
Commit d71adc3

stobrien89Sean O'Brien
andauthored
chore: add deprecation notices to legacy s3 crypto clients (#3238)
Co-authored-by: Sean O'Brien <obrien.sean.dev@gmail.com>
1 parent 7cb4827 commit d71adc3

8 files changed

+74
-52
lines changed
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
[
2+
{
3+
"type": "enhancement",
4+
"category": "S3",
5+
"description": "Adds deprecation notices to `S3EncryptionClient` and `S3EncryptionClientV2`"
6+
}
7+
]

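--- a/src/S3/Crypto/S3EncryptionClient.php
+++ b/src/S3/Crypto/S3EncryptionClient.php
@@ -54,6 +54,14 @@ public function __construct(
 S3Client $client,
 $instructionFileSuffix = null
 ) {
+trigger_error(
+'S3EncryptionClient is deprecated and will be removed in a future ' .
+'release due to security vulnerabilities. Please migrate to ' .
+'S3EncryptionClientV3 as soon as possible.' . "\n" .
+'See https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/' .
+'security.html for upgrade guidance.',
+E_USER_DEPRECATED
+);
 $this->client = $client;
 $this->instructionFileSuffix = $instructionFileSuffix;
 MetricsBuilder::appendMetricsCaptureMiddleware(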
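Review bot: The `trigger_error(..., E_USER_DEPRECATED)` added at the top of `__construct` is a runtime-only signal. Installations whose `error_reporting` excludes `E_USER_DEPRECATED` never see it, while applications whose error handler promotes every PHP error to an exception will start failing when the client is constructed. Consider pairing it with a class-level `@deprecated Use S3EncryptionClientV3 instead.` docblock tag, if the class does not already carry one (the class header is outside the hunk), so static analysers and IDEs flag usages before deployment. The message also says only "security vulnerabilities", whereas the V2 notice in this commit names an advisory; naming the relevant one here would help operators judge how urgent the migration is. The constructor body continues outside the hunk.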

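--- a/src/S3/Crypto/S3EncryptionClientV2.php
+++ b/src/S3/Crypto/S3EncryptionClientV2.php
@@ -107,6 +107,14 @@ public function __construct(
 S3Client $client,
 $instructionFileSuffix = null
 ) {
+trigger_error(
+'S3EncryptionClientV2 will be deprecated soon and will be removed in a future ' .
+'release due to security vulnerabilities (CVE-2024-56473). Please ' .
+'migrate to S3EncryptionClientV3 as soon as possible.' . "\n" .
+'See https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/' .
+'security.html for upgrade guidance.',
+E_USER_DEPRECATED
+);
 $this->client = $client;
 $this->instructionFileSuffix = $instructionFileSuffix;
 $this->legacyWarningCount = 0;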
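Review bot: The message passed to `trigger_error` says `S3EncryptionClientV2 will be deprecated soon`, yet it is raised at `E_USER_DEPRECATED` level and the changelog entry in this commit calls it a deprecation notice, so someone reading the log cannot tell whether the class is deprecated today. Because the text cites CVE-2024-56473 as the reason, the wording should be unambiguous, for example `'S3EncryptionClientV2 is deprecated and will be removed in a future ' .`, which would also match the S3EncryptionClient notice. The constructor body continues outside the hunk.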

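--- a/tests/Integ/S3EncryptionContext.php
+++ b/tests/Integ/S3EncryptionContext.php
@@ -130,7 +130,7 @@ public function iUploadLanguageDataWithFolder($language, $folder)
 'region' => $this->region,
 'version' => 'latest'
 ]);
-$s3EncryptionClient = new S3EncryptionClient($s3Client);
+$s3EncryptionClient = @new S3EncryptionClient($s3Client);
 
 foreach ($this->plaintexts as $fileKeyPart => $plaintext) {
 $params = $this->operationParams[$fileKeyPart];
@@ -160,7 +160,7 @@ public function iDecryptEachFixtureAgainstLanguageEncryptionVersion($language, $
 'region' => $this->region,
 'version' => 'latest'
 ]);
-$s3EncryptionClient = new S3EncryptionClient($s3Client);
+$s3EncryptionClient = @new S3EncryptionClient($s3Client);
 
 $fileKeyParts = array_keys($this->plaintexts);
 foreach ($fileKeyParts as $fileKeyPart) {
@@ -227,4 +227,3 @@ private function getKmsArnFromAlias(KmsClient $kmsClient, $alias)
 return '';
 }
 }
-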
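Review bot: `@new S3EncryptionClient($s3Client)` silences every diagnostic raised while the constructor runs, not just the new `E_USER_DEPRECATED` notice, so an unrelated warning from client construction would go unnoticed in both changed steps. The same pattern is repeated in tests/Integ/S3EncryptionContextV2.php and at each construction site in tests/S3/Crypto/S3EncryptionClientTest.php. A narrower option is a small test helper that installs `set_error_handler(static fn () => true, E_USER_DEPRECATED)` around the `new` call and then calls `restore_error_handler()`, which filters only the deprecation level. Both step methods start and end outside the hunks shown.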

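--- a/tests/Integ/S3EncryptionContextV2.php
+++ b/tests/Integ/S3EncryptionContextV2.php
@@ -129,7 +129,7 @@ public function iUploadLanguageDataWithFolder($language, $folder)
 'region' => $this->region,
 'version' => 'latest'
 ]);
-$s3EncryptionClient = new S3EncryptionClientV2($s3Client);
+$s3EncryptionClient = @new S3EncryptionClientV2($s3Client);
 
 foreach ($this->plaintexts as $fileKeyPart => $plaintext) {
 if (empty($this->operationParams[$fileKeyPart])) {
@@ -163,7 +163,7 @@ public function iDecryptEachFixtureAgainstLanguageEncryptionVersion($language, $
 'region' => $this->region,
 'version' => 'latest'
 ]);
-$s3EncryptionClient = new S3EncryptionClientV2($s3Client);
+$s3EncryptionClient = @new S3EncryptionClientV2($s3Client);
 
 $fileKeyParts = array_keys($this->plaintexts);
 foreach ($fileKeyParts as $fileKeyPart) {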

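--- a/tests/S3/Crypto/S3EncryptionClientTest.php
+++ b/tests/S3/Crypto/S3EncryptionClientTest.php
@@ -82,7 +82,7 @@ public function testPutObjectTakesValidMaterialsProviders(
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -108,7 +108,7 @@ public function testPutObjectRejectsInvalidMaterialsProviders(
 
 $s3 = $this->getS3Client();
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -147,7 +147,7 @@ public function testPutObjectTakesValidMetadataStrategy(
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -176,7 +176,7 @@ public function testPutObjectRejectsInvalidMetadataStrategy($strategy, $exceptio
 $keyId = '11111111-2222-3333-4444-555555555555';
 $provider = new KmsMaterialsProvider($kms, $keyId);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -204,7 +204,7 @@ public function testPutObjectWithClientInstructionFileSuffix()
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient(
+$client = @new S3EncryptionClient(
 $s3,
 InstructionFileMetadataStrategy::DEFAULT_FILE_SUFFIX
 );
@@ -235,7 +235,7 @@ public function testPutObjectWithOperationInstructionFileSuffix()
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -274,7 +274,7 @@ public function testPutObjectValidatesCipher(
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -318,7 +318,7 @@ public function testPutObjectValidatesKeySize(
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -363,7 +363,7 @@ public function testPutObjectWrapsBodyInAesEncryptingStream()
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -401,7 +401,7 @@ public function testPutObjectWrapsBodyInAesGcmEncryptingStream()
 new Result(['CiphertextBlob' => 'encrypted'])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -438,7 +438,7 @@ public function testGetObjectThrowsOnInvalidCipher()
 },
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $result = $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -494,7 +494,7 @@ public function testGetObjectWithMetadataStrategy()
 },
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $result = $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -538,7 +538,7 @@ public function testGetObjectWithClientInstructionFileSuffix()
 },
 ]);
 
-$client = new S3EncryptionClient(
+$client = @new S3EncryptionClient(
 $s3,
 InstructionFileMetadataStrategy::DEFAULT_FILE_SUFFIX
 );
@@ -585,7 +585,7 @@ public function testGetObjectWithOperationInstructionFileSuffix()
 },
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $result = $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -630,7 +630,7 @@ public function testGetObjectWithV2GcmMetadata()
 ]);
 
 $provider = new KmsMaterialsProvider($kms);
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $result = $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -661,7 +661,7 @@ public function testGetObjectWrapsBodyInAesGcmDecryptingStream()
 },
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $result = $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -693,7 +693,7 @@ public function testGetObjectSavesFile()
 },
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $result = $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -734,7 +734,7 @@ public function testTriggersWarningForGcmEncryptionWithAad()
 ])
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->putObject([
 'Bucket' => 'foo',
 'Key' => 'bar',
@@ -777,7 +777,7 @@ public function testAppendsMetricsCaptureMiddleware()
 },
 ]);
 
-$client = new S3EncryptionClient($s3);
+$client = @new S3EncryptionClient($s3);
 $client->getObject([
 'Bucket' => 'foo',
 'Key' => 'bar',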
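Review bot: None of the changed hunks in this file adds a test that checks the deprecation notice itself; every construction is simply wrapped in `@new`, so nothing visible here would fail if the `trigger_error` call were dropped or its level changed. Since the notice is how users learn the client is being retired for security reasons, a dedicated test would pin that behaviour: construct the client without `@`, capture the error through a temporary `set_error_handler`, and assert that the level is `E_USER_DEPRECATED` and the message names `S3EncryptionClientV3`. Such a test may already exist elsewhere in this file or in the changed files not shown on this page, since the hunks here show only call sites.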
