mirror of
https://github.com/minio/minio.git
synced 2025-08-08 23:26:57 +02:00
ca6b4773ed
This change adds server-side-encryption support for HEAD, GET and PUT
operations. This PR only addresses single-part PUTs and GETs without
HTTP ranges.
Further this change adds the concept of reserved object metadata which is required
to make encrypted objects tamper-proof and provide API compatibility to AWS S3.
This PR adds the following reserved metadata entries:
- X-Minio-Internal-Server-Side-Encryption-Iv ('guarantees' tamper-proof property)
- X-Minio-Internal-Server-Side-Encryption-Kdf (makes Key-MAC computation negotiable in future)
- X-Minio-Internal-Server-Side-Encryption-Key-Mac (provides AWS S3 API compatibility)
The prefix `X-Minio_Internal` specifies an internal metadata entry which must not
send to clients. All client requests containing a metadata key starting with `X-Minio-Internal`
must also rejected. This is implemented by a generic-handler.
This PR implements SSE-C separated from client-side-encryption (CSE). This cannot decrypt
server-side-encrypted objects on the client-side. However, clients can encrypted the same object
with CSE and SSE-C.
This PR does not address:
- SSE-C Copy and Copy part
- SSE-C GET with HTTP ranges
- SSE-C multipart PUT
- SSE-C Gateway
Each point must be addressed in a separate PR.
Added to vendor dir:
- x/crypto/chacha20poly1305
- x/crypto/poly1305
- github.com/minio/sio
182 lines
4.7 KiB
Go
182 lines
4.7 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"net/http"
|
|
"strconv"
|
|
"testing"
|
|
)
|
|
|
|
// Tests getRedirectLocation function for all its criteria.
|
|
func TestRedirectLocation(t *testing.T) {
|
|
testCases := []struct {
|
|
urlPath string
|
|
location string
|
|
}{
|
|
{
|
|
// 1. When urlPath is '/minio'
|
|
urlPath: minioReservedBucketPath,
|
|
location: minioReservedBucketPath + "/",
|
|
},
|
|
{
|
|
// 2. When urlPath is '/'
|
|
urlPath: "/",
|
|
location: minioReservedBucketPath + "/",
|
|
},
|
|
{
|
|
// 3. When urlPath is '/webrpc'
|
|
urlPath: "/webrpc",
|
|
location: minioReservedBucketPath + "/webrpc",
|
|
},
|
|
{
|
|
// 4. When urlPath is '/login'
|
|
urlPath: "/login",
|
|
location: minioReservedBucketPath + "/login",
|
|
},
|
|
{
|
|
// 5. When urlPath is '/favicon.ico'
|
|
urlPath: "/favicon.ico",
|
|
location: minioReservedBucketPath + "/favicon.ico",
|
|
},
|
|
{
|
|
// 6. When urlPath is '/unknown'
|
|
urlPath: "/unknown",
|
|
location: "",
|
|
},
|
|
}
|
|
|
|
// Validate all conditions.
|
|
for i, testCase := range testCases {
|
|
loc := getRedirectLocation(testCase.urlPath)
|
|
if testCase.location != loc {
|
|
t.Errorf("Test %d: Unexpected location expected %s, got %s", i+1, testCase.location, loc)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Tests request guess function for net/rpc requests.
|
|
func TestGuessIsRPC(t *testing.T) {
|
|
if guessIsRPCReq(nil) {
|
|
t.Fatal("Unexpected return for nil request")
|
|
}
|
|
r := &http.Request{
|
|
Proto: "HTTP/1.0",
|
|
Method: http.MethodConnect,
|
|
}
|
|
if !guessIsRPCReq(r) {
|
|
t.Fatal("Test shouldn't fail for a possible net/rpc request.")
|
|
}
|
|
r = &http.Request{
|
|
Proto: "HTTP/1.1",
|
|
Method: http.MethodGet,
|
|
}
|
|
if guessIsRPCReq(r) {
|
|
t.Fatal("Test shouldn't report as net/rpc for a non net/rpc request.")
