wip - instruction file puts

Author: kessplas

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataEncodingStrategy.java

@@ -1,14 +1,74 @@
-// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
 package software.amazon.encryption.s3.internal;
 
+import software.amazon.awssdk.protocols.jsoncore.JsonWriter;
 import software.amazon.awssdk.services.s3.model.CreateMultipartUploadRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.encryption.s3.S3EncryptionClientException;
+import software.amazon.encryption.s3.materials.EncryptedDataKey;
 import software.amazon.encryption.s3.materials.EncryptionMaterials;
 
-public interface ContentMetadataEncodingStrategy {
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
 
-    PutObjectRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, PutObjectRequest putObjectRequest);
-    CreateMultipartUploadRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, CreateMultipartUploadRequest createMultipartUploadRequest);
+public class ContentMetadataEncodingStrategy {
 
+    private static final Base64.Encoder ENCODER = Base64.getEncoder();
+    private final InstructionFileConfig _instructionFileConfig;
+
+    public ContentMetadataEncodingStrategy(InstructionFileConfig instructionFileConfig) {
+        _instructionFileConfig = instructionFileConfig;
+    }
+
+    public PutObjectRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, PutObjectRequest putObjectRequest) {
+        if (_instructionFileConfig.isInstructionFilePutEnabled()) {
+            // TODO: serialize inst file as string
+            final String metadataString = metadataToString(materials, iv);
+            _instructionFileConfig.putInstructionFile(putObjectRequest, "");
+            // the original object is returned as-is
+            return putObjectRequest;
+        } else {
+            Map<String, String> newMetadata = addMetadataToMap(putObjectRequest.metadata(), materials, iv);
+            return putObjectRequest.toBuilder()
+                    .metadata(newMetadata)
+                    .build();
+        }
+    }
+
+    public CreateMultipartUploadRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, CreateMultipartUploadRequest createMultipartUploadRequest) {
+        Map<String, String> newMetadata = addMetadataToMap(createMultipartUploadRequest.metadata(), materials, iv);
+        return createMultipartUploadRequest.toBuilder()
+                .metadata(newMetadata)
+                .build();
+    }
+
+    private String metadataToString(EncryptionMaterials materials, byte[] iv) {
+        // this is just the metadata map serialized as JSON
+        return "";
+    }
+
+    private Map<String, String> addMetadataToMap(Map<String, String> map, EncryptionMaterials materials, byte[] iv) {
+        Map<String, String> metadata = new HashMap<>(map);
+        EncryptedDataKey edk = materials.encryptedDataKeys().get(0);
+        metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V2, ENCODER.encodeToString(edk.encryptedDatakey()));
+        metadata.put(MetadataKeyConstants.CONTENT_IV, ENCODER.encodeToString(iv));
+        metadata.put(MetadataKeyConstants.CONTENT_CIPHER, materials.algorithmSuite().cipherName());
+        metadata.put(MetadataKeyConstants.CONTENT_CIPHER_TAG_LENGTH, Integer.toString(materials.algorithmSuite().cipherTagLengthBits()));
+        metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_ALGORITHM, new String(edk.keyProviderInfo(), StandardCharsets.UTF_8));
+
+        try (JsonWriter jsonWriter = JsonWriter.create()) {
+            jsonWriter.writeStartObject();
+            for (Map.Entry<String, String> entry : materials.encryptionContext().entrySet()) {
+                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            }
+            jsonWriter.writeEndObject();
+
+            String jsonEncryptionContext = new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+            metadata.put(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT, jsonEncryptionContext);
+        } catch (JsonWriter.JsonGenerationException e) {
+            throw new S3EncryptionClientException("Cannot serialize encryption context to JSON.", e);
+        }
+        return metadata;
+    }
 }

src/main/java/software/amazon/encryption/s3/internal/InstructionFileConfig.java

@@ -1,11 +1,15 @@
 package software.amazon.encryption.s3.internal;
 
 import software.amazon.awssdk.core.ResponseInputStream;
+import software.amazon.awssdk.core.async.AsyncRequestBody;
 import software.amazon.awssdk.core.async.AsyncResponseTransformer;
+import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3AsyncClient;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.encryption.s3.S3EncryptionClientException;
 
 /**
@@ -22,6 +26,7 @@ private InstructionFileConfig(final Builder builder) {
         _clientType = builder._clientType;
         _s3Client = builder._s3Client;
         _s3AsyncClient = builder._s3AsyncClient;
+        _enableInstructionFilePut = builder._enableInstructionFilePut;
     }
 
     public static Builder builder() {
@@ -34,6 +39,30 @@ public enum InstructionFileClientType {
         ASYNC
     }
 
