diff --git a/apache-nifi.yaml b/apache-nifi.yaml index cbb2acf8838..b50f0832a43 100644 --- a/apache-nifi.yaml +++ b/apache-nifi.yaml @@ -1,7 +1,7 @@ package: name: apache-nifi version: "2.7.2" - epoch: 1 # GHSA-3677-xxcr-wjqv + epoch: 2 # GHSA-x44p-gvrj-pj2r description: Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data. copyright: - license: Apache-2.0 @@ -52,6 +52,11 @@ pipeline: tag: rel/nifi-${{package.version}} expected-commit: 098c97460988449ef4fba5508a83b20cc65ce9ab + - uses: patch + with: + patches: | + GHSA-x44p-gvrj-pj2r.patch + - uses: maven/pombump with: patch-file: pombump-deps.yaml diff --git a/apache-nifi/GHSA-x44p-gvrj-pj2r.patch b/apache-nifi/GHSA-x44p-gvrj-pj2r.patch new file mode 100644 index 00000000000..e1d2405a2a3 --- /dev/null +++ b/apache-nifi/GHSA-x44p-gvrj-pj2r.patch @@ -0,0 +1,428 @@ +From 3c52bed1b42a2386eae5fd56a9dc432c6ea8fe53 Mon Sep 17 00:00:00 2001 +From: Pierre Villard +Date: Mon, 22 Dec 2025 16:15:16 +0100 +Subject: [PATCH] NIFI-15359 Upgraded S3 Encryption Client from 3.6.0 to 4.0.0 + (#10659) + +- Added Commitment Policy property with secure default value requiring key-committing algorithm + +Signed-off-by: David Handermann +--- + .../ClientSideCEncryptionStrategy.java | 5 +- + .../ClientSideKMSEncryptionStrategy.java | 5 +- + .../S3EncryptionCommitmentPolicy.java | 74 +++++++++++++++++++ + .../s3/encryption/S3EncryptionKeySpec.java | 5 +- + .../StandardS3EncryptionService.java | 64 ++++++++++++---- + .../s3/encryption/S3EncryptionTestUtil.java | 7 +- + ...tSideCEncryptionStrategyKeyValidation.java | 6 +- + .../TestS3EncryptionStrategies.java | 9 ++- + ...rSideCEncryptionStrategyKeyValidation.java | 6 +- + .../TestStandardS3EncryptionService.java | 3 +- + pom.xml | 2 +- + 11 files changed, 152 insertions(+), 34 deletions(-) + create mode 100644 nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionCommitmentPolicy.java + +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideCEncryptionStrategy.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideCEncryptionStrategy.java +index 08222f9449e2..3243d568ac81 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideCEncryptionStrategy.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideCEncryptionStrategy.java +@@ -41,8 +41,9 @@ public S3EncryptionClient.Builder createEncryptionClientBuilder(S3EncryptionKeyS + final byte[] keyMaterial = Base64.decodeBase64(keySpec.material()); + final SecretKeySpec symmetricKey = new SecretKeySpec(keyMaterial, "AES"); + +- return S3EncryptionClient.builder() +- .aesKey(symmetricKey); ++ return S3EncryptionClient.builderV4() ++ .aesKey(symmetricKey) ++ .commitmentPolicy(keySpec.commitmentPolicy()); + } + + @Override +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideKMSEncryptionStrategy.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideKMSEncryptionStrategy.java +index 3cac483b5c92..364eaa8c2d11 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideKMSEncryptionStrategy.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/ClientSideKMSEncryptionStrategy.java +@@ -30,8 +30,9 @@ + public class ClientSideKMSEncryptionStrategy implements S3EncryptionStrategy { + @Override + public S3EncryptionClient.Builder createEncryptionClientBuilder(S3EncryptionKeySpec keySpec) { +- return S3EncryptionClient.builder() +- .kmsKeyId(keySpec.kmsId()); ++ return S3EncryptionClient.builderV4() ++ .kmsKeyId(keySpec.kmsId()) ++ .commitmentPolicy(keySpec.commitmentPolicy()); + } + + @Override +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionCommitmentPolicy.