[#595] Allow SSE-C only with TLS

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
2022-08-10 21:54:24 +03:00 · 2022-08-10 21:54:24 +03:00 · d824db7f69
commit d824db7f69
parent 50eeda03fa
9 changed files with 21 additions and 12 deletions
--- a/api/handler/api.go
+++ b/api/handler/api.go
@ -27,6 +27,7 @@ type (
 		DefaultPolicy      netmap.PlacementPolicy
 		DefaultMaxAge      int
 		NotificatorEnabled bool
+		TLSEnabled         bool
 	}
 )

--- a/api/handler/attributes.go
+++ b/api/handler/attributes.go
@ -94,7 +94,7 @@ func (h *handler) GetObjectAttributesHandler(w http.ResponseWriter, r *http.Requ
 	}
 	info := extendedInfo.ObjectInfo

-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
--- a/api/handler/copy.go
+++ b/api/handler/copy.go
@ -96,7 +96,7 @@ func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
--- a/api/handler/get.go
+++ b/api/handler/get.go
@ -150,7 +150,7 @@ func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
--- a/api/handler/handlers_test.go
+++ b/api/handler/handlers_test.go
@ -71,7 +71,9 @@ func prepareHandlerContext(t *testing.T) *handlerContext {
 	h := &handler{
 		log: l,
 		obj: layer.NewLayer(l, tp, layerCfg),
-		cfg: &Config{},
+		cfg: &Config{
+			TLSEnabled: true,
+		},
 	}

 	return &handlerContext{
--- a/api/handler/head.go
+++ b/api/handler/head.go
@ -53,7 +53,7 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	info := extendedInfo.ObjectInfo

-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
--- a/api/handler/multipart_upload.go
+++ b/api/handler/multipart_upload.go
@ -137,7 +137,7 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 		}
 	}

-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@ -220,7 +220,7 @@ func (h *handler) UploadPartHandler(w http.ResponseWriter, r *http.Request) {
 		Reader:     r.Body,
 	}

-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@ -321,7 +321,7 @@ func (h *handler) UploadPartCopy(w http.ResponseWriter, r *http.Request) {
 		Range:      srcRange,
 	}

-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@ -558,7 +558,7 @@ func (h *handler) ListPartsHandler(w http.ResponseWriter, r *http.Request) {
 		PartNumberMarker: partNumberMarker,
 	}

-	p.Info.Encryption, err = formEncryptionParams(r.Header)
+	p.Info.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@ -593,7 +593,7 @@ func (h *handler) AbortMultipartUploadHandler(w http.ResponseWriter, r *http.Req
 		Key:      reqInfo.ObjectName,
 	}

-	p.Encryption, err = formEncryptionParams(r.Header)
+	p.Encryption, err = h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
--- a/api/handler/put.go
+++ b/api/handler/put.go
@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/xml"
+	errorsStd "errors"
 	"fmt"
 	"io"
 	"net"
@ -210,7 +211,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 		metadata[api.Expires] = expires
 	}

-	encryption, err := formEncryptionParams(r.Header)
+	encryption, err := h.formEncryptionParams(r.Header)
 	if err != nil {
 		h.logAndSendError(w, "invalid sse headers", reqInfo, err)
 		return
@ -296,7 +297,7 @@ func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
 	api.WriteSuccessResponseHeadersOnly(w)
 }

-func formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {
+func (h handler) formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err error) {
 	sseCustomerAlgorithm := header.Get(api.AmzServerSideEncryptionCustomerAlgorithm)
 	sseCustomerKey := header.Get(api.AmzServerSideEncryptionCustomerKey)
 	sseCustomerKeyMD5 := header.Get(api.AmzServerSideEncryptionCustomerKeyMD5)
@ -305,6 +306,10 @@ func formEncryptionParams(header http.Header) (enc layer.EncryptionParams, err e
 		return
 	}

+	if !h.cfg.TLSEnabled {
+		return enc, errorsStd.New("encryption available only when TLS is enabled")
+	}
+
 	if sseCustomerAlgorithm != layer.AESEncryptionAlgorithm {
 		return enc, errors.GetAPIError(errors.ErrInvalidEncryptionAlgorithm)
 	}
--- a/cmd/s3-gw/app.go
+++ b/cmd/s3-gw/app.go
@ -419,6 +419,7 @@ func getHandlerOptions(v *viper.Viper, l *zap.Logger) *handler.Config {

 	cfg.DefaultMaxAge = defaultMaxAge
 	cfg.NotificatorEnabled = v.GetBool(cfgEnableNATS)
+	cfg.TLSEnabled = v.IsSet(cfgTLSKeyFile) && v.IsSet(cfgTLSCertFile)

 	return &cfg
 }