add index-level-encryption support for snapshots and remote-store

Signed-off-by: Uday Bhaskar <[email protected]>

Author: Uday Bhaskar

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3BlobContainer.java

@@ -32,6 +32,8 @@
 
 package org.opensearch.repositories.s3;
 
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.async.AsyncResponseTransformer;
 import software.amazon.awssdk.core.exception.SdkException;
@@ -191,7 +193,7 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
     }
 
     /**
-     * Write blob with its object metadata.
+     * Write blob with its object metadata and optional encryption settings.
      */
     @ExperimentalApi
     @Override
@@ -200,21 +202,66 @@ public void writeBlobWithMetadata(
         InputStream inputStream,
         long blobSize,
         boolean failIfAlreadyExists,
-        @Nullable Map<String, String> metadata
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
+        final String indexKmsKey;
+        final String indexEncContext;
+
+        if (cryptoMetadata != null && "aws-kms".equals(cryptoMetadata.keyProviderType())) {
+            // Extract index-level SSE-KMS key and context from CryptoMetadata.settings()
+            // Note: Index stores as "index.store.crypto.kms.*" → becomes "kms.*" in settings
+            indexKmsKey = cryptoMetadata.settings().get("kms.key_arn");
+            indexEncContext = cryptoMetadata.settings().get("kms.encryption_context");
+        } else {
+            indexKmsKey = null;
+            indexEncContext = null;
+        }
+
         assert inputStream.markSupported() : "No mark support on inputStream breaks the S3 SDK's ability to retry requests";
         SocketAccess.doPrivilegedIOException(() -> {
             if (blobSize <= getLargeBlobThresholdInBytes()) {
-                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, indexKmsKey, indexEncContext);
             } else {
-                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, indexKmsKey, indexEncContext);
             }
             return null;
         });
     }
 
+    /**
+     * Write blob with its object metadata.
+     */
+    @ExperimentalApi
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata
+    ) throws IOException {
+        // Delegate to crypto-aware version with null CryptoMetadata
+        writeBlobWithMetadata(blobName, inputStream, blobSize, failIfAlreadyExists, metadata, null);
+    }
+
     @Override
     public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> completionListener) throws IOException {
+        // Extract index-level SSE-KMS settings from WriteContext CryptoMetadata
+        String indexKmsKey = null;
+        String indexEncContext = null;
+
+        CryptoMetadata crypto = writeContext.getCryptoMetadata();
+        if (crypto != null && "aws-kms".equals(crypto.keyProviderType())) {
+            indexKmsKey = crypto.settings().get("kms.key_arn");
+            indexEncContext = crypto.settings().get("kms.encryption_context");
+        }
+
+        // MERGE encryption contexts
+        String mergeEncContext = SseKmsUtil.mergeAndEncodeEncryptionContexts(indexEncContext,
+            blobStore.serverSideEncryptionEncryptionContext()
+        );
+
         UploadRequest uploadRequest = new UploadRequest(
             blobStore.bucket(),
             buildKey(writeContext.getFileName()),
@@ -226,9 +273,9 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
             blobStore.isUploadRetryEnabled(),
             writeContext.getMetadata(),
             blobStore.serverSideEncryptionType(),
-            blobStore.serverSideEncryptionKmsKey(),
+            indexKmsKey != null ? indexKmsKey : blobStore.serverSideEncryptionKmsKey(),
             blobStore.serverSideEncryptionBucketKey(),
-            blobStore.serverSideEncryptionEncryptionContext(),
+            mergeEncContext,
             blobStore.expectedBucketOwner()
         );
         try {
@@ -250,7 +297,9 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
                         uploadRequest.getKey(),
                         inputStream.getInputStream(),
                         uploadRequest.getContentLength(),
-                        uploadRequest.getMetadata()
+                        uploadRequest.getMetadata(),
+                        indexKmsKey,
+                        indexEncContext
                     );
                     completionListener.onResponse(null);
                 } catch (Exception ex) {
@@ -536,8 +585,9 @@ void executeSingleUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
-    ) throws IOException {
+        final Map<String, String> metadata,
+        String indexKmsKey,
+        String indexEncContext) throws IOException {
 
         // Extra safety checks
         if (blobSize > MAX_FILE_SIZE.getBytes()) {
@@ -559,7 +609,8 @@ void executeSingleUpload(
         if (CollectionUtils.isNotEmpty(metadata)) {
             putObjectRequestBuilder = putObjectRequestBuilder.metadata(metadata);
         }
-        configureEncryptionSettings(putObjectRequestBuilder, blobStore);
+
+        configureEncryptionSettings(putObjectRequestBuilder, blobStore, indexKmsKey, indexEncContext);
 
