S3 API: Add SSE-C (#7143)

* implement sse-c * fix Content-Range * adding tests * Update s3_sse_c_test.go * copy sse-c objects * adding tests * refactor * multi reader * remove extra write header call * refactor * SSE-C encrypted objects do not support HTTP Range requests * robust * fix server starts * Update Makefile * Update Makefile * ci: remove SSE-C integration tests and workflows; delete test/s3/encryption/ * s3: SSE-C MD5 must be base64 (case-sensitive); fix validation, comparisons, metadata storage; update tests * minor * base64 * Update SSE-C_IMPLEMENTATION.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update weed/s3api/s3api_object_handlers.go Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update SSE-C_IMPLEMENTATION.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * address comments * fix test * fix compilation --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-08-19 08:19:30 -07:00
parent 6e56cac9e5
commit 2714b70955
12 changed files with 1267 additions and 23 deletions
--- a/weed/s3api/s3api_object_handlers_put.go
+++ b/weed/s3api/s3api_object_handlers_put.go
@@ -190,6 +190,25 @@ func (s3a *S3ApiServer) PutObjectHandler(w http.ResponseWriter, r *http.Request)

 func (s3a *S3ApiServer) putToFiler(r *http.Request, uploadUrl string, dataReader io.Reader, destination string, bucket string) (etag string, code s3err.ErrorCode) {

+	// Handle SSE-C encryption if requested
+	customerKey, err := ParseSSECHeaders(r)
+	if err != nil {
+		glog.Errorf("SSE-C header validation failed: %v", err)
+		// Use shared error mapping helper
+		errCode := MapSSECErrorToS3Error(err)
+		return "", errCode
+	}
+
+	// Apply SSE-C encryption if customer key is provided
+	if customerKey != nil {
+		encryptedReader, encErr := CreateSSECEncryptedReader(dataReader, customerKey)
+		if encErr != nil {
+			glog.Errorf("Failed to create SSE-C encrypted reader: %v", encErr)
+			return "", s3err.ErrInternalError
+		}
+		dataReader = encryptedReader
+	}
+
 	hash := md5.New()
 	var body = io.TeeReader(dataReader, hash)