remove SSE-S3 key rotation in CopyObject (#8278)

This commit removes the SSE-S3 key rotation functionality
from CopyObject since there will be a dedicated Admin-API
for this purpose.

Also update the security documentation to link to mc and
the admin documentation.

cmd/object-handlers.go

@@ -707,6 +707,7 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
 		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMetadataDirective), r.URL, guessIsBrowserReq(r))
 		return
 	}
+
 	// This request header needs to be set prior to setting ObjectOptions
 	if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) {
 		r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
@@ -733,11 +734,8 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
 	}
 
 	cpSrcDstSame := isStringEqual(pathJoin(srcBucket, srcObject), pathJoin(dstBucket, dstObject))
-
+	if globalWORMEnabled { // Deny if WORM is enabled.
-	// Deny if WORM is enabled. If operation is key rotation of SSE-S3 encrypted object
+		if _, err := objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
-	// allow the operation
-	if globalWORMEnabled && !(cpSrcDstSame && crypto.S3.IsRequested(r.Header)) {
-		if _, err = objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
 			writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
 			return
 		}
@@ -775,11 +773,6 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	// Deny if WORM is enabled, and it is not a SSE-S3 -> SSE-S3 key rotation or if metadata replacement is requested.
-	if globalWORMEnabled && cpSrcDstSame && (!crypto.S3.IsEncrypted(srcInfo.UserDefined) || isMetadataReplace(r.Header)) {
-		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
-		return
-	}
 	// We have to copy metadata only if source and destination are same.
 	// this changes for encryption which can be observed below.
 	if cpSrcDstSame {
@@ -866,14 +859,12 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
 		// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
 		// than execute a key rotation.
 		var keyRotation bool
-		if cpSrcDstSame && ((sseCopyC && sseC) || (sseS3 && sseCopyS3)) {
+		if cpSrcDstSame && (sseCopyC && sseC) {
-			if sseCopyC && sseC {
 			oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
 			if err != nil {
 				writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
 				return
 			}
-			}
 
 			for k, v := range srcInfo.UserDefined {
 				if hasPrefix(k, ReservedMetadataPrefix) {

docs/security/README.md

@@ -158,12 +158,11 @@ component that performs key sealing/unsealing operations to build a key hierarch
 
 #### Key rotation - Basic Operation
 
-The MinIO server supports key rotation for SSE-S3 encrypted objects. Therefore, an S3 client 
+The MinIO server supports key rotation for SSE-S3 encrypted objects. The minio server decrypts 
-must perform a S3 COPY operation where the copy source and destination are equal and the SSE-S3 HTTP 
+the OEK using the current encrypted data key and the master key ID of the object metadata. If
-header is set. The minio server decrypts the OEK using the current encrypted data key and the
+this succeeds, the server requests a new data key from the KMS using the master key ID of
-master key ID of the object metadata. If this succeeds, the server requests a new data key
+the **current MinIO KMS configuration** and re-wraps the *OEK* with a new *KEK* derived from
-from the KMS using the master key ID of the **current MinIO KMS configuration** and re-wraps the
+the new data key / EK:
-*OEK* with a new *KEK* derived from the new data key / EK:
 
 ```
               object metadata                                         KMS
@@ -203,21 +202,10 @@ from the KMS using the master key ID of the **current MinIO KMS configuration**
  ```
 <center>Figure 3 - KMS data key rotation</center>
 
-#### Key rotation - Extensions
+Only the root/admin user can perform an SSE-S3 key rotation using the Admin-API via [mc](https://github.com/minio/mc).
-
+For more details about how to perform key management operations using the CLI refer to
-The basic SSE-S3 key rotation operation can be used to build more powerful key management 
+[mc admin guide](https://github.com/minio/mc/blob/master/docs/minio-admin-complete-guide.md)
-operations. The following options are possible to perform manually but do not have fully 
+or run `mc admin kms key`. 
-functional API's at this time.
-
-1. **Master key migration**: The [SSE-S3 key rotation](#Key-rotation---Basic-Operation) can be performed
-                             on multiple/all objects to move them from one to another master key.
-2. **Secure object erasure**: The [SSE-S3 key rotation](#Key-rotation---Basic-Operation) can be applied
-                              to one/multiple objects with a randomly generated master key which is
-                              not stored at the KMS. That leads to an encrypted data key which can
-                              never be decrypted anymore.
-3. **Periodical key migration**: The [SSE-S3 key rotation](#Key-rotation---Basic-Operation) can be 
-                                 invoked after a certain time period to migrate one or more objects
-                                 from one master key to another.
 
 #### Secure Erasure and Locking