MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-25 13:43:17 -05:00
Code Issues Packages Projects Releases Wiki Activity

Encrypt checksums with KMS on CompleteMultipartUpload (#16177)

Browse Source
This commit is contained in:
Klaus Post 2022-12-07 19:18:18 +01:00 committed by GitHub
parent 90d35b70b4
commit 12fd6678ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
cmd/erasure-multipart.go
View File

@ -993,15 +993,35 @@ func (er erasureObjects) CompleteMultipartUpload(ctx context.Context, bucket str
// //
// Therefore, we adjust all ETags sent by the client to match what is stored // Therefore, we adjust all ETags sent by the client to match what is stored
// on the backend. // on the backend.
kind, isEncrypted := crypto.IsEncrypted(fi.Metadata) kind, _ := crypto.IsEncrypted(fi.Metadata)
var objectEncryptionKey []byte var objectEncryptionKey []byte
if isEncrypted && kind == crypto.S3 { switch kind {
case crypto.SSEC:
if checksumType.IsSet() {
if opts.EncryptFn == nil {
return oi, crypto.ErrMissingCustomerKey
}
baseKey := opts.EncryptFn("", nil)
if len(baseKey) != 32 {
return oi, crypto.ErrInvalidCustomerKey
}
objectEncryptionKey, err = decryptObjectMeta(baseKey, bucket, object, fi.Metadata)
if err != nil {
return oi, err
}
}
case crypto.S3, crypto.S3KMS:
objectEncryptionKey, err = decryptObjectMeta(nil, bucket, object, fi.Metadata) objectEncryptionKey, err = decryptObjectMeta(nil, bucket, object, fi.Metadata)
if err != nil { if err != nil {
return oi, err return oi, err
} }
} }
if len(objectEncryptionKey) == 32 {
var key crypto.ObjectKey
copy(key[:], objectEncryptionKey)
opts.EncryptFn = metadataEncrypter(key)
}
for i, part := range partInfoFiles { for i, part := range partInfoFiles {
partID := parts[i].PartNumber partID := parts[i].PartNumber

11
cmd/object-api-options.go
View File

@ -374,5 +374,16 @@ func completeMultipartOpts(ctx context.Context, r *http.Request, bucket, object
} }
opts.MTime = mtime opts.MTime = mtime
opts.UserDefined = make(map[string]string) opts.UserDefined = make(map[string]string)
// Transfer SSEC key in opts.EncryptFn
if crypto.SSEC.IsRequested(r.Header) {
key, err := ParseSSECustomerRequest(r)
if err == nil {
// Set EncryptFn to return SSEC key
opts.EncryptFn = func(baseKey string, data []byte) []byte {
return key
}
}
}
return opts, nil return opts, nil
} }

1
cmd/test-utils_test.go
View File

@ -2267,6 +2267,7 @@ func uploadTestObject(t *testing.T, apiRouter http.Handler, creds auth.Credentia
} }
checkRespErr := func(rec *httptest.ResponseRecorder, exp int) { checkRespErr := func(rec *httptest.ResponseRecorder, exp int) {
t.Helper()
if rec.Code != exp { if rec.Code != exp {
b, err := io.ReadAll(rec.Body) b, err := io.ReadAll(rec.Body)
t.Fatalf("Expected: %v, Got: %v, Body: %s, err: %v", exp, rec.Code, string(b), err) t.Fatalf("Expected: %v, Got: %v, Body: %s, err: %v", exp, rec.Code, string(b), err)