gem init

.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in active_storage_client_side_encrypted.gemspec
+gemspec
+
+gem "rake", "~> 13.0"

LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Stefan Wienert
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,60 @@
+# ActiveStorage ClientSideEncrypted
+
+**WIP: not on Rubygems yet. If you want to use it, point to this git.**
+
+Based upon https://ankane.org/aws-client-side-encryption but enhanced with. Implements Client-Side encryption and total proxying through Rails. So you might loose some performance, as all Storage requests will go through the Rails-stack.
+
+Fortunately, since 6.1 or so, Rails saves the `service_name` onto the Blob, so it is easy to migrate over one by one.
+
+What works:
+
+- [x] uses static string key (32 byte) with ``encryption_key: "xx"`` config.
+- [x] uses Aws::S3::EncryptionV2 interface
+- [x] supports "direct-upload" via Disk-Service controller. Important: If EncryptedS3 is not the default storage, than you need to patch/hack the ActiveStorage::Blob#direct_upload_url to handle a different service.
+- [x] supports linking via Proxy Routing
+- [x] Supports "chunked" downloading and range requests (not really - it will download the whole thing and decrypt it in memory - no other way, but still fullfils the API)
+- [x] Variants - Needs Rails7 for tracked variants, otherwise not possible via Proxy
+- [ ] Preview - not needed until now
+- [ ] Mirror - never used
+- [ ] Different Encryption Key formats - currently only static encryption key, but Aws-sdk also supports private/public key and more
+
+## Installation
+
+```ruby
+gem 'active_storage_client_side_encrypted', git: 'https://github.com/pludoni/active_storage_client_side_encrypted.git'
+```
+
+## Usage
+
+```yaml
+encrypted_amazon:
+  service: EncryptedS3  # <---- Important
+  access_key_id: <%= Rails.application.secrets.dig(:aws, :access_key_id) %>
+  secret_access_key: <%= Rails.application.secrets.dig(:aws, :secret_access_key) %>
+  region: <%= Rails.application.secrets.dig(:aws, :region) %>
+  bucket: <%= Rails.application.secrets.dig(:aws, :bucket) %>
+  # Static Encryption Key: 32 bytes
+  encryption_key: <%= Rails.application.secret_key_base[0..31] %>
+```
+
+### tell direct upload to use `encrypted_amazon` service
+
+- Unforunately, the Direct Upload will always use the default service. To pass a different service, you have to patch the `DirectUploadController#direct_upload_url` method.
+
+```ruby
+# config/initializers/active_storage_direct_upload_patch.rb
+module ASDirectUploadPatch
+  def blob_args
+    service_name = params[:service_name].presence
+    super.merge(service_name: service_name)
+  end
+end
+
+Rails.application.reloader.to_prepare do
+  ActiveStorage::DirectUploadsController.prepend ASDirectUploadPatch
+end
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+task default: %i[]

active_storage_client_side_encrypted.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "lib/active_storage_client_side_encrypted/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "active_storage_client_side_encrypted"
+  spec.version = ActiveStorageClientSideEncrypted::VERSION
+  spec.authors = ["Stefan Wienert"]
+  spec.email = ["[email protected]"]
+
+  spec.summary = "ActiveStorage client side encrypted S3-Storage"
+  spec.description = "ActiveStorage client side encrypted S3-Storage"
+  spec.homepage = "https://github.com/pludoni/active_storage_client_side_encrypted"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  #spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor Gemfile])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  spec.add_dependency "activestorage", ">= 7.0.0"
+  spec.add_dependency "aws-sdk-s3", ">= 1.114.0"
+end

bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "active_storage_client_side_encrypted"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "irb"
+IRB.start(__FILE__)

bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

lib/active_storage/service/encrypted_s3_service.rb

@@ -0,0 +1,120 @@
+require "active_storage/service/s3_service"
+
+module ActiveStorage
+  class Service::EncryptedS3Service < Service::S3Service
+    attr_reader :encryption_client
+
+    def initialize(bucket:, upload: {}, **options)
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Encryption.html
+      super_options = options.except(:kms_key_id, :encryption_key, :encryption_key)
+      super(bucket: bucket, upload: upload, **super_options)
+
+      if options[:encryption_key].length > 32
+        # TODO: different Key Formats? Pub/Private?
+        options[:encryption_key] = options[:encryption_key][0..31]
+      end
+      @encryption_client = Aws::S3::EncryptionV2::Client.new(
+        options.merge(
+          key_wrap_schema: :aes_gcm,
+          content_encryption_schema: :aes_gcm_no_padding,
+          security_profile: :v2 # use :v2_and_legacy to allow reading/decrypting objects encrypted by the V1 encryption client
+        )
+      )
+    end
+
+    def upload(key, io, checksum: nil, filename: nil, content_type: nil, disposition: nil, custom_metadata: {}, **)
+      instrument :upload, key: key, checksum: checksum do
+        begin
+          encryption_client.put_object(
+            upload_options.merge(
+              body: io,
+              # Setting content_md5 on client side encrypted objects is deprecated#.
+              # content_md5: checksum,
+              bucket: bucket.name,
+              metadata: custom_metadata,
+              key: key
+            )
+          )
+        rescue Aws::S3::Errors::BadDigest
+          raise ActiveStorage::IntegrityError
+        end
+      end
+    end
+
+    def download(key, &block)
+      if block_given?
+        instrument :streaming_download, key: key do
+          blob = get_object_blob(key)
+          yield blob
+        end
+      else
+        instrument :download, key: key do
+          get_object_blob(key)
+        end
+      end
+    end
+
+    def download_chunk(key, range)
+      blob = StringIO.new(get_object_blob(key))
+      blob.seek(range.begin)
+      blob.read(range.size)
+    end
+
+    def url_for_direct_upload(key, expires_in:, content_type:, content_length:, checksum:, custom_metadata: {})
+      instrument :url, key: key do |payload|
+        verified_token_with_expiration = ActiveStorage.verifier.generate(
+          {
+            key: key,
+            content_type: content_type,
+            content_length: content_length,
+            checksum: checksum,
+            service_name: name
+          },
+          expires_in: expires_in,
+          purpose: :blob_token
+        )
+
+        generated_url = url_helpers.update_rails_disk_service_url(verified_token_with_expiration, host: current_host, protocol: 'https')
+
+        payload[:url] = generated_url
+
+        generated_url
+      end
+    end
+
+    def url_for(blob, expires_in:)
+      signed_id = ActiveStorage::Blob.signed_id_verifier.generate blob.id, expires_in: expires_in, purpose: :blob_id
+      url_helpers.rails_service_blob_proxy_url(signed_id, filename: blob.filename, host: current_host, protocol: 'https')
+    end
+
+    private
+
+    def current_host
+      ActiveStorage::Current.host || Rails.application.config.action_mailer.default_url_options[:host]
+    end
+
+    def private_url(key, expires_in:, filename:, content_type:, disposition:, **)
+      if key.start_with?('variants/')
+        raise ArgumentError, "Not Implemented for variants"
+      else
+        blob = ActiveStorage::Blob.find_by!(key: key, service_name: name)
+        url_for(blob, expires_in: expires_in)
+      end
+    end
+
+    def public_url(key, **)
+      private_url(key)
+    end
+
+    def get_object_blob(key)
+      encryption_client.get_object(
+        bucket: bucket.name,
+        key: key
+      ).body.string.force_encoding(Encoding::BINARY)
+    end
+
+    def url_helpers
+      @url_helpers ||= Rails.application.routes.url_helpers
+    end
+  end
+end

lib/active_storage_client_side_encrypted.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative "active_storage_client_side_encrypted/version"
+require_relative 'active_storage/service/encrypted_s3_service'
+
+module ActiveStorageClientSideEncrypted
+  class Error < StandardError; end
+  # Your code goes here...
+end

lib/active_storage_client_side_encrypted/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ActiveStorageClientSideEncrypted
+  VERSION = "0.1.0"
+end

sig/active_storage_client_side_encrypted.rbs

@@ -0,0 +1,4 @@
+module ActiveStorageClientSideEncrypted
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end