aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/s3api_put_handlers.go
diff options
context:
space:
mode:
Diffstat (limited to 'weed/s3api/s3api_put_handlers.go')
-rw-r--r--weed/s3api/s3api_put_handlers.go270
1 files changed, 270 insertions, 0 deletions
diff --git a/weed/s3api/s3api_put_handlers.go b/weed/s3api/s3api_put_handlers.go
new file mode 100644
index 000000000..fafd2f329
--- /dev/null
+++ b/weed/s3api/s3api_put_handlers.go
@@ -0,0 +1,270 @@
+package s3api
+
+import (
+ "encoding/base64"
+ "io"
+ "net/http"
+ "strings"
+
+ "github.com/seaweedfs/seaweedfs/weed/glog"
+ "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
+ "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
+)
+
+// PutToFilerEncryptionResult holds the result of encryption processing
+type PutToFilerEncryptionResult struct {
+ DataReader io.Reader
+ SSEType string
+ CustomerKey *SSECustomerKey
+ SSEIV []byte
+ SSEKMSKey *SSEKMSKey
+ SSES3Key *SSES3Key
+ SSEKMSMetadata []byte
+ SSES3Metadata []byte
+}
+
+// calculatePartOffset calculates unique offset for each part to prevent IV reuse in multipart uploads
+// AWS S3 part numbers must start from 1, never 0 or negative
+func calculatePartOffset(partNumber int) int64 {
+ // AWS S3 part numbers must start from 1, never 0 or negative
+ if partNumber < 1 {
+ glog.Errorf("Invalid partNumber: %d. Must be >= 1.", partNumber)
+ return 0
+ }
+ // Using a large multiplier to ensure block offsets for different parts do not overlap.
+ // S3 part size limit is 5GB, so this provides a large safety margin.
+ partOffset := int64(partNumber-1) * s3_constants.PartOffsetMultiplier
+ return partOffset
+}
+
+// handleSSECEncryption processes SSE-C encryption for the data reader
+func (s3a *S3ApiServer) handleSSECEncryption(r *http.Request, dataReader io.Reader) (io.Reader, *SSECustomerKey, []byte, s3err.ErrorCode) {
+ // Handle SSE-C encryption if requested
+ customerKey, err := ParseSSECHeaders(r)
+ if err != nil {
+ glog.Errorf("SSE-C header validation failed: %v", err)
+ // Use shared error mapping helper
+ errCode := MapSSECErrorToS3Error(err)
+ return nil, nil, nil, errCode
+ }
+
+ // Apply SSE-C encryption if customer key is provided
+ var sseIV []byte
+ if customerKey != nil {
+ encryptedReader, iv, encErr := CreateSSECEncryptedReader(dataReader, customerKey)
+ if encErr != nil {
+ return nil, nil, nil, s3err.ErrInternalError
+ }
+ dataReader = encryptedReader
+ sseIV = iv
+ }
+
+ return dataReader, customerKey, sseIV, s3err.ErrNone
+}
+
+// handleSSEKMSEncryption processes SSE-KMS encryption for the data reader
+func (s3a *S3ApiServer) handleSSEKMSEncryption(r *http.Request, dataReader io.Reader, partOffset int64) (io.Reader, *SSEKMSKey, []byte, s3err.ErrorCode) {
+ // Handle SSE-KMS encryption if requested
+ if !IsSSEKMSRequest(r) {
+ return dataReader, nil, nil, s3err.ErrNone
+ }
+
+ glog.V(3).Infof("handleSSEKMSEncryption: SSE-KMS request detected, processing encryption")
+
+ // Parse SSE-KMS headers
+ keyID := r.Header.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
+ bucketKeyEnabled := strings.ToLower(r.Header.Get(s3_constants.AmzServerSideEncryptionBucketKeyEnabled)) == "true"
+
+ // Build encryption context
+ bucket, object := s3_constants.GetBucketAndObject(r)
+ encryptionContext := BuildEncryptionContext(bucket, object, bucketKeyEnabled)
+
+ // Add any user-provided encryption context
+ if contextHeader := r.Header.Get(s3_constants.AmzServerSideEncryptionContext); contextHeader != "" {
