From 48640b1de214c7dbb8fe1a7ca2d7bbfa724d3eac Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Tue, 16 Aug 2022 11:28:30 -0700 Subject: [PATCH] fix: trim arn:aws:kms from incoming SSE aws-kms-key-id (#15540) --- cmd/api-errors.go | 10 +- cmd/apierrorcode_string.go | 343 +++++++++--------- cmd/encryption-v1.go | 2 +- .../bucket/encryption/bucket-sse-config.go | 10 +- .../encryption/bucket-sse-config_test.go | 24 +- internal/crypto/error.go | 3 + internal/crypto/metadata.go | 3 + internal/crypto/sse-kms.go | 15 +- 8 files changed, 227 insertions(+), 183 deletions(-) diff --git a/cmd/api-errors.go b/cmd/api-errors.go index 9760495af..5bdc58034 100644 --- a/cmd/api-errors.go +++ b/cmd/api-errors.go @@ -196,8 +196,9 @@ const ( ErrInvalidTagDirective // Add new error codes here. - // SSE-S3 related API errors + // SSE-S3/SSE-KMS related API errors ErrInvalidEncryptionMethod + ErrInvalidEncryptionKeyID // Server-Side-Encryption (with Customer provided key) related API errors. ErrInsecureSSECustomerRequest @@ -1072,6 +1073,11 @@ var errorCodes = errorCodeMap{ Description: "The encryption method specified is not supported", HTTPStatusCode: http.StatusBadRequest, }, + ErrInvalidEncryptionKeyID: { + Code: "InvalidRequest", + Description: "The specified KMS KeyID contains unsupported characters", + HTTPStatusCode: http.StatusBadRequest, + }, ErrInsecureSSECustomerRequest: { Code: "InvalidRequest", Description: "Requests specifying Server Side Encryption with Customer provided keys must be made over a secure connection.", @@ -1921,6 +1927,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) { apiErr = ErrInvalidEncryptionParameters case crypto.ErrInvalidEncryptionMethod: apiErr = ErrInvalidEncryptionMethod + case crypto.ErrInvalidEncryptionKeyID: + apiErr = ErrInvalidEncryptionKeyID case crypto.ErrInvalidCustomerAlgorithm: apiErr = ErrInvalidSSECustomerAlgorithm case crypto.ErrMissingCustomerKey: diff --git a/cmd/apierrorcode_string.go b/cmd/apierrorcode_string.go index 4552d751f..4dc6b888b 100644 --- a/cmd/apierrorcode_string.go +++ b/cmd/apierrorcode_string.go @@ -130,180 +130,181 @@ func _() { _ = x[ErrObjectLockInvalidHeaders-119] _ = x[ErrInvalidTagDirective-120] _ = x[ErrInvalidEncryptionMethod-121] - _ = x[ErrInsecureSSECustomerRequest-122] - _ = x[ErrSSEMultipartEncrypted-123] - _ = x[ErrSSEEncryptedObject-124] - _ = x[ErrInvalidEncryptionParameters-125] - _ = x[ErrInvalidSSECustomerAlgorithm-126] - _ = x[ErrInvalidSSECustomerKey-127] - _ = x[ErrMissingSSECustomerKey-128] - _ = x[ErrMissingSSECustomerKeyMD5-129] - _ = x[ErrSSECustomerKeyMD5Mismatch-130] - _ = x[ErrInvalidSSECustomerParameters-131] - _ = x[ErrIncompatibleEncryptionMethod-132] - _ = x[ErrKMSNotConfigured-133] - _ = x[ErrKMSKeyNotFoundException-134] - _ = x[ErrNoAccessKey-135] - _ = x[ErrInvalidToken-136] - _ = x[ErrEventNotification-137] - _ = x[ErrARNNotification-138] - _ = x[ErrRegionNotification-139] - _ = x[ErrOverlappingFilterNotification-140] - _ = x[ErrFilterNameInvalid-141] - _ = x[ErrFilterNamePrefix-142] - _ = x[ErrFilterNameSuffix-143] - _ = x[ErrFilterValueInvalid-144] - _ = x[ErrOverlappingConfigs-145] - _ = x[ErrUnsupportedNotification-146] - _ = x[ErrContentSHA256Mismatch-147] - _ = x[ErrReadQuorum-148] - _ = x[ErrWriteQuorum-149] - _ = x[ErrStorageFull-150] - _ = x[ErrRequestBodyParse-151] - _ = x[ErrObjectExistsAsDirectory-152] - _ = x[ErrInvalidObjectName-153] - _ = x[ErrInvalidObjectNamePrefixSlash-154] - _ = x[ErrInvalidResourceName-155] - _ = x[ErrServerNotInitialized-156] - _ = x[ErrOperationTimedOut-157] - _ = x[ErrClientDisconnected-158] - _ = x[ErrOperationMaxedOut-159] - _ = x[ErrInvalidRequest-160] - _ = x[ErrTransitionStorageClassNotFoundError-161] - _ = x[ErrInvalidStorageClass-162] - _ = x[ErrBackendDown-163] - _ = x[ErrMalformedJSON-164] - _ = x[ErrAdminNoSuchUser-165] - _ = x[ErrAdminNoSuchGroup-166] - _ = x[ErrAdminGroupNotEmpty-167] - _ = x[ErrAdminNoSuchPolicy-168] - _ = x[ErrAdminInvalidArgument-169] - _ = x[ErrAdminInvalidAccessKey-170] - _ = x[ErrAdminInvalidSecretKey-171] - _ = x[ErrAdminConfigNoQuorum-172] - _ = x[ErrAdminConfigTooLarge-173] - _ = x[ErrAdminConfigBadJSON-174] - _ = x[ErrAdminNoSuchConfigTarget-175] - _ = x[ErrAdminConfigEnvOverridden-176] - _ = x[ErrAdminConfigDuplicateKeys-177] - _ = x[ErrAdminCredentialsMismatch-178] - _ = x[ErrInsecureClientRequest-179] - _ = x[ErrObjectTampered-180] - _ = x[ErrSiteReplicationInvalidRequest-181] - _ = x[ErrSiteReplicationPeerResp-182] - _ = x[ErrSiteReplicationBackendIssue-183] - _ = x[ErrSiteReplicationServiceAccountError-184] - _ = x[ErrSiteReplicationBucketConfigError-185] - _ = x[ErrSiteReplicationBucketMetaError-186] - _ = x[ErrSiteReplicationIAMError-187] - _ = x[ErrSiteReplicationConfigMissing-188] - _ = x[ErrAdminBucketQuotaExceeded-189] - _ = x[ErrAdminNoSuchQuotaConfiguration-190] - _ = x[ErrHealNotImplemented-191] - _ = x[ErrHealNoSuchProcess-192] - _ = x[ErrHealInvalidClientToken-193] - _ = x[ErrHealMissingBucket-194] - _ = x[ErrHealAlreadyRunning-195] - _ = x[ErrHealOverlappingPaths-196] - _ = x[ErrIncorrectContinuationToken-197] - _ = x[ErrEmptyRequestBody-198] - _ = x[ErrUnsupportedFunction-199] - _ = x[ErrInvalidExpressionType-200] - _ = x[ErrBusy-201] - _ = x[ErrUnauthorizedAccess-202] - _ = x[ErrExpressionTooLong-203] - _ = x[ErrIllegalSQLFunctionArgument-204] - _ = x[ErrInvalidKeyPath-205] - _ = x[ErrInvalidCompressionFormat-206] - _ = x[ErrInvalidFileHeaderInfo-207] - _ = x[ErrInvalidJSONType-208] - _ = x[ErrInvalidQuoteFields-209] - _ = x[ErrInvalidRequestParameter-210] - _ = x[ErrInvalidDataType-211] - _ = x[ErrInvalidTextEncoding-212] - _ = x[ErrInvalidDataSource-213] - _ = x[ErrInvalidTableAlias-214] - _ = x[ErrMissingRequiredParameter-215] - _ = x[ErrObjectSerializationConflict-216] - _ = x[ErrUnsupportedSQLOperation-217] - _ = x[ErrUnsupportedSQLStructure-218] - _ = x[ErrUnsupportedSyntax-219] - _ = x[ErrUnsupportedRangeHeader-220] - _ = x[ErrLexerInvalidChar-221] - _ = x[ErrLexerInvalidOperator-222] - _ = x[ErrLexerInvalidLiteral-223] - _ = x[ErrLexerInvalidIONLiteral-224] - _ = x[ErrParseExpectedDatePart-225] - _ = x[ErrParseExpectedKeyword-226] - _ = x[ErrParseExpectedTokenType-227] - _ = x[ErrParseExpected2TokenTypes-228] - _ = x[ErrParseExpectedNumber-229] - _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-230] - _ = x[ErrParseExpectedTypeName-231] - _ = x[ErrParseExpectedWhenClause-232] - _ = x[ErrParseUnsupportedToken-233] - _ = x[ErrParseUnsupportedLiteralsGroupBy-234] - _ = x[ErrParseExpectedMember-235] - _ = x[ErrParseUnsupportedSelect-236] - _ = x[ErrParseUnsupportedCase-237] - _ = x[ErrParseUnsupportedCaseClause-238] - _ = x[ErrParseUnsupportedAlias-239] - _ = x[ErrParseUnsupportedSyntax-240] - _ = x[ErrParseUnknownOperator-241] - _ = x[ErrParseMissingIdentAfterAt-242] - _ = x[ErrParseUnexpectedOperator-243] - _ = x[ErrParseUnexpectedTerm-244] - _ = x[ErrParseUnexpectedToken-245] - _ = x[ErrParseUnexpectedKeyword-246] - _ = x[ErrParseExpectedExpression-247] - _ = x[ErrParseExpectedLeftParenAfterCast-248] - _ = x[ErrParseExpectedLeftParenValueConstructor-249] - _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-250] - _ = x[ErrParseExpectedArgumentDelimiter-251] - _ = x[ErrParseCastArity-252] - _ = x[ErrParseInvalidTypeParam-253] - _ = x[ErrParseEmptySelect-254] - _ = x[ErrParseSelectMissingFrom-255] - _ = x[ErrParseExpectedIdentForGroupName-256] - _ = x[ErrParseExpectedIdentForAlias-257] - _ = x[ErrParseUnsupportedCallWithStar-258] - _ = x[ErrParseNonUnaryAgregateFunctionCall-259] - _ = x[ErrParseMalformedJoin-260] - _ = x[ErrParseExpectedIdentForAt-261] - _ = x[ErrParseAsteriskIsNotAloneInSelectList-262] - _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-263] - _ = x[ErrParseInvalidContextForWildcardInSelectList-264] - _ = x[ErrIncorrectSQLFunctionArgumentType-265] - _ = x[ErrValueParseFailure-266] - _ = x[ErrEvaluatorInvalidArguments-267] - _ = x[ErrIntegerOverflow-268] - _ = x[ErrLikeInvalidInputs-269] - _ = x[ErrCastFailed-270] - _ = x[ErrInvalidCast-271] - _ = x[ErrEvaluatorInvalidTimestampFormatPattern-272] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-273] - _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-274] - _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-275] - _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-276] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-277] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-278] - _ = x[ErrEvaluatorBindingDoesNotExist-279] - _ = x[ErrMissingHeaders-280] - _ = x[ErrInvalidColumnIndex-281] - _ = x[ErrAdminConfigNotificationTargetsFailed-282] - _ = x[ErrAdminProfilerNotEnabled-283] - _ = x[ErrInvalidDecompressedSize-284] - _ = x[ErrAddUserInvalidArgument-285] - _ = x[ErrAdminResourceInvalidArgument-286] - _ = x[ErrAdminAccountNotEligible-287] - _ = x[ErrAccountNotEligible-288] - _ = x[ErrAdminServiceAccountNotFound-289] - _ = x[ErrPostPolicyConditionInvalidFormat-290] + _ = x[ErrInvalidEncryptionKeyID-122] + _ = x[ErrInsecureSSECustomerRequest-123] + _ = x[ErrSSEMultipartEncrypted-124] + _ = x[ErrSSEEncryptedObject-125] + _ = x[ErrInvalidEncryptionParameters-126] + _ = x[ErrInvalidSSECustomerAlgorithm-127] + _ = x[ErrInvalidSSECustomerKey-128] + _ = x[ErrMissingSSECustomerKey-129] + _ = x[ErrMissingSSECustomerKeyMD5-130] + _ = x[ErrSSECustomerKeyMD5Mismatch-131] + _ = x[ErrInvalidSSECustomerParameters-132] + _ = x[ErrIncompatibleEncryptionMethod-133] + _ = x[ErrKMSNotConfigured-134] + _ = x[ErrKMSKeyNotFoundException-135] + _ = x[ErrNoAccessKey-136] + _ = x[ErrInvalidToken-137] + _ = x[ErrEventNotification-138] + _ = x[ErrARNNotification-139] + _ = x[ErrRegionNotification-140] + _ = x[ErrOverlappingFilterNotification-141] + _ = x[ErrFilterNameInvalid-142] + _ = x[ErrFilterNamePrefix-143] + _ = x[ErrFilterNameSuffix-144] + _ = x[ErrFilterValueInvalid-145] + _ = x[ErrOverlappingConfigs-146] + _ = x[ErrUnsupportedNotification-147] + _ = x[ErrContentSHA256Mismatch-148] + _ = x[ErrReadQuorum-149] + _ = x[ErrWriteQuorum-150] + _ = x[ErrStorageFull-151] + _ = x[ErrRequestBodyParse-152] + _ = x[ErrObjectExistsAsDirectory-153] + _ = x[ErrInvalidObjectName-154] + _ = x[ErrInvalidObjectNamePrefixSlash-155] + _ = x[ErrInvalidResourceName-156] + _ = x[ErrServerNotInitialized-157] + _ = x[ErrOperationTimedOut-158] + _ = x[ErrClientDisconnected-159] + _ = x[ErrOperationMaxedOut-160] + _ = x[ErrInvalidRequest-161] + _ = x[ErrTransitionStorageClassNotFoundError-162] + _ = x[ErrInvalidStorageClass-163] + _ = x[ErrBackendDown-164] + _ = x[ErrMalformedJSON-165] + _ = x[ErrAdminNoSuchUser-166] + _ = x[ErrAdminNoSuchGroup-167] + _ = x[ErrAdminGroupNotEmpty-168] + _ = x[ErrAdminNoSuchPolicy-169] + _ = x[ErrAdminInvalidArgument-170] + _ = x[ErrAdminInvalidAccessKey-171] + _ = x[ErrAdminInvalidSecretKey-172] + _ = x[ErrAdminConfigNoQuorum-173] + _ = x[ErrAdminConfigTooLarge-174] + _ = x[ErrAdminConfigBadJSON-175] + _ = x[ErrAdminNoSuchConfigTarget-176] + _ = x[ErrAdminConfigEnvOverridden-177] + _ = x[ErrAdminConfigDuplicateKeys-178] + _ = x[ErrAdminCredentialsMismatch-179] + _ = x[ErrInsecureClientRequest-180] + _ = x[ErrObjectTampered-181] + _ = x[ErrSiteReplicationInvalidRequest-182] + _ = x[ErrSiteReplicationPeerResp-183] + _ = x[ErrSiteReplicationBackendIssue-184] + _ = x[ErrSiteReplicationServiceAccountError-185] + _ = x[ErrSiteReplicationBucketConfigError-186] + _ = x[ErrSiteReplicationBucketMetaError-187] + _ = x[ErrSiteReplicationIAMError-188] + _ = x[ErrSiteReplicationConfigMissing-189] + _ = x[ErrAdminBucketQuotaExceeded-190] + _ = x[ErrAdminNoSuchQuotaConfiguration-191] + _ = x[ErrHealNotImplemented-192] + _ = x[ErrHealNoSuchProcess-193] + _ = x[ErrHealInvalidClientToken-194] + _ = x[ErrHealMissingBucket-195] + _ = x[ErrHealAlreadyRunning-196] + _ = x[ErrHealOverlappingPaths-197] + _ = x[ErrIncorrectContinuationToken-198] + _ = x[ErrEmptyRequestBody-199] + _ = x[ErrUnsupportedFunction-200] + _ = x[ErrInvalidExpressionType-201] + _ = x[ErrBusy-202] + _ = x[ErrUnauthorizedAccess-203] + _ = x[ErrExpressionTooLong-204] + _ = x[ErrIllegalSQLFunctionArgument-205] + _ = x[ErrInvalidKeyPath-206] + _ = x[ErrInvalidCompressionFormat-207] + _ = x[ErrInvalidFileHeaderInfo-208] + _ = x[ErrInvalidJSONType-209] + _ = x[ErrInvalidQuoteFields-210] + _ = x[ErrInvalidRequestParameter-211] + _ = x[ErrInvalidDataType-212] + _ = x[ErrInvalidTextEncoding-213] + _ = x[ErrInvalidDataSource-214] + _ = x[ErrInvalidTableAlias-215] + _ = x[ErrMissingRequiredParameter-216] + _ = x[ErrObjectSerializationConflict-217] + _ = x[ErrUnsupportedSQLOperation-218] + _ = x[ErrUnsupportedSQLStructure-219] + _ = x[ErrUnsupportedSyntax-220] + _ = x[ErrUnsupportedRangeHeader-221] + _ = x[ErrLexerInvalidChar-222] + _ = x[ErrLexerInvalidOperator-223] + _ = x[ErrLexerInvalidLiteral-224] + _ = x[ErrLexerInvalidIONLiteral-225] + _ = x[ErrParseExpectedDatePart-226] + _ = x[ErrParseExpectedKeyword-227] + _ = x[ErrParseExpectedTokenType-228] + _ = x[ErrParseExpected2TokenTypes-229] + _ = x[ErrParseExpectedNumber-230] + _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-231] + _ = x[ErrParseExpectedTypeName-232] + _ = x[ErrParseExpectedWhenClause-233] + _ = x[ErrParseUnsupportedToken-234] + _ = x[ErrParseUnsupportedLiteralsGroupBy-235] + _ = x[ErrParseExpectedMember-236] + _ = x[ErrParseUnsupportedSelect-237] + _ = x[ErrParseUnsupportedCase-238] + _ = x[ErrParseUnsupportedCaseClause-239] + _ = x[ErrParseUnsupportedAlias-240] + _ = x[ErrParseUnsupportedSyntax-241] + _ = x[ErrParseUnknownOperator-242] + _ = x[ErrParseMissingIdentAfterAt-243] + _ = x[ErrParseUnexpectedOperator-244] + _ = x[ErrParseUnexpectedTerm-245] + _ = x[ErrParseUnexpectedToken-246] + _ = x[ErrParseUnexpectedKeyword-247] + _ = x[ErrParseExpectedExpression-248] + _ = x[ErrParseExpectedLeftParenAfterCast-249] + _ = x[ErrParseExpectedLeftParenValueConstructor-250] + _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-251] + _ = x[ErrParseExpectedArgumentDelimiter-252] + _ = x[ErrParseCastArity-253] + _ = x[ErrParseInvalidTypeParam-254] + _ = x[ErrParseEmptySelect-255] + _ = x[ErrParseSelectMissingFrom-256] + _ = x[ErrParseExpectedIdentForGroupName-257] + _ = x[ErrParseExpectedIdentForAlias-258] + _ = x[ErrParseUnsupportedCallWithStar-259] + _ = x[ErrParseNonUnaryAgregateFunctionCall-260] + _ = x[ErrParseMalformedJoin-261] + _ = x[ErrParseExpectedIdentForAt-262] + _ = x[ErrParseAsteriskIsNotAloneInSelectList-263] + _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-264] + _ = x[ErrParseInvalidContextForWildcardInSelectList-265] + _ = x[ErrIncorrectSQLFunctionArgumentType-266] + _ = x[ErrValueParseFailure-267] + _ = x[ErrEvaluatorInvalidArguments-268] + _ = x[ErrIntegerOverflow-269] + _ = x[ErrLikeInvalidInputs-270] + _ = x[ErrCastFailed-271] + _ = x[ErrInvalidCast-272] + _ = x[ErrEvaluatorInvalidTimestampFormatPattern-273] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-274] + _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-275] + _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-276] + _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-277] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-278] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-279] + _ = x[ErrEvaluatorBindingDoesNotExist-280] + _ = x[ErrMissingHeaders-281] + _ = x[ErrInvalidColumnIndex-282] + _ = x[ErrAdminConfigNotificationTargetsFailed-283] + _ = x[ErrAdminProfilerNotEnabled-284] + _ = x[ErrInvalidDecompressedSize-285] + _ = x[ErrAddUserInvalidArgument-286] + _ = x[ErrAdminResourceInvalidArgument-287] + _ = x[ErrAdminAccountNotEligible-288] + _ = x[ErrAccountNotEligible-289] + _ = x[ErrAdminServiceAccountNotFound-290] + _ = x[ErrPostPolicyConditionInvalidFormat-291] } -const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledMalformedPolicyMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectiveInvalidEncryptionMethodInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchPolicyAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormat" +const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledMalformedPolicyMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectiveInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchPolicyAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormat" -var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1253, 1283, 1292, 1304, 1320, 1333, 1347, 1365, 1385, 1406, 1422, 1433, 1449, 1477, 1497, 1513, 1541, 1555, 