Merge ffafe10 into 47179a6

aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/decrypt_handler.rb

@@ -7,6 +7,7 @@ module S3
     module Encryption
       # @api private
       class DecryptHandler < Seahorse::Client::Handler
+        @@warned_response_target_proc = false
 
         V1_ENVELOPE_KEYS = %w(
           x-amz-key
@@ -45,6 +46,16 @@ class DecryptHandler < Seahorse::Client::Handler
         def call(context)
           attach_http_event_listeners(context)
           apply_cse_user_agent(context)
+
+          if context[:response_target].is_a?(Proc) && !@@warned_response_target_proc
+            @@warned_response_target_proc = true
+            warn(':response_target is a Proc, or a block was provided. ' \
+              'Read the entire object to the ' \
+              'end before you start using the decrypted data. This is to ' \
+              'verify that the object has not been modified since it ' \
+              'was encrypted.')
+          end
+
           @handler.call(context)
         end
 
@@ -75,11 +86,11 @@ def attach_http_event_listeners(context)
         end
 
         def decryption_cipher(context)
-          if envelope = get_encryption_envelope(context)
+          if (envelope = get_encryption_envelope(context))
             cipher = context[:encryption][:cipher_provider]
                      .decryption_cipher(
                        envelope,
-                       kms_encryption_context: context[:encryption][:kms_encryption_context]
+                       context[:encryption]
                      )
             [cipher, envelope]
           else

aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryption/io_decrypter.rb

@@ -9,27 +9,28 @@ class IODecrypter
         # @param [OpenSSL::Cipher] cipher
         # @param [IO#write] io An IO-like object that responds to `#write`.
         def initialize(cipher, io)
-          @cipher = cipher.clone
+          @cipher = cipher
           # Ensure that IO is reset between retries
           @io = io.tap { |io| io.truncate(0) if io.respond_to?(:truncate) }
+          @cipher_buffer = String.new
         end
 
         # @return [#write]
         attr_reader :io
 
         def write(chunk)
           # decrypt and write
-          @io.write(@cipher.update(chunk))
+          if @cipher.method(:update).arity == 1
+            @io.write(@cipher.update(chunk))
+          else
+            @io.write(@cipher.update(chunk, @cipher_buffer))
+          end
         end
 
         def finalize
           @io.write(@cipher.final)
         end
 
-        def size
-          @io.size
-        end
-
       end
     end
   end

aws-sdk-resources/lib/aws-sdk-resources/services/s3/encryptionV2/client.rb

@@ -71,6 +71,7 @@ module S3
     # ## Required Configuration
     #
     # You must configure all of the following:
+    #
     # * a key or key provider - See the Keys section below. The key provided determines
     #   the key wrapping schema(s) supported for both encryption and decryption.
     # * `key_wrap_schema` - The key wrapping schema. It must match the type of key configured.
@@ -234,6 +235,7 @@ class Client
         def_delegators :@client, :config, :delete_object, :head_object, :build_request
 
         # Creates a new encryption client. You must configure all of the following:
+        #
         # * a key or key provider - The key provided also determines the key wrapping
         #   schema(s) supported for both encryption and decryption.
         # * `key_wrap_schema` - The key wrapping schema. It must match the type of key configured.
@@ -387,7 +389,7 @@ def put_object(params = {})
         # @option (see S3::Client#get_object)
         # @return (see S3::Client#get_object)
         # @see S3::Client#get_object
-        # @note The `:range` request parameter is not yet supported.
+        # @note The `:range` request parameter is not supported.
         def get_object(params = {}, &block)
           if params[:range]
             raise NotImplementedError, '#get_object with :range not supported'

aws-sdk-resources/spec/services/s3/encryption/client_spec.rb

@@ -608,11 +608,8 @@ def stub_encrypted_get_with_instruction_file(sfx = '.instruction')
             "\x8E\x0E\xC0\xD5\x1A\x88\xAF2\xB1\xEEg#\x15"
           end
 
-          if !ENV['TRAVIS'] && RUBY_VERSION > '1.9.3'
+          if !ENV['TRAVIS'] && RUBY_VERSION > '1.9.3' && OpenSSL::Cipher.ciphers.include?('aes-256-gcm')
             it 'supports decryption via KMS w/ GCM' do
-              unless OpenSSL::Cipher.ciphers.include?('aes-256-gcm')
-                pending('aes-256-gcm not supported')
-              end
               kms_client.stub_responses(
                 :decrypt, plaintext: plaintext_object_key
               )