The existing logic for bucket encryption was incomplete. This adds the
rest of the changes necessary to support sse-kms with default bucket
encryption.
The new logic has these changes:
on input: SSEAlgorithm is now optional.
On output: emit xmlns attribute at top level.
also output
BucketKeyEnabled and KMSMasterKeyID.
Handle "empty rule" case.
for testing and diagnostics:
support RGWBucketEncryptionConfig in ceph-dencoder
Signed-off-by: Marcus Watts <mwatts@redhat.com>
src/rgw/rgw_bucket_encryption.cc
src/rgw/rgw_bucket_encryption.h
src/rgw/rgw_crypt.cc
src/rgw/rgw_dencoder.cc
src/rgw/rgw_json_enc.cc
src/rgw/rgw_rest_s3.cc
src/tools/ceph-dencoder/rgw_types.h
(cherry picked from commit
bd9ff0f7b10b1271c0956e7d6ce6e834c3aa0049)
//
#include "rgw_bucket_encryption.h"
#include "rgw_xml.h"
+#include "common/ceph_json.h"
void ApplyServerSideEncryptionByDefault::decode_xml(XMLObj *obj) {
RGWXMLDecoder::decode_xml("KMSMasterKeyID", kmsMasterKeyID, obj, false);
void ApplyServerSideEncryptionByDefault::dump_xml(Formatter *f) const {
encode_xml("SSEAlgorithm", sseAlgorithm, f);
+ if (kmsMasterKeyID != "") {
+ encode_xml("KMSMasterKeyID", kmsMasterKeyID, f);
+ }
}
void ServerSideEncryptionConfiguration::decode_xml(XMLObj *obj) {
- RGWXMLDecoder::decode_xml("ApplyServerSideEncryptionByDefault", applyServerSideEncryptionByDefault, obj, true);
+ RGWXMLDecoder::decode_xml("ApplyServerSideEncryptionByDefault", applyServerSideEncryptionByDefault, obj, false);
RGWXMLDecoder::decode_xml("BucketKeyEnabled", bucketKeyEnabled, obj, false);
}
void ServerSideEncryptionConfiguration::dump_xml(Formatter *f) const {
encode_xml("ApplyServerSideEncryptionByDefault", applyServerSideEncryptionByDefault, f);
+ if (bucketKeyEnabled) {
+ encode_xml("BucketKeyEnabled", true, f);
+ }
}
void RGWBucketEncryptionConfig::decode_xml(XMLObj *obj) {
}
void RGWBucketEncryptionConfig::dump_xml(Formatter *f) const {
- encode_xml("Rule", rule, f);
+ if (rule_exist) {
+ encode_xml("Rule", rule, f);
+ }
+}
+
+void RGWBucketEncryptionConfig::dump(Formatter *f) const {
+ encode_json("rule_exist", has_rule(), f);
+ if (has_rule()) {
+ encode_json("sse_algorithm", sse_algorithm(), f);
+ encode_json("kms_master_key_id", kms_master_key_id(), f);
+ encode_json("bucket_key_enabled", bucket_key_enabled(), f);
+ }
}
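Review bot: In `ServerSideEncryptionConfiguration::decode_xml` the `ApplyServerSideEncryptionByDefault` element is now optional, so a rule that names no algorithm decodes successfully and leaves `sseAlgorithm` empty; nothing in this section rejects or normalizes that state. `ApplyServerSideEncryptionByDefault::dump_xml` still writes `SSEAlgorithm` unconditionally, so such a config would be read back with an empty algorithm element. If the consumer of this config (presumably in rgw_crypt.cc, not shown here) treats an empty algorithm as "nothing to apply", a bucket can appear to have default encryption configured while objects are stored unencrypted. I would check after decoding that the algorithm is empty, `AES256` or `aws:kms`, and that a non-empty `KMSMasterKeyID` arrives only with `aws:kms`. At minimum the intended meaning should be documented at the decode call, e.g. `// rule without ApplyServerSideEncryptionByDefault: accepted, no default encryption is applied`. The function bodies are only partly visible in these hunks.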
std::string sseAlgorithm;
public:
- ApplyServerSideEncryptionByDefault(): kmsMasterKeyID(""), sseAlgorithm("") {};
+ ApplyServerSideEncryptionByDefault() {};
+ ApplyServerSideEncryptionByDefault(const std::string &algorithm,
+ const std::string &key_id)
+ : kmsMasterKeyID(key_id), sseAlgorithm(algorithm) {};
const std::string& kms_master_key_id() const {
return kmsMasterKeyID;
public:
ServerSideEncryptionConfiguration(): bucketKeyEnabled(false) {};
+ ServerSideEncryptionConfiguration(const std::string &algorithm,
+ const std::string &keyid="", bool enabled = false)
+ : applyServerSideEncryptionByDefault(algorithm, keyid),
+ bucketKeyEnabled(enabled) {}
const std::string& kms_master_key_id() const {
return applyServerSideEncryptionByDefault.kms_master_key_id();
public:
RGWBucketEncryptionConfig(): rule_exist(false) {}
+ RGWBucketEncryptionConfig(const std::string &algorithm,
+ const std::string &keyid = "", bool enabled = false)
+ : rule_exist(true), rule(algorithm, keyid, enabled) {}
const std::string& kms_master_key_id() const {
return rule.kms_master_key_id();
void decode_xml(XMLObj *obj);
void dump_xml(Formatter *f) const;
+ void dump(Formatter *f) const;
+ static void generate_test_instances(std::list<RGWBucketEncryptionConfig*>& o);
};
WRITE_CLASS_ENCODER(RGWBucketEncryptionConfig)
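Review bot: The new `ServerSideEncryptionConfiguration` and `RGWBucketEncryptionConfig` constructors can be called with a single `std::string` because the remaining parameters are defaulted, and neither is marked `explicit`. For `RGWBucketEncryptionConfig` that means any string converts implicitly into a config with `rule_exist(true)`, which is an easy way to create an encryption rule by accident at a call site. I would declare both as `explicit RGWBucketEncryptionConfig(const std::string &algorithm, ...)` and `explicit ServerSideEncryptionConfiguration(const std::string &algorithm, ...)`. A short comment on the constructor stating that an empty `algorithm` still produces an existing rule would help readers. The class bodies start and continue outside these hunks.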
#include "rgw_meta_sync_status.h"
#include "rgw_data_sync.h"
#include "rgw_multi.h"
+#include "rgw_bucket_encryption.h"
#include "common/Formatter.h"
o.push_back(v);
o.push_back(new obj_version);
}
+
+void RGWBucketEncryptionConfig::generate_test_instances(std::list<RGWBucketEncryptionConfig*>& o)
+{
+ auto *bc = new RGWBucketEncryptionConfig("aws:kms", "some:key", true);
+ o.push_back(bc);
+
+ bc = new RGWBucketEncryptionConfig("AES256");
+ o.push_back(bc);
+
+ o.push_back(new RGWBucketEncryptionConfig);
+}
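Review bot: The three instances in `generate_test_instances` cover `aws:kms` with a key, `AES256`, and the no-rule default, but not a rule that exists with an empty algorithm. That appears to be the "empty rule" state this commit makes decodable. Adding `o.push_back(new RGWBucketEncryptionConfig(""));` would put it through the ceph-dencoder round trip, so a later change to how it is encoded or dumped gets noticed. A one-line comment above each instance naming the case it represents (`// sse-kms with bucket key`, `// sse-s3`, `// no rule`) would also make the intent clear.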
dump_start(s);
if (!op_ret) {
- encode_xml("ServerSideEncryptionConfiguration", bucket_encryption_conf, s->formatter);
+ encode_xml("ServerSideEncryptionConfiguration", XMLNS_AWS_S3,
+ bucket_encryption_conf, s->formatter);
rgw_flush_formatter_and_reset(s, s->formatter);
}
}
TYPE(rgw_data_sync_marker)
TYPE(rgw_data_sync_status)
+#include "rgw/rgw_bucket_encryption.h"
+TYPE(RGWBucketEncryptionConfig)
+
#endif