From 5a0fa34d4e0b7eed6ee4208d2c306160a2267633 Mon Sep 17 00:00:00 2001
From: Andy Jewell
Date: Tue, 25 Nov 2025 16:01:07 -0500
Subject: [PATCH] Add migration example

---
 all-examples/cpp/main.cpp | 80 +++++++++++++++++++++++++++++++++++---
 1 file changed, 72 insertions(+), 8 deletions(-)

diff --git a/all-examples/cpp/main.cpp b/all-examples/cpp/main.cpp
index db8627d7..30cb2b8d 100644
--- a/all-examples/cpp/main.cpp
+++ b/all-examples/cpp/main.cpp
@@ -1,15 +1,7 @@
-#include
-#include
-#include
 #include
 #include
 #include
 #include
-#include
-
-#include
-#include
-#include
 
 using namespace Aws::S3Encryption;
 using Aws::S3Encryption::Materials::KMSWithContextEncryptionMaterials;
@@ -23,6 +15,78 @@ static Aws::Map get_encryption_context(const char * ve
 };
 }
 
+static int test_migration(const char *bucket, const char *object, const char *kms_key_id, const char *region)
+{
+ Aws::Client::ClientConfiguration s3ClientConfig;
+ s3ClientConfig.region = region;
+
+ auto materials = std::make_shared(kms_key_id, s3ClientConfig);
+ CryptoConfigurationV3 config(materials);
+
+ // STEP 1: Upgrade to V3 client to prepare to read messages with commitment.
+ // You want to update your readers before you update your writers
+ config.SetCommitmentPolicy(CommitmentPolicy::FORBID_ENCRYPT_ALLOW_DECRYPT);
+ auto client = std::make_shared(config, s3ClientConfig);
+
+ auto encryption_context = get_encryption_context("V3");
+
+ // Put Object - writes objects WITHOUT commitment
+ Aws::S3::Model::PutObjectRequest put_request;
+ put_request.SetBucket(bucket);
+ put_request.SetKey(object);
+
+ auto data = std::string("This is the sample content.");
+
+ auto stream = std::make_shared(data);
+ put_request.SetBody(stream);
+
+ // Put Object - writes objects WITHOUT commitment
+ auto put_outcome = client->PutObject(put_request, encryption_context);
+ assert(put_outcome.IsSuccess());
+
+ Aws::S3::Model::GetObjectRequest get_request;
+ get_request.SetBucket(bucket);
+ get_request.SetKey(object);
+
+ // Get Object - can read objects with or without commitment
+ auto get_outcome = client->GetObject(get_request, encryption_context);
+ assert(get_outcome.IsSuccess());
+
+ // STEP 2: If all of the readers can read with or without commitment
+ // you can upgrade the commitment policy to write objects with commitment
+ config.SetCommitmentPolicy(CommitmentPolicy::REQUIRE_ENCRYPT_ALLOW_DECRYPT);
+ client = std::make_shared(config, s3ClientConfig);
+
+ stream = std::make_shared(data);
+ put_request.SetBody(stream);
+
+ // Put Object - writes objects WITH commitment
+ put_outcome = client->PutObject(put_request, encryption_context);
+ assert(put_outcome.IsSuccess());
+
+ // Get Object - can read objects with or without commitment
+ get_outcome = client->GetObject(get_request, encryption_context);
+ assert(get_outcome.IsSuccess());
+
+ // STEP 3: Once your system no longer has to read messages without commitment,
+ // you may update your client to only read messages written with key commitment
+ config.SetCommitmentPolicy(CommitmentPolicy::REQUIRE_ENCRYPT_REQUIRE_DECRYPT);
+ client = std::make_shared(config, s3ClientConfig);
+
+ stream = std::make_shared(data);
+ put_request.SetBody(stream);
+
+ // Put Object - writes objects WITH commitment
+ put_outcome = client->PutObject(put_request, encryption_context);
+ assert(put_outcome.IsSuccess());
+
+ // Get Object - can only read objects with commitment
+ get_outcome = client->GetObject(get_request, encryption_context);
+ assert(get_outcome.IsSuccess());
+
+ return 0;
+}
+
 static int test_v3(const char *bucket, const char *object, const char *kms_key_id, const char *region)
 {
 Aws::Client::ClientConfiguration s3ClientConfig;
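Review bot: All six outcome checks in test_migration are `assert(...IsSuccess())`, so a build with NDEBUG defined compiles them out and the function returns 0 even when a put or a decrypt fails; in an example people will copy to validate a key-commitment rollout, each should be a real branch such as `if (!get_outcome.IsSuccess()) return 1;`. The three steps also reuse the same `put_request`/`get_request` key, so every GetObject only reads back the object that the same client just wrote. Step 2 therefore never reads the Step 1 object written without commitment, and Step 3 never shows that such an object is refused under `REQUIRE_ENCRYPT_REQUIRE_DECRYPT`, which is what its comment says. Keeping the Step 1 object under its own key, reading it again in Step 2 and expecting that read to fail in Step 3 would exercise the behaviour the comments describe. The decrypted body is also never compared with `data`, so a successful outcome is the only thing verified.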