chore: remove ~50k lines of unreachable dead code (#8913)
* chore: remove unreachable dead code across the codebase Remove ~50,000 lines of unreachable code identified by static analysis. Major removals: - weed/filer/redis_lua: entire unused Redis Lua filer store implementation - weed/wdclient/net2, resource_pool: unused connection/resource pool packages - weed/plugin/worker/lifecycle: unused lifecycle plugin worker - weed/s3api: unused S3 policy templates, presigned URL IAM, streaming copy, multipart IAM, key rotation, and various SSE helper functions - weed/mq/kafka: unused partition mapping, compression, schema, and protocol functions - weed/mq/offset: unused SQL storage and migration code - weed/worker: unused registry, task, and monitoring functions - weed/query: unused SQL engine, parquet scanner, and type functions - weed/shell: unused EC proportional rebalance functions - weed/storage/erasure_coding/distribution: unused distribution analysis functions - Individual unreachable functions removed from 150+ files across admin, credential, filer, iam, kms, mount, mq, operation, pb, s3api, server, shell, storage, topology, and util packages * fix(s3): reset shared memory store in IAM test to prevent flaky failure TestLoadIAMManagerFromConfig_EmptyConfigWithFallbackKey was flaky because the MemoryStore credential backend is a singleton registered via init(). Earlier tests that create anonymous identities pollute the shared store, causing LookupAnonymous() to unexpectedly return true. Fix by calling Reset() on the memory store before the test runs. * style: run gofmt on changed files * fix: restore KMS functions used by integration tests * fix(plugin): prevent panic on send to closed worker session channel The Plugin.sendToWorker method could panic with "send on closed channel" when a worker disconnected while a message was being sent. The race was between streamSession.close() closing the outgoing channel and sendToWorker writing to it concurrently. Add a done channel to streamSession that is closed before the outgoing channel, and check it in sendToWorker's select to safely detect closed sessions without panicking.
This commit is contained in:
Chris Lu
@@ -59,11 +59,6 @@ const (
|
||||
// Bucket key cache TTL (moved to be used with per-bucket cache)
|
||||
const BucketKeyCacheTTL = time.Hour
|
||||
|
||||
// CreateSSEKMSEncryptedReader creates an encrypted reader using KMS envelope encryption
|
||||
func CreateSSEKMSEncryptedReader(r io.Reader, keyID string, encryptionContext map[string]string) (io.Reader, *SSEKMSKey, error) {
|
||||
return CreateSSEKMSEncryptedReaderWithBucketKey(r, keyID, encryptionContext, false)
|
||||
}
|
||||
|
||||
// CreateSSEKMSEncryptedReaderWithBucketKey creates an encrypted reader with optional S3 Bucket Keys optimization
|
||||
func CreateSSEKMSEncryptedReaderWithBucketKey(r io.Reader, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool) (io.Reader, *SSEKMSKey, error) {
|
||||
if bucketKeyEnabled {
|
||||
@@ -111,42 +106,6 @@ func CreateSSEKMSEncryptedReaderWithBucketKey(r io.Reader, keyID string, encrypt
|
||||
return encryptedReader, sseKey, nil
|
||||
}
|
||||
|
||||
// CreateSSEKMSEncryptedReaderWithBaseIV creates an SSE-KMS encrypted reader using a provided base IV
|
||||
// This is used for multipart uploads where all chunks need to use the same base IV
|
||||
func CreateSSEKMSEncryptedReaderWithBaseIV(r io.Reader, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool, baseIV []byte) (io.Reader, *SSEKMSKey, error) {
|
||||
if err := ValidateIV(baseIV, "base IV"); err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// Generate data key using common utility
|
||||
dataKeyResult, err := generateKMSDataKey(keyID, encryptionContext)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// Ensure we clear the plaintext data key from memory when done
|
||||
defer clearKMSDataKey(dataKeyResult)
|
||||
|
||||
// Use the provided base IV instead of generating a new one
|
||||
iv := make([]byte, s3_constants.AESBlockSize)
|
||||
copy(iv, baseIV)
|
||||
|
||||
// Create CTR mode cipher stream
|
||||
stream := cipher.NewCTR(dataKeyResult.Block, iv)
|
||||
|
||||
// Create the SSE-KMS metadata using utility function
|
||||
sseKey := createSSEKMSKey(dataKeyResult, encryptionContext, bucketKeyEnabled, iv, 0)
|
||||
|
||||
// The IV is stored in SSE key metadata, so the encrypted stream does not need to prepend the IV
|
||||
// This ensures correct Content-Length for clients
|
||||
encryptedReader := &cipher.StreamReader{S: stream, R: r}
|
||||
|
||||
// Store the base IV in the SSE key for metadata storage
|
||||
sseKey.IV = iv
|
||||
|
||||
return encryptedReader, sseKey, nil
|
||||
}
|
||||
|
||||
// CreateSSEKMSEncryptedReaderWithBaseIVAndOffset creates an SSE-KMS encrypted reader using a provided base IV and offset
|
||||
// This is used for multipart uploads where all chunks need unique IVs to prevent IV reuse vulnerabilities
|
||||
