gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3f946fc0c0bda0c1831adbca9fa401caa4076cdb
seaweedFS/weed/s3api/s3_sse_kms.go
Chris Lu ca84a8a713 S3: Directly read write volume servers (#7481) 
* Lazy Versioning Check, Conditional SSE Entry Fetch, HEAD Request Optimization

* revert

Reverted the conditional versioning check to always check versioning status
Reverted the conditional SSE entry fetch to always fetch entry metadata
Reverted the conditional versioning check to always check versioning status
Reverted the conditional SSE entry fetch to always fetch entry metadata

* Lazy Entry Fetch for SSE, Skip Conditional Header Check

* SSE-KMS headers are present, this is not an SSE-C request (mutually exclusive)

* SSE-C is mutually exclusive with SSE-S3 and SSE-KMS

* refactor

* Removed Premature Mutual Exclusivity Check

* check for the presence of the X-Amz-Server-Side-Encryption header

* not used

* fmt

* directly read write volume servers

* HTTP Range Request Support

* set header

* md5

* copy object

* fix sse

* fmt

* implement sse

* sse continue

* fixed the suffix range bug (bytes=-N for "last N bytes")

* debug logs

* Missing PartsCount Header

* profiling

* url encoding

* test_multipart_get_part

* headers

* debug

* adjust log level

* handle part number

* Update s3api_object_handlers.go

* nil safety

* set ModifiedTsNs

* remove

* nil check

* fix sse header

* same logic as filer

* decode values

* decode ivBase64

* s3: Fix SSE decryption JWT authentication and streaming errors

Critical fix for SSE (Server-Side Encryption) test failures:

1. **JWT Authentication Bug** (Root Cause):
   - Changed from GenJwtForFilerServer to GenJwtForVolumeServer
   - S3 API now uses correct JWT when directly reading from volume servers
   - Matches filer's authentication pattern for direct volume access
   - Fixes 'unexpected EOF' and 500 errors in SSE tests

2. **Streaming Error Handling**:
   - Added error propagation in getEncryptedStreamFromVolumes goroutine
   - Use CloseWithError() to properly communicate stream failures
   - Added debug logging for streaming errors

3. **Response Header Timing**:
   - Removed premature WriteHeader(http.StatusOK) call
   - Let Go's http package write status automatically on first write
   - Prevents header lock when errors occur during streaming

4. **Enhanced SSE Decryption Debugging**:
   - Added IV/Key validation and logging for SSE-C, SSE-KMS, SSE-S3
   - Better error messages for missing or invalid encryption metadata
   - Added glog.V(2) debugging for decryption setup

This fixes SSE integration test failures where encrypted objects
could not be retrieved due to volume server authentication failures.
The JWT bug was causing volume servers to reject requests, resulting
in truncated/empty streams (EOF) or internal errors.

* s3: Fix SSE multipart upload metadata preservation

Critical fix for SSE multipart upload test failures (SSE-C and SSE-KMS):

**Root Cause - Incomplete SSE Metadata Copying**:
The old code only tried to copy 'SeaweedFSSSEKMSKey' from the first
part to the completed object. This had TWO bugs:

1. **Wrong Constant Name** (Key Mismatch Bug):
   - Storage uses: SeaweedFSSSEKMSKeyHeader = 'X-SeaweedFS-SSE-KMS-Key'
   - Old code read: SeaweedFSSSEKMSKey = 'x-seaweedfs-sse-kms-key'
   - Result: SSE-KMS metadata was NEVER copied → 500 errors

2. **Missing SSE-C and SSE-S3 Headers**:
   - SSE-C requires: IV, Algorithm, KeyMD5
   - SSE-S3 requires: encrypted key data + standard headers
   - Old code: copied nothing for SSE-C/SSE-S3 → decryption failures

**Fix - Complete SSE Header Preservation**:
Now copies ALL SSE headers from first part to completed object:

- SSE-C: SeaweedFSSSEIV, CustomerAlgorithm, CustomerKeyMD5
- SSE-KMS: SeaweedFSSSEKMSKeyHeader, AwsKmsKeyId, ServerSideEncryption
- SSE-S3: SeaweedFSSSES3Key, ServerSideEncryption

Applied consistently to all 3 code paths:
1. Versioned buckets (creates version file)
2. Suspended versioning (creates main object with null versionId)
3. Non-versioned buckets (creates main object)

**Why This Is Correct**:
The headers copied EXACTLY match what putToFiler stores during part
upload (lines 496-521 in s3api_object_handlers_put.go). This ensures
detectPrimarySSEType() can correctly identify encrypted multipart
objects and trigger inline decryption with proper metadata.

Fixes: TestSSEMultipartUploadIntegration (SSE-C and SSE-KMS subtests)

* s3: Add debug logging for versioning state diagnosis

Temporary debug logging to diagnose test_versioning_obj_plain_null_version_overwrite_suspended failure.

Added glog.V(0) logging to show:
1. setBucketVersioningStatus: when versioning status is changed
2. PutObjectHandler: what versioning state is detected (Enabled/Suspended/none)
3. PutObjectHandler: which code path is taken (putVersionedObject vs putSuspendedVersioningObject)

This will help identify if:
- The versioning status is being set correctly in bucket config
- The cache is returning stale/incorrect versioning state
- The switch statement is correctly routing to suspended vs enabled handlers

* s3: Enhanced versioning state tracing for suspended versioning diagnosis

Added comprehensive logging across the entire versioning state flow:

PutBucketVersioningHandler:
- Log requested status (Enabled/Suspended)
- Log when calling setBucketVersioningStatus
- Log success/failure of status change

setBucketVersioningStatus:
- Log bucket and status being set
- Log when config is updated
- Log completion with error code

updateBucketConfig:
- Log versioning state being written to cache
- Immediate cache verification after Set
- Log if cache verification fails

getVersioningState:
- Log bucket name and state being returned
- Log if object lock forces VersioningEnabled
- Log errors

This will reveal:
1. If PutBucketVersioning(Suspended) is reaching the handler
2. If the cache update succeeds
3. What state getVersioningState returns during PUT
4. Any cache consistency issues

Expected to show why bucket still reports 'Enabled' after 'Suspended' call.

* s3: Add SSE chunk detection debugging for multipart uploads

Added comprehensive logging to diagnose why TestSSEMultipartUploadIntegration fails:

detectPrimarySSEType now logs:
1. Total chunk count and extended header count
2. All extended headers with 'sse'/'SSE'/'encryption' in the name
3. For each chunk: index, SseType, and whether it has metadata
4. Final SSE type counts (SSE-C, SSE-KMS, SSE-S3)

This will reveal if:
- Chunks are missing SSE metadata after multipart completion
- Extended headers are copied correctly from first part
- The SSE detection logic is working correctly

Expected to show if chunks have SseType=0 (none) or proper SSE types set.