1572, 1587, 1600, 1614, 1627, 1640, 1656, 1673, 1694, 1708, 1729, 1742, 1764, 1787, 1812, 1828, 1843, 1858, 1879, 1897, 1912, 1929, 1954, 1972, 1995, 2010, 2029, 2045, 2064, 2078, 2086, 2105, 2115, 2130, 2166, 2197, 2230, 2259, 2271, 2291, 2315, 2339, 2360, 2384, 2403, 2426, 2452, 2473, 2491, 2518, 2545, 2566, 2587, 2611, 2636, 2664, 2692, 2708, 2731, 2742, 2754, 2771, 2786, 2804, 2833, 2850, 2866, 2882, 2900, 2918, 2941, 2962, 2972, 2983, 2994, 3010, 3033, 3050, 3078, 3097, 3117, 3134, 3152, 3169, 3183, 3218, 3237, 3248, 3261, 3276, 3292, 3310, 3327, 3347, 3368, 3389, 3408, 3427, 3445, 3468, 3492, 3516, 3540, 3561, 3575, 3604, 3627, 3654, 3688, 3720, 3750, 3773, 3801, 3825, 3854, 3872, 3889, 3911, 3928, 3946, 3966, 3992, 4008, 4027, 4048, 4052, 4070, 4087, 4113, 4127, 4151, 4172, 4187, 4205, 4228, 4243, 4262, 4279, 4296, 4320, 4347, 4370, 4393, 4410, 4432, 4448, 4468, 4487, 4509, 4530, 4550, 4572, 4596, 4615, 4657, 4678, 4701, 4722, 4753, 4772, 4794, 4814, 4840, 4861, 4883, 4903, 4927, 4950, 4969, 4989, 5011, 5034, 5065, 5103, 5144, 5174, 5188, 5209, 5225, 5247, 5277, 5303, 5331, 5364, 5382, 5405, 5440, 5480, 5522, 5554, 5571, 5596, 5611, 5628, 5638, 5649, 5687, 5741, 5787, 5839, 5887, 5930, 5974, 6002, 6016, 6034, 6070, 6093, 6116, 6138, 6166, 6189, 6207, 6234, 6266} +var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1253, 1283, 1292, 1304, 1320, 1333, 1347, 1365, 1385, 1406, 1422, 1433, 1449, 1477, 1497, 1513, 1541, 1555, 1572, 1587, 1600, 1614, 1627, 1640, 1656, 1673, 1694, 1708, 1729, 1742, 1764, 1787, 1812, 1828, 1843, 1858, 1879, 1897, 1912, 1929, 1954, 1972, 1995, 2010, 2029, 2045, 2064, 2078, 2086, 2105, 2115, 2130, 2166, 2197, 2230, 2259, 2271, 2291, 2315, 2339, 2360, 2384, 2403, 2426, 2448, 2474, 2495, 2513, 2540, 2567, 2588, 2609, 2633, 2658, 2686, 2714, 2730, 2753, 2764, 2776, 2793, 2808, 2826, 2855, 2872, 2888, 2904, 2922, 2940, 2963, 2984, 2994, 3005, 3016, 3032, 3055, 3072, 3100, 3119, 3139, 3156, 3174, 3191, 3205, 3240, 3259, 3270, 3283, 3298, 3314, 3332, 3349, 3369, 3390, 3411, 3430, 3449, 3467, 3490, 3514, 3538, 3562, 3583, 3597, 3626, 3649, 3676, 3710, 3742, 3772, 3795, 3823, 3847, 3876, 3894, 3911, 3933, 3950, 3968, 3988, 4014, 4030, 4049, 4070, 4074, 4092, 4109, 4135, 4149, 4173, 4194, 4209, 4227, 4250, 4265, 4284, 4301, 4318, 4342, 4369, 4392, 4415, 4432, 4454, 4470, 4490, 4509, 4531, 4552, 4572, 4594, 4618, 4637, 4679, 4700, 4723, 4744, 4775, 4794, 4816, 4836, 4862, 4883, 4905, 4925, 4949, 4972, 4991, 5011, 5033, 5056, 5087, 5125, 5166, 5196, 5210, 5231, 5247, 5269, 5299, 5325, 5353, 5386, 5404, 5427, 5462, 5502, 5544, 5576, 5593, 5618, 5633, 5650, 5660, 5671, 5709, 5763, 5809, 5861, 5909, 5952, 5996, 6024, 6038, 6056, 6092, 6115, 6138, 6160, 6188, 6211, 6229, 6256, 6288} func (i APIErrorCode) String() string { if i < 0 || i >= APIErrorCode(len(_APIErrorCode_index)-1) { diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go index 925ed1bcc..9a947905a 100644 --- a/cmd/encryption-v1.go +++ b/cmd/encryption-v1.go @@ -82,7 +82,7 @@ func (o *MultipartInfo) KMSKeyID() string { return kmsKeyIDFromMetadata(o.UserDe // metadata, if any. It returns an empty ID if no key ID is // present. func kmsKeyIDFromMetadata(metadata map[string]string) string { - const ARNPrefix = "arn:aws:kms:" + const