int rgw_s3_prepare_decrypt(req_state* s, optional_yield y,
map<string, bufferlist>& attrs,
std::unique_ptr<BlockCrypt>* block_crypt,
- std::map<std::string, std::string>& crypt_http_responses)
+ std::map<std::string, std::string>* crypt_http_responses)
{
const bool copy_source = s->src_object != nullptr;
aes->set_key(reinterpret_cast<const uint8_t*>(key_bin.c_str()), AES_256_CBC::AES_256_KEYSIZE);
if (block_crypt) *block_crypt = std::move(aes);
- crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256";
- crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = keymd5;
+ if (crypt_http_responses) {
+ crypt_http_responses->emplace("x-amz-server-side-encryption-customer-algorithm", "AES256");
+ crypt_http_responses->emplace("x-amz-server-side-encryption-customer-key-MD5", keymd5);
+ }
+
return 0;
}
actual_key.replace(0, actual_key.length(), actual_key.length(), '\000');
if (block_crypt) *block_crypt = std::move(aes);
- crypt_http_responses["x-amz-server-side-encryption"] = "aws:kms";
- crypt_http_responses["x-amz-server-side-encryption-aws-kms-key-id"] = key_id;
+ if (crypt_http_responses) {
+ crypt_http_responses->emplace("x-amz-server-side-encryption", "aws:kms");
+ crypt_http_responses->emplace("x-amz-server-side-encryption-aws-kms-key-id", key_id);
+ }
+
return 0;
}
actual_key.replace(0, actual_key.length(), actual_key.length(), '\000');
if (block_crypt) *block_crypt = std::move(aes);
- crypt_http_responses["x-amz-server-side-encryption"] = "AES256";
+ if (crypt_http_responses) {
+ crypt_http_responses->emplace("x-amz-server-side-encryption", "AES256");
+ }
+
return 0;
}
std::map<std::string, ceph::bufferlist>& attrs,
std::unique_ptr<BlockCrypt>* block_crypt,
std::map<std::string,
- std::string>& crypt_http_responses);
+ std::string>* crypt_http_responses);
static inline void set_attr(std::map<std::string, bufferlist>& attrs,
const char* key,
JSONDecoder::decode_json("path", path, obj);
JSONDecoder::decode_json("etag", etag, obj);
JSONDecoder::decode_json("size_bytes", size_bytes, obj);
-};
+}
+
+int get_decrypt_filter(
+ std::unique_ptr<RGWGetObj_Filter>* filter,
+ RGWGetObj_Filter* cb,
+ req_state* s,
+ std::map<std::string, bufferlist>& attrs,
+ bufferlist* manifest_bl,
+ std::map<std::string, std::string>* crypt_http_responses)
+{
+ std::unique_ptr<BlockCrypt> block_crypt;
+ int res = rgw_s3_prepare_decrypt(s, s->yield, attrs, &block_crypt,
+ crypt_http_responses);
+ if (res < 0) {
+ return res;
+ }
+ if (block_crypt == nullptr) {
+ return 0;
+ }
+
+ // in case of a multipart upload, we need to know the part lengths to
+ // correctly decrypt across part boundaries
+ std::vector<size_t> parts_len;
+
+ // for replicated objects, the original part lengths are preserved in an xattr
+ if (auto i = attrs.find(RGW_ATTR_CRYPT_PARTS); i != attrs.end()) {
+ try {
+ auto p = i->second.cbegin();
+ using ceph::decode;
+ decode(parts_len, p);
+ } catch (const buffer::error&) {
+ ldpp_dout(s, 1) << "failed to decode RGW_ATTR_CRYPT_PARTS" << dendl;
+ return -EIO;
+ }
+ } else if (manifest_bl) {
+ // otherwise, we read the part lengths from the manifest
+ res = RGWGetObj_BlockDecrypt::read_manifest_parts(s, *manifest_bl,
+ parts_len);
+ if (res < 0) {
+ return res;
+ }
+ }
+
+ *filter = std::make_unique<RGWGetObj_BlockDecrypt>(
+ s, s->cct, cb, std::move(block_crypt),
+ std::move(parts_len), s->yield);
+ return 0;
+}
CephContext *cct,
std::map<std::string, bufferlist>& attrset,
RGWAccessControlPolicy *policy);
+
+int get_decrypt_filter(
+ std::unique_ptr<RGWGetObj_Filter>* filter,
+ RGWGetObj_Filter* cb,
+ req_state* s,
