use async implementation for default api (#73)

kessplas · web-flow · commit 3ac4609b29e5 · 2023-02-07T09:58:42.000-08:00
* use async implementation for default api (putObject and uploadPart)
diff --git a/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java b/src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java
@@ -3,10 +3,12 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
 import software.amazon.awssdk.awscore.exception.AwsServiceException;
+import software.amazon.awssdk.core.async.AsyncRequestBody;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.interceptor.ExecutionAttribute;
 import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.core.sync.ResponseTransformer;
+import software.amazon.awssdk.services.s3.S3AsyncClient;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.AbortMultipartUploadRequest;
 import software.amazon.awssdk.services.s3.model.AbortMultipartUploadResponse;
@@ -48,8 +50,10 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.function.Consumer;
 
@@ -126,13 +130,14 @@ public PutObjectResponse putObject(PutObjectRequest putObjectRequest, RequestBod
                 throw new S3EncryptionClientException("Exception while performing Multipart Upload PutObject", e);
             }
         }
-
         PutEncryptedObjectPipeline pipeline = PutEncryptedObjectPipeline.builder()
-                .s3Client(_wrappedClient)
+                .s3AsyncClient(S3AsyncClient.create())
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
                 .secureRandom(_secureRandom)
                 .build();
-        return pipeline.putObject(putObjectRequest, requestBody);
+
+        CompletableFuture<PutObjectResponse> futurePut = pipeline.putObject(putObjectRequest, AsyncRequestBody.fromInputStream(requestBody.contentStreamProvider().newStream(), requestBody.optionalContentLength().orElse(-1L), Executors.newSingleThreadExecutor()));
+        return futurePut.join();
     }
 
     @Override
diff --git a/src/main/java/software/amazon/encryption/s3/internal/CipherSubscriber.java b/src/main/java/software/amazon/encryption/s3/internal/CipherSubscriber.java
@@ -36,6 +36,12 @@ public void onNext(ByteBuffer byteBuffer) {
         if (amountToReadFromByteBuffer > 0) {
             byte[] buf = BinaryUtils.copyBytesFrom(byteBuffer, amountToReadFromByteBuffer);
             outputBuffer = cipher.update(buf, 0, amountToReadFromByteBuffer);
+            if (outputBuffer == null && amountToReadFromByteBuffer < cipher.getBlockSize()) {
+                // The underlying data is too short to fill in the block cipher
+                // This is true at the end of the file, so complete to get the final
+                // bytes
+                this.onComplete();
+            }
             wrappedSubscriber.onNext(ByteBuffer.wrap(outputBuffer));
         } else {
             // Do nothing
diff --git a/src/main/java/software/amazon/encryption/s3/internal/ContentEncryptionStrategy.java b/src/main/java/software/amazon/encryption/s3/internal/ContentEncryptionStrategy.java
diff --git a/src/main/java/software/amazon/encryption/s3/internal/MultipartUploadObjectPipeline.java b/src/main/java/software/amazon/encryption/s3/internal/MultipartUploadObjectPipeline.java
@@ -2,8 +2,10 @@
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import software.amazon.awssdk.awscore.exception.AwsServiceException;
+import software.amazon.awssdk.core.async.AsyncRequestBody;
 import software.amazon.awssdk.core.exception.SdkClientException;
 import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.services.s3.S3AsyncClient;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.AbortMultipartUploadRequest;
 import software.amazon.awssdk.services.s3.model.AbortMultipartUploadResponse;
@@ -28,10 +30,12 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.Executors;
 
 public class MultipartUploadObjectPipeline {
 
     final private S3Client _s3Client;
+    final private S3AsyncClient _s3AsyncClient;
     final private CryptographicMaterialsManager _cryptoMaterialsManager;
     final private MultipartContentEncryptionStrategy _contentEncryptionStrategy;
     final private ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy;
@@ -42,6 +46,7 @@ public class MultipartUploadObjectPipeline {
 
