From d824db7f69c4f289ae59f5ae0eb86533eae807f7 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Wed, 10 Aug 2022 21:54:24 +0300
Subject: [PATCH] [#595] Allow SSE-C only with TLS

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
---
 api/handler/api.go              |  1 +
 api/handler/attributes.go       |  2 +-
 api/handler/copy.go             |  2 +-
 api/handler/get.go              |  2 +-
 api/handler/handlers_test.go    |  4 +++-
 api/handler/head.go             |  2 +-
 api/handler/multipart_upload.go | 10 +++++-----
 api/handler/put.go              |  9 +++++++--
 cmd/s3-gw/app.go                |  1 +
 9 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/api/handler/api.go b/api/handler/api.go
index c1e759b3..d3aa3f56 100644
--- a/api/handler/api.go
+++ b/api/handler/api.go
@@ -27,6 +27,7 @@ type (
 		DefaultPolicy      netmap.PlacementPolicy
 		DefaultMaxAge      int
 		NotificatorEnabled bool
+		TLSEnabled         bool
 	}
 )
 
diff --git a/api/handler/attributes.go b/api/handler/attributes.go
index c6d8eca5..e0837318 100644
--- a/api/handler/attributes.go
+++ b/api/handler/attributes.go
@@ -94,7 +94,7 @@ func (h *handler) GetObjectAttributesHandler(w http.ResponseWriter, r *http.Requ
 	}
 	info := extendedInfo.ObjectInfo
 
-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
diff --git a/api/handler/copy.go b/api/handler/copy.go
index 3f7803a8..7b46d9f3 100644
--- a/api/handler/copy.go
+++ b/api/handler/copy.go
@@ -96,7 +96,7 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
diff --git a/api/handler/get.go b/api/handler/get.go
index b4d6e682..0cb7393f 100644
--- a/api/handler/get.go
+++ b/api/handler/get.go
@@ -150,7 +150,7 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
diff --git a/api/handler/handlers_test.go b/api/handler/handlers_test.go
index e6b6fd9c..25065432 100644
--- a/api/handler/handlers_test.go
+++ b/api/handler/handlers_test.go
@@ -71,7 +71,9 @@ func prepareHandlerContext(t *testing.T) *handlerContext {
 	h := &handler{
 		log: l,
 		obj: layer.NewLayer(l, tp, layerCfg),
-		cfg: &Config{},
+		cfg: &Config{
+			TLSEnabled: true,
+		},
 	}
 
 	return &handlerContext{
diff --git a/api/handler/head.go b/api/handler/head.go
index 49538607..5b22c341 100644
--- a/api/handler/head.go
+++ b/api/handler/head.go
@@ -53,7 +53,7 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	info := extendedInfo.ObjectInfo
 
-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
diff --git a/api/handler/multipart_upload.go b/api/handler/multipart_upload.go
index dcb2b5b9..db6f3d48 100644
--- a/api/handler/multipart_upload.go
+++ b/api/handler/multipart_upload.go
@@ -137,7 +137,7 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 		}
 	}
 
-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@@ -220,7 +220,7 @@ func (h *handler) UploadPartHandler(w http.ResponseWriter, r *http.Request) {
 		Reader:     r.Body,
 	}
 
-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@@ -321,7 +321,7 @@ func (h *handler) UploadPartCopy(w http.ResponseWriter, r *http.Request) {
 		Range:      srcRange,
 	}
 
-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@@ -558,7 +558,7 @@ func (h *handler) ListPartsHandler(w http.ResponseWriter, r *http.Request) {
 		PartNumberMarker: partNumberMarker,
 	}
 
-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@@ -593,7 +593,7 @@ func (h *handler) AbortMultipartUploadHandler(w http.ResponseWriter, r *http.Req
 		Key:      reqInfo.ObjectName,
 	}
 
-	p.Encryption, err = formEncryptionParams(r.Header)
+	p.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
diff --git a/api/handler/put.go b/api/handler/put.go
index 3741f836..182f7ea7 100644
--- a/api/handler/put.go
+++ b/api/handler/put.go
@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/xml"
+	errorsStd "errors"
 	"fmt"
 	"io"
 	"net"
@@ -210,7 +211,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 		metadata[api.Expires] = expires
 	}
 
-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@@ -296,7 +297,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 	api.WriteSuccessResponseHeadersOnly(w)
 }
 
-func formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {
+func (h handler) formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {
 	sseCustomerAlgorithm := header.Get(api.AmzServerSideEncryptionCustomerAlgorithm)
 	sseCustomerKey := header.Get(api.AmzServerSideEncryptionCustomerKey)
 	sseCustomerKeyMD5 := header.Get(api.AmzServerSideEncryptionCustomerKeyMD5)
@@ -305,6 +306,10 @@ func formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err e
 		return
 	}
 
+	if !h.cfg.TLSEnabled {
+		return enc, errorsStd.New("encryption available only when TLS is enabled")
+	}
+
 	if sseCustomerAlgorithm != layer.AESEncryptionAlgorithm {
 		return enc, errors.GetAPIError(errors.ErrInvalidEncryptionAlgorithm)
 	}
diff --git a/cmd/s3-gw/app.go b/cmd/s3-gw/app.go
index 039e1a62..fe93bc24 100644
--- a/cmd/s3-gw/app.go
+++ b/cmd/s3-gw/app.go
@@ -419,6 +419,7 @@ func getHandlerOptions(v *viper.Viper, l *zap.Logger) *handler.Config {
 
 	cfg.DefaultMaxAge = defaultMaxAge
 	cfg.NotificatorEnabled = v.GetBool(cfgEnableNATS)
+	cfg.TLSEnabled = v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile)
 
 	return &cfg
 }