feat: add S3-compatible storage provider (MinIO, Ceph, R2, etc.)
Adds a new 'S3-Compatible Storage' provider that works with any
S3-API-compatible object storage service, including MinIO, Ceph,
Cloudflare R2, Backblaze B2, and others.
Changes:
- New provider class: classes/providers/storage/s3-compatible-provider.php
- Provider key: s3compatible
- Reads user-configured endpoint URL from settings
- Uses path-style URL access (required by most S3-compatible services)
- Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID /
AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants
- Disables AWS-specific features (Block Public Access, Object Ownership)
- New provider SVG icons (s3compatible.svg, -link.svg, -round.svg)
- Registered provider in main plugin class with endpoint setting support
- Updated StorageProviderSubPage to show endpoint URL input for S3-compatible
- Built pro settings bundle with rollup (Svelte 4.2.19)
- Added package.json and updated rollup.config.mjs for pro-only builds
This commit is contained in:
69
vendor/Aws3/Aws/Crypto/KmsMaterialsProviderV2.php
vendored
Normal file
69
vendor/Aws3/Aws/Crypto/KmsMaterialsProviderV2.php
vendored
Normal file
@@ -0,0 +1,69 @@
|
||||
<?php
|
||||
|
||||
namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto;
|
||||
|
||||
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\CryptoException;
|
||||
use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Kms\KmsClient;
|
||||
/**
|
||||
* Uses KMS to supply materials for encrypting and decrypting data. This
|
||||
* V2 implementation should be used with the V2 encryption clients (i.e.
|
||||
* S3EncryptionClientV2).
|
||||
*/
|
||||
class KmsMaterialsProviderV2 extends MaterialsProviderV2 implements MaterialsProviderInterfaceV2
|
||||
{
|
||||
const WRAP_ALGORITHM_NAME = 'kms+context';
|
||||
private $kmsClient;
|
||||
private $kmsKeyId;
|
||||
/**
|
||||
* @param KmsClient $kmsClient A KMS Client for use encrypting and
|
||||
* decrypting keys.
|
||||
* @param string $kmsKeyId The private KMS key id to be used for encrypting
|
||||
* and decrypting keys.
|
||||
*/
|
||||
public function __construct(KmsClient $kmsClient, $kmsKeyId = null)
|
||||
{
|
||||
$this->kmsClient = $kmsClient;
|
||||
$this->kmsKeyId = $kmsKeyId;
|
||||
}
|
||||
/**
|
||||
* @inheritDoc
|
||||
*/
|
||||
public function getWrapAlgorithmName()
|
||||
{
|
||||
return self::WRAP_ALGORITHM_NAME;
|
||||
}
|
||||
/**
|
||||
* @inheritDoc
|
||||
*/
|
||||
public function decryptCek($encryptedCek, $materialDescription, $options)
|
||||
{
|
||||
$params = ['CiphertextBlob' => $encryptedCek, 'EncryptionContext' => $materialDescription];
|
||||
if (empty($options['@KmsAllowDecryptWithAnyCmk'])) {
|
||||
if (empty($this->kmsKeyId)) {
|
||||
throw new CryptoException('KMS CMK ID was not specified and the' . ' operation is not opted-in to attempting to use any valid' . ' CMK it discovers. Please specify a CMK ID, or explicitly' . ' enable attempts to use any valid KMS CMK with the' . ' @KmsAllowDecryptWithAnyCmk option.');
|
||||
}
|
||||
$params['KeyId'] = $this->kmsKeyId;
|
||||
}
|
||||
$result = $this->kmsClient->decrypt($params);
|
||||
return $result['Plaintext'];
|
||||
}
|
||||
/**
|
||||
* @inheritDoc
|
||||
*/
|
||||
public function generateCek($keySize, $context, $options)
|
||||
{
|
||||
if (empty($this->kmsKeyId)) {
|
||||
throw new CryptoException('A KMS key id is required for encryption' . ' with KMS keywrap. Use a KmsMaterialsProviderV2 that has been' . ' instantiated with a KMS key id.');
|
||||
}
|
||||
$options = \array_change_key_case($options);
|
||||
if (!isset($options['@kmsencryptioncontext']) || !\is_array($options['@kmsencryptioncontext'])) {
|
||||
throw new CryptoException("'@KmsEncryptionContext' is a" . " required argument when using KmsMaterialsProviderV2, and" . " must be an associative array (or empty array).");
|
||||
}
|
||||
if (isset($options['@kmsencryptioncontext']['aws:x-amz-cek-alg'])) {
|
||||
throw new CryptoException("Conflict in reserved @KmsEncryptionContext" . " key aws:x-amz-cek-alg. This value is reserved for the S3" . " Encryption Client and cannot be set by the user.");
|
||||
}
|
||||
$context = \array_merge($options['@kmsencryptioncontext'], $context);
|
||||
$result = $this->kmsClient->generateDataKey(['KeyId' => $this->kmsKeyId, 'KeySpec' => "AES_{$keySize}", 'EncryptionContext' => $context]);
|
||||
return ['Plaintext' => $result['Plaintext'], 'Ciphertext' => \base64_encode($result['CiphertextBlob']), 'UpdatedContext' => $context];
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user