     private MultipartUploadObjectPipeline(Builder builder) {
         this._s3Client = builder._s3Client;
+        this._s3AsyncClient = S3AsyncClient.create(); // TODO plumbing
         this._cryptoMaterialsManager = builder._cryptoMaterialsManager;
         this._contentEncryptionStrategy = builder._contentEncryptionStrategy;
         this._contentMetadataEncodingStrategy = builder._contentMetadataEncodingStrategy;
@@ -76,38 +81,37 @@ public UploadPartResponse uploadPart(UploadPartRequest request, RequestBody requ
             throws AwsServiceException, SdkClientException {
         final AlgorithmSuite algorithmSuite = AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF;
         final int blockSize = algorithmSuite.cipherBlockSizeBytes();
-        final String uploadId = request.uploadId();
         final long partSize = requestBody.optionalContentLength().orElse(-1L);
         final int cipherTagLength = isLastPart ? algorithmSuite.cipherTagLengthBytes() : 0;
+        final long ciphertextLength = partSize + cipherTagLength;
         final boolean partSizeMultipleOfCipherBlockSize = 0 == (partSize % blockSize);
+
         if (!isLastPart && !partSizeMultipleOfCipherBlockSize) {
-            throw new S3EncryptionClientException(
-                    "Invalid part size: part sizes for encrypted multipart uploads must be multiples "
-                            + "of the cipher block size ("
-                            + blockSize
-                            + ") with the exception of the last part.");
+            throw new S3EncryptionClientException("Invalid part size: part sizes for encrypted multipart uploads must " +
+                    "be multiples of the cipher block size (" + blockSize + ") with the exception of the last part.");
         }
+
+        final String uploadId = request.uploadId();
         final MultipartUploadContext uploadContext = _multipartUploadContexts.get(uploadId);
         if (uploadContext == null) {
-            throw new S3EncryptionClientException(
-                    "No client-side information available on upload ID " + uploadId);
+            throw new S3EncryptionClientException("No client-side information available on upload ID " + uploadId);
         }
         final UploadPartResponse response;
         // Checks the parts are uploaded in series
         uploadContext.beginPartUpload(request.partNumber());
         Cipher cipher = uploadContext.getCipher();
         try {
-            final InputStream cipherInputStream = new AuthenticatedCipherInputStream(requestBody.contentStreamProvider().newStream(), cipher, true, isLastPart);
+            final AsyncRequestBody cipherAsyncRequestBody = new CipherAsyncRequestBody(cipher, AsyncRequestBody.fromInputStream(requestBody.contentStreamProvider().newStream(), request.contentLength(), Executors.newSingleThreadExecutor()), ciphertextLength);
             // The last part of the multipart upload will contain an extra
             // 16-byte mac
             if (isLastPart) {
                 if (uploadContext.hasFinalPartBeenSeen()) {
-                    throw new S3EncryptionClientException(
-                            "This part was specified as the last part in a multipart upload, but a previous part was already marked as the last part.  "
-                                    + "Only the last part of the upload should be marked as the last part.");
+                    throw new S3EncryptionClientException("This part was specified as the last part in a multipart " +
+                            "upload, but a previous part was already marked as the last part. Only the last part of the " +
+                            "upload should be marked as the last part.");
                 }
             }
-            response = _s3Client.uploadPart(request, RequestBody.fromInputStream(cipherInputStream, partSize + cipherTagLength));
+            response =  _s3AsyncClient.uploadPart(request, cipherAsyncRequestBody).join();
         } finally {
             uploadContext.endPartUpload();
         }
diff --git a/src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java b/src/main/java/software/amazon/encryption/s3/internal/PutEncryptedObjectPipeline.java
@@ -2,9 +2,7 @@
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import software.amazon.awssdk.core.async.AsyncRequestBody;
-import software.amazon.awssdk.core.sync.RequestBody;
 import software.amazon.awssdk.services.s3.S3AsyncClient;
-import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
 import software.amazon.encryption.s3.materials.CryptographicMaterialsManager;
@@ -18,22 +16,18 @@
 
 public class PutEncryptedObjectPipeline {
 
-    final private S3Client _s3Client;
     final private S3AsyncClient _s3AsyncClient;
     final private CryptographicMaterialsManager _cryptoMaterialsManager;
     final private AsyncContentEncryptionStrategy _asyncContentEncryptionStrategy;
-    final private ContentEncryptionStrategy _contentEncryptionStrategy;
     final private ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy;
 
     public static Builder builder() {
         return new Builder();
     }
 
     private PutEncryptedObjectPipeline(Builder builder) {
-        this._s3Client = builder._s3Client;
         this._s3AsyncClient = builder._s3AsyncClient;
         this._cryptoMaterialsManager = builder._cryptoMaterialsManager;
-        this._contentEncryptionStrategy = builder._contentEncryptionStrategy;
         this._asyncContentEncryptionStrategy = builder._asyncContentEncryptionStrategy;
         this._contentMetadataEncodingStrategy = builder._contentMetadataEncodingStrategy;
     }
@@ -53,52 +47,23 @@ public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest request,
         return _s3AsyncClient.putObject(encryptedPutRequest, encryptedContent.getAsyncCiphertext());
     }
 
