Merge pull request #10 from imabhichow/main

Consolidate Metadata Strategies

Author: imabhichow

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataDecodingStrategy.java

@@ -1,9 +1,10 @@
 package software.amazon.encryption.s3.internal;
 
-import java.util.Map;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 
 @FunctionalInterface
 public interface ContentMetadataDecodingStrategy {
-    ContentMetadata decodeMetadata(GetObjectResponse response);
+    ContentMetadata decodeMetadata(S3Client client, GetObjectRequest request, GetObjectResponse response);
 }

…3/internal/S3ObjectMetadataStrategy.java …s3/internal/ContentMetadataStrategy.javasrc/main/java/software/amazon/encryption/s3/internal/S3ObjectMetadataStrategy.java renamed to src/main/java/software/amazon/encryption/s3/internal/ContentMetadataStrategy.java src/main/java/software/amazon/encryption/s3/internal/S3ObjectMetadataStrategy.java renamed to src/main/java/software/amazon/encryption/s3/internal/ContentMetadataStrategy.java

@@ -5,10 +5,13 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
+import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.protocols.jsoncore.JsonNode;
 import software.amazon.awssdk.protocols.jsoncore.JsonNodeParser;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
 import software.amazon.awssdk.protocols.jsoncore.JsonWriter.JsonGenerationException;
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.encryption.s3.S3EncryptionClientException;
@@ -17,55 +20,71 @@
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
 import software.amazon.encryption.s3.materials.S3Keyring;
 
-/**
- * This stores encryption metadata in the S3 object metadata.
- * The name is not a typo
- */
-public class S3ObjectMetadataStrategy implements ContentMetadataEncodingStrategy,
-        ContentMetadataDecodingStrategy {
-    private final Base64.Encoder _encoder;
-    private final Base64.Decoder _decoder;
-
-    private S3ObjectMetadataStrategy(Builder builder) {
-        this._encoder = builder._encoder;
-        this._decoder = builder._decoder;
-    }
+public abstract class ContentMetadataStrategy implements ContentMetadataEncodingStrategy, ContentMetadataDecodingStrategy {
+
+    private static final Base64.Encoder ENCODER = Base64.getEncoder();
+    private static final Base64.Decoder DECODER = Base64.getDecoder();
+
+    public static final ContentMetadataDecodingStrategy INSTRUCTION_FILE = new ContentMetadataDecodingStrategy() {
+
+        private static final String FILE_SUFFIX = ".instruction";
+
+        @Override
+        public ContentMetadata decodeMetadata(S3Client client, GetObjectRequest getObjectRequest, GetObjectResponse response) {
+            GetObjectRequest instructionGetObjectRequest = GetObjectRequest.builder()
+                    .bucket(getObjectRequest.bucket())
+                    .key(getObjectRequest.key() + FILE_SUFFIX)
+                    .build();
+            ResponseInputStream<GetObjectResponse> instruction = client.getObject(
+                    instructionGetObjectRequest);
 
-    public static Builder builder() { return new Builder(); }
-
-    @Override
-    public PutObjectRequest encodeMetadata(
-            EncryptionMaterials materials,
-            EncryptedContent encryptedContent,
-            PutObjectRequest request) {
-        Map<String,String> metadata = new HashMap<>(request.metadata());
-        EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
-        metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2, _encoder.encodeToString(edk.ciphertext()));
-        metadata.put(MetadataKeyConstants.CONTENT_NONCE, _encoder.encodeToString(encryptedContent.nonce));
-        metadata.put(MetadataKeyConstants.CONTENT_CIPHER, materials.algorithmSuite().cipherName());
-        metadata.put(MetadataKeyConstants.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(materials.algorithmSuite().cipherTagLengthBits()));
-        metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_ALGORITHM, new String(edk.keyProviderInfo(), StandardCharsets.UTF_8));
-
-        try (JsonWriter jsonWriter = JsonWriter.create()) {
-            jsonWriter.writeStartObject();
-            for (Entry<String,String> entry : materials.encryptionContext().entrySet()) {
-                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            Map<String, String> metadata = new HashMap<>();
+            JsonNodeParser parser = JsonNodeParser.create();
+            JsonNode objectNode = parser.parse(instruction);
+            for (Map.Entry<String, JsonNode> entry : objectNode.asObject().entrySet()) {
+                metadata.put(entry.getKey(), entry.getValue().asString());
             }
-            jsonWriter.writeEndObject();
 
