feat!: Updates to the S3 Encryption Client (#491)

BREAKING CHANGES:

The S3 Encryption Client now requires key committing algorithm suites by default.
See migration guide from 3.x to 4.x: [link](https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/java-v4-migration.html)

* `builder()` method has been removed; use `builderV4()` instead
* `builderV4()` now defaults to `commitmentPolicy` (REQUIRE_ENCRYPT_REQUIRE_DECRYPT) and `encryptionAlgorithm` (ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY)

* Updated expectations for custom implementations of the `CryptographicMaterialsManager` interface.
  * Custom implementations of the interface's `getEncryptionMaterials` method MUST set the `AlgorithmSuite` field on the returned `EncryptionMaterials`.
    * The provided `DefaultCryptoMaterialsManager`'s `getEncryptionMaterials` method sets this field from the `AlgorithmSuite` provided in the `EncryptionMaterialsRequest`.
    * If the custom implementation wraps the provided `DefaultCryptoMaterialsManager.getEncryptionMaterials` method, it's likely that no code updates are required. The provided logic has been updated with this change.
  * Custom implementations of the interface's `decryptMaterials` method MUST set the `KeyCommitment` field on the returned `DecryptionMaterials`.
    * The provided `DefaultCryptoMaterialsManager`'s `decryptMaterials` method sets this field from the `KeyCommitment` provided in the `DecryptMaterialsRequest`.
    * If the custom implementation wraps the provided `DefaultCryptoMaterialsManager.decryptMaterials` method, it's likely that no code updates are required. The provided logic has been updated with this change.

* Updated expectations for custom implementations of the `Keyring` interface.
  * Custom implementations of the interface's `onDecrypt` method MUST preserve the `KeyCommitment` field on the returned `DecryptionMaterials`.
    * The provided `S3Keyring`'s `onDecrypt` method (base class for all keyrings including `KmsKeyring`) preserves this field through the builder pattern when returning updated materials.
    * If the custom implementation wraps the provided `S3Keyring.onDecrypt` method or uses the builder pattern to return materials, it's likely that no code updates are required. The provided logic has been updated with this change.

Author: imabhichow

.github/workflows/build.yml

@@ -59,4 +59,4 @@ jobs:
       - name: Package JAR
         run: |
           mvn -B -ntp install -DskipTests
-        shell: bash
+        shell: bash

.github/workflows/ci-workflow.yml

@@ -22,3 +22,10 @@ jobs:
     with:
       version: ${{ matrix.version }}
       distribution: ${{ matrix.distribution }}
+
+  Examples:
+    uses: ./.github/workflows/examples.yml
+    secrets: inherit
+    with:
+      version: 17
+      distribution: corretto

.github/workflows/examples.yml

@@ -0,0 +1,53 @@
+name: Migration Examples
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+      distribution:
+        required: true
+        type: string
+
+jobs:
+  MigrationExamples:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.CI_AWS_ACCOUNT_ID }}:role/service-role/${{ vars.CI_AWS_ROLE }}
+          role-session-name: S3EC-Github-CI-Tests
+          aws-region: ${{ vars.CI_AWS_REGION }}
+
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Setup JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: ${{ inputs.distribution }}
+          java-version: ${{ inputs.version}}
+          cache: 'maven'
+
+      - name: Install S3EC
+        run: |
+          mvn -B -ntp install -DskipTests
+        shell: bash
+
+      # TODO: Add step to run v3 examples once we have transitional version
+      #       cd migration_examples/v3-to-v4/v3
+      #       mvn -B -ntp test -DskipCompile
+      - name: Run Migration Examples
+        run: |
+          export AWS_S3EC_TEST_BUCKET=${{ vars.CI_S3_BUCKET }}
+          export AWS_S3EC_TEST_KMS_KEY_ID=arn:aws:kms:${{ vars.CI_AWS_REGION }}:${{ secrets.CI_AWS_ACCOUNT_ID }}:key/${{ vars.CI_KMS_KEY_ID }}
+          export AWS_REGION=${{ vars.CI_AWS_REGION }}
+          cd migration_examples/v3-to-v4/v4
+          mvn -B -ntp test -DskipCompile
+        shell: bash

