Merge branch 'main' of github.com:aws/amazon-s3-encryption-client-java into inst-file-put

Author: kessplas

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [3.3.1](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.3.0...v3.3.1) (2025-01-24)
+
+### Fixes
+
+* KMS Dependency is required ([44e9886](https://github.com/aws/aws-s3-encryption-client-java/commit/44e988677505bdc207936d0a981a0ca67dfd1a8a))
+* treat null matdesc as empty ([#448](https://github.com/aws/aws-s3-encryption-client-java/issues/448)) ([bcd711e](https://github.com/aws/aws-s3-encryption-client-java/commit/bcd711eb65707bac99775a011e3e159c6e3a79e6))
+* unbounded streams are not supported ([#422](https://github.com/aws/aws-s3-encryption-client-java/issues/422)) ([034bb89](https://github.com/aws/aws-s3-encryption-client-java/commit/034bb89ae5933b4d56e9892f19bb1e8f1f27010e))
+
 ## [3.3.0](https://github.com/aws/aws-s3-encryption-client-java/compare/v3.2.3...v3.3.0) (2024-10-30)
 
 ### Features

pom.xml

@@ -6,7 +6,7 @@
 
   <groupId>software.amazon.encryption.s3</groupId>
   <artifactId>amazon-s3-encryption-client-java</artifactId>
-  <version>3.3.0</version>
+  <version>3.3.1</version>
   <packaging>jar</packaging>
 
   <name>Amazon S3 Encryption Client</name>
@@ -56,7 +56,7 @@
       <dependency>
         <groupId>software.amazon.awssdk</groupId>
         <artifactId>bom</artifactId>
-        <version>2.28.28</version>
+        <version>2.30.38</version>
         <optional>true</optional>
         <type>pom</type>
         <scope>import</scope>
@@ -68,21 +68,21 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>s3</artifactId>
-      <version>2.28.28</version>
+      <version>2.30.38</version>
     </dependency>
 
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>kms</artifactId>
-      <version>2.28.28</version>
+      <version>2.30.38</version>
     </dependency>
 
     <!-- Used when enableMultipartPutObject is configured -->
     <dependency>
       <groupId>software.amazon.awssdk.crt</groupId>
       <artifactId>aws-crt</artifactId>
       <optional>true</optional>
-      <version>0.31.3</version>
+      <version>0.36.3</version>
     </dependency>
 
     <dependency>
@@ -163,7 +163,7 @@
     <dependency>
       <groupId>software.amazon.awssdk</groupId>
       <artifactId>sts</artifactId>
-      <version>2.28.28</version>
+      <version>2.30.38</version>
       <optional>true</optional>
       <scope>test</scope>
     </dependency>

src/main/java/software/amazon/encryption/s3/S3EncryptionClientException.java

@@ -6,14 +6,65 @@
 
 public class S3EncryptionClientException extends SdkClientException {
 
+    private S3EncryptionClientException(Builder b) {
+        super(b);
+    }
+
     public S3EncryptionClientException(String message) {
-        super(SdkClientException.builder()
+        super(S3EncryptionClientException.builder()
                 .message(message));
     }
 
     public S3EncryptionClientException(String message, Throwable cause) {
-        super(SdkClientException.builder()
+        super(S3EncryptionClientException.builder()
                 .message(message)
                 .cause(cause));
     }
+
+    @Override
+    public Builder toBuilder() {
+        return new BuilderImpl(this);
+    }
+
+    public static Builder builder() {
+        return new BuilderImpl();
+    }
+
+    public interface Builder extends SdkClientException.Builder {
+        @Override
+        Builder message(String message);
+
+        @Override
+        Builder cause(Throwable cause);
+
+        @Override
+        S3EncryptionClientException build();
+    }
+
+    protected static final class BuilderImpl extends SdkClientException.BuilderImpl implements Builder {
+
+        protected BuilderImpl() {
+        }
+
+        protected BuilderImpl(S3EncryptionClientException ex) {
+            super(ex);
+        }
+
+        @Override
+        public Builder message(String message) {
+            this.message = message;
+            return this;
+        }
+
+        @Override
+        public Builder cause(Throwable cause) {
+            this.cause = cause;
+            return this;
+        }
+
+        @Override
+        public S3EncryptionClientException build() {
+            return new S3EncryptionClientException(this);
+        }
+    }
 }

src/main/java/software/amazon/encryption/s3/internal/CipherAsyncRequestBody.java

@@ -4,6 +4,7 @@
 
 import org.reactivestreams.Subscriber;
 import software.amazon.awssdk.core.async.AsyncRequestBody;
+import software.amazon.encryption.s3.S3EncryptionClientException;
 import software.amazon.encryption.s3.materials.CryptographicMaterials;
 
 import java.nio.ByteBuffer;
@@ -35,7 +36,9 @@ public CipherAsyncRequestBody(final AsyncRequestBody wrappedAsyncRequestBody, fi
 
