Add SSE for pre signed URLs for AWS/GCP/ALI (#75)

Author: sandeepvinayak

README.md

@@ -1,6 +1,8 @@
-# 
+#
 
-[![Build Status](https://github.com/salesforce/multicloudj/actions/workflows/build-test-codecov.yml/badge.svg)](https://github.com/salesforce/multicloudj/actions/workflows/build-test-codecov.yml)
+[![Java 11 Build](https://github.com/salesforce/multicloudj/actions/workflows/java11-build.yml/badge.svg)](https://github.com/salesforce/multicloudj/actions/workflows/java11-build.yml)
+[![Java 17 Build](https://github.com/salesforce/multicloudj/actions/workflows/java17-build.yml/badge.svg)](https://github.com/salesforce/multicloudj/actions/workflows/java17-build.yml)
+[![Java 21 Build](https://github.com/salesforce/multicloudj/actions/workflows/java21-build.yml/badge.svg)](https://github.com/salesforce/multicloudj/actions/workflows/java21-build.yml)
 [![codecov](https://codecov.io/gh/salesforce/multicloudj/branch/main/graph/badge.svg)](https://codecov.io/gh/salesforce/multicloudj)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Maven Central](https://img.shields.io/maven-central/v/com.salesforce.multicloudj/multicloudj-parent.svg?label=Maven%20Central)](https://central.sonatype.com/artifact/com.salesforce.multicloudj/multicloudj-parent)

blob/blob-ali/src/main/java/com/salesforce/multicloudj/blob/ali/AliTransformer.java

@@ -260,6 +260,13 @@ public GeneratePresignedUrlRequest toPresignedUrlUploadRequest(PresignedUrlReque
         if(encodedTagging instanceof String) {
             presignedUrlRequest.addHeader(OSSHeaders.OSS_TAGGING, (String)encodedTagging);
         }
+
+        // Add KMS encryption headers if KMS key is specified
+        if(request.getKmsKeyId() != null && !request.getKmsKeyId().isEmpty()) {
+            presignedUrlRequest.addHeader(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION, ObjectMetadata.KMS_SERVER_SIDE_ENCRYPTION);
+            presignedUrlRequest.addHeader(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION_KEY_ID, request.getKmsKeyId());
+        }
+
         return presignedUrlRequest;
     }
 

blob/blob-ali/src/test/java/com/salesforce/multicloudj/blob/ali/AliTransformerTest.java

@@ -504,6 +504,54 @@ void testToPresignedUrlUploadRequest() {
         assertNotNull(actual.getExpiration());
     }
 
+    @Test
+    void testToPresignedUrlUploadRequestWithKmsKey() {
+        Map<String, String> metadata = Map.of("key-1", "value-1");
+        String kmsKeyId = "alias/my-kms-key";
+        Duration duration = Duration.ofHours(12);
+        PresignedUrlRequest presignedUploadRequest = PresignedUrlRequest.builder()
+                .type(PresignedOperation.UPLOAD)
+                .key("object-1")
+                .metadata(metadata)
+                .kmsKeyId(kmsKeyId)
+                .duration(duration)
+                .build();
+
+        var actual = transformer.toPresignedUrlUploadRequest(presignedUploadRequest);
+
+        assertEquals(HttpMethod.PUT, actual.getMethod());
+        assertEquals(BUCKET, actual.getBucketName());
+        assertEquals("object-1", actual.getKey());
+        Map<String,String> headers = actual.getHeaders();
+        assertEquals(ObjectMetadata.KMS_SERVER_SIDE_ENCRYPTION, headers.get(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION));
+        assertEquals(kmsKeyId, headers.get(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION_KEY_ID));
+        assertEquals("value-1", actual.getUserMetadata().get("key-1"));
+        assertNotNull(actual.getExpiration());
+    }
+
+    @Test
+    void testToPresignedUrlUploadRequestWithoutKmsKey() {
+        Map<String, String> metadata = Map.of("key-1", "value-1");
+        Duration duration = Duration.ofHours(12);
+        PresignedUrlRequest presignedUploadRequest = PresignedUrlRequest.builder()
+                .type(PresignedOperation.UPLOAD)
+                .key("object-1")
+                .metadata(metadata)
+                .duration(duration)
+                .build();
+
+        var actual = transformer.toPresignedUrlUploadRequest(presignedUploadRequest);
+
+        assertEquals(HttpMethod.PUT, actual.getMethod());
+        assertEquals(BUCKET, actual.getBucketName());
+        assertEquals("object-1", actual.getKey());
+        Map<String,String> headers = actual.getHeaders();
+        assertNull(headers.get(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION));
+        assertNull(headers.get(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION_KEY_ID));
+        assertEquals("value-1", actual.getUserMetadata().get("key-1"));
+        assertNotNull(actual.getExpiration());
+    }
+
     @Test
     void testToPresignedUrlDownloadRequest() {
         Duration duration = Duration.ofHours(12);

blob/blob-aws/src/main/java/com/salesforce/multicloudj/blob/aws/AwsTransformer.java

