Added overload to GetObject in encryption client to provide encryption context.

ajewellamz · web-flow · commit c111f0563cef · 2025-09-23T12:44:42.000-04:00
Added overload to GetObject in encryption client to provide encryption context. If the supplied encryption context does not exactly match the encryption context used for PutObject, the operation will fail.
diff --git a/src/aws-cpp-sdk-s3-encryption/include/aws/s3-encryption/S3EncryptionClient.h b/src/aws-cpp-sdk-s3-encryption/include/aws/s3-encryption/S3EncryptionClient.h
@@ -92,9 +92,23 @@ namespace Aws
             */
             S3EncryptionGetObjectOutcome GetObject(const Aws::S3::Model::GetObjectRequest& request) const;
 
+            /*
+            * Function to get an object decrypted from S3. Fails if stored Materials Description does not exactly match supplied contextMap
+            *
+            * Range gets using this method are deprecated. Please see
+            * <https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html> for more information
+            */
+            S3EncryptionGetObjectOutcome GetObject(const Aws::S3::Model::GetObjectRequest& request, const Aws::Map<Aws::String, Aws::String>& contextMap) const;
+
             inline bool MultipartUploadSupported() const { return false; }
 
         protected:
+            /*
+	     * GetObject with optional contextMap.
+	     * Fail if contextMap is supplied and does not exactly match stored Materials Description
+	     */
+            S3EncryptionGetObjectOutcome GetObjectInner(const Aws::S3::Model::GetObjectRequest& request, const Aws::Map<Aws::String, Aws::String> * contextMap) const;
+
             /*
             * Function to get the instruction file object of a encrypted object from S3. This instruction file object will be used to assist decryption.
             */
diff --git a/src/aws-cpp-sdk-s3-encryption/source/s3-encryption/S3EncryptionClient.cpp b/src/aws-cpp-sdk-s3-encryption/source/s3-encryption/S3EncryptionClient.cpp
@@ -63,7 +63,38 @@ namespace Aws
             return module->PutObjectSecurely(request, putObjectFunction, contextMap);
         }
 
-        S3EncryptionGetObjectOutcome S3EncryptionClientBase::GetObject(const Aws::S3::Model::GetObjectRequest & request) const
+      bool MapsEqual(const Aws::Map<Aws::String, Aws::String>& passed, const Aws::Map<Aws::String, Aws::String>& stored)
+      {
+        // everything in passed must be in stored, withthe same value.
+        auto stored_end = stored.end();
+        auto passed_end = passed.end();
+        for (const auto& pair : passed) {
+            auto it = stored.find(pair.first);
+            if (it == stored_end) return false;
+            if (it->second != pair.second) return false;
+        }
+
+        // everything in stored, if it does not begin with 'amz:' must be in passed.
+        // if it is, then we already checked the value
+        for (const auto& pair : stored) {
+          if (strcmp(pair.first.c_str(),  Materials::kmsEncryptionContextKey)
+              && strcmp(pair.first.c_str(),Materials::cmkID_Identifier)) {
+            auto it = passed.find(pair.first);
+            if (it == passed_end) return false;
+          }
+        }
+        return true;
+      }
+
+      S3EncryptionGetObjectOutcome S3EncryptionClientBase::GetObject(const Aws::S3::Model::GetObjectRequest & request) const
+      {
+        return GetObjectInner(request, nullptr);
+      }
+      S3EncryptionGetObjectOutcome S3EncryptionClientBase::GetObject(const Aws::S3::Model::GetObjectRequest & request, const Aws::Map<Aws::String, Aws::String>& contextMap) const
+      {
+        return GetObjectInner(request, &contextMap);
+      }
+      S3EncryptionGetObjectOutcome S3EncryptionClientBase::GetObjectInner(const Aws::S3::Model::GetObjectRequest & request, const Aws::Map<Aws::String, Aws::String> * contextMap) const
         {
             Aws::S3::Model::HeadObjectRequest headRequest;
             headRequest.WithBucket(request.GetBucket());
@@ -100,6 +131,12 @@ namespace Aws
                 Handlers::MetadataHandler handler;
                 contentCryptoMaterial = handler.ReadContentCryptoMaterial(headOutcome.GetResult());
             }
+            if (contextMap && !MapsEqual(*contextMap, contentCryptoMaterial.GetMaterialsDescription()))
+            {
+               return S3EncryptionGetObjectOutcome(BuildS3EncryptionError(AWSError<S3Errors>(
+                  S3Errors::INVALID_ACTION, "MaterialsDescriptionMismatch",
+                  "Provided encryption context does not match information retrieved from S3", false/*not retryable*/)));
+            }
 
