feat: add S3-compatible storage provider (MinIO, Ceph, R2, etc.)

Adds a new 'S3-Compatible Storage' provider that works with any S3-API-compatible object storage service, including MinIO, Ceph, Cloudflare R2, Backblaze B2, and others. Changes: - New provider class: classes/providers/storage/s3-compatible-provider.php - Provider key: s3compatible - Reads user-configured endpoint URL from settings - Uses path-style URL access (required by most S3-compatible services) - Supports credentials via AS3CF_S3COMPAT_ACCESS_KEY_ID / AS3CF_S3COMPAT_SECRET_ACCESS_KEY wp-config.php constants - Disables AWS-specific features (Block Public Access, Object Ownership) - New provider SVG icons (s3compatible.svg, -link.svg, -round.svg) - Registered provider in main plugin class with endpoint setting support - Updated StorageProviderSubPage to show endpoint URL input for S3-compatible - Built pro settings bundle with rollup (Svelte 4.2.19) - Added package.json and updated rollup.config.mjs for pro-only builds
2026-03-03 12:30:18 +01:00
commit 3248cbb029
2086 changed files with 359427 additions and 0 deletions
--- a/vendor/Aws3/Aws/S3/Crypto/S3EncryptionClientV2.php
+++ b/vendor/Aws3/Aws/S3/Crypto/S3EncryptionClientV2.php
@@ -0,0 +1,371 @@
+<?php
+
+namespace DeliciousBrains\WP_Offload_Media\Aws3\Aws\S3\Crypto;
+
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto\DecryptionTraitV2;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Exception\CryptoException;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\HashingStream;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\PhpHash;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto\AbstractCryptoClientV2;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto\EncryptionTraitV2;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto\MetadataEnvelope;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto\MaterialsProvider;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\Crypto\Cipher\CipherBuilderTrait;
+use DeliciousBrains\WP_Offload_Media\Aws3\Aws\S3\S3Client;
+use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise;
+use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Promise\PromiseInterface;
+use DeliciousBrains\WP_Offload_Media\Aws3\GuzzleHttp\Psr7;
+/**
+ * Provides a wrapper for an S3Client that supplies functionality to encrypt
+ * data on putObject[Async] calls and decrypt data on getObject[Async] calls.
+ *
+ * AWS strongly recommends the upgrade to the S3EncryptionClientV2 (over the
+ * S3EncryptionClient), as it offers updated data security best practices to our
+ * customers who upgrade. S3EncryptionClientV2 contains breaking changes, so this
+ * will require planning by engineering teams to migrate. New workflows should
+ * just start with S3EncryptionClientV2.
+ *
+ * Note that for PHP versions of < 7.1, this class uses an AES-GCM polyfill
+ * for encryption since there is no native PHP support. The performance for large
+ * inputs will be a lot slower than for PHP 7.1+, so upgrading older PHP version
+ * environments may be necessary to use this effectively.
+ *
+ * Example write path:
+ *
+ * <code>
+ * use Aws\Crypto\KmsMaterialsProviderV2;
+ * use Aws\S3\Crypto\S3EncryptionClientV2;
+ * use Aws\S3\S3Client;
+ *
+ * $encryptionClient = new S3EncryptionClientV2(
+ *     new S3Client([
+ *         'region' => 'us-west-2',
+ *         'version' => 'latest'
+ *     ])
+ * );
+ * $materialsProvider = new KmsMaterialsProviderV2(
+ *     new KmsClient([
+ *         'profile' => 'default',
+ *         'region' => 'us-east-1',
+ *         'version' => 'latest',
+ *     ],
+ *    'your-kms-key-id'
+ * );
+ *
+ * $encryptionClient->putObject([
+ *     '@MaterialsProvider' => $materialsProvider,
+ *     '@CipherOptions' => [
+ *         'Cipher' => 'gcm',
+ *         'KeySize' => 256,
+ *     ],
+ *     '@KmsEncryptionContext' => ['foo' => 'bar'],
+ *     'Bucket' => 'your-bucket',
+ *     'Key' => 'your-key',
+ *     'Body' => 'your-encrypted-data',
+ * ]);
+ * </code>
+ *
+ * Example read call (using objects from previous example):
+ *
+ * <code>
+ * $encryptionClient->getObject([
+ *     '@MaterialsProvider' => $materialsProvider,
+ *     '@CipherOptions' => [
+ *         'Cipher' => 'gcm',
+ *         'KeySize' => 256,
+ *     ],
+ *     'Bucket' => 'your-bucket',
+ *     'Key' => 'your-key',
+ * ]);
+ * </code>
+ */
+class S3EncryptionClientV2 extends AbstractCryptoClientV2
+{
+    use CipherBuilderTrait;
+    use CryptoParamsTraitV2;
+    use DecryptionTraitV2;
+    use EncryptionTraitV2;
+    use UserAgentTrait;
+    const CRYPTO_VERSION = '2.1';
+    private $client;
+    private $instructionFileSuffix;
+    private $legacyWarningCount;
+    /**
+     * @param S3Client $client The S3Client to be used for true uploading and
+     *                         retrieving objects from S3 when using the
+     *                         encryption client.