* s3: Trace SSE chunk metadata through multipart completion and retrieval

Added end-to-end logging to track SSE chunk metadata lifecycle:

**During Multipart Completion (filer_multipart.go)**:
1. Log finalParts chunks BEFORE mkFile - shows SseType and metadata
2. Log versionEntry.Chunks INSIDE mkFile callback - shows if mkFile preserves SSE info
3. Log success after mkFile completes

**During GET Retrieval (s3api_object_handlers.go)**:
1. Log retrieved entry chunks - shows SseType and metadata after retrieval
2. Log detected SSE type result

This will reveal at which point SSE chunk metadata is lost:
- If finalParts have SSE metadata but versionEntry.Chunks don't → mkFile bug
- If versionEntry.Chunks have SSE metadata but retrieved chunks don't → storage/retrieval bug
- If chunks never have SSE metadata → multipart completion SSE processing bug

Expected to show chunks with SseType=NONE during retrieval even though
they were created with proper SseType during multipart completion.

* s3: Fix SSE-C multipart IV base64 decoding bug

**Critical Bug Found**: SSE-C multipart uploads were failing because:

Root Cause:
- entry.Extended[SeaweedFSSSEIV] stores base64-encoded IV (24 bytes for 16-byte IV)
- SerializeSSECMetadata expects raw IV bytes (16 bytes)
- During multipart completion, we were passing base64 IV directly → serialization error

Error Message:
"Failed to serialize SSE-C metadata for chunk in part X: invalid IV length: expected 16 bytes, got 24"

Fix:
- Base64-decode IV before passing to SerializeSSECMetadata
- Added error handling for decode failures

Impact:
- SSE-C multipart uploads will now correctly serialize chunk metadata
- Chunks will have proper SSE metadata for decryption during GET

This fixes the SSE-C subtest of TestSSEMultipartUploadIntegration.
SSE-KMS still has a separate issue (error code 23) being investigated.

* fixes

* kms sse

* handle retry if not found in .versions folder and should read the normal object

* quick check (no retries) to see if the .versions/ directory exists

* skip retry if object is not found

* explicit update to avoid sync delay

* fix map update lock

* Remove fmt.Printf debug statements

* Fix SSE-KMS multipart base IV fallback to fail instead of regenerating

* fmt

* Fix ACL grants storage logic

* header handling

* nil handling

* range read for sse content

* test range requests for sse objects

* fmt

* unused code

* upload in chunks

* header case

* fix url

* bucket policy error vs bucket not found

* jwt handling

* fmt

* jwt in request header

* Optimize Case-Insensitive Prefix Check

* dead code

* Eliminated Unnecessary Stream Prefetch for Multipart SSE

* range sse

* sse

* refactor

* context

* fmt

* fix type

* fix SSE-C IV Mismatch

* Fix Headers Being Set After WriteHeader

* fix url parsing

* propergate sse headers

* multipart sse-s3

* aws sig v4 authen

* sse kms

* set content range

* better errors

* Update s3api_object_handlers_copy.go

* Update s3api_object_handlers.go

* Update s3api_object_handlers.go

* avoid magic number

* clean up

* Update s3api_bucket_policy_handlers.go

* fix url parsing

* context

* data and metadata both use background context

* adjust the offset

* SSE Range Request IV Calculation

* adjust logs

* IV relative to offset in each part, not the whole file

* collect logs

* offset

* fix offset

* fix url

* logs

* variable

* jwt

* Multipart ETag semantics: conditionally set object-level Md5 for single-chunk uploads only.

* sse

* adjust IV and offset

* multipart boundaries

* ensures PUT and GET operations return consistent ETags

* Metadata Header Case

* CommonPrefixes Sorting with URL Encoding

* always sort

* remove the extra PathUnescape call

* fix the multipart get part ETag

* the FileChunk is created without setting ModifiedTsNs

* Sort CommonPrefixes lexicographically to match AWS S3 behavior

* set md5 for multipart uploads

* prevents any potential data loss or corruption in the small-file inline storage path

* compiles correctly

* decryptedReader will now be properly closed after use

* Fixed URL encoding and sort order for CommonPrefixes

* Update s3api_object_handlers_list.go

* SSE-x Chunk View Decryption

* Different IV offset calculations for single-part vs multipart objects

* still too verbose in logs

* less logs

* ensure correct conversion

* fix listing

* nil check

* minor fixes

* nil check

* single character delimiter

* optimize

* range on empty object or zero-length

* correct IV based on its position within that part, not its position in the entire object

* adjust offset

* offset

Fetch FULL encrypted chunk (not just the range)
Adjust IV by PartOffset/ChunkOffset only
Decrypt full chunk
Skip in the DECRYPTED stream to reach OffsetInChunk

* look breaking

* refactor

* error on no content

* handle intra-block byte skipping

* Incomplete HTTP Response Error Handling

* multipart SSE

* Update s3api_object_handlers.go

* address comments

* less logs

* handling directory

* Optimized rejectDirectoryObjectWithoutSlash() to avoid unnecessary lookups

* Revert "handling directory"

This reverts commit 3a335f0ac33c63f51975abc63c40e5328857a74b.

* constant

* Consolidate nil entry checks in GetObjectHandler

* add range tests

* Consolidate redundant nil entry checks in HeadObjectHandler

* adjust logs

* SSE type

* large files

* large files

Reverted the plain-object range test

* ErrNoEncryptionConfig

* Fixed SSERangeReader Infinite Loop Vulnerability

* Fixed SSE-KMS Multipart ChunkReader HTTP Body Leak

* handle empty directory in S3, added PyArrow tests

* purge unused code

* Update s3_parquet_test.py

* Update requirements.txt

* According to S3 specifications, when both partNumber and Range are present, the Range should apply within the selected part's boundaries, not to the full object.

* handle errors

* errors after writing header

* https

* fix: Wait for volume assignment readiness before running Parquet tests

The test-implicit-dir-with-server test was failing with an Internal Error
because volume assignment was not ready when tests started. This fix adds
a check that attempts a volume assignment and waits for it to succeed
before proceeding with tests.

This ensures that:
1. Volume servers are registered with the master
2. Volume growth is triggered if needed
3. The system can successfully assign volumes for writes

Fixes the timeout issue where boto3 would retry 4 times and fail with
'We encountered an internal error, please try again.'

* sse tests

* store derived IV

* fix: Clean up gRPC ports between tests to prevent port conflicts

The second test (test-implicit-dir-with-server) was failing because the
volume server's gRPC port (18080 = VOLUME_PORT + 10000) was still in use
from the first test. The cleanup code only killed HTTP port processes,
not gRPC port processes.

Added cleanup for gRPC ports in all stop targets:
- Master gRPC: MASTER_PORT + 10000 (19333)
- Volume gRPC: VOLUME_PORT + 10000 (18080)
- Filer gRPC: FILER_PORT + 10000 (18888)

This ensures clean state between test runs in CI.

