mirror of
https://github.com/minio/minio.git
synced 2025-01-11 23:13:23 -05:00
enable SSE-KMS pass-through on S3 gateway (#7788)
This commit relaxes the restriction that the MinIO gateway does not accept SSE-KMS headers. Now, the S3 gateway allows SSE-KMS headers for PUT and MULTIPART PUT requests and forwards them to the S3 gateway backend (AWS). This is considered SSE pass-through mode. Fixes #7753
This commit is contained in:
parent
35c38e4bd8
commit
98d3913a1e
@ -28,10 +28,12 @@ type objectAPIHandlers struct {
|
|||||||
CacheAPI func() CacheObjectLayer
|
CacheAPI func() CacheObjectLayer
|
||||||
// Returns true of handlers should interpret encryption.
|
// Returns true of handlers should interpret encryption.
|
||||||
EncryptionEnabled func() bool
|
EncryptionEnabled func() bool
|
||||||
|
// Returns true if handlers allow SSE-KMS encryption headers.
|
||||||
|
AllowSSEKMS func() bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// registerAPIRouter - registers S3 compatible APIs.
|
// registerAPIRouter - registers S3 compatible APIs.
|
||||||
func registerAPIRouter(router *mux.Router, encryptionEnabled bool) {
|
func registerAPIRouter(router *mux.Router, encryptionEnabled, allowSSEKMS bool) {
|
||||||
// Initialize API.
|
// Initialize API.
|
||||||
api := objectAPIHandlers{
|
api := objectAPIHandlers{
|
||||||
ObjectAPI: newObjectLayerFn,
|
ObjectAPI: newObjectLayerFn,
|
||||||
@ -39,6 +41,9 @@ func registerAPIRouter(router *mux.Router, encryptionEnabled bool) {
|
|||||||
EncryptionEnabled: func() bool {
|
EncryptionEnabled: func() bool {
|
||||||
return encryptionEnabled
|
return encryptionEnabled
|
||||||
},
|
},
|
||||||
|
AllowSSEKMS: func() bool {
|
||||||
|
return allowSSEKMS
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
// API Router
|
// API Router
|
||||||
|
@ -18,6 +18,7 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
|
"encoding/json"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
@ -125,6 +126,25 @@ func (s3KMS) IsRequested(h http.Header) bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ParseHTTP parses the SSE-KMS headers and returns the SSE-KMS key ID
|
||||||
|
// and context, if present, on success.
|
||||||
|
func (s3KMS) ParseHTTP(h http.Header) (string, interface{}, error) {
|
||||||
|
algorithm := h.Get(SSEHeader)
|
||||||
|
if algorithm != SSEAlgorithmKMS {
|
||||||
|
return "", nil, ErrInvalidEncryptionMethod
|
||||||
|
}
|
||||||
|
|
||||||
|
contextStr, ok := h[SSEKmsContext]
|
||||||
|
if ok {
|
||||||
|
var context map[string]interface{}
|
||||||
|
if err := json.Unmarshal([]byte(contextStr[0]), &context); err != nil {
|
||||||
|
return "", nil, err
|
||||||
|
}
|
||||||
|
return h.Get(SSEKmsID), context, nil
|
||||||
|
}
|
||||||
|
return h.Get(SSEKmsID), nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// SSEC represents AWS SSE-C. It provides functionality to handle
|
// SSEC represents AWS SSE-C. It provides functionality to handle
|
||||||
// SSE-C requests.
|
// SSE-C requests.
