[#562] Support TLS termination header for SSE-C #566

r.loginov · 2024-12-03T12:52:36Z

r.loginov commented

2024-12-03 12:52:36 +00:00

close #562

Added the ability to specify a header that is used to indicate that TLS has been completed at the proxy level.
The default header name is X-Frostfs-TLS-Termination.

close #562 Added the ability to specify a header that is used to indicate that TLS has been completed at the proxy level. The default header name is `X-Frostfs-TLS-Termination`.

r.loginov self-assigned this 2024-12-03 12:52:36 +00:00

r.loginov added 1 commit 2024-12-03 12:52:37 +00:00

[#562 ] Support TLS termination header for SSE-C

/ DCO (pull_request) Successful in 2m6s

Details

/ Vulncheck (pull_request) Successful in 2m20s

Details

/ Builds (pull_request) Successful in 2m4s

Details

/ Lint (pull_request) Successful in 3m8s

Details

/ Tests (pull_request) Successful in 2m6s

Details

56025dab9f

The TLS termination header added for determining
whether TLS needs to be checked. If the system
requests come through a proxy server and TLS can
terminate at the proxy level, you should use this
header to disable TLS verification at SSE-C.

Signed-off-by: Roman Loginov <r.loginov@yadro.com>

r.loginov requested review from alexvanin 2024-12-03 12:52:37 +00:00

r.loginov requested review from dkirillov 2024-12-03 12:52:37 +00:00

r.loginov removed review request for dkirillov 2024-12-03 12:52:43 +00:00

r.loginov removed review request for alexvanin 2024-12-03 12:52:44 +00:00

r.loginov reviewed 2024-12-03 13:03:42 +00:00

api/handler/put.go Outdated

					
				@ -362,3 +362,3 @@

				}

				func formEncryptionParamsBase(r *http.Request, isCopySource bool) (enc encryption.Params, err error) {

				func (h *handler) formEncryptionParamsBase(r *http.Request, isCopySource bool) (enc encryption.Params, err error) {

r.loginov commented

2024-12-03 13:03:16 +00:00

question: At the moment, I have not found any tests for the formEncryptionParamsBase function. Should I add them?

question: At the moment, I have not found any tests for the `formEncryptionParamsBase` function. Should I add them?

alexvanin commented

2024-12-03 14:43:02 +00:00

Any correct tests are appreciated :)

👍 1

r.loginov marked this conversation as resolved

api/handler/put.go Outdated

					
				@ -381,0 +381,4 @@

					if tlsTerminationStr := r.Header.Get(h.cfg.TLSTerminationHeader()); len(tlsTerminationStr) > 0 {

						tlsTermination, err := strconv.ParseBool(tlsTerminationStr)

						if err != nil {

							h.reqLogger(r.Context()).Warn(logs.WarnInvalidTypeTLSTerminationHeader, zap.Error(err))

r.loginov commented

2024-12-03 13:03:20 +00:00

I'm not completely sure that you should just output a warning here, maybe you should return an error here after all.
On the one hand, there is an incorrect header from outside. On the other hand, this is not an SEC error in the context of AWS S3.

I'm not completely sure that you should just output a warning here, maybe you should return an error here after all. On the one hand, there is an incorrect header from outside. On the other hand, this is not an SEC error in the context of AWS S3.

dkirillov commented

2024-12-04 13:31:10 +00:00

I suppose warning is enough. But can we also log tlsTerminationStr?

I suppose warning is enough. But can we also log `tlsTerminationStr`?

👍 1

dkirillov marked this conversation as resolved

r.loginov requested review from alexvanin 2024-12-03 13:04:52 +00:00

r.loginov requested review from dkirillov 2024-12-03 13:04:53 +00:00

r.loginov requested review from pogpp 2024-12-03 13:04:55 +00:00

r.loginov requested review from mbiryukova 2024-12-03 13:04:56 +00:00

r.loginov requested review from nzinkevich 2024-12-03 13:04:57 +00:00

r.loginov force-pushed feature/562-support_tls_termination from 56025dab9f to dea857cda8

2024-12-04 10:53:08 +00:00

Compare

dkirillov approved these changes 2024-12-04 13:31:34 +00:00

Dismissed

dkirillov left a comment

LGTM

docs/configuration.md Outdated

					
				@ -196,6 +196,7 @@ There are some custom types used for brevity:

				| `containers`       | [Containers configuration](#containers-section)                |

				| `vhs`              | [VHS configuration](#vhs-section)                              |

				| `multinet`         | [Multinet configuration](#multinet-section)                    |

				| `sse_c`            | [SSE-C configuration](#sse_c-section)                          |

dkirillov commented

2024-12-04 13:27:49 +00:00

I would use different section name. Maybe encryption or tls something like that. sse_c name too specific I suppose

I would use different section name. Maybe `encryption` or `tls` something like that. `sse_c` name too specific I suppose

👍 1

dkirillov marked this conversation as resolved

r.loginov force-pushed feature/562-support_tls_termination from dea857cda8 to efde9fe2e7

2024-12-04 15:01:47 +00:00

Compare

r.loginov dismissed dkirillov's review 2024-12-04 15:01:47 +00:00

Reason:

New commits pushed, approval review dismissed automatically according to repository settings

dkirillov approved these changes 2024-12-06 06:31:32 +00:00

Dismissed

mbiryukova approved these changes 2024-12-06 10:31:58 +00:00

Dismissed

pogpp approved these changes 2024-12-06 13:41:00 +00:00

Dismissed

nzinkevich reviewed 2024-12-09 06:36:54 +00:00

api/handler/put_test.go Outdated

					
				@ -637,0 +789,4 @@

					}

				}

				func prepareRequestForEnctyption(algo, key, md5, tlsTermination string, reqWithoutTLS, reqWithoutSSE, isCopySource bool) *http.Request {