mirrors/seaweedfs
1
0
Fork 0
mirror of https://github.com/chrislusf/seaweedfs synced 2025-09-10 05:12:47 +02:00
Code Issues Projects Releases Wiki Activity
seaweedfs/weed/s3api/s3api_object_handlers_copy.go
Chris Lu 50530e2553
S3 API: Add SSE-S3 (#7151) 
* implement sse-c

* fix Content-Range

* adding tests

* Update s3_sse_c_test.go

* copy sse-c objects

* adding tests

* refactor

* multi reader

* remove extra write header call

* refactor

* SSE-C encrypted objects do not support HTTP Range requests

* robust

* fix server starts

* Update Makefile

* Update Makefile

* ci: remove SSE-C integration tests and workflows; delete test/s3/encryption/

* s3: SSE-C MD5 must be base64 (case-sensitive); fix validation, comparisons, metadata storage; update tests

* minor

* base64

* Update SSE-C_IMPLEMENTATION.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update SSE-C_IMPLEMENTATION.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* address comments

* fix test

* fix compilation

* Bucket Default Encryption

To complete the SSE-KMS implementation for production use:
Add AWS KMS Provider - Implement weed/kms/aws/aws_kms.go using AWS SDK
Integrate with S3 Handlers - Update PUT/GET object handlers to use SSE-KMS
Add Multipart Upload Support - Extend SSE-KMS to multipart uploads
Configuration Integration - Add KMS configuration to filer.toml
Documentation - Update SeaweedFS wiki with SSE-KMS usage examples

* store bucket sse config in proto

* add more tests

* Update SSE-C_IMPLEMENTATION.md

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Fix rebase errors and restore structured BucketMetadata API

Merge Conflict Fixes:
- Fixed merge conflicts in header.go (SSE-C and SSE-KMS headers)
- Fixed merge conflicts in s3api_errors.go (SSE-C and SSE-KMS error codes)
- Fixed merge conflicts in s3_sse_c.go (copy strategy constants)
- Fixed merge conflicts in s3api_object_handlers_copy.go (copy strategy usage)

API Restoration:
- Restored BucketMetadata struct with Tags, CORS, and Encryption fields
- Restored structured API functions: GetBucketMetadata, SetBucketMetadata, UpdateBucketMetadata
- Restored helper functions: UpdateBucketTags, UpdateBucketCORS, UpdateBucketEncryption
- Restored clear functions: ClearBucketTags, ClearBucketCORS, ClearBucketEncryption

Handler Updates:
- Updated GetBucketTaggingHandler to use GetBucketMetadata() directly
- Updated PutBucketTaggingHandler to use UpdateBucketTags()
- Updated DeleteBucketTaggingHandler to use ClearBucketTags()
- Updated CORS handlers to use UpdateBucketCORS() and ClearBucketCORS()
- Updated loadCORSFromBucketContent to use GetBucketMetadata()

Internal Function Updates:
- Updated getBucketMetadata() to return *BucketMetadata struct
- Updated setBucketMetadata() to accept *BucketMetadata struct
- Updated getBucketEncryptionMetadata() to use GetBucketMetadata()
- Updated setBucketEncryptionMetadata() to use SetBucketMetadata()

Benefits:
- Resolved all rebase conflicts while preserving both SSE-C and SSE-KMS functionality
- Maintained consistent structured API throughout the codebase
- Eliminated intermediate wrapper functions for cleaner code
- Proper error handling with better granularity
- All tests passing and build successful

The bucket metadata system now uses a unified, type-safe, structured API
that supports tags, CORS, and encryption configuration consistently.

* Fix updateEncryptionConfiguration for first-time bucket encryption setup

- Change getBucketEncryptionMetadata to getBucketMetadata to avoid failures when no encryption config exists
- Change setBucketEncryptionMetadata to setBucketMetadataWithEncryption for consistency
- This fixes the critical issue where bucket encryption configuration failed for buckets without existing encryption

Fixes: https://github.com/seaweedfs/seaweedfs/pull/7144#discussion_r2285669572

* Fix rebase conflicts and maintain structured BucketMetadata API

Resolved Conflicts:
- Fixed merge conflicts in s3api_bucket_config.go between structured API (HEAD) and old intermediate functions
- Kept modern structured API approach: UpdateBucketCORS, ClearBucketCORS, UpdateBucketEncryption
- Removed old intermediate functions: setBucketTags, deleteBucketTags, setBucketMetadataWithEncryption

API Consistency Maintained:
- updateCORSConfiguration: Uses UpdateBucketCORS() directly
- removeCORSConfiguration: Uses ClearBucketCORS() directly
- updateEncryptionConfiguration: Uses UpdateBucketEncryption() directly
- All structured API functions preserved: GetBucketMetadata, SetBucketMetadata, UpdateBucketMetadata

Benefits:
- Maintains clean separation between API layers
- Preserves atomic metadata updates with proper error handling
- Eliminates function indirection for better performance
- Consistent API usage pattern throughout codebase
- All tests passing and build successful

The bucket metadata system continues to use the unified, type-safe, structured API
that properly handles tags, CORS, and encryption configuration without any
intermediate wrapper functions.

* Fix complex rebase conflicts and maintain clean structured BucketMetadata API

Resolved Complex Conflicts:
- Fixed merge conflicts between modern structured API (HEAD) and mixed approach
- Removed duplicate function declarations that caused compilation errors
- Consistently chose structured API approach over intermediate functions

Fixed Functions:
- BucketMetadata struct: Maintained clean field alignment
- loadCORSFromBucketContent: Uses GetBucketMetadata() directly
- updateCORSConfiguration: Uses UpdateBucketCORS() directly
- removeCORSConfiguration: Uses ClearBucketCORS() directly
- getBucketMetadata: Returns *BucketMetadata struct consistently
- setBucketMetadata: Accepts *BucketMetadata struct consistently

Removed Duplicates:
- Eliminated duplicate GetBucketMetadata implementations
- Eliminated duplicate SetBucketMetadata implementations
- Eliminated duplicate UpdateBucketMetadata implementations
- Eliminated duplicate helper functions (UpdateBucketTags, etc.)

API Consistency Achieved:
- Single, unified BucketMetadata struct for all operations
- Atomic updates through UpdateBucketMetadata with function callbacks
- Type-safe operations with proper error handling
- No intermediate wrapper functions cluttering the API

Benefits:
- Clean, maintainable codebase with no function duplication
- Consistent structured API usage throughout all bucket operations
- Proper error handling and type safety
- Build successful and all tests passing

The bucket metadata system now has a completely clean, structured API
without any conflicts, duplicates, or inconsistencies.

* Update remaining functions to use new structured BucketMetadata APIs directly

Updated functions to follow the pattern established in bucket config:
- getEncryptionConfiguration() -> Uses GetBucketMetadata() directly
- removeEncryptionConfiguration() -> Uses ClearBucketEncryption() directly

Benefits:
- Consistent API usage pattern across all bucket metadata operations
- Simpler, more readable code that leverages the structured API
- Eliminates calls to intermediate legacy functions
- Better error handling and logging consistency
- All tests pass with improved functionality

This completes the transition to using the new structured BucketMetadata API
throughout the entire bucket configuration and encryption subsystem.

* Fix GitHub PR #7144 code review comments

Address all code review comments from Gemini Code Assist bot:

1. **High Priority - SSE-KMS Key Validation**: Fixed ValidateSSEKMSKey to allow empty KMS key ID
   - Empty key ID now indicates use of default KMS key (consistent with AWS behavior)
   - Updated ParseSSEKMSHeaders to call validation after parsing
   - Enhanced isValidKMSKeyID to reject keys with spaces and invalid characters

2. **Medium Priority - KMS Registry Error Handling**: Improved error collection in CloseAll
   - Now collects all provider close errors instead of only returning the last one
   - Uses proper error formatting with %w verb for error wrapping
   - Returns single error for one failure, combined message for multiple failures

3. **Medium Priority - Local KMS Aliases Consistency**: Fixed alias handling in CreateKey
   - Now updates the aliases slice in-place to maintain consistency
   - Ensures both p.keys map and key.Aliases slice use the same prefixed format

All changes maintain backward compatibility and improve error handling robustness.
Tests updated and passing for all scenarios including edge cases.

* Use errors.Join for KMS registry error handling

Replace manual string building with the more idiomatic errors.Join function:

- Removed manual error message concatenation with strings.Builder
- Simplified error handling logic by using errors.Join(allErrors...)
- Removed unnecessary string import
- Added errors import for errors.Join

This approach is cleaner, more idiomatic, and automatically handles:
- Returning nil for empty error slice
- Returning single error for one-element slice
- Properly formatting multiple errors with newlines

The errors.Join function was introduced in Go 1.20 and is the
recommended way to combine multiple errors.

* Update registry.go

* Fix GitHub PR #7144 latest review comments

Address all new code review comments from Gemini Code Assist bot:

1. **High Priority - SSE-KMS Detection Logic**: Tightened IsSSEKMSEncrypted function
   - Now relies only on the canonical x-amz-server-side-encryption header
   - Removed redundant check for x-amz-encrypted-data-key metadata
   - Prevents misinterpretation of objects with inconsistent metadata state
   - Updated test case to reflect correct behavior (encrypted data key only = false)

2. **Medium Priority - UUID Validation**: Enhanced KMS key ID validation
   - Replaced simplistic length/hyphen count check with proper regex validation
   - Added regexp import for robust UUID format checking
   - Regex pattern: ^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$
   - Prevents invalid formats like '------------------------------------' from passing

3. **Medium Priority - Alias Mutation Fix**: Avoided input slice modification
   - Changed CreateKey to not mutate the input aliases slice in-place
   - Uses local variable for modified alias to prevent side effects
   - Maintains backward compatibility while being safer for callers

All changes improve code robustness and follow AWS S3 standards more closely.
Tests updated and passing for all scenarios including edge cases.

* Fix failing SSE tests

Address two failing test cases:

1. **TestSSEHeaderConflicts**: Fixed SSE-C and SSE-KMS mutual exclusion
   - Modified IsSSECRequest to return false if SSE-KMS headers are present
   - Modified IsSSEKMSRequest to return false if SSE-C headers are present
   - This prevents both detection functions from returning true simultaneously
   - Aligns with AWS S3 behavior where SSE-C and SSE-KMS are mutually exclusive

2. **TestBucketEncryptionEdgeCases**: Fixed XML namespace validation
   - Added namespace validation in encryptionConfigFromXMLBytes function
   - Now rejects XML with invalid namespaces (only allows empty or AWS standard namespace)
   - Validates XMLName.Space to ensure proper XML structure
   - Prevents acceptance of malformed XML with incorrect namespaces

Both fixes improve compliance with AWS S3 standards and prevent invalid
configurations from being accepted. All SSE and bucket encryption tests
now pass successfully.

* Fix GitHub PR #7144 latest review comments

Address two new code review comments from Gemini Code Assist bot:

1. **High Priority - Race Condition in UpdateBucketMetadata**: Fixed thread safety issue
   - Added per-bucket locking mechanism to prevent race conditions
   - Introduced bucketMetadataLocks map with RWMutex for each bucket
   - Added getBucketMetadataLock helper with double-checked locking pattern
   - UpdateBucketMetadata now uses bucket-specific locks to serialize metadata updates
   - Prevents last-writer-wins scenarios when concurrent requests update different metadata parts

2. **Medium Priority - KMS Key ARN Validation**: Improved robustness of ARN validation
   - Enhanced isValidKMSKeyID function to strictly validate ARN structure
   - Changed from 'len(parts) >= 6' to 'len(parts) != 6' for exact part count
   - Added proper resource validation for key/ and alias/ prefixes
   - Prevents malformed ARNs with incorrect structure from being accepted
   - Now validates: arn:aws:kms:region:account:key/keyid or arn:aws:kms:region:account:alias/aliasname

Both fixes improve system reliability and prevent edge cases that could cause
data corruption or security issues. All existing tests continue to pass.

* format

* address comments

* Configuration Adapter

* Regex Optimization

* Caching Integration

* add negative cache for non-existent buckets

* remove bucketMetadataLocks

* address comments

* address comments

* copying objects with sse-kms

* copying strategy

* store IV in entry metadata

* implement compression reader

* extract json map as sse kms context

* bucket key

* comments

* rotate sse chunks

* KMS Data Keys use AES-GCM + nonce

* add comments

* Update weed/s3api/s3_sse_kms.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update s3api_object_handlers_put.go

* get IV from response header

* set sse headers

* Update s3api_object_handlers.go

* deterministic JSON marshaling

* store iv in entry metadata

* address comments

* not used

* store iv in destination metadata

ensures that SSE-C copy operations with re-encryption (decrypt/re-encrypt scenario) now properly store the destination encryption metadata

* add todo

* address comments

* SSE-S3 Deserialization

* add BucketKMSCache to BucketConfig

* fix test compilation

* already not empty

* use constants

* fix: critical metadata (encrypted data keys, encryption context, etc.) was never stored during PUT/copy operations

* address comments

* fix tests

* Fix SSE-KMS Copy Re-encryption

* Cache now persists across requests

* fix test

* iv in metadata only

* SSE-KMS copy operations should follow the same pattern as SSE-C

* fix size overhead calculation

* Filer-Side SSE Metadata Processing

* SSE Integration Tests

* fix tests

* clean up

* Update s3_sse_multipart_test.go

* add s3 sse tests

* unused

* add logs

* Update Makefile

* Update Makefile

* s3 health check

* The tests were failing because they tried to run both SSE-C and SSE-KMS tests

* Update weed/s3api/s3_sse_c.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update Makefile

* add back

* Update Makefile

* address comments

* fix tests

* Update s3-sse-tests.yml

* Update s3-sse-tests.yml

* fix sse-kms for PUT operation

* IV

* Update auth_credentials.go

* fix multipart with kms

* constants

* multipart sse kms

Modified handleSSEKMSResponse to detect multipart SSE-KMS objects
Added createMultipartSSEKMSDecryptedReader to handle each chunk independently
Each chunk now gets its own decrypted reader before combining into the final stream

* validate key id

* add SSEType

* permissive kms key format

* Update s3_sse_kms_test.go

* format

* assert equal

* uploading SSE-KMS metadata per chunk

* persist sse type and metadata

* avoid re-chunk multipart uploads

* decryption process to use stored PartOffset values

* constants

* sse-c multipart upload

* Unified Multipart SSE Copy

* purge

* fix fatalf

* avoid io.MultiReader which does not close underlying readers

* unified cross-encryption

* fix Single-object SSE-C

* adjust constants

* range read sse files

* remove debug logs

* add sse-s3

* copying sse-s3 objects

* fix copying

* Resolve merge conflicts: integrate SSE-S3 encryption support

- Resolved conflicts in protobuf definitions to add SSE_S3 enum value
- Integrated SSE-S3 server-side encryption with S3-managed keys
- Updated S3 API handlers to support SSE-S3 alongside existing SSE-C and SSE-KMS
- Added comprehensive SSE-S3 integration tests
- Resolved conflicts in filer server handlers for encryption support
- Updated constants and headers for SSE-S3 metadata handling
- Ensured backward compatibility with existing encryption methods

All merge conflicts resolved and codebase compiles successfully.

* Regenerate corrupted protobuf file after merge

- Regenerated weed/pb/filer_pb/filer.pb.go using protoc
- Fixed protobuf initialization panic caused by merge conflict resolution
- Verified SSE functionality works correctly after regeneration

* Refactor repetitive encryption header filtering logic

Address PR comment by creating a helper function shouldSkipEncryptionHeader()
to consolidate repetitive code when copying extended attributes during S3
object copy operations.

Changes:
- Extract repetitive if/else blocks into shouldSkipEncryptionHeader()
- Support all encryption types: SSE-C, SSE-KMS, and SSE-S3
- Group header constants by encryption type for cleaner logic
- Handle all cross-encryption scenarios (e.g., SSE-KMS→SSE-C, SSE-S3→unencrypted)
- Improve code maintainability and readability
- Add comprehensive documentation for the helper function

The refactoring reduces code duplication from ~50 lines to ~10 lines while
maintaining identical functionality. All SSE copy tests continue to pass.

* reduce logs

* Address PR comments: consolidate KMS validation & reduce debug logging

1. Create shared s3_validation_utils.go for consistent KMS key validation
   - Move isValidKMSKeyID from s3_sse_kms.go to shared utility
   - Ensures consistent validation across bucket encryption, object operations, and copy validation
   - Eliminates coupling between s3_bucket_encryption.go and s3_sse_kms.go
   - Provides comprehensive validation: rejects spaces, control characters, validates length

2. Reduce verbose debug logging in calculateIVWithOffset function
   - Change glog.Infof to glog.V(4).Infof for debug statements
   - Prevents log flooding in production environments
   - Consistent with other debug logs in the codebase

Both changes improve code quality, maintainability, and production readiness.

* Fix critical issues identified in PR review #7151

1. Remove unreachable return statement in s3_sse_s3.go
   - Fixed dead code on line 43 that was unreachable after return on line 42
   - Ensures proper function termination and eliminates confusion

2. Fix malformed error handling in s3api_object_handlers_put.go
   - Corrected incorrectly indented and duplicated error handling block
   - Fixed compilation error caused by syntax issues in merge conflict resolution
   - Proper error handling for encryption context parsing now restored

3. Remove misleading test case in s3_sse_integration_test.go
   - Eliminated "Explicit Encryption Overrides Default" test that was misleading
   - Test claimed to verify override behavior but only tested normal bucket defaults
   - Reduces confusion and eliminates redundant test coverage

All changes verified with successful compilation and basic S3 API tests passing.