         PutObjectRequest putObjectRequest = putObjectRequestBuilder.build();
         try (AmazonS3Reference clientReference = blobStore.clientReference()) {
@@ -585,8 +636,8 @@ void executeMultipartUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
-    ) throws IOException {
+        final Map<String, String> metadata,
+        String indexKmsKey, String indexEncContext) throws IOException {
 
         ensureMultiPartUploadSize(blobSize);
         final long partSize = blobStore.bufferSizeInBytes();
@@ -616,7 +667,7 @@ void executeMultipartUpload(
             createMultipartUploadRequestBuilder.metadata(metadata);
         }
 
-        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore);
+        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore, indexKmsKey, indexEncContext);
 
         final InputStream requestInputStream;
         if (blobStore.isUploadRetryEnabled()) {

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/utils/EncryptionContextUtils.java

@@ -0,0 +1,4 @@
+package org.opensearch.repositories.s3.utils;
+
+public class EncryptionContextUtils {
+}

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/utils/SseKmsUtil.java

@@ -8,6 +8,7 @@
 
 package org.opensearch.repositories.s3.utils;
 
+import org.opensearch.common.Nullable;
 import software.amazon.awssdk.services.s3.model.CreateMultipartUploadRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
@@ -16,29 +17,84 @@
 import org.opensearch.repositories.s3.async.UploadRequest;
 
 public class SseKmsUtil {
+    /**
+     * Merges index-level and repository-level encryption contexts, converts to JSON format if needed,
+     * and Base64 encodes for S3.
+     * <p>
+     * Delegates to centralized EncryptionContextUtils for consistent behavior.
+     *
+     * @param indexEncContext Index-level encryption context - can be cryptofs or JSON format
+     * @param repoEncContext  Repository-level encryption context - already Base64 encoded JSON
+     * @return Base64 encoded merged JSON encryption context, or null if both are null
+     */
+    public static String mergeAndEncodeEncryptionContexts(
+        @Nullable String indexEncContext,
+        @Nullable String repoEncContext
+    ) {
+        return org.opensearch.repositories.blobstore.EncryptionContextUtils.mergeAndEncodeEncryptionContexts(
+            indexEncContext,
+            repoEncContext
+        );
+    }
 
-    public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, S3BlobStore blobStore) {
+    // CreateMultipartUploadRequest with S3BlobStore (with index override)
+    public static void configureEncryptionSettings(
+        CreateMultipartUploadRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable String indexKmsKey,
+        @Nullable String indexEncContext
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            // Priority: index key → repo key
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+
+            // MERGE encryption contexts: EncA (index) + EncB (repository)
+            // This ensures KMS grants work correctly with combined context
+            String encContext = mergeAndEncodeEncryptionContexts(
+                indexEncContext,
+                blobStore.serverSideEncryptionEncryptionContext()
+            );
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
-    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+    // PutObjectRequest with S3BlobStore (with index override)
+    public static void configureEncryptionSettings(
+        PutObjectRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable String indexKmsKey,
+        @Nullable String indexEncContext
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            // Priority: index key > repo key
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+
+            // MERGE encryption contexts: index + repository
+            // This ensures KMS grants work correctly with combined context
+            String encContext = mergeAndEncodeEncryptionContexts(
+                indexEncContext,
+                blobStore.serverSideEncryptionEncryptionContext()
+            );
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
+    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+        configureEncryptionSettings(builder, blobStore, null, null);
+    }
+
     public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, UploadRequest uploadRequest) {
         if (uploadRequest.getServerSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerEncryptionTests.java

@@ -0,0 +1,44 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.s3;
+
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
+import org.opensearch.test.OpenSearchTestCase;
+
+import java.util.Base64;
+
+public class S3BlobContainerEncryptionTests extends OpenSearchTestCase {
+
+    public void testEncryptionContextMerging() {
+        String indexContext = "tenant=acme,classification=confidential";
+        String repoContext = Base64.getEncoder().encodeToString("{\"repo\":\"test\",\"env\":\"prod\"}".getBytes());
+
+        String merged = SseKmsUtil.mergeAndEncodeEncryptionContexts(indexContext, repoContext);
+        assertNotNull(merged);
+
+        String decoded = new String(Base64.getDecoder().decode(merged));
+        assertTrue(decoded.contains("\"tenant\":\"acme\""));
+        assertTrue(decoded.contains("\"classification\":\"confidential\""));
+        assertTrue(decoded.contains("\"repo\":\"test\""));
+        assertTrue(decoded.contains("\"env\":\"prod\""));
+    }
+
+    public void testCryptoMetadataExtraction() {
+        Settings cryptoSettings = Settings.builder()
+            .put("kms.key_arn", "arn:aws:kms:us-east-1:123456789:key/index-key")
+            .put("kms.encryption_context", "tenant=acme,env=staging")
+            .build();
+        CryptoMetadata cryptoMetadata = new CryptoMetadata("index-provider", "aws-kms", cryptoSettings);
+
+        assertEquals("arn:aws:kms:us-east-1:123456789:key/index-key", cryptoMetadata.settings().get("kms.key_arn"));
+        assertEquals("tenant=acme,env=staging", cryptoMetadata.settings().get("kms.encryption_context"));
+    }
+}

