Fix encrypted file downloads and adds encryption key rotation (GoogleCloudPlatform#257)

* fixes encrypted file downloads in storage sample
* adds encryption key rotation

Author: bshaffer

storage/api/composer.json

@@ -1,6 +1,6 @@
 {
     "require": {
-        "google/cloud": "0.9",
+        "google/cloud": "^0.13",
         "paragonie/random_compat": "^2.0",
         "symfony/console": " ^3.0"
     },

storage/api/composer.lock

@@ -70,6 +70,12 @@ protected function configure()
                 InputOption::VALUE_REQUIRED,
                 'Supply your encryption key'
             )
+            ->addOption(
+                'rotate-key',
+                null,
+                InputOption::VALUE_REQUIRED,
+                'Supply a new encryption key'
+            )
             ->addOption(
                 'generate-key',
                 null,
@@ -92,11 +98,16 @@ protected function execute(InputInterface $input, OutputInterface $output)
                     upload_encrypted_object($bucketName, $objectName, $source, $encryptionKey);
                 } elseif ($destination = $input->getOption('download-to')) {
                     download_encrypted_object($bucketName, $objectName, $destination, $encryptionKey);
+                } elseif ($rotateKey = $input->getOption('rotate-key')) {
+                    if (is_null($encryptionKey)) {
+                        throw new \Exception('--key is required when using --rotate-key');
+                    }
+                    rotate_encryption_key($bucketName, $objectName, $encryptionKey, $rotateKey);
                 } else {
-                    throw new \Exception('supply either --upload-from or --download-to');
+                    throw new \Exception('Supply --rotate-key, --upload-from or --download-to');
                 }
             } else {
-                throw new \Exception('Supply a bucket, object and --key OR --generate-key');
+                throw new \Exception('Supply a bucket and object OR --generate-key');
             }
         }
     }

storage/api/src/EncryptionCommand.php

@@ -32,12 +32,13 @@
  * @param string $bucketName the name of your Google Cloud bucket.
  * @param string $objectName the name of your Google Cloud object.
  * @param string $destination the local destination to save the encrypted file.
- * @param string $encryptionKey the encryption key.
+ * @param string $base64EncryptionKey the base64 encoded encryption key.
  *
  * @return void
  */
-function download_encrypted_object($bucketName, $objectName, $destination, $encryptionKey)
+function download_encrypted_object($bucketName, $objectName, $destination, $base64EncryptionKey)
 {
+    $encryptionKey = base64_decode($base64EncryptionKey);
     $storage = new StorageClient();
     $bucket = $storage->bucket($bucketName);
     $object = $bucket->object($objectName);

storage/api/src/functions/download_encrypted_object.php

@@ -26,7 +26,7 @@
 # [START generate_encryption_key]
 
 /**
- * Generate an encryption key for Google Cloud Storage.
+ * Generate a base64 encoded encryption key for Google Cloud Storage.
  *
  * @return void
  */

storage/api/src/functions/generate_encryption_key.php

@@ -23,19 +23,38 @@
 
 namespace Google\Cloud\Samples\Storage;
 
-use Exception;
-
 # [START rotate_encryption_key]
+use Google\Cloud\Storage\StorageClient;
 
 /**
- * Rotate your encryption keys
+ * Change the encryption key used to store an existing object.
  *
- * @param string $encryptionKey the encryption key to rotate.
+ * @param string $bucketName the name of your Google Cloud bucket.
+ * @param string $objectName the name of your Google Cloud object.
+ * @param string $base64EncryptionKey the base64 encoded encryption key.
+ * @param string $newBase64EncryptionKey the new base64 encoded encryption key.
  *
  * @return void
  */
-function rotate_encryption_key($encryptionKey)
-{
-    throw new Exception('This is currently not available using the Cloud Client Library.');
+function rotate_encryption_key(
+    $bucketName,
+    $objectName,
+    $base64EncryptionKey,
+    $newBase64EncryptionKey
+) {
+    $encryptionKey = base64_decode($base64EncryptionKey);
+    $newEncryptionKey = base64_decode($newBase64EncryptionKey);
+    $storage = new StorageClient();
+    $object = $storage->bucket($bucketName)->object($objectName);
+
+    $rewrittenObject = $object->rewrite($bucketName, [
+        'encryptionKey' => $encryptionKey,
+        'encryptionKeySHA256' => hash('SHA256', $encryptionKey, true),
+        'destinationEncryptionKey' => $newEncryptionKey,
+        'destinationEncryptionKeySHA256' => hash('SHA256', $newEncryptionKey, true),
+    ]);
+
+    printf('Rotated encryption key for object gs://%s/%s' . PHP_EOL,
+        $bucketName, $objectName);
 }
 # [END rotate_encryption_key]