* add import

* address comments

* docs: Add placeholder documentation files for Parquet test suite

Added three missing documentation files referenced in test/s3/parquet/README.md:

1. TEST_COVERAGE.md - Documents 43 total test cases (17 Go unit tests,
   6 Python integration tests, 20 Python end-to-end tests)

2. FINAL_ROOT_CAUSE_ANALYSIS.md - Explains the s3fs compatibility issue
   with PyArrow, the implicit directory problem, and how the fix works

3. MINIO_DIRECTORY_HANDLING.md - Compares MinIO's directory handling
   approach with SeaweedFS's implementation

Each file contains:
- Title and overview
- Key technical details relevant to the topic
- TODO sections for future expansion

These placeholder files resolve the broken README links and provide
structure for future detailed documentation.

* clean up if metadata operation failed

* Update s3_parquet_test.py

* clean up

* Update Makefile

* Update s3_parquet_test.py

* Update Makefile

* Handle ivSkip for non-block-aligned offsets

* Update README.md

* stop volume server faster

* stop volume server in 1 second

* different IV for each chunk in SSE-S3 and SSE-KMS

* clean up if fails

* testing upload

* error propagation

* fmt

* simplify

* fix copying

* less logs

* endian

* Added marshaling error handling

* handling invalid ranges

* error handling for adding to log buffer

* fix logging

* avoid returning too quickly and ensure proper cleaning up

* Activity Tracking for Disk Reads

* Cleanup Unused Parameters

* Activity Tracking for Kafka Publishers

* Proper Test Error Reporting

* refactoring

* less logs

* less logs

* go fmt

* guard it with if entry.Attributes.TtlSec > 0 to match the pattern used elsewhere.

* Handle bucket-default encryption config errors explicitly for multipart

* consistent activity tracking

* obsolete code for s3 on filer read/write handlers

* Update weed/s3api/s3api_object_handlers_list.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-11-18 23:18:35 -08:00

