aboutsummaryrefslogtreecommitdiff
path: root/weed/s3api/s3_bucket_encryption.go
blob: cc9a0220f90f08476881e79cb07b27e582029525 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360

package s3api

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"

	"github.com/seaweedfs/seaweedfs/weed/glog"
	"github.com/seaweedfs/seaweedfs/weed/pb/s3_pb"
	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)

// ErrNoEncryptionConfig is returned when a bucket has no encryption configuration
var ErrNoEncryptionConfig = errors.New("no encryption configuration found")

// ServerSideEncryptionConfiguration represents the bucket encryption configuration
type ServerSideEncryptionConfiguration struct {
	XMLName xml.Name                   `xml:"ServerSideEncryptionConfiguration"`
	Rules   []ServerSideEncryptionRule `xml:"Rule"`
}

// ServerSideEncryptionRule represents a single encryption rule
type ServerSideEncryptionRule struct {
	ApplyServerSideEncryptionByDefault ApplyServerSideEncryptionByDefault `xml:"ApplyServerSideEncryptionByDefault"`
	BucketKeyEnabled                   *bool                              `xml:"BucketKeyEnabled,omitempty"`
}

// ApplyServerSideEncryptionByDefault specifies the default encryption settings
type ApplyServerSideEncryptionByDefault struct {
	SSEAlgorithm   string `xml:"SSEAlgorithm"`
	KMSMasterKeyID string `xml:"KMSMasterKeyID,omitempty"`
}

// encryptionConfigToProto converts EncryptionConfiguration to protobuf format
func encryptionConfigToProto(config *s3_pb.EncryptionConfiguration) *s3_pb.EncryptionConfiguration {
	if config == nil {
		return nil
	}
	return &s3_pb.EncryptionConfiguration{
		SseAlgorithm:     config.SseAlgorithm,
		KmsKeyId:         config.KmsKeyId,
		BucketKeyEnabled: config.BucketKeyEnabled,
	}
}

// encryptionConfigFromXML converts XML ServerSideEncryptionConfiguration to protobuf
func encryptionConfigFromXML(xmlConfig *ServerSideEncryptionConfiguration) *s3_pb.EncryptionConfiguration {
	if xmlConfig == nil || len(xmlConfig.Rules) == 0 {
		return nil
	}

	rule := xmlConfig.Rules[0] // AWS S3 supports only one rule
	return &s3_pb.EncryptionConfiguration{
		SseAlgorithm:     rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm,
		KmsKeyId:         rule.ApplyServerSideEncryptionByDefault.KMSMasterKeyID,
		BucketKeyEnabled: rule.BucketKeyEnabled != nil && *rule.BucketKeyEnabled,
	}
}

// encryptionConfigToXML converts protobuf EncryptionConfiguration to XML
func encryptionConfigToXML(config *s3_pb.EncryptionConfiguration) *ServerSideEncryptionConfiguration {
	if config == nil {
		return nil
	}

	return &ServerSideEncryptionConfiguration{
		Rules: []ServerSideEncryptionRule{
			{
				ApplyServerSideEncryptionByDefault: ApplyServerSideEncryptionByDefault{
					SSEAlgorithm:   config.SseAlgorithm,
					KMSMasterKeyID: config.KmsKeyId,
				},
				BucketKeyEnabled: &config.BucketKeyEnabled,
			},
		},
	}
}

// Default encryption algorithms
const (
	EncryptionTypeAES256 = "AES256"
	EncryptionTypeKMS    = "aws:kms"
)

// GetBucketEncryptionHandler handles GET bucket encryption requests
func (s3a *S3ApiServer) GetBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {
	bucket, _ := s3_constants.GetBucketAndObject(r)

	// Load bucket encryption configuration
	config, errCode := s3a.getEncryptionConfiguration(bucket)
	if errCode != s3err.ErrNone {
		if errCode == s3err.ErrNoSuchBucketEncryptionConfiguration {
			s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchBucketEncryptionConfiguration)
			return
		}
		s3err.WriteErrorResponse(w, r, errCode)
		return
	}

	// Convert protobuf config to S3 XML response
	response := encryptionConfigToXML(config)
	if response == nil {
		s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchBucketEncryptionConfiguration)
		return
	}

	w.Header().Set("Content-Type", "application/xml")
	if err := xml.NewEncoder(w).Encode(response); err != nil {
		glog.Errorf("Failed to encode bucket encryption response: %v", err)
		s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
		return
	}
}

// PutBucketEncryptionHandler handles PUT bucket encryption requests
func (s3a *S3ApiServer) PutBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {
	bucket, _ := s3_constants.GetBucketAndObject(r)