ARNPrefix = crypto.ARNPrefix if len(metadata) == 0 { return "" } diff --git a/internal/bucket/encryption/bucket-sse-config.go b/internal/bucket/encryption/bucket-sse-config.go index 13e6114f6..dbf65dc57 100644 --- a/internal/bucket/encryption/bucket-sse-config.go +++ b/internal/bucket/encryption/bucket-sse-config.go @@ -22,6 +22,7 @@ import ( "errors" "io" "net/http" + "strings" "github.com/minio/minio/internal/crypto" xhttp "github.com/minio/minio/internal/http" @@ -102,9 +103,14 @@ func ParseBucketSSEConfig(r io.Reader) (*BucketSSEConfig, error) { return nil, errors.New("MasterKeyID is allowed with aws:kms only") } case AWSKms: - if rule.DefaultEncryptionAction.MasterKeyID == "" { + keyID := rule.DefaultEncryptionAction.MasterKeyID + if keyID == "" { return nil, errors.New("MasterKeyID is missing with aws:kms") } + spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ") + if spaces { + return nil, errors.New("MasterKeyID contains unsupported characters") + } } } @@ -164,7 +170,7 @@ func (b *BucketSSEConfig) Algo() Algorithm { // empty key ID. func (b *BucketSSEConfig) KeyID() string { for _, rule := range b.Rules { - return rule.DefaultEncryptionAction.MasterKeyID + return strings.TrimPrefix(rule.DefaultEncryptionAction.MasterKeyID, crypto.ARNPrefix) } return "" } diff --git a/internal/bucket/encryption/bucket-sse-config_test.go b/internal/bucket/encryption/bucket-sse-config_test.go index d1f6c6b42..5918e22a7 100644 --- a/internal/bucket/encryption/bucket-sse-config_test.go +++ b/internal/bucket/encryption/bucket-sse-config_test.go @@ -62,7 +62,7 @@ func TestParseBucketSSEConfig(t *testing.T) { { DefaultEncryptionAction: EncryptionAction{ Algorithm: AWSKms, - MasterKeyID: "arn:aws:kms:us-east-1:1234/5678example", + MasterKeyID: "arn:aws:kms:my-minio-key", }, }, }, @@ -70,6 +70,7 @@ func TestParseBucketSSEConfig(t *testing.T) { testCases := []struct { inputXML string + keyID string expectedErr error shouldPass bool expectedConfig *BucketSSEConfig @@ -83,10 +84,11 @@ func TestParseBucketSSEConfig(t *testing.T) { }, // 2. Valid XML SSE-KMS { - inputXML: `aws:kmsarn:aws:kms:us-east-1:1234/5678example`, + inputXML: `aws:kmsarn:aws:kms:my-minio-key`, expectedErr: nil, shouldPass: true, expectedConfig: actualKMSConfig, + keyID: "my-minio-key", }, // 3. Invalid - more than one rule { @@ -119,23 +121,33 @@ func TestParseBucketSSEConfig(t *testing.T) { shouldPass: true, expectedConfig: actualAES256NoNSConfig, }, + // 8. Space characters in MasterKeyID + { + inputXML: `aws:kms arn:aws:kms:my-minio-key `, + expectedErr: errors.New("MasterKeyID contains unsupported characters"), + shouldPass: false, + }, } for i, tc := range testCases { - _, err := ParseBucketSSEConfig(bytes.NewReader([]byte(tc.inputXML))) + ssec, err := ParseBucketSSEConfig(bytes.NewReader([]byte(tc.inputXML))) if tc.shouldPass && err != nil { - t.Fatalf("Test case %d: Expected to succeed but got %s", i+1, err) + t.Errorf("Test case %d: Expected to succeed but got %s", i+1, err) } if !tc.shouldPass { if err == nil || err != nil && err.Error() != tc.expectedErr.Error() { - t.Fatalf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err) + t.Errorf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err) } continue } + if tc.keyID != "" && tc.keyID != ssec.KeyID() { + t.Errorf("Test case %d: Expected bucket encryption KeyID %s but got %s", i+1, tc.keyID, ssec.KeyID()) + } + if expectedXML, err := xml.Marshal(tc.expectedConfig); err != nil || !bytes.Equal(expectedXML, []byte(tc.inputXML)) { - t.Fatalf("Test case %d: Expected bucket encryption XML %s but got %s", i+1, string(expectedXML), tc.inputXML) + t.Errorf("Test case %d: Expected bucket encryption XML %s but got %s", i+1, string(expectedXML), tc.inputXML) } } } diff --git a/internal/crypto/error.go b/internal/crypto/error.go index 7711a05a8..702063431 100644 --- a/internal/crypto/error.go +++ b/internal/crypto/error.go @@ -76,6 +76,9 @@ var ( // ErrIncompatibleEncryptionMethod indicates that both SSE-C headers and SSE-S3 headers were specified, and are incompatible // The client needs to remove the SSE-S3 header or the SSE-C headers ErrIncompatibleEncryptionMethod = Errorf("Server side encryption specified with both SSE-C and SSE-S3 headers") + + // ErrInvalidEncryptionKeyID returns error when KMS key id contains invalid characters + ErrInvalidEncryptionKeyID = Errorf("KMS KeyID contains unsupported characters") ) var ( diff --git a/internal/crypto/metadata.go b/internal/crypto/metadata.go index 68867fcc3..d9dd2415e 100644 --- a/internal/crypto/metadata.go +++ b/internal/crypto/metadata.go @@ -56,6 +56,9 @@ const ( // be part of the object. Therefore, the bucket/object name must be added // to the context, if not present, whenever a decryption is performed. MetaContext = "X-Minio-Internal-Server-Side-Encryption-Context" + + // ARNPrefix prefix for "arn:aws:kms" + ARNPrefix = "arn:aws:kms:" ) // IsMultiPart returns true if the object metadata indicates diff --git a/internal/crypto/sse-kms.go b/internal/crypto/sse-kms.go index 588ccdb34..9d554792b 100644 --- a/internal/crypto/sse-kms.go +++ b/internal/crypto/sse-kms.go @@ -55,7 +55,8 @@ func (ssekms) IsRequested(h http.Header) bool { return true } if _, ok := h[xhttp.AmzServerSideEncryption]; ok { - return strings.ToUpper(h.Get(xhttp.AmzServerSideEncryption)) != xhttp.AmzEncryptionAES // Return only true if the SSE header is specified and does not contain the SSE-S3 value + // Return only true if the SSE header is specified and does not contain the SSE-S3 value + return strings.ToUpper(h.Get(xhttp.AmzServerSideEncryption)) != xhttp.AmzEncryptionAES } return false } @@ -63,6 +64,10 @@ func (ssekms) IsRequested(h http.Header) bool { // ParseHTTP parses the SSE-KMS headers and returns the SSE-KMS key ID // and the KMS context on success. func (ssekms) ParseHTTP(h http.Header) (string, kms.Context, error) { + if h == nil { + return "", nil, ErrInvalidEncryptionMethod + } + algorithm := h.Get(xhttp.AmzServerSideEncryption) if algorithm != xhttp.AmzEncryptionKMS { return "", nil, ErrInvalidEncryptionMethod @@ -80,7 +85,13 @@ func (ssekms) ParseHTTP(h http.Header) (string, kms.Context, error) { return "", nil, err } } - return h.Get(xhttp.AmzServerSideEncryptionKmsID), ctx, nil + + keyID := h.Get(xhttp.AmzServerSideEncryptionKmsID) + spaces := strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ") + if spaces { + return "", nil, ErrInvalidEncryptionKeyID + } + return strings.TrimPrefix(keyID, ARNPrefix), ctx, nil } // IsEncrypted returns true if the object metadata indicates