* Fix critical SSE-S3 security vulnerabilities and functionality gaps from PR review #7151

🔒 SECURITY FIXES:
1. Fix severe IV reuse vulnerability in SSE-S3 CTR mode encryption
   - Added calculateSSES3IVWithOffset function to ensure unique IVs per chunk/part
   - Updated CreateSSES3EncryptedReaderWithBaseIV to accept offset parameter
   - Prevents CTR mode IV reuse which could compromise confidentiality
   - Same secure approach as used in SSE-KMS implementation

🚀 FUNCTIONALITY FIXES:
2. Add missing SSE-S3 multipart upload support in PutObjectPartHandler
   - SSE-S3 multipart uploads now properly inherit encryption settings from CreateMultipartUpload
   - Added logic to check for SeaweedFSSSES3Encryption metadata in upload entry
   - Sets appropriate headers for putToFiler to handle SSE-S3 encryption
   - Mirrors existing SSE-KMS multipart implementation pattern

3. Fix incorrect SSE type tracking for SSE-S3 chunks
   - Changed from filer_pb.SSEType_NONE to filer_pb.SSEType_SSE_S3
   - Ensures proper chunk metadata tracking and consistency
   - Eliminates confusion about encryption status of SSE-S3 chunks

🔧 LOGGING IMPROVEMENTS:
4. Reduce verbose debug logging in SSE-S3 detection
   - Changed glog.Infof to glog.V(4).Infof for debug messages
   - Prevents log flooding in production environments
   - Consistent with other debug logging patterns

 VERIFICATION:
- All changes compile successfully
- Basic S3 API tests pass
- Security vulnerability eliminated with proper IV offset calculation
- Multipart SSE-S3 uploads now properly supported
- Chunk metadata correctly tagged with SSE-S3 type

* Address code maintainability issues from PR review #7151

🔄 CODE DEDUPLICATION:
1. Eliminate duplicate IV calculation functions
   - Created shared s3_sse_utils.go with unified calculateIVWithOffset function
   - Removed duplicate calculateSSES3IVWithOffset from s3_sse_s3.go
   - Removed duplicate calculateIVWithOffset from s3_sse_kms.go
   - Both SSE-KMS and SSE-S3 now use the same proven IV offset calculation
   - Ensures consistent cryptographic behavior across all SSE implementations

📋 SHARED HEADER LOGIC IMPROVEMENT:
2. Refactor shouldSkipEncryptionHeader for better clarity
   - Explicitly identify shared headers (AmzServerSideEncryption) used by multiple SSE types
   - Separate SSE-specific headers from shared headers for clearer reasoning
   - Added isSharedSSEHeader, isSSECOnlyHeader, isSSEKMSOnlyHeader, isSSES3OnlyHeader
   - Improved logic flow: shared headers are contextually assigned to appropriate SSE types
   - Enhanced code maintainability and reduced confusion about header ownership

🎯 BENEFITS:
- DRY principle: Single source of truth for IV offset calculation (40 lines → shared utility)
- Maintainability: Changes to IV calculation logic now only need updates in one place
- Clarity: Header filtering logic is now explicit about shared vs. specific headers
- Consistency: Same cryptographic operations across SSE-KMS and SSE-S3
- Future-proofing: Easier to add new SSE types or shared headers

 VERIFICATION:
- All code compiles successfully
- Basic S3 API tests pass
- No functional changes - purely structural improvements
- Same security guarantees maintained with better organization

* 🚨 CRITICAL FIX: Complete SSE-S3 multipart upload implementation - prevents data corruption

⚠️  CRITICAL BUG FIXED:
The SSE-S3 multipart upload implementation was incomplete and would have caused
data corruption for all multipart SSE-S3 uploads. Each part would be encrypted
with a different key, making the final assembled object unreadable.

🔍 ROOT CAUSE:
PutObjectPartHandler only set AmzServerSideEncryption header but did NOT retrieve
and pass the shared base IV and key data that were stored during CreateMultipartUpload.
This caused putToFiler to generate NEW encryption keys for each part instead of
using the consistent shared key.

 COMPREHENSIVE SOLUTION:

1. **Added missing header constants** (s3_constants/header.go):
   - SeaweedFSSSES3BaseIVHeader: for passing base IV to putToFiler
   - SeaweedFSSSES3KeyDataHeader: for passing key data to putToFiler

2. **Fixed PutObjectPartHandler** (s3api_object_handlers_multipart.go):
   - Retrieve base IV from uploadEntry.Extended[SeaweedFSSSES3BaseIV]
   - Retrieve key data from uploadEntry.Extended[SeaweedFSSSES3KeyData]
   - Pass both to putToFiler via request headers
   - Added comprehensive error handling and logging for missing data
   - Mirrors the proven SSE-KMS multipart implementation pattern

3. **Enhanced putToFiler SSE-S3 logic** (s3api_object_handlers_put.go):
   - Detect multipart parts via presence of SSE-S3 headers
   - For multipart: deserialize provided key + use base IV with offset calculation
   - For single-part: maintain existing logic (generate new key + IV)
   - Use CreateSSES3EncryptedReaderWithBaseIV for consistent multipart encryption

🔐 SECURITY & CONSISTENCY:
- Same encryption key used across ALL parts of a multipart upload
- Unique IV per part using calculateIVWithOffset (prevents CTR mode vulnerabilities)
- Proper base IV offset calculation ensures cryptographic security
- Complete metadata serialization for storage and retrieval

📊 DATA FLOW FIX:
Before: CreateMultipartUpload stores key/IV → PutObjectPart ignores → new key per part → CORRUPTED FINAL OBJECT
After:  CreateMultipartUpload stores key/IV → PutObjectPart retrieves → same key all parts → VALID FINAL OBJECT

 VERIFICATION:
- All code compiles successfully
- Basic S3 API tests pass
- Follows same proven patterns as working SSE-KMS multipart implementation
- Comprehensive error handling prevents silent failures

This fix is essential for SSE-S3 multipart uploads to function correctly in production.

* 🚨 CRITICAL FIX: Activate bucket default encryption - was completely non-functional

⚠️  CRITICAL BUG FIXED:
Bucket default encryption functions were implemented but NEVER CALLED anywhere
in the request handling pipeline, making the entire feature completely non-functional.
Users setting bucket default encryption would expect automatic encryption, but
objects would be stored unencrypted.

🔍 ROOT CAUSE:
The functions applyBucketDefaultEncryption(), applySSES3DefaultEncryption(), and
applySSEKMSDefaultEncryption() were defined in putToFiler but never invoked.
No integration point existed to check for bucket defaults when no explicit
encryption headers were provided.

 COMPLETE INTEGRATION:

1. **Added bucket default encryption logic in putToFiler** (lines 361-385):
   - Check if no explicit encryption was applied (SSE-C, SSE-KMS, or SSE-S3)
   - Call applyBucketDefaultEncryption() to check bucket configuration
   - Apply appropriate default encryption (SSE-S3 or SSE-KMS) if configured
   - Handle all metadata serialization for applied default encryption

2. **Automatic coverage for ALL upload types**:
    Regular PutObject uploads (PutObjectHandler)
    Versioned object uploads (putVersionedObject)
    Suspended versioning uploads (putSuspendedVersioningObject)
    POST policy uploads (PostPolicyHandler)
    Multipart parts (intentionally skip - inherit from CreateMultipartUpload)

3. **Proper response headers**:
   - Existing SSE type detection automatically includes bucket default encryption
   - PutObjectHandler already sets response headers based on returned sseType
   - No additional changes needed for proper S3 API compliance

🔄 AWS S3 BEHAVIOR IMPLEMENTED:
- Bucket default encryption automatically applies when no explicit encryption specified
- Explicit encryption headers always override bucket defaults (correct precedence)
- Response headers correctly indicate applied encryption method
- Supports both SSE-S3 and SSE-KMS bucket default encryption

📊 IMPACT:
Before: Bucket default encryption = COMPLETELY IGNORED (major S3 compatibility gap)
After:  Bucket default encryption = FULLY FUNCTIONAL (complete S3 compatibility)

 VERIFICATION:
- All code compiles successfully
- Basic S3 API tests pass
- Universal application through putToFiler ensures consistent behavior
- Proper error handling prevents silent failures

This fix makes bucket default encryption feature fully operational for the first time.

* 🚨 CRITICAL SECURITY FIX: Fix insufficient error handling in SSE multipart uploads

CRITICAL VULNERABILITY FIXED:
Silent failures in SSE-S3 and SSE-KMS multipart upload initialization could
lead to severe security vulnerabilities, specifically zero-value IV usage
which completely compromises encryption security.

ROOT CAUSE ANALYSIS:

1. Zero-value IV vulnerability (CRITICAL):
   - If rand.Read(baseIV) fails, IV remains all zeros
   - Zero IV in CTR mode = catastrophic crypto failure
   - All encrypted data becomes trivially decryptable

2. Silent key generation failure (HIGH):
   - If keyManager.GetOrCreateKey() fails, no encryption key stored
   - Parts upload without encryption while appearing to be encrypted
   - Data stored unencrypted despite SSE headers

3. Invalid serialization handling (MEDIUM):
   - If SerializeSSES3Metadata() fails, corrupted key data stored
   - Causes decryption failures during object retrieval
   - Silent data corruption with delayed failure

COMPREHENSIVE FIXES APPLIED:

1. Proper error propagation pattern:
   - Added criticalError variable to capture failures within anonymous function
   - Check criticalError after mkdir() call and return s3err.ErrInternalError
   - Prevents silent failures that could compromise security

2. Fixed ALL critical crypto operations:
    SSE-S3 rand.Read(baseIV) - prevents zero-value IV
    SSE-S3 keyManager.GetOrCreateKey() - prevents missing encryption keys
    SSE-S3 SerializeSSES3Metadata() - prevents invalid key data storage
    SSE-KMS rand.Read(baseIV) - prevents zero-value IV (consistency fix)

3. Fail-fast security model:
   - Any critical crypto operation failure → immediate request termination
   - No partial initialization that could lead to security vulnerabilities
   - Clear error messages for debugging without exposing sensitive details

SECURITY IMPACT:
Before: Critical crypto vulnerabilities possible
After: Cryptographically secure initialization guaranteed

This fix prevents potential data exposure and ensures cryptographic security
for all SSE multipart uploads.

* 🚨 CRITICAL FIX: Address PR review issues from #7151

⚠️  ADDRESSES CRITICAL AND MEDIUM PRIORITY ISSUES:

1. **CRITICAL: Fix IV storage for bucket default SSE-S3 encryption**
   - Problem: IV was stored in separate variable, not on SSES3Key object
   - Impact: Made decryption impossible for bucket default encrypted objects
   - Fix: Store IV directly on key.IV for proper decryption access

2. **MEDIUM: Remove redundant sseS3IV parameter**
   - Simplified applyBucketDefaultEncryption and applySSES3DefaultEncryption signatures
   - Removed unnecessary IV parameter passing since IV is now stored on key object
   - Cleaner, more maintainable API

3. **MEDIUM: Remove empty else block for code clarity**
   - Removed empty else block in filer_server_handlers_write_upload.go
   - Improves code readability and eliminates dead code

📊 DETAILED CHANGES:

**weed/s3api/s3api_object_handlers_put.go**:
- Updated applyBucketDefaultEncryption signature: removed sseS3IV parameter
- Updated applySSES3DefaultEncryption signature: removed sseS3IV parameter
- Added key.IV = iv assignment in applySSES3DefaultEncryption
- Updated putToFiler call site: removed sseS3IV variable and parameter

**weed/server/filer_server_handlers_write_upload.go**:
- Removed empty else block (lines 314-315 in original)
- Fixed missing closing brace for if r != nil block
- Improved code structure and readability

🔒 SECURITY IMPACT:

**Before Fix:**
- Bucket default SSE-S3 encryption generated objects that COULD NOT be decrypted
- IV was stored separately and lost during key retrieval process
- Silent data loss - objects appeared encrypted but were unreadable

**After Fix:**
- Bucket default SSE-S3 encryption works correctly end-to-end
- IV properly stored on key object and available during decryption
- Complete functionality restoration for bucket default encryption feature

 VERIFICATION:
- All code compiles successfully
- Bucket encryption tests pass (TestBucketEncryptionAPIOperations, etc.)
- No functional regressions detected
- Code structure improved with better clarity

These fixes ensure bucket default encryption is fully functional and secure,
addressing critical issues that would have prevented successful decryption
of encrypted objects.

* 📝 MEDIUM FIX: Improve error message clarity for SSE-S3 serialization failures

🔍 ISSUE IDENTIFIED:
Copy-paste error in SSE-S3 multipart upload error handling resulted in
identical error messages for two different failure scenarios, making
debugging difficult.

📊 BEFORE (CONFUSING):
- Key generation failure: "failed to generate SSE-S3 key for multipart upload"
- Serialization failure: "failed to serialize SSE-S3 key for multipart upload"
  ^^ SAME MESSAGE - impossible to distinguish which operation failed

 AFTER (CLEAR):
- Key generation failure: "failed to generate SSE-S3 key for multipart upload"
- Serialization failure: "failed to serialize SSE-S3 metadata for multipart upload"
  ^^ DISTINCT MESSAGE - immediately clear what failed

🛠️ CHANGE DETAILS:
**weed/s3api/filer_multipart.go (line 133)**:
- Updated criticalError message to be specific about metadata serialization
- Changed from generic "key" to specific "metadata" to indicate the operation
- Maintains consistency with the glog.Errorf message which was already correct

🔍 DEBUGGING BENEFIT:
When multipart upload initialization fails, developers can now immediately
identify whether the failure was in:
1. Key generation (crypto operation failure)
2. Metadata serialization (data encoding failure)

This distinction is critical for proper error handling and debugging in
production environments.

 VERIFICATION:
- Code compiles successfully
- All multipart tests pass (TestMultipartSSEMixedScenarios, TestMultipartSSEPerformance)
- No functional impact - purely improves error message clarity
- Follows best practices for distinct, actionable error messages

This fix improves developer experience and production debugging capabilities.

* 🚨 CRITICAL FIX: Fix IV storage for explicit SSE-S3 uploads - prevents unreadable objects

⚠️  CRITICAL VULNERABILITY FIXED:
The initialization vector (IV) returned by CreateSSES3EncryptedReader was being
discarded for explicit SSE-S3 uploads, making encrypted objects completely
unreadable. This affected all single-part PUT operations with explicit
SSE-S3 headers (X-Amz-Server-Side-Encryption: AES256).

🔍 ROOT CAUSE ANALYSIS:

**weed/s3api/s3api_object_handlers_put.go (line 338)**:

**IMPACT**:
- Objects encrypted but IMPOSSIBLE TO DECRYPT
- Silent data loss - encryption appeared successful
- Complete feature non-functionality for explicit SSE-S3 uploads

🔧 COMPREHENSIVE FIX APPLIED:

📊 AFFECTED UPLOAD SCENARIOS:

| Upload Type | Before Fix | After Fix |
|-------------|------------|-----------|
| **Explicit SSE-S3 (single-part)** |  Objects unreadable |  Full functionality |
| **Bucket default SSE-S3** |  Fixed in prev commit |  Working |
| **SSE-S3 multipart uploads** |  Already working |  Working |
| **SSE-C/SSE-KMS uploads** |  Unaffected |  Working |

🔒 SECURITY & FUNCTIONALITY RESTORATION:

**Before Fix:**
- 💥 **Explicit SSE-S3 uploads = data loss** - objects encrypted but unreadable
- 💥 **Silent failure** - no error during upload, failure during retrieval
- 💥 **Inconsistent behavior** - bucket defaults worked, explicit headers didn't

**After Fix:**
-  **Complete SSE-S3 functionality** - all upload types work end-to-end
-  **Proper IV management** - stored on key objects for reliable decryption
-  **Consistent behavior** - explicit headers and bucket defaults both work

🛠️ TECHNICAL IMPLEMENTATION:

1. **Capture IV from CreateSSES3EncryptedReader**:
   - Changed from discarding (_) to capturing (iv) the return value

2. **Store IV on key object**:
   - Added sseS3Key.IV = iv assignment
   - Ensures IV is included in metadata serialization

3. **Maintains compatibility**:
   - No changes to function signatures or external APIs
   - Consistent with bucket default encryption pattern

 VERIFICATION:
- All code compiles successfully
- All SSE tests pass (48 SSE-related tests)
- Integration tests run successfully
- No functional regressions detected
- Fixes critical data accessibility issue

This completes the SSE-S3 implementation by ensuring IVs are properly stored
for ALL SSE-S3 upload scenarios, making the feature fully production-ready.

* 🧪 ADD CRITICAL REGRESSION TESTS: Prevent IV storage bugs in SSE-S3

⚠️  BACKGROUND - WHY THESE TESTS ARE NEEDED:
The two critical IV storage bugs I fixed earlier were NOT caught by existing
integration tests because the existing tests were too high-level and didn't
verify the specific implementation details where the bugs existed.

🔍 EXISTING TEST ANALYSIS:
- 10 SSE test files with 56 test functions existed
- Tests covered component functionality but missed integration points
- TestSSES3IntegrationBasic and TestSSES3BucketDefaultEncryption existed
- BUT they didn't catch IV storage bugs - they tested overall flow, not internals

🎯 NEW REGRESSION TESTS ADDED:

1. **TestSSES3IVStorageRegression**:
   - Tests explicit SSE-S3 uploads (X-Amz-Server-Side-Encryption: AES256)
   - Verifies IV is properly stored on key object for decryption
   - Would have FAILED with original bug where IV was discarded in putToFiler
   - Tests multiple objects to ensure unique IV storage

2. **TestSSES3BucketDefaultIVStorageRegression**:
   - Tests bucket default SSE-S3 encryption (no explicit headers)
   - Verifies applySSES3DefaultEncryption stores IV on key object
   - Would have FAILED with original bug where IV wasn't stored on key
   - Tests multiple objects with bucket default encryption

3. **TestSSES3EdgeCaseRegression**:
   - Tests empty objects (0 bytes) with SSE-S3
   - Tests large objects (1MB) with SSE-S3
   - Ensures IV storage works across all object sizes

4. **TestSSES3ErrorHandlingRegression**:
   - Tests SSE-S3 with metadata and other S3 operations
   - Verifies integration doesn't break with additional headers

5. **TestSSES3FunctionalityCompletion**:
   - Comprehensive test of all SSE-S3 scenarios
   - Both explicit headers and bucket defaults
   - Ensures complete functionality after bug fixes

🔒 CRITICAL TEST CHARACTERISTICS:

**Explicit Decryption Verification**:

**Targeted Bug Detection**:
- Tests the exact code paths where bugs existed
- Verifies IV storage at metadata/key object level
- Tests both explicit SSE-S3 and bucket default scenarios
- Covers edge cases (empty, large objects)

**Integration Point Testing**:
- putToFiler() → CreateSSES3EncryptedReader() → IV storage
- applySSES3DefaultEncryption() → IV storage on key object
- Bucket configuration → automatic encryption application

📊 TEST RESULTS:
 All 4 new regression test suites pass (11 sub-tests total)
 TestSSES3IVStorageRegression: PASS (0.26s)
 TestSSES3BucketDefaultIVStorageRegression: PASS (0.46s)
 TestSSES3EdgeCaseRegression: PASS (0.46s)
 TestSSES3FunctionalityCompletion: PASS (0.25s)

🎯 FUTURE BUG PREVENTION:

**What These Tests Catch**:
- IV storage failures (both explicit and bucket default)
- Metadata serialization issues
- Key object integration problems
- Decryption failures due to missing/corrupted IVs

**Test Strategy Improvement**:
- Added integration-point testing alongside component testing
- End-to-end encrypt→store→retrieve→decrypt verification
- Edge case coverage (empty, large objects)
- Error condition testing

🔄 CI/CD INTEGRATION:
These tests run automatically in the test suite and will catch similar
critical bugs before they reach production. The regression tests complement
existing unit tests by focusing on integration points and data flow.

This ensures the SSE-S3 feature remains fully functional and prevents
regression of the critical IV storage bugs that were fixed.

* Clean up dead code: remove commented-out code blocks and unused TODO comments

* 🔒 CRITICAL SECURITY FIX: Address IV reuse vulnerability in SSE-S3/KMS multipart uploads

**VULNERABILITY ADDRESSED:**
Resolved critical IV reuse vulnerability in SSE-S3 and SSE-KMS multipart uploads
identified in GitHub PR review #3142971052. Using hardcoded offset of 0 for all
multipart upload parts created identical encryption keystreams, compromising
data confidentiality in CTR mode encryption.

