From 3024b70ad56a7733527be7bae53d0a19a368c45c Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Fri, 28 Feb 2025 17:07:32 +0100
Subject: [PATCH] rgw: GetObject(Version) not allowed to replicate sse-kms objects
To replicate objects encrypted via sse-kms objects, s3:GetObjectVersionForReplication is required.
Signed-off-by: Seena Fallah
---
 src/rgw/rgw_op.cc | 9 +++++++++
 src/rgw/rgw_process.cc | 5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 908371c81fc7d..441f527a7a6ae 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1145,6 +1145,15 @@ int RGWGetObj::verify_permission(optional_yield y)
 // fallback to s3:GetObject(Version) permission
 action = s->object->get_instance().empty() ? rgw::IAM::s3GetObject : rgw::IAM::s3GetObjectVersion;
+
+ // sse-kms is not supported by s3:GetObject(Version) permission
+ bufferlist bl;
+ if (s->object->get_attr(RGW_ATTR_CRYPT_MODE, bl) && bl.to_str() == "SSE-KMS") {
+ s->err.message = "object is encrypted with SSE-KMS, missing s3:GetObjectVersionForReplication permission";
+ ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+ return -EACCES;
+ }
 } else if (get_torrent) {
 action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectTorrent : rgw::IAM::s3GetObjectVersionTorrent;
 } else {
diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc
index 37d5ac0f6ab93..8cf1c41775f6e 100644
--- a/src/rgw/rgw_process.cc
+++ b/src/rgw/rgw_process.cc
@@ -226,7 +226,7 @@ int rgw_process_authenticated(RGWHandler_REST * const handler,
 ret = op->verify_permission(y);
 std::swap(span, s->trace);
 }
- if (ret < 0) {
+ if (ret == -EACCES || ret == -EPERM || ret == -ERR_AUTHORIZATION) {
 // system requests may impersonate another user/role for permission checks
 // so only rely on is_admin_of() to override permissions
 if (s->auth.identity->is_admin_of(s->user->get_id())) {
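Review bot: The SSE-KMS denial in RGWGetObj::verify_permission fails open whenever `get_attr(RGW_ATTR_CRYPT_MODE, bl)` returns false, and nothing in this hunk shows the object's attributes being loaded before the lookup. The function body starts and ends outside the hunk, so this cannot be confirmed here, but if the attribute set can still be empty at this point an SSE-KMS object would pass with only s3:GetObject(Version). State the precondition next to the check, e.g. `// attrs must already be loaded here; a missing RGW_ATTR_CRYPT_MODE is treated as "not SSE-KMS"`, or load the attributes explicitly before testing the mode. Separately, `s->err.message` names the encryption mode and appears to be set before the fallback action itself is evaluated, so it may reach a requester that holds neither permission; a generic access-denied text would avoid that disclosure.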
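Review bot: The overridable codes in `if (ret == -EACCES || ret == -EPERM || ret == -ERR_AUTHORIZATION)` are spelled inline, with no comment saying why exactly these three count as permission denials. A verify_permission() implementation that signals denial with any other code is no longer overridden for admins. In the other direction, one that returns -EACCES for a reason other than policy, such as the SSE-KMS check this patch adds to RGWGetObj::verify_permission, would be overridden when is_admin_of() is true; please confirm that bypass is intended. Consider naming the predicate, e.g. `static bool is_permission_denial(int r) { return r == -EACCES || r == -EPERM || r == -ERR_AUTHORIZATION; }`, and documenting on it that admin identities bypass every check returning one of these codes. The same rationale belongs on the `else if (ret < 0)` branch in the following hunk, and rgw_process_authenticated's body extends beyond both hunks.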
@@ -234,6 +234,9 @@ int rgw_process_authenticated(RGWHandler_REST * const handler,
 } else {
 return ret;
 }
+ } else if (ret < 0) {
+ // other errors are not overridden as they might be invalid input
+ return ret;
 }
 ldpp_dout(op, 2) << "verifying op params" << dendl;
--
2.39.5