authorchrislu <chris.lu@gmail.com>2025-08-30 11:18:03 -0700
committerchrislu <chris.lu@gmail.com>2025-08-30 11:18:03 -0700
commit87021a146027f83f911619f71b9c27bd51e9d55a (patch)
treec7720f1c285683ce19d28931bd7c11b5475a2844 /weed/s3api/s3_constants
parent0748214c8e2f497a84b9392d2d7d4ec976bc84eb (diff)
parent879d512b552d834136cfb746a239e6168e5c4ffb (diff)
Merge branch 'master' into add-ec-vacuumorigin/add-ec-vacuum
Diffstat (limited to 'weed/s3api/s3_constants')
-rw-r--r--weed/s3api/s3_constants/crypto.go32
-rw-r--r--weed/s3api/s3_constants/header.go55
-rw-r--r--weed/s3api/s3_constants/s3_actions.go8
3 files changed, 95 insertions, 0 deletions
diff --git a/weed/s3api/s3_constants/crypto.go b/weed/s3api/s3_constants/crypto.go
new file mode 100644
index 000000000..398e2b669
--- /dev/null
+++ b/weed/s3api/s3_constants/crypto.go
@@ -0,0 +1,32 @@
+package s3_constants
+
+// Cryptographic constants
+const (
+ // AES block and key sizes
+ AESBlockSize = 16 // 128 bits for AES block size (IV length)
+ AESKeySize = 32 // 256 bits for AES-256 keys
+
+ // SSE algorithm identifiers
+ SSEAlgorithmAES256 = "AES256"
+ SSEAlgorithmKMS = "aws:kms"
+
+ // SSE type identifiers for response headers and internal processing
+ SSETypeC = "SSE-C"
+ SSETypeKMS = "SSE-KMS"
+ SSETypeS3 = "SSE-S3"
+
+ // S3 multipart upload limits and offsets
+ S3MaxPartSize = 5 * 1024 * 1024 * 1024 // 5GB - AWS S3 maximum part size limit
+
+ // Multipart offset calculation for unique IV generation
+ // Using 8GB offset between parts (larger than max part size) to prevent IV collisions
+ // Critical for CTR mode encryption security in multipart uploads
+ PartOffsetMultiplier = int64(1) << 33 // 8GB per part offset
+
+ // KMS validation limits based on AWS KMS service constraints
+ MaxKMSEncryptionContextPairs = 10 // Maximum number of encryption context key-value pairs
+ MaxKMSKeyIDLength = 500 // Maximum length for KMS key identifiers
+
+ // S3 multipart upload limits based on AWS S3 service constraints
+ MaxS3MultipartParts = 10000 // Maximum number of parts in a multipart upload (1-10,000)
+)
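Review bot: The guarantee that per-part IV ranges never overlap rests only on the comment above `PartOffsetMultiplier`; nothing in this file ties it to `S3MaxPartSize`, so a later edit to either constant could silently reintroduce CTR keystream reuse across parts. A compile-time guard such as `const _ = uint64(PartOffsetMultiplier - S3MaxPartSize - 1)` would fail the build if the offset stops exceeding the maximum part size. The comment should also state the unit of the offset (bytes of data versus AES blocks), since the code that derives the per-part IV is not visible here and has to convert with `AESBlockSize` and carry across the whole counter. Separately, `S3MaxPartSize` is an untyped constant larger than 2^31, so any use as a plain `int` would not compile on 32-bit targets; typing it `int64` like `PartOffsetMultiplier` would be consistent.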
diff --git a/weed/s3api/s3_constants/header.go b/weed/s3api/s3_constants/header.go
index 52bcda548..86863f257 100644
--- a/weed/s3api/s3_constants/header.go
+++ b/weed/s3api/s3_constants/header.go
@@ -57,6 +57,12 @@ const (
AmzObjectLockRetainUntilDate = "X-Amz-Object-Lock-Retain-Until-Date"
AmzObjectLockLegalHold = "X-Amz-Object-Lock-Legal-Hold"
+ // S3 conditional headers
+ IfMatch = "If-Match"
+ IfNoneMatch = "If-None-Match"
+ IfModifiedSince = "If-Modified-Since"
+ IfUnmodifiedSince = "If-Unmodified-Since"
+
// S3 conditional copy headers
AmzCopySourceIfMatch = "X-Amz-Copy-Source-If-Match"
AmzCopySourceIfNoneMatch = "X-Amz-Copy-Source-If-None-Match"
@@ -64,6 +70,55 @@ const (
AmzCopySourceIfUnmodifiedSince = "X-Amz-Copy-Source-If-Unmodified-Since"
AmzMpPartsCount = "X-Amz-Mp-Parts-Count"
+
+ // S3 Server-Side Encryption with Customer-provided Keys (SSE-C)
+ AmzServerSideEncryptionCustomerAlgorithm = "X-Amz-Server-Side-Encryption-Customer-Algorithm"
+ AmzServerSideEncryptionCustomerKey = "X-Amz-Server-Side-Encryption-Customer-Key"
+ AmzServerSideEncryptionCustomerKeyMD5 = "X-Amz-Server-Side-Encryption-Customer-Key-MD5"
+ AmzServerSideEncryptionContext = "X-Amz-Server-Side-Encryption-Context"
+
+ // S3 Server-Side Encryption with KMS (SSE-KMS)
+ AmzServerSideEncryption = "X-Amz-Server-Side-Encryption"
+ AmzServerSideEncryptionAwsKmsKeyId = "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"
+ AmzServerSideEncryptionBucketKeyEnabled = "X-Amz-Server-Side-Encryption-Bucket-Key-Enabled"
+
+ // S3 SSE-C copy source headers
+ AmzCopySourceServerSideEncryptionCustomerAlgorithm = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm"
+ AmzCopySourceServerSideEncryptionCustomerKey = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key"
+ AmzCopySourceServerSideEncryptionCustomerKeyMD5 = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-MD5"
+)
+
+// Metadata keys for internal storage
+const (
+ // SSE-KMS metadata keys
+ AmzEncryptedDataKey = "x-amz-encrypted-data-key"
+ AmzEncryptionContextMeta = "x-amz-encryption-context"
+
+ // SeaweedFS internal metadata keys for encryption (prefixed to avoid automatic HTTP header conversion)
+ SeaweedFSSSEKMSKey = "x-seaweedfs-sse-kms-key" // Key for storing serialized SSE-KMS metadata
+ SeaweedFSSSES3Key = "x-seaweedfs-sse-s3-key" // Key for storing serialized SSE-S3 metadata
+ SeaweedFSSSEIV = "x-seaweedfs-sse-c-iv" // Key for storing SSE-C IV
+
+ // Multipart upload metadata keys for SSE-KMS (consistent with internal metadata key pattern)
+ SeaweedFSSSEKMSKeyID = "x-seaweedfs-sse-kms-key-id" // Key ID for multipart upload SSE-KMS inheritance
+ SeaweedFSSSEKMSEncryption = "x-seaweedfs-sse-kms-encryption" // Encryption type for multipart upload SSE-KMS inheritance
+ SeaweedFSSSEKMSBucketKeyEnabled = "x-seaweedfs-sse-kms-bucket-key-enabled" // Bucket key setting for multipart upload SSE-KMS inheritance
+ SeaweedFSSSEKMSEncryptionContext = "x-seaweedfs-sse-kms-encryption-context" // Encryption context for multipart upload SSE-KMS inheritance
+ SeaweedFSSSEKMSBaseIV = "x-seaweedfs-sse-kms-base-iv" // Base IV for multipart upload SSE-KMS (for IV offset calculation)
+
+ // Multipart upload metadata keys for SSE-S3
+ SeaweedFSSSES3Encryption = "x-seaweedfs-sse-s3-encryption" // Encryption type for multipart upload SSE-S3 inheritance
+ SeaweedFSSSES3BaseIV = "x-seaweedfs-sse-s3-base-iv" // Base IV for multipart upload SSE-S3 (for IV offset calculation)
+ SeaweedFSSSES3KeyData = "x-seaweedfs-sse-s3-key-data" // Encrypted key data for multipart upload SSE-S3 inheritance
+)
+
+// SeaweedFS internal headers for filer communication
+const (
+ SeaweedFSSSEKMSKeyHeader = "X-SeaweedFS-SSE-KMS-Key" // Header for passing SSE-KMS metadata to filer
+ SeaweedFSSSEIVHeader = "X-SeaweedFS-SSE-IV" // Header for passing SSE-C IV to filer (SSE-C only)
+ SeaweedFSSSEKMSBaseIVHeader = "X-SeaweedFS-SSE-KMS-Base-IV" // Header for passing base IV for multipart SSE-KMS
+ SeaweedFSSSES3BaseIVHeader = "X-SeaweedFS-SSE-S3-Base-IV" // Header for passing base IV for multipart SSE-S3
+ SeaweedFSSSES3KeyDataHeader = "X-SeaweedFS-SSE-S3-Key-Data" // Header for passing key data for multipart SSE-S3
)
// Non-Standard S3 HTTP request constants
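Review bot: The `X-SeaweedFS-SSE-*` headers and `x-seaweedfs-sse-*` metadata keys added here carry serialized key metadata, key data and IVs between the S3 gateway and the filer, but nothing in the comments marks them as internal-only, and whether client-supplied copies are stripped from inbound S3 requests is not visible in this hunk. A group comment such as `// Internal only: must be removed from client requests before processing and never echoed in responses` would record the trust boundary for whoever wires the handlers. `AmzServerSideEncryptionContext` is also listed under the SSE-C comment although `X-Amz-Server-Side-Encryption-Context` is an SSE-KMS header; moving it into the SSE-KMS group would avoid confusion. The first const block starts before this hunk.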
diff --git a/weed/s3api/s3_constants/s3_actions.go b/weed/s3api/s3_constants/s3_actions.go
index e476eeaee..923327be2 100644
--- a/weed/s3api/s3_constants/s3_actions.go
+++ b/weed/s3api/s3_constants/s3_actions.go
@@ -17,6 +17,14 @@ const (
ACTION_GET_BUCKET_OBJECT_LOCK_CONFIG = "GetBucketObjectLockConfiguration"
ACTION_PUT_BUCKET_OBJECT_LOCK_CONFIG = "PutBucketObjectLockConfiguration"
+ // Granular multipart upload actions for fine-grained IAM policies
+ ACTION_CREATE_MULTIPART_UPLOAD = "s3:CreateMultipartUpload"
+ ACTION_UPLOAD_PART = "s3:UploadPart"
+ ACTION_COMPLETE_MULTIPART = "s3:CompleteMultipartUpload"
+ ACTION_ABORT_MULTIPART = "s3:AbortMultipartUpload"
+ ACTION_LIST_MULTIPART_UPLOADS = "s3:ListMultipartUploads"
+ ACTION_LIST_PARTS = "s3:ListParts"
+
SeaweedStorageDestinationHeader = "x-seaweedfs-destination"
MultipartUploadsFolder = ".uploads"
FolderMimeType = "httpd/unix-directory"
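Review bot: The six new action values carry an `s3:` prefix (`"s3:CreateMultipartUpload"`), while the existing actions in the same block, e.g. `ACTION_GET_BUCKET_OBJECT_LOCK_CONFIG = "GetBucketObjectLockConfiguration"`, do not. If the policy matcher compares these strings without normalising the prefix, a rule written in one form would not match the other, which for an authorization check can mean an unintended deny or a statement that never applies. A comment stating which form the matcher expects, e.g. `// Values include the "s3:" prefix because they are compared against IAM policy actions verbatim`, or aligning the values with their neighbours, would settle it; the matcher itself is not visible here. The const block begins and ends outside the hunk.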