MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 15:03:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

Handle non existent kms key correctly (#14329)

Browse Source 
- in PutBucketEncryption API
- admin APIs for  `mc admin KMS key [create|info]`
- PutObject API when invalid KMS key is specified
This commit is contained in:
Poorna 2022-02-17 11:36:14 -08:00 committed by GitHub
parent 28f188e3ef
commit 93af4a4864
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 185 additions and 154 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/api-errors.go
View File

@ -212,6 +212,7 @@ const (
ErrInvalidSSECustomerParameters ErrInvalidSSECustomerParameters
ErrIncompatibleEncryptionMethod ErrIncompatibleEncryptionMethod
ErrKMSNotConfigured ErrKMSNotConfigured
ErrKMSKeyNotFoundException
ErrNoAccessKey ErrNoAccessKey
ErrInvalidToken ErrInvalidToken
@ -1127,6 +1128,11 @@ var errorCodes = errorCodeMap{
Description: "Server side encryption specified but KMS is not configured", Description: "Server side encryption specified but KMS is not configured",
HTTPStatusCode: http.StatusNotImplemented, HTTPStatusCode: http.StatusNotImplemented,
}, },
ErrKMSKeyNotFoundException: {
Code: "KMS.NotFoundException",
Description: "Invalid keyId",
HTTPStatusCode: http.StatusBadRequest,
},
ErrNoAccessKey: { ErrNoAccessKey: {
Code: "AccessDenied", Code: "AccessDenied",
Description: "No AWSAccessKey was presented", Description: "No AWSAccessKey was presented",
@ -1912,6 +1918,9 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) {
apiErr = ErrIncompatibleEncryptionMethod apiErr = ErrIncompatibleEncryptionMethod
case errKMSNotConfigured: case errKMSNotConfigured:
apiErr = ErrKMSNotConfigured apiErr = ErrKMSNotConfigured
case errKMSKeyNotFound:
apiErr = ErrKMSKeyNotFoundException
case context.Canceled, context.DeadlineExceeded: case context.Canceled, context.DeadlineExceeded:
apiErr = ErrOperationTimedOut apiErr = ErrOperationTimedOut
case errDiskNotFound: case errDiskNotFound:

309
cmd/apierrorcode_string.go
View File

File diff suppressed because one or more lines are too long

16
cmd/bucket-encryption-handlers.go
View File

@ -20,12 +20,15 @@ package cmd
import ( import (
"encoding/base64" "encoding/base64"
"encoding/xml" "encoding/xml"
"errors"
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/minio/kes"
"github.com/minio/madmin-go" "github.com/minio/madmin-go"
"github.com/minio/minio/internal/kms"
"github.com/minio/minio/internal/logger" "github.com/minio/minio/internal/logger"
"github.com/minio/pkg/bucket/policy" "github.com/minio/pkg/bucket/policy"
) )
@ -84,6 +87,19 @@ func (api objectAPIHandlers) PutBucketEncryptionHandler(w http.ResponseWriter, r
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL) writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL)
return return
} }
kmsKey := encConfig.KeyID()
if kmsKey != "" {
kmsContext := kms.Context{"MinIO admin API": "ServerInfoHandler"} // Context for a test key operation
_, err := GlobalKMS.GenerateKey(kmsKey, kmsContext)
if err != nil {
if errors.Is(err, kes.ErrKeyNotFound) {
writeErrorResponse(ctx, w, toAPIError(ctx, errKMSKeyNotFound), r.URL)
return
}
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return
}
}
configData, err := xml.Marshal(encConfig) configData, err := xml.Marshal(encConfig)
if err != nil { if err != nil {

5
cmd/encryption-v1.go
View File

@ -33,6 +33,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"github.com/minio/kes"
"github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/crypto"
"github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/fips"
xhttp "github.com/minio/minio/internal/http" xhttp "github.com/minio/minio/internal/http"
@ -46,6 +47,7 @@ var (
errEncryptedObject = errors.New("The object was stored using a form of SSE") errEncryptedObject = errors.New("The object was stored using a form of SSE")
errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied errInvalidSSEParameters = errors.New("The SSE-C key for key-rotation is not correct") // special access denied
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object") errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object")
errKMSKeyNotFound = errors.New("Invalid KMS keyId")
// Additional MinIO errors for SSE-C requests. // Additional MinIO errors for SSE-C requests.
errObjectTampered = errors.New("The requested object was modified and may be compromised") errObjectTampered = errors.New("The requested object was modified and may be compromised")
// error returned when invalid encryption parameters are specified // error returned when invalid encryption parameters are specified
@ -262,6 +264,9 @@ func newEncryptMetadata(kind crypto.Type, keyID string, key []byte, bucket, obje
} }
key, err := GlobalKMS.GenerateKey(keyID, kmsCtx) key, err := GlobalKMS.GenerateKey(keyID, kmsCtx)
if err != nil { if err != nil {
if errors.Is(err, kes.ErrKeyNotFound) {
return crypto.ObjectKey{}, errKMSKeyNotFound
}
return crypto.ObjectKey{}, err return crypto.ObjectKey{}, err
} }