ca6b4773ed
This change adds server-side-encryption support for HEAD, GET and PUT
operations. This PR only addresses single-part PUTs and GETs without
HTTP ranges.
Further this change adds the concept of reserved object metadata which is required
to make encrypted objects tamper-proof and provide API compatibility to AWS S3.
This PR adds the following reserved metadata entries:
- X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property)
- X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future)
- X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility)
The prefix `X-Minio_Internal` specifies an internal metadata entry which must not
send to clients. All client requests containing a metadata key starting with `X-Minio-Internal`
must also rejected. This is implemented by a generic-handler.
This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt
server-side-encrypted objects on the client-side. However, clients can encrypted the same object
with CSE and SSE-C.
This PR does not address:
- SSE-C Copy and Copy part
- SSE-C GET with HTTP ranges
- SSE-C multipart PUT
- SSE-C Gateway
Each point must be addressed in a separate PR.
Added to vendor dir:
- x/crypto/chacha20poly1305
- x/crypto/poly1305
- github.com/minio/sio
74 lines
2.8 KiB
Go
74 lines
2.8 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/minio/minio/pkg/hash"
|
|
)
|
|
|
|
var toAPIErrorCodeTests = []struct {
|
|
err error
|
|
errCode APIErrorCode
|
|
}{
|
|
{err: hash.BadDigest{}, errCode: ErrBadDigest},
|
|
{err: hash.SHA256Mismatch{}, errCode: ErrContentSHA256Mismatch},
|
|
{err: IncompleteBody{}, errCode: ErrIncompleteBody},
|
|
{err: ObjectExistsAsDirectory{}, errCode: ErrObjectExistsAsDirectory},
|
|
{err: BucketNameInvalid{}, errCode: ErrInvalidBucketName},
|
|
{err: BucketExists{}, errCode: ErrBucketAlreadyOwnedByYou},
|
|
{err: ObjectNotFound{}, errCode: ErrNoSuchKey},
|
|
{err: ObjectNameInvalid{}, errCode: ErrInvalidObjectName},
|
|
{err: InvalidUploadID{}, errCode: ErrNoSuchUpload},
|
|
{err: InvalidPart{}, errCode: ErrInvalidPart},
|
|
{err: InsufficientReadQuorum{}, errCode: ErrReadQuorum},
|
|
{err: InsufficientWriteQuorum{}, errCode: ErrWriteQuorum},
|
|
{err: UnsupportedDelimiter{}, errCode: ErrNotImplemented},
|
|
{err: InvalidMarkerPrefixCombination{}, errCode: ErrNotImplemented},
|
|
{err: InvalidUploadIDKeyCombination{}, errCode: ErrNotImplemented},
|
|
{err: MalformedUploadID{}, errCode: ErrNoSuchUpload},
|
|
{err: PartTooSmall{}, errCode: ErrEntityTooSmall},
|
|
{err: BucketNotEmpty{}, errCode: ErrBucketNotEmpty},
|
|
{err: BucketNotFound{}, errCode: ErrNoSuchBucket},
|
|
{err: StorageFull{}, errCode: ErrStorageFull},
|
|
{err: NotImplemented{}, errCode: ErrNotImplemented},
|
|
{err: errSignatureMismatch, errCode: ErrSignatureDoesNotMatch},
|
|
|
|
// SSE-C errors
|
|
{err: errInsecureSSERequest, errCode: ErrInsecureSSECustomerRequest},
|
|
{err: errInvalidSSEAlgorithm, errCode: ErrInvalidSSECustomerAlgorithm},
|
|
{err: errMissingSSEKey, errCode: ErrMissingSSECustomerKey},
|
|
{err: errInvalidSSEKey, errCode: ErrInvalidSSECustomerKey},
|
|
{err: errMissingSSEKeyMD5, errCode: ErrMissingSSECustomerKeyMD5},
|
|
{err: errSSEKeyMD5Mismatch, errCode: ErrSSECustomerKeyMD5Mismatch},
|
|
{err: errObjectTampered, errCode: ErrObjectTampered},
|
|
|
|
{err: nil, errCode: ErrNone},
|
|
{err: errors.New("Custom error"), errCode: ErrInternalError}, // Case where err type is unknown.
|
|
}
|
|
|
|
func TestAPIErrCode(t *testing.T) {
|
|
for i, testCase := range toAPIErrorCodeTests {
|
|
errCode := toAPIErrorCode(testCase.err)
|
|
if errCode != testCase.errCode {
|
|
t.Errorf("Test %d: Expected error code %d, got %d", i+1, testCase.errCode, errCode)
|
|
}
|
|
}
|
|
}
|