private static void UnmarshallResult(XmlUnmarshallerContext context,GetObjectResponse response)
{
response.ResponseStream = context.Stream;
IWebResponseData responseData = context.ResponseData;
if (responseData.IsHeaderPresent("x-amz-delete-marker"))
response.DeleteMarker = S3Transforms.ToString(responseData.GetHeaderValue("x-amz-delete-marker"));
if (responseData.IsHeaderPresent("accept-ranges"))
response.AcceptRanges = S3Transforms.ToString(responseData.GetHeaderValue("accept-ranges"));
if (responseData.IsHeaderPresent("x-amz-expiration"))
response.Expiration = new Expiration(responseData.GetHeaderValue("x-amz-expiration"));
if (responseData.IsHeaderPresent("x-amz-restore"))
{
bool restoreInProgress;
DateTime? restoreExpiration;
AmazonS3Util.ParseAmzRestoreHeader(responseData.GetHeaderValue("x-amz-restore"), out restoreInProgress, out restoreExpiration);
response.RestoreInProgress = restoreInProgress;
response.RestoreExpiration = restoreExpiration;
}
if (responseData.IsHeaderPresent("Last-Modified"))
response.LastModified = S3Transforms.ToDateTime(responseData.GetHeaderValue("Last-Modified"));
if (responseData.IsHeaderPresent("ETag"))
response.ETag = S3Transforms.ToString(responseData.GetHeaderValue("ETag"));
if (responseData.IsHeaderPresent("x-amz-missing-meta"))
response.MissingMeta = S3Transforms.ToInt(responseData.GetHeaderValue("x-amz-missing-meta"));
if (responseData.IsHeaderPresent("x-amz-version-id"))
response.VersionId = S3Transforms.ToString(responseData.GetHeaderValue("x-amz-version-id"));
if (responseData.IsHeaderPresent("Cache-Control"))
response.Headers.CacheControl = S3Transforms.ToString(responseData.GetHeaderValue("Cache-Control"));
if (responseData.IsHeaderPresent("Content-Disposition"))
response.Headers.ContentDisposition = S3Transforms.ToString(responseData.GetHeaderValue("Content-Disposition"));
if (responseData.IsHeaderPresent("Content-Encoding"))
response.Headers.ContentEncoding = S3Transforms.ToString(responseData.GetHeaderValue("Content-Encoding"));
if (responseData.IsHeaderPresent("Content-Length"))
response.Headers.ContentLength = long.Parse(responseData.GetHeaderValue("Content-Length"), CultureInfo.InvariantCulture);
if (responseData.IsHeaderPresent("Content-Type"))
response.Headers.ContentType = S3Transforms.ToString(responseData.GetHeaderValue("Content-Type"));
if (responseData.IsHeaderPresent("Expires"))
response.Expires = S3Transforms.ToDateTime(responseData.GetHeaderValue("Expires"));
if (responseData.IsHeaderPresent("x-amz-website-redirect-location"))
response.WebsiteRedirectLocation = S3Transforms.ToString(responseData.GetHeaderValue("x-amz-website-redirect-location"));
if (responseData.IsHeaderPresent("x-amz-server-side-encryption"))
response.ServerSideEncryptionMethod = S3Transforms.ToString(responseData.GetHeaderValue("x-amz-server-side-encryption"));
if (responseData.IsHeaderPresent("x-amz-server-side-encryption-customer-algorithm"))
response.ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.FindValue(responseData.GetHeaderValue("x-amz-server-side-encryption-customer-algorithm"));
if (responseData.IsHeaderPresent(HeaderKeys.XAmzServerSideEncryptionAwsKmsKeyIdHeader))
response.ServerSideEncryptionKeyManagementServiceKeyId = S3Transforms.ToString(responseData.GetHeaderValue(HeaderKeys.XAmzServerSideEncryptionAwsKmsKeyIdHeader));
if (responseData.IsHeaderPresent("x-amz-replication-status"))
response.ReplicationStatus = S3Transforms.ToString(responseData.GetHeaderValue("x-amz-replication-status"));
foreach (var name in responseData.GetHeaderNames())
{
if (name.StartsWith("x-amz-meta-", StringComparison.OrdinalIgnoreCase))
response.Metadata[name] = responseData.GetHeaderValue(name);
