Fixed HEAD for encrypted objects.
authorAdam Kupczyk <akupczyk@mirantis.com>
Wed, 22 Feb 2017 10:29:34 +0000 (11:29 +0100)
committerAdam Kupczyk <akupczyk@mirantis.com>
Wed, 5 Apr 2017 16:31:58 +0000 (18:31 +0200)
Now transactions for encrypted objects require an encrypted connection.
Added option to suppress this requirement.

Signed-off-by: Adam Kupczyk <akupczyk@mirantis.com>
src/common/config_opts.h
src/rgw/rgw_crypt.cc
src/rgw/rgw_op.cc

index b37547909d6fd544fa1467fc20019613e8497fa0..5bf9d7ce7165d6146d3f401b2bbdea79b37000bd 100644 (file)
@@ -1657,6 +1657,7 @@ OPTION(mgr_connect_retry_interval, OPT_DOUBLE, 1.0)
 OPTION(mon_mgr_digest_period, OPT_INT, 5)  // How frequently to send digests
 OPTION(mon_mgr_beacon_grace, OPT_INT, 30)  // How long to wait to failover
 OPTION(mon_mgr_inactive_grace, OPT_INT, 60) // How long before health WARN -> ERR
+OPTION(rgw_crypt_require_ssl, OPT_BOOL, true) // requests including encryption key headers must be sent over ssl
 OPTION(rgw_crypt_default_encryption_key, OPT_STR, "") // base64 encoded key for encryption of rgw objects
 OPTION(rgw_crypt_s3_kms_encryption_keys, OPT_STR, "") // extra keys that may be used for aws:kms
                                                       // defined as map "key1=YmluCmJvb3N0CmJvb3N0LQ== key2=b3V0CnNyYwpUZXN0aW5nCg=="
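Review bot: The comment on `rgw_crypt_require_ssl` describes less than the option enforces. It mentions only requests that carry encryption key headers, but the same commit applies the check to the `aws:kms` branch, which reads a key id, and to reads of objects whose stored mode is SSE-C or SSE-KMS. A more accurate comment would be `// refuse SSE-C / SSE-KMS requests, and reads of encrypted objects, that do not arrive over ssl`. It would also help to say that setting it to false allows customer-supplied keys to cross the network in cleartext.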
index 5ab4c0c218fb1985eecd6d2bcce88407e61c918b..f192bac14613af0ae8cdf35b0bcac5be01afc321 100644 (file)
@@ -1113,6 +1113,10 @@ int s3_prepare_encrypt(struct req_state* s,
       if (req_sse_ca != "AES256") {
         return -ERR_INVALID_REQUEST;
       }
+      if (s->cct->_conf->rgw_crypt_require_ssl &&
+          !s->info.env->exists("SERVER_PORT_SECURE")) {
+        return -ERR_INVALID_REQUEST;
+      }
       std::string key_bin = from_base64(
           get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY) );
       if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) {
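Review bot: The new check in the SSE-C branch refuses the request with a bare `-ERR_INVALID_REQUEST` and logs nothing. By the time it runs the client has already sent its customer key header over the non-secure connection, so an operator gets no record that a key may need rotating, and the client cannot tell this refusal from a malformed request. The same four-line condition is repeated in the `aws:kms` branch and in both `s3_prepare_decrypt` branches. One static helper that tests and logs would keep the four sites in step, each becoming `if (crypt_insecure_request(s)) return -ERR_INVALID_REQUEST;`. The helper name and log text are suggestions, and `s3_prepare_encrypt` begins and ends outside this hunk.

```cpp
/* true when rgw_crypt_require_ssl is set and the request did not arrive over ssl */
static bool crypt_insecure_request(struct req_state* s)
{
  if (!s->cct->_conf->rgw_crypt_require_ssl) {
    return false;
  }
  if (s->info.env->exists("SERVER_PORT_SECURE")) {
    return false;
  }
  ldout(s->cct, 5) << "ERROR: encryption request refused, connection is not secure" << dendl;
  return true;
}
```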
@@ -1153,6 +1157,10 @@ int s3_prepare_encrypt(struct req_state* s,
       if (req_sse != "aws:kms") {
         return -ERR_INVALID_REQUEST;
       }
+      if (s->cct->_conf->rgw_crypt_require_ssl &&
+          !s->info.env->exists("SERVER_PORT_SECURE")) {
+        return -ERR_INVALID_REQUEST;
+      }
       boost::string_ref key_id =
           get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID);
       if (key_id.empty()) {
@@ -1227,6 +1235,10 @@ int s3_prepare_decrypt(struct req_state* s,
   std::string stored_mode = get_str_attribute(attrs, RGW_ATTR_CRYPT_MODE);
   ldout(s->cct, 15) << "Encryption mode: " << stored_mode << dendl;
   if (stored_mode == "SSE-C-AES256") {
+    if (s->cct->_conf->rgw_crypt_require_ssl &&
+        !s->info.env->exists("SERVER_PORT_SECURE")) {
+      return -ERR_INVALID_REQUEST;
+    }
     const char *req_cust_alg =
         s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM", NULL);
 
@@ -1266,6 +1278,10 @@ int s3_prepare_decrypt(struct req_state* s,
   }
 
   if (stored_mode == "SSE-KMS") {
+    if (s->cct->_conf->rgw_crypt_require_ssl &&
+        !s->info.env->exists("SERVER_PORT_SECURE")) {
+      return -ERR_INVALID_REQUEST;
+    }
     /* try to retrieve actual key */
     std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID);
     std::string key_selector = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYSEL);
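Review bot: The security decision here, and at the three other sites this commit adds, rests only on a variable named `SERVER_PORT_SECURE` being present in `s->info.env`; its value is never examined. Whether presence is trustworthy depends on which frontend fills that environment, which is not visible in this diff, so it should be confirmed that no frontend can have the variable set from request-controlled data. Deployments that terminate TLS in front of the gateway will presumably never see the variable and can only disable the option entirely. A comment at the check naming the component expected to set the variable would make that trust assumption reviewable, e.g. `/* SERVER_PORT_SECURE is set by the frontend only for ssl connections */` if that is confirmed.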
index 04515f57c179ae1c882d2ecff04e887c861af500..c7eb8f25cf875846feb26c53bc978a66c8f2b4ed 100644 (file)
@@ -1483,8 +1483,8 @@ void RGWGetObj::execute()
 
   start = ofs;
 
-  if (!get_data || ofs > end) {
-    send_response_data(bl, 0, 0);
+  /* STAT ops don't need data, and do no i/o */
+  if (get_type() == RGW_OP_STAT_OBJ) {
     return;
   }
 
@@ -1498,6 +1498,11 @@ void RGWGetObj::execute()
     goto done_err;
   }
 
+  if (!get_data || ofs > end) {
+    send_response_data(bl, 0, 0);
+    return;
+  }
+
   perfcounter->inc(l_rgw_get_b, end - ofs);
 
   ofs_x = ofs;
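Review bot: The relocated `!get_data || ofs > end` early return has no comment saying why it now sits below the step that ends in `goto done_err`, yet that ordering is the fix. Placed earlier, as before, a HEAD would be answered before that step had a chance to fail. Suggest a comment above it such as `/* keep below the checks above, so HEAD on an encrypted object fails the same way GET does */`. The step itself lies outside the hunk, so that it is the decrypt preparation is inferred from the commit title.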