webhandler - display encryption errors properly (#6339)

For encrypted objects, download errors need to be
displayed in web response format instead of xml format.

Fixes #6327
This commit is contained in:
poornas 2018-08-24 07:56:24 -07:00 committed by kannappanr
parent 01721a840a
commit d547873b17
4 changed files with 32 additions and 27 deletions

View File

@ -43,6 +43,8 @@ var (
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object") errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object")
// Additional Minio errors for SSE-C requests. // Additional Minio errors for SSE-C requests.
errObjectTampered = errors.New("The requested object was modified and may be compromised") errObjectTampered = errors.New("The requested object was modified and may be compromised")
// error returned when invalid encryption parameters are specified
errInvalidEncryptionParameters = errors.New("The encryption parameters are not applicable to this object")
) )
const ( const (
@ -714,28 +716,25 @@ func DecryptCopyObjectInfo(info *ObjectInfo, headers http.Header) (apiErr APIErr
// decryption succeeded. // decryption succeeded.
// //
// DecryptObjectInfo also returns whether the object is encrypted or not. // DecryptObjectInfo also returns whether the object is encrypted or not.
func DecryptObjectInfo(info *ObjectInfo, headers http.Header) (apiErr APIErrorCode, encrypted bool) { func DecryptObjectInfo(info *ObjectInfo, headers http.Header) (encrypted bool, err error) {
// Directories are never encrypted. // Directories are never encrypted.
if info.IsDir { if info.IsDir {
return ErrNone, false return false, nil
} }
// disallow X-Amz-Server-Side-Encryption header on HEAD and GET // disallow X-Amz-Server-Side-Encryption header on HEAD and GET
if crypto.S3.IsRequested(headers) { if crypto.S3.IsRequested(headers) {
apiErr = ErrInvalidEncryptionParameters err = errInvalidEncryptionParameters
return return
} }
if apiErr, encrypted = ErrNone, crypto.IsEncrypted(info.UserDefined); !encrypted && crypto.SSEC.IsRequested(headers) { if err, encrypted = nil, crypto.IsEncrypted(info.UserDefined); !encrypted && crypto.SSEC.IsRequested(headers) {
apiErr = ErrInvalidEncryptionParameters err = errInvalidEncryptionParameters
} else if encrypted { } else if encrypted {
if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) || if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) ||
(crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) { (crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) {
apiErr = ErrSSEEncryptedObject err = errEncryptedObject
return return
} }
var err error info.Size, err = info.DecryptedSize()
if info.Size, err = info.DecryptedSize(); err != nil {
apiErr = toAPIErrorCode(err)
}
} }
return return
} }

View File

@ -521,43 +521,43 @@ func TestDecryptRequest(t *testing.T) {
var decryptObjectInfoTests = []struct { var decryptObjectInfoTests = []struct {
info ObjectInfo info ObjectInfo
headers http.Header headers http.Header
expErr APIErrorCode expErr error
}{ }{
{ {
info: ObjectInfo{Size: 100}, info: ObjectInfo{Size: 100},
headers: http.Header{}, headers: http.Header{},
expErr: ErrNone, expErr: nil,
}, },
{ {
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}}, info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrNone, expErr: nil,
}, },
{ {
info: ObjectInfo{Size: 0, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}}, info: ObjectInfo{Size: 0, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrNone, expErr: nil,
}, },
{ {
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA=="}}, info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA=="}},
headers: http.Header{}, headers: http.Header{},
expErr: ErrSSEEncryptedObject, expErr: errEncryptedObject,
}, },
{ {
info: ObjectInfo{Size: 100, UserDefined: map[string]string{}}, info: ObjectInfo{Size: 100, UserDefined: map[string]string{}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrInvalidEncryptionParameters, expErr: errInvalidEncryptionParameters,
}, },
{ {
info: ObjectInfo{Size: 31, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}}, info: ObjectInfo{Size: 31, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrObjectTampered, expErr: errObjectTampered,
}, },
} }
func TestDecryptObjectInfo(t *testing.T) { func TestDecryptObjectInfo(t *testing.T) {
for i, test := range decryptObjectInfoTests { for i, test := range decryptObjectInfoTests {
if err, encrypted := DecryptObjectInfo(&test.info, test.headers); err != test.expErr { if encrypted, err := DecryptObjectInfo(&test.info, test.headers); err != test.expErr {
t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr) t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
} else if enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted { } else if enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i) t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)

View File

@ -306,8 +306,8 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req
} }
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, _ := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone { if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeErrorResponse(w, toAPIErrorCode(err), r.URL)
return return
} }
} }
@ -468,10 +468,10 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
writeErrorResponseHeadersOnly(w, toAPIErrorCode(err)) writeErrorResponseHeadersOnly(w, toAPIErrorCode(err))
return return
} }
var encrypted bool
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, encrypted := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone { if encrypted, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeErrorResponse(w, toAPIErrorCode(err), r.URL)
return return
} else if encrypted { } else if encrypted {
s3Encrypted := crypto.S3.IsEncrypted(objInfo.UserDefined) s3Encrypted := crypto.S3.IsEncrypted(objInfo.UserDefined)

View File

@ -715,8 +715,8 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
} }
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, _ := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone { if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeWebErrorResponse(w, err)
return return
} }
} }
@ -818,8 +818,8 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
return err return err
} }
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, _ := DecryptObjectInfo(&info, r.Header); apiErr != ErrNone { if _, err = DecryptObjectInfo(&info, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeWebErrorResponse(w, err)
return err return err
} }
} }
@ -1235,6 +1235,12 @@ func toWebAPIError(err error) APIError {
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
Description: err.Error(), Description: err.Error(),
} }
} else if err == errEncryptedObject {
return getAPIError(ErrSSEEncryptedObject)
} else if err == errInvalidEncryptionParameters {
return getAPIError(ErrInvalidEncryptionParameters)
} else if err == errObjectTampered {
return getAPIError(ErrObjectTampered)
} else if err == errMethodNotAllowed { } else if err == errMethodNotAllowed {
return getAPIError(ErrMethodNotAllowed) return getAPIError(ErrMethodNotAllowed)
} }