Merge branch 'main' into tony/fix-kms-non-optional

Author: texastony

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## [3.3.0](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.2.3...v3.3.0) (2024-10-30)
+
+### Features
+
+* allow configuration of instruction file client, add new top-level client options, disable wrapped multipart upload ([#387](https://github.com/aws/aws-s3-encryption-client-java/issues/387)) ([37e772f](https://github.com/aws/aws-s3-encryption-client-java/commit/37e772f06230efcae618b31767dbd4c59c54a6d4))
+
+### Maintenance
+
+* add ListBucket permission to release role ([#391](https://github.com/aws/aws-s3-encryption-client-java/issues/391)) ([fa1e6cc](https://github.com/aws/aws-s3-encryption-client-java/commit/fa1e6cc981c0ecfef5c5b5c8e65472beedfddf66))
+* **deps-dev:** bump commons-io:commons-io from 2.11.0 to 2.14.0 ([#381](https://github.com/aws/aws-s3-encryption-client-java/issues/381)) ([5e03842](https://github.com/aws/aws-s3-encryption-client-java/commit/5e038421e0757a72590aa6409932abb0f377ba9c))
+
 ## [3.2.3](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.2.2...v3.2.3) (2024-10-04)
 
 ### Fixes

cfn/S3EC-GitHub-CF-Template.yml

@@ -76,6 +76,11 @@ Resources:
       PolicyDocument:
         Version: 2012-10-17
         Statement:
+          - Effect: Allow
+            Action:
+              - 's3:ListBucket'
+            Resource:
+              - !GetAtt S3ECGitHubTestS3Bucket.Arn
           - Effect: Allow
             Action:
               - 's3:PutObject'

cfn/release.yml

@@ -339,6 +339,7 @@ Resources:
             Action:
               - 's3:ListBucket'
             Resource:
+              - !GetAtt S3ECReleaseTestS3Bucket.Arn
               - !GetAtt S3ECReleaseTestS3BucketTestVectors.Arn
 
   S3ECReleaseTestS3BucketAlternate:

pom.xml

@@ -6,7 +6,7 @@
 
   <groupId>software.amazon.encryption.s3</groupId>
   <artifactId>amazon-s3-encryption-client-java</artifactId>
-  <version>3.2.3</version>
+  <version>3.3.0</version>
   <packaging>jar</packaging>
 
   <name>Amazon S3 Encryption Client</name>
@@ -56,7 +56,7 @@
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
-        <version>2.20.38</version>
+        <version>2.28.28</version>
         <optional>true</optional>
         <type>pom</type>
         <scope>import</scope>
@@ -68,7 +68,7 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
-      <version>2.20.38</version>
+      <version>2.28.28</version>
     </dependency>
 
     <dependency>
@@ -81,8 +81,8 @@
     <dependency>
       <groupId>software.amazon.awssdk.crt</groupId>
       <artifactId>aws-crt</artifactId>
-      <version>0.29.24</version>
       <optional>true</optional>
+      <version>0.31.3</version>
     </dependency>
 
     <dependency>
@@ -163,7 +163,7 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sts</artifactId>
-      <version>2.20.38</version>
+      <version>2.28.28</version>
       <optional>true</optional>
       <scope>test</scope>
     </dependency>

src/main/java/software/amazon/encryption/s3/S3AsyncEncryptionClient.java

@@ -30,7 +30,9 @@
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.awssdk.services.s3.model.S3Request;
+import software.amazon.awssdk.services.s3.multipart.MultipartConfiguration;
 import software.amazon.encryption.s3.internal.GetEncryptedObjectPipeline;
+import software.amazon.encryption.s3.internal.InstructionFileConfig;
 import software.amazon.encryption.s3.internal.NoRetriesAsyncRequestBody;
 import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline;
 import software.amazon.encryption.s3.materials.AesKeyring;
@@ -71,6 +73,7 @@ public class S3AsyncEncryptionClient extends DelegatingS3AsyncClient {
     private final boolean _enableDelayedAuthenticationMode;
     private final boolean _enableMultipartPutObject;
     private final long _bufferSize;
+    private InstructionFileConfig _instructionFileConfig;
 
     private S3AsyncEncryptionClient(Builder builder) {
         super(builder._wrappedClient);
@@ -81,6 +84,7 @@ private S3AsyncEncryptionClient(Builder builder) {
         _enableDelayedAuthenticationMode = builder._enableDelayedAuthenticationMode;
         _enableMultipartPutObject = builder._enableMultipartPutObject;
         _bufferSize = builder._bufferSize;
+        _instructionFileConfig = builder._instructionFileConfig;
     }
 
     /**
@@ -147,16 +151,16 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest putObject
     }
 
     private CompletableFuture<PutObjectResponse> multipartPutObject(PutObjectRequest putObjectRequest, AsyncRequestBody requestBody) {
-        S3AsyncClient crtClient;
+        S3AsyncClient mpuClient;
         if (_wrappedClient instanceof S3CrtAsyncClient) {
             // if the wrappedClient is a CRT, use it
-            crtClient = _wrappedClient;
+            mpuClient = _wrappedClient;
         } else {
-            // else create a default one
-            crtClient = S3AsyncClient.crtCreate();
+            // else create a default CRT client
+            mpuClient = S3AsyncClient.crtCreate();
         }
         PutEncryptedObjectPipeline pipeline = PutEncryptedObjectPipeline.builder()
-                .s3AsyncClient(crtClient)
+                .s3AsyncClient(mpuClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
                 .secureRandom(_secureRandom)
                 .build();
@@ -198,6 +202,7 @@ public <T> CompletableFuture<T> getObject(GetObjectRequest getObjectRequest,
                 .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
                 .enableDelayedAuthentication(_enableDelayedAuthenticationMode)
                 .bufferSize(_bufferSize)
+                .instructionFileConfig(_instructionFileConfig)
                 .build();
 
         return pipeline.getObject(getObjectRequest, asyncResponseTransformer);
@@ -257,6 +262,7 @@ public CompletableFuture<DeleteObjectsResponse> deleteObjects(DeleteObjectsReque
     @Override
     public void close() {
         _wrappedClient.close();
+        _instructionFileConfig.closeClient();
     }
 