}
return;
}
/// <summary>
/// Check if the file exists or not
/// </summary>
/// <param name="fileName"></param>
/// <returns></returns>
public bool Exists(string fileName)
{
Amazon.S3.Model.GetObjectResponse res = Get(fileName);
if (res == null)
{
return(false);
}
return(true);
}
public override AmazonWebServiceResponse Unmarshall(XmlUnmarshallerContext context)
{
GetObjectResponse response = new GetObjectResponse();
UnmarshallResult(context,response);
return response;
}
public S3VirtualFile Init(GetObjectResponse response)
{
FilePath = response.Key;
ContentType = response.Headers.ContentType;
FileLastModified = response.LastModified;
ContentLength = response.Headers.ContentLength;
Etag = response.ETag;
Stream = response.ResponseStream;
return this;
}
/// <summary>
/// Check if the file exists or not
/// </summary>
/// <param name="fileName"></param>
/// <returns></returns>
public bool Exists(string fileUrl)
{
string key = GetKeyNameFromUrl(fileUrl);
Amazon.S3.Model.GetObjectResponse res = Get(key);
if (res == null)
{
return(false);
}
return(true);
}
/// <summary>
/// Constructs a <see cref="FileResource.FileInputPipe"/>.
/// </summary>
/// <param name="response">The <see cref="GetObjectResponse"/>.</param>
/// <param name="path">The <see cref="IResourcePath"/>.</param>
public S3InputPipe(GetObjectResponse response, IResourcePath path)
{
// validate arguments
if (response == null)
throw new ArgumentNullException("response");
if (path == null)
throw new ArgumentNullException("path");
// set values
this.response = response;
reader = new StreamReader(response.ResponseStream);
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="getObjectResponse">The getObject response whose contents are to be decrypted.</param>
/// <param name="decryptedEnvelopeKeyKMS">The decrypted envelope key to be use if KMS key wrapping is being used. Or null if non-KMS key wrapping is being used.</param>
protected void DecryptObjectUsingMetadata(GetObjectResponse getObjectResponse, byte[] decryptedEnvelopeKeyKMS)
{
// Create an instruction object from the object metadata
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsFromObjectMetadata(getObjectResponse, EncryptionClient.EncryptionMaterials, decryptedEnvelopeKeyKMS);
if (decryptedEnvelopeKeyKMS != null)
{
if (getObjectResponse.Metadata[EncryptionUtils.XAmzCekAlg] != null &&
instructions.MaterialsDescription.ContainsKey(EncryptionUtils.XAmzEncryptionContextCekAlg))
{
if (EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(getObjectResponse.Metadata[EncryptionUtils.XAmzCekAlg]) &&
EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(instructions.MaterialsDescription[EncryptionUtils.XAmzEncryptionContextCekAlg]))
{
// Decrypt the object with V2 instruction
EncryptionUtils.DecryptObjectUsingInstructionsV2(getObjectResponse, instructions);
}
else
{
throw new AmazonCryptoException($"The content encryption algorithm used at encryption time does not match the algorithm stored for decryption time." +
" The object may be altered or corrupted.");
}
}
else if (EncryptionUtils.XAmzAesCbcPaddingCekAlgValue.Equals(instructions.CekAlgorithm))
{
ThrowIfLegacyReadIsDisabled();
// Decrypt the object with V1 instruction
EncryptionUtils.DecryptObjectUsingInstructions(getObjectResponse, instructions);
}
else
{
throw new AmazonCryptoException($"The content encryption algorithm used at encryption time does not match the algorithm stored for decryption time." +
" The object may be altered or corrupted.");
}
}
else if (EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(getObjectResponse.Metadata[EncryptionUtils.XAmzCekAlg]))
{
// Decrypt the object with V2 instruction
