do not crash when KMS is not enabled (#14634)

KMS when not enabled might crash when listing an object that previously had SSE-S3 enabled, fail appropriately in such situations.
2025-01-26 14:13:16 -05:00 · 2022-03-27 08:54:01 -07:00 · 2022-03-27 08:54:01 -07:00 · ecfae074dc
commit ecfae074dc
parent be5d394e56
2 changed files with 11 additions and 0 deletions
--- a/internal/crypto/sse-kms.go
+++ b/internal/crypto/sse-kms.go
@ -96,6 +96,10 @@ func (ssekms) IsEncrypted(metadata map[string]string) bool {
 // from the metadata using KMS and returns the decrypted object
 // key.
 func (s3 ssekms) UnsealObjectKey(KMS kms.KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
+	if KMS == nil {
+		return key, Errorf("KMS not configured")
+	}
+
 	keyID, kmsKey, sealedKey, ctx, err := s3.ParseMetadata(metadata)
 	if err != nil {
 		return key, err
--- a/internal/crypto/sse-s3.go
+++ b/internal/crypto/sse-s3.go
@ -72,6 +72,9 @@ func (sses3) IsEncrypted(metadata map[string]string) bool {
 // from the metadata using KMS and returns the decrypted object
 // key.
 func (s3 sses3) UnsealObjectKey(KMS kms.KMS, metadata map[string]string, bucket, object string) (key ObjectKey, err error) {
+	if KMS == nil {
+		return key, Errorf("KMS not configured")
+	}
 	keyID, kmsKey, sealedKey, err := s3.ParseMetadata(metadata)
 	if err != nil {
 		return key, err
@ -90,6 +93,10 @@ func (s3 sses3) UnsealObjectKey(KMS kms.KMS, metadata map[string]string, bucket,
 //
 // The metadata, buckets and objects slices must have the same length.
 func (s3 sses3) UnsealObjectKeys(KMS kms.KMS, metadata []map[string]string, buckets, objects []string) ([]ObjectKey, error) {
+	if KMS == nil {
+		return nil, Errorf("KMS not configured")
+	}
+
 	if len(metadata) != len(buckets) || len(metadata) != len(objects) {
 		return nil, Errorf("invalid metadata/object count: %d != %d != %d", len(metadata), len(buckets), len(objects))
 	}