+ userContext, err := parseEncryptionContext(contextHeader)
+ if err != nil {
+ return nil, nil, nil, s3err.ErrInvalidRequest
+ }
+ // Merge user context with default context
+ for k, v := range userContext {
+ encryptionContext[k] = v
+ }
+ }
+
+ // Check if a base IV is provided (for multipart uploads)
+ var encryptedReader io.Reader
+ var sseKey *SSEKMSKey
+ var encErr error
+
+ baseIVHeader := r.Header.Get(s3_constants.SeaweedFSSSEKMSBaseIVHeader)
+ if baseIVHeader != "" {
+ // Decode the base IV from the header
+ baseIV, decodeErr := base64.StdEncoding.DecodeString(baseIVHeader)
+ if decodeErr != nil || len(baseIV) != 16 {
+ return nil, nil, nil, s3err.ErrInternalError
+ }
+ // Use the provided base IV with unique part offset for multipart upload consistency
+ encryptedReader, sseKey, encErr = CreateSSEKMSEncryptedReaderWithBaseIVAndOffset(dataReader, keyID, encryptionContext, bucketKeyEnabled, baseIV, partOffset)
+ glog.V(4).Infof("Using provided base IV %x for SSE-KMS encryption", baseIV[:8])
+ } else {
+ // Generate a new IV for single-part uploads
+ encryptedReader, sseKey, encErr = CreateSSEKMSEncryptedReaderWithBucketKey(dataReader, keyID, encryptionContext, bucketKeyEnabled)
+ }
+
+ if encErr != nil {
+ return nil, nil, nil, s3err.ErrInternalError
+ }
+
+ // Prepare SSE-KMS metadata for later header setting
+ sseKMSMetadata, metaErr := SerializeSSEKMSMetadata(sseKey)
+ if metaErr != nil {
+ return nil, nil, nil, s3err.ErrInternalError
+ }
+
+ return encryptedReader, sseKey, sseKMSMetadata, s3err.ErrNone
+}
+
+// handleSSES3MultipartEncryption handles multipart upload logic for SSE-S3 encryption
+func (s3a *S3ApiServer) handleSSES3MultipartEncryption(r *http.Request, dataReader io.Reader, partOffset int64) (io.Reader, *SSES3Key, s3err.ErrorCode) {
+ keyDataHeader := r.Header.Get(s3_constants.SeaweedFSSSES3KeyDataHeader)
+ baseIVHeader := r.Header.Get(s3_constants.SeaweedFSSSES3BaseIVHeader)
+
+ glog.V(4).Infof("handleSSES3MultipartEncryption: using provided key and base IV for multipart part")
+
+ // Decode the key data
+ keyData, decodeErr := base64.StdEncoding.DecodeString(keyDataHeader)
+ if decodeErr != nil {
+ return nil, nil, s3err.ErrInternalError
+ }
+
+ // Deserialize the SSE-S3 key
+ keyManager := GetSSES3KeyManager()
+ key, deserializeErr := DeserializeSSES3Metadata(keyData, keyManager)
+ if deserializeErr != nil {
+ return nil, nil, s3err.ErrInternalError
+ }
+
+ // Decode the base IV
+ baseIV, decodeErr := base64.StdEncoding.DecodeString(baseIVHeader)
+ if decodeErr != nil || len(baseIV) != s3_constants.AESBlockSize {
+ return nil, nil, s3err.ErrInternalError
+ }
+
+ // Use the provided base IV with unique part offset for multipart upload consistency
+ encryptedReader, _, encErr := CreateSSES3EncryptedReaderWithBaseIV(dataReader, key, baseIV, partOffset)
+ if encErr != nil {
+ return nil, nil, s3err.ErrInternalError
+ }
+
+ glog.V(4).Infof("handleSSES3MultipartEncryption: using provided base IV %x", baseIV[:8])
+ return encryptedReader, key, s3err.ErrNone
+}
+
+// handleSSES3SinglePartEncryption handles single-part upload logic for SSE-S3 encryption
+func (s3a *S3ApiServer) handleSSES3SinglePartEncryption(dataReader io.Reader) (io.Reader, *SSES3Key, s3err.ErrorCode) {
+ glog.V(4).Infof("handleSSES3SinglePartEncryption: generating new key for single-part upload")
+
+ keyManager := GetSSES3KeyManager()
+ key, err := keyManager.GetOrCreateKey("")
+ if err != nil {
+ return nil, nil, s3err.ErrInternalError
+ }
+
+ // Create encrypted reader