     @Override
     public void subscribe(Subscriber<? super ByteBuffer> subscriber) {
-        wrappedAsyncRequestBody.subscribe(new CipherSubscriber(subscriber, contentLength().orElse(-1L), materials, iv));
+        wrappedAsyncRequestBody.subscribe(new CipherSubscriber(subscriber,
+                contentLength().orElseThrow(() -> new S3EncryptionClientException("Unbounded streams are currently not supported.")),
+                materials, iv));
     }
 
     @Override

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataDecodingStrategy.java

@@ -138,7 +138,8 @@ private ContentMetadata readFromMap(Map<String, String> metadata, GetObjectRespo
 
         // Get encrypted data key encryption context
         final Map<String, String> encryptionContext = new HashMap<>();
-        final String jsonEncryptionContext = metadata.get(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT);
+        // The V2 client treats null value here as empty, do the same to avoid incompatibility
+        String jsonEncryptionContext = metadata.getOrDefault(MetadataKeyConstants.ENCRYPTED_DATA_KEY_CONTEXT, "{}");
         // When the encryption context contains non-US-ASCII characters,
         // the S3 server applies an esoteric encoding to the object metadata.
         // Reverse that, to allow decryption.

src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java

@@ -51,7 +51,7 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest request,
                 contentLength = request.contentLength();
             }
         } else {
-            contentLength = requestBody.contentLength().orElse(-1L);
+            contentLength = requestBody.contentLength().orElseThrow(() -> new S3EncryptionClientException("Unbounded streams are currently not supported."));
         }
 
         if (contentLength > AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF.cipherMaxContentLengthBytes()) {

src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java

@@ -25,6 +25,7 @@
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectRequest;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
+import software.amazon.awssdk.services.s3.model.MetadataDirective;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.encryption.s3.internal.InstructionFileConfig;
 
@@ -168,6 +169,7 @@ public void AesGcmV2toV3() {
         // Cleanup
         deleteObject(BUCKET, objectKey, v3Client);
         v3Client.close();
+
     }
 
     @Test
@@ -905,4 +907,62 @@ public void AesWrapV1toV3FailsWhenLegacyModeDisabled() {
         deleteObject(BUCKET, objectKey, v3Client);
         v3Client.close();
     }
+
+    @Test
+    public void nullMaterialDescriptionV3() {
+        final String objectKey = appendTestSuffix("null-matdesc-v3");
+
+        // V2 Client
+        EncryptionMaterialsProvider materialsProvider =
+          new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
+          .withEncryptionMaterialsProvider(materialsProvider)
+          .build();
+
+        // V3 Client
+        S3Client v3Client = S3EncryptionClient.builder()
+          .aesKey(AES_KEY)
+          .build();
+
+        // Asserts
+        final String input = "AesGcmWithNullMatDesc";
+        v2Client.putObject(BUCKET, objectKey, input);
+
+        ResponseBytes<GetObjectResponse> objectResponse = v3Client.getObjectAsBytes(builder -> builder
+          .bucket(BUCKET)
+          .key(objectKey));
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+
+        // Now remove MatDesc - this must be done via CopyObject
+        final String copyKey = objectKey + "copied";
+        Map<String, String> modMd = new HashMap<>(objectResponse.response().metadata());
+        modMd.remove("x-amz-meta-x-amz-matdesc");
+        modMd.remove("x-amz-matdesc");
+        v3Client.copyObject(builder -> builder
+          .sourceBucket(BUCKET)
+          .destinationBucket(BUCKET)
+          .sourceKey(objectKey)
+          .destinationKey(copyKey)
+          .metadataDirective(MetadataDirective.REPLACE)
+          .metadata(modMd)
+          .build());
+
+        // V2
+        String v2CopyOut = v2Client.getObjectAsString(BUCKET, copyKey);
+        assertEquals(input, v2CopyOut);
+
+        // V3
+        ResponseBytes<GetObjectResponse> objectResponseCopy = v3Client.getObjectAsBytes(builder -> builder
+          .bucket(BUCKET)
+          .key(copyKey));
+        String outputCopy = objectResponseCopy.asUtf8String();
+        assertEquals(input, outputCopy);
+
+        // Cleanup
+        deleteObject(BUCKET, objectKey, v3Client);
+        deleteObject(BUCKET, copyKey, v3Client);
+        v3Client.close();
+
+    }
 }

src/test/java/software/amazon/encryption/s3/S3EncryptionClientStreamTest.java

@@ -17,15 +17,16 @@
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.async.AsyncRequestBody;
 import software.amazon.awssdk.core.async.AsyncResponseTransformer;
+import software.amazon.awssdk.core.async.BlockingInputStreamAsyncRequestBody;
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3AsyncClient;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.GetObjectResponse;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.awssdk.utils.IoUtils;
-import software.amazon.encryption.s3.utils.BoundedStreamBufferer;
 import software.amazon.encryption.s3.utils.BoundedInputStream;
+import software.amazon.encryption.s3.utils.BoundedStreamBufferer;
 import software.amazon.encryption.s3.utils.MarkResetBoundedZerosInputStream;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 
@@ -135,6 +136,63 @@ public void ordinaryInputStreamV3Encrypt() throws IOException {
         v3Client.close();
     }
 
