feat: add S3-compatible storage provider (MinIO, Ceph, R2, etc.)

Adds a new 'S3-Compatible Storage' provider that works with any S3-API-compatible object storage service, including MinIO, Ceph, Cloudflare R2, Backblaze B2, and others. Changes: - New provider class: classes/providers/storage/s3-compatible-provider.php - Provider key: s3compatible - Reads user-configured endpoint URL from settings - Uses path-style URL access (required by most S3-compatible services) - Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID / AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants - Disables AWS-specific features (Block Public Access, Object Ownership) - New provider SVG icons (s3compatible.svg, -link.svg, -round.svg) - Registered provider in main plugin class with endpoint setting support - Updated StorageProviderSubPage to show endpoint URL input for S3-compatible - Built pro settings bundle with rollup (Svelte 4.2.19) - Added package.json and updated rollup.config.mjs for pro-only builds
2026-03-03 12:30:18 +01:00
commit 3248cbb029
2086 changed files with 359427 additions and 0 deletions
--- a/vendor/Aws3/Aws/Crypto/KmsMaterialsProvider.php
+++ b/vendor/Aws3/Aws/Crypto/KmsMaterialsProvider.php
@@ -0,0 +1,90 @@
+<?php
+
+namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto;
+
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Kms\KmsClient;
+/**
+ * Uses KMS to supply materials for encrypting and decrypting data.
+ *
+ * Legacy implementation that supports legacy S3EncryptionClient and
+ * S3EncryptionMultipartUploader, which use an older encryption workflow. Use
+ * KmsMaterialsProviderV2 with S3EncryptionClientV2 or
+ * S3EncryptionMultipartUploaderV2 if possible.
+ *
+ * @deprecated
+ */
+class KmsMaterialsProvider extends MaterialsProvider implements MaterialsProviderInterface
+{
+    const WRAP_ALGORITHM_NAME = 'kms';
+    private $kmsClient;
+    private $kmsKeyId;
+    /**
+     * @param KmsClient $kmsClient A KMS Client for use encrypting and
+     *                             decrypting keys.
+     * @param string $kmsKeyId The private KMS key id to be used for encrypting
+     *                         and decrypting keys.
+     */
+    public function __construct(KmsClient $kmsClient, $kmsKeyId = null)
+    {
+        $this->kmsClient = $kmsClient;
+        $this->kmsKeyId = $kmsKeyId;
+    }
+    public function fromDecryptionEnvelope(MetadataEnvelope $envelope)
+    {
+        if (empty($envelope[MetadataEnvelope::MATERIALS_DESCRIPTION_HEADER])) {
+            throw new \RuntimeException('Not able to detect the materials description.');
+        }
+        $materialsDescription = \json_decode($envelope[MetadataEnvelope::MATERIALS_DESCRIPTION_HEADER], \true);
+        if (empty($materialsDescription['kms_cmk_id']) && empty($materialsDescription['aws:x-amz-cek-alg'])) {
+            throw new \RuntimeException('Not able to detect kms_cmk_id (legacy' . ' implementation) or aws:x-amz-cek-alg (current implementation)' . ' from kms materials description.');
+        }
+        return new self($this->kmsClient, isset($materialsDescription['kms_cmk_id']) ? $materialsDescription['kms_cmk_id'] : null);
+    }
+    /**
+     * The KMS key id for use in matching this Provider to its keys,
+     * consistently with other SDKs as 'kms_cmk_id'.
+     *
+     * @return array
+     */
+    public function getMaterialsDescription()
+    {
+        return ['kms_cmk_id' => $this->kmsKeyId];
+    }
+    public function getWrapAlgorithmName()
+    {
+        return self::WRAP_ALGORITHM_NAME;
+    }
+    /**
+     * Takes a content encryption key (CEK) and description to return an encrypted
+     * key by using KMS' Encrypt API.
+     *
+     * @param string $unencryptedCek Key for use in encrypting other data
+     *                               that itself needs to be encrypted by the
+     *                               Provider.
+     * @param string $materialDescription Material Description for use in
+     *                                    encrypting the $cek.
+     *
+     * @return string
+     */
+    public function encryptCek($unencryptedCek, $materialDescription)
+    {
+        $encryptedDataKey = $this->kmsClient->encrypt(['Plaintext' => $unencryptedCek, 'KeyId' => $this->kmsKeyId, 'EncryptionContext' => $materialDescription]);
+        return \base64_encode($encryptedDataKey['CiphertextBlob']);
+    }
+    /**
+     * Takes an encrypted content encryption key (CEK) and material description
+     * for use decrypting the key by using KMS' Decrypt API.
+     *
+     * @param string $encryptedCek Encrypted key to be decrypted by the Provider
+     *                             for use decrypting other data.
+     * @param string $materialDescription Material Description for use in
+     *                                    encrypting the $cek.
+     *
+     * @return string
+     */
+    public function decryptCek($encryptedCek, $materialDescription)
+    {
+        $result = $this->kmsClient->decrypt(['CiphertextBlob' => $encryptedCek, 'EncryptionContext' => $materialDescription]);
+        return $result['Plaintext'];
+    }
+}