@@ -355,6 +355,9 @@ public PutObjectPresignRequest toPutObjectPresignRequest(PresignedUrlRequest req
         if(request.getTags() != null) {
             builder.withTags(request.getTags());
         }
+        if(request.getKmsKeyId() != null) {
+            builder.withKmsKeyId(request.getKmsKeyId());
+        }
         UploadRequest uploadRequest = builder.build();
 
         return PutObjectPresignRequest.builder()

blob/blob-aws/src/test/java/com/salesforce/multicloudj/blob/aws/AwsTransformerTest.java

@@ -494,6 +494,46 @@ void testToPutObjectPresignRequest() {
         assertEquals(Duration.ofHours(4), actualRequest.signatureDuration());
     }
 
+    @Test
+    void testToPutObjectPresignRequestWithKmsKey() {
+        Map<String, String> metadata = Map.of("some-key", "some-value");
+        Map<String, String> tags = Map.of("tag-key", "tag-value");
+        String kmsKeyId = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012";
+        PresignedUrlRequest presignedUrlRequest = PresignedUrlRequest.builder()
+                .type(PresignedOperation.UPLOAD)
+                .key("object-1")
+                .duration(Duration.ofHours(4))
+                .metadata(metadata)
+                .tags(tags)
+                .kmsKeyId(kmsKeyId)
+                .build();
+        PutObjectPresignRequest actualRequest = transformer.toPutObjectPresignRequest(presignedUrlRequest);
+        assertEquals(BUCKET, actualRequest.putObjectRequest().bucket());
+        assertEquals("object-1", actualRequest.putObjectRequest().key());
+        assertEquals(metadata, actualRequest.putObjectRequest().metadata());
+        assertEquals("tag-key=tag-value", actualRequest.putObjectRequest().tagging());
+        assertEquals(Duration.ofHours(4), actualRequest.signatureDuration());
+        assertEquals("aws:kms", actualRequest.putObjectRequest().serverSideEncryptionAsString());
+        assertEquals(kmsKeyId, actualRequest.putObjectRequest().ssekmsKeyId());
+    }
+
+    @Test
+    void testToPutObjectPresignRequestWithoutKmsKey() {
+        Map<String, String> metadata = Map.of("some-key", "some-value");
+        PresignedUrlRequest presignedUrlRequest = PresignedUrlRequest.builder()
+                .type(PresignedOperation.UPLOAD)
+                .key("object-1")
+                .duration(Duration.ofHours(4))
+                .metadata(metadata)
+                .build();
+        PutObjectPresignRequest actualRequest = transformer.toPutObjectPresignRequest(presignedUrlRequest);
+        assertEquals(BUCKET, actualRequest.putObjectRequest().bucket());
+        assertEquals("object-1", actualRequest.putObjectRequest().key());
+        assertEquals(metadata, actualRequest.putObjectRequest().metadata());
+        assertNull(actualRequest.putObjectRequest().serverSideEncryptionAsString());
+        assertNull(actualRequest.putObjectRequest().ssekmsKeyId());
+    }
+
     @Test
     void testToGetObjectPresignRequest() {
         PresignedUrlRequest presignedUrlRequest = PresignedUrlRequest.builder()

blob/blob-client/src/main/java/com/salesforce/multicloudj/blob/driver/PresignedUrlRequest.java

@@ -37,4 +37,9 @@ public class PresignedUrlRequest {
      * Optional: Specify the tags to be used in a presignedUrl upload
      */
     private final Map<String, String> tags;
+
+    /**
+     * Optional: Specify the KMS key ID to be used for encryption in a presignedUrl upload
+     */
+    private final String kmsKeyId;
 }

blob/blob-client/src/test/java/com/salesforce/multicloudj/blob/driver/PresignedUrlRequestTest.java