-    public PutObjectResponse putObject(PutObjectRequest request, RequestBody requestBody) {
-        EncryptionMaterialsRequest.Builder requestBuilder = EncryptionMaterialsRequest.builder()
-                .s3Request(request)
-                .plaintextLength(requestBody.optionalContentLength().orElse(-1L));
-
-        EncryptionMaterials materials = _cryptoMaterialsManager.getEncryptionMaterials(requestBuilder.build());
-
-        EncryptedContent encryptedContent = _contentEncryptionStrategy.encryptContent(materials, requestBody.contentStreamProvider().newStream());
-
-        Map<String, String> metadata = new HashMap<>(request.metadata());
-        metadata = _contentMetadataEncodingStrategy.encodeMetadata(materials, encryptedContent.getNonce(), metadata);
-        request = request.toBuilder().metadata(metadata).build();
-
-        return _s3Client.putObject(request, RequestBody.fromInputStream(encryptedContent.getCiphertext(), encryptedContent.getCiphertextLength()));
-    }
-
     public static class Builder {
-        private S3Client _s3Client;
         private S3AsyncClient _s3AsyncClient;
         private CryptographicMaterialsManager _cryptoMaterialsManager;
         private SecureRandom _secureRandom;
         private AsyncContentEncryptionStrategy _asyncContentEncryptionStrategy;
-        private ContentEncryptionStrategy _contentEncryptionStrategy;
         private final ContentMetadataEncodingStrategy _contentMetadataEncodingStrategy = ContentMetadataStrategy.OBJECT_METADATA;
 
 
         private Builder() {
         }
 
-        /**
-         * Note that this does NOT create a defensive clone of S3Client. Any modifications made to the wrapped
-         * S3Client will be reflected in this Builder.
-         */
-        @SuppressFBWarnings(value = "EI_EXPOSE_REP2", justification = "Pass mutability into wrapping client")
-        public Builder s3Client(S3Client s3Client) {
-            this._s3Client = s3Client;
-            return this;
-        }
-
         /**
          * Note that this does NOT create a defensive clone of S3Client. Any modifications made to the wrapped
          * S3Client will be reflected in this Builder.
          */
         @SuppressFBWarnings(value = "EI_EXPOSE_REP2", justification = "Pass mutability into wrapping client")
         public Builder s3AsyncClient(S3AsyncClient s3AsyncClient) {
-            // TODO: This needs similar "onlyOneOrNull" logic
             this._s3AsyncClient = s3AsyncClient;
             return this;
         }
@@ -115,12 +80,6 @@ public Builder secureRandom(SecureRandom secureRandom) {
 
         public PutEncryptedObjectPipeline build() {
             // Default to AesGcm since it is the only active (non-legacy) content encryption strategy
-            if (_contentEncryptionStrategy == null) {
-                _contentEncryptionStrategy = StreamingAesGcmContentStrategy
-                        .builder()
-                        .secureRandom(_secureRandom)
-                        .build();
-            }
             if (_asyncContentEncryptionStrategy == null) {
                 _asyncContentEncryptionStrategy = StreamingAesGcmContentStrategy
                         .builder()
diff --git a/src/main/java/software/amazon/encryption/s3/internal/StreamingAesGcmContentStrategy.java b/src/main/java/software/amazon/encryption/s3/internal/StreamingAesGcmContentStrategy.java
@@ -15,7 +15,7 @@
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 
-public class StreamingAesGcmContentStrategy implements ContentEncryptionStrategy, ContentDecryptionStrategy, AsyncContentEncryptionStrategy, MultipartContentEncryptionStrategy {
+public class StreamingAesGcmContentStrategy implements ContentDecryptionStrategy, AsyncContentEncryptionStrategy, MultipartContentEncryptionStrategy {
 
     final private SecureRandom _secureRandom;
 
@@ -27,14 +27,6 @@ public static Builder builder() {
         return new Builder();
     }
 
-    @Override
-    public EncryptedContent encryptContent(EncryptionMaterials materials, InputStream content) {
-        final byte[] nonce = new byte[materials.algorithmSuite().nonceLengthBytes()];
-        final Cipher cipher = prepareCipher(materials, nonce);
-        final InputStream ciphertext = new AuthenticatedCipherInputStream(content, cipher);
-        return new EncryptedContent(nonce, ciphertext, materials.getCiphertextLength());
-    }
-
     @Override
     public EncryptedContent initMultipartEncryption(EncryptionMaterials materials) {
         final byte[] nonce = new byte[materials.algorithmSuite().nonceLengthBytes()];
@@ -45,6 +37,11 @@ public EncryptedContent initMultipartEncryption(EncryptionMaterials materials) {
 
     @Override
     public EncryptedContent encryptContent(EncryptionMaterials materials, AsyncRequestBody content) {
+        if (materials.getPlaintextLength() > AlgorithmSuite.ALG_AES_256_GCM_IV12_TAG16_NO_KDF.cipherMaxContentLengthBytes()) {
+            throw new S3EncryptionClientException("The contentLength of the object you are attempting to encrypt exceeds" +
+                    "the maximum length allowed for GCM encryption.");
+        }
+
         final byte[] nonce = new byte[materials.algorithmSuite().nonceLengthBytes()];
         final Cipher cipher = prepareCipher(materials, nonce);
 