+     * @param string|null $instructionFileSuffix Suffix for a client wide
+     *                                           default when using instruction
+     *                                           files for metadata storage.
+     */
+    public function __construct(S3Client $client, $instructionFileSuffix = null)
+    {
+        $this->appendUserAgent($client, 'feat/s3-encrypt/' . self::CRYPTO_VERSION);
+        $this->client = $client;
+        $this->instructionFileSuffix = $instructionFileSuffix;
+        $this->legacyWarningCount = 0;
+    }
+    private static function getDefaultStrategy()
+    {
+        return new HeadersMetadataStrategy();
+    }
+    /**
+     * Encrypts the data in the 'Body' field of $args and promises to upload it
+     * to the specified location on S3.
+     *
+     * Note that for PHP versions of < 7.1, this operation uses an AES-GCM
+     * polyfill for encryption since there is no native PHP support. The
+     * performance for large inputs will be a lot slower than for PHP 7.1+, so
+     * upgrading older PHP version environments may be necessary to use this
+     * effectively.
+     *
+     * @param array $args Arguments for encrypting an object and uploading it
+     *                    to S3 via PutObject.
+     *
+     * The required configuration arguments are as follows:
+     *
+     * - @MaterialsProvider: (MaterialsProviderV2) Provides Cek, Iv, and Cek
+     *   encrypting/decrypting for encryption metadata.
+     * - @CipherOptions: (array) Cipher options for encrypting data. Only the
+     *   Cipher option is required. Accepts the following:
+     *       - Cipher: (string) gcm
+     *            See also: AbstractCryptoClientV2::$supportedCiphers
+     *       - KeySize: (int) 128|256
+     *            See also: MaterialsProvider::$supportedKeySizes
+     *       - Aad: (string) Additional authentication data. This option is
+     *            passed directly to OpenSSL when using gcm. Note if you pass in
+     *            Aad, the PHP SDK will be able to decrypt the resulting object,
+     *            but other AWS SDKs may not be able to do so.
+     * - @KmsEncryptionContext: (array) Only required if using
+     *   KmsMaterialsProviderV2. An associative array of key-value
+     *   pairs to be added to the encryption context for KMS key encryption. An
+     *   empty array may be passed if no additional context is desired.
+     *
+     * The optional configuration arguments are as follows:
+     *
+     * - @MetadataStrategy: (MetadataStrategy|string|null) Strategy for storing
+     *   MetadataEnvelope information. Defaults to using a
+     *   HeadersMetadataStrategy. Can either be a class implementing
+     *   MetadataStrategy, a class name of a predefined strategy, or empty/null
+     *   to default.
+     * - @InstructionFileSuffix: (string|null) Suffix used when writing to an
+     *   instruction file if using an InstructionFileMetadataHandler.
+     *
+     * @return PromiseInterface
+     *
+     * @throws \InvalidArgumentException Thrown when arguments above are not
+     *                                   passed or are passed incorrectly.
+     */
+    public function putObjectAsync(array $args)
+    {
+        $provider = $this->getMaterialsProvider($args);
+        unset($args['@MaterialsProvider']);
+        $instructionFileSuffix = $this->getInstructionFileSuffix($args);
+        unset($args['@InstructionFileSuffix']);
+        $strategy = $this->getMetadataStrategy($args, $instructionFileSuffix);
+        unset($args['@MetadataStrategy']);
+        $envelope = new MetadataEnvelope();
+        return Promise\Create::promiseFor($this->encrypt(Psr7\Utils::streamFor($args['Body']), $args, $provider, $envelope))->then(function ($encryptedBodyStream) use($args) {
+            $hash = new PhpHash('sha256');
+            $hashingEncryptedBodyStream = new HashingStream($encryptedBodyStream, $hash, self::getContentShaDecorator($args));
+            return [$hashingEncryptedBodyStream, $args];
+        })->then(function ($putObjectContents) use($strategy, $envelope) {
+            list($bodyStream, $args) = $putObjectContents;
+            if ($strategy === null) {
+                $strategy = self::getDefaultStrategy();
+            }
+            $updatedArgs = $strategy->save($envelope, $args);
+            $updatedArgs['Body'] = $bodyStream;
+            return $updatedArgs;
+        })->then(function ($args) {
+            unset($args['@CipherOptions']);
+            return $this->client->putObjectAsync($args);
+        });
+    }
+    private static function getContentShaDecorator(&$args)
+    {
+        return function ($hash) use(&$args) {
+            $args['ContentSHA256'] = \bin2hex($hash);
+        };
+    }
+    /**
+     * Encrypts the data in the 'Body' field of $args and uploads it to the
+     * specified location on S3.