|
||||||
|
@ -54,6 +54,56 @@ func TestKMSIsRequested(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var kmsParseHTTPTests = []struct {
|
||||||
|
Header http.Header
|
||||||
|
ShouldFail bool
|
||||||
|
}{
|
||||||
|
{Header: http.Header{}, ShouldFail: true}, // 0
|
||||||
|
{Header: http.Header{"X-Amz-Server-Side-Encryption": []string{"aws:kms"}}, ShouldFail: false}, // 1
|
||||||
|
{Header: http.Header{
|
||||||
|
"X-Amz-Server-Side-Encryption": []string{"aws:kms"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
|
||||||
|
}, ShouldFail: false}, // 2
|
||||||
|
{Header: http.Header{
|
||||||
|
"X-Amz-Server-Side-Encryption": []string{"aws:kms"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Context": []string{"{}"},
|
||||||
|
}, ShouldFail: false}, // 3
|
||||||
|
{Header: http.Header{
|
||||||
|
"X-Amz-Server-Side-Encryption": []string{"aws:kms"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Context": []string{"{\"bucket\": \"some-bucket\"}"},
|
||||||
|
}, ShouldFail: false}, // 4
|
||||||
|
{Header: http.Header{
|
||||||
|
"X-Amz-Server-Side-Encryption": []string{"aws:kms"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Context": []string{"{\"bucket\": \"some-bucket\"}"},
|
||||||
|
}, ShouldFail: false}, // 5
|
||||||
|
{Header: http.Header{
|
||||||
|
"X-Amz-Server-Side-Encryption": []string{"AES256"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Context": []string{"{\"bucket\": \"some-bucket\"}"},
|
||||||
|
}, ShouldFail: true}, // 6
|
||||||
|
{Header: http.Header{
|
||||||
|
"X-Amz-Server-Side-Encryption": []string{"aws:kms"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": []string{"s3-007-293847485-724784"},
|
||||||
|
"X-Amz-Server-Side-Encryption-Context": []string{"{\"bucket\": \"some-bucket\""}, // invalid JSON
|
||||||
|
}, ShouldFail: true}, // 7
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestKMSParseHTTP(t *testing.T) {
|
||||||
|
for i, test := range kmsParseHTTPTests {
|
||||||
|
_, _, err := S3KMS.ParseHTTP(test.Header)
|
||||||
|
if err == nil && test.ShouldFail {
|
||||||
|
t.Errorf("Test %d: should fail but succeeded", i)
|
||||||
|
}
|
||||||
|
if err != nil && !test.ShouldFail {
|
||||||
|
t.Errorf("Test %d: should pass but failed with: %v", i, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var s3IsRequestedTests = []struct {
|
var s3IsRequestedTests = []struct {
|
||||||
Header http.Header
|
Header http.Header
|
||||||
Expected bool
|
Expected bool
|
||||||
|
@ -1238,6 +1238,17 @@ func putOpts(ctx context.Context, r *http.Request, bucket, object string, metada
|
|||||||
opts.UserDefined = metadata
|
opts.UserDefined = metadata
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if crypto.S3KMS.IsRequested(r.Header) {
|
||||||
|
keyID, context, err := crypto.S3KMS.ParseHTTP(r.Header)
|
||||||
|
if err != nil {
|
||||||
|
return ObjectOptions{}, err
|
||||||
|
}
|
||||||
|
sseKms, err := encrypt.NewSSEKMS(keyID, context)
|
||||||
|
if err != nil {
|
||||||
|
return ObjectOptions{}, err
|
||||||
|
}
|
||||||
|
return ObjectOptions{ServerSideEncryption: sseKms, UserDefined: metadata}, nil
|
||||||
|
}
|
||||||
// default case of passing encryption headers and UserDefined metadata to backend
|
// default case of passing encryption headers and UserDefined metadata to backend
|
||||||
return getDefaultOpts(r.Header, false, metadata)
|
return getDefaultOpts(r.Header, false, metadata)
|
||||||
}
|
}
|
||||||
|
@ -181,9 +181,10 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
|
|||||||
|
|
||||||
// Currently only NAS and S3 gateway support encryption headers.
|
// Currently only NAS and S3 gateway support encryption headers.
|
||||||
encryptionEnabled := gatewayName == "s3" || gatewayName == "nas"
|
encryptionEnabled := gatewayName == "s3" || gatewayName == "nas"
|
||||||
|
allowSSEKMS := gatewayName == "s3" // Only S3 can support SSE-KMS (as pass-through)
|
||||||
|
|
||||||
// Add API router.
|
// Add API router.
