From: Marcus Watts <mwatts@redhat.com>
Date: Fri, 4 Mar 2022 01:37:53 +0000 (-0500)
Subject: rgw/crypt - fix rest call to fail if insufficient kms args supplied.
X-Git-Tag: v18.0.0~968^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=be37c2c687bcdd5bc2055999e96cabe9b9f292ce;p=ceph.git

rgw/crypt - fix rest call to fail if insufficient kms args supplied.

in s3-land, it is ok to supply incomplete kms args for bucket encryption
configuration, but not on the rest call.  This is a fix to distinguish
between the two and error out in the case of the latter.

Signed-off-by: Marcus Watts <mwatts@redhat.com>
---

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index ef500221d105..9e70dddef4a2 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -153,6 +153,7 @@ int get_encryption_defaults(req_state *s)
   constexpr auto kms_attr = "x-amz-server-side-encryption-aws-kms-key-id";
   constexpr auto bucket_key_attr = "x-amz-server-side-encryption-bucket-key-enabled";
   bool bucket_configuration_found { false };
+  bool rest_only { false };
 
   for (auto& kv : s->info.crypt_attribute_map) {
     if (kv.first.find(sse_c_prefix) == 0)
@@ -197,11 +198,25 @@ int get_encryption_defaults(req_state *s)
 	  <<  sse_algorithm << dendl;
   }
 
-  auto iter = s->info.crypt_attribute_map.find(kms_attr);
+  auto iter = s->info.crypt_attribute_map.find(encrypt_attr);
+  if (iter != s->info.crypt_attribute_map.end()) {
+ldpp_dout(s, 20) << "get_encryption_defaults: found encrypt_attr " << encrypt_attr << " = " << iter->second << ", setting sse_algorithm to that" << dendl;
+    rest_only = true;
+    sse_algorithm = iter->second;
+  } else if (sse_algorithm != "") {
+    rgw_set_amz_meta_header(s->info.crypt_attribute_map, encrypt_attr, sse_algorithm, OVERWRITE);
+  }
+
+  iter = s->info.crypt_attribute_map.find(kms_attr);
   if (iter != s->info.crypt_attribute_map.end()) {
 ldpp_dout(s, 20) << "get_encryption_defaults: found kms_attr " << kms_attr << " = " << iter->second << ", setting kms_attr_seen" << dendl;
+    if (!rest_only) {
+      s->err.message = std::string("incomplete rest sse parms: ") + kms_attr + " not valid without kms";
+      ldpp_dout(s, 5) << __func__ << "argument problem: " << s->err.message << dendl;
+      return -EINVAL;
+    }
     kms_attr_seen = true;
-  } else if (kms_master_key_id != "") {
+  } else if (!rest_only && kms_master_key_id != "") {
 ldpp_dout(s, 20) << "get_encryption_defaults: no kms_attr, but kms_master_key_id = " << kms_master_key_id << ", settig kms_attr_seen" << dendl;
     kms_attr_seen = true;
     rgw_set_amz_meta_header(s->info.crypt_attribute_map, kms_attr, kms_master_key_id, OVERWRITE);
@@ -210,8 +225,13 @@ ldpp_dout(s, 20) << "get_encryption_defaults: no kms_attr, but kms_master_key_id
   iter = s->info.crypt_attribute_map.find(bucket_key_attr);
   if (iter != s->info.crypt_attribute_map.end()) {
 ldpp_dout(s, 20) << "get_encryption_defaults: found bucket_key_attr " << bucket_key_attr << " = " << iter->second << ", setting kms_attr_seen" << dendl;
+    if (!rest_only) {
+      s->err.message = std::string("incomplete rest sse parms: ") + bucket_key_attr + " not valid without kms";
+      ldpp_dout(s, 5) << __func__ << "argument problem: " << s->err.message << dendl;
+      return -EINVAL;
+    }
     kms_attr_seen = true;
-  } else if (bucket_key_enabled) {
+  } else if (!rest_only && bucket_key_enabled) {
 ldpp_dout(s, 20) << "get_encryption_defaults: no bucket_key_attr, but bucket_key_enabled,  setting kms_attr_seen" << dendl;
     kms_attr_seen = true;
     rgw_set_amz_meta_header(s->info.crypt_attribute_map, bucket_key_attr, "true", OVERWRITE);
@@ -220,6 +240,11 @@ ldpp_dout(s, 20) << "get_encryption_defaults: no bucket_key_attr, but bucket_key
   iter = s->info.crypt_attribute_map.find(context_attr);
   if (iter != s->info.crypt_attribute_map.end()) {
 ldpp_dout(s, 20) << "get_encryption_defaults: found context_attr " << context_attr << " = " << iter->second << ", setting kms_attr_seen" << dendl;
+    if (!rest_only) {
+      s->err.message = std::string("incomplete rest sse parms: ") + context_attr + " not valid without kms";
+      ldpp_dout(s, 5) << __func__ << "argument problem: " << s->err.message << dendl;
+      return -EINVAL;
+    }
     kms_attr_seen = true;
   }
 
@@ -227,14 +252,6 @@ ldpp_dout(s, 20) << "get_encryption_defaults: found context_attr " << context_at
 ldpp_dout(s, 20) << "get_encryption_defaults: kms_attr but no algorithm, defaulting to aws_kms" << dendl;
     sse_algorithm = "aws:kms";
   }
-
-  iter = s->info.crypt_attribute_map.find(encrypt_attr);
-  if (iter != s->info.crypt_attribute_map.end()) {
-ldpp_dout(s, 20) << "get_encryption_defaults: found encrypt_attr " << encrypt_attr << " = " << iter->second << ", setting sse_algorithm to that" << dendl;
-    sse_algorithm = iter->second;
-  } else if (sse_algorithm != "") {
-    rgw_set_amz_meta_header(s->info.crypt_attribute_map, encrypt_attr, sse_algorithm, OVERWRITE);
-  }
 for (const auto& kv: s->info.crypt_attribute_map) {
 ldpp_dout(s, 20) << "get_encryption_defaults:  final map: " << kv.first << " = " << kv.second << dendl;
 }