EncryptionUtils.DecryptObjectUsingInstructionsV2(getObjectResponse, instructions);
}
// It is safe to assume, this is either non KMS encryption with V1 client or AES CBC
// We don't need to check cek algorithm to be AES CBC, because non KMS encryption with V1 client doesn't set it
else
{
ThrowIfLegacyReadIsDisabled();
EncryptionUtils.DecryptObjectUsingInstructions(getObjectResponse, instructions);
}
}
/// <summary>
///
/// </summary>
/// <param name="key"></param>
/// <returns></returns>
public Amazon.S3.Model.GetObjectResponse Get(string key)
{
try
{
Amazon.S3.AmazonS3Client client = new Amazon.S3.AmazonS3Client(AWAPI_File_AmazonS3_AccessKey, AWAPI_File_AmazonS3_SecretKey);
Amazon.S3.Model.GetObjectRequest req = new Amazon.S3.Model.GetObjectRequest();
req.BucketName = AWAPI_File_AmazonS3_BucketName;
req.Key = key;
Amazon.S3.Model.GetObjectResponse res = client.GetObject(req);
return(res);
}
catch (Exception ex)
{
}
return(null);
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="getObjectResponse">The getObject response of InstructionFile.</param>
/// <param name="instructionFileResponse">The getObject response whose contents are to be decrypted.</param>
protected void DecryptObjectUsingInstructionFile(GetObjectResponse getObjectResponse, GetObjectResponse instructionFileResponse)
{
// Create an instruction object from the instruction file response
var instructions = EncryptionUtils.BuildInstructionsUsingInstructionFileV2(instructionFileResponse, EncryptionClient.EncryptionMaterials);
if (EncryptionUtils.XAmzAesGcmCekAlgValue.Equals(instructions.CekAlgorithm))
{
// Decrypt the object with V2 instructions
EncryptionUtils.DecryptObjectUsingInstructionsV2(getObjectResponse, instructions);
}
else
{
ThrowIfLegacyReadIsDisabled();
// Decrypt the object with V1 instructions
EncryptionUtils.DecryptObjectUsingInstructions(getObjectResponse, instructions);
}
}
/// <summary>
/// Check if the file exists or not
/// </summary>
/// <param name="fileName"></param>
/// <returns></returns>
public Amazon.S3.Model.GetObjectResponse Get(string fileName)
{
try
{
Amazon.S3.AmazonS3Client client = new Amazon.S3.AmazonS3Client(ConfigurationLibrary.Config.fileAmazonS3AccessKey,
ConfigurationLibrary.Config.fileAmazonS3SecreyKey);
Amazon.S3.Model.GetObjectRequest req = new Amazon.S3.Model.GetObjectRequest();
req.BucketName = GetBucketNameFromUrl(fileName); // ConfigurationLibrary.Config.fileAmazonS3BucketName;
req.Key = fileName;
Amazon.S3.Model.GetObjectResponse res = client.GetObject(req);
return(res);
}
catch (Exception ex)
{
}
return(null);
}
//--- Methods ---
public async Task FunctionHandler(S3Event uploadEvent, ILambdaContext context)
{
string bucket = uploadEvent.Records[0].S3.Bucket.Name;
string objectKey = uploadEvent.Records[0].S3.Object.Key;
using (var client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1)) {
S3Model.GetObjectRequest request = new S3Model.GetObjectRequest {
BucketName = bucket,
Key = objectKey
};
using (S3Model.GetObjectResponse response = await client.GetObjectAsync(request))
using (Stream responseStream = response.ResponseStream)
using (StreamReader reader = new StreamReader(responseStream)) {
while (reader.Peek() >= 0)
{
LambdaLogger.Log($"{reader.ReadLine().Replace("\t", " | ")}");
}
}
}
}
/// <summary>
/// Find mode of encryption and decrypt GetObjectResponse
/// </summary>
/// <param name="decryptedEnvelopeKeyKMS">decrypted envelope key for KMS</param>
/// <param name="getObjectResponse">GetObjectResponse which needs to be decrypted</param>
/// <returns></returns>
/// <exception cref="AmazonServiceException">Exception thrown if GetObjectResponse decryption fails</exception>
protected void DecryptObject(byte[] decryptedEnvelopeKeyKMS, GetObjectResponse getObjectResponse)