-            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
-            metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT, jsonEncryptionContext);
-        } catch (JsonGenerationException e) {
-            throw new S3EncryptionClientException("Cannot serialize encryption context to JSON.", e);
+            return ContentMetadataStrategy.readFromMap(metadata);
         }
+    };
+
+    public static final ContentMetadataStrategy OBJECT_METADATA = new ContentMetadataStrategy() {
+
+        @Override
+        public PutObjectRequest encodeMetadata(EncryptionMaterials materials,
+                EncryptedContent encryptedContent, PutObjectRequest request) {
+            Map<String,String> metadata = new HashMap<>(request.metadata());
+            EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
+            metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2, ENCODER.encodeToString(edk.ciphertext()));
+            metadata.put(MetadataKeyConstants.CONTENT_NONCE, ENCODER.encodeToString(encryptedContent.nonce));
+            metadata.put(MetadataKeyConstants.CONTENT_CIPHER, materials.algorithmSuite().cipherName());
+            metadata.put(MetadataKeyConstants.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(materials.algorithmSuite().cipherTagLengthBits()));
+            metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_ALGORITHM, new String(edk.keyProviderInfo(), StandardCharsets.UTF_8));
+
+            try (JsonWriter jsonWriter = JsonWriter.create()) {
+                jsonWriter.writeStartObject();
+                for (Entry<String,String> entry : materials.encryptionContext().entrySet()) {
+                    jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+                }
+                jsonWriter.writeEndObject();
 
-        return request.toBuilder().metadata(metadata).build();
-    }
+                String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+                metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT, jsonEncryptionContext);
+            } catch (JsonGenerationException e) {
+                throw new S3EncryptionClientException("Cannot serialize encryption context to JSON.", e);
+            }
 
-    @Override
-    public ContentMetadata decodeMetadata(GetObjectResponse response) {
-        Map<String, String> metadata = response.metadata();
+            return request.toBuilder().metadata(metadata).build();
+        }
 
+        @Override
+        public ContentMetadata decodeMetadata(S3Client client, GetObjectRequest request, GetObjectResponse response) {
+            return ContentMetadataStrategy.readFromMap(response.metadata());
+        }
+    };
+
+    private static ContentMetadata readFromMap(Map<String, String> metadata) {
         // Get algorithm suite
         final String contentEncryptionAlgorithm = metadata.get(MetadataKeyConstants.CONTENT_CIPHER);
         AlgorithmSuite algorithmSuite;
@@ -89,7 +108,7 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
         switch (algorithmSuite) {
             case ALG_AES_256_CBC_IV16_NO_KDF:
                 // Extract encrypted data key ciphertext
-                edkCiphertext = _decoder.decode(metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V1));
+                edkCiphertext = DECODER.decode(metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V1));
 
                 // Hardcode the key provider id to match what V1 does
                 keyProviderInfo = "AES";
@@ -105,7 +124,7 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
                 }
 
                 // Extract encrypted data key ciphertext and provider id
-                edkCiphertext = _decoder.decode(metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2));
+                edkCiphertext = DECODER.decode(metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2));
                 keyProviderInfo = metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_ALGORITHM);
 
                 break;
@@ -136,7 +155,7 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
         }
 
         // Get content nonce
-        byte[] nonce = _decoder.decode(metadata.get(MetadataKeyConstants.CONTENT_NONCE));
+        byte[] nonce = DECODER.decode(metadata.get(MetadataKeyConstants.CONTENT_NONCE));
 
         return ContentMetadata.builder()
                 .algorithmSuite(algorithmSuite)
@@ -146,22 +165,18 @@ public ContentMetadata decodeMetadata(GetObjectResponse response) {
                 .build();
     }
 
-    public static class Builder {
-        private Base64.Encoder _encoder = Base64.getEncoder();
-        private  Base64.Decoder _decoder = Base64.getDecoder();
-
-        public Builder base64Encoder(Base64.Encoder encoder) {
-            this._encoder = encoder;
-            return this;
-        }
-
-        public Builder base64Decoder(Base64.Decoder decoder) {
-            this._decoder = decoder;
-            return this;
+    public static ContentMetadata decode(S3Client client, GetObjectRequest request, GetObjectResponse response) {
+        Map<String, String> metadata = response.metadata();
+        ContentMetadataDecodingStrategy strategy;
+        if (metadata != null
+            && metadata.containsKey(MetadataKeyConstants.CONTENT_NONCE)
+            && (metadata.containsKey(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V1)
+                || metadata.containsKey(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2))) {
+            strategy = OBJECT_METADATA;
+        } else {
+            strategy = INSTRUCTION_FILE;
         }
 
