minio/cmd/bucket-encryption-handlers.go

/*
 * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package cmd

import (
	"encoding/xml"
	"io"
	"net/http"

	"github.com/gorilla/mux"
	xhttp "github.com/minio/minio/cmd/http"
	"github.com/minio/minio/cmd/logger"
	bucketsse "github.com/minio/minio/pkg/bucket/encryption"
	"github.com/minio/minio/pkg/bucket/policy"
)

const (
	// Bucket Encryption configuration file name.
	bucketSSEConfig = "bucket-encryption.xml"
)

// PutBucketEncryptionHandler - Stores given bucket encryption configuration
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
func (api objectAPIHandlers) PutBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "PutBucketEncryption")

	defer logger.AuditLog(w, r, "PutBucketEncryption", mustGetClaimsFromToken(r))

	objAPI := api.ObjectAPI()
	if objAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
		return
	}

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	// PutBucketEncyrption API requires Content-Md5
	if _, ok := r.Header[xhttp.ContentMD5]; !ok {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentMD5), r.URL, guessIsBrowserReq(r))
		return
	}

	if s3Error := checkRequestAuthType(ctx, r, policy.PutBucketEncryptionAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
		return
	}

	// Check if bucket exists.
	if _, err := objAPI.GetBucketInfo(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	// Parse bucket encryption xml
	encConfig, err := validateBucketSSEConfig(io.LimitReader(r.Body, maxBucketSSEConfigSize))
	if err != nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedXML), r.URL, guessIsBrowserReq(r))
		return
	}

	// Return error if KMS is not initialized
	if GlobalKMS == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL, guessIsBrowserReq(r))
		return
	}

	// Store the bucket encryption configuration in the object layer
	if err = objAPI.SetBucketSSEConfig(ctx, bucket, encConfig); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	// Update the in-memory bucket encryption cache
	globalBucketSSEConfigSys.Set(bucket, *encConfig)

	// Update peer MinIO servers of the updated bucket encryption config
	globalNotificationSys.SetBucketSSEConfig(ctx, bucket, encConfig)

	writeSuccessResponseHeadersOnly(w)
}

// GetBucketEncryptionHandler - Returns bucket policy configuration
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
func (api objectAPIHandlers) GetBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "GetBucketEncryption")

	defer logger.AuditLog(w, r, "GetBucketEncryption", mustGetClaimsFromToken(r))

	objAPI := api.ObjectAPI()
	if objAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
		return
	}

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	if s3Error := checkRequestAuthType(ctx, r, policy.GetBucketEncryptionAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
		return
	}

	// Check if bucket exists
	var err error
	if _, err = objAPI.GetBucketInfo(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	// Fetch bucket encryption configuration from object layer
	var encConfig *bucketsse.BucketSSEConfig
	if encConfig, err = objAPI.GetBucketSSEConfig(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	var encConfigData []byte
	if encConfigData, err = xml.Marshal(encConfig); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	// Write bucket encryption configuration to client
	writeSuccessResponseXML(w, encConfigData)
}

// DeleteBucketEncryptionHandler - Removes bucket encryption configuration
func (api objectAPIHandlers) DeleteBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "DeleteBucketEncryption")

	defer logger.AuditLog(w, r, "DeleteBucketEncryption", mustGetClaimsFromToken(r))

	objAPI := api.ObjectAPI()
	if objAPI == nil {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))
		return
	}

	vars := mux.Vars(r)
	bucket := vars["bucket"]

	if s3Error := checkRequestAuthType(ctx, r, policy.PutBucketEncryptionAction, bucket, ""); s3Error != ErrNone {
		writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))
		return
	}

	// Check if bucket exists
	var err error
	if _, err = objAPI.GetBucketInfo(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	// Delete bucket encryption config from object layer
	if err = objAPI.DeleteBucketSSEConfig(ctx, bucket); err != nil {
		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
		return
	}

	// Remove entry from the in-memory bucket encryption cache
	globalBucketSSEConfigSys.Remove(bucket)
	// Update peer MinIO servers of the updated bucket encryption config
	globalNotificationSys.RemoveBucketSSEConfig(ctx, bucket)

	writeSuccessNoContent(w)
}
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 17:42:34 +08:00			`/*`
			`* MinIO Cloud Storage, (C) 2020 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package cmd`

			`import (`
			`"encoding/xml"`
			`"io"`
			`"net/http"`

			`"github.com/gorilla/mux"`
acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs 2020-02-16 14:07:52 +08:00			`xhttp "github.com/minio/minio/cmd/http"`
Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 17:42:34 +08:00			`"github.com/minio/minio/cmd/logger"`
			`bucketsse "github.com/minio/minio/pkg/bucket/encryption"`
			`"github.com/minio/minio/pkg/bucket/policy"`
			`)`

			`const (`
			`// Bucket Encryption configuration file name.`
			`bucketSSEConfig = "bucket-encryption.xml"`
			`)`