**CHANGES MADE:**

1. **Enhanced putToFiler Function Signature:**
   - Added partNumber parameter to calculate unique offsets for each part
   - Prevents IV reuse by ensuring each part gets a unique starting IV

2. **Part Offset Calculation:**
   - Implemented secure offset calculation: (partNumber-1) * 8GB
   - 8GB multiplier ensures no overlap between parts (S3 max part size is 5GB)
   - Applied to both SSE-S3 and SSE-KMS encryption modes

3. **Updated SSE-S3 Implementation:**
   - Modified putToFiler to use partOffset instead of hardcoded 0
   - Enhanced CreateSSES3EncryptedReaderWithBaseIV calls with unique offsets

4. **Added SSE-KMS Security Fix:**
   - Created CreateSSEKMSEncryptedReaderWithBaseIVAndOffset function
   - Updated KMS multipart encryption to use unique IV offsets

5. **Updated All Call Sites:**
   - PutObjectPartHandler: passes actual partID for multipart uploads
   - Single-part uploads: use partNumber=1 for consistency
   - Post-policy uploads: use partNumber=1

**SECURITY IMPACT:**
 BEFORE: All multipart parts used same IV (critical vulnerability)
 AFTER: Each part uses unique IV calculated from part number (secure)

**VERIFICATION:**
 All regression tests pass (TestSSES3.*Regression)
 Basic SSE-S3 functionality verified
 Both explicit SSE-S3 and bucket default scenarios tested
 Build verification successful

**AFFECTED FILES:**
- weed/s3api/s3api_object_handlers_put.go (main fix)
- weed/s3api/s3api_object_handlers_multipart.go (part ID passing)
- weed/s3api/s3api_object_handlers_postpolicy.go (call site update)
- weed/s3api/s3_sse_kms.go (SSE-KMS offset function added)

This fix ensures that the SSE-S3 and SSE-KMS multipart upload implementations
are cryptographically secure and prevent IV reuse attacks in CTR mode encryption.

* ♻️ REFACTOR: Extract crypto constants to eliminate magic numbers

 Changes:
• Create new s3_constants/crypto.go with centralized cryptographic constants
• Replace hardcoded values:
  - AESBlockSize = 16 → s3_constants.AESBlockSize
  - SSEAlgorithmAES256 = "AES256" → s3_constants.SSEAlgorithmAES256
  - SSEAlgorithmKMS = "aws:kms" → s3_constants.SSEAlgorithmKMS
  - PartOffsetMultiplier = 1<<33 → s3_constants.PartOffsetMultiplier
• Remove duplicate AESBlockSize from s3_sse_c.go
• Update all 16 references across 8 files for consistency
• Remove dead/unreachable code in s3_sse_s3.go

🎯 Benefits:
• Eliminates magic numbers for better maintainability
• Centralizes crypto constants in one location
• Improves code readability and reduces duplication
• Makes future updates easier (change in one place)

 Tested: All S3 API packages compile successfully

* ♻️ REFACTOR: Extract common validation utilities

 Changes:
• Enhanced s3_validation_utils.go with reusable validation functions:
  - ValidateIV() - centralized IV length validation (16 bytes for AES)
  - ValidateSSEKMSKey() - null check for SSE-KMS keys
  - ValidateSSECKey() - null check for SSE-C customer keys
  - ValidateSSES3Key() - null check for SSE-S3 keys

• Updated 7 validation call sites across 3 files:
  - s3_sse_kms.go: 5 IV validation calls + 1 key validation
  - s3_sse_c.go: 1 IV validation call
  - Replaced repetitive validation patterns with function calls

🎯 Benefits:
• Eliminates duplicated validation logic (DRY principle)
• Consistent error messaging across all SSE validation
• Easier to update validation rules in one place
• Better maintainability and readability
• Reduces cognitive complexity of individual functions

 Tested: All S3 API packages compile successfully, no lint errors

* ♻️ REFACTOR: Extract SSE-KMS data key generation utilities (part 1/2)

 Changes:
• Create new s3_sse_kms_utils.go with common utility functions:
  - generateKMSDataKey() - centralized KMS data key generation
  - clearKMSDataKey() - safe memory cleanup for data keys
  - createSSEKMSKey() - SSEKMSKey struct creation from results
  - KMSDataKeyResult type - structured result container

• Refactor CreateSSEKMSEncryptedReaderWithBucketKey to use utilities:
  - Replace 30+ lines of repetitive code with 3 utility function calls
  - Maintain same functionality with cleaner structure
  - Improved error handling and memory management
  - Use s3_constants.AESBlockSize for consistency

🎯 Benefits:
• Eliminates code duplication across multiple SSE-KMS functions
• Centralizes KMS provider setup and error handling
• Consistent data key generation pattern
• Easier to maintain and update KMS integration
• Better separation of concerns

📋 Next: Refactor remaining 2 SSE-KMS functions to use same utilities

 Tested: All S3 API packages compile successfully

* ♻️ REFACTOR: Complete SSE-KMS utilities extraction (part 2/2)

 Changes:
• Refactored remaining 2 SSE-KMS functions to use common utilities:
  - CreateSSEKMSEncryptedReaderWithBaseIV (lines 121-138)
  - CreateSSEKMSEncryptedReaderWithBaseIVAndOffset (lines 157-173)

• Eliminated 60+ lines of duplicate code across 3 functions:
  - Before: Each function had ~25 lines of KMS setup + cipher creation
  - After: Each function uses 3 utility function calls
  - Total code reduction: ~75 lines → ~15 lines of core logic

• Consistent patterns now used everywhere:
  - generateKMSDataKey() for all KMS data key generation
  - clearKMSDataKey() for all memory cleanup
  - createSSEKMSKey() for all SSEKMSKey struct creation
  - s3_constants.AESBlockSize for all IV allocations

🎯 Benefits:
• 80% reduction in SSE-KMS implementation duplication
• Single source of truth for KMS data key generation
• Centralized error handling and memory management
• Consistent behavior across all SSE-KMS functions
• Much easier to maintain, test, and update

 Tested: All S3 API packages compile successfully, no lint errors
🏁 Phase 2 Step 1 Complete: Core SSE-KMS patterns extracted

* ♻️ REFACTOR: Consolidate error handling patterns

 Changes:
• Create new s3_error_utils.go with common error handling utilities:
  - handlePutToFilerError() - standardized putToFiler error format
  - handlePutToFilerInternalError() - convenience for internal errors
  - handleMultipartError() - standardized multipart error format
  - handleMultipartInternalError() - convenience for multipart internal errors
  - handleSSEError() - SSE-specific error handling with context
  - handleSSEInternalError() - convenience for SSE internal errors
  - logErrorAndReturn() - general error logging with S3 error codes

• Refactored 12+ error handling call sites across 2 key files:
  - s3api_object_handlers_put.go: 10+ SSE error patterns simplified
  - filer_multipart.go: 2 multipart error patterns simplified

• Benefits achieved:
  - Consistent error messages across all S3 operations
  - Reduced code duplication from ~3 lines per error → 1 line
  - Centralized error logging format and context
  - Easier to modify error handling behavior globally
  - Better maintainability for error response patterns

🎯 Impact:
• ~30 lines of repetitive error handling → ~12 utility function calls
• Consistent error context (operation names, SSE types)
• Single source of truth for error message formatting

 Tested: All S3 API packages compile successfully
🏁 Phase 2 Step 2 Complete: Error handling patterns consolidated

* 🚀 REFACTOR: Break down massive putToFiler function (MAJOR)

 Changes:
• Created new s3api_put_handlers.go with focused encryption functions:
  - calculatePartOffset() - part offset calculation (5 lines)
  - handleSSECEncryption() - SSE-C processing (25 lines)
  - handleSSEKMSEncryption() - SSE-KMS processing (60 lines)
  - handleSSES3Encryption() - SSE-S3 processing (80 lines)

• Refactored putToFiler function from 311+ lines → ~161 lines (48% reduction):
  - Replaced 150+ lines of encryption logic with 4 function calls
  - Eliminated duplicate metadata serialization calls
  - Improved error handling consistency
  - Better separation of concerns

• Additional improvements:
  - Fixed AESBlockSize references in 3 test files
  - Consistent function signatures and return patterns
  - Centralized encryption logic in dedicated functions
  - Each function handles single responsibility (SSE type)

📊 Impact:
• putToFiler complexity: Very High → Medium
• Total encryption code: ~200 lines → ~170 lines (reusable functions)
• Code duplication: Eliminated across 3 SSE types
• Maintainability: Significantly improved
• Testability: Much easier to unit test individual components

🎯 Benefits:
• Single Responsibility Principle: Each function handles one SSE type
• DRY Principle: No more duplicate encryption patterns
• Open/Closed Principle: Easy to add new SSE types
• Better debugging: Focused functions with clear scope
• Improved readability: Logic flow much easier to follow

 Tested: All S3 API packages compile successfully
🏁 FINAL PHASE: All major refactoring goals achieved

* 🔧 FIX: Store SSE-S3 metadata per-chunk for consistency

 Changes:
• Store SSE-S3 metadata in sseKmsMetadata field per-chunk (lines 306-308)
• Updated comment to reflect proper metadata storage behavior
• Changed log message from 'Processing' to 'Storing' for accuracy

🎯 Benefits:
• Consistent metadata handling across all SSE types (SSE-KMS, SSE-C, SSE-S3)
• Future-proof design for potential object modification features
• Proper per-chunk metadata storage matches architectural patterns
• Better consistency with existing SSE implementations

🔍 Technical Details:
• SSE-S3 metadata now stored in same field used by SSE-KMS/SSE-C
• Maintains backward compatibility with object-level metadata
• Follows established pattern in ToPbFileChunkWithSSE method
• Addresses PR reviewer feedback for improved architecture

 Impact:
• No breaking changes - purely additive improvement
• Better consistency across SSE type implementations
• Enhanced future maintainability and extensibility

* ♻️ REFACTOR: Rename sseKmsMetadata to sseMetadata for accuracy

 Changes:
• Renamed misleading variable sseKmsMetadata → sseMetadata (5 occurrences)
• Variable now properly reflects it stores metadata for all SSE types
• Updated all references consistently throughout the function

🎯 Benefits:
• Accurate naming: Variable stores SSE-KMS, SSE-C, AND SSE-S3 metadata
• Better code clarity: Name reflects actual usage across all SSE types
• Improved maintainability: No more confusion about variable purpose
• Consistent with unified metadata handling approach

📝 Technical Details:
• Variable declared on line 249: var sseMetadata []byte
• Used for SSE-KMS metadata (line 258)
• Used for SSE-C metadata (line 287)
• Used for SSE-S3 metadata (line 308)
• Passed to ToPbFileChunkWithSSE (line 319)

 Quality: All server packages compile successfully
🎯 Impact: Better code readability and maintainability

* ♻️ REFACTOR: Simplify shouldSkipEncryptionHeader logic for better readability

 Changes:
• Eliminated indirect is...OnlyHeader and isSharedSSEHeader variables
• Defined header types directly with inline shared header logic
• Merged intermediate variable definitions into final header categorizations
• Fixed missing import in s3_sse_multipart_test.go for s3_constants

🎯 Benefits:
• More self-contained and easier to follow logic
• Reduced code indirection and complexity
• Improved readability and maintainability
• Direct header type definitions incorporate shared AmzServerSideEncryption logic inline

📝 Technical Details:
Before:
• Used separate isSharedSSEHeader, is...OnlyHeader variables
• Required convenience groupings to combine shared and specific headers

After:
• Direct isSSECHeader, isSSEKMSHeader, isSSES3Header definitions
• Inline logic for shared AmzServerSideEncryption header
• Cleaner, more self-documenting code structure

 Quality: All copy tests pass successfully
🎯 Impact: Better code maintainability without behavioral changes

Addresses: https://github.com/seaweedfs/seaweedfs/pull/7151#pullrequestreview-3143093588

* 🐛 FIX: Correct SSE-S3 logging condition to avoid misleading logs

 Problem Fixed:
• Logging condition 'sseHeader != "" || result' was too broad
• Logged for ANY SSE request (SSE-C, SSE-KMS, SSE-S3) due to logical equivalence
• Log message said 'SSE-S3 detection' but fired for other SSE types too
• Misleading debugging information for developers

🔧 Solution:
• Changed condition from 'sseHeader != "" || result' to 'if result'
• Now only logs when SSE-S3 is actually detected (result = true)
• Updated comment from 'for any SSE-S3 requests' to 'for SSE-S3 requests'
• Log precision matches the actual SSE-S3 detection logic

🎯 Technical Analysis:
Before: sseHeader != "" || result
• Since result = (sseHeader == SSES3Algorithm)
• If result is true, then sseHeader is not empty
• Condition equivalent to sseHeader != "" (logs all SSE types)

After: if result
• Only logs when sseHeader == SSES3Algorithm
• Precise logging that matches the function's purpose
• No more false positives from other SSE types

 Quality: SSE-S3 integration tests pass successfully
🎯 Impact: More accurate debugging logs, less log noise

* Update s3_sse_s3.go

* 📝 IMPROVE: Address Copilot AI code review suggestions for better performance and clarity

 Changes Applied:
1. **Enhanced Function Documentation**
   • Clarified CreateSSES3EncryptedReaderWithBaseIV return value
   • Added comment indicating returned IV is offset-derived, not input baseIV
   • Added inline comment /* derivedIV */ for return type clarity

2. **Optimized Logging Performance**
   • Reduced verbose logging in calculateIVWithOffset function
   • Removed 3 debug glog.V(4).Infof calls from hot path loop
   • Consolidated to single summary log statement
   • Prevents performance impact in high-throughput scenarios

3. **Improved Code Readability**
   • Fixed shouldSkipEncryptionHeader function call formatting
   • Improved multi-line parameter alignment for better readability
   • Cleaner, more consistent code structure

🎯 Benefits:
• **Performance**: Eliminated per-iteration logging in IV calculation hot path
• **Clarity**: Clear documentation on what IV is actually returned
• **Maintainability**: Better formatted function calls, easier to read
• **Production Ready**: Reduced log noise for high-volume encryption operations

📝 Technical Details:
• calculateIVWithOffset: 4 debug statements → 1 consolidated statement
• CreateSSES3EncryptedReaderWithBaseIV: Enhanced documentation accuracy
• shouldSkipEncryptionHeader: Improved parameter formatting consistency

 Quality: All SSE-S3, copy, and multipart tests pass successfully
🎯 Impact: Better performance and code clarity without behavioral changes

Addresses: https://github.com/seaweedfs/seaweedfs/pull/7151#pullrequestreview-3143190092

* 🐛 FIX: Enable comprehensive KMS key ID validation in ParseSSEKMSHeaders

 Problem Identified:
• Test TestSSEKMSInvalidConfigurations/Invalid_key_ID_format was failing
• ParseSSEKMSHeaders only called ValidateSSEKMSKey (basic nil check)
• Did not call ValidateSSEKMSKeyInternal which includes isValidKMSKeyID format validation
• Invalid key IDs like "invalid key id with spaces" were accepted when they should be rejected

🔧 Solution Implemented:
• Changed ParseSSEKMSHeaders to call ValidateSSEKMSKeyInternal instead of ValidateSSEKMSKey
• ValidateSSEKMSKeyInternal includes comprehensive validation:
  - Basic nil checks (via ValidateSSEKMSKey)
  - Key ID format validation (via isValidKMSKeyID)
  - Proper rejection of key IDs with spaces, invalid formats

📝 Technical Details:
Before:
• ValidateSSEKMSKey: Only checks if sseKey is nil
• Missing key ID format validation in header parsing

After:
• ValidateSSEKMSKeyInternal: Full validation chain
  - Calls ValidateSSEKMSKey for nil checks
  - Validates key ID format using isValidKMSKeyID
  - Rejects keys with spaces, invalid formats

🎯 Test Results:
 TestSSEKMSInvalidConfigurations/Invalid_key_ID_format: Now properly fails invalid formats
 All existing SSE tests continue to pass (30+ test cases)
 Comprehensive validation without breaking existing functionality

🔍 Impact:
• Better security: Invalid key IDs properly rejected at parse time
• Consistent validation: Same validation logic across all KMS operations
• Test coverage: Previously untested validation path now working correctly

Fixes failing test case expecting rejection of key ID: "invalid key id with spaces"

* Update s3_sse_kms.go

* ♻️ REFACTOR: Address Copilot AI suggestions for better code quality

 Improvements Applied:
• Enhanced SerializeSSES3Metadata validation consistency
• Removed trailing spaces from comment lines
• Extracted deep nested SSE-S3 multipart logic into helper function
• Reduced nesting complexity from 4+ levels to 2 levels

🎯 Benefits:
• Better validation consistency across SSE serialization functions
• Improved code readability and maintainability
• Reduced cognitive complexity in multipart handlers
• Enhanced testability through better separation of concerns

 Quality: All multipart SSE tests pass successfully
🎯 Impact: Better code structure without behavioral changes

Addresses GitHub PR review suggestions for improved code quality

* ♻️ REFACTOR: Eliminate repetitive dataReader assignments in SSE handling

 Problem Addressed:
• Repetitive dataReader = encryptedReader assignments after each SSE handler
• Code duplication in SSE processing pipeline (SSE-C → SSE-KMS → SSE-S3)
• Manual SSE type determination logic at function end

🔧 Solution Implemented:
• Created unified handleAllSSEEncryption function that processes all SSE types
• Eliminated 3 repetitive dataReader assignments in putToFiler function
• Centralized SSE type determination in unified handler
• Returns structured PutToFilerEncryptionResult with all encryption data

🎯 Benefits:
• Reduced Code Duplication: 15+ lines → 3 lines in putToFiler
• Better Maintainability: Single point of SSE processing logic
• Improved Readability: Clear separation of concerns
• Enhanced Testability: Unified handler can be tested independently

 Quality: All SSE unit tests (35+) and integration tests pass successfully
🎯 Impact: Cleaner code structure with zero behavioral changes

Addresses Copilot AI suggestion to eliminate dataReader assignment duplication

* refactor

* constants

* ♻️ REFACTOR: Replace hard-coded SSE type strings with constants

• Created SSETypeC, SSETypeKMS, SSETypeS3 constants in s3_constants/crypto.go
• Replaced magic strings in 7 files for better maintainability
• All 54 SSE unit tests pass successfully
• Addresses Copilot AI suggestion to use constants instead of magic strings

* 🔒 FIX: Address critical Copilot AI security and code quality concerns

 Problem Addressed:
• Resource leak risk in filer_multipart.go encryption preparation
• High cyclomatic complexity in shouldSkipEncryptionHeader function
• Missing KMS keyID validation allowing potential injection attacks

🔧 Solution Implemented:

**1. Fix Resource Leak in Multipart Encryption**
• Moved encryption config preparation INSIDE mkdir callback
• Prevents key/IV allocation if directory creation fails
• Added proper error propagation from callback scope
• Ensures encryption resources only allocated on successful directory creation

**2. Reduce Cyclomatic Complexity in Copy Header Logic**
• Broke down shouldSkipEncryptionHeader into focused helper functions
• Created EncryptionHeaderContext struct for better data organization
• Added isSSECHeader, isSSEKMSHeader, isSSES3Header classification functions
• Split cross-encryption and encrypted-to-unencrypted logic into separate methods
• Improved testability and maintainability with structured approach

**3. Add KMS KeyID Security Validation**
• Added keyID validation in generateKMSDataKey using existing isValidKMSKeyID
• Prevents injection attacks and malformed requests to KMS service
• Validates format before making expensive KMS API calls
• Provides clear error messages for invalid key formats

🎯 Benefits:
• Security: Prevents KMS injection attacks and validates all key IDs
• Resource Safety: Eliminates encryption key leaks on mkdir failures
• Code Quality: Reduced complexity with better separation of concerns
• Maintainability: Structured approach with focused single-responsibility functions

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Enhanced security posture with cleaner, more robust code