|
||||||
registerAPIRouter(router, encryptionEnabled)
|
registerAPIRouter(router, encryptionEnabled, allowSSEKMS)
|
||||||
|
|
||||||
var getCert certs.GetCertificateFunc
|
var getCert certs.GetCertificateFunc
|
||||||
if globalTLSCerts != nil {
|
if globalTLSCerts != nil {
|
||||||
|
@ -442,7 +442,8 @@ func (l *s3EncObjects) PutObject(ctx context.Context, bucket string, object stri
|
|||||||
// Decide if sse options needed to be passed to backend
|
// Decide if sse options needed to be passed to backend
|
||||||
if opts.ServerSideEncryption != nil &&
|
if opts.ServerSideEncryption != nil &&
|
||||||
((minio.GlobalGatewaySSE.SSEC() && opts.ServerSideEncryption.Type() == encrypt.SSEC) ||
|
((minio.GlobalGatewaySSE.SSEC() && opts.ServerSideEncryption.Type() == encrypt.SSEC) ||
|
||||||
(minio.GlobalGatewaySSE.SSES3() && opts.ServerSideEncryption.Type() == encrypt.S3)) {
|
(minio.GlobalGatewaySSE.SSES3() && opts.ServerSideEncryption.Type() == encrypt.S3) ||
|
||||||
|
opts.ServerSideEncryption.Type() == encrypt.KMS) {
|
||||||
sseOpts = opts.ServerSideEncryption
|
sseOpts = opts.ServerSideEncryption
|
||||||
}
|
}
|
||||||
if opts.ServerSideEncryption == nil {
|
if opts.ServerSideEncryption == nil {
|
||||||
|
@ -1052,7 +1052,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
|
|||||||
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
|
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if crypto.S3KMS.IsRequested(r.Header) {
|
if crypto.S3KMS.IsRequested(r.Header) && !api.AllowSSEKMS() {
|
||||||
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
|
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -1178,7 +1178,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This request header needs to be set prior to setting ObjectOptions
|
// This request header needs to be set prior to setting ObjectOptions
|
||||||
if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) {
|
if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1315,7 +1315,7 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
|
|||||||
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
|
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if crypto.S3KMS.IsRequested(r.Header) {
|
if crypto.S3KMS.IsRequested(r.Header) && !api.AllowSSEKMS() {
|
||||||
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
|
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrNotImplemented), r.URL, guessIsBrowserReq(r)) // SSE-KMS is not supported
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -1333,7 +1333,7 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This request header needs to be set prior to setting ObjectOptions
|
// This request header needs to be set prior to setting ObjectOptions
|
||||||
if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) {
|
if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -119,8 +119,9 @@ func configureServerHandler(endpoints EndpointList) (http.Handler, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add API router, additionally all server mode support encryption.
|
// Add API router, additionally all server mode support encryption
|
||||||
registerAPIRouter(router, true)
|
// but don't allow SSE-KMS.
|
||||||
|
registerAPIRouter(router, true, false)
|
||||||
|
|
||||||
// Register rest of the handlers.
|
// Register rest of the handlers.
|
||||||
return registerHandlers(router, globalHandlers...), nil
|
return registerHandlers(router, globalHandlers...), nil
|
||||||
|
@ -2135,7 +2135,7 @@ func registerBucketLevelFunc(bucket *mux.Router, api objectAPIHandlers, apiFunct
|
|||||||
func registerAPIFunctions(muxRouter *mux.Router, objLayer ObjectLayer, apiFunctions ...string) {
|
func registerAPIFunctions(muxRouter *mux.Router, objLayer ObjectLayer, apiFunctions ...string) {
|
||||||
if len(apiFunctions) == 0 {
|
if len(apiFunctions) == 0 {
|
||||||
// Register all api endpoints by default.
|
// Register all api endpoints by default.
|
||||||
registerAPIRouter(muxRouter, true)
|
registerAPIRouter(muxRouter, true, false)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
// API Router.
|
// API Router.
|
||||||
@ -2176,7 +2176,7 @@ func initTestAPIEndPoints(objLayer ObjectLayer, apiFunctions []string) http.Hand
|
|||||||
registerAPIFunctions(muxRouter, objLayer, apiFunctions...)
|
registerAPIFunctions(muxRouter, objLayer, apiFunctions...)
|
||||||
return muxRouter
|
return muxRouter
|
||||||
}
|
}
|
||||||
registerAPIRouter(muxRouter, true)
|
registerAPIRouter(muxRouter, true, false)
|
||||||
return muxRouter
|
return muxRouter
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user