def build_header(self, headers=None, multipart_context=None):
if not isinstance(headers, CaseInsensitiveDict):
headers = CaseInsensitiveDict(headers)
if 'content-md5' in headers:
headers[
OSS_CLIENT_SIDE_ENCRYPTION_UNENCRYPTED_CONTENT_MD5] = headers[
'content-md5']
del headers['content-md5']
if 'content-length' in headers:
headers[
OSS_CLIENT_SIDE_ENCRYPTION_UNENCRYPTED_CONTENT_LENGTH] = headers[
'content-length']
del headers['content-length']
headers[OSS_CLIENT_SIDE_ENCRYPTION_KEY] = b64encode_as_string(
self.public_key.encrypt(self.plain_key))
headers[OSS_CLIENT_SIDE_ENCRYPTION_START] = b64encode_as_string(
self.public_key.encrypt(to_bytes(str(self.plain_iv))))
headers[OSS_CLIENT_SIDE_ENCRYPTION_CEK_ALG] = self.cipher.ALGORITHM
headers[OSS_CLIENT_SIDE_ENCRYPTION_WRAP_ALG] = 'custom'
# multipart file build header
if multipart_context:
headers[OSS_CLIENT_SIDE_ENCRYPTION_DATA_SIZE] = str(
multipart_context.data_size)
headers[OSS_CLIENT_SIDE_ENCRYPTION_PART_SIZE] = str(
multipart_context.part_size)
self.plain_key = None
self.plain_iv = None
return headers
def build_header(self, headers=None):
if not isinstance(headers, CaseInsensitiveDict):
headers = CaseInsensitiveDict(headers)
if 'content-md5' in headers:
headers['x-oss-meta-unencrypted-content-md5'] = headers[
'content-md5']
del headers['content-md5']
if 'content-length' in headers:
headers['x-oss-meta-unencrypted-content-length'] = headers[
'content-length']
del headers['content-length']
headers['x-oss-meta-oss-crypto-key'] = b64encode_as_string(
self.public_key.encrypt(self.plain_key))
headers['x-oss-meta-oss-crypto-start'] = b64encode_as_string(
self.public_key.encrypt(to_bytes(str(self.plain_start))))
headers['x-oss-meta-oss-cek-alg'] = self.cipher.ALGORITHM
headers['x-oss-meta-oss-wrap-alg'] = 'custom'
self.plain_key = None
self.plain_start = None
return headers
def make_get_encrypted_object(key,
content,
content_crypto_material,
invalid_cek_alg='',
ranges=None):
request_text = '''GET /{0} HTTP/1.1
Host: ming-oss-share.oss-cn-hangzhou.aliyuncs.com
Accept-Encoding: identity
Connection: keep-alive
date: Sat, 12 Dec 2015 00:35:53 GMT
User-Agent: aliyun-sdk-python/2.0.2(Windows/7/;3.3.3)
Accept: */*
authorization: OSS ZCDmm7TPZKHtx77j:PAedG7U86ZxQ2WTB+GdpSltoiTI='''.format(key)
encrypted_key = utils.b64encode_as_string(
content_crypto_material.encrypted_key)
encrypted_iv = utils.b64encode_as_string(
content_crypto_material.encrypted_iv)
wrap_alg = content_crypto_material.wrap_alg
cek_alg = content_crypto_material.cek_alg
if invalid_cek_alg:
cek_alg = invalid_cek_alg
cipher = content_crypto_material.cipher
encrypted_content = cipher.encrypt(content)
response_text = '''HTTP/1.1 200 OK
Server: AliyunOSS
Date: Sat, 12 Dec 2015 00:35:53 GMT
Content-Type: text/plain
Content-Length: {0}
Connection: keep-alive
x-oss-request-id: 566B6BE93A7B8CFD53D4BAA3
Accept-Ranges: bytes
ETag: "D80CF0E5BE2436514894D64B2BCFB2AE"
x-oss-meta-client-side-encryption-wrap-alg: {1}
x-oss-meta-client-side-encryption-cek-alg: {2}
x-oss-meta-client-side-encryption-key: {3}
x-oss-meta-client-side-encryption-start: {4}
x-oss-meta-unencrypted-content-length: {5}
Last-Modified: Sat, 12 Dec 2015 00:35:53 GMT
x-oss-object-type: Normal{6}
'''.format(len(encrypted_content), wrap_alg, cek_alg, encrypted_key,
encrypted_iv, len(content),
'\nContent-Range: {0}'.format(ranges) if ranges else '')
io = BytesIO()
io.write(oss2.to_bytes(response_text))
io.write(encrypted_content)
response_text = io.getvalue()
return request_text, response_text
def __make_signature(self, req, bucket_name, key):
string_to_sign = self.__get_string_to_sign(req, bucket_name, key)
logging.debug('string_to_sign={0}'.format(string_to_sign))
h = hmac.new(to_bytes(self.oss_secret_key), to_bytes(string_to_sign),
hashlib.sha1)
return utils.b64encode_as_string(h.digest())
def make_put_encrypted_object(key, content, content_crypto_material):
cipher = content_crypto_material.cipher
encrypted_key = utils.b64encode_as_string(
content_crypto_material.encrypted_key)
encrypted_iv = utils.b64encode_as_string(
content_crypto_material.encrypted_iv)
encrypted_content = cipher.encrypt(content)
wrap_alg = content_crypto_material.wrap_alg
cek_alg = content_crypto_material.cek_alg
request_text = '''PUT /{0} HTTP/1.1
