constexpr auto kms_attr = "x-amz-server-side-encryption-aws-kms-key-id";
constexpr auto bucket_key_attr = "x-amz-server-side-encryption-bucket-key-enabled";
bool bucket_configuration_found { false };
+ bool rest_only { false };
for (auto& kv : s->info.crypt_attribute_map) {
if (kv.first.find(sse_c_prefix) == 0)
<< sse_algorithm << dendl;
}
- auto iter = s->info.crypt_attribute_map.find(kms_attr);
+ auto iter = s->info.crypt_attribute_map.find(encrypt_attr);
+ if (iter != s->info.crypt_attribute_map.end()) {
+ldpp_dout(s, 20) << "get_encryption_defaults: found encrypt_attr " << encrypt_attr << " = " << iter->second << ", setting sse_algorithm to that" << dendl;
+ rest_only = true;
+ sse_algorithm = iter->second;
+ } else if (sse_algorithm != "") {
+ rgw_set_amz_meta_header(s->info.crypt_attribute_map, encrypt_attr, sse_algorithm, OVERWRITE);
+ }
+
+ iter = s->info.crypt_attribute_map.find(kms_attr);
if (iter != s->info.crypt_attribute_map.end()) {
ldpp_dout(s, 20) << "get_encryption_defaults: found kms_attr " << kms_attr << " = " << iter->second << ", setting kms_attr_seen" << dendl;
+ if (!rest_only) {
+ s->err.message = std::string("incomplete rest sse parms: ") + kms_attr + " not valid without kms";
+ ldpp_dout(s, 5) << __func__ << "argument problem: " << s->err.message << dendl;
+ return -EINVAL;
+ }
kms_attr_seen = true;
- } else if (kms_master_key_id != "") {
+ } else if (!rest_only && kms_master_key_id != "") {
ldpp_dout(s, 20) << "get_encryption_defaults: no kms_attr, but kms_master_key_id = " << kms_master_key_id << ", settig kms_attr_seen" << dendl;
kms_attr_seen = true;
rgw_set_amz_meta_header(s->info.crypt_attribute_map, kms_attr, kms_master_key_id, OVERWRITE);
iter = s->info.crypt_attribute_map.find(bucket_key_attr);
if (iter != s->info.crypt_attribute_map.end()) {
ldpp_dout(s, 20) << "get_encryption_defaults: found bucket_key_attr " << bucket_key_attr << " = " << iter->second << ", setting kms_attr_seen" << dendl;
+ if (!rest_only) {
+ s->err.message = std::string("incomplete rest sse parms: ") + bucket_key_attr + " not valid without kms";
+ ldpp_dout(s, 5) << __func__ << "argument problem: " << s->err.message << dendl;
+ return -EINVAL;
+ }
kms_attr_seen = true;
- } else if (bucket_key_enabled) {
+ } else if (!rest_only && bucket_key_enabled) {
ldpp_dout(s, 20) << "get_encryption_defaults: no bucket_key_attr, but bucket_key_enabled, setting kms_attr_seen" << dendl;
kms_attr_seen = true;
rgw_set_amz_meta_header(s->info.crypt_attribute_map, bucket_key_attr, "true", OVERWRITE);
iter = s->info.crypt_attribute_map.find(context_attr);
if (iter != s->info.crypt_attribute_map.end()) {
ldpp_dout(s, 20) << "get_encryption_defaults: found context_attr " << context_attr << " = " << iter->second << ", setting kms_attr_seen" << dendl;
+ if (!rest_only) {
+ s->err.message = std::string("incomplete rest sse parms: ") + context_attr + " not valid without kms";
+ ldpp_dout(s, 5) << __func__ << "argument problem: " << s->err.message << dendl;
+ return -EINVAL;
+ }
kms_attr_seen = true;
}
ldpp_dout(s, 20) << "get_encryption_defaults: kms_attr but no algorithm, defaulting to aws_kms" << dendl;
sse_algorithm = "aws:kms";
}
-
- iter = s->info.crypt_attribute_map.find(encrypt_attr);
- if (iter != s->info.crypt_attribute_map.end()) {
-ldpp_dout(s, 20) << "get_encryption_defaults: found encrypt_attr " << encrypt_attr << " = " << iter->second << ", setting sse_algorithm to that" << dendl;
- sse_algorithm = iter->second;
- } else if (sse_algorithm != "") {
- rgw_set_amz_meta_header(s->info.crypt_attribute_map, encrypt_attr, sse_algorithm, OVERWRITE);
- }
for (const auto& kv: s->info.crypt_attribute_map) {
ldpp_dout(s, 20) << "get_encryption_defaults: final map: " << kv.first << " = " << kv.second << dendl;
}
projects / ceph.git / commitdiff