	// Read and parse the request body
	body, err := io.ReadAll(r.Body)
	if err != nil {
		glog.Errorf("Failed to read request body: %v", err)
		s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
		return
	}
	defer r.Body.Close()

	var xmlConfig ServerSideEncryptionConfiguration
	if err := xml.Unmarshal(body, &xmlConfig); err != nil {
		glog.Errorf("Failed to parse bucket encryption configuration: %v", err)
		s3err.WriteErrorResponse(w, r, s3err.ErrMalformedXML)
		return
	}

	// Validate the configuration
	if len(xmlConfig.Rules) == 0 {
		s3err.WriteErrorResponse(w, r, s3err.ErrMalformedXML)
		return
	}

	rule := xmlConfig.Rules[0] // AWS S3 supports only one rule

	// Validate SSE algorithm
	if rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm != EncryptionTypeAES256 &&
		rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm != EncryptionTypeKMS {
		s3err.WriteErrorResponse(w, r, s3err.ErrInvalidEncryptionAlgorithm)
		return
	}

	// For aws:kms, validate KMS key if provided
	if rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm == EncryptionTypeKMS {
		keyID := rule.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
		if keyID != "" && !isValidKMSKeyID(keyID) {
			s3err.WriteErrorResponse(w, r, s3err.ErrKMSKeyNotFound)
			return
		}
	}

	// Convert XML to protobuf configuration
	encryptionConfig := encryptionConfigFromXML(&xmlConfig)

	// Update the bucket configuration
	errCode := s3a.updateEncryptionConfiguration(bucket, encryptionConfig)
	if errCode != s3err.ErrNone {
		s3err.WriteErrorResponse(w, r, errCode)
		return
	}

	w.WriteHeader(http.StatusOK)
}

// DeleteBucketEncryptionHandler handles DELETE bucket encryption requests
func (s3a *S3ApiServer) DeleteBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {
	bucket, _ := s3_constants.GetBucketAndObject(r)

	errCode := s3a.removeEncryptionConfiguration(bucket)
	if errCode != s3err.ErrNone {
		s3err.WriteErrorResponse(w, r, errCode)
		return
	}

	w.WriteHeader(http.StatusNoContent)
}

// GetBucketEncryptionConfig retrieves the bucket encryption configuration for internal use
func (s3a *S3ApiServer) GetBucketEncryptionConfig(bucket string) (*s3_pb.EncryptionConfiguration, error) {
	config, errCode := s3a.getEncryptionConfiguration(bucket)
	if errCode != s3err.ErrNone {
		if errCode == s3err.ErrNoSuchBucketEncryptionConfiguration {
			return nil, ErrNoEncryptionConfig
		}
		return nil, fmt.Errorf("failed to get encryption configuration")
	}
	return config, nil
}

// Internal methods following the bucket configuration pattern

// getEncryptionConfiguration retrieves encryption configuration with caching
func (s3a *S3ApiServer) getEncryptionConfiguration(bucket string) (*s3_pb.EncryptionConfiguration, s3err.ErrorCode) {
	// Get metadata using structured API
	metadata, err := s3a.GetBucketMetadata(bucket)
	if err != nil {
		glog.Errorf("getEncryptionConfiguration: failed to get bucket metadata for bucket %s: %v", bucket, err)
		return nil, s3err.ErrInternalError
	}

	if metadata.Encryption == nil {
		return nil, s3err.ErrNoSuchBucketEncryptionConfiguration
	}

	return metadata.Encryption, s3err.ErrNone
}

// updateEncryptionConfiguration updates the encryption configuration for a bucket
func (s3a *S3ApiServer) updateEncryptionConfiguration(bucket string, encryptionConfig *s3_pb.EncryptionConfiguration) s3err.ErrorCode {
	// Update using structured API
	// Note: UpdateBucketEncryption -> UpdateBucketMetadata -> setBucketMetadata
	// already invalidates the cache synchronously after successful update
	err := s3a.UpdateBucketEncryption(bucket, encryptionConfig)
	if err != nil {
		glog.Errorf("updateEncryptionConfiguration: failed to update encryption config for bucket %s: %v", bucket, err)
		return s3err.ErrInternalError
	}

	return s3err.ErrNone
}

// removeEncryptionConfiguration removes the encryption configuration for a bucket
func (s3a *S3ApiServer) removeEncryptionConfiguration(bucket string) s3err.ErrorCode {
	// Check if encryption configuration exists
	metadata, err := s3a.GetBucketMetadata(bucket)
	if err != nil {
		glog.Errorf("removeEncryptionConfiguration: failed to get bucket metadata for bucket %s: %v", bucket, err)
		return s3err.ErrInternalError
	}

	if metadata.Encryption == nil {
		return s3err.ErrNoSuchBucketEncryptionConfiguration
	}