1071 lines
36 KiB
Go
Raw Blame History

package s3api
import (
"context"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"net/http"
"regexp"
"sort"
"strings"
"time"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/kms"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
// Compiled regex patterns for KMS key validation
var (
uuidRegex = regexp.MustCompile(`^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$`)
arnRegex = regexp.MustCompile(`^arn:aws:kms:[a-z0-9-]+:\d{12}:(key|alias)/.+$`)
)
// SSEKMSKey contains the metadata for an SSE-KMS encrypted object
type SSEKMSKey struct {
KeyID string // The KMS key ID used
EncryptedDataKey []byte // The encrypted data encryption key
EncryptionContext map[string]string // The encryption context used
BucketKeyEnabled bool // Whether S3 Bucket Keys are enabled
IV []byte // The initialization vector for encryption
ChunkOffset int64 // Offset of this chunk within the original part (for IV calculation)
}
// SSEKMSMetadata represents the metadata stored with SSE-KMS objects
type SSEKMSMetadata struct {
Algorithm string `json:"algorithm"` // "aws:kms"
KeyID string `json:"keyId"` // KMS key identifier
EncryptedDataKey string `json:"encryptedDataKey"` // Base64-encoded encrypted data key
EncryptionContext map[string]string `json:"encryptionContext"` // Encryption context
BucketKeyEnabled bool `json:"bucketKeyEnabled"` // S3 Bucket Key optimization
IV string `json:"iv"` // Base64-encoded initialization vector
PartOffset int64 `json:"partOffset"` // Offset within original multipart part (for IV calculation)
}
const (
// Default data key size (256 bits)
DataKeySize = 32
)
// Bucket key cache TTL (moved to be used with per-bucket cache)
const BucketKeyCacheTTL = time.Hour
// CreateSSEKMSEncryptedReader creates an encrypted reader using KMS envelope encryption
func CreateSSEKMSEncryptedReader(r io.Reader, keyID string, encryptionContext map[string]string) (io.Reader, *SSEKMSKey, error) {
return CreateSSEKMSEncryptedReaderWithBucketKey(r, keyID, encryptionContext, false)
}
// CreateSSEKMSEncryptedReaderWithBucketKey creates an encrypted reader with optional S3 Bucket Keys optimization
func CreateSSEKMSEncryptedReaderWithBucketKey(r io.Reader, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool) (io.Reader, *SSEKMSKey, error) {
if bucketKeyEnabled {
// Use S3 Bucket Keys optimization - try to get or create a bucket-level data key
// Note: This is a simplified implementation. In practice, this would need
// access to the bucket name and S3ApiServer instance for proper per-bucket caching.
// For now, generate per-object keys (bucket key optimization disabled)
glog.V(2).Infof("Bucket key optimization requested but not fully implemented yet - using per-object keys")
bucketKeyEnabled = false
}
// Generate data key using common utility
dataKeyResult, err := generateKMSDataKey(keyID, encryptionContext)
if err != nil {
return nil, nil, err
}
// Ensure we clear the plaintext data key from memory when done
defer clearKMSDataKey(dataKeyResult)
// Generate a random IV for CTR mode
// Note: AES-CTR is used for object data encryption (not AES-GCM) because:
// 1. CTR mode supports streaming encryption for large objects
// 2. CTR mode supports range requests (seek to arbitrary positions)
// 3. This matches AWS S3 and other S3-compatible implementations
// The KMS data key encryption (separate layer) uses AES-GCM for authentication
iv := make([]byte, s3_constants.AESBlockSize)
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, nil, fmt.Errorf("failed to generate IV: %v", err)
}
// Create CTR mode cipher stream
stream := cipher.NewCTR(dataKeyResult.Block, iv)
// Create the SSE-KMS metadata using utility function
sseKey := createSSEKMSKey(dataKeyResult, encryptionContext, bucketKeyEnabled, iv, 0)
// The IV is stored in SSE key metadata, so the encrypted stream does not need to prepend the IV
// This ensures correct Content-Length for clients
encryptedReader := &cipher.StreamReader{S: stream, R: r}
// Store IV in the SSE key for metadata storage
sseKey.IV = iv
return encryptedReader, sseKey, nil
}
// CreateSSEKMSEncryptedReaderWithBaseIV creates an SSE-KMS encrypted reader using a provided base IV
// This is used for multipart uploads where all chunks need to use the same base IV
func CreateSSEKMSEncryptedReaderWithBaseIV(r io.Reader, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool, baseIV []byte) (io.Reader, *SSEKMSKey, error) {
if err := ValidateIV(baseIV, "base IV"); err != nil {
return nil, nil, err
}
// Generate data key using common utility
dataKeyResult, err := generateKMSDataKey(keyID, encryptionContext)
if err != nil {
return nil, nil, err
}
// Ensure we clear the plaintext data key from memory when done
defer clearKMSDataKey(dataKeyResult)
// Use the provided base IV instead of generating a new one
iv := make([]byte, s3_constants.AESBlockSize)
copy(iv, baseIV)
// Create CTR mode cipher stream
stream := cipher.NewCTR(dataKeyResult.Block, iv)
// Create the SSE-KMS metadata using utility function
sseKey := createSSEKMSKey(dataKeyResult, encryptionContext, bucketKeyEnabled, iv, 0)
// The IV is stored in SSE key metadata, so the encrypted stream does not need to prepend the IV
// This ensures correct Content-Length for clients
encryptedReader := &cipher.StreamReader{S: stream, R: r}
// Store the base IV in the SSE key for metadata storage
sseKey.IV = iv
return encryptedReader, sseKey, nil
}
// CreateSSEKMSEncryptedReaderWithBaseIVAndOffset creates an SSE-KMS encrypted reader using a provided base IV and offset
// This is used for multipart uploads where all chunks need unique IVs to prevent IV reuse vulnerabilities
func CreateSSEKMSEncryptedReaderWithBaseIVAndOffset(r io.Reader, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool, baseIV []byte, offset int64) (io.Reader, *SSEKMSKey, error) {
if err := ValidateIV(baseIV, "base IV"); err != nil {
return nil, nil, err
}
// Generate data key using common utility
dataKeyResult, err := generateKMSDataKey(keyID, encryptionContext)
if err != nil {
return nil, nil, err
}
// Ensure we clear the plaintext data key from memory when done
defer clearKMSDataKey(dataKeyResult)
// Calculate unique IV using base IV and offset to prevent IV reuse in multipart uploads
// Skip is not used here because we're encrypting from the start (not reading a range)
iv, _ := calculateIVWithOffset(baseIV, offset)
// Create CTR mode cipher stream
stream := cipher.NewCTR(dataKeyResult.Block, iv)
// Create the SSE-KMS metadata using utility function
sseKey := createSSEKMSKey(dataKeyResult, encryptionContext, bucketKeyEnabled, iv, offset)
// The IV is stored in SSE key metadata, so the encrypted stream does not need to prepend the IV
// This ensures correct Content-Length for clients
encryptedReader := &cipher.StreamReader{S: stream, R: r}
return encryptedReader, sseKey, nil
}
// hashEncryptionContext creates a deterministic hash of the encryption context
func hashEncryptionContext(encryptionContext map[string]string) string {
if len(encryptionContext) == 0 {
