oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Omit empty algorithm tags in bucket encryption XML (#8987)

Browse Source 
- Bucket encryption config returned by MinIO would always have the xml namespace
set
- Make unit tests in pkg/bucket/encryption more robust
master
Krishnan Parthasarathi 5 years ago committed by GitHub
parent 716a52f261
commit 9f298d2311
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 77 additions and 88 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 12
      pkg/bucket/encryption/bucket-sse-config.go
  2. 153
      pkg/bucket/encryption/bucket-sse-config_test.go

12
pkg/bucket/encryption/bucket-sse-config.go
Unescape View File

@ -58,8 +58,8 @@ func (alg *SSEAlgorithm) MarshalXML(e *xml.Encoder, start xml.StartElement) erro
// EncryptionAction - for ApplyServerSideEncryptionByDefault XML tag // EncryptionAction - for ApplyServerSideEncryptionByDefault XML tag
type EncryptionAction struct { type EncryptionAction struct {
Algorithm SSEAlgorithm `xml:"SSEAlgorithm"` Algorithm SSEAlgorithm `xml:"SSEAlgorithm,omitempty"`
MasterKeyID string `xml:"KMSMasterKeyID"` MasterKeyID string `xml:"KMSMasterKeyID,omitempty"`
} }
// SSERule - for ServerSideEncryptionConfiguration XML tag // SSERule - for ServerSideEncryptionConfiguration XML tag
@ -67,8 +67,11 @@ type SSERule struct {
DefaultEncryptionAction EncryptionAction `xml:"ApplyServerSideEncryptionByDefault"` DefaultEncryptionAction EncryptionAction `xml:"ApplyServerSideEncryptionByDefault"`
} }
const xmlNS = "http://s3.amazonaws.com/doc/2006-03-01/"
// BucketSSEConfig - represents default bucket encryption configuration // BucketSSEConfig - represents default bucket encryption configuration
type BucketSSEConfig struct { type BucketSSEConfig struct {
XMLNS string `xml:"xmlns,attr,omitempty"`
XMLName xml.Name `xml:"ServerSideEncryptionConfiguration"` XMLName xml.Name `xml:"ServerSideEncryptionConfiguration"`
Rules []SSERule `xml:"Rule"` Rules []SSERule `xml:"Rule"`
} }
@ -99,5 +102,10 @@ func ParseBucketSSEConfig(r io.Reader) (*BucketSSEConfig, error) {
} }
} }
} }
if config.XMLNS == "" {
config.XMLNS = xmlNS
}
return &config, nil return &config, nil
} }

