enable SSE-KMS pass-through on S3 gateway (#7788)

This commit relaxes the restriction that the MinIO gateway does not accept SSE-KMS headers. Now, the S3 gateway allows SSE-KMS headers for PUT and MULTIPART PUT requests and forwards them to the S3 gateway backend (AWS). This is considered SSE pass-through mode. Fixes #7753
2025-11-07 04:42:56 -05:00 · 2019-06-20 02:37:08 +02:00
parent 35c38e4bd8
commit 98d3913a1e
9 changed files with 100 additions and 11 deletions
--- a/cmd/crypto/header.go
+++ b/cmd/crypto/header.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"crypto/md5"
 	"encoding/base64"
+	"encoding/json"
 	"net/http"
 	"strings"
 )
@@ -125,6 +126,25 @@ func (s3KMS) IsRequested(h http.Header) bool {
 	return false
 }

+// ParseHTTP parses the SSE-KMS headers and returns the SSE-KMS key ID
+// and context, if present, on success.
+func (s3KMS) ParseHTTP(h http.Header) (string, interface{}, error) {
+	algorithm := h.Get(SSEHeader)
+	if algorithm != SSEAlgorithmKMS {
+		return "", nil, ErrInvalidEncryptionMethod
+	}
+
+	contextStr, ok := h[SSEKmsContext]
+	if ok {
+		var context map[string]interface{}
+		if err := json.Unmarshal([]byte(contextStr[0]), &context); err != nil {
+			return "", nil, err
+		}
+		return h.Get(SSEKmsID), context, nil
+	}
+	return h.Get(SSEKmsID), nil, nil
+}
+
 var (
 	// SSEC represents AWS SSE-C. It provides functionality to handle
 	// SSE-C requests.
--- a/cmd/crypto/header_test.go
+++ b/cmd/crypto/header_test.go
@@ -54,6 +54,56 @@ func TestKMSIsRequested(t *testing.T) {
 	}
 }

+var kmsParseHTTPTests = []struct {
+	Header     http.Header
+	ShouldFail bool
+}{
+	{Header: http.Header{}, ShouldFail: true},                                                     // 0
+	{Header: http.Header{"X-Amz-Server-Side-Encryption": []string{"aws:kms"}}, ShouldFail: false}, // 1
+	{Header: http.Header{
+		"X-Amz-Server-Side-Encryption":                []string{"aws:kms"},
+		"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
+	}, ShouldFail: false}, // 2
+	{Header: http.Header{
+		"X-Amz-Server-Side-Encryption":                []string{"aws:kms"},
+		"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
+		"X-Amz-Server-Side-Encryption-Context":        []string{"{}"},
+	}, ShouldFail: false}, // 3
+	{Header: http.Header{
+		"X-Amz-Server-Side-Encryption":                []string{"aws:kms"},
+		"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
+		"X-Amz-Server-Side-Encryption-Context":        []string{"{\"bucket\": \"some-bucket\"}"},
+	}, ShouldFail: false}, // 4
+	{Header: http.Header{
+		"X-Amz-Server-Side-Encryption":                []string{"aws:kms"},
+		"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
+		"X-Amz-Server-Side-Encryption-Context":        []string{"{\"bucket\": \"some-bucket\"}"},
+	}, ShouldFail: false}, // 5
+	{Header: http.Header{
+		"X-Amz-Server-Side-Encryption":                []string{"AES256"},
+		"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
+		"X-Amz-Server-Side-Encryption-Context":        []string{"{\"bucket\": \"some-bucket\"}"},
+	}, ShouldFail: true}, // 6
+	{Header: http.Header{
+		"X-Amz-Server-Side-Encryption":                []string{"aws:kms"},
+		"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
+		"X-Amz-Server-Side-Encryption-Context":        []string{"{\"bucket\": \"some-bucket\""}, // invalid JSON
+	}, ShouldFail: true}, // 7
+
+}
+
+func TestKMSParseHTTP(t *testing.T) {
+	for i, test := range kmsParseHTTPTests {
+		_, _, err := S3KMS.ParseHTTP(test.Header)
+		if err == nil && test.ShouldFail {
+			t.Errorf("Test %d: should fail but succeeded", i)
+		}
+		if err != nil && !test.ShouldFail {
+			t.Errorf("Test %d: should pass but failed with: %v", i, err)
+		}
+	}
+}
+
 var s3IsRequestedTests = []struct {
 	Header   http.Header
 	Expected bool