[#217] Consider Copy-Source-SSE-* headers during copy

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
2023-10-19 17:22:26 +03:00 · 2023-10-19 17:22:26 +03:00 · fe796ba538
commit fe796ba538
parent 5ee73fad6a
15 changed files with 355 additions and 55 deletions
--- a/api/handler/put.go
+++ b/api/handler/put.go
@ -6,7 +6,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/xml"
-	errorsStd "errors"
 	"fmt"
 	"io"
 	"net"
@ -376,16 +375,38 @@ func (h *handler) getBodyReader(r *http.Request) (io.ReadCloser, error) {
 }

 func formEncryptionParams(r *http.Request) (enc encryption.Params, err error) {
-	sseCustomerAlgorithm := r.Header.Get(api.AmzServerSideEncryptionCustomerAlgorithm)
-	sseCustomerKey := r.Header.Get(api.AmzServerSideEncryptionCustomerKey)
-	sseCustomerKeyMD5 := r.Header.Get(api.AmzServerSideEncryptionCustomerKeyMD5)
+	return formEncryptionParamsBase(r, false)
+}
+
+func formCopySourceEncryptionParams(r *http.Request) (enc encryption.Params, err error) {
+	return formEncryptionParamsBase(r, true)
+}
+
+func formEncryptionParamsBase(r *http.Request, isCopySource bool) (enc encryption.Params, err error) {
+	var sseCustomerAlgorithm, sseCustomerKey, sseCustomerKeyMD5 string
+	if isCopySource {
+		sseCustomerAlgorithm = r.Header.Get(api.AmzCopySourceServerSideEncryptionCustomerAlgorithm)
+		sseCustomerKey = r.Header.Get(api.AmzCopySourceServerSideEncryptionCustomerKey)
+		sseCustomerKeyMD5 = r.Header.Get(api.AmzCopySourceServerSideEncryptionCustomerKeyMD5)
+	} else {
+		sseCustomerAlgorithm = r.Header.Get(api.AmzServerSideEncryptionCustomerAlgorithm)
+		sseCustomerKey = r.Header.Get(api.AmzServerSideEncryptionCustomerKey)
+		sseCustomerKeyMD5 = r.Header.Get(api.AmzServerSideEncryptionCustomerKeyMD5)
+	}

 	if len(sseCustomerAlgorithm) == 0 && len(sseCustomerKey) == 0 && len(sseCustomerKeyMD5) == 0 {
 		return
 	}

 	if r.TLS == nil {
-		return enc, errorsStd.New("encryption available only when TLS is enabled")
+		return enc, errors.GetAPIError(errors.ErrInsecureSSECustomerRequest)
+	}
+
+	if len(sseCustomerKey) > 0 && len(sseCustomerAlgorithm) == 0 {
+		return enc, errors.GetAPIError(errors.ErrMissingSSECustomerAlgorithm)
+	}
+	if len(sseCustomerAlgorithm) > 0 && len(sseCustomerKey) == 0 {
+		return enc, errors.GetAPIError(errors.ErrMissingSSECustomerKey)
 	}

 	if sseCustomerAlgorithm != layer.AESEncryptionAlgorithm {
@ -394,10 +415,16 @@ func formEncryptionParams(r *http.Request) (enc encryption.Params, err error) {

 	key, err := base64.StdEncoding.DecodeString(sseCustomerKey)
 	if err != nil {
+		if isCopySource {
+			return enc, errors.GetAPIError(errors.ErrInvalidSSECustomerParameters)
+		}
 		return enc, errors.GetAPIError(errors.ErrInvalidSSECustomerKey)
 	}

 	if len(key) != layer.AESKeySize {
+		if isCopySource {
+			return enc, errors.GetAPIError(errors.ErrInvalidSSECustomerParameters)
+		}
 		return enc, errors.GetAPIError(errors.ErrInvalidSSECustomerKey)
 	}