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionCommitmentPolicy.java +new file mode 100644 +index 000000000000..1cc869313270 +--- /dev/null ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionCommitmentPolicy.java +@@ -0,0 +1,74 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.nifi.processors.aws.s3.encryption; ++ ++import org.apache.nifi.components.DescribedValue; ++import software.amazon.encryption.s3.CommitmentPolicy; ++ ++/** ++ * Enumeration of supported S3 Encryption Commitment Policies ++ */ ++public enum S3EncryptionCommitmentPolicy implements DescribedValue { ++ REQUIRE_ENCRYPT_REQUIRE_DECRYPT( ++ "Require Encrypt Require Decrypt", ++ "Requires key-committing algorithm suites for both encryption and decryption. " + ++ "This is the most secure option but will not decrypt data encrypted with older non-key-committing algorithms.", ++ CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ++ ), ++ REQUIRE_ENCRYPT_ALLOW_DECRYPT( ++ "Require Encrypt Allow Decrypt", ++ "Requires key-committing algorithm suites for encryption, but allows decryption of data encrypted with " + ++ "either key-committing or non-key-committing algorithms. Use this during migration from older encryption.", ++ CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT ++ ), ++ FORBID_ENCRYPT_ALLOW_DECRYPT( ++ "Forbid Encrypt Allow Decrypt", ++ "Forbids encryption but allows decryption of data encrypted with either key-committing or non-key-committing algorithms. " + ++ "Use this for read-only access to legacy encrypted data.", ++ CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT ++ ); ++ ++ private final String displayName; ++ private final String description; ++ private final CommitmentPolicy commitmentPolicy; ++ ++ S3EncryptionCommitmentPolicy(final String displayName, final String description, final CommitmentPolicy commitmentPolicy) { ++ this.displayName = displayName; ++ this.description = description; ++ this.commitmentPolicy = commitmentPolicy; ++ } ++ ++ @Override ++ public String getValue() { ++ return name(); ++ } ++ ++ @Override ++ public String getDisplayName() { ++ return displayName; ++ } ++ ++ @Override ++ public String getDescription() { ++ return description; ++ } ++ ++ public CommitmentPolicy getCommitmentPolicy() { ++ return commitmentPolicy; ++ } ++} ++ +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionKeySpec.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionKeySpec.java +index 67ce0b4e56a0..ca0c4997db5b 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionKeySpec.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionKeySpec.java +@@ -16,12 +16,15 @@ + */ + package org.apache.nifi.processors.aws.s3.encryption; + ++import software.amazon.encryption.s3.CommitmentPolicy; ++ + /** + * Specifies key parameters used by different encryption strategies. + * + * @param kmsId the KMS ID of the key (used by SSE-KMS and CSE-KMS) + * @param material the key in Base64 encoded form (used by SSE-C and CSE-C) + * @param md5 the MD5 hash of the key in Base64 encoded form (used by SSE-C) ++ * @param commitmentPolicy the commitment policy for client-side encryption (used by CSE-KMS and CSE-C) + */ +-public record S3EncryptionKeySpec(String kmsId, String material, String md5) { ++public record S3EncryptionKeySpec(String kmsId, String material, String md5, CommitmentPolicy commitmentPolicy) { + } +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/StandardS3EncryptionService.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/StandardS3EncryptionService.java +index 41adfc0b2d3f..ca26d57d64f1 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/StandardS3EncryptionService.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/StandardS3EncryptionService.java +@@ -39,6 +39,7 @@ + import software.amazon.awssdk.services.s3.model.GetObjectRequest; + import software.amazon.awssdk.services.s3.model.PutObjectRequest; + import software.amazon.awssdk.services.s3.model.UploadPartRequest; ++import software.amazon.encryption.s3.CommitmentPolicy; + import software.amazon.encryption.s3.S3EncryptionClient; + + import java.security.MessageDigest; +@@ -113,10 +114,23 @@ STRATEGY_NAME_CSE_C, new ClientSideCEncryptionStrategy() + .dependsOn(ENCRYPTION_STRATEGY, SSE_C, CSE_C) + .build(); + ++ public static final PropertyDescriptor COMMITMENT_POLICY = new PropertyDescriptor.Builder() ++ .name("Commitment Policy") ++ .description("The commitment policy for client-side encryption. Key