S3 API: Add SSE-C (#7143)

* implement sse-c

* fix Content-Range

* adding tests

* Update s3_sse_c_test.go

* copy sse-c objects

* adding tests

* refactor

* multi reader

* remove extra write header call

* refactor

* SSE-C encrypted objects do not support HTTP Range requests

* robust

* fix server starts

* Update Makefile

* Update Makefile

* ci: remove SSE-C integration tests and workflows; delete test/s3/encryption/

* s3: SSE-C MD5 must be base64 (case-sensitive); fix validation, comparisons, metadata storage; update tests

* minor

* base64

* Update SSE-C_IMPLEMENTATION.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update SSE-C_IMPLEMENTATION.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* address comments

* fix test

* fix compilation

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

1 files changed, 63 insertions, 0 deletions

diff --git a/weed/s3api/s3_sse_c_range_test.go b/weed/s3api/s3_sse_c_range_test.go
new file mode 100644
index 000000000..456231074
--- /dev/null
+++ b/weed/s3api/s3_sse_c_range_test.go
@@ -0,0 +1,63 @@
+package s3api
+
+import (
+	"bytes"
+	"crypto/md5"
+	"encoding/base64"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gorilla/mux"
+	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
+)
+
+// ResponseRecorder that also implements http.Flusher
+type recorderFlusher struct{ *httptest.ResponseRecorder }
+
+func (r recorderFlusher) Flush() {}
+
+// TestSSECRangeRequestsNotSupported verifies that HTTP Range requests are rejected
+// for SSE-C encrypted objects because the IV is required at the beginning of the stream
+func TestSSECRangeRequestsNotSupported(t *testing.T) {
+	// Create a request with Range header and valid SSE-C headers
+	req := httptest.NewRequest(http.MethodGet, "/b/o", nil)
+	req.Header.Set("Range", "bytes=10-20")
+	req.Header.Set(s3_constants.AmzServerSideEncryptionCustomerAlgorithm, "AES256")
+
+	key := make([]byte, 32)
+	for i := range key {
+		key[i] = byte(i)
+	}
+	s := md5.Sum(key)
+	keyMD5 := base64.StdEncoding.EncodeToString(s[:])
+
+	req.Header.Set(s3_constants.AmzServerSideEncryptionCustomerKey, base64.StdEncoding.EncodeToString(key))
+	req.Header.Set(s3_constants.AmzServerSideEncryptionCustomerKeyMD5, keyMD5)
+
+	// Attach mux vars to avoid panic in error writer
+	req = mux.SetURLVars(req, map[string]string{"bucket": "b", "object": "o"})
+
+	// Create a mock HTTP response that simulates SSE-C encrypted object metadata
+	proxyResponse := &http.Response{
+		StatusCode: 200,
+		Header:     make(http.Header),
+		Body:       io.NopCloser(bytes.NewReader([]byte("mock encrypted data"))),
+	}
+	proxyResponse.Header.Set(s3_constants.AmzServerSideEncryptionCustomerAlgorithm, "AES256")
+	proxyResponse.Header.Set(s3_constants.AmzServerSideEncryptionCustomerKeyMD5, keyMD5)
+
+	// Call the function under test
+	s3a := &S3ApiServer{}
+	rec := httptest.NewRecorder()
+	w := recorderFlusher{rec}
+	statusCode, _ := s3a.handleSSECResponse(req, proxyResponse, w)
+
+	if statusCode != http.StatusRequestedRangeNotSatisfiable {
+		t.Fatalf("expected status %d, got %d", http.StatusRequestedRangeNotSatisfiable, statusCode)
+	}
+	if rec.Result().StatusCode != http.StatusRequestedRangeNotSatisfiable {
+		t.Fatalf("writer status expected %d, got %d", http.StatusRequestedRangeNotSatisfiable, rec.Result().StatusCode)
+	}
+}