1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
|
package s3api
import (
"fmt"
"net/http"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
// CopyValidationError represents validation errors during copy operations
type CopyValidationError struct {
Code s3err.ErrorCode
Message string
}
func (e *CopyValidationError) Error() string {
return e.Message
}
// ValidateCopyEncryption performs comprehensive validation of copy encryption parameters
func ValidateCopyEncryption(srcMetadata map[string][]byte, headers http.Header) error {
// Validate SSE-C copy requirements
if err := validateSSECCopyRequirements(srcMetadata, headers); err != nil {
return err
}
// Validate SSE-KMS copy requirements
if err := validateSSEKMSCopyRequirements(srcMetadata, headers); err != nil {
return err
}
// Validate incompatible encryption combinations
if err := validateEncryptionCompatibility(headers); err != nil {
return err
}
return nil
}
// validateSSECCopyRequirements validates SSE-C copy header requirements
func validateSSECCopyRequirements(srcMetadata map[string][]byte, headers http.Header) error {
srcIsSSEC := IsSSECEncrypted(srcMetadata)
hasCopyHeaders := hasSSECCopyHeaders(headers)
hasSSECHeaders := hasSSECHeaders(headers)
// If source is SSE-C encrypted, copy headers are required
if srcIsSSEC && !hasCopyHeaders {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C encrypted source requires copy source encryption headers",
}
}
// If copy headers are provided, source must be SSE-C encrypted
if hasCopyHeaders && !srcIsSSEC {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C copy headers provided but source is not SSE-C encrypted",
}
}
// Validate copy header completeness
if hasCopyHeaders {
if err := validateSSECCopyHeaderCompleteness(headers); err != nil {
return err
}
}
// Validate destination SSE-C headers if present
if hasSSECHeaders {
if err := validateSSECHeaderCompleteness(headers); err != nil {
return err
}
}
return nil
}
// validateSSEKMSCopyRequirements validates SSE-KMS copy requirements
func validateSSEKMSCopyRequirements(srcMetadata map[string][]byte, headers http.Header) error {
dstIsSSEKMS := IsSSEKMSRequest(&http.Request{Header: headers})
// Validate KMS key ID format if provided
if dstIsSSEKMS {
keyID := headers.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId)
if keyID != "" && !isValidKMSKeyID(keyID) {
return &CopyValidationError{
Code: s3err.ErrKMSKeyNotFound,
Message: fmt.Sprintf("Invalid KMS key ID format: %s", keyID),
}
}
}
// Validate encryption context format if provided
if contextHeader := headers.Get(s3_constants.AmzServerSideEncryptionContext); contextHeader != "" {
if !dstIsSSEKMS {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "Encryption context can only be used with SSE-KMS",
}
}
// Validate base64 encoding and JSON format
if err := validateEncryptionContext(contextHeader); err != nil {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: fmt.Sprintf("Invalid encryption context: %v", err),
}
}
}
return nil
}
// validateEncryptionCompatibility validates that encryption methods are not conflicting
func validateEncryptionCompatibility(headers http.Header) error {
hasSSEC := hasSSECHeaders(headers)
hasSSEKMS := headers.Get(s3_constants.AmzServerSideEncryption) == "aws:kms"
hasSSES3 := headers.Get(s3_constants.AmzServerSideEncryption) == "AES256"
// Count how many encryption methods are specified
encryptionCount := 0
if hasSSEC {
encryptionCount++
}
if hasSSEKMS {
encryptionCount++
}
if hasSSES3 {
encryptionCount++
}
// Only one encryption method should be specified
if encryptionCount > 1 {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "Multiple encryption methods specified - only one is allowed",
}
}
return nil
}
// validateSSECCopyHeaderCompleteness validates that all required SSE-C copy headers are present
func validateSSECCopyHeaderCompleteness(headers http.Header) error {
algorithm := headers.Get(s3_constants.AmzCopySourceServerSideEncryptionCustomerAlgorithm)
key := headers.Get(s3_constants.AmzCopySourceServerSideEncryptionCustomerKey)
keyMD5 := headers.Get(s3_constants.AmzCopySourceServerSideEncryptionCustomerKeyMD5)
if algorithm == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C copy customer algorithm header is required",
}
}
if key == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C copy customer key header is required",
}
}
if keyMD5 == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C copy customer key MD5 header is required",
}
}
// Validate algorithm
if algorithm != "AES256" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: fmt.Sprintf("Unsupported SSE-C algorithm: %s", algorithm),
}
}
return nil
}
// validateSSECHeaderCompleteness validates that all required SSE-C headers are present
func validateSSECHeaderCompleteness(headers http.Header) error {
algorithm := headers.Get(s3_constants.AmzServerSideEncryptionCustomerAlgorithm)
key := headers.Get(s3_constants.AmzServerSideEncryptionCustomerKey)
keyMD5 := headers.Get(s3_constants.AmzServerSideEncryptionCustomerKeyMD5)
if algorithm == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C customer algorithm header is required",
}
}
if key == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C customer key header is required",
}
}
if keyMD5 == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "SSE-C customer key MD5 header is required",
}
}
// Validate algorithm
if algorithm != "AES256" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: fmt.Sprintf("Unsupported SSE-C algorithm: %s", algorithm),
}
}
return nil
}
// Helper functions for header detection
func hasSSECCopyHeaders(headers http.Header) bool {
return headers.Get(s3_constants.AmzCopySourceServerSideEncryptionCustomerAlgorithm) != "" ||
headers.Get(s3_constants.AmzCopySourceServerSideEncryptionCustomerKey) != "" ||
headers.Get(s3_constants.AmzCopySourceServerSideEncryptionCustomerKeyMD5) != ""
}
func hasSSECHeaders(headers http.Header) bool {
return headers.Get(s3_constants.AmzServerSideEncryptionCustomerAlgorithm) != "" ||
headers.Get(s3_constants.AmzServerSideEncryptionCustomerKey) != "" ||
headers.Get(s3_constants.AmzServerSideEncryptionCustomerKeyMD5) != ""
}
// validateEncryptionContext validates the encryption context header format
func validateEncryptionContext(contextHeader string) error {
// This would validate base64 encoding and JSON format
// Implementation would decode base64 and parse JSON
// For now, just check it's not empty
if contextHeader == "" {
return fmt.Errorf("encryption context cannot be empty")
}
return nil
}
// ValidateCopySource validates the copy source path and permissions
func ValidateCopySource(copySource string, srcBucket, srcObject string) error {
if copySource == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidCopySource,
Message: "Copy source header is required",
}
}
if srcBucket == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidCopySource,
Message: "Source bucket cannot be empty",
}
}
if srcObject == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidCopySource,
Message: "Source object cannot be empty",
}
}
return nil
}
// ValidateCopyDestination validates the copy destination
func ValidateCopyDestination(dstBucket, dstObject string) error {
if dstBucket == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "Destination bucket cannot be empty",
}
}
if dstObject == "" {
return &CopyValidationError{
Code: s3err.ErrInvalidRequest,
Message: "Destination object cannot be empty",
}
}
return nil
}
// MapCopyValidationError maps validation errors to appropriate S3 error codes
func MapCopyValidationError(err error) s3err.ErrorCode {
if validationErr, ok := err.(*CopyValidationError); ok {
return validationErr.Code
}
return s3err.ErrInvalidRequest
}
|