Addresses 3 critical concerns from Copilot AI review:
https://github.com/seaweedfs/seaweedfs/pull/7151#pullrequestreview-3143244067

* format

* 🔒 FIX: Address additional Copilot AI security vulnerabilities

 Problem Addressed:
• Silent failures in SSE-S3 multipart header setup could corrupt uploads
• Missing validation in CreateSSES3EncryptedReaderWithBaseIV allows panics
• Unvalidated encryption context in KMS requests poses security risk
• Partial rand.Read could create predictable IVs for CTR mode encryption

🔧 Solution Implemented:

**1. Fix Silent SSE-S3 Multipart Failures**
• Modified handleSSES3MultipartHeaders to return error instead of void
• Added robust validation for base IV decoding and length checking
• Enhanced error messages with specific failure context
• Updated caller to handle errors and return HTTP 500 on failure
• Prevents silent multipart upload corruption

**2. Add SSES3Key Security Validation**
• Added ValidateSSES3Key() call in CreateSSES3EncryptedReaderWithBaseIV
• Validates key is non-nil and has correct 32-byte length
• Prevents panics from nil pointer dereferences
• Ensures cryptographic security with proper key validation

**3. Add KMS Encryption Context Validation**
• Added comprehensive validation in generateKMSDataKey function
• Validates context keys/values for control characters and length limits
• Enforces AWS KMS limits: ≤10 pairs, ≤2048 chars per key/value
• Prevents injection attacks and malformed KMS requests
• Added required 'strings' import for validation functions

**4. Fix Predictable IV Vulnerability**
• Modified rand.Read calls in filer_multipart.go to validate byte count
• Checks both error AND bytes read to prevent partial fills
• Added detailed error messages showing read/expected byte counts
• Prevents CTR mode IV predictability which breaks encryption security
• Applied to both SSE-KMS and SSE-S3 base IV generation

🎯 Benefits:
• Security: Prevents IV predictability, KMS injection, and nil pointer panics
• Reliability: Eliminates silent multipart upload failures
• Robustness: Comprehensive input validation across all SSE functions
• AWS Compliance: Enforces KMS service limits and validation rules

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Hardened security posture with comprehensive input validation

Addresses 4 critical security vulnerabilities from Copilot AI review:
https://github.com/seaweedfs/seaweedfs/pull/7151#pullrequestreview-3143271266

* Update s3api_object_handlers_multipart.go

* 🔒 FIX: Add critical part number validation in calculatePartOffset

 Problem Addressed:
• Function accepted invalid part numbers (≤0) which violates AWS S3 specification
• Silent failure (returning 0) could lead to IV reuse vulnerability in CTR mode
• Programming errors were masked instead of being caught during development

🔧 Solution Implemented:
• Changed validation from partNumber <= 0 to partNumber < 1 for clarity
• Added panic with descriptive error message for invalid part numbers
• AWS S3 compliance: part numbers must start from 1, never 0 or negative
• Added fmt import for proper error formatting

🎯 Benefits:
• Security: Prevents IV reuse by failing fast on invalid part numbers
• AWS Compliance: Enforces S3 specification for part number validation
• Developer Experience: Clear panic message helps identify programming errors
• Fail Fast: Programming errors caught immediately during development/testing

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Critical security improvement for multipart upload IV generation

Addresses Copilot AI concern about part number validation:
AWS S3 part numbers start from 1, and invalid values could compromise IV calculations

* fail fast with invalid part number

* 🎯 FIX: Address 4 Copilot AI code quality improvements

 Problems Addressed from PR #7151 Review 3143338544:
• Pointer parameters in bucket default encryption functions reduced code clarity
• Magic numbers for KMS validation limits lacked proper constants
• crypto/rand usage already explicit but could be clearer for reviewers

🔧 Solutions Implemented:

**1. Eliminate Pointer Parameter Pattern** 
• Created BucketDefaultEncryptionResult struct for clear return values
• Refactored applyBucketDefaultEncryption() to return result instead of modifying pointers
• Refactored applySSES3DefaultEncryption() for clarity and testability
• Refactored applySSEKMSDefaultEncryption() with improved signature
• Updated call site in putToFiler() to handle new return-based pattern

**2. Add Constants for Magic Numbers** 
• Added MaxKMSEncryptionContextPairs = 10 to s3_constants/crypto.go
• Added MaxKMSKeyIDLength = 500 to s3_constants/crypto.go
• Updated s3_sse_kms_utils.go to use MaxKMSEncryptionContextPairs
• Updated s3_validation_utils.go to use MaxKMSKeyIDLength
• Added missing s3_constants import to s3_sse_kms_utils.go

**3. Crypto/rand Usage Already Explicit** 
• Verified filer_multipart.go correctly imports crypto/rand (not math/rand)
• All rand.Read() calls use cryptographically secure implementation
• No changes needed - already following security best practices

🎯 Benefits:
• Code Clarity: Eliminated confusing pointer parameter modifications
• Maintainability: Constants make validation limits explicit and configurable
• Testability: Return-based functions easier to unit test in isolation
• Security: Verified cryptographically secure random number generation
• Standards: Follows Go best practices for function design

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Improved code maintainability and readability

Addresses Copilot AI code quality review comments:
https://github.com/seaweedfs/seaweedfs/pull/7151#pullrequestreview-3143338544

* format

* 🔧 FIX: Correct AWS S3 multipart upload part number validation

 Problem Addressed (Copilot AI Issue):
• Part validation was allowing up to 100,000 parts vs AWS S3 limit of 10,000
• Missing explicit validation warning users about the 10,000 part limit
• Inconsistent error types between part validation scenarios

🔧 Solution Implemented:

**1. Fix Incorrect Part Limit Constant** 
• Corrected globalMaxPartID from 100000 → 10000 (matches AWS S3 specification)
• Added MaxS3MultipartParts = 10000 constant to s3_constants/crypto.go
• Consolidated multipart limits with other S3 service constraints

**2. Updated Part Number Validation** 
• Updated PutObjectPartHandler to use s3_constants.MaxS3MultipartParts
• Updated CopyObjectPartHandler to use s3_constants.MaxS3MultipartParts
• Changed error type from ErrInvalidMaxParts → ErrInvalidPart for consistency
• Removed obsolete globalMaxPartID constant definition

**3. Consistent Error Handling** 
• Both regular and copy part handlers now use ErrInvalidPart for part number validation
• Aligned with AWS S3 behavior for invalid part number responses
• Maintains existing validation for partID < 1 (already correct)

🎯 Benefits:
• AWS S3 Compliance: Enforces correct 10,000 part limit per AWS specification
• Security: Prevents resource exhaustion from excessive part numbers
• Consistency: Unified validation logic across multipart upload and copy operations
• Constants: Better maintainability with centralized S3 service constraints
• Error Clarity: Consistent error responses for all part number validation failures

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Critical AWS S3 compliance fix for multipart upload validation

Addresses Copilot AI validation concern:
AWS S3 allows maximum 10,000 parts in a multipart upload, not 100,000

* 📚 REFACTOR: Extract SSE-S3 encryption helper functions for better readability

 Problem Addressed (Copilot AI Nitpick):
• handleSSES3Encryption function had high complexity with nested conditionals
• Complex multipart upload logic (lines 134-168) made function hard to read and maintain
• Single monolithic function handling two distinct scenarios (single-part vs multipart)

🔧 Solution Implemented:

**1. Extracted Multipart Logic** 
• Created handleSSES3MultipartEncryption() for multipart upload scenarios
• Handles key data decoding, base IV processing, and offset-aware encryption
• Clear single-responsibility function with focused error handling

**2. Extracted Single-Part Logic** 
• Created handleSSES3SinglePartEncryption() for single-part upload scenarios
• Handles key generation, IV creation, and key storage
• Simplified function signature without unused parameters

**3. Simplified Main Function** 
• Refactored handleSSES3Encryption() to orchestrate the two helper functions
• Reduced from 70+ lines to 35 lines with clear decision logic
• Eliminated deeply nested conditionals and improved readability

**4. Improved Code Organization** 
• Each function now has single responsibility (SRP compliance)
• Better error propagation with consistent s3err.ErrorCode returns
• Enhanced maintainability through focused, testable functions

🎯 Benefits:
• Readability: Complex nested logic now split into focused functions
• Maintainability: Each function handles one specific encryption scenario
• Testability: Smaller functions are easier to unit test in isolation
• Reusability: Helper functions can be used independently if needed
• Debugging: Clearer stack traces with specific function names
• Code Review: Easier to review smaller, focused functions

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Significantly improved code readability without functional changes

Addresses Copilot AI complexity concern:
Function had high complexity with nested conditionals - now properly factored

* 🏷️ RENAME: Change sse_kms_metadata to sse_metadata for clarity

 Problem Addressed:
• Protobuf field sse_kms_metadata was misleading - used for ALL SSE types, not just KMS
• Field name suggested KMS-only usage but actually stored SSE-C, SSE-KMS, and SSE-S3 metadata
• Code comments and field name were inconsistent with actual unified metadata usage

🔧 Solution Implemented:

**1. Updated Protobuf Schema** 
• Renamed field from sse_kms_metadata → sse_metadata
• Updated comment to clarify: 'Serialized SSE metadata for this chunk (SSE-C, SSE-KMS, or SSE-S3)'
• Regenerated protobuf Go code with correct field naming

**2. Updated All Code References** 
• Updated 29 references across all Go files
• Changed SseKmsMetadata → SseMetadata (struct field)
• Changed GetSseKmsMetadata() → GetSseMetadata() (getter method)
• Updated function parameters: sseKmsMetadata → sseMetadata
• Fixed parameter references in function bodies

**3. Preserved Unified Metadata Pattern** 
• Maintained existing behavior: one field stores all SSE metadata types
• SseType field still determines how to deserialize the metadata
• No breaking changes to the unified metadata storage approach
• All SSE functionality continues to work identically

🎯 Benefits:
• Clarity: Field name now accurately reflects its unified purpose
• Documentation: Comments clearly indicate support for all SSE types
• Maintainability: No confusion about what metadata the field contains
• Consistency: Field name aligns with actual usage patterns
• Future-proof: Clear naming for additional SSE types

 Quality: All 54+ SSE unit tests pass successfully
🎯 Impact: Better code clarity without functional changes

This change eliminates the misleading KMS-specific naming while preserving
the proven unified metadata storage architecture.

* Update weed/s3api/s3api_object_handlers_multipart.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers_copy.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Fix Copilot AI code quality suggestions: hasExplicitEncryption helper and SSE-S3 validation order

* Update weed/s3api/s3api_object_handlers_multipart.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update weed/s3api/s3api_put_handlers.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers_copy.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-08-22 01:15:42 -07:00

