/* * Copyright 2014-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ package com.amazonaws.services.s3.model; import java.io.Serializable; import static com.amazonaws.services.s3.model.ExtraMaterialsDescription.NONE; import java.util.Map; import com.amazonaws.services.s3.AmazonS3Client; import com.amazonaws.services.s3.AmazonS3EncryptionClient; import com.amazonaws.services.s3.KeyWrapException; /** * <p> * An extension of {@link GetObjectRequest} to allow additional encryption * material description to be specified on a per-request basis. In particular, * {@link EncryptedGetObjectRequest} is only recognized by * {@link AmazonS3EncryptionClient}. * </p> * <p> * If {@link EncryptedGetObjectRequest} is used against the non-encrypting * {@link AmazonS3Client}, the additional attributes will be ignored. * </p> * <p> * The additional material description must not conflict with the existing one * saved in S3 or else will cause the get request to fail fast later on. */ public class EncryptedGetObjectRequest extends GetObjectRequest implements Serializable { /** * Request specific additional material description; never null. */ private ExtraMaterialsDescription supplemental = NONE; /** * Used to retrieve the S3 encrypted object via instruction file with * an explicit suffix. Applicable only if specified (which means non-null * and non-blank.) */ private String instructionFileSuffix; /** * True if the retrieval of the encrypted object expects the CEK to have * been key-wrapped; Default is false. * <p> * Note, however, that if {@link CryptoMode#StrictAuthenticatedEncryption} * is in use, key wrapping is always expected for the CEK regardless. */ private boolean keyWrapExpected; public EncryptedGetObjectRequest(String bucketName, String key) { this(bucketName, key, null); } public EncryptedGetObjectRequest(String bucketName, String key, String versionId) { super(bucketName, key, versionId); setKey(key); setVersionId(versionId); } public EncryptedGetObjectRequest(S3ObjectId s3ObjectId) { super(s3ObjectId); } public EncryptedGetObjectRequest(String bucketName, String key, boolean isRequesterPays) { super(bucketName, key, isRequesterPays); } /** * Returns the supplemental material description to be used for retrieving * the encryption materials. * * @return the supplemental material description; never null. */ public ExtraMaterialsDescription getExtraMaterialDescription() { return supplemental; } /** * Sets the supplemental materials description for the encryption materials * to be used with the current request. * * @param supplemental * the materialsDescription to set; must not conflict with the * existing one saved in S3 or else will cause the get request to * fail fast later on */ public void setExtraMaterialDescription( ExtraMaterialsDescription supplemental) { this.supplemental = supplemental == null ? NONE : supplemental; } /** * Sets the supplemental materials description for the encryption materials * to be used with the current request. * * @param supplemental * the materialsDescription to set; must not conflict with the * existing one saved in S3 or else will cause the get request to * fail fast later on */ public EncryptedGetObjectRequest withExtraMaterialsDescription( ExtraMaterialsDescription supplemental) { setExtraMaterialDescription(supplemental); return this; } /** * Fluent API to set the supplemental materials description for the * encryption materials to be used with the current request. * * @param supplemental * the materialsDescription to set; must not conflict with the * existing one saved in S3 or else will cause the get request to * fail fast later on */ public EncryptedGetObjectRequest withExtraMaterialsDescription( Map<String, String> supplemental) { setExtraMaterialDescription(supplemental == null ? null : new ExtraMaterialsDescription(supplemental)); return this; } public String getInstructionFileSuffix() { return instructionFileSuffix; } /** * Explicitly sets the suffix of an instruction file to be used to retrieve * the S3 encrypted object. Typically this is for more advanced use cases * where multiple crypto instruction files have been created for the same S3 * object. Each instruction file contains the same CEK encrypted under a * different KEK, the IV, and other meta information (aka material * description). * * @param instructionFileSuffix * suffix of the instruction file to be used. * * @see AmazonS3EncryptionClient#putInstructionFile(PutInstructionFileRequest) */ public void setInstructionFileSuffix(String instructionFileSuffix) { this.instructionFileSuffix = instructionFileSuffix; } /** * Fluent API to explicitly sets the suffix of an instruction file to be * used to retrieve the S3 encrypted object. Typically this is for more * advanced use cases where multiple crypto instruction files have been * created for the same S3 object. Each instruction file contains the same * CEK encrypted under a different KEK, the IV, and other meta information * (aka material description). * * @param instructionFileSuffix * suffix of the instruction file to be used. * * @see AmazonS3EncryptionClient#putInstructionFile(PutInstructionFileRequest) */ public EncryptedGetObjectRequest withInstructionFileSuffix( String instructionFileSuffix) { this.instructionFileSuffix = instructionFileSuffix; return this; } /** * Returns true if key wrapping is expected; false otherwise. Note, however, * that if {@link CryptoMode#StrictAuthenticatedEncryption} or KMS is in * use, key wrapping is always expected for the CEK regardless. */ public boolean isKeyWrapExpected() { return keyWrapExpected; } /** * @param keyWrapExpected * true if key wrapping is expected for the CEK; false otherwse. * Note, however, that if * {@link CryptoMode#StrictAuthenticatedEncryption} or KMS is in * use, key wrapping is always expected for the CEK regardless. * <p> * If keyWrapExpected is set to true but the CEK is found to be * not key-wrapped, it would cause a {@link KeyWrapException} to * be thrown. */ public void setKeyWrapExpected(boolean keyWrapExpected) { this.keyWrapExpected = keyWrapExpected; } /** * Fluent API for {@link #setKeyWrapExpected(boolean)}. */ public EncryptedGetObjectRequest withKeyWrapExpected(boolean keyWrapExpected) { this.keyWrapExpected = keyWrapExpected; return this; } }