From bd9ff0f7b10b1271c0956e7d6ce6e834c3aa0049 Mon Sep 17 00:00:00 2001
From: Marcus Watts
Date: Mon, 14 Feb 2022 20:16:42 -0500
Subject: [PATCH] rgw/crypt - improve PutBucketEncryption / RGWBucketEncryptionConfig

The existing logic for bucket encryption was incomplete. This adds the rest of the changes necessary to support sse-kms with default bucket encryption.

The new logic has these changes: on input: SSEAlgorithm is now optional. On output: emit xmlns attribute at top level. also output BucketKeyEnabled and KMSMasterKeyID. Hnadle "empty rule" case. for testing and diagnostics: support RGWBucketEncryptionConfig in ceph-dencoder

Signed-off-by: Marcus Watts

src/rgw/rgw_bucket_encryption.cc
src/rgw/rgw_bucket_encryption.h
src/rgw/rgw_crypt.cc
src/rgw/rgw_dencoder.cc
src/rgw/rgw_json_enc.cc
src/rgw/rgw_rest_s3.cc
src/tools/ceph-dencoder/rgw_types.h
---
 src/rgw/rgw_bucket_encryption.cc    | 22 ++++++++++++++++++++--
 src/rgw/rgw_bucket_encryption.h     | 14 +++++++++++++-
 src/rgw/rgw_dencoder.cc             | 12 ++++++++++++
 src/rgw/rgw_rest_s3.cc              |  3 ++-
 src/tools/ceph-dencoder/rgw_types.h |  3 +++
 5 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/src/rgw/rgw_bucket_encryption.cc b/src/rgw/rgw_bucket_encryption.cc
index 0310e5ac5a84f..f029709db97ae 100644
--- a/src/rgw/rgw_bucket_encryption.cc
+++ b/src/rgw/rgw_bucket_encryption.cc
@@ -3,6 +3,7 @@
 //
 #include "rgw_bucket_encryption.h"
 #include "rgw_xml.h"
+#include "common/ceph_json.h"
 
 void ApplyServerSideEncryptionByDefault::decode_xml(XMLObj *obj) {
   RGWXMLDecoder::decode_xml("KMSMasterKeyID", kmsMasterKeyID, obj, false);
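Review bot: The commit message says SSEAlgorithm is now optional on input, but judging by the hunk offsets the `SSEAlgorithm` decode call sits in the unchanged lines between this hunk and the next, so this patch does not touch it; either it was already optional or the message describes a change that is not in the diff. The message also lists rgw_crypt.cc and rgw_json_enc.cc as modified while the diffstat shows five files without them, and "Hnadle" should read "Handle". Please make the message match the diff, since anyone auditing default-encryption behaviour will rely on it to know whether a rule with no algorithm is accepted. The body of ApplyServerSideEncryptionByDefault::decode_xml continues past the end of this hunk.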
@@ -11,15 +12,21 @@ void ApplyServerSideEncryptionByDefault::decode_xml(XMLObj *obj) {
 
 void ApplyServerSideEncryptionByDefault::dump_xml(Formatter *f) const {
   encode_xml("SSEAlgorithm", sseAlgorithm, f);
+  if (kmsMasterKeyID != "") {
+    encode_xml("KMSMasterKeyID", kmsMasterKeyID, f);
+  }
 }
 
 void ServerSideEncryptionConfiguration::decode_xml(XMLObj *obj) {
-  RGWXMLDecoder::decode_xml("ApplyServerSideEncryptionByDefault", applyServerSideEncryptionByDefault, obj, true);
+  RGWXMLDecoder::decode_xml("ApplyServerSideEncryptionByDefault", applyServerSideEncryptionByDefault, obj, false);
   RGWXMLDecoder::decode_xml("BucketKeyEnabled", bucketKeyEnabled, obj, false);
 }
 
 void ServerSideEncryptionConfiguration::dump_xml(Formatter *f) const {
   encode_xml("ApplyServerSideEncryptionByDefault", applyServerSideEncryptionByDefault, f);
+  if (bucketKeyEnabled) {
+    encode_xml("BucketKeyEnabled", true, f);
+  }
 }
 
 void RGWBucketEncryptionConfig::decode_xml(XMLObj *obj) {
@@ -27,5 +34,16 @@ void RGWBucketEncryptionConfig::decode_xml(XMLObj *obj) {
 }
 
 void RGWBucketEncryptionConfig::dump_xml(Formatter *f) const {
-  encode_xml("Rule", rule, f);
+  if (rule_exist) {
+    encode_xml("Rule", rule, f);
+  }
+}
+
+void RGWBucketEncryptionConfig::dump(Formatter *f) const {
+  encode_json("rule_exist", has_rule(), f);
+  if (has_rule()) {
+    encode_json("sse_algorithm", sse_algorithm(), f);
+    encode_json("kms_master_key_id", kms_master_key_id(), f);
+    encode_json("bucket_key_enabled", bucket_key_enabled(), f);
+  }
 }
diff --git a/src/rgw/rgw_bucket_encryption.h b/src/rgw/rgw_bucket_encryption.h
index b279e3a166ac1..ba567bc719999 100644
--- a/src/rgw/rgw_bucket_encryption.h
+++ b/src/rgw/rgw_bucket_encryption.h
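Review bot: Making `ApplyServerSideEncryptionByDefault` optional in `ServerSideEncryptionConfiguration::decode_xml` means a `<Rule/>`, or a rule carrying only `BucketKeyEnabled`, now decodes with an empty `sseAlgorithm`, and nothing in these hunks rejects it before the configuration is stored, so a bucket could advertise default encryption that the object-write path may treat as none. PutBucketEncryption should fail closed: once the rule is decoded, reject any algorithm outside the supported set, e.g. `if (has_rule() && sse_algorithm() != "AES256" && sse_algorithm() != "aws:kms") throw RGWXMLDecoder::err("unsupported SSEAlgorithm");` in `RGWBucketEncryptionConfig::decode_xml`, or the equivalent check in the Put op, and decide explicitly what an `aws:kms` rule with no `KMSMasterKeyID` means. If that validation already lives in the parts of rgw_rest_s3.cc or rgw_crypt.cc outside this diff, naming it in the commit message would settle the question. Minor style: `kmsMasterKeyID != ""` reads better as `!kmsMasterKeyID.empty()`.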
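Review bot: `RGWBucketEncryptionConfig::dump_xml` tests the member `rule_exist` directly while the new `dump` immediately below goes through `has_rule()`; using the accessor in both, `if (has_rule()) {`, keeps the two formatters in step if the "no rule" representation ever changes. Because `dump` emits the `sse_algorithm`, `kms_master_key_id` and `bucket_key_enabled` keys only when a rule exists, a consumer of the JSON must distinguish a missing key from an empty value; a one-line comment above `dump` stating that `rule_exist` is the discriminator and the other keys are conditional would make that contract explicit.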
@@ -12,7 +12,10 @@ class ApplyServerSideEncryptionByDefault
   std::string sseAlgorithm;
 
 public:
-  ApplyServerSideEncryptionByDefault(): kmsMasterKeyID(""), sseAlgorithm("") {};
+  ApplyServerSideEncryptionByDefault() {};
+  ApplyServerSideEncryptionByDefault(const std::string &algorithm,
+                                     const std::string &key_id)
+    : kmsMasterKeyID(key_id), sseAlgorithm(algorithm) {};
 
   const std::string& kms_master_key_id() const {
     return kmsMasterKeyID;
@@ -49,6 +52,10 @@ protected:
 
 public:
   ServerSideEncryptionConfiguration(): bucketKeyEnabled(false) {};
+  ServerSideEncryptionConfiguration(const std::string &algorithm,
+      const std::string &keyid="", bool enabled = false)
+    : applyServerSideEncryptionByDefault(algorithm, keyid),
+      bucketKeyEnabled(enabled) {}
 
   const std::string& kms_master_key_id() const {
     return applyServerSideEncryptionByDefault.kms_master_key_id();
@@ -89,6 +96,9 @@ protected:
 
 public:
   RGWBucketEncryptionConfig(): rule_exist(false) {}
+  RGWBucketEncryptionConfig(const std::string &algorithm,
+      const std::string &keyid = "", bool enabled = false)
+    : rule_exist(true), rule(algorithm, keyid, enabled) {}
 
   const std::string& kms_master_key_id() const {
     return rule.kms_master_key_id();
@@ -126,5 +136,7 @@ public:
 
   void decode_xml(XMLObj *obj);
   void dump_xml(Formatter *f) const;
+  void dump(Formatter *f) const;
+  static void generate_test_instances(std::list& o);
 };
 WRITE_CLASS_ENCODER(RGWBucketEncryptionConfig)
diff --git a/src/rgw/rgw_dencoder.cc b/src/rgw/rgw_dencoder.cc
index 1d1be51c45b4c..2475b45ed6e4e 100644
--- a/src/rgw/rgw_dencoder.cc
+++ b/src/rgw/rgw_dencoder.cc
@@ -11,6 +11,7 @@
 #include "rgw_meta_sync_status.h"
 #include "rgw_data_sync.h"
 #include "rgw_multi.h"
+#include "rgw_bucket_encryption.h"
 
 #include "common/Formatter.h"
 
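Review bot: The new constructors `ServerSideEncryptionConfiguration(const std::string &algorithm, const std::string &keyid="", bool enabled = false)` and `RGWBucketEncryptionConfig(const std::string &algorithm, const std::string &keyid = "", bool enabled = false)` are callable with a single string, so a plain `std::string` converts implicitly into a configuration whose `rule_exist` is true; mark both `explicit` (and the two-argument `ApplyServerSideEncryptionByDefault` constructor for consistency) so an encryption rule is only ever created deliberately. None of them checks that `algorithm` is a supported value, which is acceptable for dencoder fixtures but deserves a comment on the declaration, e.g. `// Test/diagnostic helper: does not validate algorithm; the request path goes through decode_xml.`. The `generate_test_instances(std::list& o)` declaration appears here without an element type, which looks like a template argument lost in this rendering rather than in the patch, since the definition in rgw_dencoder.cc shows the same gap; worth confirming against the source tree.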
@@ -27,3 +28,14 @@ void obj_version::generate_test_instances(list& o)
   o.push_back(v);
   o.push_back(new obj_version);
 }
+
+void RGWBucketEncryptionConfig::generate_test_instances(std::list& o)
+{
+  auto *bc = new RGWBucketEncryptionConfig("aws:kms", "some:key", true);
+  o.push_back(bc);
+
+  bc = new RGWBucketEncryptionConfig("AES256");
+  o.push_back(bc);
+
+  o.push_back(new RGWBucketEncryptionConfig);
+}
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index d6185fb96acaf..ef500221d1059 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -3733,7 +3733,8 @@ void RGWGetBucketEncryption_ObjStore_S3::send_response()
   dump_start(s);
 
   if (!op_ret) {
-    encode_xml("ServerSideEncryptionConfiguration", bucket_encryption_conf, s->formatter);
+    encode_xml("ServerSideEncryptionConfiguration", XMLNS_AWS_S3,
+               bucket_encryption_conf, s->formatter);
     rgw_flush_formatter_and_reset(s, s->formatter);
   }
 }
diff --git a/src/tools/ceph-dencoder/rgw_types.h b/src/tools/ceph-dencoder/rgw_types.h
index f7d473083d4f6..4c136970bae9a 100644
--- a/src/tools/ceph-dencoder/rgw_types.h
+++ b/src/tools/ceph-dencoder/rgw_types.h
@@ -135,4 +135,7 @@ TYPE(rgw_data_sync_info)
 TYPE(rgw_data_sync_marker)
 TYPE(rgw_data_sync_status)
 
+#include "rgw/rgw_bucket_encryption.h"
+TYPE(RGWBucketEncryptionConfig)
+
 #endif
-- 
2.39.5
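Review bot: The fixtures in `RGWBucketEncryptionConfig::generate_test_instances` cover kms-with-key, plain AES256 and no-rule, but not the state the relaxed XML decoder in this same series can now produce, a rule whose algorithm is empty; adding `o.push_back(new RGWBucketEncryptionConfig(""));` pins how that state encodes and dumps so a later tightening of the decoder cannot silently change the on-disk form. Raw `new` here follows the obj_version instances in the context lines above, so ownership is the dencoder's usual convention rather than a leak introduced by this hunk.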
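Review bot: With the empty-rule branch now in `RGWBucketEncryptionConfig::dump_xml`, a bucket whose stored configuration has no rule answers GetBucketEncryption with a bare `<ServerSideEncryptionConfiguration xmlns=.../>` and a success status, whereas S3 clients expect either a `Rule` or a `ServerSideEncryptionConfigurationNotFoundError`, and some SDKs may read the empty element as "encryption configured" with no algorithm. The status header is presumably already written by the code above `dump_start`, so the fix belongs in execute() rather than here: treat `!bucket_encryption_conf.has_rule()` the same as a missing configuration and set `op_ret` to whatever error RGW maps to that S3 error code. Please also confirm the stored configuration cannot reach this point with a rule but an empty algorithm, since that would serialise as `<SSEAlgorithm></SSEAlgorithm>`. send_response begins outside this hunk.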