+ encryptedReader, iv, encErr := CreateSSES3EncryptedReader(dataReader, key)
+ if encErr != nil {
+ return nil, nil, s3err.ErrInternalError
+ }
+
+ // Store IV on the key object for later decryption
+ key.IV = iv
+
+ // Store the key for later use
+ keyManager.StoreKey(key)
+
+ return encryptedReader, key, s3err.ErrNone
+}
+
+// handleSSES3Encryption processes SSE-S3 encryption for the data reader
+func (s3a *S3ApiServer) handleSSES3Encryption(r *http.Request, dataReader io.Reader, partOffset int64) (io.Reader, *SSES3Key, []byte, s3err.ErrorCode) {
+ if !IsSSES3RequestInternal(r) {
+ return dataReader, nil, nil, s3err.ErrNone
+ }
+
+ glog.V(3).Infof("handleSSES3Encryption: SSE-S3 request detected, processing encryption")
+
+ var encryptedReader io.Reader
+ var sseS3Key *SSES3Key
+ var errCode s3err.ErrorCode
+
+ // Check if this is multipart upload (key data and base IV provided)
+ keyDataHeader := r.Header.Get(s3_constants.SeaweedFSSSES3KeyDataHeader)
+ baseIVHeader := r.Header.Get(s3_constants.SeaweedFSSSES3BaseIVHeader)
+
+ if keyDataHeader != "" && baseIVHeader != "" {
+ // Multipart upload: use provided key and base IV
+ encryptedReader, sseS3Key, errCode = s3a.handleSSES3MultipartEncryption(r, dataReader, partOffset)
+ } else {
+ // Single-part upload: generate new key and IV
+ encryptedReader, sseS3Key, errCode = s3a.handleSSES3SinglePartEncryption(dataReader)
+ }
+
+ if errCode != s3err.ErrNone {
+ return nil, nil, nil, errCode
+ }
+
+ // Prepare SSE-S3 metadata for later header setting
+ sseS3Metadata, metaErr := SerializeSSES3Metadata(sseS3Key)
+ if metaErr != nil {
+ return nil, nil, nil, s3err.ErrInternalError
+ }
+
+ glog.V(3).Infof("handleSSES3Encryption: prepared SSE-S3 metadata for object")
+ return encryptedReader, sseS3Key, sseS3Metadata, s3err.ErrNone
+}
+
+// handleAllSSEEncryption processes all SSE types in sequence and returns the final encrypted reader
+// This eliminates repetitive dataReader assignments and centralizes SSE processing
+func (s3a *S3ApiServer) handleAllSSEEncryption(r *http.Request, dataReader io.Reader, partOffset int64) (*PutToFilerEncryptionResult, s3err.ErrorCode) {
+ result := &PutToFilerEncryptionResult{
+ DataReader: dataReader,
+ }
+
+ // Handle SSE-C encryption first
+ encryptedReader, customerKey, sseIV, errCode := s3a.handleSSECEncryption(r, result.DataReader)
+ if errCode != s3err.ErrNone {
+ return nil, errCode
+ }
+ result.DataReader = encryptedReader
+ result.CustomerKey = customerKey
+ result.SSEIV = sseIV
+
+ // Handle SSE-KMS encryption
+ encryptedReader, sseKMSKey, sseKMSMetadata, errCode := s3a.handleSSEKMSEncryption(r, result.DataReader, partOffset)
+ if errCode != s3err.ErrNone {
+ return nil, errCode
+ }
+ result.DataReader = encryptedReader
+ result.SSEKMSKey = sseKMSKey
+ result.SSEKMSMetadata = sseKMSMetadata
+
+ // Handle SSE-S3 encryption
+ encryptedReader, sseS3Key, sseS3Metadata, errCode := s3a.handleSSES3Encryption(r, result.DataReader, partOffset)
+ if errCode != s3err.ErrNone {
+ return nil, errCode
+ }
+ result.DataReader = encryptedReader
+ result.SSES3Key = sseS3Key
+ result.SSES3Metadata = sseS3Metadata
+
+ // Set SSE type for response headers
+ if customerKey != nil {
+ result.SSEType = s3_constants.SSETypeC
+ } else if sseKMSKey != nil {
+ result.SSEType = s3_constants.SSETypeKMS
+ } else if sseS3Key != nil {
+ result.SSEType = s3_constants.SSETypeS3
+ }
+
+ return result, s3err.ErrNone
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-21 10:10:44 +0000