more compliance related fixes (#17408)

- lifecycle must return InvalidArgument for rule errors
- do not return `null` versionId in HTTP header
- reject mixed SSE uploads with correct error message
This commit is contained in:
Harshavardhana 2023-06-13 13:52:33 -07:00 committed by GitHub
parent 22c247a988
commit f32efd5429
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 52 additions and 17 deletions

View File

@ -1121,8 +1121,13 @@ var errorCodes = errorCodeMap{
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
}, },
ErrInvalidEncryptionMethod: { ErrInvalidEncryptionMethod: {
Code: "InvalidRequest", Code: "InvalidArgument",
Description: "The encryption method specified is not supported", Description: "Server Side Encryption with AWS KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms",
HTTPStatusCode: http.StatusBadRequest,
},
ErrIncompatibleEncryptionMethod: {
Code: "InvalidArgument",
Description: "Server Side Encryption with Customer provided key is incompatible with the encryption method specified",
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
}, },
ErrInvalidEncryptionKeyID: { ErrInvalidEncryptionKeyID: {
@ -1185,11 +1190,6 @@ var errorCodes = errorCodeMap{
Description: "The provided encryption parameters did not match the ones used originally.", Description: "The provided encryption parameters did not match the ones used originally.",
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
}, },
ErrIncompatibleEncryptionMethod: {
Code: "InvalidArgument",
Description: "Server side encryption specified with both SSE-C and SSE-S3 headers",
HTTPStatusCode: http.StatusBadRequest,
},
ErrKMSNotConfigured: { ErrKMSNotConfigured: {
Code: "NotImplemented", Code: "NotImplemented",
Description: "Server side encryption specified but KMS is not configured", Description: "Server side encryption specified but KMS is not configured",
@ -2392,7 +2392,7 @@ func toAPIError(ctx context.Context, err error) APIError {
} }
case lifecycle.Error: case lifecycle.Error:
apiErr = APIError{ apiErr = APIError{
Code: "InvalidRequest", Code: "InvalidArgument",
Description: e.Error(), Description: e.Error(),
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
} }

View File

@ -203,7 +203,7 @@ func setObjectHeaders(w http.ResponseWriter, objInfo ObjectInfo, rs *HTTPRangeSp
} }
// Set the relevant version ID as part of the response header. // Set the relevant version ID as part of the response header.
if objInfo.VersionID != "" { if objInfo.VersionID != "" && objInfo.VersionID != nullVersionID {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID} w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
} }

View File

@ -1199,6 +1199,16 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
return return
} }
if crypto.SSEC.IsRequested(r.Header) && crypto.S3.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && crypto.S3KMS.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) { if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL) writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL)
return return
@ -1370,7 +1380,7 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
w.Header()[xhttp.ETag] = []string{`"` + objInfo.ETag + `"`} w.Header()[xhttp.ETag] = []string{`"` + objInfo.ETag + `"`}
// Set the relevant version ID as part of the response header. // Set the relevant version ID as part of the response header.
if objInfo.VersionID != "" { if objInfo.VersionID != "" && objInfo.VersionID != nullVersionID {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID} w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
} }

View File

@ -179,7 +179,7 @@ func testBucketLifecycleHandlers(obj ObjectLayer, instanceType, bucketName strin
lifecycleResponse: []byte(``), lifecycleResponse: []byte(``),
errorResponse: APIErrorResponse{ errorResponse: APIErrorResponse{
Resource: SlashSeparator + bucketName + SlashSeparator, Resource: SlashSeparator + bucketName + SlashSeparator,
Code: "InvalidRequest", Code: "InvalidArgument",
Message: "Filter must have exactly one of Prefix, Tag, or And specified", Message: "Filter must have exactly one of Prefix, Tag, or And specified",
}, },
@ -196,7 +196,7 @@ func testBucketLifecycleHandlers(obj ObjectLayer, instanceType, bucketName strin
lifecycleResponse: []byte(``), lifecycleResponse: []byte(``),
errorResponse: APIErrorResponse{ errorResponse: APIErrorResponse{
Resource: SlashSeparator + bucketName + SlashSeparator, Resource: SlashSeparator + bucketName + SlashSeparator,
Code: "InvalidRequest", Code: "InvalidArgument",
Message: "Date must be provided in ISO 8601 format", Message: "Date must be provided in ISO 8601 format",
}, },

