Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DecryptionClient.GetObjectRequest suggests that decryption happens automatically, but it does not #5018

Closed
gjtorikian opened this issue Oct 12, 2023 · 3 comments
Assignees
Labels
documentation This is a problem with documentation. p3 This is a minor priority issue

Comments

@gjtorikian
Copy link

gjtorikian commented Oct 12, 2023

Describe the issue

The doc currently says:

GetObjectRequest will make a request to s3 and retrieve the object. In this process decryption will be done. The SDK only supports V2 reads of KMS and GCM.

After much trial and error, I finally discovered that the documentation is wrong. I was able to retrieve my encrypted file by using DecryptionClient.GetObject directly.

Edit: of course, right after I posted this issue, I discovered the real problem:

s3req, out := decryptionClient.GetObjectRequest

I had been operating on s3req.HTTPResponse.Body, which is the encrypted file contents. I needed to work with out, which truly represents the GetObjectOutput. Still, I think the docs could have some improvement here. Given how much of the decryption was handled for me, I had expected the response body to be decrypted.

Links

https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3crypto/#DecryptionClient.GetObjectRequest

@gjtorikian gjtorikian added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Oct 12, 2023
@RanVaknin
Copy link
Contributor

Hi @gjtorikian,

The v1 of the Go SDK has a consistent paradigm with operation names. Each operation has 3 forms:
OperationNameRequest ,OperationName and OperationNameWithContext.

From our developer guide:

Calling Operations with the Request Form

Calling the request form of a service operation, which follows the naming pattern OperationNameRequest, provides a simple way to control when a request is built, signed, and sent. Calling the request
form immediately returns a request object. The request object output is a struct pointer that is not valid
until the request is sent and returned successfully.
Calling the request form can be useful when you want to construct a number of pre-signed requests,
such as pre-signed Amazon S3 URLs. You can also use the request form to modify how the SDK sends a
request.
The following example calls the request form of the GetObject method. The Send method signs the
request before sending it.

req, result := s3Svc.GetObjectRequest(&s3.GetObjectInput{...})
// result is a *s3.GetObjectOutput struct pointer, not populated until req.Send() returns
// req is a *aws.Request struct pointer. Used to Send request.
if err := req.Send(); err != nil {
 // process error
 return
}
// Process result

So instead of using the request form (GetObjectRequest), you should be using the non-request form GetObject as it returns (out , err) which is the more Golang idiomatic way of programming.

I still see how a documentation update could benefit some use cases, but at this point the team is directing their effort to enhancing the v2 SDK so this documentation issue is unlikely to get prioritized. When the Crypto client will get ported to v2, it won't have this problem since in v2 we don't have the request form at all. Instead we use middleware to hook into the request and response lifecycle.

I will keep this open for visibility.

Thanks again,
Ran~

@RanVaknin RanVaknin self-assigned this Oct 12, 2023
@RanVaknin RanVaknin added p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Oct 12, 2023
@gjtorikian
Copy link
Author

Ah, sorry, this was meant for the v2 client: https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3crypto/#DecryptionClientV2.GetObjectRequest

GetObjectRequest will make a request to s3 and retrieve the object. In this process decryption will be done. The SDK only supports V2 reads of KMS and GCM.

Your explanation makes perfect sense. I just misinterpreted how the response body was coming back.

Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation This is a problem with documentation. p3 This is a minor priority issue
Projects
None yet
Development

No branches or pull requests

2 participants