Fixes #465 (#466)

* Fixes #465

* Added more tests and allow mode config with integration tests

Author: dekobon

CHANGELOG.md

@@ -3,6 +3,11 @@ All notable changes to this project will be documented in this file.
 This project aims to adhere to [Semantic Versioning](http://semver.org/).
 
 ## [3.3.1] -
+### Added
+ - [Allow for authentication to be disabled in CSE](https://github.com/joyent/java-manta/issues/465)
+   Client side encryption HMAC authentication of ciphertext for CTR/CBC ciphers
+   can now be disabled. The default authentication mode continues to be
+   Mandatory.
 ### Changed
  - [Deprecate Jobs Multipart implementation and disable integration tests](https://github.com/joyent/java-manta/issues/459)
 ### Fixed

USAGE.md

@@ -199,7 +199,7 @@ Note: Dynamic Updates marked with an asterisk (*) are enabled by the `AuthAwareC
     encryption is enabled.
 * `manta.encryption_auth_mode` (**MANTA_ENCRYPTION_AUTH_MODE**)
     [EncryptionAuthenticationMode](/java-manta-client-unshaded/src/main/java/com/joyent/manta/config/EncryptionAuthenticationMode.java)
-    enum type indicating that authenticating encryption verification is either Mandatory or Optional.
+    enum type indicating that authenticating encryption verification is either `Mandatory`, `Optional` or `Disabled`.
 * `manta.encryption_key_path` (**MANTA_ENCRYPTION_KEY_PATH**)
     The path on the local filesystem or a URI understandable by the JVM indicating the
     location of the private key used to perform client-side encryption. If this value is

java-manta-client-unshaded/src/main/java/com/joyent/manta/config/EncryptionAuthenticationMode.java

@@ -26,7 +26,13 @@ public enum EncryptionAuthenticationMode {
      * {@link com.joyent.manta.exception.UnauthenticatableOperationException}
      * exception.
      */
-    Mandatory;
+    Mandatory,
+
+    /**
+     * Disabled mode will disable ciphertext verification upon decryption.
+     * HMACs will still be created when encrypting.
+     */
+    Disabled;
 
     /**
      * The default encryption object authentication mode (Mandatory).

java-manta-client-unshaded/src/main/java/com/joyent/manta/http/EncryptionHttpHelper.java

@@ -281,6 +281,12 @@ public MantaObjectInputStream httpRequestAsInputStream(final HttpUriRequest requ
             throws IOException {
         final boolean hasRangeRequest = requestHeaders != null && requestHeaders.getRange() != null;
 
+        /* Errors when we attempt to do an HTTP range request when authentication
+         * mode is set to Mandatory because HTTP range requests will only work
+         * with authentication disabled. When you do a range request, it gets
+         * arbitrary bytes from the ciphertext of the source object which means
+         * that you will not be able to verify the ciphertext using the HMAC
+         * because you don't have all of the bytes available. */
         if (hasRangeRequest && encryptionAuthenticationMode.equals(EncryptionAuthenticationMode.Mandatory)) {
             String msg = "HTTP range requests (random reads) aren't supported when using "
                     + "client-side encryption in mandatory authentication mode.";
@@ -373,8 +379,12 @@ public MantaObjectInputStream httpRequestAsInputStream(final HttpUriRequest requ
             return new MantaEncryptedObjectInputStream(rawStream, this.cipherDetails,
                     secretKey, false, initialSkipBytes, plaintextRangeLength, unboundedEnd);
         } else {
+            /* We skip authentication on the ciphertext only when it is explicitly
+             * disabled. For the Mandatory and Optional modes, it is enabled. */
+            final boolean authenticateCiphertext =
+                    !encryptionAuthenticationMode.equals(EncryptionAuthenticationMode.Disabled);
             return new MantaEncryptedObjectInputStream(rawStream, this.cipherDetails,
-                    secretKey, true);
+                    secretKey, authenticateCiphertext);
         }
     }
 

java-manta-client-unshaded/src/test/java/com/joyent/manta/config/SystemSettingsConfigContextTest.java

