cleanup

Author: kessplas

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -205,6 +205,7 @@ public PutObjectResponse putObject(PutObjectRequest putObjectRequest, RequestBod
                 .s3AsyncClient(_wrappedAsyncClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
                 .secureRandom(_secureRandom)
+                .instructionFileConfig(_instructionFileConfig)
                 .build();
 
         ExecutorService singleThreadExecutor = Executors.newSingleThreadExecutor();

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataDecodingStrategy.java

@@ -168,7 +168,6 @@ private ContentMetadata readFromMap(Map<String, String> metadata, GetObjectRespo
 
     public ContentMetadata decode(GetObjectRequest request, GetObjectResponse response) {
         Map<String, String> metadata = response.metadata();
-        ContentMetadataDecodingStrategy strategy;
         if (metadata != null
                 && metadata.containsKey(MetadataKeyConstants.CONTENT_IV)
                 && (metadata.containsKey(MetadataKeyConstants.ENCRYPTED_DATA_KEY_V1)

src/main/java/software/amazon/encryption/s3/internal/ContentMetadataEncodingStrategy.java

@@ -23,10 +23,9 @@ public ContentMetadataEncodingStrategy(InstructionFileConfig instructionFileConf
 
     public PutObjectRequest encodeMetadata(EncryptionMaterials materials, byte[] iv, PutObjectRequest putObjectRequest) {
         if (_instructionFileConfig.isInstructionFilePutEnabled()) {
-            // TODO: serialize inst file as string
             final String metadataString = metadataToString(materials, iv);
-            _instructionFileConfig.putInstructionFile(putObjectRequest, "");
-            // the original object is returned as-is
+            _instructionFileConfig.putInstructionFile(putObjectRequest, metadataString);
+            // the original request object is returned as-is
             return putObjectRequest;
         } else {
             Map<String, String> newMetadata = addMetadataToMap(putObjectRequest.metadata(), materials, iv);
@@ -45,7 +44,20 @@ public CreateMultipartUploadRequest encodeMetadata(EncryptionMaterials materials
 
     private String metadataToString(EncryptionMaterials materials, byte[] iv) {
         // this is just the metadata map serialized as JSON
-        return "";
+        // so first get the Map
+        final Map<String, String> metadataMap = addMetadataToMap(new HashMap<>(), materials, iv);
+        // then serialize it
+        try (JsonWriter jsonWriter = JsonWriter.create()) {
+            jsonWriter.writeStartObject();
+            for (Map.Entry<String, String> entry : metadataMap.entrySet()) {
+                jsonWriter.writeFieldName(entry.getKey()).writeValue(entry.getValue());
+            }
+            jsonWriter.writeEndObject();
+
+            return new String(jsonWriter.getBytes(), StandardCharsets.UTF_8);
+        } catch (JsonWriter.JsonGenerationException e) {
+            throw new S3EncryptionClientException("Cannot serialize materials to JSON.", e);
+        }
     }
 
     private Map<String, String> addMetadataToMap(Map<String, String> map, EncryptionMaterials materials, byte[] iv) {

src/main/java/software/amazon/encryption/s3/internal/InstructionFileConfig.java

@@ -12,6 +12,12 @@
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.encryption.s3.S3EncryptionClientException;
 