func CreateSSEKMSEncryptedReaderWithBaseIVAndOffset(r io.Reader, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool, baseIV []byte, offset int64) (io.Reader, *SSEKMSKey, error) {
|
||||
@@ -453,67 +412,6 @@ func CreateSSEKMSDecryptedReader(r io.Reader, sseKey *SSEKMSKey) (io.Reader, err
|
||||
return decryptReader, nil
|
||||
}
|
||||
|
||||
// ParseSSEKMSHeaders parses SSE-KMS headers from an HTTP request
|
||||
func ParseSSEKMSHeaders(r *http.Request) (*SSEKMSKey, error) {
|
||||
sseAlgorithm := r.Header.Get(s3_constants.AmzServerSideEncryption)
|
||||
|
||||
// Check if SSE-KMS is requested
|
||||
if sseAlgorithm == "" {
|
||||
return nil, nil // No SSE headers present
|
||||
}
|
||||
if sseAlgorithm != s3_constants.SSEAlgorithmKMS {
|
||||
return nil, fmt.Errorf("invalid SSE algorithm: %s", sseAlgorithm)
|
||||
}
|
||||
|
||||
keyID := r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
|
||||
encryptionContextHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionContext)
|
||||
bucketKeyEnabledHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionBucketKeyEnabled)
|
||||
|
||||
// Parse encryption context if provided
|
||||
var encryptionContext map[string]string
|
||||
if encryptionContextHeader != "" {
|
||||
// Decode base64-encoded JSON encryption context
|
||||
contextBytes, err := base64.StdEncoding.DecodeString(encryptionContextHeader)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid encryption context format: %v", err)
|
||||
}
|
||||
|
||||
if err := json.Unmarshal(contextBytes, &encryptionContext); err != nil {
|
||||
return nil, fmt.Errorf("invalid encryption context JSON: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// Parse bucket key enabled flag
|
||||
bucketKeyEnabled := strings.ToLower(bucketKeyEnabledHeader) == "true"
|
||||
|
||||
sseKey := &SSEKMSKey{
|
||||
KeyID: keyID,
|
||||
EncryptionContext: encryptionContext,
|
||||
BucketKeyEnabled: bucketKeyEnabled,
|
||||
}
|
||||
|
||||
// Validate the parsed key including key ID format
|
||||
if err := ValidateSSEKMSKeyInternal(sseKey); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return sseKey, nil
|
||||
}
|
||||
|
||||
// ValidateSSEKMSKey validates an SSE-KMS key configuration
|
||||
func ValidateSSEKMSKeyInternal(sseKey *SSEKMSKey) error {
|
||||
if err := ValidateSSEKMSKey(sseKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// An empty key ID is valid and means the default KMS key should be used.
|
||||
if sseKey.KeyID != "" && !isValidKMSKeyID(sseKey.KeyID) {
|
||||
return fmt.Errorf("invalid KMS key ID format: %s", sseKey.KeyID)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// BuildEncryptionContext creates the encryption context for S3 objects
|
||||
func BuildEncryptionContext(bucketName, objectKey string, useBucketKey bool) map[string]string {
|
||||
return kms.BuildS3EncryptionContext(bucketName, objectKey, useBucketKey)
|
||||
@@ -732,28 +630,6 @@ func IsSSEKMSEncrypted(metadata map[string][]byte) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// IsAnySSEEncrypted checks if metadata indicates any type of SSE encryption
|
||||
func IsAnySSEEncrypted(metadata map[string][]byte) bool {
|
||||
if metadata == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
// Check for any SSE type
|
||||
if IsSSECEncrypted(metadata) {
|
||||
return true
|
||||
}
|
||||
if IsSSEKMSEncrypted(metadata) {
|
||||
return true
|
||||
}
|
||||
|
||||
// Check for SSE-S3
|
||||
if sseAlgorithm, exists := metadata[s3_constants.AmzServerSideEncryption]; exists {
|
||||
return string(sseAlgorithm) == s3_constants.SSEAlgorithmAES256
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// MapKMSErrorToS3Error maps KMS errors to appropriate S3 error codes
|
||||
func MapKMSErrorToS3Error(err error) s3err.ErrorCode {
|
||||
if err == nil {
|
||||
@@ -990,21 +866,6 @@ func DetermineUnifiedCopyStrategy(state *EncryptionState, srcMetadata map[string
|
||||
return CopyStrategyDirect, nil
|
||||
}
|
||||
|
||||
// DetectEncryptionState analyzes the source metadata and request headers to determine encryption state
|
||||
func DetectEncryptionState(srcMetadata map[string][]byte, r *http.Request, srcPath, dstPath string) *EncryptionState {
|
||||
state := &EncryptionState{
|
||||
SrcSSEC: IsSSECEncrypted(srcMetadata),
|
||||
SrcSSEKMS: IsSSEKMSEncrypted(srcMetadata),
|
||||
SrcSSES3: IsSSES3EncryptedInternal(srcMetadata),
|
||||
DstSSEC: IsSSECRequest(r),
|
||||
DstSSEKMS: IsSSEKMSRequest(r),
|
||||
DstSSES3: IsSSES3RequestInternal(r),
|
||||
SameObject: srcPath == dstPath,
|
||||
}
|
||||
|
||||
return state
|
||||
}
|
||||
|
||||
// DetectEncryptionStateWithEntry analyzes the source entry and request headers to determine encryption state
|
||||
// This version can detect multipart encrypted objects by examining chunks
|
||||
func DetectEncryptionStateWithEntry(entry *filer_pb.Entry, r *http.Request, srcPath, dstPath string) *EncryptionState {
|
||||
|
||||
Reference in New Issue
Block a user