+     *
+     * Note that for PHP versions of < 7.1, this operation uses an AES-GCM
+     * polyfill for encryption since there is no native PHP support. The
+     * performance for large inputs will be a lot slower than for PHP 7.1+, so
+     * upgrading older PHP version environments may be necessary to use this
+     * effectively.
+     *
+     * @param array $args Arguments for encrypting an object and uploading it
+     *                    to S3 via PutObject.
+     *
+     * The required configuration arguments are as follows:
+     *
+     * - @MaterialsProvider: (MaterialsProvider) Provides Cek, Iv, and Cek
+     *   encrypting/decrypting for encryption metadata.
+     * - @CipherOptions: (array) Cipher options for encrypting data. A Cipher
+     *   is required. Accepts the following options:
+     *       - Cipher: (string) gcm
+     *            See also: AbstractCryptoClientV2::$supportedCiphers
+     *       - KeySize: (int) 128|256
+     *            See also: MaterialsProvider::$supportedKeySizes
+     *       - Aad: (string) Additional authentication data. This option is
+     *            passed directly to OpenSSL when using gcm. Note if you pass in
+     *            Aad, the PHP SDK will be able to decrypt the resulting object,
+     *            but other AWS SDKs may not be able to do so.
+     * - @KmsEncryptionContext: (array) Only required if using
+     *   KmsMaterialsProviderV2. An associative array of key-value
+     *   pairs to be added to the encryption context for KMS key encryption. An
+     *   empty array may be passed if no additional context is desired.
+     *
+     * The optional configuration arguments are as follows:
+     *
+     * - @MetadataStrategy: (MetadataStrategy|string|null) Strategy for storing
+     *   MetadataEnvelope information. Defaults to using a
+     *   HeadersMetadataStrategy. Can either be a class implementing
+     *   MetadataStrategy, a class name of a predefined strategy, or empty/null
+     *   to default.
+     * - @InstructionFileSuffix: (string|null) Suffix used when writing to an
+     *   instruction file if an using an InstructionFileMetadataHandler was
+     *   determined.
+     *
+     * @return \Aws\Result PutObject call result with the details of uploading
+     *                     the encrypted file.
+     *
+     * @throws \InvalidArgumentException Thrown when arguments above are not
+     *                                   passed or are passed incorrectly.
+     */
+    public function putObject(array $args)
+    {
+        return $this->putObjectAsync($args)->wait();
+    }
+    /**
+     * Promises to retrieve an object from S3 and decrypt the data in the
+     * 'Body' field.
+     *
+     * @param array $args Arguments for retrieving an object from S3 via
+     *                    GetObject and decrypting it.
+     *
+     * The required configuration argument is as follows:
+     *
+     * - @MaterialsProvider: (MaterialsProviderInterface) Provides Cek, Iv, and Cek
+     *   encrypting/decrypting for decryption metadata. May have data loaded
+     *   from the MetadataEnvelope upon decryption.
+     * - @SecurityProfile: (string) Must be set to 'V2' or 'V2_AND_LEGACY'.
+     *      - 'V2' indicates that only objects encrypted with S3EncryptionClientV2
+     *        content encryption and key wrap schemas are able to be decrypted.
+     *      - 'V2_AND_LEGACY' indicates that objects encrypted with both
+     *        S3EncryptionClientV2 and older legacy encryption clients are able
+     *        to be decrypted.
+     *
+     * The optional configuration arguments are as follows:
+     *
+     * - SaveAs: (string) The path to a file on disk to save the decrypted
+     *   object data. This will be handled by file_put_contents instead of the
+     *   Guzzle sink.
+     *
+     * - @MetadataStrategy: (MetadataStrategy|string|null) Strategy for reading
+     *   MetadataEnvelope information. Defaults to determining based on object
+     *   response headers. Can either be a class implementing MetadataStrategy,
+     *   a class name of a predefined strategy, or empty/null to default.
+     * - @InstructionFileSuffix: (string) Suffix used when looking for an
+     *   instruction file if an InstructionFileMetadataHandler is being used.
+     * - @CipherOptions: (array) Cipher options for decrypting data. A Cipher
+     *   is required. Accepts the following options:
+     *       - Aad: (string) Additional authentication data. This option is
+     *            passed directly to OpenSSL when using gcm. It is ignored when
+     *            using cbc.