{
if (EncryptionUtils.IsEncryptionInfoInMetadata(getObjectResponse))
{
DecryptObjectUsingMetadata(getObjectResponse, decryptedEnvelopeKeyKMS);
}
else
{
GetObjectResponse instructionFileResponse = null;
try
{
var instructionFileRequest = EncryptionUtils.GetInstructionFileRequest(getObjectResponse, EncryptionUtils.EncryptionInstructionFileV2Suffix);
instructionFileResponse = GetInstructionFile(instructionFileRequest);
}
catch (AmazonS3Exception amazonS3Exception) when(amazonS3Exception.ErrorCode == EncryptionUtils.NoSuchKey)
{
Logger.InfoFormat($"New instruction file with suffix {EncryptionUtils.EncryptionInstructionFileV2Suffix} doesn't exist. " +
$"Try to get old instruction file with suffix {EncryptionUtils.EncryptionInstructionFileSuffix}. {amazonS3Exception.Message}");
try
{
var instructionFileRequest = EncryptionUtils.GetInstructionFileRequest(getObjectResponse, EncryptionUtils.EncryptionInstructionFileSuffix);
instructionFileResponse = GetInstructionFile(instructionFileRequest);
}
catch (AmazonServiceException ace)
{
throw new AmazonServiceException($"Unable to decrypt data for object {getObjectResponse.Key} in bucket {getObjectResponse.BucketName}", ace);
}
}
catch (AmazonServiceException ace)
{
throw new AmazonServiceException($"Unable to decrypt data for object {getObjectResponse.Key} in bucket {getObjectResponse.BucketName}", ace);
}
DecryptObjectUsingInstructionFile(getObjectResponse, instructionFileResponse);
}
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="objectResponse">
/// The getObject response whose contents are to be decrypted.
/// </param>
private void DecryptObjectUsingMetadata(GetObjectResponse objectResponse)
{
// Create an instruction object from the object metadata
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsFromObjectMetadata(objectResponse, this.encryptionMaterials);
// Decrypt the object with the instruction
EncryptionUtils.DecryptObjectUsingInstructions(objectResponse, instructions);
}
/// <summary>
/// Updates object where the object input stream contains the decrypted contents.
/// </summary>
/// <param name="instructionFileResponse">
/// The getObject response of InstructionFile.
/// </param>
/// <param name="response">
/// The getObject response whose contents are to be decrypted.
/// </param>
private void DecryptObjectUsingInstructionFile(GetObjectResponse response, GetObjectResponse instructionFileResponse)
{
// Create an instruction object from the instruction file response
EncryptionInstructions instructions = EncryptionUtils.BuildInstructionsUsingInstructionFile(instructionFileResponse, this.encryptionMaterials);
// Decrypt the object with the instructions
EncryptionUtils.DecryptObjectUsingInstructions(response, instructions);
}
/// <summary>
/// checks if encryption credentials are in the instructionfile
/// </summary>
/// <param name="response">Instruction file response that contains encryption information</param>
/// <returns></returns>
internal static bool IsEncryptionInfoInInstructionFile(GetObjectResponse response)
{
MetadataCollection metadata = response.Metadata;
if (metadata[instructionFileInfo] != null)
return true;
else
return false;
}
/// <summary>
/// checks if encryption credentials are in object metadata
/// </summary>
/// <param name="response">Response of the object</param>
/// <returns></returns>
internal static bool IsEncryptionInfoInMetadata(GetObjectResponse response)
{
MetadataCollection metadata = response.Metadata;
if (metadata[keyInMetadata] != null && metadata[initVectorInMetadata] != null)
return true;
else
return false;
}
/// <summary>
/// Builds an instruction object from the instruction file.
