Add server side encryption with kms key for blob store (#74)

Author: sandeepvinayak

.gitignore

@@ -3,6 +3,7 @@ target/
 .classpath
 .project
 .idea/
+.claude/
 *.iml
 *.eml
 *.ipr
@@ -17,4 +18,4 @@ nb-configuration.xml
 nbactions.xml
 dependency-reduced-pom.xml
 .vscode
-.flattened-pom.xml
+.flattened-pom.xml

blob/blob-ali/src/main/java/com/salesforce/multicloudj/blob/ali/AliTransformer.java

@@ -74,6 +74,12 @@ protected ObjectMetadata generateObjectMetadata(UploadRequest uploadRequest) {
         ObjectMetadata metadata = new ObjectMetadata();
         metadata.setUserMetadata(uploadRequest.getMetadata());
         metadata.setObjectTagging(uploadRequest.getTags());
+
+        if (uploadRequest.getKmsKeyId() != null && !uploadRequest.getKmsKeyId().isEmpty()) {
+            metadata.setServerSideEncryption(ObjectMetadata.KMS_SERVER_SIDE_ENCRYPTION);
+            metadata.setHeader(OSSHeaders.OSS_SERVER_SIDE_ENCRYPTION_KEY_ID, uploadRequest.getKmsKeyId());
+        }
+
         return metadata;
     }
 

blob/blob-ali/src/test/java/com/salesforce/multicloudj/blob/ali/AliTransformerTest.java

@@ -38,6 +38,7 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
@@ -82,6 +83,46 @@ void testToPutObjectRequest() {
         assertEquals(file, actual.getFile());
     }
 
+    @Test
+    void testToPutObjectRequestWithKmsKey() {
+        var key = "some-key";
+        var metadata = Map.of("some-key", "some-value");
+        var kmsKeyId = "alias/my-kms-key";
+
+        var request = UploadRequest
+                .builder()
+                .withKey(key)
+                .withMetadata(metadata)
+                .withKmsKeyId(kmsKeyId)
+                .build();
+        InputStream inputStream = mock(InputStream.class);
+
+        var actual = transformer.toPutObjectRequest(request, inputStream);
+        assertEquals(BUCKET, actual.getBucketName());
+        assertEquals(key, actual.getKey());
+        assertEquals(metadata, actual.getMetadata().getUserMetadata());
+        assertEquals(ObjectMetadata.KMS_SERVER_SIDE_ENCRYPTION, actual.getMetadata().getServerSideEncryption());
+    }
+
+    @Test
+    void testToPutObjectRequestWithoutKmsKey() {
+        var key = "some-key";
+        var metadata = Map.of("some-key", "some-value");
+
+        var request = UploadRequest
+                .builder()
+                .withKey(key)
+                .withMetadata(metadata)
+                .build();
+        InputStream inputStream = mock(InputStream.class);
+
+        var actual = transformer.toPutObjectRequest(request, inputStream);
+        assertEquals(BUCKET, actual.getBucketName());
+        assertEquals(key, actual.getKey());
+        assertEquals(metadata, actual.getMetadata().getUserMetadata());
+        assertNull(actual.getMetadata().getServerSideEncryption());
+    }
+
     @Test
     void testToUploadResponse() {
         UploadRequest request = UploadRequest

blob/blob-aws/src/main/java/com/salesforce/multicloudj/blob/aws/AwsTransformer.java

@@ -138,13 +138,19 @@ public PutObjectRequest toRequest(UploadRequest request) {
         List<Tag> tags = request.getTags().entrySet().stream()
                 .map(entry -> Tag.builder().key(entry.getKey()).value(entry.getValue()).build())
                 .collect(Collectors.toList());
-        return PutObjectRequest
+        PutObjectRequest.Builder builder = PutObjectRequest
                 .builder()
                 .bucket(getBucket())
                 .key(request.getKey())
                 .metadata(request.getMetadata())
-                .tagging(Tagging.builder().tagSet(tags).build())
-                .build();
+                .tagging(Tagging.builder().tagSet(tags).build());
+
+        if (request.getKmsKeyId() != null && !request.getKmsKeyId().isEmpty()) {
+            builder.serverSideEncryption("aws:kms")
+                   .ssekmsKeyId(request.getKmsKeyId());
+        }
+
+        return builder.build();
     }
 
     public GetObjectRequest toRequest(DownloadRequest request) {

blob/blob-aws/src/test/java/com/salesforce/multicloudj/blob/aws/AwsTransformerTest.java

@@ -103,6 +103,50 @@ void testUpload() {
         assertEquals(expected, transformer.toRequest(request));
     }
 
+    @Test
+    void testUploadWithKmsKey() {
+        var key = "some-key";
+        var metadata = Map.of("some-key", "some-value");
+        var tags = Map.of("tag-key", "tag-value");
+        var kmsKeyId = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012";
+
+        var request = UploadRequest
+                .builder()
+                .withKey(key)
+                .withMetadata(metadata)
+                .withTags(tags)
+                .withKmsKeyId(kmsKeyId)
+                .build();
+
+        var actual = transformer.toRequest(request);
+
+        assertEquals(BUCKET, actual.bucket());
+        assertEquals(key, actual.key());
+        assertEquals(metadata, actual.metadata());
+        assertEquals("aws:kms", actual.serverSideEncryptionAsString());
+        assertEquals(kmsKeyId, actual.ssekmsKeyId());
+    }
+
+    @Test
+    void testUploadWithoutKmsKey() {
+        var key = "some-key";
+        var metadata = Map.of("some-key", "some-value");
+
+        var request = UploadRequest
+                .builder()
+                .withKey(key)
+                .withMetadata(metadata)
+                .build();
+
+        var actual = transformer.toRequest(request);
+
+        assertEquals(BUCKET, actual.bucket());
+        assertEquals(key, actual.key());
+        assertEquals(metadata, actual.metadata());
+        assertNull(actual.serverSideEncryptionAsString());
+        assertNull(actual.ssekmsKeyId());
+    }
+
     @Test
     void testListBlobsBatch() {
         var prefixes = Arrays.asList("some/prefix", "some/other/prefix");

blob/blob-client/src/main/java/com/salesforce/multicloudj/blob/driver/DownloadRequest.java

