x-amz-cek-alg' => cek_alg
+          }.merge(kms_context)
+        end
+
         def encode64(str)
           Base64.encode64(str).split("\n") * ""
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-s3
 version: !ruby/object:Gem::Version
-  version: 1.69.0
+  version: 1.69.1
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-18 00:00:00.000000000 Z
+date: 2020-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-kms