@@ -110,4 +110,49 @@ public void verifyEmbeddedKeyOverwritesDefaultKeyPath() {
         assertEquals(config.getMantaUser(), user);
         assertNull(config.getMantaKeyPath());
     }
+
+    public void authenticationModeCanBeSetToMandatory() {
+        final String input = "Mandatory";
+        final EncryptionAuthenticationMode expected = EncryptionAuthenticationMode.Mandatory;
+
+        final Properties properties = new Properties();
+        properties.setProperty(MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY, input);
+        final SystemSettingsConfigContext instance = new SystemSettingsConfigContext(
+                false, properties);
+
+        final EncryptionAuthenticationMode actual = instance.getEncryptionAuthenticationMode();
+        Assert.assertEquals(actual, expected, String.format(
+                "[%s] set for [%s] didn't set the authentication mode correctly",
+                input, MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY));
+    }
+
+    public void authenticationModeCanBeSetToOptional() {
+        final String input = "Optional";
+        final EncryptionAuthenticationMode expected = EncryptionAuthenticationMode.Optional;
+
+        final Properties properties = new Properties();
+        properties.setProperty(MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY, input);
+        final SystemSettingsConfigContext instance = new SystemSettingsConfigContext(
+                false, properties);
+
+        final EncryptionAuthenticationMode actual = instance.getEncryptionAuthenticationMode();
+        Assert.assertEquals(actual, expected, String.format(
+                "[%s] set for [%s] didn't set the authentication mode correctly",
+                input, MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY));
+    }
+
+    public void authenticationModeCanBeSetToDisabled() {
+        final String input = "Disabled";
+        final EncryptionAuthenticationMode expected = EncryptionAuthenticationMode.Disabled;
+
+        final Properties properties = new Properties();
+        properties.setProperty(MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY, input);
+        final SystemSettingsConfigContext instance = new SystemSettingsConfigContext(
+                false, properties);
+
+        final EncryptionAuthenticationMode actual = instance.getEncryptionAuthenticationMode();
+        Assert.assertEquals(actual, expected, String.format(
+                "[%s] set for [%s] didn't set the authentication mode correctly",
+                input, MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY));
+    }
 }

java-manta-it/src/test/java/com/joyent/manta/config/IntegrationTestConfigContext.java

@@ -11,13 +11,14 @@
 import com.joyent.manta.client.crypto.SecretKeyUtils;
 import com.joyent.manta.client.crypto.SupportedCipherDetails;
 import com.joyent.manta.client.crypto.SupportedCiphersLookupMap;
+import com.joyent.manta.util.MantaUtils;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.ObjectUtils;
 
+import javax.crypto.SecretKey;
 import java.io.IOException;
 import java.util.Base64;
 import java.util.UUID;
-import javax.crypto.SecretKey;
 
 
 /**
@@ -68,7 +69,12 @@ private static <T> SettableConfigContext<T> enableTestEncryption(
         if (usingEncryption) {
             context.setClientEncryptionEnabled(true);
             context.setEncryptionKeyId("integration-test-key");
-            context.setEncryptionAuthenticationMode(EncryptionAuthenticationMode.Optional);
+
+            EncryptionAuthenticationMode envSettingsMode = MantaUtils.parseEnumOrNull(
+                    encryptionAuthenticationMode(), EncryptionAuthenticationMode.class);
+
+            context.setEncryptionAuthenticationMode(ObjectUtils.firstNonNull(
+                    envSettingsMode, EncryptionAuthenticationMode.Optional));
 
             SupportedCipherDetails cipherDetails = SupportedCiphersLookupMap.INSTANCE.getOrDefault(encryptionCipher,
                     DefaultsConfigContext.DEFAULT_CIPHER);
@@ -98,6 +104,13 @@ public static String encryptionCipher() {
         return sysProp != null ? sysProp : envVar;
     }
 
+    public static String encryptionAuthenticationMode() {
+        String sysProp = System.getProperty(MapConfigContext.MANTA_ENCRYPTION_AUTHENTICATION_MODE_KEY);
+        String envVar = System.getenv(EnvVarConfigContext.MANTA_ENCRYPTION_AUTHENTICATION_MODE_ENV_KEY);
+
+        return sysProp != null ? sysProp : envVar;
+    }
+
     public static String generateSuiteBasePath(final ConfigContext config) {
         final String integrationTestBase = ObjectUtils.firstNonNull(
                 System.getenv("MANTA_IT_PATH"),