m

rishav-karanjit · rishav-karanjit · commit 0a5be43d1e76 · 2026-05-20T10:03:16.000-07:00
diff --git a/src/test/java/software/amazon/encryption/s3/S3AsyncEncryptionClientTest.java b/src/test/java/software/amazon/encryption/s3/S3AsyncEncryptionClientTest.java
@@ -46,13 +46,15 @@
 import software.amazon.awssdk.services.s3.multipart.MultipartConfiguration;
 import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
 import software.amazon.encryption.s3.internal.InstructionFileConfig;
+import software.amazon.encryption.s3.materials.AesKeyring;
 import software.amazon.encryption.s3.materials.KmsKeyring;
 import software.amazon.encryption.s3.utils.BoundedInputStream;
 import software.amazon.encryption.s3.utils.S3EncryptionClientTestResources;
 import software.amazon.encryption.s3.utils.TinyBufferAsyncRequestBody;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;
@@ -349,6 +351,30 @@ public void asyncTopLevelConfigurationWrongRegion() {
         }
     }
 
+    @RetryingTest(3)
+    public void roundTripWithCrossRegionAccessEnabled() {
+        final String objectKey = appendTestSuffix("roundTripWithCrossRegionAccessEnabled-async-s3ec");
+        SecretKeySpec aesKey = new SecretKeySpec(new byte[32], "AES");
+        AesKeyring keyRing = AesKeyring.builder().wrappingKey(aesKey).build();
+
+        S3AsyncClient s3Client = S3AsyncEncryptionClient.builderV4()
+                .region(Region.EU_CENTRAL_1)
+                .crossRegionAccessEnabled(true)
+                .keyring(keyRing)
+                .build();
+
+        try {
+            PutObjectRequest request = PutObjectRequest.builder().bucket(BUCKET).key(objectKey).build();
+            S3EncryptionClientException ex = assertThrows(S3EncryptionClientException.class, () ->
+                    s3Client.putObject(request, AsyncRequestBody.fromBytes("test".getBytes())).join());
+            // Cross-region redirect causes the SDK to re-subscribe to the request body.
+            // NoRetriesAsyncRequestBody blocks this to prevent GCM cipher key/IV reuse.
+            assertTrue(ex.getMessage().contains("Re-subscription is not supported"));
+        } finally {
+            s3Client.close();
+        }
+    }
+
     @RetryingTest(3)
     public void asyncTopLevelConfigurationNullCreds() {
         final String objectKey = appendTestSuffix("wrapped-s3-client-with-null-credentials-async");
diff --git a/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java b/src/test/java/software/amazon/encryption/s3/S3EncryptionClientTest.java
@@ -967,9 +967,9 @@ public void s3EncryptionClientTopLevelCredentialsWrongRegion() {
         }
     }
 
-    @Test
-    public void crossRegionRoundTrip() {
-        final String objectKey = appendTestSuffix("cross-region-test");
+    @RetryingTest(3)
+    public void roundTripWithCrossRegionAccessEnabled() {
+        final String objectKey = appendTestSuffix("roundTripWithCrossRegionAccessEnabled-sync-s3ec");
         SecretKeySpec aesKey = new SecretKeySpec(new byte[32], "AES");
         AesKeyring keyRing = AesKeyring.builder().wrappingKey(aesKey).build();
 

Original file line number	Diff line number	Diff line change
`@@ -967,9 +967,9 @@ public void s3EncryptionClientTopLevelCredentialsWrongRegion() {`
`967`	`967`	`}`
`968`	`968`	`}`
`969`	`969`
`970`		`- @Test`
`971`		`- public void crossRegionRoundTrip() {`
`972`		`- final String objectKey = appendTestSuffix("cross-region-test");`
	`970`	`+ @RetryingTest(3)`
	`971`	`+ public void roundTripWithCrossRegionAccessEnabled() {`
	`972`	`+ final String objectKey = appendTestSuffix("roundTripWithCrossRegionAccessEnabled-sync-s3ec");`
`973`	`973`	`SecretKeySpec aesKey = new SecretKeySpec(new byte[32], "AES");`
`974`	`974`	`AesKeyring keyRing = AesKeyring.builder().wrappingKey(aesKey).build();`
`975`	`975`