+    boolean isInstructionFilePutEnabled() {
+        return _enableInstructionFilePut;
+    }
+
+    PutObjectResponse putInstructionFile(PutObjectRequest request, String instructionFileContent) {
+        // This shouldn't happen in practice because the metadata strategy will evaluate
+        // if instruction file Puts are enabled before calling this method; check again anyway for robustness
+        if (!_enableInstructionFilePut) {
+            throw new S3EncryptionClientException("Enable Instruction File Put must be set to true in order to call PutObject with an instruction file!");
+        }
+        switch (_clientType) {
+            case SYNCHRONOUS:
+                return _s3Client.putObject(request, RequestBody.fromString(instructionFileContent));
+            case ASYNC:
+                return _s3AsyncClient.putObject(request, AsyncRequestBody.fromString(instructionFileContent)).join();
+            case DISABLED:
+                // this should never happen because we check enablePut first
+                throw new S3EncryptionClientException("Instruction File has been disabled!");
+            default:
+                // this should never happen
+                throw new S3EncryptionClientException("Unknown Instruction File Type");
+        }
+    }
+
     ResponseInputStream<GetObjectResponse> getInstructionFile(GetObjectRequest request) {
         switch (_clientType) {
             case SYNCHRONOUS:
@@ -65,6 +94,7 @@ public static class Builder {
         private boolean _disableInstructionFile;
         private S3AsyncClient _s3AsyncClient;
         private S3Client _s3Client;
+        private boolean _enableInstructionFilePut;
 
         /**
          * When set to true, the S3 Encryption Client will not attempt to get instruction files.
@@ -76,6 +106,11 @@ public Builder disableInstructionFile(boolean disableInstructionFile) {
             return this;
         }
 
+        public Builder enableInstructionFilePutObject(boolean enableInstructionFilePutObject) {
+            _enableInstructionFilePut = enableInstructionFilePutObject;
+            return this;
+        }
+
         /**
          * Sets the S3 client to use to retrieve instruction files.
          * @param instructionFileClient
@@ -95,13 +130,17 @@ public Builder instructionFileAsyncClient(S3AsyncClient instructionFileAsyncClie
             _s3AsyncClient = instructionFileAsyncClient;
             return this;
         }
+
         public InstructionFileConfig build() {
             if ((_s3AsyncClient != null || _s3Client != null) && _disableInstructionFile) {
                 throw new S3EncryptionClientException("Instruction Files have been disabled but a client has been passed!");
             }
             if (_disableInstructionFile) {
                 // We know both clients are null, so carry on.
                 this._clientType = InstructionFileClientType.DISABLED;
+                if (_enableInstructionFilePut) {
+                    throw new S3EncryptionClientException("Instruction Files must be enabled to enable Instruction Files for PutObject.");
+                }
                 return new InstructionFileConfig(this);
             }
             if (_s3Client != null && _s3AsyncClient != null) {

src/main/java/software/amazon/encryption/s3/internal/MultipartUploadObjectPipeline.java

@@ -216,7 +216,7 @@ public void putLocalObject(RequestBody requestBody, String uploadId, OutputStrea
     public static class Builder {
         private final Map<String, MultipartUploadMaterials> _multipartUploadMaterials =
                 Collections.synchronizedMap(new HashMap<>());
-        private final ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy = new ObjectMetadataEncodingStrategy();
+        private final ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy = new ContentMetadataEncodingStrategy();
         private S3AsyncClient _s3AsyncClient;
         private CryptographicMaterialsManager _cryptoMaterialsManager;
         private SecureRandom _secureRandom;

src/main/java/software/amazon/encryption/s3/internal/ObjectMetadataEncodingStrategy.java

@@ -81,7 +81,8 @@ public static class Builder {
         private CryptographicMaterialsManager _cryptoMaterialsManager;
         private SecureRandom _secureRandom;
         private AsyncContentEncryptionStrategy _asyncContentEncryptionStrategy;
-        private final ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy = new ObjectMetadataEncodingStrategy();
+        private InstructionFileConfig _instructionFileConfig;
+        private ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy;
 
         private Builder() {
         }
@@ -106,6 +107,11 @@ public Builder secureRandom(SecureRandom secureRandom) {
             return this;
         }
 
+        public Builder instructionFileConfig(InstructionFileConfig instructionFileConfig) {
+            this._instructionFileConfig = instructionFileConfig;
+            return this;
+        }
+
         public PutEncryptedObjectPipeline build() {
             // Default to AesGcm since it is the only active (non-legacy) content encryption strategy
             if (_asyncContentEncryptionStrategy == null) {
@@ -114,6 +120,8 @@ public PutEncryptedObjectPipeline build() {
                         .secureRandom(_secureRandom)
                         .build();
             }
+            _contentMetadataEncodingStrategy = new ContentMetadataEncodingStrategy(_instructionFileConfig);
+
             return new PutEncryptedObjectPipeline(this);
         }
     }