.releaserc

@@ -1,64 +1,84 @@
 ## Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 ## SPDX-License-Identifier: Apache-2.0
 {
-    "branches": ["main"],
-    "plugins": [
-          ["@semantic-release/commit-analyzer", {
-            "preset": "conventionalcommits",
-            "parserOpts": {
-                "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
-            },
-            "presetConfig": {
-                "types": [
-                    {"type": "feat", "section": "Features"},
-                    {"type": "fix", "section": "Fixes"},
-                    {"type": "chore", "section": "Maintenance"},
-                    {"type": "docs", "section": "Maintenance"},
-                    {"type": "revert", "section": "Fixes"},
-                    {"type": "style", "hidden": true},
-                    {"type": "refactor", "hidden": true},
-                    {"type": "perf", "hidden": true},
-                    {"type": "test", "hidden": true}
-                ]
-            },
-            "releaseRules": [
-                {"type": "docs", "release": "patch"},
-                {"type": "revert", "release": "patch"},
-                {"type": "chore", "release": "patch"}
-            ]
-          }],
-          ["@semantic-release/release-notes-generator", {
-            "preset": "conventionalcommits",
-            "parserOpts": {
-                "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
-            },
-            "presetConfig": {
-                "types": [
-                    {"type": "feat", "section": "Features"},
-                    {"type": "fix", "section": "Fixes"},
-                    {"type": "chore", "section": "Maintenance"},
-                    {"type": "docs", "section": "Maintenance"},
-                    {"type": "revert", "section": "Fixes"},
-                    {"type": "style", "hidden": true},
-                    {"type": "refactor", "hidden": true},
-                    {"type": "perf", "hidden": true},
-                    {"type": "test", "hidden": true}
-                ]
-            }
-          }],
-          ["@semantic-release/changelog", {
-            "changelogFile": "./CHANGELOG.md",
-            "changelogTitle": "# Changelog"
-          }],
-          ["@semantic-release/exec", {
-            "prepareCmd": "mvn versions:set -DnewVersion=${nextRelease.version} \
-                    -DautoVersionSubmodules=true && find README.md -type f \
-                    -exec sed -i 's/<version>.*<\\/version>/<version>${nextRelease.version}<\\/version>/g' {} \\;"
-          }],
-          ["@semantic-release/git", {
-            "assets": ["./CHANGELOG.md", "./pom.xml", "./README.md"],
-            "message": "Amazon S3 Encryption Client ${nextRelease.version} Release -- ${new Date().toISOString().slice(0, 10)} \n\n${nextRelease.notes}"
-          }],
+  "branches": ["main"],
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "conventionalcommits",
+        "parserOpts": {
+          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
+        },
+        "presetConfig": {
+          "types": [
+            {"type": "feat", "section": "Features"},
+            {"type": "fix", "section": "Fixes"},
+            {"type": "chore", "section": "Maintenance"},
+            {"type": "docs", "section": "Maintenance"},
+            {"type": "revert", "section": "Fixes"},
+            {"type": "style", "hidden": true},
+            {"type": "refactor", "hidden": true},
+            {"type": "perf", "hidden": true},
+            {"type": "test", "hidden": true}
+          ]
+        },
+        "releaseRules": [
+          {"type": "docs", "release": "patch"},
+          {"type": "revert", "release": "patch"},
+          {"type": "chore", "release": "patch"}
+        ]
+      }
     ],
-    "repositoryUrl": "https://github.com/aws/amazon-s3-encryption-client-java",
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "conventionalcommits",
+        "parserOpts": {
+          "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
+        },
+        "presetConfig": {
+          "types": [
+            {"type": "feat", "section": "Features"},
+            {"type": "fix", "section": "Fixes"},
+            {"type": "chore", "section": "Maintenance"},
+            {"type": "docs", "section": "Maintenance"},
+            {"type": "revert", "section": "Fixes"},
+            {"type": "style", "hidden": true},
+            {"type": "refactor", "hidden": true},
+            {"type": "perf", "hidden": true},
+            {"type": "test", "hidden": true}
+          ]
+        }
+      }
+    ],
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "./CHANGELOG.md",
+        "changelogTitle": "# Changelog"
+      }
+    ],
+    [
+      "@semantic-release/exec",
+      {
+        "prepareCmd": "bash ./release-prepare.sh ${nextRelease.version}"
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "./CHANGELOG.md",
+          "./pom.xml",
+          "./README.md",
+          "./migration_examples/v3-to-v4/v4/pom.xml",
+          "./src/main/java/software/amazon/encryption/s3/internal/ApiNameVersion.java",
+          "./src/test/java/software/amazon/encryption/s3/internal/ApiNameVersionTest.java"
+        ],
+        "message": "Amazon S3 Encryption Client ${nextRelease.version} Release -- ${new Date().toISOString().slice(0, 10)} \n\n${nextRelease.notes}"
+      }
+    ]
+  ],
+  "repositoryUrl": "https://github.com/aws/aws-s3-encryption-client-java"
 }

README.md

@@ -53,7 +53,36 @@ You can configure each client independently, or apply a "top-level" configuratio
 Refer to the Client Configuration Example in the [Examples directory](https://github.com/aws/amazon-s3-encryption-client-java/tree/main/src/examples/java/software/amazon/encryption/s3/examples) for examples of each configuration method.
 