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerMockClientTests.java

@@ -757,8 +757,8 @@ private void testLargeFilesRedirectedToSlowSyncClient(boolean expectException, W
             anyString(),
             any(InputStream.class),
             anyLong(),
-            anyMap()
-        );
+            anyMap(),
+            null, null);
 
         if (expectException) {
             verify(client, times(1)).abortMultipartUpload(any(AbortMultipartUploadRequest.class));

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobStoreContainerTests.java

@@ -134,7 +134,7 @@ public void testExecuteSingleUploadBlobSizeTooLarge() {
 
         final IllegalArgumentException e = expectThrows(
             IllegalArgumentException.class,
-            () -> blobContainer.executeSingleUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null)
+            () -> blobContainer.executeSingleUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null, null, null)
         );
         assertEquals("Upload request size [" + blobSize + "] can't be larger than 5gb", e.getMessage());
     }
@@ -153,8 +153,8 @@ public void testExecuteSingleUploadBlobSizeLargerThanBufferSize() {
                 blobName,
                 new ByteArrayInputStream(new byte[0]),
                 ByteSizeUnit.MB.toBytes(2),
-                null
-            )
+                null,
+                null, null)
         );
         assertEquals("Upload request size [2097152] can't be larger than buffer size", e.getMessage());
     }
@@ -665,7 +665,7 @@ public void testExecuteSingleUpload() throws IOException {
         when(client.putObject(putReqCaptor.capture(), bodyCaptor.capture())).thenReturn(PutObjectResponse.builder().build());
 
         // Pass the known-length stream + tell the code the exact size
-        blobContainer.executeSingleUpload(blobStore, blobName, inputStream, blobSize, metadata);
+        blobContainer.executeSingleUpload(blobStore, blobName, inputStream, blobSize, metadata, null, null);
 
         final PutObjectRequest request = putReqCaptor.getValue();
         final RequestBody requestBody = bodyCaptor.getValue();
@@ -703,7 +703,7 @@ public void testExecuteMultipartUploadBlobSizeTooLarge() {
 
         final IllegalArgumentException e = expectThrows(
             IllegalArgumentException.class,
-            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null)
+            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null, null, null)
         );
         assertEquals("Multipart upload request size [" + blobSize + "] can't be larger than 5tb", e.getMessage());
     }
@@ -715,7 +715,7 @@ public void testExecuteMultipartUploadBlobSizeTooSmall() {
 
         final IllegalArgumentException e = expectThrows(
             IllegalArgumentException.class,
-            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null)
+            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null, null, null)
         );
         assertEquals("Multipart upload request size [" + blobSize + "] can't be smaller than 5mb", e.getMessage());
     }
@@ -803,7 +803,7 @@ public void testExecuteMultipartUpload() throws IOException {
 
         final ByteArrayInputStream inputStream = new ByteArrayInputStream(new byte[0]);
         final S3BlobContainer blobContainer = new S3BlobContainer(blobPath, blobStore);
-        blobContainer.executeMultipartUpload(blobStore, blobName, inputStream, blobSize, metadata);
+        blobContainer.executeMultipartUpload(blobStore, blobName, inputStream, blobSize, metadata, null, null);
 
         final CreateMultipartUploadRequest initRequest = createMultipartUploadRequestArgumentCaptor.getValue();
         assertEquals(bucketName, initRequest.bucket());
@@ -933,7 +933,7 @@ public void testExecuteMultipartUploadAborted() {
 
         final IOException e = expectThrows(IOException.class, () -> {
             final S3BlobContainer blobContainer = new S3BlobContainer(blobPath, blobStore);
-            blobContainer.executeMultipartUpload(blobStore, blobName, new ByteArrayInputStream(new byte[0]), blobSize, null);
+            blobContainer.executeMultipartUpload(blobStore, blobName, new ByteArrayInputStream(new byte[0]), blobSize, null, null, null);
         });
 
         assertEquals("Unable to upload object [" + blobName + "] using multipart upload", e.getMessage());