			`// PutBucketEncryptionHandler - Stores given bucket encryption configuration`
			`// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html`
			`func (api objectAPIHandlers) PutBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {`
			`ctx := newContext(r, w, "PutBucketEncryption")`

			`defer logger.AuditLog(w, r, "PutBucketEncryption", mustGetClaimsFromToken(r))`

			`objAPI := api.ObjectAPI()`
			`if objAPI == nil {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`vars := mux.Vars(r)`
			`bucket := vars["bucket"]`

acl: Support PUT calls with success for 'private' ACL's (#9000) Add dummy calls which respond success when ACL's are set to be private and fails, if user tries to change them from their default 'private' Some applications such as nuxeo may have an unnecessary requirement for this operation, we support this anyways such that don't have to fully implement the functionality just that we can respond with success for default ACLs 2020-02-16 14:07:52 +08:00			`// PutBucketEncyrption API requires Content-Md5`
			`if _, ok := r.Header[xhttp.ContentMD5]; !ok {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMissingContentMD5), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

Add support for bucket encryption feature (#8890) - pkg/bucket/encryption provides support for handling bucket encryption configuration - changes under cmd/ provide support for AES256 algorithm only Co-Authored-By: Poorna <poornas@users.noreply.github.com> Co-authored-by: Harshavardhana <harsha@minio.io> 2020-02-05 17:42:34 +08:00			`if s3Error := checkRequestAuthType(ctx, r, policy.PutBucketEncryptionAction, bucket, ""); s3Error != ErrNone {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Check if bucket exists.`
			`if _, err := objAPI.GetBucketInfo(ctx, bucket); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Parse bucket encryption xml`
			`encConfig, err := validateBucketSSEConfig(io.LimitReader(r.Body, maxBucketSSEConfigSize))`
			`if err != nil {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMalformedXML), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Return error if KMS is not initialized`
			`if GlobalKMS == nil {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrKMSNotConfigured), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Store the bucket encryption configuration in the object layer`
			`if err = objAPI.SetBucketSSEConfig(ctx, bucket, encConfig); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Update the in-memory bucket encryption cache`
			`globalBucketSSEConfigSys.Set(bucket, *encConfig)`

			`// Update peer MinIO servers of the updated bucket encryption config`
			`globalNotificationSys.SetBucketSSEConfig(ctx, bucket, encConfig)`

			`writeSuccessResponseHeadersOnly(w)`
			`}`

			`// GetBucketEncryptionHandler - Returns bucket policy configuration`
			`// https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html`
			`func (api objectAPIHandlers) GetBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {`
			`ctx := newContext(r, w, "GetBucketEncryption")`

			`defer logger.AuditLog(w, r, "GetBucketEncryption", mustGetClaimsFromToken(r))`

			`objAPI := api.ObjectAPI()`
			`if objAPI == nil {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`vars := mux.Vars(r)`
			`bucket := vars["bucket"]`

			`if s3Error := checkRequestAuthType(ctx, r, policy.GetBucketEncryptionAction, bucket, ""); s3Error != ErrNone {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Check if bucket exists`
			`var err error`
			`if _, err = objAPI.GetBucketInfo(ctx, bucket); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Fetch bucket encryption configuration from object layer`
			`var encConfig *bucketsse.BucketSSEConfig`
			`if encConfig, err = objAPI.GetBucketSSEConfig(ctx, bucket); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`var encConfigData []byte`
			`if encConfigData, err = xml.Marshal(encConfig); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Write bucket encryption configuration to client`
			`writeSuccessResponseXML(w, encConfigData)`
			`}`

			`// DeleteBucketEncryptionHandler - Removes bucket encryption configuration`
			`func (api objectAPIHandlers) DeleteBucketEncryptionHandler(w http.ResponseWriter, r *http.Request) {`
			`ctx := newContext(r, w, "DeleteBucketEncryption")`

			`defer logger.AuditLog(w, r, "DeleteBucketEncryption", mustGetClaimsFromToken(r))`

			`objAPI := api.ObjectAPI()`
			`if objAPI == nil {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`vars := mux.Vars(r)`
			`bucket := vars["bucket"]`

			`if s3Error := checkRequestAuthType(ctx, r, policy.PutBucketEncryptionAction, bucket, ""); s3Error != ErrNone {`
			`writeErrorResponse(ctx, w, errorCodes.ToAPIErr(s3Error), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Check if bucket exists`
			`var err error`
			`if _, err = objAPI.GetBucketInfo(ctx, bucket); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Delete bucket encryption config from object layer`
			`if err = objAPI.DeleteBucketSSEConfig(ctx, bucket); err != nil {`
			`writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))`
			`return`
			`}`

			`// Remove entry from the in-memory bucket encryption cache`
			`globalBucketSSEConfigSys.Remove(bucket)`
			`// Update peer MinIO servers of the updated bucket encryption config`
			`globalNotificationSys.RemoveBucketSSEConfig(ctx, bucket)`

			`writeSuccessNoContent(w)`
			`}`