+import java.util.HashMap;
+import java.util.Map;
+
+import static software.amazon.encryption.s3.S3EncryptionClientUtilities.INSTRUCTION_FILE_SUFFIX;
+import static software.amazon.encryption.s3.internal.MetadataKeyConstants.INSTRUCTION_FILE;
+
 /**
  * Provides configuration options for instruction file behaviors.
  */
@@ -49,11 +55,23 @@ PutObjectResponse putInstructionFile(PutObjectRequest request, String instructio
         if (!_enableInstructionFilePut) {
             throw new S3EncryptionClientException("Enable Instruction File Put must be set to true in order to call PutObject with an instruction file!");
         }
+
+        // Instruction file DOES NOT contain the same metadata as the actual object
+        Map<String, String> instFileMetadata = new HashMap<>(1);
+        // It contains a key with no value identifying it as an instruction file
+        instFileMetadata.put(INSTRUCTION_FILE, "");
+
+        // In a future release, non-default suffixes will be supported.
+        // Use toBuilder to keep all other fields the same as the actual request
+        final PutObjectRequest instPutRequest = request.toBuilder()
+                .key(request.key() + INSTRUCTION_FILE_SUFFIX)
+                .metadata(instFileMetadata)
+                .build();
         switch (_clientType) {
             case SYNCHRONOUS:
-                return _s3Client.putObject(request, RequestBody.fromString(instructionFileContent));
+                return _s3Client.putObject(instPutRequest, RequestBody.fromString(instructionFileContent));
             case ASYNC:
-                return _s3AsyncClient.putObject(request, AsyncRequestBody.fromString(instructionFileContent)).join();
+                return _s3AsyncClient.putObject(instPutRequest, AsyncRequestBody.fromString(instructionFileContent)).join();
             case DISABLED:
                 // this should never happen because we check enablePut first
                 throw new S3EncryptionClientException("Instruction File has been disabled!");

src/main/java/software/amazon/encryption/s3/internal/MetadataKeyConstants.java

@@ -13,4 +13,6 @@ public class MetadataKeyConstants {
     // This is usually an actual Java cipher e.g. AES/GCM/NoPadding
     public static final String CONTENT_CIPHER = "x-amz-cek-alg";
     public static final String CONTENT_CIPHER_TAG_LENGTH = "x-amz-tag-len";
+    // Only used in instruction files to identify them as such
+    public static final String INSTRUCTION_FILE = "x-amz-crypto-instr-file";
 }

src/main/java/software/amazon/encryption/s3/internal/MultipartUploadObjectPipeline.java

@@ -216,12 +216,13 @@ public void putLocalObject(RequestBody requestBody, String uploadId, OutputStrea
     public static class Builder {
         private final Map<String, MultipartUploadMaterials> _multipartUploadMaterials =
                 Collections.synchronizedMap(new HashMap<>());
-        private final ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy = new ContentMetadataEncodingStrategy();
+        private ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy;
         private S3AsyncClient _s3AsyncClient;
         private CryptographicMaterialsManager _cryptoMaterialsManager;
         private SecureRandom _secureRandom;
         // To Create Cipher which is used in during uploadPart requests.
         private MultipartContentEncryptionStrategy _contentEncryptionStrategy;
+        private InstructionFileConfig _instructionFileConfig;
 
         private Builder() {
         }
@@ -246,6 +247,11 @@ public Builder secureRandom(SecureRandom secureRandom) {
             return this;
         }
 
+        public Builder instructionFileConfig(InstructionFileConfig instructionFileConfig) {
+            this._instructionFileConfig = instructionFileConfig;
+            return this;
+        }
+
         public MultipartUploadObjectPipeline build() {
             // Default to AesGcm since it is the only active (non-legacy) content encryption strategy
             if (_contentEncryptionStrategy == null) {
@@ -254,6 +260,7 @@ public MultipartUploadObjectPipeline build() {
                         .secureRandom(_secureRandom)
                         .build();
             }
+            _contentMetadataEncodingStrategy = new ContentMetadataEncodingStrategy(_instructionFileConfig);
             return new MultipartUploadObjectPipeline(this);
         }
     }

src/test/java/software/amazon/encryption/s3/S3EncryptionClientCompatibilityTest.java

@@ -561,6 +561,7 @@ public void KmsV1toV3() {
 
         CryptoConfiguration v1Config =
                 new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile)
                         .withAwsKmsRegion(KMS_REGION);
 
         AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
@@ -585,7 +586,7 @@ public void KmsV1toV3() {
         assertEquals(input, output);
 
         // Cleanup
-        deleteObject(BUCKET, objectKey, v3Client);
+//        deleteObject(BUCKET, objectKey, v3Client);
         v3Client.close();
     }
 