@@ -12,12 +12,14 @@ public class DownloadRequest {
     private final String versionId;
     private final Long start;
     private final Long end;
+    private final String kmsKeyId;
 
     private DownloadRequest(Builder builder) {
         this.key = builder.key;
         this.versionId = builder.versionId;
         this.start = builder.start;
         this.end = builder.end;
+        this.kmsKeyId = builder.kmsKeyId;
     }
 
     public static Builder builder() {
@@ -29,6 +31,7 @@ public static class Builder {
         private String versionId;
         private Long start;
         private Long end;
+        private String kmsKeyId;
 
         /**
          * Specifies the key of the Blob to download.
@@ -78,6 +81,15 @@ public Builder withRange(Long start, Long end) {
             return this;
         }
 
+        /**
+         * (Optional) Specifies the KMS key ID or ARN to use for decrypting the blob.
+         * This is only needed if the blob was encrypted with a customer-managed KMS key.
+         */
+        public Builder withKmsKeyId(String kmsKeyId) {
+            this.kmsKeyId = kmsKeyId;
+            return this;
+        }
+
         public DownloadRequest build() {
             return new DownloadRequest(this);
         }

blob/blob-client/src/main/java/com/salesforce/multicloudj/blob/driver/UploadRequest.java

@@ -31,12 +31,17 @@ public class UploadRequest {
      * (Optional parameter) The map of tagName->tagValue to be associated with the blob
      */
     private final Map<String, String> tags;
+    /**
+     * (Optional parameter) The KMS key ID or ARN to use for server-side encryption
+     */
+    private final String kmsKeyId;
 
     private UploadRequest(Builder builder) {
         this.key = builder.key;
         this.contentLength = builder.contentLength;
         this.metadata = builder.metadata;
         this.tags = builder.tags;
+        this.kmsKeyId = builder.kmsKeyId;
     }
 
     public Map<String, String> getMetadata() {
@@ -52,6 +57,7 @@ public static class Builder {
         private long contentLength;
         private Map<String, String> metadata = Collections.emptyMap();
         private Map<String, String> tags = Collections.emptyMap();
+        private String kmsKeyId;
 
         public Builder withKey(String key) {
             this.key = key;
@@ -73,6 +79,11 @@ public Builder withTags(Map<String, String> tags) {
             return this;
         }
 
+        public Builder withKmsKeyId(String kmsKeyId) {
+            this.kmsKeyId = kmsKeyId;
+            return this;
+        }
+
         public UploadRequest build() {
             return new UploadRequest(this);
         }

blob/blob-client/src/test/java/com/salesforce/multicloudj/blob/driver/DownloadRequestTest.java

@@ -0,0 +1,101 @@
+package com.salesforce.multicloudj.blob.driver;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+public class DownloadRequestTest {
+
+    @Test
+    void testBuilder_WithAllFields() {
+        // Given
+        String key = "test-key";
+        String versionId = "v1";
+        Long start = 0L;
+        Long end = 100L;
+        String kmsKeyId = "arn:aws:kms:us-east-1:123456789012:key/test-key-id";
+
+        // When
+        DownloadRequest request = DownloadRequest.builder()
+                .withKey(key)
+                .withVersionId(versionId)
+                .withRange(start, end)
+                .withKmsKeyId(kmsKeyId)
+                .build();
+
+        // Then
+        assertEquals(key, request.getKey());
+        assertEquals(versionId, request.getVersionId());
+        assertEquals(start, request.getStart());
+        assertEquals(end, request.getEnd());
+        assertEquals(kmsKeyId, request.getKmsKeyId());
+    }
+
+    @Test
+    void testBuilder_WithoutKmsKeyId() {
+        // Given
+        String key = "test-key";
+
+        // When
+        DownloadRequest request = DownloadRequest.builder()
+                .withKey(key)
+                .build();
+
+        // Then
+        assertEquals(key, request.getKey());
+        assertNull(request.getKmsKeyId());
+    }
+
+    @Test
+    void testBuilder_WithEmptyKmsKeyId() {
+        // Given
+        String key = "test-key";
+        String kmsKeyId = "";
+
+        // When
+        DownloadRequest request = DownloadRequest.builder()
+                .withKey(key)
+                .withKmsKeyId(kmsKeyId)
+                .build();
+
+        // Then
+        assertEquals(key, request.getKey());
+        assertEquals(kmsKeyId, request.getKmsKeyId());
+    }
+
+    @Test
+    void testBuilder_MinimalFields() {
+        // Given
+        String key = "test-key";
+
+        // When
+        DownloadRequest request = DownloadRequest.builder()
+                .withKey(key)
+                .build();
+
+        // Then
+        assertNotNull(request);
+        assertEquals(key, request.getKey());
+    }
+
+    @Test
+    void testBuilder_WithRange() {
+        // Given
+        String key = "test-key";
+        Long start = 100L;
+        Long end = 200L;
+
+        // When
+        DownloadRequest request = DownloadRequest.builder()
+                .withKey(key)
+                .withRange(start, end)
+                .build();
+
+        // Then
+        assertEquals(key, request.getKey());
+        assertEquals(start, request.getStart());
+        assertEquals(end, request.getEnd());
+    }
+}