+     * - @KmsAllowDecryptWithAnyCmk: (bool) This allows decryption with
+     *   KMS materials for any KMS key ID, instead of needing the KMS key ID to
+     *   be specified and provided to the decrypt operation. Ignored for non-KMS
+     *   materials providers. Defaults to false.
+     *
+     * @return PromiseInterface
+     *
+     * @throws \InvalidArgumentException Thrown when required arguments are not
+     *                                   passed or are passed incorrectly.
+     */
+    public function getObjectAsync(array $args)
+    {
+        $provider = $this->getMaterialsProvider($args);
+        unset($args['@MaterialsProvider']);
+        $instructionFileSuffix = $this->getInstructionFileSuffix($args);
+        unset($args['@InstructionFileSuffix']);
+        $strategy = $this->getMetadataStrategy($args, $instructionFileSuffix);
+        unset($args['@MetadataStrategy']);
+        if (!isset($args['@SecurityProfile']) || !\in_array($args['@SecurityProfile'], self::$supportedSecurityProfiles)) {
+            throw new CryptoException("@SecurityProfile is required and must be" . " set to 'V2' or 'V2_AND_LEGACY'");
+        }
+        // Only throw this legacy warning once per client
+        if (\in_array($args['@SecurityProfile'], self::$legacySecurityProfiles) && $this->legacyWarningCount < 1) {
+            $this->legacyWarningCount++;
+            \trigger_error("This S3 Encryption Client operation is configured to" . " read encrypted data with legacy encryption modes. If you" . " don't have objects encrypted with these legacy modes," . " you should disable support for them to enhance security. ", \E_USER_WARNING);
+        }
+        $saveAs = null;
+        if (!empty($args['SaveAs'])) {
+            $saveAs = $args['SaveAs'];
+        }
+        $promise = $this->client->getObjectAsync($args)->then(function ($result) use($provider, $instructionFileSuffix, $strategy, $args) {
+            if ($strategy === null) {
+                $strategy = $this->determineGetObjectStrategy($result, $instructionFileSuffix);
+            }
+            $envelope = $strategy->load($args + ['Metadata' => $result['Metadata']]);
+            $result['Body'] = $this->decrypt($result['Body'], $provider, $envelope, $args);
+            return $result;
+        })->then(function ($result) use($saveAs) {
+            if (!empty($saveAs)) {
+                \file_put_contents($saveAs, (string) $result['Body'], \LOCK_EX);
+            }
+            return $result;
+        });
+        return $promise;
+    }
+    /**
+     * Retrieves an object from S3 and decrypts the data in the 'Body' field.
+     *
+     * @param array $args Arguments for retrieving an object from S3 via
+     *                    GetObject and decrypting it.
+     *
+     * The required configuration argument is as follows:
+     *
+     * - @MaterialsProvider: (MaterialsProviderInterface) Provides Cek, Iv, and Cek
+     *   encrypting/decrypting for decryption metadata. May have data loaded
+     *   from the MetadataEnvelope upon decryption.
+     * - @SecurityProfile: (string) Must be set to 'V2' or 'V2_AND_LEGACY'.
+     *      - 'V2' indicates that only objects encrypted with S3EncryptionClientV2
+     *        content encryption and key wrap schemas are able to be decrypted.
+     *      - 'V2_AND_LEGACY' indicates that objects encrypted with both
+     *        S3EncryptionClientV2 and older legacy encryption clients are able
+     *        to be decrypted.
+     *
+     * The optional configuration arguments are as follows:
+     *
+     * - SaveAs: (string) The path to a file on disk to save the decrypted
+     *   object data. This will be handled by file_put_contents instead of the
+     *   Guzzle sink.
+     * - @InstructionFileSuffix: (string|null) Suffix used when looking for an
+     *   instruction file if an InstructionFileMetadataHandler was detected.
+     * - @CipherOptions: (array) Cipher options for encrypting data. A Cipher
+     *   is required. Accepts the following options:
+     *       - Aad: (string) Additional authentication data. This option is
+     *            passed directly to OpenSSL when using gcm. It is ignored when
+     *            using cbc.
+     * - @KmsAllowDecryptWithAnyCmk: (bool) This allows decryption with
+     *   KMS materials for any KMS key ID, instead of needing the KMS key ID to
+     *   be specified and provided to the decrypt operation. Ignored for non-KMS
+     *   materials providers. Defaults to false.
+     *
+     * @return \Aws\Result GetObject call result with the 'Body' field
+     *                     wrapped in a decryption stream with its metadata
+     *                     information.
+     *
+     * @throws \InvalidArgumentException Thrown when arguments above are not
+     *                                   passed or are passed incorrectly.
+     */
+    public function getObject(array $args)
+    {
+        return $this->getObjectAsync($args)->wait();
+    }
+}