/* * Minio Cloud Storage, (C) 2017 Minio, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package cmd import ( "bytes" "net/http" "testing" ) var isSSECustomerRequestTests = []struct { headers map[string]string sseRequest bool }{ {headers: map[string]string{SSECustomerAlgorithm: "AES256", SSECustomerKey: "key", SSECustomerKeyMD5: "md5"}, sseRequest: true}, // 0 {headers: map[string]string{SSECustomerAlgorithm: "AES256"}, sseRequest: true}, // 1 {headers: map[string]string{SSECustomerKey: "key"}, sseRequest: true}, // 2 {headers: map[string]string{SSECustomerKeyMD5: "md5"}, sseRequest: true}, // 3 {headers: map[string]string{}, sseRequest: false}, // 4 {headers: map[string]string{SSECustomerAlgorithm + " ": "AES256", " " + SSECustomerKey: "key", SSECustomerKeyMD5 + " ": "md5"}, sseRequest: false}, // 5 {headers: map[string]string{SSECustomerAlgorithm: "", SSECustomerKey: "", SSECustomerKeyMD5: ""}, sseRequest: false}, // 6 } func TestIsSSECustomerRequest(t *testing.T) { for i, test := range isSSECustomerRequestTests { headers := http.Header{} for k, v := range test.headers { headers.Set(k, v) } if IsSSECustomerRequest(headers) != test.sseRequest { t.Errorf("Test %d: Expected IsSSECustomerRequest to return %v", i, test.sseRequest) } } } var parseSSECustomerRequestTests = []struct { headers map[string]string useTLS bool err error }{ { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", // 0 SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, useTLS: true, err: nil, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", // 1 SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, useTLS: false, err: errInsecureSSERequest, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES 256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", // 2 SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, useTLS: true, err: errInvalidSSEAlgorithm, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "NjE0SL87s+ZhYtaTrg5eI5cjhCQLGPVMKenPG2bCJFw=", // 3 SSECustomerKeyMD5: "H+jq/LwEOEO90YtiTuNFVw==", }, useTLS: true, err: errSSEKeyMD5Mismatch, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: " jE0SL87s+ZhYtaTrg5eI5cjhCQLGPVMKenPG2bCJFw=", // 4 SSECustomerKeyMD5: "H+jq/LwEOEO90YtiTuNFVw==", }, useTLS: true, err: errInvalidSSEKey, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "NjE0SL87s+ZhYtaTrg5eI5cjhCQLGPVMKenPG2bCJFw=", // 5 SSECustomerKeyMD5: " +jq/LwEOEO90YtiTuNFVw==", }, useTLS: true, err: errSSEKeyMD5Mismatch, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "vFQ9ScFOF6Tu/BfzMS+rVMvlZGJHi5HmGJenJfrfKI45", // 6 SSECustomerKeyMD5: "9KPgDdZNTHimuYCwnJTp5g==", }, useTLS: true, err: errInvalidSSEKey, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "", // 7 SSECustomerKeyMD5: "9KPgDdZNTHimuYCwnJTp5g==", }, useTLS: true, err: errMissingSSEKey, }, { headers: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "vFQ9ScFOF6Tu/BfzMS+rVMvlZGJHi5HmGJenJfrfKI45", // 8 SSECustomerKeyMD5: "", }, useTLS: true, err: errMissingSSEKeyMD5, }, } func TestParseSSECustomerRequest(t *testing.T) { defer func(flag bool) { globalIsSSL = flag }(globalIsSSL) for i, test := range parseSSECustomerRequestTests { headers := http.Header{} for k, v := range test.headers { headers.Set(k, v) } request := &http.Request{} request.Header = headers globalIsSSL = test.useTLS _, err := ParseSSECustomerRequest(request) if err != test.err { t.Errorf("Test %d: Parse returned: %v want: %v", i, err, test.err) } key := request.Header.Get(SSECustomerKey) if (err == nil || err == errSSEKeyMD5Mismatch) && key != "" { t.Errorf("Test %d: Client key survived parsing - found key: %v", i, key) } } } var encryptedSizeTests = []struct { size, encsize int64 }{ {size: 