mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
webhandler - display encryption errors properly (#6339)
For encrypted objects, download errors need to be displayed in web response format instead of xml format. Fixes #6327
This commit is contained in:
parent
01721a840a
commit
d547873b17
@ -43,6 +43,8 @@ var (
|
|||||||
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object")
|
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object")
|
||||||
// Additional Minio errors for SSE-C requests.
|
// Additional Minio errors for SSE-C requests.
|
||||||
errObjectTampered = errors.New("The requested object was modified and may be compromised")
|
errObjectTampered = errors.New("The requested object was modified and may be compromised")
|
||||||
|
// error returned when invalid encryption parameters are specified
|
||||||
|
errInvalidEncryptionParameters = errors.New("The encryption parameters are not applicable to this object")
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -714,28 +716,25 @@ func DecryptCopyObjectInfo(info *ObjectInfo, headers http.Header) (apiErr APIErr
|
|||||||
// decryption succeeded.
|
// decryption succeeded.
|
||||||
//
|
//
|
||||||
// DecryptObjectInfo also returns whether the object is encrypted or not.
|
// DecryptObjectInfo also returns whether the object is encrypted or not.
|
||||||
func DecryptObjectInfo(info *ObjectInfo, headers http.Header) (apiErr APIErrorCode, encrypted bool) {
|
func DecryptObjectInfo(info *ObjectInfo, headers http.Header) (encrypted bool, err error) {
|
||||||
// Directories are never encrypted.
|
// Directories are never encrypted.
|
||||||
if info.IsDir {
|
if info.IsDir {
|
||||||
return ErrNone, false
|
return false, nil
|
||||||
}
|
}
|
||||||
// disallow X-Amz-Server-Side-Encryption header on HEAD and GET
|
// disallow X-Amz-Server-Side-Encryption header on HEAD and GET
|
||||||
if crypto.S3.IsRequested(headers) {
|
if crypto.S3.IsRequested(headers) {
|
||||||
apiErr = ErrInvalidEncryptionParameters
|
err = errInvalidEncryptionParameters
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if apiErr, encrypted = ErrNone, crypto.IsEncrypted(info.UserDefined); !encrypted && crypto.SSEC.IsRequested(headers) {
|
if err, encrypted = nil, crypto.IsEncrypted(info.UserDefined); !encrypted && crypto.SSEC.IsRequested(headers) {
|
||||||
apiErr = ErrInvalidEncryptionParameters
|
err = errInvalidEncryptionParameters
|
||||||
} else if encrypted {
|
} else if encrypted {
|
||||||
if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) ||
|
if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) ||
|
||||||
(crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) {
|
(crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) {
|
||||||
apiErr = ErrSSEEncryptedObject
|
err = errEncryptedObject
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
var err error
|
info.Size, err = info.DecryptedSize()
|
||||||
if info.Size, err = info.DecryptedSize(); err != nil {
|
|
||||||
apiErr = toAPIErrorCode(err)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -521,43 +521,43 @@ func TestDecryptRequest(t *testing.T) {
|
|||||||
var decryptObjectInfoTests = []struct {
|
var decryptObjectInfoTests = []struct {
|
||||||
info ObjectInfo
|
info ObjectInfo
|
||||||
headers http.Header
|
headers http.Header
|
||||||
expErr APIErrorCode
|
expErr error
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
info: ObjectInfo{Size: 100},
|
info: ObjectInfo{Size: 100},
|
||||||
headers: http.Header{},
|
headers: http.Header{},
|
||||||
expErr: ErrNone,
|
expErr: nil,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
|
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
|
||||||
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
||||||
expErr: ErrNone,
|
expErr: nil,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
info: ObjectInfo{Size: 0, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
|
info: ObjectInfo{Size: 0, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
|
||||||
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
||||||
expErr: ErrNone,
|
expErr: nil,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA=="}},
|
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA=="}},
|
||||||
headers: http.Header{},
|
headers: http.Header{},
|
||||||
expErr: ErrSSEEncryptedObject,
|
expErr: errEncryptedObject,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