@@ -0,0 +1,97 @@
+package com.salesforce.multicloudj.blob.driver;
+
+import org.junit.jupiter.api.Test;
+
+import java.time.Duration;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+public class PresignedUrlRequestTest {
+
+    @Test
+    void testBuilderWithAllFields() {
+        String key = "test-key";
+        Duration duration = Duration.ofHours(1);
+        PresignedOperation type = PresignedOperation.UPLOAD;
+        Map<String, String> metadata = Map.of("key1", "value1");
+        Map<String, String> tags = Map.of("tag1", "tagValue1");
+        String kmsKeyId = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012";
+
+        PresignedUrlRequest request = PresignedUrlRequest.builder()
+                .key(key)
+                .duration(duration)
+                .type(type)
+                .metadata(metadata)
+                .tags(tags)
+                .kmsKeyId(kmsKeyId)
+                .build();
+
+        assertEquals(key, request.getKey());
+        assertEquals(duration, request.getDuration());
+        assertEquals(type, request.getType());
+        assertEquals(metadata, request.getMetadata());
+        assertEquals(tags, request.getTags());
+        assertEquals(kmsKeyId, request.getKmsKeyId());
+    }
+
+    @Test
+    void testBuilderWithNullKmsKey() {
+        String key = "test-key";
+        Duration duration = Duration.ofHours(1);
+        PresignedOperation type = PresignedOperation.DOWNLOAD;
+
+        PresignedUrlRequest request = PresignedUrlRequest.builder()
+                .key(key)
+                .duration(duration)
+                .type(type)
+                .kmsKeyId(null)
+                .build();
+
+        assertEquals(key, request.getKey());
+        assertEquals(duration, request.getDuration());
+        assertEquals(type, request.getType());
+        assertNull(request.getKmsKeyId());
+    }
+
+    @Test
+    void testBuilderWithEmptyKmsKey() {
+        String key = "test-key";
+        Duration duration = Duration.ofHours(1);
+        PresignedOperation type = PresignedOperation.UPLOAD;
+
+        PresignedUrlRequest request = PresignedUrlRequest.builder()
+                .key(key)
+                .duration(duration)
+                .type(type)
+                .kmsKeyId("")
+                .build();
+
+        assertEquals(key, request.getKey());
+        assertEquals(duration, request.getDuration());
+        assertEquals(type, request.getType());
+        assertEquals("", request.getKmsKeyId());
+    }
+
+    @Test
+    void testBuilderWithoutKmsKey() {
+        String key = "test-key";
+        Duration duration = Duration.ofHours(1);
+        PresignedOperation type = PresignedOperation.UPLOAD;
+        Map<String, String> metadata = Map.of("key1", "value1");
+
+        PresignedUrlRequest request = PresignedUrlRequest.builder()
+                .key(key)
+                .duration(duration)
+                .type(type)
+                .metadata(metadata)
+                .build();
+
+        assertEquals(key, request.getKey());
+        assertEquals(duration, request.getDuration());
+        assertEquals(type, request.getType());
+        assertEquals(metadata, request.getMetadata());
+        assertNull(request.getKmsKeyId());
+    }
+}

blob/blob-gcp/src/main/java/com/salesforce/multicloudj/blob/gcp/GcpBlobStore.java

@@ -62,6 +62,7 @@
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -373,11 +374,21 @@ protected URL doGeneratePresignedUrl(PresignedUrlRequest request) {
                 httpMethod = HttpMethod.GET;
                 break;
         }
+        List<Storage.SignUrlOption> options = new ArrayList<>();
+        options.add(Storage.SignUrlOption.httpMethod(httpMethod));
+        options.add(Storage.SignUrlOption.withV4Signature());
+
+        // Add KMS encryption header if specified
+        if (request.getKmsKeyId() != null && !request.getKmsKeyId().isEmpty()) {
+            Map<String, String> extHeaders = new HashMap<>();
+            extHeaders.put("x-goog-encryption-kms-key-name", request.getKmsKeyId());
+            options.add(Storage.SignUrlOption.withExtHeaders(extHeaders));
+        }
+
         return storage.signUrl(blobInfo,
                 request.getDuration().toMillis(),
                 TimeUnit.MILLISECONDS,
-                Storage.SignUrlOption.httpMethod(httpMethod),
-                Storage.SignUrlOption.withV4Signature());
+                options.toArray(new Storage.SignUrlOption[0]));
     }
 
     @Override