2290 lines
80 KiB
Go
Raw Permalink Blame History

package s3api
import (
"bytes"
"context"
"crypto/rand"
"encoding/base64"
"fmt"
"io"
"net/http"
"net/url"
"strconv"
"strings"
"time"
"modernc.org/strutil"
"github.com/seaweedfs/seaweedfs/weed/filer"
"github.com/seaweedfs/seaweedfs/weed/glog"
"github.com/seaweedfs/seaweedfs/weed/operation"
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
"github.com/seaweedfs/seaweedfs/weed/security"
"github.com/seaweedfs/seaweedfs/weed/util"
util_http "github.com/seaweedfs/seaweedfs/weed/util/http"
)
const (
DirectiveCopy = "COPY"
DirectiveReplace = "REPLACE"
)
func (s3a *S3ApiServer) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
dstBucket, dstObject := s3_constants.GetBucketAndObject(r)
// Copy source path.
cpSrcPath, err := url.QueryUnescape(r.Header.Get("X-Amz-Copy-Source"))
if err != nil {
// Save unescaped string as is.
cpSrcPath = r.Header.Get("X-Amz-Copy-Source")
}
srcBucket, srcObject, srcVersionId := pathToBucketObjectAndVersion(cpSrcPath)
glog.V(3).Infof("CopyObjectHandler %s %s (version: %s) => %s %s", srcBucket, srcObject, srcVersionId, dstBucket, dstObject)
// Validate copy source and destination
if err := ValidateCopySource(cpSrcPath, srcBucket, srcObject); err != nil {
glog.V(2).Infof("CopyObjectHandler validation error: %v", err)
errCode := MapCopyValidationError(err)
s3err.WriteErrorResponse(w, r, errCode)
return
}
if err := ValidateCopyDestination(dstBucket, dstObject); err != nil {
glog.V(2).Infof("CopyObjectHandler validation error: %v", err)
errCode := MapCopyValidationError(err)
s3err.WriteErrorResponse(w, r, errCode)
return
}
replaceMeta, replaceTagging := replaceDirective(r.Header)
if (srcBucket == dstBucket && srcObject == dstObject || cpSrcPath == "") && (replaceMeta || replaceTagging) {
fullPath := util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, dstBucket, dstObject))
dir, name := fullPath.DirAndName()
entry, err := s3a.getEntry(dir, name)
if err != nil || entry.IsDirectory {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
entry.Extended, err = processMetadataBytes(r.Header, entry.Extended, replaceMeta, replaceTagging)
entry.Attributes.Mtime = time.Now().Unix()
if err != nil {
glog.Errorf("CopyObjectHandler ValidateTags error %s: %v", r.URL, err)
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidTag)
return
}
err = s3a.touch(dir, name, entry)
if err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
writeSuccessResponseXML(w, r, CopyObjectResult{
ETag: fmt.Sprintf("%x", entry.Attributes.Md5),
LastModified: time.Now().UTC(),
})
return
}
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
// Get detailed versioning state for source bucket
srcVersioningState, err := s3a.getVersioningState(srcBucket)
if err != nil {
glog.Errorf("Error checking versioning state for source bucket %s: %v", srcBucket, err)
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
// Get the source entry with version awareness based on versioning state
var entry *filer_pb.Entry
if srcVersionId != "" {
// Specific version requested - always use version-aware retrieval
entry, err = s3a.getSpecificObjectVersion(srcBucket, srcObject, srcVersionId)
} else if srcVersioningState == s3_constants.VersioningEnabled {
// Versioning enabled - get latest version from .versions directory
entry, err = s3a.getLatestObjectVersion(srcBucket, srcObject)
} else if srcVersioningState == s3_constants.VersioningSuspended {
// Versioning suspended - current object is stored as regular file ("null" version)
// Try regular file first, fall back to latest version if needed
srcPath := util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, srcBucket, srcObject))
dir, name := srcPath.DirAndName()
entry, err = s3a.getEntry(dir, name)
if err != nil {
// If regular file doesn't exist, try latest version as fallback
glog.V(2).Infof("CopyObject: regular file not found for suspended versioning, trying latest version")
entry, err = s3a.getLatestObjectVersion(srcBucket, srcObject)
}
} else {
// No versioning configured - use regular retrieval
srcPath := util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, srcBucket, srcObject))
dir, name := srcPath.DirAndName()
entry, err = s3a.getEntry(dir, name)
}
if err != nil || entry.IsDirectory {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
if srcBucket == dstBucket && srcObject == dstObject {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopyDest)
return
}
// Validate conditional copy headers
if err := s3a.validateConditionalCopyHeaders(r, entry); err != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, err)
return
}
// Validate encryption parameters
if err := ValidateCopyEncryption(entry.Extended, r.Header); err != nil {
glog.V(2).Infof("CopyObjectHandler encryption validation error: %v", err)
errCode := MapCopyValidationError(err)
s3err.WriteErrorResponse(w, r, errCode)
return
}
// Create new entry for destination
dstEntry := &filer_pb.Entry{
Attributes: &filer_pb.FuseAttributes{
FileSize: entry.Attributes.FileSize,
Mtime: time.Now().Unix(),
Crtime: entry.Attributes.Crtime,
Mime: entry.Attributes.Mime,
},
Extended: make(map[string][]byte),
}
// Copy extended attributes from source, filtering out conflicting encryption metadata
for k, v := range entry.Extended {
// Skip encryption-specific headers that might conflict with destination encryption type
skipHeader := false
// If we're doing cross-encryption, skip conflicting headers
if len(entry.GetChunks()) > 0 {
// Detect source and destination encryption types
srcHasSSEC := IsSSECEncrypted(entry.Extended)
srcHasSSEKMS := IsSSEKMSEncrypted(entry.Extended)
srcHasSSES3 := IsSSES3EncryptedInternal(entry.Extended)
dstWantsSSEC := IsSSECRequest(r)
dstWantsSSEKMS := IsSSEKMSRequest(r)
dstWantsSSES3 := IsSSES3RequestInternal(r)
// Use helper function to determine if header should be skipped
skipHeader = shouldSkipEncryptionHeader(k,
srcHasSSEC, srcHasSSEKMS, srcHasSSES3,
dstWantsSSEC, dstWantsSSEKMS, dstWantsSSES3)
}
if !skipHeader {
dstEntry.Extended[k] = v
}
}
// Process metadata and tags and apply to destination
processedMetadata, tagErr := processMetadataBytes(r.Header, entry.Extended, replaceMeta, replaceTagging)
if tagErr != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
// Apply processed metadata to destination entry
for k, v := range processedMetadata {
dstEntry.Extended[k] = v
}
// For zero-size files or files without chunks, use the original approach
if entry.Attributes.FileSize == 0 || len(entry.GetChunks()) == 0 {
// Just copy the entry structure without chunks for zero-size files
dstEntry.Chunks = nil
} else {
// Use unified copy strategy approach
dstChunks, dstMetadata, copyErr := s3a.executeUnifiedCopyStrategy(entry, r, dstBucket, srcObject, dstObject)
if copyErr != nil {
glog.Errorf("CopyObjectHandler unified copy error: %v", copyErr)
// Map errors to appropriate S3 errors
errCode := s3a.mapCopyErrorToS3Error(copyErr)
s3err.WriteErrorResponse(w, r, errCode)
return
}
dstEntry.Chunks = dstChunks
// Apply destination-specific metadata (e.g., SSE-C IV and headers)
if dstMetadata != nil {
for k, v := range dstMetadata {
dstEntry.Extended[k] = v
}
glog.V(2).Infof("Applied %d destination metadata entries for copy: %s", len(dstMetadata), r.URL.Path)
}
}
// Check if destination bucket has versioning configured
dstVersioningConfigured, err := s3a.isVersioningConfigured(dstBucket)
if err != nil {
glog.Errorf("Error checking versioning status for destination bucket %s: %v", dstBucket, err)
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
var dstVersionId string
var etag string
if dstVersioningConfigured {
// For versioned destination, create a new version
dstVersionId = generateVersionId()
glog.V(2).Infof("CopyObjectHandler: creating version %s for destination %s/%s", dstVersionId, dstBucket, dstObject)
// Add version metadata to the entry
if dstEntry.Extended == nil {
dstEntry.Extended = make(map[string][]byte)
}
dstEntry.Extended[s3_constants.ExtVersionIdKey] = []byte(dstVersionId)
// Calculate ETag for versioning
filerEntry := &filer.Entry{
FullPath: util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, dstBucket, dstObject)),
Attr: filer.Attr{
FileSize: dstEntry.Attributes.FileSize,
Mtime: time.Unix(dstEntry.Attributes.Mtime, 0),
Crtime: time.Unix(dstEntry.Attributes.Crtime, 0),
Mime: dstEntry.Attributes.Mime,
},
Chunks: dstEntry.Chunks,
}
etag = filer.ETagEntry(filerEntry)
if !strings.HasPrefix(etag, "\"") {
etag = "\"" + etag + "\""
}
dstEntry.Extended[s3_constants.ExtETagKey] = []byte(etag)
// Create version file
versionFileName := s3a.getVersionFileName(dstVersionId)
versionObjectPath := dstObject + ".versions/" + versionFileName
bucketDir := s3a.option.BucketsPath + "/" + dstBucket
if err := s3a.mkFile(bucketDir, versionObjectPath, dstEntry.Chunks, func(entry *filer_pb.Entry) {
entry.Attributes = dstEntry.Attributes
entry.Extended = dstEntry.Extended
}); err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
// Update the .versions directory metadata
err = s3a.updateLatestVersionInDirectory(dstBucket, dstObject, dstVersionId, versionFileName)
if err != nil {
glog.Errorf("CopyObjectHandler: failed to update latest version in directory: %v", err)
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
// Set version ID in response header
w.Header().Set("x-amz-version-id", dstVersionId)
} else {
// For non-versioned destination, use regular copy
dstPath := util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, dstBucket, dstObject))
dstDir, dstName := dstPath.DirAndName()
// Check if destination exists and remove it first (S3 copy overwrites)
if exists, _ := s3a.exists(dstDir, dstName, false); exists {
if err := s3a.rm(dstDir, dstName, false, false); err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
}
// Create the new file
if err := s3a.mkFile(dstDir, dstName, dstEntry.Chunks, func(entry *filer_pb.Entry) {
entry.Attributes = dstEntry.Attributes
entry.Extended = dstEntry.Extended
}); err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
// Calculate ETag
filerEntry := &filer.Entry{
FullPath: dstPath,
Attr: filer.Attr{
FileSize: dstEntry.Attributes.FileSize,
Mtime: time.Unix(dstEntry.Attributes.Mtime, 0),
Crtime: time.Unix(dstEntry.Attributes.Crtime, 0),
Mime: dstEntry.Attributes.Mime,
},
Chunks: dstEntry.Chunks,
}
etag = filer.ETagEntry(filerEntry)
}
setEtag(w, etag)
response := CopyObjectResult{
ETag: etag,
LastModified: time.Now().UTC(),
}
writeSuccessResponseXML(w, r, response)
}
func pathToBucketAndObject(path string) (bucket, object string) {
path = strings.TrimPrefix(path, "/")
parts := strings.SplitN(path, "/", 2)
if len(parts) == 2 {
return parts[0], "/" + parts[1]
}
return parts[0], "/"
}
func pathToBucketObjectAndVersion(path string) (bucket, object, versionId string) {
// Parse versionId from query string if present
// Format: /bucket/object?versionId=version-id
if idx := strings.Index(path, "?versionId="); idx != -1 {
versionId = path[idx+len("?versionId="):] // dynamically calculate length
path = path[:idx]
}
bucket, object = pathToBucketAndObject(path)
return bucket, object, versionId
}
type CopyPartResult struct {
LastModified time.Time `xml:"LastModified"`
ETag string `xml:"ETag"`
}
func (s3a *S3ApiServer) CopyObjectPartHandler(w http.ResponseWriter, r *http.Request) {
// https://docs.aws.amazon.com/AmazonS3/latest/dev/CopyingObjctsUsingRESTMPUapi.html
// https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
dstBucket, dstObject := s3_constants.GetBucketAndObject(r)
// Copy source path.
cpSrcPath, err := url.QueryUnescape(r.Header.Get("X-Amz-Copy-Source"))
if err != nil {
// Save unescaped string as is.
cpSrcPath = r.Header.Get("X-Amz-Copy-Source")
}
srcBucket, srcObject, srcVersionId := pathToBucketObjectAndVersion(cpSrcPath)
// If source object is empty or bucket is empty, reply back invalid copy source.
if srcObject == "" || srcBucket == "" {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
partIDString := r.URL.Query().Get("partNumber")
uploadID := r.URL.Query().Get("uploadId")
partID, err := strconv.Atoi(partIDString)
if err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidPart)
return
}
// Check if the upload ID is valid
err = s3a.checkUploadId(dstObject, uploadID)
if err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrNoSuchUpload)
return
}
glog.V(3).Infof("CopyObjectPartHandler %s %s => %s part %d upload %s", srcBucket, srcObject, dstBucket, partID, uploadID)
// check partID with maximum part ID for multipart objects
if partID > s3_constants.MaxS3MultipartParts {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidPart)
return
}
// Get detailed versioning state for source bucket
srcVersioningState, err := s3a.getVersioningState(srcBucket)
if err != nil {
glog.Errorf("Error checking versioning state for source bucket %s: %v", srcBucket, err)
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
// Get the source entry with version awareness based on versioning state
var entry *filer_pb.Entry
if srcVersionId != "" {
// Specific version requested - always use version-aware retrieval
entry, err = s3a.getSpecificObjectVersion(srcBucket, srcObject, srcVersionId)
} else if srcVersioningState == s3_constants.VersioningEnabled {
// Versioning enabled - get latest version from .versions directory
entry, err = s3a.getLatestObjectVersion(srcBucket, srcObject)
} else if srcVersioningState == s3_constants.VersioningSuspended {
// Versioning suspended - current object is stored as regular file ("null" version)
// Try regular file first, fall back to latest version if needed
srcPath := util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, srcBucket, srcObject))
dir, name := srcPath.DirAndName()
entry, err = s3a.getEntry(dir, name)
if err != nil {
// If regular file doesn't exist, try latest version as fallback
glog.V(2).Infof("CopyObjectPart: regular file not found for suspended versioning, trying latest version")
entry, err = s3a.getLatestObjectVersion(srcBucket, srcObject)
}
} else {
// No versioning configured - use regular retrieval
srcPath := util.FullPath(fmt.Sprintf("%s/%s%s", s3a.option.BucketsPath, srcBucket, srcObject))
dir, name := srcPath.DirAndName()
entry, err = s3a.getEntry(dir, name)
}
if err != nil || entry.IsDirectory {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidCopySource)
return
}
// Validate conditional copy headers
if err := s3a.validateConditionalCopyHeaders(r, entry); err != s3err.ErrNone {
s3err.WriteErrorResponse(w, r, err)
return
}
// Handle range header if present
rangeHeader := r.Header.Get("x-amz-copy-source-range")
var startOffset, endOffset int64
if rangeHeader != "" {
startOffset, endOffset, err = parseRangeHeader(rangeHeader)
if err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRange)
return
}
} else {
startOffset = 0
if entry.Attributes.FileSize == 0 {
endOffset = -1 // For zero-size files, use -1 as endOffset
} else {
endOffset = int64(entry.Attributes.FileSize) - 1
}
}
// Create new entry for the part
dstEntry := &filer_pb.Entry{
Attributes: &filer_pb.FuseAttributes{
FileSize: uint64(endOffset - startOffset + 1),
Mtime: time.Now().Unix(),
Crtime: time.Now().Unix(),
Mime: entry.Attributes.Mime,
},
Extended: make(map[string][]byte),
}
// Handle zero-size files or empty ranges
if entry.Attributes.FileSize == 0 || endOffset < startOffset {
// For zero-size files or invalid ranges, create an empty part
dstEntry.Chunks = nil
} else {
// Copy chunks that overlap with the range
dstChunks, err := s3a.copyChunksForRange(entry, startOffset, endOffset, r.URL.Path)
if err != nil {
glog.Errorf("CopyObjectPartHandler copy chunks error: %v", err)
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
dstEntry.Chunks = dstChunks
}
// Save the part entry to the multipart uploads folder
uploadDir := s3a.genUploadsFolder(dstBucket) + "/" + uploadID
partName := fmt.Sprintf("%04d_%s.part", partID, "copy")
// Check if part exists and remove it first (allow re-copying same part)
if exists, _ := s3a.exists(uploadDir, partName, false); exists {
if err := s3a.rm(uploadDir, partName, false, false); err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
}
if err := s3a.mkFile(uploadDir, partName, dstEntry.Chunks, func(entry *filer_pb.Entry) {
entry.Attributes = dstEntry.Attributes
entry.Extended = dstEntry.Extended
}); err != nil {
s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
return
}
// Calculate ETag for the part
partPath := util.FullPath(uploadDir + "/" + partName)
filerEntry := &filer.Entry{
FullPath: partPath,
Attr: filer.Attr{
FileSize: dstEntry.Attributes.FileSize,
Mtime: time.Unix(dstEntry.Attributes.Mtime, 0),
Crtime: time.Unix(dstEntry.Attributes.Crtime, 0),
Mime: dstEntry.Attributes.Mime,
},
Chunks: dstEntry.Chunks,
}
etag := filer.ETagEntry(filerEntry)
setEtag(w, etag)
response := CopyPartResult{
ETag: etag,
LastModified: time.Now().UTC(),
}
writeSuccessResponseXML(w, r, response)
}
func replaceDirective(reqHeader http.Header) (replaceMeta, replaceTagging bool) {
return reqHeader.Get(s3_constants.AmzUserMetaDirective) == DirectiveReplace, reqHeader.Get(s3_constants.AmzObjectTaggingDirective) == DirectiveReplace
}
func processMetadata(reqHeader, existing http.Header, replaceMeta, replaceTagging bool, getTags func(parentDirectoryPath string, entryName string) (tags map[string]string, err error), dir, name string) (err error) {
if sc := reqHeader.Get(s3_constants.AmzStorageClass); len(sc) == 0 {
if sc := existing.Get(s3_constants.AmzStorageClass); len(sc) > 0 {
reqHeader.Set(s3_constants.AmzStorageClass, sc)
}
}
if !replaceMeta {
for header := range reqHeader {
if strings.HasPrefix(header, s3_constants.AmzUserMetaPrefix) {
delete(reqHeader, header)
}
}
for k, v := range existing {
if strings.HasPrefix(k, s3_constants.AmzUserMetaPrefix) {
reqHeader[k] = v
}
}
}
if !replaceTagging {
for header, _ := range reqHeader {
if strings.HasPrefix(header, s3_constants.AmzObjectTagging) {
delete(reqHeader, header)
}
}
found := false
for k, _ := range existing {
if strings.HasPrefix(k, s3_constants.AmzObjectTaggingPrefix) {
found = true
break
}
}
if found {
tags, err := getTags(dir, name)
if err != nil {
return err
}
var tagArr []string
for k, v := range tags {
tagArr = append(tagArr, fmt.Sprintf("%s=%s", k, v))
}
tagStr := strutil.JoinFields(tagArr, "&")
reqHeader.Set(s3_constants.AmzObjectTagging, tagStr)
}
}
return
}
func processMetadataBytes(reqHeader http.Header, existing map[string][]byte, replaceMeta, replaceTagging bool) (metadata map[string][]byte, err error) {
metadata = make(map[string][]byte)
if sc := existing[s3_constants.AmzStorageClass]; len(sc) > 0 {
metadata[s3_constants.AmzStorageClass] = sc
}
if sc := reqHeader.Get(s3_constants.AmzStorageClass); len(sc) > 0 {