	// Update using structured API
	// Note: ClearBucketEncryption -> UpdateBucketMetadata -> setBucketMetadata
	// already invalidates the cache synchronously after successful update
	err = s3a.ClearBucketEncryption(bucket)
	if err != nil {
		glog.Errorf("removeEncryptionConfiguration: failed to remove encryption config for bucket %s: %v", bucket, err)
		return s3err.ErrInternalError
	}

	return s3err.ErrNone
}

// IsDefaultEncryptionEnabled checks if default encryption is enabled for a bucket
func (s3a *S3ApiServer) IsDefaultEncryptionEnabled(bucket string) bool {
	config, err := s3a.GetBucketEncryptionConfig(bucket)
	if err != nil {
		glog.V(4).Infof("IsDefaultEncryptionEnabled: failed to get encryption config for bucket %s: %v", bucket, err)
		return false
	}
	if config == nil {
		return false
	}
	return config.SseAlgorithm != ""
}

// GetDefaultEncryptionHeaders returns the default encryption headers for a bucket
func (s3a *S3ApiServer) GetDefaultEncryptionHeaders(bucket string) map[string]string {
	config, err := s3a.GetBucketEncryptionConfig(bucket)
	if err != nil {
		glog.V(4).Infof("GetDefaultEncryptionHeaders: failed to get encryption config for bucket %s: %v", bucket, err)
		return nil
	}
	if config == nil {
		return nil
	}

	headers := make(map[string]string)
	headers[s3_constants.AmzServerSideEncryption] = config.SseAlgorithm

	if config.SseAlgorithm == EncryptionTypeKMS && config.KmsKeyId != "" {
		headers[s3_constants.AmzServerSideEncryptionAwsKmsKeyId] = config.KmsKeyId
	}

	if config.BucketKeyEnabled {
		headers[s3_constants.AmzServerSideEncryptionBucketKeyEnabled] = "true"
	}

	return headers
}

// IsDefaultEncryptionEnabled checks if default encryption is enabled for a configuration
func IsDefaultEncryptionEnabled(config *s3_pb.EncryptionConfiguration) bool {
	return config != nil && config.SseAlgorithm != ""
}

// GetDefaultEncryptionHeaders generates default encryption headers from configuration
func GetDefaultEncryptionHeaders(config *s3_pb.EncryptionConfiguration) map[string]string {
	if config == nil || config.SseAlgorithm == "" {
		return nil
	}

	headers := make(map[string]string)
	headers[s3_constants.AmzServerSideEncryption] = config.SseAlgorithm

	if config.SseAlgorithm == "aws:kms" && config.KmsKeyId != "" {
		headers[s3_constants.AmzServerSideEncryptionAwsKmsKeyId] = config.KmsKeyId
	}

	return headers
}

// encryptionConfigFromXMLBytes parses XML bytes to encryption configuration
func encryptionConfigFromXMLBytes(xmlBytes []byte) (*s3_pb.EncryptionConfiguration, error) {
	var xmlConfig ServerSideEncryptionConfiguration
	if err := xml.Unmarshal(xmlBytes, &xmlConfig); err != nil {
		return nil, err
	}

	// Validate namespace - should be empty or the standard AWS namespace
	if xmlConfig.XMLName.Space != "" && xmlConfig.XMLName.Space != "http://s3.amazonaws.com/doc/2006-03-01/" {
		return nil, fmt.Errorf("invalid XML namespace: %s", xmlConfig.XMLName.Space)
	}

	// Validate the configuration
	if len(xmlConfig.Rules) == 0 {
		return nil, fmt.Errorf("encryption configuration must have at least one rule")
	}

	rule := xmlConfig.Rules[0]
	if rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm == "" {
		return nil, fmt.Errorf("encryption algorithm is required")
	}

	// Validate algorithm
	validAlgorithms := map[string]bool{
		"AES256":  true,
		"aws:kms": true,
	}

	if !validAlgorithms[rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm] {
		return nil, fmt.Errorf("unsupported encryption algorithm: %s", rule.ApplyServerSideEncryptionByDefault.SSEAlgorithm)
	}

	config := encryptionConfigFromXML(&xmlConfig)
	return config, nil
}

// encryptionConfigToXMLBytes converts encryption configuration to XML bytes
func encryptionConfigToXMLBytes(config *s3_pb.EncryptionConfiguration) ([]byte, error) {
	if config == nil {
		return nil, fmt.Errorf("encryption configuration is nil")
	}

	xmlConfig := encryptionConfigToXML(config)
	return xml.Marshal(xmlConfig)
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-20 23:21:10 +0000