From 58944d0ba6476b5c42aabbabf92a2068f464200a Mon Sep 17 00:00:00 2001 From: hechuang Date: Fri, 30 Jun 2017 13:56:58 +0800 Subject: [PATCH 1/3] rgw: Data encryption is not follow the AWS agreement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Encryption request headers should not be sent for GET requests and HEAD requests if your object uses SSE-KMS/SSE-S3 or you’ll get an HTTP 400 BadRequest error. Signed-off-by: hechuang
---
 s3tests/functional/test_s3.py | 32 +++++--------------------------- 1 file changed, 5 insertions(+), 27 deletions(-)
diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index 309004b..650c366 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -8376,7 +8376,7 @@ def _test_sse_kms_customer_write(file_size, key_id = 'testkey-1'):
 key = bucket.new_key('testobj')
 data = 'A'*file_size
 key.set_contents_from_string(data, headers=sse_kms_client_headers)
- rdata = key.get_contents_as_string(headers=sse_kms_client_headers)
+ rdata = key.get_contents_as_string()
 eq(data, rdata)
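Review bot: Nothing visible in `_test_sse_kms_customer_write` checks that the object was stored encrypted: it is written with the SSE-KMS headers, read back with a plain GET and compared with `eq(data, rdata)`, so a gateway that silently ignored the encryption headers on PUT and kept plaintext would still pass. Consider asserting the encryption marker on the read side, for example a HEAD via `_make_request('HEAD', bucket, key, authenticated=True)` followed by `eq(res.getheader('x-amz-server-side-encryption'), 'aws:kms')`, the check `test_sse_kms_method_head` already uses. The same gap applies to the header-less reads in `test_sse_kms_multipart_upload` and `test_sse_kms_post_object_authenticated_request` later in this patch. The start of the function is outside the hunk, so a check placed there would not be visible here.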
@@ -8455,28 +8455,6 @@ def test_sse_kms_present():
 eq(data, result)
-@attr(resource='object')
-@attr(method='put')
-@attr(operation='write encrypted with SSE-KMS but read with other key')
-@attr(assertion='operation fails')
-@attr('encryption')
-def test_sse_kms_other_key():
- bucket = get_new_bucket()
- sse_kms_client_headers_A = {
- 'x-amz-server-side-encryption': 'aws:kms',
- 'x-amz-server-side-encryption-aws-kms-key-id': 'testkey-1'
- }
- sse_kms_client_headers_B = {
- 'x-amz-server-side-encryption': 'aws:kms',
- 'x-amz-server-side-encryption-aws-kms-key-id': 'testkey-2'
- }
- key = bucket.new_key('testobj')
- data = 'A'*100
- key.set_contents_from_string(data, headers=sse_kms_client_headers_A)
- result = key.get_contents_as_string(headers=sse_kms_client_headers_B)
- eq(data, result)
-
-
 @attr(resource='object')
 @attr(method='put')
 @attr(operation='declare SSE-KMS but do not provide key_id')
@@ -8537,13 +8515,13 @@ def test_sse_kms_multipart_upload():
 k = bucket.get_key(key)
 eq(k.metadata['foo'], 'bar')
 eq(k.content_type, content_type)
- test_string = k.get_contents_as_string(headers=enc_headers)
+ test_string = k.get_contents_as_string()
 eq(len(test_string), k.size)
 eq(data, test_string)
 eq(test_string, data)
- _check_content_using_range_enc(k, data, 1000000, enc_headers=enc_headers)
- _check_content_using_range_enc(k, data, 10000000, enc_headers=enc_headers)
+ _check_content_using_range(k, data, 1000000)
+ _check_content_using_range(k, data, 10000000)
 @attr(resource='object')
@@ -8639,7 +8617,7 @@ def test_sse_kms_post_object_authenticated_request():
 }
 key = bucket.get_key("foo.txt")
- got = key.get_contents_as_string(headers=get_headers)
+ got = key.get_contents_as_string()
 eq(got, 'bar')
 @attr(resource='object')
From b5549732393a82e405dc39c01c050f818a033f0e Mon Sep 17 00:00:00 2001 From: hechuang Date: Fri, 30 Jun 2017 14:19:45 +0800 Subject: [PATCH 2/3] add test_sse_kms_read_declare() for aws standard
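Review bot: In `test_sse_kms_post_object_authenticated_request` (last hunk of PATCH 1/3) the `get_headers` dictionary is presumably left defined but unused now that the read is `key.get_contents_as_string()`. The `}` context line just above the changed call looks like the end of that literal, though its start is outside the hunk. A leftover SSE-KMS header dict in a test that must no longer send those headers on GET invites someone to wire it back in, so remove the definition in the same commit.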
Signed-off-by: hechuang
---
 s3tests/functional/test_s3.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index 650c366..d6a88bd 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -8663,6 +8663,23 @@ def test_sse_kms_barb_transfer_13b():
 raise SkipTest
 _test_sse_kms_customer_write(13, key_id = config['main']['kms_keyid'])
+@attr(resource='object')
+@attr(method='get')
+@attr(operation='write encrypted with SSE-KMS and read with SSE-KMS')
+@attr(assertion='operation fails')
+@attr('encryption')
+def test_sse_kms_read_declare():
+ bucket = get_new_bucket()
+ sse_kms_client_headers = {
+ 'x-amz-server-side-encryption': 'aws:kms',
+ 'x-amz-server-side-encryption-aws-kms-key-id': 'testkey-1'
+ }
+ key = bucket.new_key('testobj')
+ data = 'A'*100
+ key.set_contents_from_string(data, headers=sse_kms_client_headers)
+ e = assert_raises(boto.exception.S3ResponseError, key.get_contents_as_string, headers=sse_kms_client_headers)
+ eq(e.status, 400)
+
 @attr(resource='bucket')
 @attr(method='get')
 @attr(operation='Test Bucket Policy')
From 1ca6a94e6ac7fd88870d929ac4c0e136295e406c Mon Sep 17 00:00:00 2001 From: hechuang Date: Mon, 3 Jul 2017 12:11:08 +0800 Subject: [PATCH 3/3] modify test_sse_kms_method_head() for aws standard Signed-off-by: hechuang
---
 s3tests/functional/test_s3.py | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index d6a88bd..dd943ff 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -8435,6 +8435,9 @@ def test_sse_kms_method_head():
 eq(res.status, 200)
 eq(res.getheader('x-amz-server-side-encryption'), 'aws:kms')
 eq(res.getheader('x-amz-server-side-encryption-aws-kms-key-id'), 'testkey-1')
+
+ res = _make_request('HEAD', bucket, key, authenticated=True, request_headers=sse_kms_client_headers)
+ eq(res.status, 400)
 @attr(resource='object')
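Review bot: `test_sse_kms_read_declare` (PATCH 2/3) accepts any 400, because `eq(e.status, 400)` is its only assertion; a rejection for an unrelated reason would satisfy it just as well as the intended refusal of SSE-KMS headers on GET. Pin the error too, e.g. `eq(e.reason, 'Bad Request')` and `eq(e.error_code, '<EXPECTED_ERROR_CODE>')`, using the code the gateway is specified to return. The read also reuses the write's key id `testkey-1`. Since PATCH 1/3 deleted `test_sse_kms_other_key`, a GET that names a different key id is no longer exercised anywhere on this page, and a second `assert_raises` with `'testkey-2'` would restore that coverage.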
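Review bot: The second HEAD added to `test_sse_kms_method_head` (PATCH 3/3) has no comment saying why 400 is expected, and it sits directly under three assertions that expect a 200 with the encryption headers echoed back. Add a line above it such as `# SSE-KMS request headers are not accepted on HEAD; the gateway must answer 400`. The definition of `sse_kms_client_headers` and the PUT are outside the hunk; if it is the same dict the object was written with, say so in the comment so the contrast with the header-less HEAD is explicit.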