+ std::map<std::string, bufferlist>& attrs,
+ bufferlist* manifest_bl,
+ std::map<std::string, std::string>* crypt_http_responses);
return 0;
}
- std::unique_ptr<BlockCrypt> block_crypt;
- int res = rgw_s3_prepare_decrypt(s, s->yield, attrs, &block_crypt,
- crypt_http_responses);
- if (res < 0) {
- return res;
- }
- if (block_crypt == nullptr) {
- return 0;
- }
-
- // in case of a multipart upload, we need to know the part lengths to
- // correctly decrypt across part boundaries
- std::vector<size_t> parts_len;
-
- // for replicated objects, the original part lengths are preserved in an xattr
- if (auto i = attrs.find(RGW_ATTR_CRYPT_PARTS); i != attrs.end()) {
- try {
- auto p = i->second.cbegin();
- using ceph::decode;
- decode(parts_len, p);
- } catch (const buffer::error&) {
- ldpp_dout(this, 1) << "failed to decode RGW_ATTR_CRYPT_PARTS" << dendl;
- return -EIO;
- }
- } else if (manifest_bl) {
- // otherwise, we read the part lengths from the manifest
- res = RGWGetObj_BlockDecrypt::read_manifest_parts(this, *manifest_bl,
- parts_len);
- if (res < 0) {
- return res;
- }
- }
-
- *filter = std::make_unique<RGWGetObj_BlockDecrypt>(
- s, s->cct, cb, std::move(block_crypt),
- std::move(parts_len), s->yield);
- return 0;
+ return ::get_decrypt_filter(filter, cb, s, attrs, manifest_bl, &crypt_http_responses);
}
+
int RGWGetObj_ObjStore_S3::verify_requester(const rgw::auth::StrategyRegistry& auth_registry, optional_yield y)
{
int ret = -EINVAL;
map<string, bufferlist>& attrs,
bufferlist* manifest_bl)
{
- std::map<std::string, std::string> crypt_http_responses_unused;
-
- std::unique_ptr<BlockCrypt> block_crypt;
- int res = rgw_s3_prepare_decrypt(s, s->yield, attrs, &block_crypt,
- crypt_http_responses_unused);
- if (res < 0) {
- return res;
- }
- if (block_crypt == nullptr) {
- return 0;
- }
-
- // in case of a multipart upload, we need to know the part lengths to
- // correctly decrypt across part boundaries
- std::vector<size_t> parts_len;
-
- // for replicated objects, the original part lengths are preserved in an xattr
- if (auto i = attrs.find(RGW_ATTR_CRYPT_PARTS); i != attrs.end()) {
- try {
- auto p = i->second.cbegin();
- using ceph::decode;
- decode(parts_len, p);
- } catch (const buffer::error&) {
- ldpp_dout(this, 1) << "failed to decode RGW_ATTR_CRYPT_PARTS" << dendl;
- return -EIO;
- }
- } else if (manifest_bl) {
- // otherwise, we read the part lengths from the manifest
- res = RGWGetObj_BlockDecrypt::read_manifest_parts(this, *manifest_bl,
- parts_len);
- if (res < 0) {
- return res;
- }
- }
-
- *filter = std::make_unique<RGWGetObj_BlockDecrypt>(
- s, s->cct, cb, std::move(block_crypt),
- std::move(parts_len), s->yield);
- return 0;
+ return ::get_decrypt_filter(filter, cb, s, attrs, manifest_bl, nullptr);
}
int RGWPutObj_ObjStore_S3::get_encrypt_filter(
/* We are adding to existing object.
* We use crypto mode that configured as if we were decrypting. */
res = rgw_s3_prepare_decrypt(s, s->yield, obj->get_attrs(),
- &block_crypt, crypt_http_responses);
+ &block_crypt, &crypt_http_responses);
if (res == 0 && block_crypt != nullptr)
filter->reset(new RGWPutObj_BlockEncrypt(s, s->cct, cb, std::move(block_crypt), s->yield));
}
// in the SSE-KMS and SSE-S3 cases, this unfortunately causes us to fetch
// decryption keys which we don't need :(
std::unique_ptr<BlockCrypt> block_crypt; // ignored
- std::map<std::string, std::string> crypt_http_responses; // ignored
return rgw_s3_prepare_decrypt(s, s->yield, attrs, &block_crypt,
- crypt_http_responses);
+ nullptr);
}
void RGWGetObjAttrs_ObjStore_S3::send_response()
projects / ceph-ci.git / commitdiff