metadata[s3_constants.AmzStorageClass] = []byte(sc)
}
// Handle SSE-KMS headers - these are always processed from request headers if present
if sseAlgorithm := reqHeader.Get(s3_constants.AmzServerSideEncryption); sseAlgorithm == "aws:kms" {
metadata[s3_constants.AmzServerSideEncryption] = []byte(sseAlgorithm)
// KMS Key ID (optional - can use default key)
if kmsKeyID := reqHeader.Get(s3_constants.AmzServerSideEncryptionAwsKmsKeyId); kmsKeyID != "" {
metadata[s3_constants.AmzServerSideEncryptionAwsKmsKeyId] = []byte(kmsKeyID)
}
// Encryption Context (optional)
if encryptionContext := reqHeader.Get(s3_constants.AmzServerSideEncryptionContext); encryptionContext != "" {
metadata[s3_constants.AmzServerSideEncryptionContext] = []byte(encryptionContext)
}
// Bucket Key Enabled (optional)
if bucketKeyEnabled := reqHeader.Get(s3_constants.AmzServerSideEncryptionBucketKeyEnabled); bucketKeyEnabled != "" {
metadata[s3_constants.AmzServerSideEncryptionBucketKeyEnabled] = []byte(bucketKeyEnabled)
}
} else {
// If not explicitly setting SSE-KMS, preserve existing SSE headers from source
for _, sseHeader := range []string{
s3_constants.AmzServerSideEncryption,
s3_constants.AmzServerSideEncryptionAwsKmsKeyId,
s3_constants.AmzServerSideEncryptionContext,
s3_constants.AmzServerSideEncryptionBucketKeyEnabled,
} {
if existingValue, exists := existing[sseHeader]; exists {
metadata[sseHeader] = existingValue
}
}
}
// Handle SSE-C headers - these are always processed from request headers if present
if sseCustomerAlgorithm := reqHeader.Get(s3_constants.AmzServerSideEncryptionCustomerAlgorithm); sseCustomerAlgorithm != "" {
metadata[s3_constants.AmzServerSideEncryptionCustomerAlgorithm] = []byte(sseCustomerAlgorithm)
if sseCustomerKeyMD5 := reqHeader.Get(s3_constants.AmzServerSideEncryptionCustomerKeyMD5); sseCustomerKeyMD5 != "" {
metadata[s3_constants.AmzServerSideEncryptionCustomerKeyMD5] = []byte(sseCustomerKeyMD5)
}
} else {
// If not explicitly setting SSE-C, preserve existing SSE-C headers from source
for _, ssecHeader := range []string{
s3_constants.AmzServerSideEncryptionCustomerAlgorithm,
s3_constants.AmzServerSideEncryptionCustomerKeyMD5,
} {
if existingValue, exists := existing[ssecHeader]; exists {
metadata[ssecHeader] = existingValue
}
}
}
if replaceMeta {
for header, values := range reqHeader {
if strings.HasPrefix(header, s3_constants.AmzUserMetaPrefix) {
for _, value := range values {
metadata[header] = []byte(value)
}
}
}
} else {
for k, v := range existing {
if strings.HasPrefix(k, s3_constants.AmzUserMetaPrefix) {
metadata[k] = v
}
}
}
if replaceTagging {
if tags := reqHeader.Get(s3_constants.AmzObjectTagging); tags != "" {
parsedTags, err := parseTagsHeader(tags)
if err != nil {
return nil, err
}
err = ValidateTags(parsedTags)
if err != nil {
return nil, err
}
for k, v := range parsedTags {
metadata[s3_constants.AmzObjectTagging+"-"+k] = []byte(v)
}
}
} else {
for k, v := range existing {
if strings.HasPrefix(k, s3_constants.AmzObjectTagging) {
metadata[k] = v
}
}
delete(metadata, s3_constants.AmzTagCount)
}
return
}
// copyChunks replicates chunks from source entry to destination entry
func (s3a *S3ApiServer) copyChunks(entry *filer_pb.Entry, dstPath string) ([]*filer_pb.FileChunk, error) {
dstChunks := make([]*filer_pb.FileChunk, len(entry.GetChunks()))
const defaultChunkCopyConcurrency = 4
executor := util.NewLimitedConcurrentExecutor(defaultChunkCopyConcurrency) // Limit to configurable concurrent operations
errChan := make(chan error, len(entry.GetChunks()))
for i, chunk := range entry.GetChunks() {
chunkIndex := i
executor.Execute(func() {
dstChunk, err := s3a.copySingleChunk(chunk, dstPath)
if err != nil {
errChan <- fmt.Errorf("chunk %d: %v", chunkIndex, err)
return
}
dstChunks[chunkIndex] = dstChunk
errChan <- nil
})
}
// Wait for all operations to complete and check for errors
for i := 0; i < len(entry.GetChunks()); i++ {
if err := <-errChan; err != nil {
return nil, err
}
}
return dstChunks, nil
}
// copySingleChunk copies a single chunk from source to destination
func (s3a *S3ApiServer) copySingleChunk(chunk *filer_pb.FileChunk, dstPath string) (*filer_pb.FileChunk, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(chunk, chunk.Offset, chunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(chunk.GetFileIdString(), dstPath)
if err != nil {
return nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, err
}
// Download and upload the chunk
chunkData, err := s3a.downloadChunkData(srcUrl, 0, int64(chunk.Size))
if err != nil {
return nil, fmt.Errorf("download chunk data: %w", err)
}
if err := s3a.uploadChunkData(chunkData, assignResult); err != nil {
return nil, fmt.Errorf("upload chunk data: %w", err)
}
return dstChunk, nil
}
// copySingleChunkForRange copies a portion of a chunk for range operations
func (s3a *S3ApiServer) copySingleChunkForRange(originalChunk, rangeChunk *filer_pb.FileChunk, rangeStart, rangeEnd int64, dstPath string) (*filer_pb.FileChunk, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(rangeChunk, rangeChunk.Offset, rangeChunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(originalChunk.GetFileIdString(), dstPath)
if err != nil {
return nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, err
}
// Calculate the portion of the original chunk that we need to copy
chunkStart := originalChunk.Offset
overlapStart := max(rangeStart, chunkStart)
offsetInChunk := overlapStart - chunkStart
// Download and upload the chunk portion
chunkData, err := s3a.downloadChunkData(srcUrl, offsetInChunk, int64(rangeChunk.Size))
if err != nil {
return nil, fmt.Errorf("download chunk range data: %w", err)
}
if err := s3a.uploadChunkData(chunkData, assignResult); err != nil {
return nil, fmt.Errorf("upload chunk range data: %w", err)
}
return dstChunk, nil
}
// assignNewVolume assigns a new volume for the chunk
func (s3a *S3ApiServer) assignNewVolume(dstPath string) (*filer_pb.AssignVolumeResponse, error) {
var assignResult *filer_pb.AssignVolumeResponse
err := s3a.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
resp, err := client.AssignVolume(context.Background(), &filer_pb.AssignVolumeRequest{
Count: 1,
Replication: "",
Collection: "",
DiskType: "",
DataCenter: s3a.option.DataCenter,
Path: dstPath,
})
if err != nil {
return fmt.Errorf("assign volume: %w", err)
}
if resp.Error != "" {
return fmt.Errorf("assign volume: %v", resp.Error)
}
assignResult = resp
return nil
})
if err != nil {
return nil, err
}
return assignResult, nil
}
// min returns the minimum of two int64 values
func min(a, b int64) int64 {
if a < b {
return a
}
return b
}
// max returns the maximum of two int64 values
func max(a, b int64) int64 {
if a > b {
return a
}
return b
}
// parseRangeHeader parses the x-amz-copy-source-range header
func parseRangeHeader(rangeHeader string) (startOffset, endOffset int64, err error) {
// Remove "bytes=" prefix if present
rangeStr := strings.TrimPrefix(rangeHeader, "bytes=")
parts := strings.Split(rangeStr, "-")
if len(parts) != 2 {
return 0, 0, fmt.Errorf("invalid range format")
}
startOffset, err = strconv.ParseInt(parts[0], 10, 64)
if err != nil {
return 0, 0, fmt.Errorf("invalid start offset: %w", err)
}
endOffset, err = strconv.ParseInt(parts[1], 10, 64)
if err != nil {
return 0, 0, fmt.Errorf("invalid end offset: %w", err)
}
return startOffset, endOffset, nil
}
// copyChunksForRange copies chunks that overlap with the specified range
func (s3a *S3ApiServer) copyChunksForRange(entry *filer_pb.Entry, startOffset, endOffset int64, dstPath string) ([]*filer_pb.FileChunk, error) {
var relevantChunks []*filer_pb.FileChunk
// Find chunks that overlap with the range
for _, chunk := range entry.GetChunks() {
chunkStart := chunk.Offset
chunkEnd := chunk.Offset + int64(chunk.Size)
// Check if chunk overlaps with the range
if chunkStart < endOffset+1 && chunkEnd > startOffset {
// Calculate the overlap
overlapStart := max(startOffset, chunkStart)
overlapEnd := min(endOffset+1, chunkEnd)
// Create a new chunk with adjusted offset and size relative to the range
newChunk := &filer_pb.FileChunk{
FileId: chunk.FileId,
Offset: overlapStart - startOffset, // Offset relative to the range start
Size: uint64(overlapEnd - overlapStart),
ModifiedTsNs: time.Now().UnixNano(),
ETag: chunk.ETag,
IsCompressed: chunk.IsCompressed,
CipherKey: chunk.CipherKey,
Fid: chunk.Fid,
}
relevantChunks = append(relevantChunks, newChunk)
}
}
// Copy the relevant chunks using a specialized method for range copies
dstChunks := make([]*filer_pb.FileChunk, len(relevantChunks))
const defaultChunkCopyConcurrency = 4
executor := util.NewLimitedConcurrentExecutor(defaultChunkCopyConcurrency)
errChan := make(chan error, len(relevantChunks))
// Create a map to track original chunks for each relevant chunk
originalChunks := make([]*filer_pb.FileChunk, len(relevantChunks))
relevantIndex := 0
for _, chunk := range entry.GetChunks() {
chunkStart := chunk.Offset
chunkEnd := chunk.Offset + int64(chunk.Size)
// Check if chunk overlaps with the range
if chunkStart < endOffset+1 && chunkEnd > startOffset {
originalChunks[relevantIndex] = chunk
relevantIndex++
}
}
for i, chunk := range relevantChunks {
chunkIndex := i
originalChunk := originalChunks[i] // Get the corresponding original chunk
executor.Execute(func() {
dstChunk, err := s3a.copySingleChunkForRange(originalChunk, chunk, startOffset, endOffset, dstPath)
if err != nil {
errChan <- fmt.Errorf("chunk %d: %v", chunkIndex, err)
return
}
dstChunks[chunkIndex] = dstChunk
errChan <- nil
})
}
// Wait for all operations to complete and check for errors
for i := 0; i < len(relevantChunks); i++ {
if err := <-errChan; err != nil {
return nil, err
}
}
return dstChunks, nil
}
// Helper methods for copy operations to avoid code duplication
// validateConditionalCopyHeaders validates the conditional copy headers against the source entry
func (s3a *S3ApiServer) validateConditionalCopyHeaders(r *http.Request, entry *filer_pb.Entry) s3err.ErrorCode {
// Calculate ETag for the source entry
srcPath := util.FullPath(fmt.Sprintf("%s/%s", r.URL.Path, entry.Name))
filerEntry := &filer.Entry{
FullPath: srcPath,
Attr: filer.Attr{
FileSize: entry.Attributes.FileSize,
Mtime: time.Unix(entry.Attributes.Mtime, 0),
Crtime: time.Unix(entry.Attributes.Crtime, 0),
Mime: entry.Attributes.Mime,
},
Chunks: entry.Chunks,
}
sourceETag := filer.ETagEntry(filerEntry)
// Check X-Amz-Copy-Source-If-Match
if ifMatch := r.Header.Get(s3_constants.AmzCopySourceIfMatch); ifMatch != "" {
// Remove quotes if present
ifMatch = strings.Trim(ifMatch, `"`)
sourceETag = strings.Trim(sourceETag, `"`)
glog.V(3).Infof("CopyObjectHandler: If-Match check - expected %s, got %s", ifMatch, sourceETag)
if ifMatch != sourceETag {
glog.V(3).Infof("CopyObjectHandler: If-Match failed - expected %s, got %s", ifMatch, sourceETag)
return s3err.ErrPreconditionFailed
}
}
// Check X-Amz-Copy-Source-If-None-Match
if ifNoneMatch := r.Header.Get(s3_constants.AmzCopySourceIfNoneMatch); ifNoneMatch != "" {
// Remove quotes if present
ifNoneMatch = strings.Trim(ifNoneMatch, `"`)
sourceETag = strings.Trim(sourceETag, `"`)
glog.V(3).Infof("CopyObjectHandler: If-None-Match check - comparing %s with %s", ifNoneMatch, sourceETag)
if ifNoneMatch == sourceETag {
glog.V(3).Infof("CopyObjectHandler: If-None-Match failed - matched %s", sourceETag)
return s3err.ErrPreconditionFailed
}
}
// Check X-Amz-Copy-Source-If-Modified-Since
if ifModifiedSince := r.Header.Get(s3_constants.AmzCopySourceIfModifiedSince); ifModifiedSince != "" {
t, err := time.Parse(time.RFC1123, ifModifiedSince)
if err != nil {
glog.V(3).Infof("CopyObjectHandler: Invalid If-Modified-Since header: %v", err)
return s3err.ErrInvalidRequest
}
if !time.Unix(entry.Attributes.Mtime, 0).After(t) {
glog.V(3).Infof("CopyObjectHandler: If-Modified-Since failed")
return s3err.ErrPreconditionFailed
}
}
// Check X-Amz-Copy-Source-If-Unmodified-Since
if ifUnmodifiedSince := r.Header.Get(s3_constants.AmzCopySourceIfUnmodifiedSince); ifUnmodifiedSince != "" {
t, err := time.Parse(time.RFC1123, ifUnmodifiedSince)
if err != nil {
glog.V(3).Infof("CopyObjectHandler: Invalid If-Unmodified-Since header: %v", err)
return s3err.ErrInvalidRequest
}
if time.Unix(entry.Attributes.Mtime, 0).After(t) {
glog.V(3).Infof("CopyObjectHandler: If-Unmodified-Since failed")
return s3err.ErrPreconditionFailed
}
}
return s3err.ErrNone
}
// createDestinationChunk creates a new chunk based on the source chunk with modified properties
func (s3a *S3ApiServer) createDestinationChunk(sourceChunk *filer_pb.FileChunk, offset int64, size uint64) *filer_pb.FileChunk {
return &filer_pb.FileChunk{
Offset: offset,
Size: size,
ModifiedTsNs: time.Now().UnixNano(),
ETag: sourceChunk.ETag,
IsCompressed: sourceChunk.IsCompressed,
CipherKey: sourceChunk.CipherKey,
}
}
// lookupVolumeUrl looks up the volume URL for a given file ID using the filer's LookupVolume method
func (s3a *S3ApiServer) lookupVolumeUrl(fileId string) (string, error) {
var srcUrl string
err := s3a.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
vid, _, err := operation.ParseFileId(fileId)
if err != nil {
return fmt.Errorf("parse file ID: %w", err)
}
resp, err := client.LookupVolume(context.Background(), &filer_pb.LookupVolumeRequest{
VolumeIds: []string{vid},
})
if err != nil {
return fmt.Errorf("lookup volume: %w", err)
}
if locations, found := resp.LocationsMap[vid]; found && len(locations.Locations) > 0 {
srcUrl = "http://" + locations.Locations[0].Url + "/" + fileId
} else {
return fmt.Errorf("no location found for volume %s", vid)
}
return nil
})
if err != nil {
return "", fmt.Errorf("lookup volume URL: %w", err)
}
return srcUrl, nil
}
// setChunkFileId sets the file ID on the destination chunk
func (s3a *S3ApiServer) setChunkFileId(chunk *filer_pb.FileChunk, assignResult *filer_pb.AssignVolumeResponse) error {
chunk.FileId = assignResult.FileId
fid, err := filer_pb.ToFileIdObject(assignResult.FileId)
if err != nil {
return fmt.Errorf("parse file ID: %w", err)
}
chunk.Fid = fid
return nil
}
// prepareChunkCopy prepares a chunk for copying by assigning a new volume and looking up the source URL
func (s3a *S3ApiServer) prepareChunkCopy(sourceFileId, dstPath string) (*filer_pb.AssignVolumeResponse, string, error) {
// Assign new volume
assignResult, err := s3a.assignNewVolume(dstPath)
if err != nil {
return nil, "", fmt.Errorf("assign volume: %w", err)
}
// Look up source URL
srcUrl, err := s3a.lookupVolumeUrl(sourceFileId)
if err != nil {
return nil, "", fmt.Errorf("lookup source URL: %w", err)
}
return assignResult, srcUrl, nil
}
// uploadChunkData uploads chunk data to the destination using common upload logic
func (s3a *S3ApiServer) uploadChunkData(chunkData []byte, assignResult *filer_pb.AssignVolumeResponse) error {
dstUrl := fmt.Sprintf("http://%s/%s", assignResult.Location.Url, assignResult.FileId)
uploadOption := &operation.UploadOption{
UploadUrl: dstUrl,
Cipher: false,
IsInputCompressed: false,
MimeType: "",
PairMap: nil,
Jwt: security.EncodedJwt(assignResult.Auth),
}
uploader, err := operation.NewUploader()
if err != nil {
return fmt.Errorf("create uploader: %w", err)
}
_, err = uploader.UploadData(context.Background(), chunkData, uploadOption)
if err != nil {
return fmt.Errorf("upload chunk: %w", err)
}
return nil
}
// downloadChunkData downloads chunk data from the source URL
func (s3a *S3ApiServer) downloadChunkData(srcUrl string, offset, size int64) ([]byte, error) {
var chunkData []byte
shouldRetry, err := util_http.ReadUrlAsStream(context.Background(), srcUrl, nil, false, false, offset, int(size), func(data []byte) {
chunkData = append(chunkData, data...)
})
if err != nil {
return nil, fmt.Errorf("download chunk: %w", err)
}
if shouldRetry {
return nil, fmt.Errorf("download chunk: retry needed")
}
return chunkData, nil
}
// copyMultipartSSECChunks handles copying multipart SSE-C objects
// Returns chunks and destination metadata that should be applied to the destination entry
func (s3a *S3ApiServer) copyMultipartSSECChunks(entry *filer_pb.Entry, copySourceKey *SSECustomerKey, destKey *SSECustomerKey, dstPath string) ([]*filer_pb.FileChunk, map[string][]byte, error) {
glog.Infof("copyMultipartSSECChunks called: copySourceKey=%v, destKey=%v, path=%s", copySourceKey != nil, destKey != nil, dstPath)
var sourceKeyMD5, destKeyMD5 string
if copySourceKey != nil {
sourceKeyMD5 = copySourceKey.KeyMD5
}
if destKey != nil {
destKeyMD5 = destKey.KeyMD5
}
glog.Infof("Key MD5 comparison: source=%s, dest=%s, equal=%t", sourceKeyMD5, destKeyMD5, sourceKeyMD5 == destKeyMD5)
// For multipart SSE-C, always use decrypt/reencrypt path to ensure proper metadata handling
// The standard copyChunks() doesn't preserve SSE metadata, so we need per-chunk processing
glog.Infof("✅ Taking multipart SSE-C reencrypt path to preserve metadata: %s", dstPath)
// Different keys or key changes: decrypt and re-encrypt each chunk individually
glog.V(2).Infof("Multipart SSE-C reencrypt copy (different keys): %s", dstPath)
var dstChunks []*filer_pb.FileChunk
var destIV []byte
for _, chunk := range entry.GetChunks() {
if chunk.GetSseType() != filer_pb.SSEType_SSE_C {
// Non-SSE-C chunk, copy directly
copiedChunk, err := s3a.copySingleChunk(chunk, dstPath)
if err != nil {
return nil, nil, fmt.Errorf("failed to copy non-SSE-C chunk: %w", err)
}
dstChunks = append(dstChunks, copiedChunk)
continue
}
// SSE-C chunk: decrypt with stored per-chunk metadata, re-encrypt with dest key
copiedChunk, chunkDestIV, err := s3a.copyMultipartSSECChunk(chunk, copySourceKey, destKey, dstPath)
if err != nil {
return nil, nil, fmt.Errorf("failed to copy SSE-C chunk %s: %w", chunk.GetFileIdString(), err)
}
dstChunks = append(dstChunks, copiedChunk)
// Store the first chunk's IV as the object's IV (for single-part compatibility)
if len(destIV) == 0 {
destIV = chunkDestIV
}
}
// Create destination metadata
dstMetadata := make(map[string][]byte)
if destKey != nil && len(destIV) > 0 {
// Store the IV and SSE-C headers for single-part compatibility
StoreIVInMetadata(dstMetadata, destIV)
dstMetadata[s3_constants.AmzServerSideEncryptionCustomerAlgorithm] = []byte("AES256")
dstMetadata[s3_constants.AmzServerSideEncryptionCustomerKeyMD5] = []byte(destKey.KeyMD5)
glog.V(2).Infof("Prepared multipart SSE-C destination metadata: %s", dstPath)
}
return dstChunks, dstMetadata, nil
}
// copyMultipartSSEKMSChunks handles copying multipart SSE-KMS objects (unified with SSE-C approach)
// Returns chunks and destination metadata that should be applied to the destination entry
func (s3a *S3ApiServer) copyMultipartSSEKMSChunks(entry *filer_pb.Entry, destKeyID string, encryptionContext map[string]string, bucketKeyEnabled bool, dstPath, bucket string) ([]*filer_pb.FileChunk, map[string][]byte, error) {