commitment ensures that the data key used for encryption is " + ++ "cryptographically bound to the ciphertext. This prevents certain types of attacks where an attacker could manipulate the ciphertext. " + ++ "When migrating from older encryption (pre-4.0.0 S3 Encryption Client), use 'Require Encrypt Allow Decrypt' to encrypt new data with " + ++ "key-committing algorithms while still being able to decrypt legacy data.") ++ .required(true) ++ .allowableValues(S3EncryptionCommitmentPolicy.class) ++ .defaultValue(S3EncryptionCommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) ++ .dependsOn(ENCRYPTION_STRATEGY, CSE_KMS, CSE_C) ++ .build(); ++ + private static final List PROPERTY_DESCRIPTORS = List.of( + ENCRYPTION_STRATEGY, + KMS_KEY_ID, +- KEY_MATERIAL ++ KEY_MATERIAL, ++ COMMITMENT_POLICY + ); + + private S3EncryptionKeySpec keySpec; +@@ -228,32 +242,50 @@ public String getStrategyDisplayName() { + } + + private S3EncryptionKeySpec createKeySpec(final PropertyContext context, final String encryptionStrategyName) { ++ final CommitmentPolicy commitmentPolicy = getCommitmentPolicy(context, encryptionStrategyName); ++ + switch (encryptionStrategyName) { + case STRATEGY_NAME_NONE: + case STRATEGY_NAME_SSE_S3: +- return new S3EncryptionKeySpec(null, null, null); ++ return new S3EncryptionKeySpec(null, null, null, null); + case STRATEGY_NAME_SSE_KMS: ++ final String sseKmsKeyId = context.getProperty(KMS_KEY_ID).evaluateAttributeExpressions().getValue(); ++ return new S3EncryptionKeySpec(sseKmsKeyId, null, null, null); + case STRATEGY_NAME_CSE_KMS: +- final String kmsKeyId = context.getProperty(KMS_KEY_ID).evaluateAttributeExpressions().getValue(); +- return new S3EncryptionKeySpec(kmsKeyId, null, null); ++ final String cseKmsKeyId = context.getProperty(KMS_KEY_ID).evaluateAttributeExpressions().getValue(); ++ return new S3EncryptionKeySpec(cseKmsKeyId, null, null, commitmentPolicy); + case STRATEGY_NAME_SSE_C: ++ final String sseKeyMaterial = context.getProperty(KEY_MATERIAL).evaluateAttributeExpressions().getValue(); ++ final String sseKeyMaterialMd5 = calculateMd5(sseKeyMaterial); ++ return new S3EncryptionKeySpec(null, sseKeyMaterial, sseKeyMaterialMd5, null); + case STRATEGY_NAME_CSE_C: +- final String keyMaterial = context.getProperty(KEY_MATERIAL).evaluateAttributeExpressions().getValue(); +- final String keyMaterialMd5; +- try { +- keyMaterialMd5 = Base64.getEncoder().encodeToString( +- MessageDigest.getInstance("MD5").digest( +- Base64.getDecoder().decode(keyMaterial) +- ) +- ); +- } catch (NoSuchAlgorithmException e) { +- throw new ProcessException("Failed to calculate MD5 hash for Key Material", e); +- } +- return new S3EncryptionKeySpec(null, keyMaterial, keyMaterialMd5); ++ final String cseKeyMaterial = context.getProperty(KEY_MATERIAL).evaluateAttributeExpressions().getValue(); ++ final String cseKeyMaterialMd5 = calculateMd5(cseKeyMaterial); ++ return new S3EncryptionKeySpec(null, cseKeyMaterial, cseKeyMaterialMd5, commitmentPolicy); + default: + throw new IllegalArgumentException("Unknown encryption strategy: " + encryptionStrategyName); + } + } ++ ++ private CommitmentPolicy getCommitmentPolicy(final PropertyContext context, final String encryptionStrategyName) { ++ if (STRATEGY_NAME_CSE_KMS.equals(encryptionStrategyName) || STRATEGY_NAME_CSE_C.equals(encryptionStrategyName)) { ++ final S3EncryptionCommitmentPolicy policy = context.getProperty(COMMITMENT_POLICY).asAllowableValue(S3EncryptionCommitmentPolicy.class); ++ return policy.getCommitmentPolicy(); ++ } ++ return null; ++ } ++ ++ private String calculateMd5(final String keyMaterial) { ++ try { ++ return Base64.getEncoder().encodeToString( ++ MessageDigest.getInstance("MD5").digest( ++ Base64.getDecoder().decode(keyMaterial) ++ ) ++ ); ++ } catch (NoSuchAlgorithmException e) { ++ throw new ProcessException("Failed to calculate MD5 hash for Key Material", e); ++ } ++ } + } + + +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionTestUtil.