Fix issue when decrypting noncurrent versions (#2867)

alextwoods · web-flow · commit 11653f6c74c3 · 2023-06-12T09:50:03.000-07:00
diff --git a/gems/aws-sdk-s3/CHANGELOG.md b/gems/aws-sdk-s3/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Fix issue when decrypting noncurrent versions of objects when using client side encryption (#2866). 
+
 1.123.1 (2023-06-02)
 ------------------
 
diff --git a/gems/aws-sdk-s3/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb b/gems/aws-sdk-s3/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb
@@ -173,6 +173,7 @@ def authenticated_decrypter(context, cipher, envelope)
           auth_tag = context.client.get_object(
             bucket: context.params[:bucket],
             key: context.params[:key],
+            version_id: context.params[:version_id],
             range: "bytes=-#{auth_tag_length}"
           ).body.read
 
diff --git a/gems/aws-sdk-s3/spec/encryptionV2/client_functional_spec.rb b/gems/aws-sdk-s3/spec/encryptionV2/client_functional_spec.rb
@@ -434,6 +434,41 @@ def stub_decrypt(kms_client, opts)
             expect(decrypted).to eq(plaintext)
           end
 
+          it 'can encrypt and decrypt non-current versions' do
+            client = Aws::S3::EncryptionV2::Client.new(options)
+
+            data = stub_put(s3_client)
+
+            kms_client.stub_responses(
+              :generate_data_key,
+              {
+                key_id: kms_key_id,
+                ciphertext_blob: kms_ciphertext_blob,
+                plaintext: kms_plaintext
+              }
+            )
+            client.put_object(bucket: test_bucket, key: test_object, body: plaintext)
+            expect(data[:metadata]['x-amz-cek-alg']).to eq('AES/GCM/NoPadding')
+            expect(data[:metadata]['x-amz-wrap-alg']).to eq('kms+context')
+
+            stub_get(s3_client, data, true)
+
+            stub_decrypt(kms_client, any_kms_key: false, response:
+              {
+                key_id: kms_key_id,
+                plaintext: kms_plaintext,
+                encryption_algorithm: "SYMMETRIC_DEFAULT"
+              })
+
+            expect(s3_client).to receive(:get_object)
+                                   .with(hash_including(version_id: 'version_id'))
+                                   .and_call_original
+
+            decrypted = client.get_object(bucket: test_bucket, key: test_object,
+                                          version_id: 'version_id').body.read
+            expect(decrypted).to eq(plaintext)
+          end
+
           context 'security_profile: v2' do
             it 'raises a DecryptionError when reading a legacy object' do
               client_v1 = Aws::S3::Encryption::Client.new(