info: ObjectInfo{Size: 100, UserDefined: map[string]string{}},
|
info: ObjectInfo{Size: 100, UserDefined: map[string]string{}},
|
||||||
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
||||||
expErr: ErrInvalidEncryptionParameters,
|
expErr: errInvalidEncryptionParameters,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
info: ObjectInfo{Size: 31, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
|
info: ObjectInfo{Size: 31, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
|
||||||
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
|
||||||
expErr: ErrObjectTampered,
|
expErr: errObjectTampered,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDecryptObjectInfo(t *testing.T) {
|
func TestDecryptObjectInfo(t *testing.T) {
|
||||||
for i, test := range decryptObjectInfoTests {
|
for i, test := range decryptObjectInfoTests {
|
||||||
if err, encrypted := DecryptObjectInfo(&test.info, test.headers); err != test.expErr {
|
if encrypted, err := DecryptObjectInfo(&test.info, test.headers); err != test.expErr {
|
||||||
t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
|
t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
|
||||||
} else if enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
|
} else if enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
|
||||||
t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)
|
t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)
|
||||||
|
@ -306,8 +306,8 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req
|
|||||||
}
|
}
|
||||||
|
|
||||||
if objectAPI.IsEncryptionSupported() {
|
if objectAPI.IsEncryptionSupported() {
|
||||||
if apiErr, _ := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone {
|
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
|
||||||
writeErrorResponse(w, apiErr, r.URL)
|
writeErrorResponse(w, toAPIErrorCode(err), r.URL)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -468,10 +468,10 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
|
|||||||
writeErrorResponseHeadersOnly(w, toAPIErrorCode(err))
|
writeErrorResponseHeadersOnly(w, toAPIErrorCode(err))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
var encrypted bool
|
||||||
if objectAPI.IsEncryptionSupported() {
|
if objectAPI.IsEncryptionSupported() {
|
||||||
if apiErr, encrypted := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone {
|
if encrypted, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
|
||||||
writeErrorResponse(w, apiErr, r.URL)
|
writeErrorResponse(w, toAPIErrorCode(err), r.URL)
|
||||||
return
|
return
|
||||||
} else if encrypted {
|
} else if encrypted {
|
||||||
s3Encrypted := crypto.S3.IsEncrypted(objInfo.UserDefined)
|
s3Encrypted := crypto.S3.IsEncrypted(objInfo.UserDefined)
|
||||||
|
@ -715,8 +715,8 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if objectAPI.IsEncryptionSupported() {
|
if objectAPI.IsEncryptionSupported() {
|
||||||
if apiErr, _ := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone {
|
if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
|
||||||
writeErrorResponse(w, apiErr, r.URL)
|
writeWebErrorResponse(w, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -818,8 +818,8 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if objectAPI.IsEncryptionSupported() {
|
if objectAPI.IsEncryptionSupported() {
|
||||||
if apiErr, _ := DecryptObjectInfo(&info, r.Header); apiErr != ErrNone {
|
if _, err = DecryptObjectInfo(&info, r.Header); err != nil {
|
||||||
writeErrorResponse(w, apiErr, r.URL)
|
writeWebErrorResponse(w, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1235,6 +1235,12 @@ func toWebAPIError(err error) APIError {
|
|||||||
HTTPStatusCode: http.StatusBadRequest,
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
Description: err.Error(),
|
Description: err.Error(),
|
||||||
}
|
}
|
||||||
|
} else if err == errEncryptedObject {
|
||||||
|
return getAPIError(ErrSSEEncryptedObject)
|
||||||
|
} else if err == errInvalidEncryptionParameters {
|
||||||
|
return getAPIError(ErrInvalidEncryptionParameters)
|
||||||
|
} else if err == errObjectTampered {
|
||||||
|
return getAPIError(ErrObjectTampered)
|
||||||
} else if err == errMethodNotAllowed {
|
} else if err == errMethodNotAllowed {
|
||||||
return getAPIError(ErrMethodNotAllowed)
|
return getAPIError(ErrMethodNotAllowed)
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user