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionTestUtil.java +index 79aa75354b96..9d1bac577421 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionTestUtil.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/S3EncryptionTestUtil.java +@@ -17,6 +17,7 @@ + package org.apache.nifi.processors.aws.s3.encryption; + + import org.apache.commons.codec.binary.Base64; ++import software.amazon.encryption.s3.CommitmentPolicy; + + import java.security.MessageDigest; + import java.security.NoSuchAlgorithmException; +@@ -34,10 +35,14 @@ static String createCustomerKey(int keySize) { + } + + static S3EncryptionKeySpec createCustomerKeySpec(int keySize) { ++ return createCustomerKeySpec(keySize, null); ++ } ++ ++ static S3EncryptionKeySpec createCustomerKeySpec(int keySize, CommitmentPolicy commitmentPolicy) { + byte[] keyMaterial = createRawKey(keySize); + byte[] keyMaterialMd5 = md5(keyMaterial); + +- return new S3EncryptionKeySpec(null, base64Encode(keyMaterial), base64Encode(keyMaterialMd5)); ++ return new S3EncryptionKeySpec(null, base64Encode(keyMaterial), base64Encode(keyMaterialMd5), commitmentPolicy); + } + + private static byte[] createRawKey(int keySize) { +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestClientSideCEncryptionStrategyKeyValidation.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestClientSideCEncryptionStrategyKeyValidation.java +index b65a558559d3..eff534a210b3 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestClientSideCEncryptionStrategyKeyValidation.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestClientSideCEncryptionStrategyKeyValidation.java +@@ -71,7 +71,7 @@ public void testNotSupportedKeySize() { + + @Test + public void testNullKey() { +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, null, null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, null, null, null); + + ValidationResult result = strategy.validateKeySpec(keySpec); + +@@ -80,7 +80,7 @@ public void testNullKey() { + + @Test + public void testEmptyKey() { +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "", null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "", null, null); + + ValidationResult result = strategy.validateKeySpec(keySpec); + +@@ -89,7 +89,7 @@ public void testEmptyKey() { + + @Test + public void testNotBase64EncodedKey() { +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "NotBase64EncodedKey", null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "NotBase64EncodedKey", null, null); + + ValidationResult result = strategy.validateKeySpec(keySpec); + +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestS3EncryptionStrategies.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestS3EncryptionStrategies.java +index 9f1b7bd715f4..d749fb8b1daa 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestS3EncryptionStrategies.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestS3EncryptionStrategies.java +@@ -24,6 +24,7 @@ + import software.amazon.awssdk.services.s3.model.ServerSideEncryption; + import software.amazon.awssdk.services.s3.model.UploadPartRequest; + import software.amazon.encryption.s3.S3EncryptionClient; ++import software.amazon.encryption.s3.CommitmentPolicy; + + import static org.apache.nifi.processors.aws.s3.encryption.S3EncryptionTestUtil.createCustomerKeySpec; + import static org.junit.jupiter.api.Assertions.assertEquals; +@@ -50,7 +51,7 @@ public void setup() { + public void testClientSideCEncryptionStrategy() { + S3EncryptionStrategy strategy = new ClientSideCEncryptionStrategy(); + +- S3EncryptionKeySpec keySpec = createCustomerKeySpec(256); ++ S3EncryptionKeySpec keySpec = createCustomerKeySpec(256, CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT); + + // This shows that the strategy creates a client builder: + S3EncryptionClient.Builder builder = strategy.createEncryptionClientBuilder(keySpec); +@@ -68,7 +69,7 @@ public void testClientSideKMSEncryptionStrategy() { + S3EncryptionStrategy strategy = new ClientSideKMSEncryptionStrategy(); + + String keyId = "key-id"; +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(keyId, null, null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(keyId, null, null, CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT); + + // This shows that the strategy creates a client builder: + S3EncryptionClient.Builder builder = strategy.createEncryptionClientBuilder(keySpec); +@@ -129,7 +130,7 @@ public void testServerSideKMSEncryptionStrategy() { + S3EncryptionStrategy strategy = new ServerSideKMSEncryptionStrategy(); + + String keyId = "key-id"; +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(keyId, null, null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(keyId, null, null, null); + + // This shows that the strategy sets the SSE KMS key id as expected: + strategy.configurePutObjectRequest(putObjectRequestBuilder, keySpec); +@@ -159,7 +160,7 @@ public void testServerSideKMSEncryptionStrategy() { + public void testServerSideS3EncryptionStrategy() { + S3EncryptionStrategy strategy = new ServerSideS3EncryptionStrategy(); + +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, null, null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, null, null, null); + + // This shows that the strategy sets the SSE algorithm field as expected: + strategy.configurePutObjectRequest(putObjectRequestBuilder, keySpec); +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestServerSideCEncryptionStrategyKeyValidation.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestServerSideCEncryptionStrategyKeyValidation.java +index 7958482ec48d..a6790d7292f3 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestServerSideCEncryptionStrategyKeyValidation.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestServerSideCEncryptionStrategyKeyValidation.java +@@ -53,7 +53,7 @@ public void testNotSupportedKeySize() { + + @Test + public void testNullKey() { +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, null, null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, null, null, null); + + ValidationResult result = strategy.validateKeySpec(keySpec); + +@@ -62,7 +62,7 @@ public void testNullKey() { + + @Test + public void testEmptyKey() { +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "", null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "", null, null); + + ValidationResult result = strategy.validateKeySpec(keySpec); + +@@ -71,7 +71,7 @@ public void testEmptyKey() { + + @Test + public void testNotBase64EncodedKey() { +- S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "NotBase64EncodedKey", null); ++ S3EncryptionKeySpec keySpec = new S3EncryptionKeySpec(null, "NotBase64EncodedKey", null, null); + + ValidationResult result = strategy.validateKeySpec(keySpec); + +diff --git a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestStandardS3EncryptionService.java b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestStandardS3EncryptionService.java +index cb49b2aef125..ea81c805fdb2 100644 +--- a/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestStandardS3EncryptionService.java ++++ b/nifi-extension-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/s3/encryption/TestStandardS3EncryptionService.java +@@ -105,10 +105,11 @@ public void testRequests() { + @Test + public void testProperties() { + List properties = service.getSupportedPropertyDescriptors(); +- assertEquals(3, properties.size()); ++ assertEquals(4, properties.size()); + + assertEquals(properties.get(0).getName(), StandardS3EncryptionService.ENCRYPTION_STRATEGY.getName()); + assertEquals(properties.get(1).getName(), StandardS3EncryptionService.KMS_KEY_ID.getName()); + assertEquals(properties.get(2).getName(), StandardS3EncryptionService.KEY_MATERIAL.getName()); ++ assertEquals(properties.get(3).getName(), StandardS3EncryptionService.COMMITMENT_POLICY.getName()); + } + } +diff --git a/pom.xml b/pom.xml +index 57a6b72ddbc8..84ead5035ef5 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -121,7 +121,7 @@ + + + 2.40.8 +- 3.5.0 ++ 4.0.0 + 1.3.3 + + \ No newline at end of file