glog.Infof("copyMultipartSSEKMSChunks called: destKeyID=%s, path=%s", destKeyID, dstPath)
// For multipart SSE-KMS, always use decrypt/reencrypt path to ensure proper metadata handling
// The standard copyChunks() doesn't preserve SSE metadata, so we need per-chunk processing
glog.Infof("✅ Taking multipart SSE-KMS reencrypt path to preserve metadata: %s", dstPath)
var dstChunks []*filer_pb.FileChunk
for _, chunk := range entry.GetChunks() {
if chunk.GetSseType() != filer_pb.SSEType_SSE_KMS {
// Non-SSE-KMS chunk, copy directly
copiedChunk, err := s3a.copySingleChunk(chunk, dstPath)
if err != nil {
return nil, nil, fmt.Errorf("failed to copy non-SSE-KMS chunk: %w", err)
}
dstChunks = append(dstChunks, copiedChunk)
continue
}
// SSE-KMS chunk: decrypt with stored per-chunk metadata, re-encrypt with dest key
copiedChunk, err := s3a.copyMultipartSSEKMSChunk(chunk, destKeyID, encryptionContext, bucketKeyEnabled, dstPath, bucket)
if err != nil {
return nil, nil, fmt.Errorf("failed to copy SSE-KMS chunk %s: %w", chunk.GetFileIdString(), err)
}
dstChunks = append(dstChunks, copiedChunk)
}
// Create destination metadata for SSE-KMS
dstMetadata := make(map[string][]byte)
if destKeyID != "" {
// Store SSE-KMS metadata for single-part compatibility
if encryptionContext == nil {
encryptionContext = BuildEncryptionContext(bucket, dstPath, bucketKeyEnabled)
}
sseKey := &SSEKMSKey{
KeyID: destKeyID,
EncryptionContext: encryptionContext,
BucketKeyEnabled: bucketKeyEnabled,
}
if kmsMetadata, serErr := SerializeSSEKMSMetadata(sseKey); serErr == nil {
dstMetadata[s3_constants.SeaweedFSSSEKMSKey] = kmsMetadata
glog.Infof("✅ Created object-level KMS metadata for GET compatibility")
} else {
glog.Errorf("❌ Failed to serialize SSE-KMS metadata: %v", serErr)
}
}
return dstChunks, dstMetadata, nil
}
// copyMultipartSSEKMSChunk copies a single SSE-KMS chunk from a multipart object (unified with SSE-C approach)
func (s3a *S3ApiServer) copyMultipartSSEKMSChunk(chunk *filer_pb.FileChunk, destKeyID string, encryptionContext map[string]string, bucketKeyEnabled bool, dstPath, bucket string) (*filer_pb.FileChunk, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(chunk, chunk.Offset, chunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(chunk.GetFileIdString(), dstPath)
if err != nil {
return nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, err
}
// Download encrypted chunk data
encryptedData, err := s3a.downloadChunkData(srcUrl, 0, int64(chunk.Size))
if err != nil {
return nil, fmt.Errorf("download encrypted chunk data: %w", err)
}
var finalData []byte
// Decrypt source data using stored SSE-KMS metadata (same pattern as SSE-C)
if len(chunk.GetSseMetadata()) == 0 {
return nil, fmt.Errorf("SSE-KMS chunk missing per-chunk metadata")
}
// Deserialize the SSE-KMS metadata (reusing unified metadata structure)
sourceSSEKey, err := DeserializeSSEKMSMetadata(chunk.GetSseMetadata())
if err != nil {
return nil, fmt.Errorf("failed to deserialize SSE-KMS metadata: %w", err)
}
// Decrypt the chunk data using the source metadata
decryptedReader, decErr := CreateSSEKMSDecryptedReader(bytes.NewReader(encryptedData), sourceSSEKey)
if decErr != nil {
return nil, fmt.Errorf("create SSE-KMS decrypted reader: %w", decErr)
}
decryptedData, readErr := io.ReadAll(decryptedReader)
if readErr != nil {
return nil, fmt.Errorf("decrypt chunk data: %w", readErr)
}
finalData = decryptedData
glog.V(4).Infof("Decrypted multipart SSE-KMS chunk: %d bytes → %d bytes", len(encryptedData), len(finalData))
// Re-encrypt with destination key if specified
if destKeyID != "" {
// Build encryption context if not provided
if encryptionContext == nil {
encryptionContext = BuildEncryptionContext(bucket, dstPath, bucketKeyEnabled)
}
// Encrypt with destination key
encryptedReader, destSSEKey, encErr := CreateSSEKMSEncryptedReaderWithBucketKey(bytes.NewReader(finalData), destKeyID, encryptionContext, bucketKeyEnabled)
if encErr != nil {
return nil, fmt.Errorf("create SSE-KMS encrypted reader: %w", encErr)
}
reencryptedData, readErr := io.ReadAll(encryptedReader)
if readErr != nil {
return nil, fmt.Errorf("re-encrypt chunk data: %w", readErr)
}
finalData = reencryptedData
// Create per-chunk SSE-KMS metadata for the destination chunk
// For copy operations, reset chunk offset to 0 (similar to SSE-C approach)
// The copied chunks form a new object structure independent of original part boundaries
destSSEKey.ChunkOffset = 0
kmsMetadata, err := SerializeSSEKMSMetadata(destSSEKey)
if err != nil {
return nil, fmt.Errorf("serialize SSE-KMS metadata: %w", err)
}
// Set the SSE type and metadata on destination chunk (unified approach)
dstChunk.SseType = filer_pb.SSEType_SSE_KMS
dstChunk.SseMetadata = kmsMetadata
glog.V(4).Infof("Re-encrypted multipart SSE-KMS chunk: %d bytes → %d bytes", len(finalData)-len(reencryptedData)+len(finalData), len(finalData))
}
// Upload the final data
if err := s3a.uploadChunkData(finalData, assignResult); err != nil {
return nil, fmt.Errorf("upload chunk data: %w", err)
}
// Update chunk size
dstChunk.Size = uint64(len(finalData))
glog.V(3).Infof("Successfully copied multipart SSE-KMS chunk %s → %s",
chunk.GetFileIdString(), dstChunk.GetFileIdString())
return dstChunk, nil
}
// copyMultipartSSECChunk copies a single SSE-C chunk from a multipart object
func (s3a *S3ApiServer) copyMultipartSSECChunk(chunk *filer_pb.FileChunk, copySourceKey *SSECustomerKey, destKey *SSECustomerKey, dstPath string) (*filer_pb.FileChunk, []byte, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(chunk, chunk.Offset, chunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(chunk.GetFileIdString(), dstPath)
if err != nil {
return nil, nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, nil, err
}
// Download encrypted chunk data
encryptedData, err := s3a.downloadChunkData(srcUrl, 0, int64(chunk.Size))
if err != nil {
return nil, nil, fmt.Errorf("download encrypted chunk data: %w", err)
}
var finalData []byte
var destIV []byte
// Decrypt if source is encrypted
if copySourceKey != nil {
// Get the per-chunk SSE-C metadata
if len(chunk.GetSseMetadata()) == 0 {
return nil, nil, fmt.Errorf("SSE-C chunk missing per-chunk metadata")
}
// Deserialize the SSE-C metadata
ssecMetadata, err := DeserializeSSECMetadata(chunk.GetSseMetadata())
if err != nil {
return nil, nil, fmt.Errorf("failed to deserialize SSE-C metadata: %w", err)
}
// Decode the IV from the metadata
chunkBaseIV, err := base64.StdEncoding.DecodeString(ssecMetadata.IV)
if err != nil {
return nil, nil, fmt.Errorf("failed to decode chunk IV: %w", err)
}
// Calculate the correct IV for this chunk using within-part offset
var chunkIV []byte
if ssecMetadata.PartOffset > 0 {
chunkIV = calculateIVWithOffset(chunkBaseIV, ssecMetadata.PartOffset)
} else {
chunkIV = chunkBaseIV
}
// Decrypt the chunk data
decryptedReader, decErr := CreateSSECDecryptedReader(bytes.NewReader(encryptedData), copySourceKey, chunkIV)
if decErr != nil {
return nil, nil, fmt.Errorf("create decrypted reader: %w", decErr)
}
decryptedData, readErr := io.ReadAll(decryptedReader)
if readErr != nil {
return nil, nil, fmt.Errorf("decrypt chunk data: %w", readErr)
}
finalData = decryptedData
glog.V(4).Infof("Decrypted multipart SSE-C chunk: %d bytes → %d bytes", len(encryptedData), len(finalData))
} else {
// Source is unencrypted
finalData = encryptedData
}
// Re-encrypt if destination should be encrypted
if destKey != nil {
// Generate new IV for this chunk
newIV := make([]byte, s3_constants.AESBlockSize)
if _, err := rand.Read(newIV); err != nil {
return nil, nil, fmt.Errorf("generate IV: %w", err)
}
destIV = newIV
// Encrypt with new key and IV
encryptedReader, iv, encErr := CreateSSECEncryptedReader(bytes.NewReader(finalData), destKey)
if encErr != nil {
return nil, nil, fmt.Errorf("create encrypted reader: %w", encErr)
}
destIV = iv
reencryptedData, readErr := io.ReadAll(encryptedReader)
if readErr != nil {
return nil, nil, fmt.Errorf("re-encrypt chunk data: %w", readErr)
}
finalData = reencryptedData
// Create per-chunk SSE-C metadata for the destination chunk
ssecMetadata, err := SerializeSSECMetadata(destIV, destKey.KeyMD5, 0) // partOffset=0 for copied chunks
if err != nil {
return nil, nil, fmt.Errorf("serialize SSE-C metadata: %w", err)
}
// Set the SSE type and metadata on destination chunk
dstChunk.SseType = filer_pb.SSEType_SSE_C
dstChunk.SseMetadata = ssecMetadata // Use unified metadata field
glog.V(4).Infof("Re-encrypted multipart SSE-C chunk: %d bytes → %d bytes", len(finalData)-len(reencryptedData)+len(finalData), len(finalData))
}
// Upload the final data
if err := s3a.uploadChunkData(finalData, assignResult); err != nil {
return nil, nil, fmt.Errorf("upload chunk data: %w", err)
}
// Update chunk size
dstChunk.Size = uint64(len(finalData))
glog.V(3).Infof("Successfully copied multipart SSE-C chunk %s → %s",
chunk.GetFileIdString(), dstChunk.GetFileIdString())
return dstChunk, destIV, nil
}
// copyMultipartCrossEncryption handles all cross-encryption and decrypt-only copy scenarios
// This unified function supports: SSE-C↔SSE-KMS, SSE-C→Plain, SSE-KMS→Plain
func (s3a *S3ApiServer) copyMultipartCrossEncryption(entry *filer_pb.Entry, r *http.Request, state *EncryptionState, dstBucket, dstPath string) ([]*filer_pb.FileChunk, map[string][]byte, error) {
glog.Infof("copyMultipartCrossEncryption called: %s→%s, path=%s",
s3a.getEncryptionTypeString(state.SrcSSEC, state.SrcSSEKMS, false),
s3a.getEncryptionTypeString(state.DstSSEC, state.DstSSEKMS, false), dstPath)
var dstChunks []*filer_pb.FileChunk
// Parse destination encryption parameters
var destSSECKey *SSECustomerKey
var destKMSKeyID string
var destKMSEncryptionContext map[string]string
var destKMSBucketKeyEnabled bool
if state.DstSSEC {
var err error
destSSECKey, err = ParseSSECHeaders(r)
if err != nil {
return nil, nil, fmt.Errorf("failed to parse destination SSE-C headers: %w", err)
}
glog.Infof("Destination SSE-C: keyMD5=%s", destSSECKey.KeyMD5)
} else if state.DstSSEKMS {
var err error
destKMSKeyID, destKMSEncryptionContext, destKMSBucketKeyEnabled, err = ParseSSEKMSCopyHeaders(r)
if err != nil {
return nil, nil, fmt.Errorf("failed to parse destination SSE-KMS headers: %w", err)
}
glog.Infof("Destination SSE-KMS: keyID=%s, bucketKey=%t", destKMSKeyID, destKMSBucketKeyEnabled)
} else {
glog.Infof("Destination: Unencrypted")
}
// Parse source encryption parameters
var sourceSSECKey *SSECustomerKey
if state.SrcSSEC {
var err error
sourceSSECKey, err = ParseSSECCopySourceHeaders(r)
if err != nil {
return nil, nil, fmt.Errorf("failed to parse source SSE-C headers: %w", err)
}
glog.Infof("Source SSE-C: keyMD5=%s", sourceSSECKey.KeyMD5)
}
// Process each chunk with unified cross-encryption logic
for _, chunk := range entry.GetChunks() {
var copiedChunk *filer_pb.FileChunk
var err error
if chunk.GetSseType() == filer_pb.SSEType_SSE_C {
copiedChunk, err = s3a.copyCrossEncryptionChunk(chunk, sourceSSECKey, destSSECKey, destKMSKeyID, destKMSEncryptionContext, destKMSBucketKeyEnabled, dstPath, dstBucket, state)
} else if chunk.GetSseType() == filer_pb.SSEType_SSE_KMS {
copiedChunk, err = s3a.copyCrossEncryptionChunk(chunk, nil, destSSECKey, destKMSKeyID, destKMSEncryptionContext, destKMSBucketKeyEnabled, dstPath, dstBucket, state)
} else {
// Unencrypted chunk, copy directly
copiedChunk, err = s3a.copySingleChunk(chunk, dstPath)
}
if err != nil {
return nil, nil, fmt.Errorf("failed to copy chunk %s: %w", chunk.GetFileIdString(), err)
}
dstChunks = append(dstChunks, copiedChunk)
}
// Create destination metadata based on destination encryption type
dstMetadata := make(map[string][]byte)
// Clear any previous encryption metadata to avoid routing conflicts
if state.SrcSSEKMS && state.DstSSEC {
// SSE-KMS → SSE-C: Remove SSE-KMS headers
// These will be excluded from dstMetadata, effectively removing them
} else if state.SrcSSEC && state.DstSSEKMS {
// SSE-C → SSE-KMS: Remove SSE-C headers
// These will be excluded from dstMetadata, effectively removing them
} else if !state.DstSSEC && !state.DstSSEKMS {
// Encrypted → Unencrypted: Remove all encryption metadata
// These will be excluded from dstMetadata, effectively removing them
}
if state.DstSSEC && destSSECKey != nil {
// For SSE-C destination, use first chunk's IV for compatibility
if len(dstChunks) > 0 && dstChunks[0].GetSseType() == filer_pb.SSEType_SSE_C && len(dstChunks[0].GetSseMetadata()) > 0 {
if ssecMetadata, err := DeserializeSSECMetadata(dstChunks[0].GetSseMetadata()); err == nil {
if iv, ivErr := base64.StdEncoding.DecodeString(ssecMetadata.IV); ivErr == nil {
StoreIVInMetadata(dstMetadata, iv)
dstMetadata[s3_constants.AmzServerSideEncryptionCustomerAlgorithm] = []byte("AES256")
dstMetadata[s3_constants.AmzServerSideEncryptionCustomerKeyMD5] = []byte(destSSECKey.KeyMD5)
glog.Infof("✅ Created SSE-C object-level metadata from first chunk")
}
}
}
} else if state.DstSSEKMS && destKMSKeyID != "" {
// For SSE-KMS destination, create object-level metadata
if destKMSEncryptionContext == nil {
destKMSEncryptionContext = BuildEncryptionContext(dstBucket, dstPath, destKMSBucketKeyEnabled)
}
sseKey := &SSEKMSKey{
KeyID: destKMSKeyID,
EncryptionContext: destKMSEncryptionContext,
BucketKeyEnabled: destKMSBucketKeyEnabled,
}
if kmsMetadata, serErr := SerializeSSEKMSMetadata(sseKey); serErr == nil {
dstMetadata[s3_constants.SeaweedFSSSEKMSKey] = kmsMetadata
glog.Infof("✅ Created SSE-KMS object-level metadata")
} else {
glog.Errorf("❌ Failed to serialize SSE-KMS metadata: %v", serErr)
}
}
// For unencrypted destination, no metadata needed (dstMetadata remains empty)
return dstChunks, dstMetadata, nil
}
// copyCrossEncryptionChunk handles copying a single chunk with cross-encryption support
func (s3a *S3ApiServer) copyCrossEncryptionChunk(chunk *filer_pb.FileChunk, sourceSSECKey *SSECustomerKey, destSSECKey *SSECustomerKey, destKMSKeyID string, destKMSEncryptionContext map[string]string, destKMSBucketKeyEnabled bool, dstPath, dstBucket string, state *EncryptionState) (*filer_pb.FileChunk, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(chunk, chunk.Offset, chunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(chunk.GetFileIdString(), dstPath)
if err != nil {
return nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, err
}
// Download encrypted chunk data
encryptedData, err := s3a.downloadChunkData(srcUrl, 0, int64(chunk.Size))
if err != nil {
return nil, fmt.Errorf("download encrypted chunk data: %w", err)
}
var finalData []byte
// Step 1: Decrypt source data
if chunk.GetSseType() == filer_pb.SSEType_SSE_C {
// Decrypt SSE-C source
if len(chunk.GetSseMetadata()) == 0 {
return nil, fmt.Errorf("SSE-C chunk missing per-chunk metadata")
}
ssecMetadata, err := DeserializeSSECMetadata(chunk.GetSseMetadata())
if err != nil {
return nil, fmt.Errorf("failed to deserialize SSE-C metadata: %w", err)
}
chunkBaseIV, err := base64.StdEncoding.DecodeString(ssecMetadata.IV)
if err != nil {
return nil, fmt.Errorf("failed to decode chunk IV: %w", err)
}
// Calculate the correct IV for this chunk using within-part offset
var chunkIV []byte
if ssecMetadata.PartOffset > 0 {
chunkIV = calculateIVWithOffset(chunkBaseIV, ssecMetadata.PartOffset)
} else {
chunkIV = chunkBaseIV
}
decryptedReader, decErr := CreateSSECDecryptedReader(bytes.NewReader(encryptedData), sourceSSECKey, chunkIV)
if decErr != nil {
return nil, fmt.Errorf("create SSE-C decrypted reader: %w", decErr)
}
decryptedData, readErr := io.ReadAll(decryptedReader)
if readErr != nil {
return nil, fmt.Errorf("decrypt SSE-C chunk data: %w", readErr)
}
finalData = decryptedData
previewLen := 16
if len(finalData) < previewLen {
previewLen = len(finalData)
}
} else if chunk.GetSseType() == filer_pb.SSEType_SSE_KMS {
// Decrypt SSE-KMS source
if len(chunk.GetSseMetadata()) == 0 {
return nil, fmt.Errorf("SSE-KMS chunk missing per-chunk metadata")
}
sourceSSEKey, err := DeserializeSSEKMSMetadata(chunk.GetSseMetadata())
if err != nil {
return nil, fmt.Errorf("failed to deserialize SSE-KMS metadata: %w", err)
}
decryptedReader, decErr := CreateSSEKMSDecryptedReader(bytes.NewReader(encryptedData), sourceSSEKey)
if decErr != nil {
return nil, fmt.Errorf("create SSE-KMS decrypted reader: %w", decErr)
}
decryptedData, readErr := io.ReadAll(decryptedReader)
if readErr != nil {
return nil, fmt.Errorf("decrypt SSE-KMS chunk data: %w", readErr)
}
finalData = decryptedData
previewLen := 16
if len(finalData) < previewLen {
previewLen = len(finalData)
}
} else {
// Source is unencrypted
finalData = encryptedData
}
// Step 2: Re-encrypt with destination encryption (if any)
if state.DstSSEC && destSSECKey != nil {
// Encrypt with SSE-C
encryptedReader, iv, encErr := CreateSSECEncryptedReader(bytes.NewReader(finalData), destSSECKey)
if encErr != nil {
return nil, fmt.Errorf("create SSE-C encrypted reader: %w", encErr)
}
reencryptedData, readErr := io.ReadAll(encryptedReader)
if readErr != nil {
return nil, fmt.Errorf("re-encrypt with SSE-C: %w", readErr)
}
finalData = reencryptedData
// Create per-chunk SSE-C metadata (offset=0 for cross-encryption copies)
ssecMetadata, err := SerializeSSECMetadata(iv, destSSECKey.KeyMD5, 0)
if err != nil {
return nil, fmt.Errorf("serialize SSE-C metadata: %w", err)
}
dstChunk.SseType = filer_pb.SSEType_SSE_C
dstChunk.SseMetadata = ssecMetadata
previewLen := 16
if len(finalData) < previewLen {
previewLen = len(finalData)
}
} else if state.DstSSEKMS && destKMSKeyID != "" {
// Encrypt with SSE-KMS
if destKMSEncryptionContext == nil {
destKMSEncryptionContext = BuildEncryptionContext(dstBucket, dstPath, destKMSBucketKeyEnabled)
}
encryptedReader, destSSEKey, encErr := CreateSSEKMSEncryptedReaderWithBucketKey(bytes.NewReader(finalData), destKMSKeyID, destKMSEncryptionContext, destKMSBucketKeyEnabled)
if encErr != nil {
return nil, fmt.Errorf("create SSE-KMS encrypted reader: %w", encErr)
}
reencryptedData, readErr := io.ReadAll(encryptedReader)
if readErr != nil {
return nil, fmt.Errorf("re-encrypt with SSE-KMS: %w", readErr)
}
finalData = reencryptedData
// Create per-chunk SSE-KMS metadata (offset=0 for cross-encryption copies)
destSSEKey.ChunkOffset = 0
kmsMetadata, err := SerializeSSEKMSMetadata(destSSEKey)
if err != nil {
return nil, fmt.Errorf("serialize SSE-KMS metadata: %w", err)
}
dstChunk.SseType = filer_pb.SSEType_SSE_KMS
dstChunk.SseMetadata = kmsMetadata
glog.V(4).Infof("Re-encrypted chunk with SSE-KMS")
}
// For unencrypted destination, finalData remains as decrypted plaintext
// Upload the final data
if err := s3a.uploadChunkData(finalData, assignResult); err != nil {
return nil, fmt.Errorf("upload chunk data: %w", err)
}
// Update chunk size