0, encsize: 0}, // 0 {size: 1, encsize: 33}, // 1 {size: 1024, encsize: 1024 + 32}, // 2 {size: 2 * 64 * 1024, encsize: 2 * (64*1024 + 32)}, // 3 {size: 100*64*1024 + 1, encsize: 100*(64*1024+32) + 33}, // 4 {size: 64*1024 + 1, encsize: (64*1024 + 32) + 33}, // 5 {size: 5 * 1024 * 1024 * 1024, encsize: 81920 * (64*1024 + 32)}, // 6 } func TestEncryptedSize(t *testing.T) { for i, test := range encryptedSizeTests { objInfo := ObjectInfo{Size: test.size} if size := objInfo.EncryptedSize(); test.encsize != size { t.Errorf("Test %d: got encrypted size: #%d want: #%d", i, size, test.encsize) } } } var decryptSSECustomerObjectInfoTests = []struct { encsize, size int64 err error }{ {encsize: 0, size: 0, err: nil}, // 0 {encsize: 33, size: 1, err: nil}, // 1 {encsize: 1024 + 32, size: 1024, err: nil}, // 2 {encsize: 2 * (64*1024 + 32), size: 2 * 64 * 1024, err: nil}, // 3 {encsize: 100*(64*1024+32) + 33, size: 100*64*1024 + 1, err: nil}, // 4 {encsize: (64*1024 + 32) + 33, size: 64*1024 + 1, err: nil}, // 5 {encsize: 81920 * (64*1024 + 32), size: 5 * 1024 * 1024 * 1024, err: nil}, // 6 {encsize: 0, size: 0, err: nil}, // 7 {encsize: 64*1024 + 32 + 31, size: 0, err: errObjectTampered}, // 8 } func TestDecryptedSize(t *testing.T) { for i, test := range decryptSSECustomerObjectInfoTests { objInfo := ObjectInfo{Size: test.encsize} objInfo.UserDefined = map[string]string{ ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256, } size, err := objInfo.DecryptedSize() if err != test.err || (size != test.size && err == nil) { t.Errorf("Test %d: decryption returned: %v want: %v", i, err, test.err) } if err == nil && size != test.size { t.Errorf("Test %d: got decrypted size: #%d want: #%d", i, size, test.size) } } } var encryptRequestTests = []struct { header map[string]string metadata map[string]string }{ { header: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, metadata: map[string]string{}, }, { header: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, metadata: map[string]string{ SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", }, }, } func TestEncryptRequest(t *testing.T) { defer func(flag bool) { globalIsSSL = flag }(globalIsSSL) globalIsSSL = true for i, test := range encryptRequestTests { content := bytes.NewReader(make([]byte, 64)) req := &http.Request{Header: http.Header{}} for k, v := range test.header { req.Header.Set(k, v) } _, err := EncryptRequest(content, req, test.metadata) if err != nil { t.Fatalf("Test %d: Failed to encrypt request: %v", i, err) } if key, ok := test.metadata[SSECustomerKey]; ok { t.Errorf("Test %d: Client provided key survived in metadata - key: %s", i, key) } if kdf, ok := test.metadata[ServerSideEncryptionKDF]; !ok { t.Errorf("Test %d: ServerSideEncryptionKDF must be part of metadata: %v", i, kdf) } if iv, ok := test.metadata[ServerSideEncryptionIV]; !ok { t.Errorf("Test %d: ServerSideEncryptionIV must be part of metadata: %v", i, iv) } if mac, ok := test.metadata[ServerSideEncryptionKeyMAC]; !ok { t.Errorf("Test %d: ServerSideEncryptionKeyMAC must be part of metadata: %v", i, mac) } } } var decryptRequestTests = []struct { header map[string]string metadata map[string]string shouldFail bool }{ { header: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, metadata: map[string]string{ ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256, ServerSideEncryptionIV: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", ServerSideEncryptionKeyMAC: "SY5E9AvI2tI7/nUrUAssIGE32Hcs4rR9z/CUuPqu5N4=", }, shouldFail: false, }, { header: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, metadata: map[string]string{ ServerSideEncryptionKDF: "HMAC-SHA3", ServerSideEncryptionIV: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", ServerSideEncryptionKeyMAC: "SY5E9AvI2tI7/nUrUAssIGE32Hcs4rR9z/CUuPqu5N4=", }, shouldFail: true, }, { header: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, metadata: map[string]string{ ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256, ServerSideEncryptionIV: "RrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", ServerSideEncryptionKeyMAC: "SY5E9AvI2tI7/nUrUAssIGE32Hcs4rR9z/CUuPqu5N4=", }, shouldFail: true, }, { header: map[string]string{ SSECustomerAlgorithm: "AES256", SSECustomerKey: "XAm0dRrJsEsyPb1UuFNezv1bl9hxuYsgUVC/MUctE2k=", SSECustomerKeyMD5: "bY4wkxQejw9mUJfo72k53A==", }, metadata: map[string]string{ ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256, ServerSideEncryptionIV: "XAm0dRrJsEsyPb1UuFNezv1bl9ehxuYsgUVC/MUctE2k=", ServerSideEncryptionKeyMAC: "SY5E9AvI2tI7/nUrUAssIGE32Hds4rR9z/CUuPqu5N4=", }, shouldFail: true, }, } func TestDecryptRequest(t *testing.T) { defer func(flag bool) { globalIsSSL = flag }(globalIsSSL) globalIsSSL = true for i, test := range decryptRequestTests { client := bytes.NewBuffer(nil) req := &http.Request{Header: http.Header{}} for k, v := range test.header { req.Header.Set(k, v) } _, err := DecryptRequest(client, req, test.metadata) if err != nil && !test.shouldFail { t.Fatalf("Test %d: Failed to encrypt request: %v", i, err) } if key, ok := test.metadata[SSECustomerKey]; ok { t.Errorf("Test %d: Client provided key survived in metadata - key: %s", i, key) } if kdf, ok := test.metadata[ServerSideEncryptionKDF]; ok && !test.shouldFail { t.Errorf("Test %d: ServerSideEncryptionKDF should not be part of metadata: %v", i, kdf) } if iv, ok := test.metadata[ServerSideEncryptionIV]; ok && !test.shouldFail { t.Errorf("Test %d: ServerSideEncryptionIV should not be part of metadata: %v", i, iv) } if mac, ok := test.metadata[ServerSideEncryptionKeyMAC]; ok && !test.shouldFail { t.Errorf("Test %d: ServerSideEncryptionKeyMAC should not be part of metadata: %v", i, mac) } } } var decryptObjectInfoTests = []struct { info ObjectInfo headers http.Header expErr APIErrorCode }{ { info: ObjectInfo{Size: 100}, headers: http.Header{}, expErr: ErrNone, }, { info: ObjectInfo{Size: 100, UserDefined: map[string]string{ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256}}, headers: http.Header{SSECustomerAlgorithm: []string{SSECustomerAlgorithmAES256}}, expErr: ErrNone, }, { info: ObjectInfo{Size: 0, UserDefined: map[string]string{ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256}}, headers: http.Header{SSECustomerAlgorithm: []string{SSECustomerAlgorithmAES256}}, expErr: ErrNone, }, { info: ObjectInfo{Size: 100, UserDefined: map[string]string{ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256}}, headers: http.Header{}, expErr: ErrSSEEncryptedObject, }, { info: ObjectInfo{Size: 100, UserDefined: map[string]string{}}, headers: http.Header{SSECustomerAlgorithm: []string{SSECustomerAlgorithmAES256}}, expErr: ErrInvalidEncryptionParameters, }, { info: ObjectInfo{Size: 31, UserDefined: map[string]string{ServerSideEncryptionKDF: SSEKeyDerivationHmacSha256}}, headers: http.Header{SSECustomerAlgorithm: []string{SSECustomerAlgorithmAES256}}, expErr: ErrObjectTampered, }, } func TestDecryptObjectInfo(t *testing.T) { for i, test := range decryptObjectInfoTests { if err, encrypted := DecryptObjectInfo(&test.info, test.headers); err != test.expErr { t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr) } else if enc := test.info.IsEncrypted(); encrypted && enc != encrypted { t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i) } else if !encrypted && enc != encrypted { t.Errorf("Test %d: Decryption thinks object is not encrypted but it is", i) } } }