|
|
}
|
|
}
|
|
|
|
// Tests browser request guess function.
|
|
func TestGuessIsBrowser(t *testing.T) {
|
|
if guessIsBrowserReq(nil) {
|
|
t.Fatal("Unexpected return for nil request")
|
|
}
|
|
r := &http.Request{
|
|
Header: http.Header{},
|
|
}
|
|
r.Header.Set("User-Agent", "Mozilla")
|
|
if !guessIsBrowserReq(r) {
|
|
t.Fatal("Test shouldn't fail for a possible browser request.")
|
|
}
|
|
r = &http.Request{
|
|
Header: http.Header{},
|
|
}
|
|
r.Header.Set("User-Agent", "mc")
|
|
if guessIsBrowserReq(r) {
|
|
t.Fatal("Test shouldn't report as browser for a non browser request.")
|
|
}
|
|
}
|
|
|
|
var isHTTPHeaderSizeTooLargeTests = []struct {
|
|
header http.Header
|
|
shouldFail bool
|
|
}{
|
|
{header: generateHeader(0, 0), shouldFail: false},
|
|
{header: generateHeader(1024, 0), shouldFail: false},
|
|
{header: generateHeader(2048, 0), shouldFail: false},
|
|
{header: generateHeader(8*1024+1, 0), shouldFail: true},
|
|
{header: generateHeader(0, 1024), shouldFail: false},
|
|
{header: generateHeader(0, 2048), shouldFail: true},
|
|
{header: generateHeader(0, 2048+1), shouldFail: true},
|
|
}
|
|
|
|
func generateHeader(size, usersize int) http.Header {
|
|
header := http.Header{}
|
|
for i := 0; i < size; i++ {
|
|
header.Add(strconv.Itoa(i), "")
|
|
}
|
|
userlength := 0
|
|
for i := 0; userlength < usersize; i++ {
|
|
userlength += len(userMetadataKeyPrefixes[0] + strconv.Itoa(i))
|
|
header.Add(userMetadataKeyPrefixes[0]+strconv.Itoa(i), "")
|
|
}
|
|
return header
|
|
}
|
|
|
|
func TestIsHTTPHeaderSizeTooLarge(t *testing.T) {
|
|
for i, test := range isHTTPHeaderSizeTooLargeTests {
|
|
if res := isHTTPHeaderSizeTooLarge(test.header); res != test.shouldFail {
|
|
t.Errorf("Test %d: Expected %v got %v", i, res, test.shouldFail)
|
|
}
|
|
}
|
|
}
|
|
|
|
var containsReservedMetadataTests = []struct {
|
|
header http.Header
|
|
shouldFail bool
|
|
}{
|
|
{
|
|
header: http.Header{"X-Minio-Key": []string{"value"}},
|
|
},
|
|
{
|
|
header: http.Header{ServerSideEncryptionIV: []string{"iv"}},
|
|
shouldFail: true,
|
|
},
|
|
{
|
|
header: http.Header{ServerSideEncryptionKDF: []string{SSEKeyDerivationHmacSha256}},
|
|
shouldFail: true,
|
|
},
|
|
{
|
|
header: http.Header{ServerSideEncryptionKeyMAC: []string{"mac"}},
|
|
shouldFail: true,
|
|
},
|
|
{
|
|
header: http.Header{ReservedMetadataPrefix + "Key": []string{"value"}},
|
|
shouldFail: true,
|
|
},
|
|
}
|
|
|
|
func TestContainsReservedMetadata(t *testing.T) {
|
|
for i, test := range containsReservedMetadataTests {
|
|
if contains := containsReservedMetadata(test.header); contains && !test.shouldFail {
|
|
t.Errorf("Test %d: contains reserved header but should not fail", i)
|
|
} else if !contains && test.shouldFail {
|
|
t.Errorf("Test %d: does not contain reserved header but failed", i)
|
|
}
|
|
}
|
|
}
|