+    @Test
+    public void ordinaryInputStreamV3UnboundedAsync() {
+        try (S3AsyncClient s3AsyncEncryptionClient = S3AsyncEncryptionClient.builder().aesKey(AES_KEY).build()) {
+            final String objectKey = appendTestSuffix("ordinaryInputStreamV3UnboundedAsync");
+            BlockingInputStreamAsyncRequestBody body =
+                    AsyncRequestBody.forBlockingInputStream(null);
+            try {
+                s3AsyncEncryptionClient.putObject(r -> r.bucket(BUCKET).key(objectKey), body);
+                fail("Expected exception!");
+            } catch (S3EncryptionClientException exception) {
+                // expected
+                assertTrue(exception.getMessage().contains("Unbounded streams are currently not supported"));
+            }
+        }
+    }
+
+    @Test
+    public void ordinaryInputStreamV3UnboundedMultipartAsync() {
+        try (S3AsyncClient s3AsyncEncryptionClient = S3AsyncEncryptionClient.builder()
+                .aesKey(AES_KEY)
+                .enableMultipartPutObject(true)
+                .build()) {
+            final String objectKey = appendTestSuffix("ordinaryInputStreamV3UnboundedAsync");
+            BlockingInputStreamAsyncRequestBody body =
+                    AsyncRequestBody.forBlockingInputStream(null);
+            try {
+                s3AsyncEncryptionClient.putObject(r -> r.bucket(BUCKET).key(objectKey), body);
+                fail("Expected exception!");
+            } catch (S3EncryptionClientException exception) {
+                // expected
+                assertTrue(exception.getMessage().contains("Unbounded streams are currently not supported"));
+            }
+        }
+    }
+
+    @Test
+    public void ordinaryInputStreamV3UnboundedCrt() {
+        try (S3AsyncClient s3CrtAsyncClient = S3AsyncClient.crtCreate()) {
+            try (S3AsyncClient s3AsyncEncryptionClient = S3AsyncEncryptionClient.builder()
+                    .aesKey(AES_KEY)
+                    .enableMultipartPutObject(true)
+                    .wrappedClient(s3CrtAsyncClient)
+                    .build()) {
+                final String objectKey = appendTestSuffix("ordinaryInputStreamV3UnboundedCrt");
+                BlockingInputStreamAsyncRequestBody body =
+                        AsyncRequestBody.forBlockingInputStream(null);
+                try {
+                    s3AsyncEncryptionClient.putObject(r -> r.bucket(BUCKET).key(objectKey), body);
+                    fail("Expected exception!");
+                } catch (S3EncryptionClientException exception) {
+                    // expected
+                    assertTrue(exception.getMessage().contains("Unbounded streams are currently not supported"));
+                }
+            }
+        }
+    }
+
     @Test
     public void ordinaryInputStreamV3Decrypt() throws IOException {
         final String objectKey = appendTestSuffix("ordinaryInputStreamV3Decrypt");
@@ -274,9 +332,9 @@ public void customSetBufferSizeWithLargeObject() throws IOException {
         final long fileSizeExceedingDefaultLimit = 1024 * 1024 * 32 + 1;
         final InputStream largeObjectStream = new BoundedInputStream(fileSizeExceedingDefaultLimit);
         v3ClientWithBuffer32MiB.putObject(PutObjectRequest.builder()
-                                   .bucket(BUCKET)
-                                   .key(objectKey)
-                                   .build(), RequestBody.fromInputStream(largeObjectStream, fileSizeExceedingDefaultLimit));
+                .bucket(BUCKET)
+                .key(objectKey)
+                .build(), RequestBody.fromInputStream(largeObjectStream, fileSizeExceedingDefaultLimit));
 
         largeObjectStream.close();
 
@@ -327,9 +385,9 @@ public void customSetBufferSizeWithLargeObjectAsyncClient() throws IOException {
         final InputStream largeObjectStream = new BoundedInputStream(fileSizeExceedingDefaultLimit);
         ExecutorService singleThreadExecutor = Executors.newSingleThreadExecutor();
         CompletableFuture<PutObjectResponse> futurePut = v3ClientWithBuffer32MiB.putObject(PutObjectRequest.builder()
-                                                                                           .bucket(BUCKET)
-                                                                                           .key(objectKey)
-                                                                                           .build(), AsyncRequestBody.fromInputStream(largeObjectStream, fileSizeExceedingDefaultLimit, singleThreadExecutor));
+                .bucket(BUCKET)
+                .key(objectKey)
+                .build(), AsyncRequestBody.fromInputStream(largeObjectStream, fileSizeExceedingDefaultLimit, singleThreadExecutor));
 
         futurePut.join();
         largeObjectStream.close();
@@ -387,7 +445,7 @@ public void delayedAuthModeWithLargeObject() throws IOException {
         assertThrows(S3EncryptionClientException.class, () -> v3Client.getObjectAsBytes(builder -> builder
                 .bucket(BUCKET)
                 .key(objectKey)));
-                
+
         S3Client v3ClientWithDelayedAuth = S3EncryptionClient.builder()
                 .aesKey(AES_KEY)
                 .enableDelayedAuthenticationMode(true)