Host: ming-oss-share.oss-cn-hangzhou.aliyuncs.com
Accept-Encoding: identity
Connection: keep-alive
Content-Length: {1}
x-oss-meta-client-side-encryption-wrap-alg: {2}
x-oss-meta-client-side-encryption-cek-alg: {3}
x-oss-meta-client-side-encryption-key: {4}
x-oss-meta-client-side-encryption-start: {5}
x-oss-meta-unencrypted-content-length: {6}
date: Sat, 12 Dec 2015 00:35:53 GMT
User-Agent: aliyun-sdk-python/2.0.2(Windows/7/;3.3.3)
authorization: OSS ZCDmm7TPZKHtx77j:W6whAowN4aImQ0dfbMHyFfD0t1g=
Accept: */*
'''.format(key, len(content), wrap_alg, cek_alg, encrypted_key, encrypted_iv,
len(encrypted_content))
io = BytesIO()
io.write(oss2.to_bytes(request_text))
io.write(encrypted_content)
request_text = io.getvalue()
response_text = '''HTTP/1.1 200 OK
Server: AliyunOSS
Date: Sat, 12 Dec 2015 00:35:53 GMT
Content-Length: {0}
Connection: keep-alive
x-oss-request-id: 566B6BE93A7B8CFD53D4BAA3
x-oss-hash-crc64ecma: {1}
ETag: "D80CF0E5BE2436514894D64B2BCFB2AE"'''.format(
len(content), unittests.common.calc_crc(encrypted_content))
return request_text, response_text
def _rebuild_record(self, filename, store, bucket, key, upload_id, part_size=None, upload_context=None):
abspath = os.path.abspath(filename)
mtime = os.path.getmtime(filename)
size = os.path.getsize(filename)
record = {'op_type': 'ResumableUpload', 'upload_id': upload_id, 'file_path': abspath, 'size': size,
'mtime': mtime, 'bucket': bucket.bucket_name, 'key': key, 'part_size': part_size}
if upload_context:
material = upload_context.content_crypto_material
material_record = {'wrap_alg': material.wrap_alg, 'cek_alg': material.cek_alg,
'encrypted_key': utils.b64encode_as_string(material.encrypted_key),
'encrypted_iv': utils.b64encode_as_string(material.encrypted_iv),
'mat_desc': material.mat_desc}
record['content_crypto_material'] = material_record
store_key = store.make_store_key(bucket.bucket_name, key, abspath)
store.put(store_key, record)
def test_crypto_get(self, do_request):
content = unittests.common.random_bytes(1023)
key = random_string(10)
provider = oss2.RsaProvider(key_pair=key_pair)
content_crypto_material = provider.create_content_material()
request_text, response_text = make_get_encrypted_object(
key, content, content_crypto_material)
req_info = unittests.common.mock_response(do_request, response_text)
result = unittests.common.bucket(provider).get_object(key)
encrypted_key = utils.b64encode_as_string(
content_crypto_material.encrypted_key)
encrypted_iv = utils.b64encode_as_string(
content_crypto_material.encrypted_iv)
wrap_alg = content_crypto_material.wrap_alg
cek_alg = content_crypto_material.cek_alg
self.assertRequest(req_info, request_text)
self.assertEqual(
int(result.headers['x-oss-meta-unencrypted-content-length']),
len(content))
self.assertEqual(result.status, 200)
self.assertEqual(result.request_id, '566B6BE93A7B8CFD53D4BAA3')
self.assertEqual(result.object_type, 'Normal')
self.assertEqual(result.content_type, 'text/plain')
self.assertEqual(result.etag, 'D80CF0E5BE2436514894D64B2BCFB2AE')
self.assertEqual(result.last_modified, 1449880553)
self.assertEqual(
result.headers['x-oss-meta-client-side-encryption-key'],
encrypted_key)
self.assertEqual(
result.headers['x-oss-meta-client-side-encryption-start'],
encrypted_iv)
self.assertEqual(
result.headers['x-oss-meta-client-side-encryption-cek-alg'],
cek_alg)
self.assertEqual(
result.headers['x-oss-meta-client-side-encryption-wrap-alg'],
wrap_alg)
self.assertEqual(result.read(), content)
def build_header(self, headers=None):
if not isinstance(headers, CaseInsensitiveDict):
headers = CaseInsensitiveDict(headers)
if 'content-md5' in headers:
headers['x-oss-meta-unencrypted-content-md5'] = headers['content-md5']
del headers['content-md5']
if 'content-length' in headers:
headers['x-oss-meta-unencrypted-content-length'] = headers['content-length']
del headers['content-length']
headers['x-oss-meta-oss-crypto-key'] = b64encode_as_string(self.__encrypt_obj.encrypt(self.plain_key))
headers['x-oss-meta-oss-crypto-start'] = b64encode_as_string(self.__encrypt_obj.encrypt(to_bytes(str(self.plain_start))))
headers['x-oss-meta-oss-cek-alg'] = self.cipher.ALGORITHM
headers['x-oss-meta-oss-wrap-alg'] = 'rsa'
self.plain_key = None
self.plain_start = None
return headers