From: Adam Kupczyk Date: Wed, 22 Feb 2017 10:29:34 +0000 (+0100) Subject: Fixed HEAD for encrypted objects. X-Git-Tag: v12.0.2~34^2~17 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a130ecf9d0199d638548890b32a0d8c77e4a32bf;p=ceph.git Fixed HEAD for encrypted objects. Now transactions for encrypted objects require encryped connection. Added option to suppress this requirement. Signed-off-by: Adam Kupczyk --- diff --git a/src/common/config_opts.h b/src/common/config_opts.h index b37547909d6f..5bf9d7ce7165 100644 --- a/src/common/config_opts.h +++ b/src/common/config_opts.h @@ -1657,6 +1657,7 @@ OPTION(mgr_connect_retry_interval, OPT_DOUBLE, 1.0) OPTION(mon_mgr_digest_period, OPT_INT, 5) // How frequently to send digests OPTION(mon_mgr_beacon_grace, OPT_INT, 30) // How long to wait to failover OPTION(mon_mgr_inactive_grace, OPT_INT, 60) // How long before health WARN -> ERR +OPTION(rgw_crypt_require_ssl, OPT_BOOL, true) // requests including encryption key headers must be sent over ssl OPTION(rgw_crypt_default_encryption_key, OPT_STR, "") // base64 encoded key for encryption of rgw objects OPTION(rgw_crypt_s3_kms_encryption_keys, OPT_STR, "") // extra keys that may be used for aws:kms // defined as map "key1=YmluCmJvb3N0CmJvb3N0LQ== key2=b3V0CnNyYwpUZXN0aW5nCg==" diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc index 5ab4c0c218fb..f192bac14613 100644 --- a/src/rgw/rgw_crypt.cc +++ b/src/rgw/rgw_crypt.cc @@ -1113,6 +1113,10 @@ int s3_prepare_encrypt(struct req_state* s, if (req_sse_ca != "AES256") { return -ERR_INVALID_REQUEST; } + if (s->cct->_conf->rgw_crypt_require_ssl && + !s->info.env->exists("SERVER_PORT_SECURE")) { + return -ERR_INVALID_REQUEST; + } std::string key_bin = from_base64( get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY) ); if (key_bin.size() != AES_256_CBC::AES_256_KEYSIZE) { @@ -1153,6 +1157,10 @@ int s3_prepare_encrypt(struct req_state* s, if (req_sse != "aws:kms") { return -ERR_INVALID_REQUEST; } + if (s->cct->_conf->rgw_crypt_require_ssl && + !s->info.env->exists("SERVER_PORT_SECURE")) { + return -ERR_INVALID_REQUEST; + } boost::string_ref key_id = get_crypt_attribute(s->info.env, parts, X_AMZ_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID); if (key_id.empty()) { @@ -1227,6 +1235,10 @@ int s3_prepare_decrypt(struct req_state* s, std::string stored_mode = get_str_attribute(attrs, RGW_ATTR_CRYPT_MODE); ldout(s->cct, 15) << "Encryption mode: " << stored_mode << dendl; if (stored_mode == "SSE-C-AES256") { + if (s->cct->_conf->rgw_crypt_require_ssl && + !s->info.env->exists("SERVER_PORT_SECURE")) { + return -ERR_INVALID_REQUEST; + } const char *req_cust_alg = s->info.env->get("HTTP_X_AMZ_SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM", NULL); @@ -1266,6 +1278,10 @@ int s3_prepare_decrypt(struct req_state* s, } if (stored_mode == "SSE-KMS") { + if (s->cct->_conf->rgw_crypt_require_ssl && + !s->info.env->exists("SERVER_PORT_SECURE")) { + return -ERR_INVALID_REQUEST; + } /* try to retrieve actual key */ std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); std::string key_selector = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYSEL); diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 04515f57c179..c7eb8f25cf87 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -1483,8 +1483,8 @@ void RGWGetObj::execute() start = ofs; - if (!get_data || ofs > end) { - send_response_data(bl, 0, 0); + /* STAT ops don't need data, and do no i/o */ + if (get_type() == RGW_OP_STAT_OBJ) { return; } @@ -1498,6 +1498,11 @@ void RGWGetObj::execute() goto done_err; } + if (!get_data || ofs > end) { + send_response_data(bl, 0, 0); + return; + } + perfcounter->inc(l_rgw_get_b, end - ofs); ofs_x = ofs;