return "empty"
}
// Create a deterministic representation of the context
hash := sha256.New()
// Sort keys to ensure deterministic hash
keys := make([]string, 0, len(encryptionContext))
for k := range encryptionContext {
keys = append(keys, k)
}
sort.Strings(keys)
// Hash the sorted key-value pairs
for _, k := range keys {
hash.Write([]byte(k))
hash.Write([]byte("="))
hash.Write([]byte(encryptionContext[k]))
hash.Write([]byte(";"))
}
return hex.EncodeToString(hash.Sum(nil))[:16] // Use first 16 chars for brevity
}
// getBucketDataKey retrieves or creates a cached bucket-level data key for SSE-KMS
// This is a simplified implementation that demonstrates the per-bucket caching concept
// In a full implementation, this would integrate with the actual bucket configuration system
func getBucketDataKey(bucketName, keyID string, encryptionContext map[string]string, bucketCache *BucketKMSCache) (*kms.GenerateDataKeyResponse, error) {
// Create context hash for cache key
contextHash := hashEncryptionContext(encryptionContext)
cacheKey := fmt.Sprintf("%s:%s", keyID, contextHash)
// Try to get from cache first if cache is available
if bucketCache != nil {
if cacheEntry, found := bucketCache.Get(cacheKey); found {
if dataKey, ok := cacheEntry.DataKey.(*kms.GenerateDataKeyResponse); ok {
glog.V(3).Infof("Using cached bucket key for bucket %s, keyID %s", bucketName, keyID)
return dataKey, nil
}
}
}
// Cache miss - generate new data key
kmsProvider := kms.GetGlobalKMS()
if kmsProvider == nil {
return nil, fmt.Errorf("KMS is not configured")
}
dataKeyReq := &kms.GenerateDataKeyRequest{
KeyID: keyID,
KeySpec: kms.KeySpecAES256,
EncryptionContext: encryptionContext,
}
ctx := context.Background()
dataKeyResp, err := kmsProvider.GenerateDataKey(ctx, dataKeyReq)
if err != nil {
return nil, fmt.Errorf("failed to generate bucket data key: %v", err)
}
// Cache the data key for future use if cache is available
if bucketCache != nil {
bucketCache.Set(cacheKey, keyID, dataKeyResp, BucketKeyCacheTTL)
glog.V(2).Infof("Generated and cached new bucket key for bucket %s, keyID %s", bucketName, keyID)
} else {
glog.V(2).Infof("Generated new bucket key for bucket %s, keyID %s (caching disabled)", bucketName, keyID)
}
return dataKeyResp, nil
}
// CreateSSEKMSEncryptedReaderForBucket creates an encrypted reader with bucket-specific caching
// This method is part of S3ApiServer to access bucket configuration and caching
func (s3a *S3ApiServer) CreateSSEKMSEncryptedReaderForBucket(r io.Reader, bucketName, keyID string, encryptionContext map[string]string, bucketKeyEnabled bool) (io.Reader, *SSEKMSKey, error) {
var dataKeyResp *kms.GenerateDataKeyResponse
var err error
if bucketKeyEnabled {
// Use S3 Bucket Keys optimization with persistent per-bucket caching
bucketCache, err := s3a.getBucketKMSCache(bucketName)
if err != nil {
glog.V(2).Infof("Failed to get bucket KMS cache for %s, falling back to per-object key: %v", bucketName, err)
bucketKeyEnabled = false
} else {
dataKeyResp, err = getBucketDataKey(bucketName, keyID, encryptionContext, bucketCache)
if err != nil {
// Fall back to per-object key generation if bucket key fails
glog.V(2).Infof("Bucket key generation failed for bucket %s, falling back to per-object key: %v", bucketName, err)
bucketKeyEnabled = false
}
}
}
if !bucketKeyEnabled {
// Generate a per-object data encryption key using KMS
kmsProvider := kms.GetGlobalKMS()
if kmsProvider == nil {
return nil, nil, fmt.Errorf("KMS is not configured")
}
dataKeyReq := &kms.GenerateDataKeyRequest{
KeyID: keyID,
KeySpec: kms.KeySpecAES256,
EncryptionContext: encryptionContext,
}
ctx := context.Background()
dataKeyResp, err = kmsProvider.GenerateDataKey(ctx, dataKeyReq)
if err != nil {
return nil, nil, fmt.Errorf("failed to generate data key: %v", err)
}
}
// Ensure we clear the plaintext data key from memory when done
defer kms.ClearSensitiveData(dataKeyResp.Plaintext)
// Create AES cipher with the data key
block, err := aes.NewCipher(dataKeyResp.Plaintext)
if err != nil {
return nil, nil, fmt.Errorf("failed to create AES cipher: %v", err)
}
// Generate a random IV for CTR mode
iv := make([]byte, 16) // AES block size
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, nil, fmt.Errorf("failed to generate IV: %v", err)
}
// Create CTR mode cipher stream
stream := cipher.NewCTR(block, iv)
// Create the encrypting reader
sseKey := &SSEKMSKey{
KeyID: keyID,
EncryptedDataKey: dataKeyResp.CiphertextBlob,
EncryptionContext: encryptionContext,
BucketKeyEnabled: bucketKeyEnabled,
IV: iv,
}
return &cipher.StreamReader{S: stream, R: r}, sseKey, nil
}
// getBucketKMSCache gets or creates the persistent KMS cache for a bucket
func (s3a *S3ApiServer) getBucketKMSCache(bucketName string) (*BucketKMSCache, error) {
// Get bucket configuration
bucketConfig, errCode := s3a.getBucketConfig(bucketName)
if errCode != s3err.ErrNone {
if errCode == s3err.ErrNoSuchBucket {
return nil, fmt.Errorf("bucket %s does not exist", bucketName)
}
return nil, fmt.Errorf("failed to get bucket config: %v", errCode)
}
// Initialize KMS cache if it doesn't exist
if bucketConfig.KMSKeyCache == nil {
bucketConfig.KMSKeyCache = NewBucketKMSCache(bucketName, BucketKeyCacheTTL)
glog.V(3).Infof("Initialized new KMS cache for bucket %s", bucketName)
}
return bucketConfig.KMSKeyCache, nil
}
// CleanupBucketKMSCache performs cleanup of expired KMS keys for a specific bucket
func (s3a *S3ApiServer) CleanupBucketKMSCache(bucketName string) int {
bucketCache, err := s3a.getBucketKMSCache(bucketName)
if err != nil {
glog.V(3).Infof("Could not get KMS cache for bucket %s: %v", bucketName, err)
return 0
}
cleaned := bucketCache.CleanupExpired()
if cleaned > 0 {
glog.V(2).Infof("Cleaned up %d expired KMS keys for bucket %s", cleaned, bucketName)
}
return cleaned
}
// CleanupAllBucketKMSCaches performs cleanup of expired KMS keys for all buckets
func (s3a *S3ApiServer) CleanupAllBucketKMSCaches() int {
totalCleaned := 0
// Access the bucket config cache safely
if s3a.bucketConfigCache != nil {
s3a.bucketConfigCache.mutex.RLock()
bucketNames := make([]string, 0, len(s3a.bucketConfigCache.cache))
for bucketName := range s3a.bucketConfigCache.cache {
bucketNames = append(bucketNames, bucketName)
}
s3a.bucketConfigCache.mutex.RUnlock()
// Clean up each bucket's KMS cache
for _, bucketName := range bucketNames {
cleaned := s3a.CleanupBucketKMSCache(bucketName)
totalCleaned += cleaned
}
}
if totalCleaned > 0 {
glog.V(2).Infof("Cleaned up %d expired KMS keys across %d bucket caches", totalCleaned, len(s3a.bucketConfigCache.cache))
}
return totalCleaned
}
// CreateSSEKMSDecryptedReader creates a decrypted reader using KMS envelope encryption
func CreateSSEKMSDecryptedReader(r io.Reader, sseKey *SSEKMSKey) (io.Reader, error) {
kmsProvider := kms.GetGlobalKMS()
if kmsProvider == nil {
return nil, fmt.Errorf("KMS is not configured")
}
// Decrypt the data encryption key using KMS
decryptReq := &kms.DecryptRequest{
CiphertextBlob: sseKey.EncryptedDataKey,
EncryptionContext: sseKey.EncryptionContext,
}