153
pkg/bucket/encryption/bucket-sse-config_test.go
Unescape View File

@ -25,114 +25,98 @@ import (
// TestParseBucketSSEConfig performs basic sanity tests on ParseBucketSSEConfig // TestParseBucketSSEConfig performs basic sanity tests on ParseBucketSSEConfig
func TestParseBucketSSEConfig(t *testing.T) { func TestParseBucketSSEConfig(t *testing.T) {
actualAES256NoNSConfig := &BucketSSEConfig{
XMLName: xml.Name{
Local: "ServerSideEncryptionConfiguration",
},
Rules: []SSERule{
{
DefaultEncryptionAction: EncryptionAction{
Algorithm: AES256,
},
},
},
}
actualAES256Config := &BucketSSEConfig{
XMLNS: xmlNS,
XMLName: xml.Name{
Local: "ServerSideEncryptionConfiguration",
},
Rules: []SSERule{
{
DefaultEncryptionAction: EncryptionAction{
Algorithm: AES256,
},
},
},
}
actualKMSConfig := &BucketSSEConfig{
XMLNS: xmlNS,
XMLName: xml.Name{
Local: "ServerSideEncryptionConfiguration",
},
Rules: []SSERule{
{
DefaultEncryptionAction: EncryptionAction{
Algorithm: AWSKms,
MasterKeyID: "arn:aws:kms:us-east-1:1234/5678example",
},
},
},
}
testCases := []struct { testCases := []struct {
inputXML string inputXML string
expectedErr error expectedErr error
shouldPass bool shouldPass bool
expectedConfig *BucketSSEConfig
}{ }{
// 1. Valid XML SSE-S3 // 1. Valid XML SSE-S3
{ {
inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>AES256</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule> expectedErr: nil,
<ApplyServerSideEncryptionByDefault> shouldPass: true,
<SSEAlgorithm>AES256</SSEAlgorithm> expectedConfig: actualAES256Config,
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: nil,
shouldPass: true,
}, },
// 2. Valid XML SSE-KMS // 2. Valid XML SSE-KMS
{ {
inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>aws:kms</SSEAlgorithm><KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule> expectedErr: nil,
<ApplyServerSideEncryptionByDefault> shouldPass: true,
<SSEAlgorithm>aws:kms</SSEAlgorithm> expectedConfig: actualKMSConfig,
<KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: nil,
shouldPass: true,
}, },
// 3. Invalid - more than one rule // 3. Invalid - more than one rule
{ {
inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>AES256</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>AES256</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>AES256</SSEAlgorithm>
</ApplyServerSideEncryptionByDefault>
</Rule>
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>AES256</SSEAlgorithm>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: errors.New("Only one server-side encryption rule is allowed"), expectedErr: errors.New("Only one server-side encryption rule is allowed"),
shouldPass: false, shouldPass: false,
}, },
// 4. Invalid XML - master key ID present in AES256 // 4. Invalid XML - master key ID present along with AES256
{ {
inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>AES256</SSEAlgorithm><KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>AES256</SSEAlgorithm>
<KMSMasterKeyID>arn:aws:kms:us-east-1:1234/5678example</KMSMasterKeyID>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: errors.New("MasterKeyID is allowed with aws:kms only"), expectedErr: errors.New("MasterKeyID is allowed with aws:kms only"),
shouldPass: false, shouldPass: false,
}, },
// 5. Invalid XML - master key ID not found in aws:kms algorithm // 5. Invalid XML - master key ID not provided when algorithm is set to aws:kms algorithm
{ {
inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>aws:kms</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>aws:kms</SSEAlgorithm>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: errors.New("MasterKeyID is missing"), expectedErr: errors.New("MasterKeyID is missing"),
shouldPass: false, shouldPass: false,
}, },
// 6. Invalid Algorithm // 6. Invalid Algorithm
{ {
inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> inputXML: `<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>InvalidAlgorithm</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule>
<ApplyServerSideEncryptionByDefault>
<SSEAlgorithm>InvalidAlgorithm</SSEAlgorithm>
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: errors.New("Unknown SSE algorithm"), expectedErr: errors.New("Unknown SSE algorithm"),
shouldPass: false, shouldPass: false,
}, },
// 7. Allow missing namespace // 7. Valid XML without the namespace set
{ {
inputXML: `<ServerSideEncryptionConfiguration> inputXML: `<ServerSideEncryptionConfiguration><Rule><ApplyServerSideEncryptionByDefault><SSEAlgorithm>AES256</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>`,
<Rule> expectedErr: nil,
<ApplyServerSideEncryptionByDefault> shouldPass: true,
<SSEAlgorithm>AES256</SSEAlgorithm> expectedConfig: actualAES256NoNSConfig,
</ApplyServerSideEncryptionByDefault>
</Rule>
</ServerSideEncryptionConfiguration>`,
expectedErr: nil,
shouldPass: true,
},
}
actualConfig := &BucketSSEConfig{
XMLName: xml.Name{
Local: "ServerSideEncryptionConfiguration",
},
Rules: []SSERule{
{
DefaultEncryptionAction: EncryptionAction{
Algorithm: AES256,
},
},
}, },
} }
@ -146,14 +130,11 @@ func TestParseBucketSSEConfig(t *testing.T) {
if err == nil || err != nil && err.Error() != tc.expectedErr.Error() { if err == nil || err != nil && err.Error() != tc.expectedErr.Error() {
t.Fatalf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err) t.Fatalf("Test case %d: Expected %s but got %s", i+1, tc.expectedErr, err)
} }
}
if !tc.shouldPass {
continue continue
} }
if actualXML, err := xml.Marshal(actualConfig); err != nil && bytes.Equal(actualXML, []byte(tc.inputXML)) { if expectedXML, err := xml.Marshal(tc.expectedConfig); err != nil || !bytes.Equal(expectedXML, []byte(tc.inputXML)) {
t.Fatalf("Test case %d: Expected config %s but got %s", i+1, string(actualXML), tc.inputXML) t.Fatalf("Test case %d: Expected bucket encryption XML %s but got %s", i+1, string(expectedXML), tc.inputXML)
} }
} }
} }

Write Preview
Loading…
Cancel
Save