             // security check
             if (request.RangeHasBeenSet() && m_cryptoConfig.GetUnAuthenticatedRangeGet() == RangeGetMode::DISABLED)
diff --git a/tests/aws-cpp-sdk-s3-encryption-integration-tests/LiveClientTests.cpp b/tests/aws-cpp-sdk-s3-encryption-integration-tests/LiveClientTests.cpp
@@ -198,6 +198,43 @@ TEST_F(LiveClientTest, TestEOMode)
     AWS_EXPECT_SUCCESS(deleteResult);
 }
 
+TEST_F(LiveClientTest, TestEncryptionContextEmpty)
+{
+    ClientConfiguration s3ClientConfig;
+    s3ClientConfig.region = AWS_TEST_REGION;
+
+    auto key = SymmetricCipher::GenerateKey();
+    auto simpleEncryptionMaterials = Aws::MakeShared<Materials::SimpleEncryptionMaterialsWithGCMAAD>(ALLOCATION_TAG, key);
+    CryptoConfigurationV2 configuration(simpleEncryptionMaterials);
+
+    static const char* objectKey = "TestEncryptionContextEmptyKey";
+
+    S3EncryptionClientV2 client(configuration, s3ClientConfig);
+
+    Model::PutObjectRequest putObjectRequest;
+    putObjectRequest.WithBucket(BucketName.c_str())
+        .WithKey(objectKey);
+
+    auto ss = Aws::MakeShared<Aws::StringStream>(ALLOCATION_TAG);
+    *ss << TEST_STRING;
+    ss->flush();
+
+    putObjectRequest.SetBody(ss);
+
+    auto putObjectResult = client.PutObject(putObjectRequest, {});
+    AWS_ASSERT_SUCCESS(putObjectResult);
+
+    Model::GetObjectRequest getObjectRequest;
+    getObjectRequest.WithBucket(BucketName.c_str()).WithKey(objectKey);
+
+    auto getObjectResult = client.GetObject(getObjectRequest);
+    AWS_EXPECT_SUCCESS(getObjectResult);
+    getObjectResult = client.GetObject(getObjectRequest, {});
+    AWS_EXPECT_SUCCESS(getObjectResult);
+    getObjectResult = client.GetObject(getObjectRequest, {{"foo", "bar"}});
+    EXPECT_FALSE(getObjectResult.IsSuccess());
+}
+
 TEST_F(LiveClientTest, TestAEMode)
 {
     CryptoConfiguration configuration;
diff --git a/tools/scripts/run_integration_tests.py b/tools/scripts/run_integration_tests.py
@@ -49,7 +49,7 @@ def main():
         "aws-cpp-sdk-lambda-integration-tests",
         "aws-cpp-sdk-cognitoidentity-integration-tests",
         #"aws-cpp-sdk-transfer-tests",
-        #"aws-cpp-sdk-s3-encryption-integration-tests",
+        "aws-cpp-sdk-s3-encryption-integration-tests",
         "aws-cpp-sdk-kinesis-integration-tests",
         "aws-cpp-sdk-logs-integration-tests",
         "aws-cpp-sdk-monitoring-integration-tests",