ctx := context.Background()
decryptResp, err := kmsProvider.Decrypt(ctx, decryptReq)
if err != nil {
return nil, fmt.Errorf("failed to decrypt data key: %v", err)
}
// Ensure we clear the plaintext data key from memory when done
defer kms.ClearSensitiveData(decryptResp.Plaintext)
// Verify the key ID matches (security check)
if decryptResp.KeyID != sseKey.KeyID {
return nil, fmt.Errorf("KMS key ID mismatch: expected %s, got %s", sseKey.KeyID, decryptResp.KeyID)
}
// Use the IV from the SSE key metadata, calculating offset if this is a chunked part
if err := ValidateIV(sseKey.IV, "SSE key IV"); err != nil {
return nil, fmt.Errorf("invalid IV in SSE key: %w", err)
}
// Calculate the correct IV for this chunk's offset within the original part
// Note: The skip bytes must be discarded by the caller before reading from the returned reader
var iv []byte
if sseKey.ChunkOffset > 0 {
iv, _ = calculateIVWithOffset(sseKey.IV, sseKey.ChunkOffset)
// Skip value is ignored here; caller must handle intra-block byte skipping
} else {
iv = sseKey.IV
}
// Create AES cipher with the decrypted data key
block, err := aes.NewCipher(decryptResp.Plaintext)
if err != nil {
return nil, fmt.Errorf("failed to create AES cipher: %v", err)
}
// Create CTR mode cipher stream for decryption
// Note: AES-CTR is used for object data decryption to match the encryption mode
stream := cipher.NewCTR(block, iv)
decryptReader := &cipher.StreamReader{S: stream, R: r}
// Wrap with closer if the underlying reader implements io.Closer
if closer, ok := r.(io.Closer); ok {
return &decryptReaderCloser{
Reader: decryptReader,
underlyingCloser: closer,
}, nil
}
// Return the decrypted reader
return decryptReader, nil
}
// ParseSSEKMSHeaders parses SSE-KMS headers from an HTTP request
func ParseSSEKMSHeaders(r *http.Request) (*SSEKMSKey, error) {
sseAlgorithm := r.Header.Get(s3_constants.AmzServerSideEncryption)
// Check if SSE-KMS is requested
if sseAlgorithm == "" {
return nil, nil // No SSE headers present
}
if sseAlgorithm != s3_constants.SSEAlgorithmKMS {
return nil, fmt.Errorf("invalid SSE algorithm: %s", sseAlgorithm)
}
keyID := r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
encryptionContextHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionContext)
bucketKeyEnabledHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionBucketKeyEnabled)
// Parse encryption context if provided
var encryptionContext map[string]string
if encryptionContextHeader != "" {
// Decode base64-encoded JSON encryption context
contextBytes, err := base64.StdEncoding.DecodeString(encryptionContextHeader)
if err != nil {
return nil, fmt.Errorf("invalid encryption context format: %v", err)
}
if err := json.Unmarshal(contextBytes, &encryptionContext); err != nil {
return nil, fmt.Errorf("invalid encryption context JSON: %v", err)
}
}
// Parse bucket key enabled flag
bucketKeyEnabled := strings.ToLower(bucketKeyEnabledHeader) == "true"
sseKey := &SSEKMSKey{
KeyID: keyID,
EncryptionContext: encryptionContext,
BucketKeyEnabled: bucketKeyEnabled,
}
// Validate the parsed key including key ID format
if err := ValidateSSEKMSKeyInternal(sseKey); err != nil {
return nil, err
}
return sseKey, nil
}
// ValidateSSEKMSKey validates an SSE-KMS key configuration
func ValidateSSEKMSKeyInternal(sseKey *SSEKMSKey) error {
if err := ValidateSSEKMSKey(sseKey); err != nil {
return err
}
// An empty key ID is valid and means the default KMS key should be used.
if sseKey.KeyID != "" && !isValidKMSKeyID(sseKey.KeyID) {
return fmt.Errorf("invalid KMS key ID format: %s", sseKey.KeyID)
}
return nil
}
// BuildEncryptionContext creates the encryption context for S3 objects
func BuildEncryptionContext(bucketName, objectKey string, useBucketKey bool) map[string]string {
return kms.BuildS3EncryptionContext(bucketName, objectKey, useBucketKey)
}
// parseEncryptionContext parses the user-provided encryption context from base64 JSON
func parseEncryptionContext(contextHeader string) (map[string]string, error) {
if contextHeader == "" {
return nil, nil
}
// Decode base64
contextBytes, err := base64.StdEncoding.DecodeString(contextHeader)
if err != nil {
return nil, fmt.Errorf("invalid base64 encoding in encryption context: %w", err)
}
// Parse JSON
var context map[string]string
if err := json.Unmarshal(contextBytes, &context); err != nil {
return nil, fmt.Errorf("invalid JSON in encryption context: %w", err)
}
// Validate context keys and values
for k, v := range context {
if k == "" || v == "" {
return nil, fmt.Errorf("encryption context keys and values cannot be empty")
}
// AWS KMS has limits on context key/value length (256 chars each)
if len(k) > 256 || len(v) > 256 {
return nil, fmt.Errorf("encryption context key or value too long (max 256 characters)")
}
}
return context, nil
}
// SerializeSSEKMSMetadata serializes SSE-KMS metadata for storage in object metadata
func SerializeSSEKMSMetadata(sseKey *SSEKMSKey) ([]byte, error) {
if err := ValidateSSEKMSKey(sseKey); err != nil {
return nil, err
}
metadata := &SSEKMSMetadata{
Algorithm: s3_constants.SSEAlgorithmKMS,
KeyID: sseKey.KeyID,
EncryptedDataKey: base64.StdEncoding.EncodeToString(sseKey.EncryptedDataKey),
EncryptionContext: sseKey.EncryptionContext,
BucketKeyEnabled: sseKey.BucketKeyEnabled,
IV: base64.StdEncoding.EncodeToString(sseKey.IV), // Store IV for decryption
PartOffset: sseKey.ChunkOffset, // Store within-part offset
}
data, err := json.Marshal(metadata)
if err != nil {
return nil, fmt.Errorf("failed to marshal SSE-KMS metadata: %w", err)
}
glog.V(4).Infof("Serialized SSE-KMS metadata: keyID=%s, bucketKey=%t", sseKey.KeyID, sseKey.BucketKeyEnabled)
return data, nil
}
// DeserializeSSEKMSMetadata deserializes SSE-KMS metadata from storage and reconstructs the SSE-KMS key
func DeserializeSSEKMSMetadata(data []byte) (*SSEKMSKey, error) {
if len(data) == 0 {
return nil, fmt.Errorf("empty SSE-KMS metadata")
}
var metadata SSEKMSMetadata
if err := json.Unmarshal(data, &metadata); err != nil {
return nil, fmt.Errorf("failed to unmarshal SSE-KMS metadata: %w", err)
}
// Validate algorithm - be lenient with missing/empty algorithm for backward compatibility
if metadata.Algorithm != "" && metadata.Algorithm != s3_constants.SSEAlgorithmKMS {
return nil, fmt.Errorf("invalid SSE-KMS algorithm: %s", metadata.Algorithm)
}
// Set default algorithm if empty
if metadata.Algorithm == "" {
metadata.Algorithm = s3_constants.SSEAlgorithmKMS
}
// Decode the encrypted data key
encryptedDataKey, err := base64.StdEncoding.DecodeString(metadata.EncryptedDataKey)
if err != nil {
return nil, fmt.Errorf("failed to decode encrypted data key: %w", err)
}
// Decode the IV
var iv []byte
if metadata.IV != "" {
iv, err = base64.StdEncoding.DecodeString(metadata.IV)
if err != nil {
return nil, fmt.Errorf("failed to decode IV: %w", err)
}
}
sseKey := &SSEKMSKey{
KeyID: metadata.KeyID,
EncryptedDataKey: encryptedDataKey,
EncryptionContext: metadata.EncryptionContext,
BucketKeyEnabled: metadata.BucketKeyEnabled,
IV: iv, // Restore IV for decryption
