From d824db7f69c4f289ae59f5ae0eb86533eae807f7 Mon Sep 17 00:00:00 2001
From: Denis Kirillov
Date: Wed, 10 Aug 2022 21:54:24 +0300
Subject: [PATCH] [#595] Allow SSE-C only with TLS
Signed-off-by: Denis Kirillov
---
 api/handler/api.go | 1 +
 api/handler/attributes.go | 2 +-
 api/handler/copy.go | 2 +-
 api/handler/get.go | 2 +-
 api/handler/handlers_test.go | 4 +++-
 api/handler/head.go | 2 +-
 api/handler/multipart_upload.go | 10 +++++-----
 api/handler/put.go | 9 +++++++--
 cmd/s3-gw/app.go | 1 +
 9 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/api/handler/api.go b/api/handler/api.go
index c1e759b31..d3aa3f56d 100644
--- a/api/handler/api.go
+++ b/api/handler/api.go
@@ -27,6 +27,7 @@ type (
 DefaultPolicy netmap.PlacementPolicy
 DefaultMaxAge int
 NotificatorEnabled bool
+ TLSEnabled bool
 }
 )
diff --git a/api/handler/attributes.go b/api/handler/attributes.go
index c6d8eca51..e0837318f 100644
--- a/api/handler/attributes.go
+++ b/api/handler/attributes.go
@@ -94,7 +94,7 @@ func (h *handler) GetObjectAttributesHandler(w http.ResponseWriter, r *http.Requ
 }
 info := extendedInfo.ObjectInfo
- encryption, err := formEncryptionParams(r.Header)
+ encryption, err := h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
diff --git a/api/handler/copy.go b/api/handler/copy.go
index 3f7803a81..7b46d9f33 100644
--- a/api/handler/copy.go
+++ b/api/handler/copy.go
@@ -96,7 +96,7 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
- encryption, err := formEncryptionParams(r.Header)
+ encryption, err := h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
diff --git a/api/handler/get.go b/api/handler/get.go
index b4d6e6820..0cb7393f7 100644
--- a/api/handler/get.go
+++ b/api/handler/get.go
@@ -150,7 +150,7 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
- encryption, err := formEncryptionParams(r.Header)
+ encryption, err := h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
diff --git a/api/handler/handlers_test.go b/api/handler/handlers_test.go
index e6b6fd9cc..250654325 100644
--- a/api/handler/handlers_test.go
+++ b/api/handler/handlers_test.go
@@ -71,7 +71,9 @@ func prepareHandlerContext(t *testing.T) *handlerContext {
 h := &handler{
 log: l,
 obj: layer.NewLayer(l, tp, layerCfg),
- cfg: &Config{},
+ cfg: &Config{
+ TLSEnabled: true,
+ },
 }
 return &handlerContext{
diff --git a/api/handler/head.go b/api/handler/head.go
index 495386078..5b22c341a 100644
--- a/api/handler/head.go
+++ b/api/handler/head.go
@@ -53,7 +53,7 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 }
 info := extendedInfo.ObjectInfo
- encryption, err := formEncryptionParams(r.Header)
+ encryption, err := h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
diff --git a/api/handler/multipart_upload.go b/api/handler/multipart_upload.go
index dcb2b5b99..db6f3d484 100644
--- a/api/handler/multipart_upload.go
+++ b/api/handler/multipart_upload.go
@@ -137,7 +137,7 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 }
 }
- p.Info.Encryption, err = formEncryptionParams(r.Header)
+ p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
@@ -220,7 +220,7 @@ func (h *handler) UploadPartHandler(w http.ResponseWriter, r *http.Request) {
 Reader: r.Body,
 }
- p.Info.Encryption, err = formEncryptionParams(r.Header)
+ p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
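Review bot: The `prepareHandlerContext` fixture in api/handler/handlers_test.go now sets `TLSEnabled: true` for every test, so the rejection branch this commit adds to `formEncryptionParams` is never exercised. A test that builds the handler with `cfg: &Config{TLSEnabled: false}`, sends a request carrying the SSE-C headers and asserts that it is refused would pin the control; as it stands, a later change that drops or inverts the check would still pass the suite. The fixture function continues past the end of the hunk.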
@@ -321,7 +321,7 @@ func (h *handler) UploadPartCopy(w http.ResponseWriter, r *http.Request) {
 Range: srcRange,
 }
- p.Info.Encryption, err = formEncryptionParams(r.Header)
+ p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
@@ -558,7 +558,7 @@ func (h *handler) ListPartsHandler(w http.ResponseWriter, r *http.Request) {
 PartNumberMarker: partNumberMarker,
 }
- p.Info.Encryption, err = formEncryptionParams(r.Header)
+ p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
@@ -593,7 +593,7 @@ func (h *handler) AbortMultipartUploadHandler(w http.ResponseWriter, r *http.Req
 Key: reqInfo.ObjectName,
 }
- p.Encryption, err = formEncryptionParams(r.Header)
+ p.Encryption, err = h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
diff --git a/api/handler/put.go b/api/handler/put.go
index 3741f836a..182f7ea71 100644
--- a/api/handler/put.go
+++ b/api/handler/put.go
@@ -6,6 +6,7 @@ import (
 "encoding/base64"
 "encoding/json"
 "encoding/xml"
+ errorsStd "errors"
 "fmt"
 "io"
 "net"
@@ -210,7 +211,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 metadata[api.Expires] = expires
 }
- encryption, err := formEncryptionParams(r.Header)
+ encryption, err := h.formEncryptionParams(r.Header)
 if err != nil {
 h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 return
@@ -296,7 +297,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 api.WriteSuccessResponseHeadersOnly(w)
 }
-func formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {
+func (h handler) formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {
 sseCustomerAlgorithm := header.Get(api.AmzServerSideEncryptionCustomerAlgorithm)
 sseCustomerKey := header.Get(api.AmzServerSideEncryptionCustomerKey)
 sseCustomerKeyMD5 := header.Get(api.AmzServerSideEncryptionCustomerKeyMD5)
@@ -305,6 +306,10 @@ func formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err e
 return
 }
+ if !h.cfg.TLSEnabled {
+ return enc, errorsStd.New("encryption available only when TLS is enabled")
+ }
+
 if sseCustomerAlgorithm != layer.AESEncryptionAlgorithm {
 return enc, errors.GetAPIError(errors.ErrInvalidEncryptionAlgorithm)
 }
diff --git a/cmd/s3-gw/app.go b/cmd/s3-gw/app.go
index 039e1a626..fe93bc240 100644
--- a/cmd/s3-gw/app.go
+++ b/cmd/s3-gw/app.go
@@ -419,6 +419,7 @@ func getHandlerOptions(v *viper.Viper, l *zap.Logger) *handler.Config {
 cfg.DefaultMaxAge = defaultMaxAge
 cfg.NotificatorEnabled = v.GetBool(cfgEnableNATS)
+ cfg.TLSEnabled = v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile)
 return &cfg
 }
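Review bot: `formEncryptionParams` is declared with a value receiver, `func (h handler)`, while every other handler method visible in this patch uses `*handler`, so each call copies the handler struct and the type ends up with mixed receiver kinds. Suggest `func (h *handler) formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {`. A one-line doc comment stating that SSE-C headers are refused unless the gateway is configured for TLS would also help, since the method name gives no hint of that policy. The function body continues in the next hunk and past it.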
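Review bot: The guard added in the `@@ -305,6 +306,10 @@` hunk returns a bare `errorsStd.New(...)`, whereas the algorithm check right below it returns `errors.GetAPIError(errors.ErrInvalidEncryptionAlgorithm)`; depending on how `logAndSendError` maps non-API errors (not visible here), the client probably gets a generic internal error instead of a 4xx saying that SSE-C needs HTTPS. Returning an API error with a dedicated code, e.g. `return enc, errors.GetAPIError(errors.<ErrSSECRequiresTLS>)` (placeholder name, to be added to the project's error table), keeps the response well-formed for S3 clients. Note also that the check reads gateway configuration, not the request: the method receives only `r.Header` and cannot see `r.TLS`, so it holds only as long as a configured TLS listener is the sole way a request can reach the handlers, and it refuses SSE-C outright when TLS is terminated by a proxy in front of the gateway. The function starts before this hunk and continues after it.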
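Review bot: `cfg.TLSEnabled` in `getHandlerOptions` is derived from `v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile)`, and viper's `IsSet` reports that a key is present, not that its value is usable, so a configuration that carries those keys with empty values would likely mark TLS as enabled while the server listens in plaintext, letting SSE-C customer keys travel over HTTP again. Comparing the values is stricter: `cfg.TLSEnabled = v.GetString(cfgTLSKeyFile) != "" && v.GetString(cfgTLSCertFile) != ""`. Better still would be to reuse whatever condition the listener setup uses to decide to serve TLS (not visible in this hunk), so the flag and the actual transport cannot drift apart. `getHandlerOptions` starts before the hunk.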