adding support for input encoding and output decoding

README.rst

@@ -332,6 +332,40 @@ references to other configuration files.
 
    aws-crypto @my-encrypt -i $INPUT -o $OUTPUT
 
+
+Encoding
+--------
+By default, ``aws-crypto`` will always output raw binary data and expect raw binary data
+as input. However, there are some cases where you might not want this to be the case.
+
+Sometimes this might be for convenience:
+
+* Accepting ciphertext through stdin from a human.
+* Presenting ciphertext through stdout to a human.
+
+Sometimes it might be out of necessity:
+
+* Saving ciphertext output to a shell variable.
+
+   * Most shells apply a system encoding to any data stored in a variable. As a result, this
+     often results in corrupted data if binary data is stored without additional encoding.
+
+* Piping ciphertext in PowerShell.
+
+   * Similar to the above, all data passed through a PowerShell pipe is encoded using the
+     system encoding.
+
+In order to address these scenarios, we provide two optional arguments:
+
+* ``--decode`` : Base64-decode input before processing.
+* ``--encode`` : Base64-encode output after processing.
+
+These can be used independently or together, on any valid input or output.
+
+Be aware, however, that if you target multiple files either through a path expansion or by
+targetting a directory, the requested decoding/encoding will be applied to all files.
+
+
 Execution
 =========
 
@@ -381,6 +415,8 @@ Execution
      -o OUTPUT, --output OUTPUT
                            Output file or directory for encrypt/decrypt
                            operation, or - for stdout.
+     --encode              Base64-encode output after processing
+     --decode              Base64-decode input before processing
      -c ENCRYPTION_CONTEXT [ENCRYPTION_CONTEXT ...], --encryption-context ENCRYPTION_CONTEXT [ENCRYPTION_CONTEXT ...]
                            key-value pair encryption context values (encryption
                            only). Must a set of "key=value" pairs. ex: -c

doc/index.rst

@@ -11,6 +11,7 @@ Modules
     aws_encryption_sdk_cli
     aws_encryption_sdk_cli.internal
     aws_encryption_sdk_cli.internal.arg_parsing
+    aws_encryption_sdk_cli.internal.encoding
     aws_encryption_sdk_cli.internal.identifiers
     aws_encryption_sdk_cli.internal.io_handling
     aws_encryption_sdk_cli.internal.master_key_parsing

src/aws_encryption_sdk_cli/__init__.py

@@ -111,7 +111,9 @@ def process_cli_request(
         recursive,  # type: bool
         interactive,  # type: bool
         no_overwrite,  # type: bool
-        suffix=None  # type: Optional[str]
+        suffix=None,  # type: Optional[str]
+        decode_input=False,  # type: Optional[bool]
+        encode_output=False  # type: Optional[bool]
 ):
     # type: (...) -> None
     """Maps the operation request to the appropriate function based on the type of input and output provided.
@@ -123,6 +125,8 @@ def process_cli_request(
     :param bool interactive: Should prompt before overwriting existing files
     :param bool no_overwrite: Should never overwrite existing files
     :param str suffix: Suffix to append to output filename (optional)
+    :param bool decode_input: Should input be base64 decoded before operation (optional)
+    :param bool encode_output: Should output be base64 encoded after operation (optional)
     """
     _catch_bad_destination_requests(destination)
     _catch_bad_stdin_stdout_requests(source, destination)
@@ -134,7 +138,9 @@ def process_cli_request(
             source=source,
             destination=destination,
             interactive=interactive,
-            no_overwrite=no_overwrite
+            no_overwrite=no_overwrite,
+            decode_input=decode_input,
+            encode_output=encode_output
         )
         return
 
@@ -154,7 +160,9 @@ def process_cli_request(
                 destination=_destination,
                 interactive=interactive,
                 no_overwrite=no_overwrite,
-                suffix=suffix
+                suffix=suffix,
+                decode_input=decode_input,
+                encode_output=encode_output
             )
 
         elif os.path.isfile(_source):
@@ -172,7 +180,9 @@ def process_cli_request(
                 source=_source,
                 destination=_destination,
                 interactive=interactive,
-                no_overwrite=no_overwrite
+                no_overwrite=no_overwrite,
+                decode_input=decode_input,
+                encode_output=encode_output
             )
 
 
@@ -236,7 +246,9 @@ def cli(raw_args=None):
             recursive=args.recursive,
             interactive=args.interactive,
             no_overwrite=args.no_overwrite,
-            suffix=args.suffix
+            suffix=args.suffix,
+            decode_input=args.decode,
+            encode_output=args.encode
         )
         return None
     except AWSEncryptionSDKCLIError as error:

src/aws_encryption_sdk_cli/internal/arg_parsing.py

@@ -214,6 +214,17 @@ def _build_parser():
         help='Output file or directory for encrypt/decrypt operation, or - for stdout.'
     )
 
+    parser.add_argument(
+        '--encode',
+        action='store_true',
+        help='Base64-encode output after processing'
+    )
+    parser.add_argument(
+        '--decode',
+        action='store_true',
+        help='Base64-decode input before processing'
+    )
+
     parser.add_argument(
         '-c',
         '--encryption-context',