@@ -596,8 +597,10 @@ public void KmsContextV2toV3() {
         // V2 Client
         EncryptionMaterialsProvider materialsProvider = new KMSEncryptionMaterialsProvider(KMS_KEY_ID);
 
+        CryptoConfigurationV2 config = new CryptoConfigurationV2(CryptoMode.StrictAuthenticatedEncryption);
         AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
                 .withEncryptionMaterialsProvider(materialsProvider)
+                .withCryptoConfiguration(config)
                 .build();
 
         // V3 Client

src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java

@@ -1102,6 +1102,81 @@ public void testInstructionFileConfig() {
         s3Client.close();
     }
 
+    @Test
+    public void testPutWithInstructionFile() {
+        final String objectKey = appendTestSuffix("instruction-file-put-object");
+        final String objectKeyV2 = appendTestSuffix("instruction-file-put-object-v2");
+        final String input = "SimpleTestOfV3EncryptionClient";
+        S3Client wrappedClient = S3Client.create();
+        S3Client s3Client = S3EncryptionClient.builder()
+                .instructionFileConfig(InstructionFileConfig.builder()
+                        .instructionFileClient(wrappedClient)
+                        .enableInstructionFilePutObject(true)
+                        .build())
+                .kmsKeyId(KMS_KEY_ID)
+                .build();
+
+        s3Client.putObject(builder -> builder
+                .bucket(BUCKET)
+                .key(objectKey)
+                .build(), RequestBody.fromString(input));
+
+        // Disabled client should fail
+        S3Client s3ClientDisabledInstructionFile = S3EncryptionClient.builder()
+                .wrappedClient(wrappedClient)
+                .instructionFileConfig(InstructionFileConfig.builder()
+                        .disableInstructionFile(true)
+                        .build())
+                .kmsKeyId(KMS_KEY_ID)
+                .build();
+
+        try {
+            s3ClientDisabledInstructionFile.getObjectAsBytes(builder -> builder
+                    .bucket(BUCKET)
+                    .key(objectKey)
+                    .build());
+            fail("expected exception");
+        } catch (S3EncryptionClientException exception) {
+            assertTrue(exception.getMessage().contains("Exception encountered while fetching Instruction File."));
+        }
+
+        // Get the instruction file separately using a default client
+        S3Client defaultClient = S3Client.create();
+        ResponseBytes<GetObjectResponse> directInstGetResponse = defaultClient.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(objectKey + ".instruction")
+                .build());
+        assertTrue(directInstGetResponse.response().metadata().containsKey("x-amz-crypto-instr-file"));
+
+        ResponseBytes<GetObjectResponse> objectResponse = s3Client.getObjectAsBytes(builder -> builder
+                .bucket(BUCKET)
+                .key(objectKey)
+                .build());
+        String output = objectResponse.asUtf8String();
+        assertEquals(input, output);
+
+
+        // Temporary - Generate an instruction file in V2 to compare against V3
+        // TODO: do this for other keyrings as well
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new KMSEncryptionMaterials(KMS_KEY_ID));
+        CryptoConfigurationV2 cryptoConfig =
+                new CryptoConfigurationV2(CryptoMode.StrictAuthenticatedEncryption)
+                        .withStorageMode(CryptoStorageMode.InstructionFile);
+
+        AmazonS3EncryptionV2 v2Client = AmazonS3EncryptionClientV2.encryptionBuilder()
+                .withCryptoConfiguration(cryptoConfig)
+                .withEncryptionMaterialsProvider(materialsProvider)
+                .build();
+
+        v2Client.putObject(BUCKET, objectKeyV2, input);
+
+        // Cleanup
+//        deleteObject(BUCKET, objectKey, s3Client);
+        s3ClientDisabledInstructionFile.close();
+        s3Client.close();
+    }
+
     /**
      * A simple, reusable round-trip (encryption + decryption) using a given
      * S3Client. Useful for testing client configuration.
@@ -1124,4 +1199,4 @@ private void simpleV3RoundTrip(final S3Client v3Client, final String objectKey)
         String output = objectResponse.asUtf8String();
         assertEquals(input, output);
     }
-}
+}