ChunkOffset: metadata.PartOffset, // Use stored within-part offset
}
glog.V(4).Infof("Deserialized SSE-KMS metadata: keyID=%s, bucketKey=%t", sseKey.KeyID, sseKey.BucketKeyEnabled)
return sseKey, nil
}
// SSECMetadata represents SSE-C metadata for per-chunk storage (unified with SSE-KMS approach)
type SSECMetadata struct {
Algorithm string `json:"algorithm"` // SSE-C algorithm (always "AES256")
IV string `json:"iv"` // Base64-encoded initialization vector for this chunk
KeyMD5 string `json:"keyMD5"` // MD5 of the customer-provided key
PartOffset int64 `json:"partOffset"` // Offset within original multipart part (for IV calculation)
}
// SerializeSSECMetadata serializes SSE-C metadata for storage in chunk metadata
func SerializeSSECMetadata(iv []byte, keyMD5 string, partOffset int64) ([]byte, error) {
if err := ValidateIV(iv, "IV"); err != nil {
return nil, err
}
metadata := &SSECMetadata{
Algorithm: s3_constants.SSEAlgorithmAES256,
IV: base64.StdEncoding.EncodeToString(iv),
KeyMD5: keyMD5,
PartOffset: partOffset,
}
data, err := json.Marshal(metadata)
if err != nil {
return nil, fmt.Errorf("failed to marshal SSE-C metadata: %w", err)
}
glog.V(4).Infof("Serialized SSE-C metadata: keyMD5=%s, partOffset=%d", keyMD5, partOffset)
return data, nil
}
// DeserializeSSECMetadata deserializes SSE-C metadata from chunk storage
func DeserializeSSECMetadata(data []byte) (*SSECMetadata, error) {
if len(data) == 0 {
return nil, fmt.Errorf("empty SSE-C metadata")
}
var metadata SSECMetadata
if err := json.Unmarshal(data, &metadata); err != nil {
return nil, fmt.Errorf("failed to unmarshal SSE-C metadata: %w", err)
}
// Validate algorithm
if metadata.Algorithm != s3_constants.SSEAlgorithmAES256 {
return nil, fmt.Errorf("invalid SSE-C algorithm: %s", metadata.Algorithm)
}
// Validate IV
if metadata.IV == "" {
return nil, fmt.Errorf("missing IV in SSE-C metadata")
}
if _, err := base64.StdEncoding.DecodeString(metadata.IV); err != nil {
return nil, fmt.Errorf("invalid base64 IV in SSE-C metadata: %w", err)
}
glog.V(4).Infof("Deserialized SSE-C metadata: keyMD5=%s, partOffset=%d", metadata.KeyMD5, metadata.PartOffset)
return &metadata, nil
}
// AddSSEKMSResponseHeaders adds SSE-KMS response headers to an HTTP response
func AddSSEKMSResponseHeaders(w http.ResponseWriter, sseKey *SSEKMSKey) {
w.Header().Set(s3_constants.AmzServerSideEncryption, s3_constants.SSEAlgorithmKMS)
w.Header().Set(s3_constants.AmzServerSideEncryptionAwsKmsKeyId, sseKey.KeyID)
if len(sseKey.EncryptionContext) > 0 {
// Encode encryption context as base64 JSON
contextBytes, err := json.Marshal(sseKey.EncryptionContext)
if err == nil {
contextB64 := base64.StdEncoding.EncodeToString(contextBytes)
w.Header().Set(s3_constants.AmzServerSideEncryptionContext, contextB64)
} else {
glog.Errorf("Failed to encode encryption context: %v", err)
}
}
if sseKey.BucketKeyEnabled {
w.Header().Set(s3_constants.AmzServerSideEncryptionBucketKeyEnabled, "true")
}
}
// IsSSEKMSRequest checks if the request contains SSE-KMS headers
func IsSSEKMSRequest(r *http.Request) bool {
// If SSE-C headers are present, this is not an SSE-KMS request (they are mutually exclusive)
if r.Header.Get(s3_constants.AmzServerSideEncryptionCustomerAlgorithm) != "" {
return false
}
// According to AWS S3 specification, SSE-KMS is only valid when the encryption header
// is explicitly set to "aws:kms". The KMS key ID header alone is not sufficient.
sseAlgorithm := r.Header.Get(s3_constants.AmzServerSideEncryption)
return sseAlgorithm == s3_constants.SSEAlgorithmKMS
}
// IsSSEKMSEncrypted checks if the metadata indicates SSE-KMS encryption
func IsSSEKMSEncrypted(metadata map[string][]byte) bool {
if metadata == nil {
return false
}
// The canonical way to identify an SSE-KMS encrypted object is by this header.
if sseAlgorithm, exists := metadata[s3_constants.AmzServerSideEncryption]; exists {
return string(sseAlgorithm) == s3_constants.SSEAlgorithmKMS
}
return false
}
// IsAnySSEEncrypted checks if metadata indicates any type of SSE encryption
func IsAnySSEEncrypted(metadata map[string][]byte) bool {
if metadata == nil {
return false
}
// Check for any SSE type
if IsSSECEncrypted(metadata) {
return true
}
if IsSSEKMSEncrypted(metadata) {
return true
}
// Check for SSE-S3
if sseAlgorithm, exists := metadata[s3_constants.AmzServerSideEncryption]; exists {
return string(sseAlgorithm) == s3_constants.SSEAlgorithmAES256
}
return false
}
// MapKMSErrorToS3Error maps KMS errors to appropriate S3 error codes
func MapKMSErrorToS3Error(err error) s3err.ErrorCode {
if err == nil {
return s3err.ErrNone
}
// Check if it's a KMS error
kmsErr, ok := err.(*kms.KMSError)
if !ok {
return s3err.ErrInternalError
}
switch kmsErr.Code {
case kms.ErrCodeNotFoundException:
return s3err.ErrKMSKeyNotFound
case kms.ErrCodeAccessDenied:
return s3err.ErrKMSAccessDenied
case kms.ErrCodeKeyUnavailable:
return s3err.ErrKMSDisabled
case kms.ErrCodeInvalidKeyUsage:
return s3err.ErrKMSAccessDenied
case kms.ErrCodeInvalidCiphertext:
return s3err.ErrKMSInvalidCiphertext
default:
glog.Errorf("Unmapped KMS error: %s - %s", kmsErr.Code, kmsErr.Message)
return s3err.ErrInternalError
}
}
// SSEKMSCopyStrategy represents different strategies for copying SSE-KMS encrypted objects
type SSEKMSCopyStrategy int
const (
// SSEKMSCopyStrategyDirect - Direct chunk copy (same key, no re-encryption needed)
SSEKMSCopyStrategyDirect SSEKMSCopyStrategy = iota
// SSEKMSCopyStrategyDecryptEncrypt - Decrypt source and re-encrypt for destination
SSEKMSCopyStrategyDecryptEncrypt
)
// String returns string representation of the strategy
func (s SSEKMSCopyStrategy) String() string {
switch s {
case SSEKMSCopyStrategyDirect:
return "Direct"
case SSEKMSCopyStrategyDecryptEncrypt:
return "DecryptEncrypt"
default:
return "Unknown"
}
}
// GetSourceSSEKMSInfo extracts SSE-KMS information from source object metadata
func GetSourceSSEKMSInfo(metadata map[string][]byte) (keyID string, isEncrypted bool) {
if sseAlgorithm, exists := metadata[s3_constants.AmzServerSideEncryption]; exists && string(sseAlgorithm) == s3_constants.SSEAlgorithmKMS {
if kmsKeyID, exists := metadata[s3_constants.AmzServerSideEncryptionAwsKmsKeyId]; exists {
return string(kmsKeyID), true
}
return "", true // SSE-KMS with default key
}
return "", false
}
// CanDirectCopySSEKMS determines if we can directly copy chunks without decrypt/re-encrypt
func CanDirectCopySSEKMS(srcMetadata map[string][]byte, destKeyID string) bool {
srcKeyID, srcEncrypted := GetSourceSSEKMSInfo(srcMetadata)
// Case 1: Source unencrypted, destination unencrypted -> Direct copy
if !srcEncrypted && destKeyID == "" {
return true
}
// Case 2: Source encrypted with same KMS key as destination -> Direct copy
if srcEncrypted && destKeyID != "" {
// Same key if key IDs match (empty means default key)
return srcKeyID == destKeyID
}
// All other cases require decrypt/re-encrypt
return false
}
// DetermineSSEKMSCopyStrategy determines the optimal copy strategy for SSE-KMS
func DetermineSSEKMSCopyStrategy(srcMetadata map[string][]byte, destKeyID string) (SSEKMSCopyStrategy, error) {
