mirror of
https://github.com/minio/minio.git
synced 2025-01-11 23:13:23 -05:00
fix: kms-id header should have arn:aws:kms: prefix (#13833)
arn:aws:kms: is a must for KMS keyID.
parent
8591d17d82
commit
be34fc9134
@ -68,6 +68,21 @@ const (
|
|||||||
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// KMSKeyID returns in AWS compatible KMS KeyID() format.
|
||||||
|
func (o ObjectInfo) KMSKeyID() string {
|
||||||
|
if len(o.UserDefined) == 0 {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
kmsID, ok := o.UserDefined[crypto.MetaKeyID]
|
||||||
|
if !ok {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
if strings.HasPrefix(kmsID, "arn:aws:kms:") {
|
||||||
|
return kmsID
|
||||||
|
}
|
||||||
|
return "arn:aws:kms:" + kmsID
|
||||||
|
}
|
||||||
|
|
||||||
// isMultipart returns true if the current object is
|
// isMultipart returns true if the current object is
|
||||||
// uploaded by the user using multipart mechanism:
|
// uploaded by the user using multipart mechanism:
|
||||||
// initiate new multipart, upload part, complete upload
|
// initiate new multipart, upload part, complete upload
|
||||||
|
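Review bot: KMSKeyID returns the bare string `arn:aws:kms:` when the metadata entry exists but holds an empty value, because only the `ok` flag is tested before the prefix is prepended. Replacing both early returns with `kmsID := o.UserDefined[crypto.MetaKeyID]` followed by `if kmsID == "" { return "" }` covers that case, and it makes the `len(o.UserDefined) == 0` guard unnecessary since indexing a nil map is safe in Go. The prefix literal is written twice; a named constant would keep the `HasPrefix` test and the concatenation in step. The doc comment would read more clearly as `// KMSKeyID returns the object's KMS key ID carrying the "arn:aws:kms:" prefix, or "" when none is recorded.`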
@ -282,7 +282,7 @@ func (api objectAPIHandlers) SelectObjectContentHandler(w http.ResponseWriter, r
|
|||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
||||||
case crypto.S3KMS:
|
case crypto.S3KMS:
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
|
||||||
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
||||||
}
|
}
|
||||||
@ -481,7 +481,7 @@ func (api objectAPIHandlers) getObjectHandler(ctx context.Context, objectAPI Obj
|
|||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
||||||
case crypto.S3KMS:
|
case crypto.S3KMS:
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
|
||||||
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
||||||
}
|
}
|
||||||
@ -729,7 +729,7 @@ func (api objectAPIHandlers) headObjectHandler(ctx context.Context, objectAPI Ob
|
|||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionAES)
|
||||||
case crypto.S3KMS:
|
case crypto.S3KMS:
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
|
||||||
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
||||||
}
|
}
|
||||||
@ -1817,7 +1817,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
|
|||||||
objInfo.ETag, _ = DecryptETag(objectEncryptionKey, ObjectInfo{ETag: objInfo.ETag})
|
objInfo.ETag, _ = DecryptETag(objectEncryptionKey, ObjectInfo{ETag: objInfo.ETag})
|
||||||
case crypto.S3KMS:
|
case crypto.S3KMS:
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
w.Header().Set(xhttp.AmzServerSideEncryption, xhttp.AmzEncryptionKMS)
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.UserDefined[crypto.MetaKeyID])
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, objInfo.KMSKeyID())
|
||||||
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
if kmsCtx, ok := objInfo.UserDefined[crypto.MetaContext]; ok {
|
||||||
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
w.Header().Set(xhttp.AmzServerSideEncryptionKmsContext, kmsCtx)
|
||||||
}
|
}
|
||||||
|
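Review bot: The `case crypto.S3KMS` branch in SelectObjectContentHandler sets `xhttp.AmzServerSideEncryptionKmsID` unconditionally, so an object with no recorded key ID would get the header with an empty value; the same line appears in getObjectHandler, headObjectHandler and PutObjectHandler. A guard such as `if id := objInfo.KMSKeyID(); id != "" { w.Header().Set(xhttp.AmzServerSideEncryptionKmsID, id) }` avoids advertising a key identifier that does not exist. Responses now carry the ARN form while the stored metadata apparently keeps the bare name, so any request path that accepts a key ID from a client presumably has to accept and strip the same prefix before the key lookup; that code is not visible in these hunks and should be confirmed. All four handlers start and end outside the hunks shown.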
@ -108,7 +108,7 @@ NOTE:
|
|||||||
"Vary": "Origin,Accept-Encoding",
|
"Vary": "Origin,Accept-Encoding",
|
||||||
"X-Amz-Request-Id": "16ABE7A785E7AC2C",
|
"X-Amz-Request-Id": "16ABE7A785E7AC2C",
|
||||||
"X-Amz-Server-Side-Encryption": "aws:kms",
|
"X-Amz-Server-Side-Encryption": "aws:kms",
|
||||||
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "my-minio-key",
|
"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "arn:aws:kms:my-minio-key",
|
||||||
"X-Content-Type-Options": "nosniff",
|
"X-Content-Type-Options": "nosniff",
|
||||||
"X-Xss-Protection": "1; mode=block",
|
"X-Xss-Protection": "1; mode=block",
|
||||||
"x-amz-version-id": "ac4639f6-c544-4f3f-af1e-b4c0736f67f9"
|
"x-amz-version-id": "ac4639f6-c544-4f3f-af1e-b4c0736f67f9"
|
||||||
|