oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

webhandler - display encryption errors properly (#6339)

Browse Source 
For encrypted objects, download errors need to be
displayed in web response format instead of xml format.

Fixes #6327
master
poornas 6 years ago committed by kannappanr
parent 01721a840a
commit d547873b17
4 changed files with 32 additions and 27 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 19
      cmd/encryption-v1.go
  2. 16
      cmd/encryption-v1_test.go
  3. 10
      cmd/object-handlers.go
  4. 14
      cmd/web-handlers.go

19
cmd/encryption-v1.go
Unescape View File

@ -43,6 +43,8 @@ var (
errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object") errKMSNotConfigured = errors.New("KMS not configured for a server side encrypted object")
// Additional Minio errors for SSE-C requests. // Additional Minio errors for SSE-C requests.
errObjectTampered = errors.New("The requested object was modified and may be compromised") errObjectTampered = errors.New("The requested object was modified and may be compromised")
// error returned when invalid encryption parameters are specified
errInvalidEncryptionParameters = errors.New("The encryption parameters are not applicable to this object")
) )
const ( const (
@ -714,28 +716,25 @@ func DecryptCopyObjectInfo(info *ObjectInfo, headers http.Header) (apiErr APIErr
// decryption succeeded. // decryption succeeded.
// //
// DecryptObjectInfo also returns whether the object is encrypted or not. // DecryptObjectInfo also returns whether the object is encrypted or not.
func DecryptObjectInfo(info *ObjectInfo, headers http.Header) (apiErr APIErrorCode, encrypted bool) { func DecryptObjectInfo(info *ObjectInfo, headers http.Header) (encrypted bool, err error) {
// Directories are never encrypted. // Directories are never encrypted.
if info.IsDir { if info.IsDir {
return ErrNone, false return false, nil
} }
// disallow X-Amz-Server-Side-Encryption header on HEAD and GET // disallow X-Amz-Server-Side-Encryption header on HEAD and GET
if crypto.S3.IsRequested(headers) { if crypto.S3.IsRequested(headers) {
apiErr = ErrInvalidEncryptionParameters err = errInvalidEncryptionParameters
return return
} }
if apiErr, encrypted = ErrNone, crypto.IsEncrypted(info.UserDefined); !encrypted && crypto.SSEC.IsRequested(headers) { if err, encrypted = nil, crypto.IsEncrypted(info.UserDefined); !encrypted && crypto.SSEC.IsRequested(headers) {
apiErr = ErrInvalidEncryptionParameters err = errInvalidEncryptionParameters
} else if encrypted { } else if encrypted {
if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) || if (crypto.SSEC.IsEncrypted(info.UserDefined) && !crypto.SSEC.IsRequested(headers)) ||
(crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) { (crypto.S3.IsEncrypted(info.UserDefined) && crypto.SSEC.IsRequested(headers)) {
apiErr = ErrSSEEncryptedObject err = errEncryptedObject
return return
} }
var err error info.Size, err = info.DecryptedSize()
if info.Size, err = info.DecryptedSize(); err != nil {
apiErr = toAPIErrorCode(err)
}
} }
return return
} }