if CanDirectCopySSEKMS(srcMetadata, destKeyID) {
return SSEKMSCopyStrategyDirect, nil
}
return SSEKMSCopyStrategyDecryptEncrypt, nil
}
// ParseSSEKMSCopyHeaders parses SSE-KMS headers from copy request
func ParseSSEKMSCopyHeaders(r *http.Request) (destKeyID string, encryptionContext map[string]string, bucketKeyEnabled bool, err error) {
// Check if this is an SSE-KMS request
if !IsSSEKMSRequest(r) {
return "", nil, false, nil
}
// Get destination KMS key ID
destKeyID = r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
// Validate key ID if provided
if destKeyID != "" && !isValidKMSKeyID(destKeyID) {
return "", nil, false, fmt.Errorf("invalid KMS key ID: %s", destKeyID)
}
// Parse encryption context if provided
if contextHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionContext); contextHeader != "" {
contextBytes, decodeErr := base64.StdEncoding.DecodeString(contextHeader)
if decodeErr != nil {
return "", nil, false, fmt.Errorf("invalid encryption context encoding: %v", decodeErr)
}
if unmarshalErr := json.Unmarshal(contextBytes, &encryptionContext); unmarshalErr != nil {
return "", nil, false, fmt.Errorf("invalid encryption context JSON: %v", unmarshalErr)
}
}
// Parse bucket key enabled flag
if bucketKeyHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionBucketKeyEnabled); bucketKeyHeader != "" {
bucketKeyEnabled = strings.ToLower(bucketKeyHeader) == "true"
}
return destKeyID, encryptionContext, bucketKeyEnabled, nil
}
// UnifiedCopyStrategy represents all possible copy strategies across encryption types
type UnifiedCopyStrategy int
const (
// CopyStrategyDirect - Direct chunk copy (no encryption changes)
CopyStrategyDirect UnifiedCopyStrategy = iota
// CopyStrategyEncrypt - Encrypt during copy (plain → encrypted)
CopyStrategyEncrypt
// CopyStrategyDecrypt - Decrypt during copy (encrypted → plain)
CopyStrategyDecrypt
// CopyStrategyReencrypt - Decrypt and re-encrypt (different keys/methods)
CopyStrategyReencrypt
// CopyStrategyKeyRotation - Same object, different key (metadata-only update)
CopyStrategyKeyRotation
)
// String returns string representation of the unified strategy
func (s UnifiedCopyStrategy) String() string {
switch s {
case CopyStrategyDirect:
return "Direct"
case CopyStrategyEncrypt:
return "Encrypt"
case CopyStrategyDecrypt:
return "Decrypt"
case CopyStrategyReencrypt:
return "Reencrypt"
case CopyStrategyKeyRotation:
return "KeyRotation"
default:
return "Unknown"
}
}
// EncryptionState represents the encryption state of source and destination
type EncryptionState struct {
SrcSSEC bool
SrcSSEKMS bool
SrcSSES3 bool
DstSSEC bool
DstSSEKMS bool
DstSSES3 bool
SameObject bool
}
// IsSourceEncrypted returns true if source has any encryption
func (e *EncryptionState) IsSourceEncrypted() bool {
return e.SrcSSEC || e.SrcSSEKMS || e.SrcSSES3
}
// IsTargetEncrypted returns true if target should be encrypted
func (e *EncryptionState) IsTargetEncrypted() bool {
return e.DstSSEC || e.DstSSEKMS || e.DstSSES3
}
// DetermineUnifiedCopyStrategy determines the optimal copy strategy for all encryption types
func DetermineUnifiedCopyStrategy(state *EncryptionState, srcMetadata map[string][]byte, r *http.Request) (UnifiedCopyStrategy, error) {
// Key rotation: same object with different encryption
if state.SameObject && state.IsSourceEncrypted() && state.IsTargetEncrypted() {
// Check if it's actually a key change
if state.SrcSSEC && state.DstSSEC {
// SSE-C key rotation - need to compare keys
return CopyStrategyKeyRotation, nil
}
if state.SrcSSEKMS && state.DstSSEKMS {
// SSE-KMS key rotation - need to compare key IDs
srcKeyID, _ := GetSourceSSEKMSInfo(srcMetadata)
dstKeyID := r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
if srcKeyID != dstKeyID {
return CopyStrategyKeyRotation, nil
}
}
}
// Direct copy: no encryption changes
if !state.IsSourceEncrypted() && !state.IsTargetEncrypted() {
return CopyStrategyDirect, nil
}
// Same encryption type and key
if state.SrcSSEKMS && state.DstSSEKMS {
srcKeyID, _ := GetSourceSSEKMSInfo(srcMetadata)
dstKeyID := r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
if srcKeyID == dstKeyID {
return CopyStrategyDirect, nil
}
}
if state.SrcSSEC && state.DstSSEC {
// For SSE-C, we'd need to compare the actual keys, but we can't do that securely
// So we assume different keys and use reencrypt strategy
return CopyStrategyReencrypt, nil
}
// Encrypt: plain → encrypted
if !state.IsSourceEncrypted() && state.IsTargetEncrypted() {
return CopyStrategyEncrypt, nil
}
// Decrypt: encrypted → plain
if state.IsSourceEncrypted() && !state.IsTargetEncrypted() {
return CopyStrategyDecrypt, nil
}
// Reencrypt: different encryption types or keys
if state.IsSourceEncrypted() && state.IsTargetEncrypted() {
return CopyStrategyReencrypt, nil
}
return CopyStrategyDirect, nil
}
// DetectEncryptionState analyzes the source metadata and request headers to determine encryption state
func DetectEncryptionState(srcMetadata map[string][]byte, r *http.Request, srcPath, dstPath string) *EncryptionState {
state := &EncryptionState{
SrcSSEC: IsSSECEncrypted(srcMetadata),
SrcSSEKMS: IsSSEKMSEncrypted(srcMetadata),
SrcSSES3: IsSSES3EncryptedInternal(srcMetadata),
DstSSEC: IsSSECRequest(r),
DstSSEKMS: IsSSEKMSRequest(r),
DstSSES3: IsSSES3RequestInternal(r),
SameObject: srcPath == dstPath,
}
return state
}
// DetectEncryptionStateWithEntry analyzes the source entry and request headers to determine encryption state
// This version can detect multipart encrypted objects by examining chunks
func DetectEncryptionStateWithEntry(entry *filer_pb.Entry, r *http.Request, srcPath, dstPath string) *EncryptionState {
state := &EncryptionState{
SrcSSEC: IsSSECEncryptedWithEntry(entry),
SrcSSEKMS: IsSSEKMSEncryptedWithEntry(entry),
SrcSSES3: IsSSES3EncryptedInternal(entry.Extended),
DstSSEC: IsSSECRequest(r),
DstSSEKMS: IsSSEKMSRequest(r),
DstSSES3: IsSSES3RequestInternal(r),
SameObject: srcPath == dstPath,
}
return state
}
// IsSSEKMSEncryptedWithEntry detects SSE-KMS encryption from entry (including multipart objects)
func IsSSEKMSEncryptedWithEntry(entry *filer_pb.Entry) bool {
if entry == nil {
return false
}
// Check object-level metadata first
if IsSSEKMSEncrypted(entry.Extended) {
return true
}
// Check for multipart SSE-KMS by examining chunks
if len(entry.GetChunks()) > 0 {
for _, chunk := range entry.GetChunks() {
if chunk.GetSseType() == filer_pb.SSEType_SSE_KMS {
return true
}
}
}
return false
}
// IsSSECEncryptedWithEntry detects SSE-C encryption from entry (including multipart objects)
func IsSSECEncryptedWithEntry(entry *filer_pb.Entry) bool {
if entry == nil {
return false
}
// Check object-level metadata first
if IsSSECEncrypted(entry.Extended) {
return true
}
// Check for multipart SSE-C by examining chunks
if len(entry.GetChunks()) > 0 {
for _, chunk := range entry.GetChunks() {
if chunk.GetSseType() == filer_pb.SSEType_SSE_C {
return true
}
}
}
return false
}
// Helper functions for SSE-C detection are in s3_sse_c.go
Reference in New Issue View Git Blame Copy Permalink