From 4e5cda58b0156ad21d0fb6c17b7e965f8fe7736f Mon Sep 17 00:00:00 2001 From: Alex Woods Date: Fri, 7 Aug 2020 17:46:22 -0700 Subject: [PATCH 1/3] Fix Jruby issue --- .../services/s3/encryption/decrypt_handler.rb | 16 ++++++++++++++-- .../services/s3/encryption/io_decrypter.rb | 13 +++++++------ .../spec/services/s3/encryption/client_spec.rb | 5 +---- 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb index 077188fda62..ff36f3f6566 100644 --- a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb +++ b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb @@ -7,6 +7,7 @@ module S3 module Encryption # @api private class DecryptHandler < Seahorse::Client::Handler + @@warned_response_target_proc = false V1_ENVELOPE_KEYS = %w( x-amz-key @@ -45,6 +46,17 @@ class DecryptHandler < Seahorse::Client::Handler def call(context) attach_http_event_listeners(context) apply_cse_user_agent(context) + + if context[:response_target].is_a?(Proc) && !@@warned_response_target_proc + @@warned_response_target_proc = true + warn(':response_target is a Proc, or a block was provided. ' \ + 'Read the entire object to the ' \ + 'end before you start using the decrypted data. This is to ' \ + 'verify that the object has not been modified since it ' \ + 'was encrypted.') + + end + @handler.call(context) end @@ -75,11 +87,11 @@ def attach_http_event_listeners(context) end def decryption_cipher(context) - if envelope = get_encryption_envelope(context) + if (envelope = get_encryption_envelope(context)) cipher = context[:encryption][:cipher_provider] .decryption_cipher( envelope, - kms_encryption_context: context[:encryption][:kms_encryption_context] + context[:encryption] ) [cipher, envelope] else 
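Review bot: The guard added to `call` prints the warning only once per process, so it is the sole runtime signal that a Proc or block target is handed decrypted chunks before the object has been verified (as the warning text itself implies), and every later request with a block passes silently. The message goes through `warn`, which prints nothing when warnings are disabled (for example under `ruby -W0`), so this should also be stated in the code and the docs. I would add a comment next to the check, e.g. `# Streaming targets see plaintext before the final integrity check; the warning below is printed once per process.`, and repeat the caveat in the public `get_object` documentation. The flag is a `@@` class variable with an unsynchronised test-and-set, so concurrent first calls may print the message more than once; that is harmless here, but a class-level instance variable would keep the state out of subclasses.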
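Review bot: The call in `decryption_cipher` now hands the provider the whole `context[:encryption]` hash as a positional argument where it used to pass only `kms_encryption_context:` as a keyword, so every cipher provider's `decryption_cipher` must accept the new second parameter, and the hash it receives also contains `:cipher_provider` itself. The provider implementations are not part of this patch, so I cannot confirm their signatures were changed to match; one that still declares only the keyword would most likely fail with ArgumentError. A comment above the call would make the contract explicit, e.g. `# Second argument is the request's :encryption options hash; providers presumably read :kms_encryption_context from it.` The body of `decryption_cipher` continues past the end of the hunk.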
diff --git a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb index 32e59f6ff82..2e439179780 100644 --- a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb +++ b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb @@ -9,9 +9,10 @@ class IODecrypter # @param [OpenSSL::Cipher] cipher # @param [IO#write] io An IO-like object that responds to `#write`. def initialize(cipher, io) - @cipher = cipher.clone + @cipher = cipher # Ensure that IO is reset between retries @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) } + @cipher_buffer = String.new end # @return [#write] @@ -19,17 +20,17 @@ def initialize(cipher, io) def write(chunk) # decrypt and write - @io.write(@cipher.update(chunk)) + if @cipher.method(:update).arity == 1 + @io.write(@cipher.update(chunk)) + else + @io.write(@cipher.update(chunk, @cipher_buffer)) + end end def finalize @io.write(@cipher.final) end - def size - @io.size - end - end end end diff --git a/aws-sdk-resources/spec/services/s3/encryption/client_spec.rb b/aws-sdk-resources/spec/services/s3/encryption/client_spec.rb index 3994f438e7a..04b8669445d 100644 --- a/aws-sdk-resources/spec/services/s3/encryption/client_spec.rb +++ b/aws-sdk-resources/spec/services/s3/encryption/client_spec.rb @@ -608,11 +608,8 @@ def stub_encrypted_get_with_instruction_file(sfx = '.instruction') "\x8E\x0E\xC0\xD5\x1A\x88\xAF2\xB1\xEEg#\x15" end - if !ENV['TRAVIS'] && RUBY_VERSION > '1.9.3' + if !ENV['TRAVIS'] && RUBY_VERSION > '1.9.3' && OpenSSL::Cipher.ciphers.include?('aes-256-gcm') it 'supports decryption via KMS w/ GCM' do - unless OpenSSL::Cipher.ciphers.include?('aes-256-gcm') - pending('aes-256-gcm not supported') - end kms_client.stub_responses( :decrypt, plaintext: plaintext_object_key ) From af8f62fb25d3d003947acf362f846bb8166b3b23 Mon Sep 17 00:00:00 2001 
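Review bot: Dropping `.clone` in `initialize` means IODecrypter now advances the caller's cipher object rather than a private copy, while the comment on the following line still only covers resetting the IO between retries. If a retried request ever builds a second IODecrypter from the same cipher, the state left by the partial first attempt would carry into the retry and the output or the final check would be wrong; whether callers create a fresh cipher per attempt is not visible in this hunk. I would state the requirement in the parameter docs, e.g. `# @param [OpenSSL::Cipher] cipher A fresh cipher for this attempt; it is used directly, not copied.` The class body continues outside the hunk.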
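Review bot: In `write`, the two-argument branch passes the same `@cipher_buffer` String to `@io.write` for every chunk, so a writer that keeps a reference to what it is given (a block target collecting chunks, for instance) would see earlier chunks overwritten by later ones. Whether any IO wrapper in this code base retains the string is not visible here, so either document that writers must copy what they keep or hand out a copy on that branch: `@io.write(@cipher.update(chunk, @cipher_buffer).dup)`. The `@cipher.method(:update).arity` lookup also runs for every chunk and could be computed once in `initialize`. The hunk removes `size` as well; callers are outside this patch, so it is worth confirming nothing still asks the decrypter for its size.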
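Review bot: Folding the `aes-256-gcm` check into the surrounding `if` removes the `pending` report, so on a runtime without GCM the example is never defined and the run gives no sign that the KMS/GCM decryption path went untested. For a test that covers the authenticated-decryption path, a visible marker is worth keeping; if the suite's RSpec version provides it, `skip('aes-256-gcm not supported') unless OpenSSL::Cipher.ciphers.include?('aes-256-gcm')` as the first line of the example keeps the gap in the report. The `it` block continues outside the hunk.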
From: Alex Woods Date: Fri, 7 Aug 2020 18:05:17 -0700 Subject: [PATCH 2/3] Fix docs formatting --- .../aws-sdk-resources/services/s3/encryption/decrypt_handler.rb | 1 - .../lib/aws-sdk-resources/services/s3/encryptionV2/client.rb | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb index ff36f3f6566..10d638978ac 100644 --- a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb +++ b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb @@ -54,7 +54,6 @@ def call(context) 'end before you start using the decrypted data. This is to ' \ 'verify that the object has not been modified since it ' \ 'was encrypted.') - end @handler.call(context) diff --git a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb index d17bc952239..9e23d39f749 100644 --- a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb +++ b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb @@ -234,6 +234,7 @@ class Client def_delegators :@client, :config, :delete_object, :head_object, :build_request # Creates a new encryption client. You must configure all of the following: + # # * a key or key provider - The key provided also determines the key wrapping # schema(s) supported for both encryption and decryption. # * `key_wrap_schema` - The key wrapping schema. It must match the type of key configured. From ffafe10aebd1e8fd5d2aaead1ead5413e41bbcaf Mon Sep 17 00:00:00 2001 From: Alex Woods Date: Fri, 7 Aug 2020 18:09:28 -0700 Subject: [PATCH 3/3] More doc formats --- .../lib/aws-sdk-resources/services/s3/encryptionV2/client.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb index 9e23d39f749..4fb2b645f85 100644 --- a/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb +++ b/aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb @@ -71,6 +71,7 @@ module S3 # ## Required Configuration # # You must configure all of the following: + # # * a key or key provider - See the Keys section below. The key provided determines # the key wrapping schema(s) supported for both encryption and decryption. # * `key_wrap_schema` - The key wrapping schema. It must match the type of key configured. @@ -388,7 +389,7 @@ def put_object(params = {}) # @option (see S3::Client#get_object) # @return (see S3::Client#get_object) # @see S3::Client#get_object - # @note The `:range` request parameter is not yet supported. + # @note The `:range` request parameter is not supported. def get_object(params = {}, &block) if params[:range] raise NotImplementedError, '#get_object with :range not supported'