MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 23:13:23 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix ETag handling with auto-encryption with CopyObject conditions (#7000)

Browse Source 
minio-java tests were failing under multiple places when
auto encryption was turned on, handle all the cases properly

This PR fixes

 - CopyObject should decrypt ETag before it does if-match
 - CopyObject should not try to preserve metadata of source
   when rotating keys, unless explicitly asked by the user.
 - We should not try to decrypt Compressed object etag, the
   potential case was if user sets encryption headers along
   with compression enabled.
This commit is contained in:
Harshavardhana 2018-12-19 14:12:53 -08:00 committed by kannappanr
parent 8c32311b80
commit d2f8f8c7ee
2 changed files with 19 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/object-api-utils.go
View File

@ -503,6 +503,9 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, cleanUpFns ...func())
return nil, err return nil, err
} }
// Decrypt the ETag before top layer consumes this value.
oi.ETag = getDecryptedETag(h, oi, copySource)
// Apply the skipLen and limit on the // Apply the skipLen and limit on the
// decrypted stream // decrypted stream
decReader = io.LimitReader(ioutil.NewSkipReader(decReader, skipLen), decRangeLength) decReader = io.LimitReader(ioutil.NewSkipReader(decReader, skipLen), decRangeLength)

32
cmd/object-handlers.go
View File

@ -935,8 +935,11 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
return return
} }
} }
for k, v := range srcInfo.UserDefined { for k, v := range srcInfo.UserDefined {
encMetadata[k] = v if hasPrefix(k, ReservedMetadataPrefix) {
encMetadata[k] = v
}
} }
// In case of SSE-S3 oldKey and newKey aren't used - the KMS manages the keys. // In case of SSE-S3 oldKey and newKey aren't used - the KMS manages the keys.
@ -1317,15 +1320,15 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
return return
} }
etag := objInfo.ETag
if objInfo.IsCompressed() { if objInfo.IsCompressed() {
// Ignore compressed ETag. // Ignore compressed ETag.
objInfo.ETag = objInfo.ETag + "-1" etag = objInfo.ETag + "-1"
} } else if hasServerSideEncryptionHeader(r.Header) {
if hasServerSideEncryptionHeader(r.Header) { etag = getDecryptedETag(r.Header, objInfo, false)
w.Header().Set("ETag", "\""+getDecryptedETag(r.Header, objInfo, false)+"\"")
} else {
w.Header().Set("ETag", "\""+objInfo.ETag+"\"")
} }
w.Header().Set("ETag", "\""+etag+"\"")
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if crypto.IsEncrypted(objInfo.UserDefined) { if crypto.IsEncrypted(objInfo.UserDefined) {
switch { switch {
@ -1970,19 +1973,16 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r)) writeErrorResponse(w, toAPIErrorCode(ctx, err), r.URL, guessIsBrowserReq(r))
return return
} }
etag := partInfo.ETag
if isCompressed { if isCompressed {
pipeWriter.Close() pipeWriter.Close()
// Suppress compressed ETag. // Suppress compressed ETag.
partInfo.ETag = partInfo.ETag + "-1" etag = partInfo.ETag + "-1"
} } else if isEncrypted {
etag = tryDecryptETag(objectEncryptionKey, partInfo.ETag, crypto.SSEC.IsRequested(r.Header))
if partInfo.ETag != "" {
if isEncrypted {
w.Header().Set("ETag", "\""+tryDecryptETag(objectEncryptionKey, partInfo.ETag, crypto.SSEC.IsRequested(r.Header))+"\"")
} else {
w.Header().Set("ETag", "\""+partInfo.ETag+"\"")
}
} }
w.Header().Set("ETag", "\""+etag+"\"")
writeSuccessResponseHeadersOnly(w) writeSuccessResponseHeadersOnly(w)
} }