def build_request_context(self, context):
    """Encrypt ``context["raw_body"]`` and attach the envelope for the upload.

    A truthy cipher found under ``context["cipher"]`` is reused; otherwise a
    CBC-mode cipher is requested from ``crypto``. In both cases the cipher's
    IV and key are then replaced with the values returned by
    ``crypto.aes_iv()`` and ``crypto.aes_key()``, so anything the caller
    pre-set on the cipher is overwritten.

    Writes ``context["body"]`` (the output of ``encrypt``) and
    ``context["envelope"]`` (the output of ``self.build_envelope``) and
    returns the same mapping it was given.
    """
    # NOTE(review): CBC on its own provides confidentiality only. Nothing
    # visible here authenticates the ciphertext or the envelope -- confirm
    # that integrity is enforced elsewhere (MAC or an AEAD mode).
    aes = context.get("cipher") or crypto.aes_cipher(mode="CBC")

    # IV first, then key: same call order as before, in case the crypto
    # helpers are stateful or patched in tests.
    aes.iv = crypto.aes_iv()
    aes.key = crypto.aes_key()

    context["body"] = aes.encrypt(context["raw_body"])
    # The envelope is derived from the cipher that now holds the IV and key.
    context["envelope"] = self.build_envelope(aes)
    return context
def build_request_context(self, context):
    """Fill ``context`` with the ciphertext and envelope for one request.

    Reads ``context['raw_body']`` and, when present and truthy,
    ``context['cipher']``; a missing cipher is replaced by a CBC-mode one
    from ``crypto``. The cipher's ``iv`` and ``key`` are always reassigned
    from ``crypto.aes_iv()`` / ``crypto.aes_key()`` before encryption.

    Returns the same ``context`` object with ``'body'`` and ``'envelope'``
    set.
    """
    request_cipher = context.get('cipher')
    if not request_cipher:
        # NOTE(review): CBC carries no integrity protection by itself;
        # no MAC over the body or envelope is visible in this method --
        # confirm where tampering would be detected.
        request_cipher = crypto.aes_cipher(mode='CBC')

    # Order preserved from the original: IV is drawn before the key.
    request_cipher.iv = crypto.aes_iv()
    request_cipher.key = crypto.aes_key()

    context['body'] = request_cipher.encrypt(context['raw_body'])
    context['envelope'] = self.build_envelope(request_cipher)
    return context
def build_response_context(self, obj_metadata, context):
    """Decrypt ``context["body"]`` using the envelope stored in object metadata.

    Loads a new ``EncryptionEnvelope`` from ``obj_metadata``, keeps it on
    ``self.envelope``, runs ``self.deconstruct_envelope()`` and then builds a
    CBC-mode cipher from ``self.envelope.iv`` / ``self.envelope.key``.

    Writes ``context["cipher"]`` and ``context["raw_body"]`` and returns the
    same mapping.
    """
    # The envelope is stored on the instance before it is populated, exactly
    # as before, so it stays set even if a later step raises.
    # NOTE(review): this is per-handler state; presumably each handler
    # serves one request at a time -- confirm against callers.
    self.envelope = EncryptionEnvelope()
    self.envelope.from_metadata(obj_metadata)
    self.deconstruct_envelope()

    # NOTE(review): IV and key originate from object metadata, and no
    # integrity check on the metadata or the ciphertext is visible before
    # decrypt() runs. With CBC that leaves tampering undetected here --
    # confirm it is handled elsewhere.
    decryptor = crypto.aes_cipher(mode="CBC")
    decryptor.iv = self.envelope.iv
    decryptor.key = self.envelope.key

    # The cipher is published first; it remains in context if decrypt raises.
    context["cipher"] = decryptor
    context["raw_body"] = decryptor.decrypt(context["body"])
    return context
def build_response_context(self, obj_metadata, context):
    """Recover the plaintext for a downloaded object.

    ``obj_metadata`` is parsed into an ``EncryptionEnvelope`` that is kept on
    ``self.envelope``; after ``self.deconstruct_envelope()`` the envelope's
    ``iv`` and ``key`` are copied onto a CBC-mode cipher, which decrypts
    ``context['body']``.

    Returns ``context`` with ``'cipher'`` and ``'raw_body'`` added.
    """
    self.envelope = EncryptionEnvelope()
    self.envelope.from_metadata(obj_metadata)
    # Read iv/key from self.envelope only after this call, as the original
    # does; what deconstruct_envelope changes is not visible here.
    self.deconstruct_envelope()

    aes = crypto.aes_cipher(mode='CBC')
    aes.iv = self.envelope.iv
    aes.key = self.envelope.key
    context['cipher'] = aes

    # NOTE(review): decrypt() runs on the stored body with parameters taken
    # from the object's own metadata; no authentication of either is
    # visible in this method -- confirm where integrity is verified.
    plaintext = aes.decrypt(context['body'])
    context['raw_body'] = plaintext
    return context
def put_object(self, Bucket=None, Key=None, Body=None, ACL=None):
    """Encrypt ``Body`` client-side and upload it with its envelope.

    The ciphertext is sent as the object body and the envelope produced by
    ``EncryptionHandler.build_request_context`` is sent as ``Metadata``.
    ``ACL`` is forwarded only when it is not ``None``.

    Returns ``None``; the response of ``self.client.put_object`` is
    discarded.
    """
    # A handler is created per call from this client's key provider.
    request = {'raw_body': Body, 'cipher': crypto.aes_cipher(mode='CBC')}
    encryptor = EncryptionHandler(self.key_provider)
    request = encryptor.build_request_context(request)

    # NOTE(review): the envelope travels as object metadata next to the
    # ciphertext; presumably it holds only a wrapped key -- confirm in
    # build_envelope.
    call_args = {
        'Bucket': Bucket,
        'Key': Key,
        'Body': request['body'],
        'Metadata': request['envelope'],
    }
    if ACL is not None:
        call_args['ACL'] = ACL

    self.client.put_object(**call_args)
def test_build_envelope(self):
    """Check the three ``x-amz-*`` entries produced by ``build_envelope``.

    The expected values come from fixture attributes on the test case
    (``encrypted_key``, ``iv``, ``matdesc``, ``encode64``, ``mock_provider``).
    """
    from s3_encryption.handler import EncryptionHandler
    from s3_encryption import crypto

    aes = crypto.aes_cipher(mode='CBC')
    # NOTE(review): the IV assertion below compares against self.iv, so
    # crypto.aes_iv() is presumably patched by the fixture -- confirm in
    # the test setup.
    aes.iv = crypto.aes_iv()
    aes.key = crypto.aes_key()

    result = EncryptionHandler(self.mock_provider).build_envelope(aes)

    assert_equal(result['x-amz-key'], self.encrypted_key)
    assert_equal(result['x-amz-iv'], self.encode64(self.iv))
    assert_equal(result['x-amz-matdesc'], self.matdesc)
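def multipart_upload(self, Bucket=None, Key=None, Body=None, ACL=None, part_size=None, **kwargs):
    """Encrypt ``Body`` client-side and store it as a multipart upload.

    The whole body is encrypted first, then the ciphertext is sent in
    chunks of ``part_size`` bytes. The envelope from
    ``EncryptionHandler.build_request_context`` is attached as ``Metadata``
    and replaces any ``Metadata`` passed in ``kwargs``. ``ACL`` is forwarded
    only when it is not ``None``; remaining ``kwargs`` go to
    ``initiate_multipart_upload``.

    Args:
        part_size: bytes per part. ``None`` (or a negative value, which
            ``BytesIO.read`` treats the same way) sends the ciphertext as a
            single part.

    Returns:
        Whatever ``complete()`` on the multipart upload returns.

    Raises:
        ValueError: if ``part_size`` is 0.
        Exception: any error raised while uploading or completing is
            re-raised after the upload has been aborted.
    """
    if part_size == 0:
        # read(0) always returns b'': the old loop uploaded one empty part,
        # stopped, and completed an object without any ciphertext while its
        # metadata still described an encrypted body.
        raise ValueError('part_size must not be 0')

    context = {'raw_body': Body, 'cipher': crypto.aes_cipher(mode='CBC')}
    handler = EncryptionHandler(self.key_provider)
    context = handler.build_request_context(context)

    if ACL is not None:
        kwargs['ACL'] = ACL
    # The envelope is required to decrypt the object later, so it wins over
    # caller-supplied Metadata.
    kwargs['Metadata'] = context['envelope']

    s3_object = self.resource.Object(Bucket, Key)
    upload = s3_object.initiate_multipart_upload(**kwargs)
    try:
        stream = io.BytesIO(context['body'])
        parts = []
        # S3 part numbers run from 1 to 10000; the previous code started at
        # 0, which the service rejects.
        part_number = 1
        chunk = stream.read(part_size)
        # The first chunk is uploaded unconditionally (as before), so a
        # zero-length ciphertext still produces one part.
        while True:
            response = upload.Part(part_number).upload(Body=chunk)
            parts.append({'PartNumber': part_number, 'ETag': response['ETag']})
            chunk = stream.read(part_size)
            if not chunk:
                break
            part_number += 1
        return upload.complete(MultipartUpload={'Parts': parts})
    except Exception:
        # Abort so already-uploaded ciphertext parts are not left behind,
        # then re-raise with the original traceback intact.
        upload.abort()
        raise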
def put_object(self, Bucket=None, Key=None, Body=None, ACL=None):
    """Upload ``Body`` as client-side encrypted ciphertext.

    ``Body`` is passed through ``EncryptionHandler.build_request_context``;
    the resulting ``'body'`` becomes the object body and ``'envelope'``
    becomes its ``Metadata``. An ``ACL`` of ``None`` is left out of the
    request. Nothing is returned.
    """
    plain_context = {
        'raw_body': Body,
        'cipher': crypto.aes_cipher(mode='CBC'),
    }
    handler = EncryptionHandler(self.key_provider)
    sealed = handler.build_request_context(plain_context)

    # NOTE(review): CBC ciphertext plus metadata envelope; no integrity tag
    # is added in this method -- confirm whether tampering with the stored
    # object is detected on download.
    params = {
        'Bucket': Bucket,
        'Key': Key,
        'Body': sealed['body'],
        'Metadata': sealed['envelope'],
    }
    if ACL is not None:
        params['ACL'] = ACL

    # The service response (ETag etc.) is intentionally not returned,
    # matching the original behaviour.
    self.client.put_object(**params)