 ### Examples
-#### V2 KMS Materials Provider to V3
+#### V3 to V4 Migration
+
+V4 introduces enhanced security with commitment policies. To migrate from V3:
+
+```java
+class Example {
+    public static void main(String[] args) {
+        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+        keyGen.init(256);
+        SecretKey aesKey = keyGen.generateKey();
+        
+        // V3
+        S3Client v3Client = S3EncryptionClient.builder()
+                .aesKey(aesKey)
+                .build();
+        
+        // V4
+        S3Client v4Client = S3EncryptionClient.builderV4()
+                .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+                .encryptionAlgorithm(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
+                .aesKey(aesKey)
+                .build();
+    }
+}
+```
+
+For detailed migration guidance and step-by-step examples, refer to the [Migration Examples](migration_examples/v3-to-v4/README.md). For more information, refer to the <a href="https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/java-v4-migration.html">Developer Guide</a>.
+
+
+#### V2 KMS Materials Provider to V4
 ```java
 class Example {
     public static void main(String[] args) {
@@ -63,15 +92,17 @@ class Example {
                 .withEncryptionMaterialsProvider(materialsProvider)
                 .build();
 
-        // V3
-        S3Client v3Client = S3EncryptionClient.builder()
+        // V4
+        S3Client v4Client = S3EncryptionClient.builderV4()
+                .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+                .encryptionAlgorithm(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                 .kmsKeyId(KMS_WRAPPING_KEY_ID)
                 .build();
     }
 }
 ```
 
-#### V2 AES Key Materials Provider to V3
+#### V2 AES Key Materials Provider to V4
 ```java
 class Example {
     public static void main(String[] args) {
@@ -85,15 +116,17 @@ class Example {
                 .withEncryptionMaterialsProvider(materialsProvider)
                 .build();
 
-        // V3
-        S3Client v3Client = S3EncryptionClient.builder()
+        // V4
+        S3Client v4Client = S3EncryptionClient.builderV4()
+                .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+                .encryptionAlgorithm(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                 .aesKey(aesKey)
                 .build();
     }
 }
 ```
 
-#### V2 RSA Key Materials Provider to V3
+#### V2 RSA Key Materials Provider to V4
 ```java
 class Example {
     public static void main(String[] args) {
@@ -107,15 +140,17 @@ class Example {
                 .withEncryptionMaterialsProvider(materialsProvider)
                 .build();
 
-        // V3
-        S3Client v3Client = S3EncryptionClient.builder()
+        // V4
+        S3Client v4Client = S3EncryptionClient.builderV4()
+                .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+                .encryptionAlgorithm(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                 .rsaKeyPair(rsaKey)
                 .build();
     }
 }
 ```
 
-#### V1 Key Materials Provider to V3
+#### V1 Key Materials Provider to V4
 To allow legacy modes (for decryption only), you must explicitly allow them
 ```java
 class Example {
@@ -130,8 +165,10 @@ class Example {
                 .withEncryptionMaterials(materialsProvider)
                 .build();
 
-        // V3
-        S3Client v3Client = S3EncryptionClient.builder()
+        // V4
+        S3Client v4Client = S3EncryptionClient.builderV4()
+                .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
+                .encryptionAlgorithm(AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
                 .aesKey(aesKey)
                 .enableLegacyUnauthenticatedModes(true) // for enabling legacy content decryption modes
                 .enableLegacyWrappingAlgorithms(true) // for enabling legacy key wrapping modes 
@@ -149,8 +186,6 @@ class Example {
 * RSA-OAEP w/MGF-1 and SHA-256
 * RSA
 * KMS (without context)
-#### Encryption Metadata Storage
-* Instruction File
 
 ## Security
 

SUPPORT_POLICY.rst

@@ -30,6 +30,10 @@ This table describes the current support status of each major version of the Ama
       - End of Support
       - EOY 2025
     * - 3.x
+      - Maintenance Mode
+      -
+      -
+    * - 4.x
       - Generally Available
       -
       -