registry/storage/driver/s3-aws kms support

Signed-off-by: Matt Duch <matt@learnmetrics.com>
This commit is contained in:
Matt Duch 2016-03-09 18:52:59 -06:00
parent 4c2edee417
commit 789c90ac42
2 changed files with 25 additions and 1 deletions


@ -60,6 +60,7 @@ type DriverParameters struct {
Region string Region string
RegionEndpoint string RegionEndpoint string
Encrypt bool Encrypt bool
KeyID string
Secure bool Secure bool
ChunkSize int64 ChunkSize int64
RootDirectory string RootDirectory string
@ -100,6 +101,7 @@ type driver struct {
Bucket string Bucket string
ChunkSize int64 ChunkSize int64
Encrypt bool Encrypt bool
KeyID string
RootDirectory string RootDirectory string
StorageClass string StorageClass string
} }
@ -188,6 +190,11 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
return nil, fmt.Errorf("The secure parameter should be a boolean") return nil, fmt.Errorf("The secure parameter should be a boolean")
} }
keyID := parameters["keyid"]
if keyID == nil {
keyID = ""
}
chunkSize := int64(defaultChunkSize) chunkSize := int64(defaultChunkSize)
chunkSizeParam := parameters["chunksize"] chunkSizeParam := parameters["chunksize"]
switch v := chunkSizeParam.(type) { switch v := chunkSizeParam.(type) {
@ -243,6 +250,7 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
region, region,
fmt.Sprint(regionEndpoint), fmt.Sprint(regionEndpoint),
encryptBool, encryptBool,
fmt.Sprint(keyID),
secureBool, secureBool,
chunkSize, chunkSize,
fmt.Sprint(rootDirectory), fmt.Sprint(rootDirectory),
@ -317,6 +325,7 @@ func New(params DriverParameters) (*Driver, error) {
Bucket: params.Bucket, Bucket: params.Bucket,
ChunkSize: params.ChunkSize, ChunkSize: params.ChunkSize,
Encrypt: params.Encrypt, Encrypt: params.Encrypt,
KeyID: params.KeyID,
RootDirectory: params.RootDirectory, RootDirectory: params.RootDirectory,
StorageClass: params.StorageClass, StorageClass: params.StorageClass,
} }
@ -353,6 +362,7 @@ func (d *driver) PutContent(ctx context.Context, path string, contents []byte) e
ContentType: d.getContentType(), ContentType: d.getContentType(),
ACL: d.getACL(), ACL: d.getACL(),
ServerSideEncryption: d.getEncryptionMode(), ServerSideEncryption: d.getEncryptionMode(),
SSEKMSKeyId: d.getSSEKMSKeyID(),
StorageClass: d.getStorageClass(), StorageClass: d.getStorageClass(),
Body: bytes.NewReader(contents), Body: bytes.NewReader(contents),
}) })
@ -390,6 +400,7 @@ func (d *driver) Writer(ctx context.Context, path string, append bool) (storaged
ContentType: d.getContentType(), ContentType: d.getContentType(),
ACL: d.getACL(), ACL: d.getACL(),
ServerSideEncryption: d.getEncryptionMode(), ServerSideEncryption: d.getEncryptionMode(),
SSEKMSKeyId: d.getSSEKMSKeyID(),
StorageClass: d.getStorageClass(), StorageClass: d.getStorageClass(),
}) })
if err != nil { if err != nil {
@ -534,6 +545,7 @@ func (d *driver) Move(ctx context.Context, sourcePath string, destPath string) e
ContentType: d.getContentType(), ContentType: d.getContentType(),
ACL: d.getACL(), ACL: d.getACL(),
ServerSideEncryption: d.getEncryptionMode(), ServerSideEncryption: d.getEncryptionMode(),
SSEKMSKeyId: d.getSSEKMSKeyID(),
StorageClass: d.getStorageClass(), StorageClass: d.getStorageClass(),
CopySource: aws.String(d.Bucket + "/" + d.s3Path(sourcePath)), CopySource: aws.String(d.Bucket + "/" + d.s3Path(sourcePath)),
}) })
@ -645,9 +657,19 @@ func parseError(path string, err error) error {
} }
func (d *driver) getEncryptionMode() *string { func (d *driver) getEncryptionMode() *string {
if d.Encrypt { if !d.Encrypt {
return nil
}
if d.KeyID == "" {
return aws.String("AES256") return aws.String("AES256")
} }
return aws.String("aws:kms")
}
func (d *driver) getSSEKMSKeyID() *string {
if d.KeyID != "" {
return aws.String(d.KeyID)
}
return nil return nil
} }
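Review bot: getSSEKMSKeyID returns the key whenever d.KeyID is set, but getEncryptionMode returns nil when d.Encrypt is false, so a configuration with keyid set and encrypt left false sends SSEKMSKeyId on every PutObject/CreateMultipartUpload/CopyObject request in the hunks above without a matching ServerSideEncryption value; depending on how S3 handles that header combination the writes either fail or, worse, land unencrypted while the operator believes KMS is in use. The helper should follow the same gate, `if d.Encrypt && d.KeyID != "" {`, and FromParameters should reject the mismatch up front with a check along the lines of `if keyID != "" && !encryptBool { return nil, fmt.Errorf("The keyid parameter requires encrypt to be true") }` next to the existing secure/encrypt validation (encryptBool is assigned outside the hunk, so its exact name should be confirmed there). The keyid parameter is also accepted as any type and flattened with fmt.Sprint, unlike secure which errors on a non-boolean; a string type assertion with an error on mismatch would keep a mistyped config value from becoming a bogus key ID. Both helpers would benefit from a doc comment stating that a non-empty KeyID selects aws:kms and an empty one falls back to AES256.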


@ -27,6 +27,7 @@ func init() {
secretKey := os.Getenv("AWS_SECRET_KEY") secretKey := os.Getenv("AWS_SECRET_KEY")
bucket := os.Getenv("S3_BUCKET") bucket := os.Getenv("S3_BUCKET")
encrypt := os.Getenv("S3_ENCRYPT") encrypt := os.Getenv("S3_ENCRYPT")
keyID := os.Getenv("S3_KEY_ID")
secure := os.Getenv("S3_SECURE") secure := os.Getenv("S3_SECURE")
region := os.Getenv("AWS_REGION") region := os.Getenv("AWS_REGION")
root, err := ioutil.TempDir("", "driver-") root, err := ioutil.TempDir("", "driver-")
@ -60,6 +61,7 @@ func init() {
region, region,
regionEndpoint, regionEndpoint,
encryptBool, encryptBool,
keyID,
secureBool, secureBool,
minChunkSize, minChunkSize,
rootDirectory, rootDirectory,