Indicate backend encrypted only if encryption is requested (#8508)

2025-01-11 15:03:22 -05:00 · 2019-11-11 18:42:10 -08:00 · 2019-11-11 18:42:10 -08:00 · 1027afa853
commit 1027afa853
parent aa04f97f95
3 changed files with 13 additions and 14 deletions
--- a/cmd/admin-handlers-config-kv.go
+++ b/cmd/admin-handlers-config-kv.go
@ -183,7 +183,9 @@ func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Requ
 	}

 	// Make sure to write backend is encrypted
-	saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	if globalConfigEncrypted {
+		saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	}
 }

 // GetConfigKVHandler - GET /minio/admin/v2/get-config-kv?key={key}
@ -447,7 +449,9 @@ func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Reques
 	}

 	// Make sure to write backend is encrypted
-	saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	if globalConfigEncrypted {
+		saveConfig(context.Background(), objectAPI, backendEncryptedFile, backendEncryptedMigrationComplete)
+	}

 	// Reply to the client before restarting minio server.
 	writeSuccessResponseHeadersOnly(w)
--- a/cmd/config-encrypted.go
+++ b/cmd/config-encrypted.go
@ -19,11 +19,12 @@ package cmd
 import (
 	"bytes"
 	"context"
+	"errors"
 	"os"
 	"strings"
+	"unicode/utf8"

 	etcd "github.com/coreos/etcd/clientv3"
-	jsoniter "github.com/json-iterator/go"
 	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
@ -260,11 +261,8 @@ func migrateIAMConfigsEtcdToEncrypted(client *etcd.Client) error {
 			data = cdata
 		}

-		// Attempt to unmarshal JSON content
-		var dummy map[string]interface{}
-		var json = jsoniter.ConfigCompatibleWithStandardLibrary
-		if err = json.Unmarshal(data, &dummy); err != nil {
-			return err
+		if !utf8.Valid(data) {
+			return errors.New("config data not in plain-text form")
 		}

 		cencdata, err = madmin.EncryptData(globalActiveCred.String(), data)
@ -335,11 +333,8 @@ func migrateConfigPrefixToEncrypted(objAPI ObjectLayer, activeCredOld auth.Crede
 				data = cdata
 			}

-			// Attempt to unmarshal JSON content
-			var dummy map[string]interface{}
-			var json = jsoniter.ConfigCompatibleWithStandardLibrary
-			if err = json.Unmarshal(data, &dummy); err != nil {
-				return err
+			if !utf8.Valid(data) {
+				return errors.New("config data not in plain-text form")
 			}

 			cencdata, err = madmin.EncryptData(globalActiveCred.String(), data)
--- a/cmd/logger/config.go
+++ b/cmd/logger/config.go
@ -193,7 +193,7 @@ func LookupConfig(scfg config.Config) (Config, error) {
 		if starget != config.Default {
 			authTokenEnv = EnvLoggerHTTPAuditAuthToken + config.Default + starget
 		}
-		cfg.HTTP[starget] = HTTP{
+		cfg.Audit[starget] = HTTP{
 			Enabled:   true,
 			Endpoint:  endpoint,
 			AuthToken: env.Get(authTokenEnv, kv.Get(AuthToken)),