From: Seena Fallah Date: Fri, 12 Apr 2024 14:36:43 +0000 (+0200) Subject: rgw: eliminate ssl enforcement for sse-s3 encryption X-Git-Tag: testing/wip-mchangir-testing-20240429.064231-main-debug~13^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=8315b7d4b782127a844693a53801d2115af204f6;p=ceph-ci.git rgw: eliminate ssl enforcement for sse-s3 encryption SSE-S3 Encryption does not include any keys in the headers, thus SSL enforcement is unnecessary. Fixes: https://tracker.ceph.com/issues/65462 Signed-off-by: Seena Fallah --- diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc index 58874bf22b9..2196e982953 100644 --- a/src/rgw/rgw_crypt.cc +++ b/src/rgw/rgw_crypt.cc @@ -1149,13 +1149,13 @@ int rgw_s3_prepare_encrypt(req_state* s, optional_yield y, crypt_attributes.get(X_AMZ_SERVER_SIDE_ENCRYPTION); if (! req_sse.empty()) { - if (s->cct->_conf->rgw_crypt_require_ssl && - !rgw_transport_is_secure(s->cct, *s->info.env)) { - ldpp_dout(s, 5) << "ERROR: insecure request, rgw_crypt_require_ssl is set" << dendl; - return -ERR_INVALID_REQUEST; - } - if (req_sse == "aws:kms") { + if (s->cct->_conf->rgw_crypt_require_ssl && + !rgw_transport_is_secure(s->cct, *s->info.env)) { + ldpp_dout(s, 5) << "ERROR: insecure request, rgw_crypt_require_ssl is set" << dendl; + return -ERR_INVALID_REQUEST; + } + std::string_view context = crypt_attributes.get(X_AMZ_SERVER_SIDE_ENCRYPTION_CONTEXT); std::string cooked_context; @@ -1469,11 +1469,6 @@ int rgw_s3_prepare_decrypt(req_state* s, optional_yield y, /* SSE-S3 */ if (stored_mode == "AES256") { - if (s->cct->_conf->rgw_crypt_require_ssl && - !rgw_transport_is_secure(s->cct, *s->info.env)) { - ldpp_dout(s, 5) << "ERROR: Insecure request, rgw_crypt_require_ssl is set" << dendl; - return -ERR_INVALID_REQUEST; - } /* try to retrieve actual key */ std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); std::string actual_key;