View File

@ -328,7 +328,7 @@ func setPutObjHeaders(w http.ResponseWriter, objInfo ObjectInfo, delete bool) {
} }
// Set the relevant version ID as part of the response header. // Set the relevant version ID as part of the response header.
if objInfo.VersionID != "" { if objInfo.VersionID != "" && objInfo.VersionID != nullVersionID {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID} w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
// If version is a deleted marker, set this header as well // If version is a deleted marker, set this header as well
if objInfo.DeleteMarker && delete { // only returned during delete object if objInfo.DeleteMarker && delete { // only returned during delete object

View File

@ -1831,6 +1831,16 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
return return
} }
if crypto.SSEC.IsRequested(r.Header) && crypto.S3.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && crypto.S3KMS.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) { if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL) writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL)
return return
@ -2849,7 +2859,7 @@ func (api objectAPIHandlers) GetObjectTaggingHandler(w http.ResponseWriter, r *h
return return
} }
if opts.VersionID != "" { if opts.VersionID != "" && opts.VersionID != nullVersionID {
w.Header()[xhttp.AmzVersionID] = []string{opts.VersionID} w.Header()[xhttp.AmzVersionID] = []string{opts.VersionID}
} }
@ -2942,7 +2952,7 @@ func (api objectAPIHandlers) PutObjectTaggingHandler(w http.ResponseWriter, r *h
scheduleReplication(ctx, objInfo.Clone(), objAPI, dsc, replication.MetadataReplicationType) scheduleReplication(ctx, objInfo.Clone(), objAPI, dsc, replication.MetadataReplicationType)
} }
if objInfo.VersionID != "" { if objInfo.VersionID != "" && objInfo.VersionID != nullVersionID {
w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID} w.Header()[xhttp.AmzVersionID] = []string{objInfo.VersionID}
} }
@ -3018,7 +3028,7 @@ func (api objectAPIHandlers) DeleteObjectTaggingHandler(w http.ResponseWriter, r
scheduleReplication(ctx, oi.Clone(), objAPI, dsc, replication.MetadataReplicationType) scheduleReplication(ctx, oi.Clone(), objAPI, dsc, replication.MetadataReplicationType)
} }
if oi.VersionID != "" { if oi.VersionID != "" && oi.VersionID != nullVersionID {
w.Header()[xhttp.AmzVersionID] = []string{oi.VersionID} w.Header()[xhttp.AmzVersionID] = []string{oi.VersionID}
} }
writeSuccessNoContent(w) writeSuccessNoContent(w)

View File

@ -102,6 +102,21 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
encMetadata := map[string]string{} encMetadata := map[string]string{}
if crypto.Requested(r.Header) { if crypto.Requested(r.Header) {
if crypto.SSECopy.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParameters), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && crypto.S3.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && crypto.S3KMS.IsRequested(r.Header) {
writeErrorResponse(ctx, w, toAPIError(ctx, crypto.ErrIncompatibleEncryptionMethod), r.URL)
return
}
if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) { if crypto.SSEC.IsRequested(r.Header) && isReplicationEnabled(ctx, bucket) {
writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL) writeErrorResponse(ctx, w, toAPIError(ctx, errInvalidEncryptionParametersSSEC), r.URL)
return return

View File

@ -33,7 +33,7 @@ import (
var ( var (
errLifecycleTooManyRules = Errorf("Lifecycle configuration allows a maximum of 1000 rules") errLifecycleTooManyRules = Errorf("Lifecycle configuration allows a maximum of 1000 rules")
errLifecycleNoRule = Errorf("Lifecycle configuration should have at least one rule") errLifecycleNoRule = Errorf("Lifecycle configuration should have at least one rule")
errLifecycleDuplicateID = Errorf("Lifecycle configuration has rule with the same ID. Rule ID must be unique.") errLifecycleDuplicateID = Errorf("Rule ID must be unique. Found same ID for more than one rule")
errXMLNotWellFormed = Errorf("The XML you provided was not well-formed or did not validate against our published schema") errXMLNotWellFormed = Errorf("The XML you provided was not well-formed or did not validate against our published schema")
) )