From 8bfe972bab02982e77cd277049414f5cc8fb5a46 Mon Sep 17 00:00:00 2001 From: Allan Roger Reid Date: Tue, 21 Feb 2023 17:43:01 -0800 Subject: [PATCH] Set meaningful message from minio with env variable KMS_SECRET_KEY (#16584) --- cmd/admin-server-info.go | 3 +- cmd/api-errors.go | 10 +- cmd/apierrorcode_string.go | 337 ++++++++++++++++++----------------- cmd/common-main.go | 52 +++--- cmd/encryption-v1.go | 11 +- cmd/kms-handlers.go | 18 +- internal/config/constants.go | 11 -- internal/kms/config.go | 32 ++++ internal/kms/kes.go | 21 +++ internal/kms/kms.go | 6 + internal/kms/single-key.go | 19 +- 11 files changed, 304 insertions(+), 216 deletions(-) create mode 100644 internal/kms/config.go diff --git a/cmd/admin-server-info.go b/cmd/admin-server-info.go index 572b39362..caa7847f9 100644 --- a/cmd/admin-server-info.go +++ b/cmd/admin-server-info.go @@ -28,6 +28,7 @@ import ( "github.com/minio/madmin-go/v2" "github.com/minio/minio/internal/config" + "github.com/minio/minio/internal/kms" "github.com/minio/minio/internal/logger" ) @@ -118,7 +119,7 @@ func getLocalServerProperty(endpointServerPools EndpointServerPools, r *http.Req config.EnvRootUser: {}, config.EnvRootPassword: {}, config.EnvMinIOSubnetAPIKey: {}, - config.EnvKMSSecretKey: {}, + kms.EnvKMSSecretKey: {}, } for _, v := range os.Environ() { if !strings.HasPrefix(v, "MINIO") && !strings.HasPrefix(v, "_MINIO") { diff --git a/cmd/api-errors.go b/cmd/api-errors.go index 485c6c0df..d2de42515 100644 --- a/cmd/api-errors.go +++ b/cmd/api-errors.go @@ -1,4 +1,4 @@ -// Copyright (c) 2015-2021 MinIO, Inc. +// Copyright (c) 2015-2023 MinIO, Inc. // // This file is part of MinIO Object Storage stack // @@ -220,6 +220,7 @@ const ( ErrIncompatibleEncryptionMethod ErrKMSNotConfigured ErrKMSKeyNotFoundException + ErrKMSDefaultKeyAlreadyConfigured ErrNoAccessKey ErrInvalidToken 
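Review bot: Inserting `ErrKMSDefaultKeyAlreadyConfigured` between `ErrKMSKeyNotFoundException` and `ErrNoAccessKey` in the middle of the iota block renumbers every later APIErrorCode, which is what forces the 166 shifted entries in the generated apierrorcode_string.go further down this patch. That is harmless only if APIErrorCode numeric values are never persisted, emitted in logs or metrics as numbers, or compared across server versions; I cannot confirm that from this diff. Appending new codes at the end of the const block (just before the closing of the enum) keeps existing values stable and shrinks the generated-file churn to one entry; the string-name lookup via `Code:` in errorCodes is unaffected either way. The const block itself starts and ends outside this hunk.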
@@ -1172,6 +1173,11 @@ var errorCodes = errorCodeMap{ Description: "Invalid keyId", HTTPStatusCode: http.StatusBadRequest, }, + ErrKMSDefaultKeyAlreadyConfigured: { + Code: "KMS.DefaultKeyAlreadyConfiguredException", + Description: "A default encryption already exists and cannot be changed on KMS", + HTTPStatusCode: http.StatusConflict, + }, ErrNoAccessKey: { Code: "AccessDenied", Description: "No AWSAccessKey was presented", @@ -2047,6 +2053,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) { apiErr = ErrKMSNotConfigured case errKMSKeyNotFound: apiErr = ErrKMSKeyNotFoundException + case errKMSDefaultKeyAlreadyConfigured: + apiErr = ErrKMSDefaultKeyAlreadyConfigured case context.Canceled, context.DeadlineExceeded: apiErr = ErrOperationTimedOut diff --git a/cmd/apierrorcode_string.go b/cmd/apierrorcode_string.go index cc8f04d58..8e6969c96 100644 --- a/cmd/apierrorcode_string.go +++ b/cmd/apierrorcode_string.go 
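Review bot: The user-facing `Description` in the new `ErrKMSDefaultKeyAlreadyConfigured` entry is missing its noun ("A default encryption already exists") and will be returned verbatim in the S3 error XML, so it should read `Description: "A default encryption key already exists and cannot be changed on KMS",`. The 409 Conflict status and the `KMS.DefaultKeyAlreadyConfiguredException` code are consistent with the neighbouring KMS entries (`ErrKMSNotConfigured`, `ErrKMSKeyNotFoundException`), so only the wording needs to change. The errorCodes map continues outside this hunk.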
@@ -148,177 +148,178 @@ func _() { _ = x[ErrIncompatibleEncryptionMethod-137] _ = x[ErrKMSNotConfigured-138] _ = x[ErrKMSKeyNotFoundException-139] - _ = x[ErrNoAccessKey-140] - _ = x[ErrInvalidToken-141] - _ = x[ErrEventNotification-142] - _ = x[ErrARNNotification-143] - _ = x[ErrRegionNotification-144] - _ = x[ErrOverlappingFilterNotification-145] - _ = x[ErrFilterNameInvalid-146] - _ = x[ErrFilterNamePrefix-147] - _ = x[ErrFilterNameSuffix-148] - _ = x[ErrFilterValueInvalid-149] - _ = x[ErrOverlappingConfigs-150] - _ = x[ErrUnsupportedNotification-151] - _ = x[ErrContentSHA256Mismatch-152] - _ = x[ErrContentChecksumMismatch-153] - _ = x[ErrReadQuorum-154] - _ = x[ErrWriteQuorum-155] - _ = x[ErrStorageFull-156] - _ = x[ErrRequestBodyParse-157] - _ = x[ErrObjectExistsAsDirectory-158] - _ = x[ErrInvalidObjectName-159] - _ = x[ErrInvalidObjectNamePrefixSlash-160] - _ = x[ErrInvalidResourceName-161] - _ = x[ErrServerNotInitialized-162] - _ = x[ErrOperationTimedOut-163] - _ = x[ErrClientDisconnected-164] - _ = x[ErrOperationMaxedOut-165] - _ = x[ErrInvalidRequest-166] - _ = x[ErrTransitionStorageClassNotFoundError-167] - _ = x[ErrInvalidStorageClass-168] - _ = x[ErrBackendDown-169] - _ = x[ErrMalformedJSON-170] - _ = x[ErrAdminNoSuchUser-171] - _ = x[ErrAdminNoSuchGroup-172] - _ = x[ErrAdminGroupNotEmpty-173] - _ = x[ErrAdminNoSuchJob-174] - _ = x[ErrAdminNoSuchPolicy-175] - _ = x[ErrAdminPolicyChangeAlreadyApplied-176] - _ = x[ErrAdminInvalidArgument-177] - _ = x[ErrAdminInvalidAccessKey-178] - _ = x[ErrAdminInvalidSecretKey-179] - _ = x[ErrAdminConfigNoQuorum-180] - _ = x[ErrAdminConfigTooLarge-181] - _ = x[ErrAdminConfigBadJSON-182] - _ = x[ErrAdminNoSuchConfigTarget-183] - _ = x[ErrAdminConfigEnvOverridden-184] - _ = x[ErrAdminConfigDuplicateKeys-185] - _ = x[ErrAdminConfigInvalidIDPType-186] - _ = x[ErrAdminConfigLDAPValidation-187] - _ = x[ErrAdminConfigIDPCfgNameAlreadyExists-188] - _ = x[ErrAdminConfigIDPCfgNameDoesNotExist-189] - _ = 
x[ErrAdminCredentialsMismatch-190] - _ = x[ErrInsecureClientRequest-191] - _ = x[ErrObjectTampered-192] - _ = x[ErrSiteReplicationInvalidRequest-193] - _ = x[ErrSiteReplicationPeerResp-194] - _ = x[ErrSiteReplicationBackendIssue-195] - _ = x[ErrSiteReplicationServiceAccountError-196] - _ = x[ErrSiteReplicationBucketConfigError-197] - _ = x[ErrSiteReplicationBucketMetaError-198] - _ = x[ErrSiteReplicationIAMError-199] - _ = x[ErrSiteReplicationConfigMissing-200] - _ = x[ErrAdminRebalanceAlreadyStarted-201] - _ = x[ErrAdminRebalanceNotStarted-202] - _ = x[ErrAdminBucketQuotaExceeded-203] - _ = x[ErrAdminNoSuchQuotaConfiguration-204] - _ = x[ErrHealNotImplemented-205] - _ = x[ErrHealNoSuchProcess-206] - _ = x[ErrHealInvalidClientToken-207] - _ = x[ErrHealMissingBucket-208] - _ = x[ErrHealAlreadyRunning-209] - _ = x[ErrHealOverlappingPaths-210] - _ = x[ErrIncorrectContinuationToken-211] - _ = x[ErrEmptyRequestBody-212] - _ = x[ErrUnsupportedFunction-213] - _ = x[ErrInvalidExpressionType-214] - _ = x[ErrBusy-215] - _ = x[ErrUnauthorizedAccess-216] - _ = x[ErrExpressionTooLong-217] - _ = x[ErrIllegalSQLFunctionArgument-218] - _ = x[ErrInvalidKeyPath-219] - _ = x[ErrInvalidCompressionFormat-220] - _ = x[ErrInvalidFileHeaderInfo-221] - _ = x[ErrInvalidJSONType-222] - _ = x[ErrInvalidQuoteFields-223] - _ = x[ErrInvalidRequestParameter-224] - _ = x[ErrInvalidDataType-225] - _ = x[ErrInvalidTextEncoding-226] - _ = x[ErrInvalidDataSource-227] - _ = x[ErrInvalidTableAlias-228] - _ = x[ErrMissingRequiredParameter-229] - _ = x[ErrObjectSerializationConflict-230] - _ = x[ErrUnsupportedSQLOperation-231] - _ = x[ErrUnsupportedSQLStructure-232] - _ = x[ErrUnsupportedSyntax-233] - _ = x[ErrUnsupportedRangeHeader-234] - _ = x[ErrLexerInvalidChar-235] - _ = x[ErrLexerInvalidOperator-236] - _ = x[ErrLexerInvalidLiteral-237] - _ = x[ErrLexerInvalidIONLiteral-238] - _ = x[ErrParseExpectedDatePart-239] - _ = x[ErrParseExpectedKeyword-240] - _ = x[ErrParseExpectedTokenType-241] - _ = 
x[ErrParseExpected2TokenTypes-242] - _ = x[ErrParseExpectedNumber-243] - _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-244] - _ = x[ErrParseExpectedTypeName-245] - _ = x[ErrParseExpectedWhenClause-246] - _ = x[ErrParseUnsupportedToken-247] - _ = x[ErrParseUnsupportedLiteralsGroupBy-248] - _ = x[ErrParseExpectedMember-249] - _ = x[ErrParseUnsupportedSelect-250] - _ = x[ErrParseUnsupportedCase-251] - _ = x[ErrParseUnsupportedCaseClause-252] - _ = x[ErrParseUnsupportedAlias-253] - _ = x[ErrParseUnsupportedSyntax-254] - _ = x[ErrParseUnknownOperator-255] - _ = x[ErrParseMissingIdentAfterAt-256] - _ = x[ErrParseUnexpectedOperator-257] - _ = x[ErrParseUnexpectedTerm-258] - _ = x[ErrParseUnexpectedToken-259] - _ = x[ErrParseUnexpectedKeyword-260] - _ = x[ErrParseExpectedExpression-261] - _ = x[ErrParseExpectedLeftParenAfterCast-262] - _ = x[ErrParseExpectedLeftParenValueConstructor-263] - _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-264] - _ = x[ErrParseExpectedArgumentDelimiter-265] - _ = x[ErrParseCastArity-266] - _ = x[ErrParseInvalidTypeParam-267] - _ = x[ErrParseEmptySelect-268] - _ = x[ErrParseSelectMissingFrom-269] - _ = x[ErrParseExpectedIdentForGroupName-270] - _ = x[ErrParseExpectedIdentForAlias-271] - _ = x[ErrParseUnsupportedCallWithStar-272] - _ = x[ErrParseNonUnaryAgregateFunctionCall-273] - _ = x[ErrParseMalformedJoin-274] - _ = x[ErrParseExpectedIdentForAt-275] - _ = x[ErrParseAsteriskIsNotAloneInSelectList-276] - _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-277] - _ = x[ErrParseInvalidContextForWildcardInSelectList-278] - _ = x[ErrIncorrectSQLFunctionArgumentType-279] - _ = x[ErrValueParseFailure-280] - _ = x[ErrEvaluatorInvalidArguments-281] - _ = x[ErrIntegerOverflow-282] - _ = x[ErrLikeInvalidInputs-283] - _ = x[ErrCastFailed-284] - _ = x[ErrInvalidCast-285] - _ = x[ErrEvaluatorInvalidTimestampFormatPattern-286] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-287] - _ = 
x[ErrEvaluatorTimestampFormatPatternDuplicateFields-288] - _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-289] - _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-290] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-291] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-292] - _ = x[ErrEvaluatorBindingDoesNotExist-293] - _ = x[ErrMissingHeaders-294] - _ = x[ErrInvalidColumnIndex-295] - _ = x[ErrAdminConfigNotificationTargetsFailed-296] - _ = x[ErrAdminProfilerNotEnabled-297] - _ = x[ErrInvalidDecompressedSize-298] - _ = x[ErrAddUserInvalidArgument-299] - _ = x[ErrAdminResourceInvalidArgument-300] - _ = x[ErrAdminAccountNotEligible-301] - _ = x[ErrAccountNotEligible-302] - _ = x[ErrAdminServiceAccountNotFound-303] - _ = x[ErrPostPolicyConditionInvalidFormat-304] - _ = x[ErrInvalidChecksum-305] + _ = x[ErrKMSDefaultKeyAlreadyConfigured-140] + _ = x[ErrNoAccessKey-141] + _ = x[ErrInvalidToken-142] + _ = x[ErrEventNotification-143] + _ = x[ErrARNNotification-144] + _ = x[ErrRegionNotification-145] + _ = x[ErrOverlappingFilterNotification-146] + _ = x[ErrFilterNameInvalid-147] + _ = x[ErrFilterNamePrefix-148] + _ = x[ErrFilterNameSuffix-149] + _ = x[ErrFilterValueInvalid-150] + _ = x[ErrOverlappingConfigs-151] + _ = x[ErrUnsupportedNotification-152] + _ = x[ErrContentSHA256Mismatch-153] + _ = x[ErrContentChecksumMismatch-154] + _ = x[ErrReadQuorum-155] + _ = x[ErrWriteQuorum-156] + _ = x[ErrStorageFull-157] + _ = x[ErrRequestBodyParse-158] + _ = x[ErrObjectExistsAsDirectory-159] + _ = x[ErrInvalidObjectName-160] + _ = x[ErrInvalidObjectNamePrefixSlash-161] + _ = x[ErrInvalidResourceName-162] + _ = x[ErrServerNotInitialized-163] + _ = x[ErrOperationTimedOut-164] + _ = x[ErrClientDisconnected-165] + _ = x[ErrOperationMaxedOut-166] + _ = x[ErrInvalidRequest-167] + _ = x[ErrTransitionStorageClassNotFoundError-168] + _ = x[ErrInvalidStorageClass-169] + _ = x[ErrBackendDown-170] + _ = x[ErrMalformedJSON-171] + _ = x[ErrAdminNoSuchUser-172] 
+ _ = x[ErrAdminNoSuchGroup-173] + _ = x[ErrAdminGroupNotEmpty-174] + _ = x[ErrAdminNoSuchJob-175] + _ = x[ErrAdminNoSuchPolicy-176] + _ = x[ErrAdminPolicyChangeAlreadyApplied-177] + _ = x[ErrAdminInvalidArgument-178] + _ = x[ErrAdminInvalidAccessKey-179] + _ = x[ErrAdminInvalidSecretKey-180] + _ = x[ErrAdminConfigNoQuorum-181] + _ = x[ErrAdminConfigTooLarge-182] + _ = x[ErrAdminConfigBadJSON-183] + _ = x[ErrAdminNoSuchConfigTarget-184] + _ = x[ErrAdminConfigEnvOverridden-185] + _ = x[ErrAdminConfigDuplicateKeys-186] + _ = x[ErrAdminConfigInvalidIDPType-187] + _ = x[ErrAdminConfigLDAPValidation-188] + _ = x[ErrAdminConfigIDPCfgNameAlreadyExists-189] + _ = x[ErrAdminConfigIDPCfgNameDoesNotExist-190] + _ = x[ErrAdminCredentialsMismatch-191] + _ = x[ErrInsecureClientRequest-192] + _ = x[ErrObjectTampered-193] + _ = x[ErrSiteReplicationInvalidRequest-194] + _ = x[ErrSiteReplicationPeerResp-195] + _ = x[ErrSiteReplicationBackendIssue-196] + _ = x[ErrSiteReplicationServiceAccountError-197] + _ = x[ErrSiteReplicationBucketConfigError-198] + _ = x[ErrSiteReplicationBucketMetaError-199] + _ = x[ErrSiteReplicationIAMError-200] + _ = x[ErrSiteReplicationConfigMissing-201] + _ = x[ErrAdminRebalanceAlreadyStarted-202] + _ = x[ErrAdminRebalanceNotStarted-203] + _ = x[ErrAdminBucketQuotaExceeded-204] + _ = x[ErrAdminNoSuchQuotaConfiguration-205] + _ = x[ErrHealNotImplemented-206] + _ = x[ErrHealNoSuchProcess-207] + _ = x[ErrHealInvalidClientToken-208] + _ = x[ErrHealMissingBucket-209] + _ = x[ErrHealAlreadyRunning-210] + _ = x[ErrHealOverlappingPaths-211] + _ = x[ErrIncorrectContinuationToken-212] + _ = x[ErrEmptyRequestBody-213] + _ = x[ErrUnsupportedFunction-214] + _ = x[ErrInvalidExpressionType-215] + _ = x[ErrBusy-216] + _ = x[ErrUnauthorizedAccess-217] + _ = x[ErrExpressionTooLong-218] + _ = x[ErrIllegalSQLFunctionArgument-219] + _ = x[ErrInvalidKeyPath-220] + _ = x[ErrInvalidCompressionFormat-221] + _ = x[ErrInvalidFileHeaderInfo-222] + _ = x[ErrInvalidJSONType-223] + _ = 
x[ErrInvalidQuoteFields-224] + _ = x[ErrInvalidRequestParameter-225] + _ = x[ErrInvalidDataType-226] + _ = x[ErrInvalidTextEncoding-227] + _ = x[ErrInvalidDataSource-228] + _ = x[ErrInvalidTableAlias-229] + _ = x[ErrMissingRequiredParameter-230] + _ = x[ErrObjectSerializationConflict-231] + _ = x[ErrUnsupportedSQLOperation-232] + _ = x[ErrUnsupportedSQLStructure-233] + _ = x[ErrUnsupportedSyntax-234] + _ = x[ErrUnsupportedRangeHeader-235] + _ = x[ErrLexerInvalidChar-236] + _ = x[ErrLexerInvalidOperator-237] + _ = x[ErrLexerInvalidLiteral-238] + _ = x[ErrLexerInvalidIONLiteral-239] + _ = x[ErrParseExpectedDatePart-240] + _ = x[ErrParseExpectedKeyword-241] + _ = x[ErrParseExpectedTokenType-242] + _ = x[ErrParseExpected2TokenTypes-243] + _ = x[ErrParseExpectedNumber-244] + _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-245] + _ = x[ErrParseExpectedTypeName-246] + _ = x[ErrParseExpectedWhenClause-247] + _ = x[ErrParseUnsupportedToken-248] + _ = x[ErrParseUnsupportedLiteralsGroupBy-249] + _ = x[ErrParseExpectedMember-250] + _ = x[ErrParseUnsupportedSelect-251] + _ = x[ErrParseUnsupportedCase-252] + _ = x[ErrParseUnsupportedCaseClause-253] + _ = x[ErrParseUnsupportedAlias-254] + _ = x[ErrParseUnsupportedSyntax-255] + _ = x[ErrParseUnknownOperator-256] + _ = x[ErrParseMissingIdentAfterAt-257] + _ = x[ErrParseUnexpectedOperator-258] + _ = x[ErrParseUnexpectedTerm-259] + _ = x[ErrParseUnexpectedToken-260] + _ = x[ErrParseUnexpectedKeyword-261] + _ = x[ErrParseExpectedExpression-262] + _ = x[ErrParseExpectedLeftParenAfterCast-263] + _ = x[ErrParseExpectedLeftParenValueConstructor-264] + _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-265] + _ = x[ErrParseExpectedArgumentDelimiter-266] + _ = x[ErrParseCastArity-267] + _ = x[ErrParseInvalidTypeParam-268] + _ = x[ErrParseEmptySelect-269] + _ = x[ErrParseSelectMissingFrom-270] + _ = x[ErrParseExpectedIdentForGroupName-271] + _ = x[ErrParseExpectedIdentForAlias-272] + _ = x[ErrParseUnsupportedCallWithStar-273] + _ = 
x[ErrParseNonUnaryAgregateFunctionCall-274] + _ = x[ErrParseMalformedJoin-275] + _ = x[ErrParseExpectedIdentForAt-276] + _ = x[ErrParseAsteriskIsNotAloneInSelectList-277] + _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-278] + _ = x[ErrParseInvalidContextForWildcardInSelectList-279] + _ = x[ErrIncorrectSQLFunctionArgumentType-280] + _ = x[ErrValueParseFailure-281] + _ = x[ErrEvaluatorInvalidArguments-282] + _ = x[ErrIntegerOverflow-283] + _ = x[ErrLikeInvalidInputs-284] + _ = x[ErrCastFailed-285] + _ = x[ErrInvalidCast-286] + _ = x[ErrEvaluatorInvalidTimestampFormatPattern-287] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-288] + _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-289] + _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-290] + _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-291] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-292] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-293] + _ = x[ErrEvaluatorBindingDoesNotExist-294] + _ = x[ErrMissingHeaders-295] + _ = x[ErrInvalidColumnIndex-296] + _ = x[ErrAdminConfigNotificationTargetsFailed-297] + _ = x[ErrAdminProfilerNotEnabled-298] + _ = x[ErrInvalidDecompressedSize-299] + _ = x[ErrAddUserInvalidArgument-300] + _ = x[ErrAdminResourceInvalidArgument-301] + _ = x[ErrAdminAccountNotEligible-302] + _ = x[ErrAccountNotEligible-303] + _ = x[ErrAdminServiceAccountNotFound-304] + _ = x[ErrPostPolicyConditionInvalidFormat-305] + _ = x[ErrInvalidChecksum-306] } -const _APIErrorCode_name = 
"NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorRemoteTargetDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryPar
amsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOperationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidIDPTypeAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteR
eplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInv
alidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksum" +const _APIErrorCode_name = "NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorRemoteTargetDenyEditErrorReplicationNoExistingObjectsObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUpload
InvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedCredentialRegionMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeadersMissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataMaximumExpiresSlowDownInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionKMSDefaultKeyAlreadyConfiguredNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchReadQuorumWriteQuorumStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameServerNotInitializedOperationTimedOutClientDisconnectedOpe
rationMaxedOutInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchGroupAdminGroupNotEmptyAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidIDPTypeAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistAdminCredentialsMismatchInsecureClientRequestObjectTamperedSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpecte
dOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWithStarParseNonUnaryAgregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksum" -var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1250, 1278, 1308, 1317, 1329, 1345, 1358, 1372, 1390, 1410, 1431, 1447, 1458, 1474, 1502, 1522, 1538, 1566, 1580, 1597, 1617, 1630, 1644, 1657, 1670, 1686, 1703, 1724, 1738, 1759, 1772, 1794, 1817, 1842, 1858, 1873, 1888, 1909, 1927, 1942, 1959, 1984, 2002, 2025, 2040, 2059, 2075, 2094, 2108, 2116, 2135, 2145, 2160, 2196, 
2227, 2260, 2289, 2301, 2321, 2345, 2369, 2390, 2414, 2433, 2454, 2471, 2494, 2516, 2542, 2563, 2581, 2608, 2639, 2666, 2687, 2708, 2732, 2757, 2785, 2813, 2829, 2852, 2863, 2875, 2892, 2907, 2925, 2954, 2971, 2987, 3003, 3021, 3039, 3062, 3083, 3106, 3116, 3127, 3138, 3154, 3177, 3194, 3222, 3241, 3261, 3278, 3296, 3313, 3327, 3362, 3381, 3392, 3405, 3420, 3436, 3454, 3468, 3485, 3516, 3536, 3557, 3578, 3597, 3616, 3634, 3657, 3681, 3705, 3730, 3755, 3789, 3822, 3846, 3867, 3881, 3910, 3933, 3960, 3994, 4026, 4056, 4079, 4107, 4135, 4159, 4183, 4212, 4230, 4247, 4269, 4286, 4304, 4324, 4350, 4366, 4385, 4406, 4410, 4428, 4445, 4471, 4485, 4509, 4530, 4545, 4563, 4586, 4601, 4620, 4637, 4654, 4678, 4705, 4728, 4751, 4768, 4790, 4806, 4826, 4845, 4867, 4888, 4908, 4930, 4954, 4973, 5015, 5036, 5059, 5080, 5111, 5130, 5152, 5172, 5198, 5219, 5241, 5261, 5285, 5308, 5327, 5347, 5369, 5392, 5423, 5461, 5502, 5532, 5546, 5567, 5583, 5605, 5635, 5661, 5689, 5722, 5740, 5763, 5798, 5838, 5880, 5912, 5929, 5954, 5969, 5986, 5996, 6007, 6045, 6099, 6145, 6197, 6245, 6288, 6332, 6360, 6374, 6392, 6428, 6451, 6474, 6496, 6524, 6547, 6565, 6592, 6624, 6639} +var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 146, 159, 171, 193, 213, 239, 253, 274, 291, 306, 329, 346, 364, 381, 405, 420, 441, 459, 471, 491, 508, 531, 552, 564, 582, 603, 631, 661, 682, 705, 731, 768, 798, 831, 856, 888, 918, 947, 972, 994, 1020, 1042, 1070, 1099, 1133, 1164, 1201, 1225, 1250, 1278, 1308, 1317, 1329, 1345, 1358, 1372, 1390, 1410, 1431, 1447, 1458, 1474, 1502, 1522, 1538, 1566, 1580, 1597, 1617, 1630, 1644, 1657, 1670, 1686, 1703, 1724, 1738, 1759, 1772, 1794, 1817, 1842, 1858, 1873, 1888, 1909, 1927, 1942, 1959, 1984, 2002, 2025, 2040, 2059, 2075, 2094, 2108, 2116, 2135, 2145, 2160, 2196, 2227, 2260, 2289, 2301, 2321, 2345, 2369, 2390, 2414, 2433, 2454, 2471, 2494, 2516, 2542, 2563, 2581, 2608, 2639, 2666, 2687, 2708, 2732, 2757, 2785, 2813, 2829, 2852, 2882, 2893, 
2905, 2922, 2937, 2955, 2984, 3001, 3017, 3033, 3051, 3069, 3092, 3113, 3136, 3146, 3157, 3168, 3184, 3207, 3224, 3252, 3271, 3291, 3308, 3326, 3343, 3357, 3392, 3411, 3422, 3435, 3450, 3466, 3484, 3498, 3515, 3546, 3566, 3587, 3608, 3627, 3646, 3664, 3687, 3711, 3735, 3760, 3785, 3819, 3852, 3876, 3897, 3911, 3940, 3963, 3990, 4024, 4056, 4086, 4109, 4137, 4165, 4189, 4213, 4242, 4260, 4277, 4299, 4316, 4334, 4354, 4380, 4396, 4415, 4436, 4440, 4458, 4475, 4501, 4515, 4539, 4560, 4575, 4593, 4616, 4631, 4650, 4667, 4684, 4708, 4735, 4758, 4781, 4798, 4820, 4836, 4856, 4875, 4897, 4918, 4938, 4960, 4984, 5003, 5045, 5066, 5089, 5110, 5141, 5160, 5182, 5202, 5228, 5249, 5271, 5291, 5315, 5338, 5357, 5377, 5399, 5422, 5453, 5491, 5532, 5562, 5576, 5597, 5613, 5635, 5665, 5691, 5719, 5752, 5770, 5793, 5828, 5868, 5910, 5942, 5959, 5984, 5999, 6016, 6026, 6037, 6075, 6129, 6175, 6227, 6275, 6318, 6362, 6390, 6404, 6422, 6458, 6481, 6504, 6526, 6554, 6577, 6595, 6622, 6654, 6669} func (i APIErrorCode) String() string { if i < 0 || i >= APIErrorCode(len(_APIErrorCode_index)-1) { diff --git a/cmd/common-main.go b/cmd/common-main.go index b415fc5d9..6a86c5177 100644 --- a/cmd/common-main.go +++ b/cmd/common-main.go @@ -600,13 +600,13 @@ func loadEnvVarsFromFiles() { } } - if env.IsSet(config.EnvKMSSecretKeyFile) { - kmsSecret, err := readFromSecret(env.Get(config.EnvKMSSecretKeyFile, "")) + if env.IsSet(kms.EnvKMSSecretKeyFile) { + kmsSecret, err := readFromSecret(env.Get(kms.EnvKMSSecretKeyFile, "")) if err != nil { logger.Fatal(err, "Unable to read the KMS secret key inherited from secret file") } if kmsSecret != "" { - os.Setenv(config.EnvKMSSecretKey, kmsSecret) + os.Setenv(kms.EnvKMSSecretKey, kmsSecret) } } 
@@ -783,29 +783,29 @@ func handleCommonEnvVars() { // It depends on KMS env variables and global cli flags. func handleKMSConfig() { switch { - case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint): - logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint)) + case env.IsSet(kms.EnvKMSSecretKey) && env.IsSet(kms.EnvKESEndpoint): + logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKMSSecretKey, kms.EnvKESEndpoint)) } - if env.IsSet(config.EnvKMSSecretKey) { - KMS, err := kms.Parse(env.Get(config.EnvKMSSecretKey, "")) + if env.IsSet(kms.EnvKMSSecretKey) { + KMS, err := kms.Parse(env.Get(kms.EnvKMSSecretKey, "")) if err != nil { logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment") } GlobalKMS = KMS } - if env.IsSet(config.EnvKESEndpoint) { - if env.IsSet(config.EnvKESAPIKey) { - if env.IsSet(config.EnvKESClientKey) { - logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKESAPIKey, config.EnvKESClientKey)) + if env.IsSet(kms.EnvKESEndpoint) { + if env.IsSet(kms.EnvKESAPIKey) { + if env.IsSet(kms.EnvKESClientKey) { + logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKESAPIKey, kms.EnvKESClientKey)) } - if env.IsSet(config.EnvKESClientCert) { - logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKESAPIKey, config.EnvKESClientCert)) + if env.IsSet(kms.EnvKESClientCert) { + logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", kms.EnvKESAPIKey, kms.EnvKESClientCert)) } } var endpoints []string - for _, endpoint := range strings.Split(env.Get(config.EnvKESEndpoint, ""), ",") { + 
for _, endpoint := range strings.Split(env.Get(kms.EnvKESEndpoint, ""), ",") { if strings.TrimSpace(endpoint) == "" { continue } @@ -821,21 +821,21 @@ func handleKMSConfig() { endpoints = append(endpoints, strings.Join(lbls, "")) } } - rootCAs, err := certs.GetRootCAs(env.Get(config.EnvKESServerCA, globalCertsCADir.Get())) + rootCAs, err := certs.GetRootCAs(env.Get(kms.EnvKESServerCA, globalCertsCADir.Get())) if err != nil { - logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get()))) + logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(kms.EnvKESServerCA, globalCertsCADir.Get()))) } var kmsConf kms.Config - if env.IsSet(config.EnvKESAPIKey) { - key, err := kes.ParseAPIKey(env.Get(config.EnvKESAPIKey, "")) + if env.IsSet(kms.EnvKESAPIKey) { + key, err := kes.ParseAPIKey(env.Get(kms.EnvKESAPIKey, "")) if err != nil { - logger.Fatal(err, fmt.Sprintf("Failed to parse KES API key from %q", env.Get(config.EnvKESAPIKey, ""))) + logger.Fatal(err, fmt.Sprintf("Failed to parse KES API key from %q", env.Get(kms.EnvKESAPIKey, ""))) } kmsConf = kms.Config{ Endpoints: endpoints, - Enclave: env.Get(config.EnvKESEnclave, ""), - DefaultKeyID: env.Get(config.EnvKESKeyName, ""), + Enclave: env.Get(kms.EnvKESEnclave, ""), + DefaultKeyID: env.Get(kms.EnvKESKeyName, ""), APIKey: key, RootCAs: rootCAs, } 
@@ -857,7 +857,7 @@ func handleKMSConfig() { return tls.Certificate{}, errors.New("Unable to load KES client private key as specified by the shell environment: private key contains additional data") } if x509.IsEncryptedPEMBlock(privateKeyPEM) { - keyBytes, err = x509.DecryptPEMBlock(privateKeyPEM, []byte(env.Get(config.EnvKESClientPassword, ""))) + keyBytes, err = x509.DecryptPEMBlock(privateKeyPEM, []byte(env.Get(kms.EnvKESClientPassword, ""))) if err != nil { return tls.Certificate{}, fmt.Errorf("Unable to decrypt KES client private key as specified by the shell environment: %v", err) } @@ -871,7 +871,7 @@ func handleKMSConfig() { } reloadCertEvents := make(chan tls.Certificate, 1) - certificate, err := certs.NewCertificate(env.Get(config.EnvKESClientCert, ""), env.Get(config.EnvKESClientKey, ""), loadX509KeyPair) + certificate, err := certs.NewCertificate(env.Get(kms.EnvKESClientCert, ""), env.Get(kms.EnvKESClientKey, ""), loadX509KeyPair) if err != nil { logger.Fatal(err, "Failed to load KES client certificate") } @@ -880,8 +880,8 @@ func handleKMSConfig() { kmsConf = kms.Config{ Endpoints: endpoints, - Enclave: env.Get(config.EnvKESEnclave, ""), - DefaultKeyID: env.Get(config.EnvKESKeyName, ""), + Enclave: env.Get(kms.EnvKESEnclave, ""), + DefaultKeyID: env.Get(kms.EnvKESKeyName, ""), Certificate: certificate, ReloadCertEvents: reloadCertEvents, RootCAs: rootCAs, 
@@ -896,7 +896,7 @@ func handleKMSConfig() { // This implicitly checks that we can communicate to KES. We don't treat // a policy error as failure condition since MinIO may not have the permission // to create keys - just to generate/decrypt data encryption keys. - if err = KMS.CreateKey(context.Background(), env.Get(config.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) { + if err = KMS.CreateKey(context.Background(), env.Get(kms.EnvKESKeyName, "")); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) { logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment") } GlobalKMS = KMS diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go index c4045ad18..b8eca012d 100644 --- a/cmd/encryption-v1.go +++ b/cmd/encryption-v1.go @@ -1,4 +1,4 @@ -// Copyright (c) 2015-2021 MinIO, Inc. +// Copyright (c) 2015-2023 MinIO, Inc. // // This file is part of MinIO Object Storage stack // 
@@ -48,10 +48,11 @@ import ( var ( // AWS errors for invalid SSE-C requests. - errEncryptedObject = errors.New("The object was stored using a form of SSE") - errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied - errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object") - errKMSKeyNotFound = errors.New("Invalid KMS keyId") + errEncryptedObject = errors.New("The object was stored using a form of SSE") + errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied + errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted objects") + errKMSKeyNotFound = errors.New("Unknown KMS key ID") + errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption already exists on KMS") // Additional MinIO errors for SSE-C requests. errObjectTampered = errors.New("The requested object was modified and may be compromised") // error returned when invalid encryption parameters are specified diff --git a/cmd/kms-handlers.go b/cmd/kms-handlers.go index 321358ea7..172b4b199 100644 --- a/cmd/kms-handlers.go +++ b/cmd/kms-handlers.go @@ -1,4 +1,4 @@ -// Copyright (c) 2015-2022 MinIO, Inc. +// Copyright (c) 2015-2023 MinIO, Inc. // // This file is part of MinIO Object Storage stack // 
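Review bot: The two reworded sentinel messages read as if a word was dropped: `errKMSNotConfigured` now says "for a server side encrypted objects" (singular article, plural noun) and the new `errKMSDefaultKeyAlreadyConfigured` says "A default encryption already exists on KMS" without naming what exists. Since both strings are surfaced to API clients through the error-code mapping, I would settle the wording now rather than after it is in the wild: `errKMSNotConfigured = errors.New("KMS not configured for server side encrypted objects")` and `errKMSDefaultKeyAlreadyConfigured = errors.New("A default encryption key already exists on KMS")`. The rest of the `var (` block continues outside the hunk.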
@@ -173,7 +173,12 @@ func (a kmsAPIHandlers) KMSVersionHandler(w http.ResponseWriter, r *http.Request // KMSCreateKeyHandler - POST /minio/kms/v1/key/create?key-id= func (a kmsAPIHandlers) KMSCreateKeyHandler(w http.ResponseWriter, r *http.Request) { + // If env variable MINIO_KMS_SECRET_KEY is populated, prevent creation of new keys ctx := newContext(r, w, "KMSCreateKey") + if GlobalKMS != nil && GlobalKMS.IsLocal() { + writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSDefaultKeyAlreadyConfigured), r.URL) + return + } defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction) @@ -228,6 +233,15 @@ func (a kmsAPIHandlers) KMSDeleteKeyHandler(w http.ResponseWriter, r *http.Reque // KMSListKeysHandler - GET /minio/kms/v1/key/list?pattern= func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "KMSListKeys") + if GlobalKMS != nil && GlobalKMS.IsLocal() { + res, err := json.Marshal(GlobalKMS.List()) + if err != nil { + writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL) + return + } + writeSuccessResponseJSON(w, res) + return + } defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r)) objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction) @@ -241,7 +255,7 @@ func (a kmsAPIHandlers) KMSListKeysHandler(w http.ResponseWriter, r *http.Reques } manager, ok := GlobalKMS.(kms.KeyManager) if !ok { - writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL) + writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL) return } keys, err := manager.ListKeys(ctx, r.Form.Get("pattern")) diff --git a/internal/config/constants.go b/internal/config/constants.go index 923ff15e0..82fe06b32 100644 --- a/internal/config/constants.go +++ b/internal/config/constants.go 
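Review bot: The new `GlobalKMS.IsLocal()` guard in `KMSCreateKeyHandler` runs before `validateAdminReq(ctx, w, r, iampolicy.KMSCreateKeyAction)` and before the `defer logger.AuditLog(...)` is registered, so an unauthenticated request to `/minio/kms/v1/key/create` gets a distinct `ErrKMSDefaultKeyAlreadyConfigured` answer and leaves no audit record. That turns the handler into an unauthenticated oracle for whether the server runs on `MINIO_KMS_SECRET_KEY`, and it breaks the convention that every admin/KMS request is audited regardless of outcome. Move the `if GlobalKMS != nil && GlobalKMS.IsLocal() { ... }` block below the `objectAPI, _ := validateAdminReq(...)` line (and its nil check, which presumably follows outside the hunk), and keep `defer logger.AuditLog(...)` immediately after `ctx := newContext(...)`. The explanatory comment `// If env variable MINIO_KMS_SECRET_KEY is populated, prevent creation of new keys` should then sit directly above the `if`, not above the `ctx` assignment. The handler body continues past the end of this hunk.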
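Review bot: In `KMSListKeysHandler` the local-KMS branch marshals and returns `GlobalKMS.List()` before `validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction)` and before the `defer logger.AuditLog(...)` line, so anyone who can reach `/minio/kms/v1/key/list` obtains the configured key ID with no credentials and no audit entry. The ID is not the key material, but it is exactly the value a caller needs for SSE-KMS requests and for guessing the deployment's KMS mode, so it should sit behind the same admin check as the KES-backed path. Reorder so authentication and audit logging come first and the local branch follows; the lines between `validateAdminReq` and the `manager, ok := GlobalKMS.(kms.KeyManager)` assertion are outside the hunk and can stay as they are. Separately, the third hunk's switch from `ErrNotImplemented` to `ErrKMSNotConfigured` for a `GlobalKMS` that is set but is not a `kms.KeyManager` reports a configured KMS as "not configured"; if the intent is "this backend cannot list keys", `ErrNotImplemented` was the more accurate code.
```go
	ctx := newContext(r, w, "KMSListKeys")
	defer logger.AuditLog(ctx, w, r, mustGetClaimsFromToken(r))

	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSListKeysAction)
	// … unchanged: objectAPI / GlobalKMS nil handling that follows validateAdminReq …
	if GlobalKMS != nil && GlobalKMS.IsLocal() {
		res, err := json.Marshal(GlobalKMS.List())
		if err != nil {
			writeCustomErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInternalError), err.Error(), r.URL)
			return
		}
		writeSuccessResponseJSON(w, res)
		return
	}
	// … unchanged: kms.KeyManager path …
```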
@@ -67,17 +67,6 @@ const ( EnvUpdate = "MINIO_UPDATE" - EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY" - EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" - EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" // One or multiple KES endpoints, separated by ',' - EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE" // Optional "namespace" within a KES cluster - not required for stateless KES - EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" // The default key name used for IAM data and when no key ID is specified on a bucket - EnvKESAPIKey = "MINIO_KMS_KES_API_KEY" // Access credential for KES - API keys and private key / certificate are mutually exclusive - EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys - EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key - EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE" // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys - EnvKESServerCA = "MINIO_KMS_KES_CAPATH" // Path to file/directory containing CA certificates to verify the KES server certificate - EnvEndpoints = "MINIO_ENDPOINTS" // legacy EnvWorm = "MINIO_WORM" // legacy EnvRegion = "MINIO_REGION" // legacy diff --git a/internal/kms/config.go b/internal/kms/config.go new file mode 100644 index 000000000..ace90efb1 --- /dev/null +++ b/internal/kms/config.go 
@@ -0,0 +1,32 @@ +// Copyright (c) 2015-2023 MinIO, Inc. +// +// This file is part of MinIO Object Storage stack +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package kms + +// Top level config constants for KMS +const ( + EnvKMSSecretKey = "MINIO_KMS_SECRET_KEY" + EnvKMSSecretKeyFile = "MINIO_KMS_SECRET_KEY_FILE" + EnvKESEndpoint = "MINIO_KMS_KES_ENDPOINT" // One or multiple KES endpoints, separated by ',' + EnvKESEnclave = "MINIO_KMS_KES_ENCLAVE" // Optional "namespace" within a KES cluster - not required for stateless KES + EnvKESKeyName = "MINIO_KMS_KES_KEY_NAME" // The default key name used for IAM data and when no key ID is specified on a bucket + EnvKESAPIKey = "MINIO_KMS_KES_API_KEY" // Access credential for KES - API keys and private key / certificate are mutually exclusive + EnvKESClientKey = "MINIO_KMS_KES_KEY_FILE" // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys + EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key + EnvKESClientCert = "MINIO_KMS_KES_CERT_FILE" // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys + EnvKESServerCA = "MINIO_KMS_KES_CAPATH" // Path to file/directory containing CA certificates to verify the KES server certificate +) 
diff --git a/internal/kms/kes.go b/internal/kms/kes.go index fab5e3cbc..f13e14c78 100644 --- a/internal/kms/kes.go +++ b/internal/kms/kes.go @@ -28,6 +28,7 @@ import ( "github.com/minio/kes-go" "github.com/minio/pkg/certs" + "github.com/minio/pkg/env" ) const ( @@ -189,6 +190,26 @@ func (c *kesClient) Stat(ctx context.Context) (Status, error) { }, nil } +// IsLocal returns true if the KMS is a local implementation +func (c *kesClient) IsLocal() bool { + return env.IsSet(EnvKMSSecretKey) +} + +// List returns an array of local KMS Names +func (c *kesClient) List() []kes.KeyInfo { + var kmsSecret []kes.KeyInfo + envKMSSecretKey := env.Get(EnvKMSSecretKey, "") + values := strings.SplitN(envKMSSecretKey, ":", 2) + if len(values) == 2 { + kmsSecret = []kes.KeyInfo{ + { + Name: values[0], + }, + } + } + return kmsSecret +} + // Metrics retrieves server metrics in the Prometheus exposition format. func (c *kesClient) Metrics(ctx context.Context) (kes.Metric, error) { c.lock.RLock() diff --git a/internal/kms/kms.go b/internal/kms/kms.go index 71d220b5f..e0cce75f4 100644 --- a/internal/kms/kms.go +++ b/internal/kms/kms.go @@ -32,6 +32,12 @@ type KMS interface { // Stat returns the current KMS status. Stat(cxt context.Context) (Status, error) + // IsLocal returns true if the KMS is a local implementation + IsLocal() bool + + // List returns an array of local KMS Names + List() []kes.KeyInfo + // Metrics returns a KMS metric snapshot. Metrics(ctx context.Context) (kes.Metric, error) diff --git a/internal/kms/single-key.go b/internal/kms/single-key.go index 59f2299d7..b95db0d50 100644 --- a/internal/kms/single-key.go +++ b/internal/kms/single-key.go 
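Review bot: `kesClient.IsLocal` answers by reading `env.IsSet(EnvKMSSecretKey)` at call time, but a `kesClient` is by construction the remote KES backend, and the `handleKMSConfig` hunk in this same patch refuses to start when `MINIO_KMS_SECRET_KEY` and `MINIO_KMS_KES_ENDPOINT` are both set, so the only way this returns true is if the process environment is changed after start-up. Likewise `kesClient.List` splits the secret-key environment variable to synthesise a key name that KES never issued; it cannot be reached through a consistent configuration and it couples a KES request path to the single-key secret. Both should be constants for this type: `func (c *kesClient) IsLocal() bool { return false }` and `func (c *kesClient) List() []kes.KeyInfo { return nil }`, which also removes the new `github.com/minio/pkg/env` import from this file. A doc comment such as `// IsLocal is always false: a kesClient talks to a remote KES server and never holds the key itself.` would make the contract explicit.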
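Review bot: The two methods added to the `KMS` interface are documented only as "returns true if the KMS is a local implementation" and "returns an array of local KMS Names", which does not tell an implementer what callers will do with the answers or what a non-local backend should return from `List`. Because the handlers in this patch use `IsLocal()` to short-circuit key creation and key listing, the doc should state that contract, e.g. `// IsLocal reports whether this KMS is the single-key implementation configured via MINIO_KMS_SECRET_KEY; key-management APIs (create/list) are short-circuited for it.` and `// List returns the key IDs known to a local KMS (the single configured key ID); non-local implementations are expected to return nil.` Note that `List` takes no `context.Context` and returns no error, unlike every other method on this interface; that is defensible only while the answer is purely in-memory, which the comment should also say.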
@@ -91,8 +91,23 @@ func (kms secretKey) Stat(context.Context) (Status, error) { }, nil } -func (secretKey) Metrics(context.Context) (kes.Metric, error) { - return kes.Metric{}, errors.New("kms: metrics not supported") +// IsLocal returns true if the KMS is a local implementation +func (kms secretKey) IsLocal() bool { + return true +} + +// List returns an array of local KMS Names +func (kms secretKey) List() []kes.KeyInfo { + kmsSecret := []kes.KeyInfo{ + { + Name: kms.keyID, + }, + } + return kmsSecret +} + +func (secretKey) Metrics(ctx context.Context) (kes.Metric, error) { + return kes.Metric{}, errors.New("kms: metrics are not supported") } func (kms secretKey) CreateKey(_ context.Context, keyID string) error {
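Review bot: Style: `secretKey.List` builds a five-line literal into `kmsSecret` only to return it on the next line, and the rewritten `Metrics` names a parameter `ctx` it never reads, whereas the adjacent `CreateKey(_ context.Context, keyID string)` and the previous `Metrics(context.Context)` follow the file's convention of not naming unused context parameters. I would write `return []kes.KeyInfo{{Name: kms.keyID}}` and `func (secretKey) Metrics(_ context.Context) (kes.Metric, error) {`. The doc comment on `List` should also record the security property that matters here, something like `// List exposes only the configured key ID; the key material in secretKey is never returned.`, since that is what justifies serving it from an admin handler at all.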