16
cmd/encryption-v1_test.go
Unescape View File

@ -521,43 +521,43 @@ func TestDecryptRequest(t *testing.T) {
var decryptObjectInfoTests = []struct { var decryptObjectInfoTests = []struct {
info ObjectInfo info ObjectInfo
headers http.Header headers http.Header
expErr APIErrorCode expErr error
}{ }{
{ {
info: ObjectInfo{Size: 100}, info: ObjectInfo{Size: 100},
headers: http.Header{}, headers: http.Header{},
expErr: ErrNone, expErr: nil,
}, },
{ {
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}}, info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrNone, expErr: nil,
}, },
{ {
info: ObjectInfo{Size: 0, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}}, info: ObjectInfo{Size: 0, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrNone, expErr: nil,
}, },
{ {
info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA=="}}, info: ObjectInfo{Size: 100, UserDefined: map[string]string{crypto.SSECSealedKey: "EAAfAAAAAAD7v1hQq3PFRUHsItalxmrJqrOq6FwnbXNarxOOpb8jTWONPPKyM3Gfjkjyj6NCf+aB/VpHCLCTBA=="}},
headers: http.Header{}, headers: http.Header{},
expErr: ErrSSEEncryptedObject, expErr: errEncryptedObject,
}, },
{ {
info: ObjectInfo{Size: 100, UserDefined: map[string]string{}}, info: ObjectInfo{Size: 100, UserDefined: map[string]string{}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrInvalidEncryptionParameters, expErr: errInvalidEncryptionParameters,
}, },
{ {
info: ObjectInfo{Size: 31, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}}, info: ObjectInfo{Size: 31, UserDefined: map[string]string{crypto.SSESealAlgorithm: SSESealAlgorithmDareSha256}},
headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}}, headers: http.Header{crypto.SSECAlgorithm: []string{crypto.SSEAlgorithmAES256}},
expErr: ErrObjectTampered, expErr: errObjectTampered,
}, },
} }
func TestDecryptObjectInfo(t *testing.T) { func TestDecryptObjectInfo(t *testing.T) {
for i, test := range decryptObjectInfoTests { for i, test := range decryptObjectInfoTests {
if err, encrypted := DecryptObjectInfo(&test.info, test.headers); err != test.expErr { if encrypted, err := DecryptObjectInfo(&test.info, test.headers); err != test.expErr {
t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr) t.Errorf("Test %d: Decryption returned wrong error code: got %d , want %d", i, err, test.expErr)
} else if enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted { } else if enc := crypto.IsEncrypted(test.info.UserDefined); encrypted && enc != encrypted {
t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i) t.Errorf("Test %d: Decryption thinks object is encrypted but it is not", i)

10
cmd/object-handlers.go
Unescape View File

@ -306,8 +306,8 @@ func (api objectAPIHandlers) GetObjectHandler(w http.ResponseWriter, r *http.Req
} }
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, _ := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone { if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeErrorResponse(w, toAPIErrorCode(err), r.URL)
return return
} }
} }
@ -468,10 +468,10 @@ func (api objectAPIHandlers) HeadObjectHandler(w http.ResponseWriter, r *http.Re
writeErrorResponseHeadersOnly(w, toAPIErrorCode(err)) writeErrorResponseHeadersOnly(w, toAPIErrorCode(err))
return return
} }
var encrypted bool
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, encrypted := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone { if encrypted, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeErrorResponse(w, toAPIErrorCode(err), r.URL)
return return
} else if encrypted { } else if encrypted {
s3Encrypted := crypto.S3.IsEncrypted(objInfo.UserDefined) s3Encrypted := crypto.S3.IsEncrypted(objInfo.UserDefined)

14
cmd/web-handlers.go
Unescape View File

@ -715,8 +715,8 @@ func (web *webAPIHandlers) Download(w http.ResponseWriter, r *http.Request) {
} }
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, _ := DecryptObjectInfo(&objInfo, r.Header); apiErr != ErrNone { if _, err = DecryptObjectInfo(&objInfo, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeWebErrorResponse(w, err)
return return
} }
} }
@ -818,8 +818,8 @@ func (web *webAPIHandlers) DownloadZip(w http.ResponseWriter, r *http.Request) {
return err return err
} }
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
if apiErr, _ := DecryptObjectInfo(&info, r.Header); apiErr != ErrNone { if _, err = DecryptObjectInfo(&info, r.Header); err != nil {
writeErrorResponse(w, apiErr, r.URL) writeWebErrorResponse(w, err)
return err return err
} }
} }
@ -1235,6 +1235,12 @@ func toWebAPIError(err error) APIError {
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
Description: err.Error(), Description: err.Error(),
} }
} else if err == errEncryptedObject {
return getAPIError(ErrSSEEncryptedObject)
} else if err == errInvalidEncryptionParameters {
return getAPIError(ErrInvalidEncryptionParameters)
} else if err == errObjectTampered {
return getAPIError(ErrObjectTampered)
} else if err == errMethodNotAllowed { } else if err == errMethodNotAllowed {
return getAPIError(ErrMethodNotAllowed) return getAPIError(ErrMethodNotAllowed)
} }

Write Preview
Loading…
Cancel
Save