-        public S3ObjectMetadataStrategy build() {
-            return new S3ObjectMetadataStrategy(this);
-        }
+        return strategy.decodeMetadata(client, request, response);
     }
 }

src/main/java/software/amazon/encryption/s3/internal/GetEncryptedObjectPipeline.java

@@ -4,6 +4,7 @@
 import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
+
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.sync.ResponseTransformer;
 import software.amazon.awssdk.http.AbortableInputStream;
@@ -42,14 +43,8 @@ public <T> T getObject(GetObjectRequest getObjectRequest,
             throw new RuntimeException(e);
         }
 
-        GetObjectResponse response = objectStream.response();
-
-        // TODO: Need to differentiate metadata decoding strategy here
-        ContentMetadataDecodingStrategy contentMetadataDecodingStrategy = S3ObjectMetadataStrategy
-                .builder()
-                .build();
-
-        ContentMetadata contentMetadata = contentMetadataDecodingStrategy.decodeMetadata(response);
+        GetObjectResponse getObjectResponse = objectStream.response();
+        ContentMetadata contentMetadata = ContentMetadataStrategy.decode(_s3Client, getObjectRequest, getObjectResponse);
 
         AlgorithmSuite algorithmSuite = contentMetadata.algorithmSuite();
         List<EncryptedDataKey> encryptedDataKeys = Collections.singletonList(contentMetadata.encryptedDataKey());
@@ -74,7 +69,7 @@ public <T> T getObject(GetObjectRequest getObjectRequest,
         byte[] plaintext = contentDecryptionStrategy.decryptContent(contentMetadata, materials, ciphertext);
 
         try {
-            return responseTransformer.transform(response,
+            return responseTransformer.transform(getObjectResponse,
                     AbortableInputStream.create(new ByteArrayInputStream(plaintext)));
         } catch (Exception e) {
             throw new S3EncryptionClientException("Unable to transform response.", e);

src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java

@@ -53,10 +53,7 @@ public static class Builder {
                 AesGcmContentStrategy
                         .builder()
                         .build();
-        private ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy =
-                S3ObjectMetadataStrategy
-                        .builder()
-                        .build();
+        private ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy = ContentMetadataStrategy.OBJECT_METADATA;
 
         private Builder() {}
 

src/test/java/S3EncryptionClientTest.java

@@ -6,15 +6,8 @@
 import com.amazonaws.services.s3.AmazonS3EncryptionClient;
 import com.amazonaws.services.s3.AmazonS3EncryptionClientV2;
 import com.amazonaws.services.s3.AmazonS3EncryptionV2;
-import com.amazonaws.services.s3.model.CryptoConfiguration;
-import com.amazonaws.services.s3.model.CryptoConfigurationV2;
-import com.amazonaws.services.s3.model.CryptoMode;
-import com.amazonaws.services.s3.model.EncryptedPutObjectRequest;
-import com.amazonaws.services.s3.model.EncryptionMaterials;
-import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
-import com.amazonaws.services.s3.model.ObjectMetadata;
-import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
+import com.amazonaws.services.s3.model.*;
+
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
@@ -119,12 +112,44 @@ public void AesWrapV1toV3() {
 
     @Test
     public void AesGcmV2toV3() {
-        final String BUCKET_KEY = "aes-gcm-v3-to-v2";
+        final String BUCKET_KEY = "aes-gcm-v2-to-v3";
+
+        // V2 Client
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
+                .withEncryptionMaterialsProvider(materialsProvider)
+                .build();
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+                .aesKey(AES_KEY)
+                .build();
+
+        // Asserts
+        final String input = "AesGcmV2toV3";
+        v2Client.putObject(BUCKET, BUCKET_KEY, input);
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(
+                GetObjectRequest.builder()
+                        .bucket(BUCKET)
+                        .key(BUCKET_KEY).build());
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+    }
+
+    @Test
+    public void AesGcmV2toV3WithInstructionFile() {
+        final String BUCKET_KEY = "aes-gcm-v2-to-v3-with-instruction-file";
 
         // V2 Client
         EncryptionMaterialsProvider materialsProvider =
                 new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        CryptoConfigurationV2 cryptoConfig =
+                new CryptoConfigurationV2(CryptoMode.StrictAuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile);
         AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
+                .withCryptoConfiguration(cryptoConfig)
                 .withEncryptionMaterialsProvider(materialsProvider)
                 .build();