     // This is very similar to the S3EncryptionClient builder
@@ -275,6 +281,7 @@ public static class Builder implements S3AsyncClientBuilder {
         private Provider _cryptoProvider = null;
         private SecureRandom _secureRandom = new SecureRandom();
         private long _bufferSize = -1L;
+        private InstructionFileConfig _instructionFileConfig = null;
 
         // generic AwsClient configuration to be shared by default clients
         private AwsCredentialsProvider _awsCredentialsProvider = null;
@@ -291,8 +298,12 @@ public static class Builder implements S3AsyncClientBuilder {
         private S3Configuration _serviceConfiguration = null;
         private Boolean _accelerate = null;
         private Boolean _disableMultiRegionAccessPoints = null;
+        private Boolean _disableS3ExpressSessionAuth = null;
         private Boolean _forcePathStyle = null;
         private Boolean _useArnRegion = null;
+        private Boolean _crossRegionAccessEnabled = null;
+        // private Boolean _multipartEnabled = null;
+        // private MultipartConfiguration _multipartConfiguration = null;
 
         private Builder() {
         }
@@ -518,6 +529,18 @@ public Builder secureRandom(SecureRandom secureRandom) {
             return this;
         }
 
+        /**
+         * Sets the Instruction File configuration for the S3 Encryption Client.
+         * The InstructionFileConfig can be used to specify an S3 client to use for retrieval of Instruction files,
+         * or to disable GetObject requests for the instruction file.
+         * @param instructionFileConfig
+         * @return
+         */
+        public Builder instructionFileConfig(InstructionFileConfig instructionFileConfig) {
+            _instructionFileConfig = instructionFileConfig;
+            return this;
+        }
+
         /**
          * The credentials provider to use for all inner clients, including KMS, if a KMS key ID is provided.
          * Note that if a wrapped client is configured, the wrapped client will take precedence over this option.
@@ -696,6 +719,16 @@ public Builder disableMultiRegionAccessPoints(Boolean disableMultiRegionAccessPo
             return this;
         }
 
+        /**
+         * Disables this client's usage of Session Auth for S3Express buckets and reverts to using conventional SigV4 for
+         * those.
+         */
+        @Override
+        public Builder disableS3ExpressSessionAuth(Boolean disableS3ExpressSessionAuth) {
+            _disableS3ExpressSessionAuth = disableS3ExpressSessionAuth;
+            return this;
+        }
+
         /**
          * Forces this client to use path-style addressing for buckets.
          *
@@ -719,6 +752,35 @@ public Builder useArnRegion(Boolean useArnRegion) {
             return this;
         }
 
+        /**
+         * Multipart via the wrapped client is currently NOT supported by the S3 Encryption Client.
+         * Use the {@link Builder#enableMultipartPutObject(boolean)} option instead for high-level multipart uploads.
+         * Multipart downloads are currently NOT supported.
+         */
+        @Override
+        public Builder multipartEnabled(Boolean enabled) {
+            throw new UnsupportedOperationException("The S3 Encryption Client does not support wrapped clients with automatic multipart enabled.");
+        }
+
+        /**
+         * Multipart via the wrapped client is currently NOT supported by the S3 Encryption Client.
+         * Use the {@link Builder#enableMultipartPutObject(boolean)} option instead for high-level multipart uploads.
+         * Multipart downloads are currently NOT supported.
+         */
+        @Override
+        public Builder multipartConfiguration(MultipartConfiguration multipartConfiguration) {
+            throw new UnsupportedOperationException("The S3 Encryption Client does not support wrapped clients with automatic multipart enabled.");
+        }
+
+        /**
+         * Enables cross-region bucket access for this client
+         */
+        @Override
+        public Builder crossRegionAccessEnabled(Boolean crossRegionAccessEnabled) {
+            _crossRegionAccessEnabled = crossRegionAccessEnabled;
+            return this;
+        }
+
         /**
          * Validates and builds the S3AsyncEncryptionClient according
          * to the configuration options passed to the Builder object.
@@ -751,8 +813,21 @@ public S3AsyncEncryptionClient build() {
                         .serviceConfiguration(_serviceConfiguration)
                         .accelerate(_accelerate)
                         .disableMultiRegionAccessPoints(_disableMultiRegionAccessPoints)
+                        .disableS3ExpressSessionAuth(_disableS3ExpressSessionAuth)
                         .forcePathStyle(_forcePathStyle)
                         .useArnRegion(_useArnRegion)
+                        .crossRegionAccessEnabled(_crossRegionAccessEnabled)
+                        // If either of these are null, the AWS SDK will throw an exception.
+                        // Since there is no way to set them without an exception being thrown,
+                        // this would always result in an exception.
+                        // .multipartEnabled(_multipartEnabled)
+                        // .multipartConfiguration(_multipartConfiguration)
+                        .build();
+            }
+
+            if (_instructionFileConfig == null) {
+                _instructionFileConfig = InstructionFileConfig.builder()
+                        .instructionFileAsyncClient(_wrappedClient)
                         .build();
             }