listing: improve listing of encrypted objects (#14667)

This commit improves the listing of encrypted objects:
 - Use `etag.Format` and `etag.Decrypt`
 - Detect SSE-S3 single-part objects in a single iteration
 - Fix batch size to `250`
 - Pass request context to `DecryptAll` to not waste resources
   when a client cancels the operation.

Signed-off-by: Andreas Auernhammer <hi@aead.dev>
Andreas Auernhammer
2022-04-04 20:42:03 +02:00
committed by GitHub
parent d4251b2545
commit 6b1c62133d
7 changed files with 87 additions and 102 deletions


@@ -162,7 +162,7 @@ func (c *kesClient) DecryptKey(keyID string, ciphertext []byte, ctx Context) ([]
return c.client.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)
}
func (c *kesClient) DecryptAll(keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
func (c *kesClient) DecryptAll(ctx context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
if c.bulkAvailable {
CCPs := make([]kes.CCP, 0, len(ciphertexts))
for i := range ciphertexts {
@@ -175,7 +175,7 @@ func (c *kesClient) DecryptAll(keyID string, ciphertexts [][]byte, contexts []Co
Context: bCtx,
})
}
PCPs, err := c.client.DecryptAll(context.Background(), keyID, CCPs...)
PCPs, err := c.client.DecryptAll(ctx, keyID, CCPs...)
if err != nil {
return nil, err
}
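Review bot: Cancellation only reaches the bulk path: `c.client.DecryptAll(ctx, keyID, CCPs...)` now honours the request context, but `DecryptKey` at the top of this section still calls `c.client.Decrypt(context.Background(), keyID, ciphertext, ctxBytes)`. If the branch taken when `c.bulkAvailable` is false falls back to per-key `DecryptKey` calls (that branch is outside the hunk, so this is an assumption), a cancelled listing would keep issuing KMS requests against servers without the bulk API. A check such as `if err := ctx.Err(); err != nil { return nil, err }` at the top of that fallback loop would close the gap without changing the `DecryptKey` signature. The body of DecryptAll starts and ends outside the visible hunks.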


@@ -18,12 +18,11 @@
package kms
import (
"context"
"encoding"
"encoding/json"
"strconv"
jsoniter "github.com/json-iterator/go"
"github.com/minio/pkg/env"
)
// KMS is the generic interface that abstracts over
@@ -57,19 +56,7 @@ type KMS interface {
// DecryptAll decrypts all ciphertexts with the key referenced
// by the key ID. The contexts must match the context value
// used to generate the ciphertexts.
DecryptAll(keyID string, ciphertext [][]byte, context []Context) ([][]byte, error)
}
// BatchSize returns the size of the batches that should be used during
// KES bulk decryption API calls.
func BatchSize() int {
const DefaultBatchSize = 500
v := env.Get("MINIO_KMS_KES_BULK_API_BATCH_SIZE", strconv.Itoa(DefaultBatchSize))
n, err := strconv.Atoi(v)
if err != nil {
return DefaultBatchSize
}
return n
DecryptAll(ctx context.Context, keyID string, ciphertext [][]byte, context []Context) ([][]byte, error)
}
// Status describes the current state of a KMS.
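Review bot: The new interface method `DecryptAll(ctx context.Context, keyID string, ciphertext [][]byte, context []Context)` names a parameter `context` right next to the `context.Context` type, which reads ambiguously and shadows the package in any implementation that copies the names. Matching the implementations keeps the signatures parallel: `DecryptAll(ctx context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error)`. The doc comment above the method still describes only the old contract; it should say whether implementations are expected to stop once ctx is done, and that the ciphertext and context slices must have the same length. Separately, with `BatchSize()` removed, `MINIO_KMS_KES_BULK_API_BATCH_SIZE` appears to be ignored from here on, which is worth a line in the release notes for deployments that set it.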


@@ -18,6 +18,7 @@
package kms
import (
"context"
"crypto/aes"
"crypto/cipher"
"crypto/hmac"
@@ -224,7 +225,7 @@ func (kms secretKey) DecryptKey(keyID string, ciphertext []byte, context Context
return plaintext, nil
}
func (kms secretKey) DecryptAll(keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
func (kms secretKey) DecryptAll(_ context.Context, keyID string, ciphertexts [][]byte, contexts []Context) ([][]byte, error) {
plaintexts := make([][]byte, 0, len(ciphertexts))
for i := range ciphertexts {
plaintext, err := kms.DecryptKey(keyID, ciphertexts[i], contexts[i])
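Review bot: `contexts[i]` is indexed by the range over `ciphertexts` with no length comparison, so a caller passing fewer contexts than ciphertexts panics the request goroutine instead of getting an error. Since the signature is being touched anyway, a guard before the `make` turns that into an ordinary failure: `if len(ciphertexts) != len(contexts) { return nil, errors.New("kms: number of ciphertexts and contexts differ") }`, using whichever error constructor the file already imports. The context is discarded with `_`, which is defensible for local AES work, but a one-line comment such as `// ctx is unused: decryption is local and does not block` would make that intent explicit. The loop body continues outside the hunk.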