/// </summary>
/// <param name="response"> Instruction file GetObject response</param>
/// <param name="materials">
/// The non-null encryption materials to be used to encrypt and decrypt Envelope key.
/// </param>
/// <returns>
/// A non-null instruction object containing encryption information.
/// </returns>
internal static EncryptionInstructions BuildInstructionsUsingInstructionFile(GetObjectResponse response, EncryptionMaterials materials)
{
using (TextReader textReader = new StreamReader(response.ResponseStream))
{
JsonData jsonData = JsonMapper.ToObject(textReader);
var base64EncodedEncryptedEnvelopeKey = jsonData["EncryptedEnvelopeKey"];
byte[] encryptedEvelopeKey = Convert.FromBase64String((string)base64EncodedEncryptedEnvelopeKey);
byte[] decryptedEnvelopeKey = DecryptEnvelopeKey(encryptedEvelopeKey, materials);
var base64EncodedIV = jsonData["IV"];
byte[] IV = Convert.FromBase64String((string)base64EncodedIV);
return new EncryptionInstructions(EncryptionMaterials.EmptyMaterialsDescription, decryptedEnvelopeKey, IV);
}
}
/// <summary>
/// Builds an instruction object from the object metadata.
/// </summary>
/// <param name="response">
/// A non-null object response that contains encryption information in its metadata.
/// </param>
/// <param name="materials">
/// The non-null encryption materials to be used to encrypt and decrypt Envelope key.
/// </param>
/// <returns>
/// </returns>
internal static EncryptionInstructions BuildInstructionsFromObjectMetadata(GetObjectResponse response, EncryptionMaterials materials)
{
MetadataCollection metadata = response.Metadata;
string base64EncodedEncryptedEnvelopeKey = metadata[keyInMetadata];
byte[] encryptedEvelopeKey = Convert.FromBase64String(base64EncodedEncryptedEnvelopeKey);
byte[] decryptedEnvelopeKey = DecryptEnvelopeKey(encryptedEvelopeKey, materials);
string base64EncodedIV = metadata[initVectorInMetadata];
byte[] IV = Convert.FromBase64String(base64EncodedIV);
return new EncryptionInstructions(EncryptionMaterials.EmptyMaterialsDescription, decryptedEnvelopeKey, encryptedEvelopeKey, IV);
}
internal static GetObjectRequest GetInstructionFileRequest(GetObjectResponse response)
{
GetObjectRequest request = new GetObjectRequest
{
BucketName = response.BucketName,
Key = response.Key + instructionfileSuffix
};
return request;
}
public ResponseStreamWrapper(GetObjectResponse response)
{
if (response == null) throw new ArgumentNullException("response");
this.response = response;
}
public DisposableS3ResponseStream(GetObjectResponse response)
{
this.response = response;
}
/// <summary>
/// Updates object where the object
/// input stream contains the decrypted contents.
/// </summary>
/// <param name="response">
/// The getObject response whose contents are to be decrypted.
/// </param>
/// <param name="instructions">
/// The instruction that will be used to encrypt the object data.
/// </param>
internal static void DecryptObjectUsingInstructions(GetObjectResponse response, EncryptionInstructions instructions)
{
response.ResponseStream = DecryptStream(response.ResponseStream, instructions);
}
public void OpenFileWithBucketPrefix()
{
//Arrange
var stream = new MemoryStream(Encoding.UTF8.GetBytes("Test123"));
var response = new GetObjectResponse
{
ResponseStream = stream
};
var clientMock = new Mock<IAmazonS3>();
clientMock.Setup(p => p.GetObject(It.Is<GetObjectRequest>(req => req.Key == "media/1001/media.jpg")))
.Returns(response);
var provider = CreateProvider(clientMock);
//Act
var actual = provider.OpenFile("/media/1001/media.jpg");
//Assert
Assert.AreEqual(new StreamReader(actual).ReadToEnd(), "Test123");
clientMock.VerifyAll();
}