dstChunk.Size = uint64(len(finalData))
glog.V(3).Infof("Successfully copied cross-encryption chunk %s → %s",
chunk.GetFileIdString(), dstChunk.GetFileIdString())
return dstChunk, nil
}
// getEncryptionTypeString returns a string representation of encryption type for logging
func (s3a *S3ApiServer) getEncryptionTypeString(isSSEC, isSSEKMS, isSSES3 bool) string {
if isSSEC {
return s3_constants.SSETypeC
} else if isSSEKMS {
return s3_constants.SSETypeKMS
} else if isSSES3 {
return s3_constants.SSETypeS3
}
return "Plain"
}
// copyChunksWithSSEC handles SSE-C aware copying with smart fast/slow path selection
// Returns chunks and destination metadata that should be applied to the destination entry
func (s3a *S3ApiServer) copyChunksWithSSEC(entry *filer_pb.Entry, r *http.Request) ([]*filer_pb.FileChunk, map[string][]byte, error) {
glog.Infof("copyChunksWithSSEC called for %s with %d chunks", r.URL.Path, len(entry.GetChunks()))
// Parse SSE-C headers
copySourceKey, err := ParseSSECCopySourceHeaders(r)
if err != nil {
glog.Errorf("Failed to parse SSE-C copy source headers: %v", err)
return nil, nil, err
}
destKey, err := ParseSSECHeaders(r)
if err != nil {
glog.Errorf("Failed to parse SSE-C headers: %v", err)
return nil, nil, err
}
// Check if this is a multipart SSE-C object
isMultipartSSEC := false
sseCChunks := 0
for i, chunk := range entry.GetChunks() {
glog.V(4).Infof("Chunk %d: sseType=%d, hasMetadata=%t", i, chunk.GetSseType(), len(chunk.GetSseMetadata()) > 0)
if chunk.GetSseType() == filer_pb.SSEType_SSE_C {
sseCChunks++
}
}
isMultipartSSEC = sseCChunks > 1
glog.Infof("SSE-C copy analysis: total chunks=%d, sseC chunks=%d, isMultipart=%t", len(entry.GetChunks()), sseCChunks, isMultipartSSEC)
if isMultipartSSEC {
glog.V(2).Infof("Detected multipart SSE-C object with %d encrypted chunks for copy", sseCChunks)
return s3a.copyMultipartSSECChunks(entry, copySourceKey, destKey, r.URL.Path)
}
// Single-part SSE-C object: use original logic
// Determine copy strategy
strategy, err := DetermineSSECCopyStrategy(entry.Extended, copySourceKey, destKey)
if err != nil {
return nil, nil, err
}
glog.V(2).Infof("SSE-C copy strategy for single-part %s: %v", r.URL.Path, strategy)
switch strategy {
case SSECCopyStrategyDirect:
// FAST PATH: Direct chunk copy
glog.V(2).Infof("Using fast path: direct chunk copy for %s", r.URL.Path)
chunks, err := s3a.copyChunks(entry, r.URL.Path)
return chunks, nil, err
case SSECCopyStrategyDecryptEncrypt:
// SLOW PATH: Decrypt and re-encrypt
glog.V(2).Infof("Using slow path: decrypt/re-encrypt for %s", r.URL.Path)
chunks, destIV, err := s3a.copyChunksWithReencryption(entry, copySourceKey, destKey, r.URL.Path)
if err != nil {
return nil, nil, err
}
// Create destination metadata with IV and SSE-C headers
dstMetadata := make(map[string][]byte)
if destKey != nil && len(destIV) > 0 {
// Store the IV
StoreIVInMetadata(dstMetadata, destIV)
// Store SSE-C algorithm and key MD5 for proper metadata
dstMetadata[s3_constants.AmzServerSideEncryptionCustomerAlgorithm] = []byte("AES256")
dstMetadata[s3_constants.AmzServerSideEncryptionCustomerKeyMD5] = []byte(destKey.KeyMD5)
glog.V(2).Infof("Prepared IV and SSE-C metadata for destination copy: %s", r.URL.Path)
}
return chunks, dstMetadata, nil
default:
return nil, nil, fmt.Errorf("unknown SSE-C copy strategy: %v", strategy)
}
}
// copyChunksWithReencryption handles the slow path: decrypt source and re-encrypt for destination
// Returns the destination chunks and the IV used for encryption (if any)
func (s3a *S3ApiServer) copyChunksWithReencryption(entry *filer_pb.Entry, copySourceKey *SSECustomerKey, destKey *SSECustomerKey, dstPath string) ([]*filer_pb.FileChunk, []byte, error) {
dstChunks := make([]*filer_pb.FileChunk, len(entry.GetChunks()))
const defaultChunkCopyConcurrency = 4
executor := util.NewLimitedConcurrentExecutor(defaultChunkCopyConcurrency) // Limit to configurable concurrent operations
errChan := make(chan error, len(entry.GetChunks()))
// Generate a single IV for the destination object (if destination is encrypted)
var destIV []byte
if destKey != nil {
destIV = make([]byte, s3_constants.AESBlockSize)
if _, err := io.ReadFull(rand.Reader, destIV); err != nil {
return nil, nil, fmt.Errorf("failed to generate destination IV: %w", err)
}
}
for i, chunk := range entry.GetChunks() {
chunkIndex := i
executor.Execute(func() {
dstChunk, err := s3a.copyChunkWithReencryption(chunk, copySourceKey, destKey, dstPath, entry.Extended, destIV)
if err != nil {
errChan <- fmt.Errorf("chunk %d: %v", chunkIndex, err)
return
}
dstChunks[chunkIndex] = dstChunk
errChan <- nil
})
}
// Wait for all operations to complete and check for errors
for i := 0; i < len(entry.GetChunks()); i++ {
if err := <-errChan; err != nil {
return nil, nil, err
}
}
return dstChunks, destIV, nil
}
// copyChunkWithReencryption copies a single chunk with decrypt/re-encrypt
func (s3a *S3ApiServer) copyChunkWithReencryption(chunk *filer_pb.FileChunk, copySourceKey *SSECustomerKey, destKey *SSECustomerKey, dstPath string, srcMetadata map[string][]byte, destIV []byte) (*filer_pb.FileChunk, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(chunk, chunk.Offset, chunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(chunk.GetFileIdString(), dstPath)
if err != nil {
return nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, err
}
// Download encrypted chunk data
encryptedData, err := s3a.downloadChunkData(srcUrl, 0, int64(chunk.Size))
if err != nil {
return nil, fmt.Errorf("download encrypted chunk data: %w", err)
}
var finalData []byte
// Decrypt if source is encrypted
if copySourceKey != nil {
// Get IV from source metadata
srcIV, err := GetIVFromMetadata(srcMetadata)
if err != nil {
return nil, fmt.Errorf("failed to get IV from metadata: %w", err)
}
// Use counter offset based on chunk position in the original object
decryptedReader, decErr := CreateSSECDecryptedReaderWithOffset(bytes.NewReader(encryptedData), copySourceKey, srcIV, uint64(chunk.Offset))
if decErr != nil {
return nil, fmt.Errorf("create decrypted reader: %w", decErr)
}
decryptedData, readErr := io.ReadAll(decryptedReader)
if readErr != nil {
return nil, fmt.Errorf("decrypt chunk data: %w", readErr)
}
finalData = decryptedData
} else {
// Source is unencrypted
finalData = encryptedData
}
// Re-encrypt if destination should be encrypted
if destKey != nil {
// Use the provided destination IV with counter offset based on chunk position
// This ensures all chunks of the same object use the same IV with different counters
encryptedReader, encErr := CreateSSECEncryptedReaderWithOffset(bytes.NewReader(finalData), destKey, destIV, uint64(chunk.Offset))
if encErr != nil {
return nil, fmt.Errorf("create encrypted reader: %w", encErr)
}
reencryptedData, readErr := io.ReadAll(encryptedReader)
if readErr != nil {
return nil, fmt.Errorf("re-encrypt chunk data: %w", readErr)
}
finalData = reencryptedData
// Update chunk size to include IV
dstChunk.Size = uint64(len(finalData))
}
// Upload the processed data
if err := s3a.uploadChunkData(finalData, assignResult); err != nil {
return nil, fmt.Errorf("upload processed chunk data: %w", err)
}
return dstChunk, nil
}
// copyChunksWithSSEKMS handles SSE-KMS aware copying with smart fast/slow path selection
// Returns chunks and destination metadata like SSE-C for consistency
func (s3a *S3ApiServer) copyChunksWithSSEKMS(entry *filer_pb.Entry, r *http.Request, bucket string) ([]*filer_pb.FileChunk, map[string][]byte, error) {
glog.Infof("copyChunksWithSSEKMS called for %s with %d chunks", r.URL.Path, len(entry.GetChunks()))
// Parse SSE-KMS headers from copy request
destKeyID, encryptionContext, bucketKeyEnabled, err := ParseSSEKMSCopyHeaders(r)
if err != nil {
return nil, nil, err
}
// Check if this is a multipart SSE-KMS object
isMultipartSSEKMS := false
sseKMSChunks := 0
for i, chunk := range entry.GetChunks() {
glog.V(4).Infof("Chunk %d: sseType=%d, hasKMSMetadata=%t", i, chunk.GetSseType(), len(chunk.GetSseMetadata()) > 0)
if chunk.GetSseType() == filer_pb.SSEType_SSE_KMS {
sseKMSChunks++
}
}
isMultipartSSEKMS = sseKMSChunks > 1
glog.Infof("SSE-KMS copy analysis: total chunks=%d, sseKMS chunks=%d, isMultipart=%t", len(entry.GetChunks()), sseKMSChunks, isMultipartSSEKMS)
if isMultipartSSEKMS {
glog.V(2).Infof("Detected multipart SSE-KMS object with %d encrypted chunks for copy", sseKMSChunks)
return s3a.copyMultipartSSEKMSChunks(entry, destKeyID, encryptionContext, bucketKeyEnabled, r.URL.Path, bucket)
}
// Single-part SSE-KMS object: use existing logic
// If no SSE-KMS headers and source is not SSE-KMS encrypted, use regular copy
if destKeyID == "" && !IsSSEKMSEncrypted(entry.Extended) {
chunks, err := s3a.copyChunks(entry, r.URL.Path)
return chunks, nil, err
}
// Apply bucket default encryption if no explicit key specified
if destKeyID == "" {
bucketMetadata, err := s3a.getBucketMetadata(bucket)
if err != nil {
glog.V(2).Infof("Could not get bucket metadata for default encryption: %v", err)
} else if bucketMetadata != nil && bucketMetadata.Encryption != nil && bucketMetadata.Encryption.SseAlgorithm == "aws:kms" {
destKeyID = bucketMetadata.Encryption.KmsKeyId
bucketKeyEnabled = bucketMetadata.Encryption.BucketKeyEnabled
}
}
// Determine copy strategy
strategy, err := DetermineSSEKMSCopyStrategy(entry.Extended, destKeyID)
if err != nil {
return nil, nil, err
}
glog.V(2).Infof("SSE-KMS copy strategy for %s: %v", r.URL.Path, strategy)
switch strategy {
case SSEKMSCopyStrategyDirect:
// FAST PATH: Direct chunk copy (same key or both unencrypted)
glog.V(2).Infof("Using fast path: direct chunk copy for %s", r.URL.Path)
chunks, err := s3a.copyChunks(entry, r.URL.Path)
// For direct copy, generate destination metadata if we're encrypting to SSE-KMS
var dstMetadata map[string][]byte
if destKeyID != "" {
dstMetadata = make(map[string][]byte)
if encryptionContext == nil {
encryptionContext = BuildEncryptionContext(bucket, r.URL.Path, bucketKeyEnabled)
}
sseKey := &SSEKMSKey{
KeyID: destKeyID,
EncryptionContext: encryptionContext,
BucketKeyEnabled: bucketKeyEnabled,
}
if kmsMetadata, serializeErr := SerializeSSEKMSMetadata(sseKey); serializeErr == nil {
dstMetadata[s3_constants.SeaweedFSSSEKMSKey] = kmsMetadata
glog.V(3).Infof("Generated SSE-KMS metadata for direct copy: keyID=%s", destKeyID)
} else {
glog.Errorf("Failed to serialize SSE-KMS metadata for direct copy: %v", serializeErr)
}
}
return chunks, dstMetadata, err
case SSEKMSCopyStrategyDecryptEncrypt:
// SLOW PATH: Decrypt source and re-encrypt for destination
glog.V(2).Infof("Using slow path: decrypt/re-encrypt for %s", r.URL.Path)
return s3a.copyChunksWithSSEKMSReencryption(entry, destKeyID, encryptionContext, bucketKeyEnabled, r.URL.Path, bucket)
default:
return nil, nil, fmt.Errorf("unknown SSE-KMS copy strategy: %v", strategy)
}
}
// copyChunksWithSSEKMSReencryption handles the slow path: decrypt source and re-encrypt for destination
// Returns chunks and destination metadata like SSE-C for consistency
func (s3a *S3ApiServer) copyChunksWithSSEKMSReencryption(entry *filer_pb.Entry, destKeyID string, encryptionContext map[string]string, bucketKeyEnabled bool, dstPath, bucket string) ([]*filer_pb.FileChunk, map[string][]byte, error) {
var dstChunks []*filer_pb.FileChunk
// Extract and deserialize source SSE-KMS metadata
var sourceSSEKey *SSEKMSKey
if keyData, exists := entry.Extended[s3_constants.SeaweedFSSSEKMSKey]; exists {
var err error
sourceSSEKey, err = DeserializeSSEKMSMetadata(keyData)
if err != nil {
return nil, nil, fmt.Errorf("failed to deserialize source SSE-KMS metadata: %w", err)
}
glog.V(3).Infof("Extracted source SSE-KMS key: keyID=%s, bucketKey=%t", sourceSSEKey.KeyID, sourceSSEKey.BucketKeyEnabled)
}
// Process chunks
for _, chunk := range entry.GetChunks() {
dstChunk, err := s3a.copyChunkWithSSEKMSReencryption(chunk, sourceSSEKey, destKeyID, encryptionContext, bucketKeyEnabled, dstPath, bucket)
if err != nil {
return nil, nil, fmt.Errorf("copy chunk with SSE-KMS re-encryption: %w", err)
}
dstChunks = append(dstChunks, dstChunk)
}
// Generate destination metadata for SSE-KMS encryption (consistent with SSE-C pattern)
dstMetadata := make(map[string][]byte)
if destKeyID != "" {
// Build encryption context if not provided
if encryptionContext == nil {
encryptionContext = BuildEncryptionContext(bucket, dstPath, bucketKeyEnabled)
}
// Create SSE-KMS key structure for destination metadata
sseKey := &SSEKMSKey{
KeyID: destKeyID,
EncryptionContext: encryptionContext,
BucketKeyEnabled: bucketKeyEnabled,
// Note: EncryptedDataKey will be generated during actual encryption
// IV is also generated per chunk during encryption
}
// Serialize SSE-KMS metadata for storage
kmsMetadata, err := SerializeSSEKMSMetadata(sseKey)
if err != nil {
return nil, nil, fmt.Errorf("serialize destination SSE-KMS metadata: %w", err)
}
dstMetadata[s3_constants.SeaweedFSSSEKMSKey] = kmsMetadata
glog.V(3).Infof("Generated destination SSE-KMS metadata: keyID=%s, bucketKey=%t", destKeyID, bucketKeyEnabled)
}
return dstChunks, dstMetadata, nil
}
// copyChunkWithSSEKMSReencryption copies a single chunk with SSE-KMS decrypt/re-encrypt
func (s3a *S3ApiServer) copyChunkWithSSEKMSReencryption(chunk *filer_pb.FileChunk, sourceSSEKey *SSEKMSKey, destKeyID string, encryptionContext map[string]string, bucketKeyEnabled bool, dstPath, bucket string) (*filer_pb.FileChunk, error) {
// Create destination chunk
dstChunk := s3a.createDestinationChunk(chunk, chunk.Offset, chunk.Size)
// Prepare chunk copy (assign new volume and get source URL)
assignResult, srcUrl, err := s3a.prepareChunkCopy(chunk.GetFileIdString(), dstPath)
if err != nil {
return nil, err
}
// Set file ID on destination chunk
if err := s3a.setChunkFileId(dstChunk, assignResult); err != nil {
return nil, err
}
// Download chunk data
chunkData, err := s3a.downloadChunkData(srcUrl, 0, int64(chunk.Size))
if err != nil {
return nil, fmt.Errorf("download chunk data: %w", err)
}
var finalData []byte
// Decrypt source data if it's SSE-KMS encrypted
if sourceSSEKey != nil {
// For SSE-KMS, the encrypted chunk data contains IV + encrypted content
// Use the source SSE key to decrypt the chunk data
decryptedReader, err := CreateSSEKMSDecryptedReader(bytes.NewReader(chunkData), sourceSSEKey)
if err != nil {
return nil, fmt.Errorf("create SSE-KMS decrypted reader: %w", err)
}
decryptedData, err := io.ReadAll(decryptedReader)
if err != nil {
return nil, fmt.Errorf("decrypt chunk data: %w", err)
}
finalData = decryptedData
glog.V(4).Infof("Decrypted chunk data: %d bytes → %d bytes", len(chunkData), len(finalData))
} else {
// Source is not SSE-KMS encrypted, use data as-is
finalData = chunkData
}
// Re-encrypt if destination should be SSE-KMS encrypted
if destKeyID != "" {
// Encryption context should already be provided by the caller
// But ensure we have a fallback for robustness
if encryptionContext == nil {
encryptionContext = BuildEncryptionContext(bucket, dstPath, bucketKeyEnabled)
}
encryptedReader, _, err := CreateSSEKMSEncryptedReaderWithBucketKey(bytes.NewReader(finalData), destKeyID, encryptionContext, bucketKeyEnabled)
if err != nil {
return nil, fmt.Errorf("create SSE-KMS encrypted reader: %w", err)
}
reencryptedData, err := io.ReadAll(encryptedReader)
if err != nil {
return nil, fmt.Errorf("re-encrypt chunk data: %w", err)
}
// Store original decrypted data size for logging
originalSize := len(finalData)
finalData = reencryptedData
glog.V(4).Infof("Re-encrypted chunk data: %d bytes → %d bytes", originalSize, len(finalData))
// Update chunk size to include IV and encryption overhead
dstChunk.Size = uint64(len(finalData))
}
// Upload the processed data
if err := s3a.uploadChunkData(finalData, assignResult); err != nil {
return nil, fmt.Errorf("upload processed chunk data: %w", err)
}
glog.V(3).Infof("Successfully processed SSE-KMS chunk re-encryption: src_key=%s, dst_key=%s, size=%d→%d",
getKeyIDString(sourceSSEKey), destKeyID, len(chunkData), len(finalData))
return dstChunk, nil
}
// getKeyIDString safely gets the KeyID from an SSEKMSKey, handling nil cases
func getKeyIDString(key *SSEKMSKey) string {
if key == nil {
return "none"
}
if key.KeyID == "" {
return "default"
}
return key.KeyID
}
// EncryptionHeaderContext holds encryption type information and header classifications
type EncryptionHeaderContext struct {
SrcSSEC, SrcSSEKMS, SrcSSES3 bool
DstSSEC, DstSSEKMS, DstSSES3 bool
IsSSECHeader, IsSSEKMSHeader, IsSSES3Header bool
}
// newEncryptionHeaderContext creates a context for encryption header processing
func newEncryptionHeaderContext(headerKey string, srcSSEC, srcSSEKMS, srcSSES3, dstSSEC, dstSSEKMS, dstSSES3 bool) *EncryptionHeaderContext {
return &EncryptionHeaderContext{
SrcSSEC: srcSSEC, SrcSSEKMS: srcSSEKMS, SrcSSES3: srcSSES3,
DstSSEC: dstSSEC, DstSSEKMS: dstSSEKMS, DstSSES3: dstSSES3,
IsSSECHeader: isSSECHeader(headerKey),
IsSSEKMSHeader: isSSEKMSHeader(headerKey, srcSSEKMS, dstSSEKMS),
IsSSES3Header: isSSES3Header(headerKey, srcSSES3, dstSSES3),
}
}
// isSSECHeader checks if the header is SSE-C specific
func isSSECHeader(headerKey string) bool {
return headerKey == s3_constants.AmzServerSideEncryptionCustomerAlgorithm ||
headerKey == s3_constants.AmzServerSideEncryptionCustomerKeyMD5 ||
headerKey == s3_constants.SeaweedFSSSEIV
}
// isSSEKMSHeader checks if the header is SSE-KMS specific
func isSSEKMSHeader(headerKey string, srcSSEKMS, dstSSEKMS bool) bool {
return (headerKey == s3_constants.AmzServerSideEncryption && (srcSSEKMS || dstSSEKMS)) ||
headerKey == s3_constants.AmzServerSideEncryptionAwsKmsKeyId ||
headerKey == s3_constants.SeaweedFSSSEKMSKey ||
headerKey == s3_constants.SeaweedFSSSEKMSKeyID ||
headerKey == s3_constants.SeaweedFSSSEKMSEncryption ||
headerKey == s3_constants.SeaweedFSSSEKMSBucketKeyEnabled ||
headerKey == s3_constants.SeaweedFSSSEKMSEncryptionContext ||
headerKey == s3_constants.SeaweedFSSSEKMSBaseIV
}
// isSSES3Header checks if the header is SSE-S3 specific
func isSSES3Header(headerKey string, srcSSES3, dstSSES3 bool) bool {
return (headerKey == s3_constants.AmzServerSideEncryption && (srcSSES3 || dstSSES3)) ||
headerKey == s3_constants.SeaweedFSSSES3Key ||
headerKey == s3_constants.SeaweedFSSSES3Encryption ||
headerKey == s3_constants.SeaweedFSSSES3BaseIV ||
headerKey == s3_constants.SeaweedFSSSES3KeyData
}
// shouldSkipCrossEncryptionHeader handles cross-encryption copy scenarios
func (ctx *EncryptionHeaderContext) shouldSkipCrossEncryptionHeader() bool {
// SSE-C to SSE-KMS: skip SSE-C headers
if ctx.SrcSSEC && ctx.DstSSEKMS && ctx.IsSSECHeader {
return true
}
// SSE-KMS to SSE-C: skip SSE-KMS headers
if ctx.SrcSSEKMS && ctx.DstSSEC && ctx.IsSSEKMSHeader {
return true
}
// SSE-C to SSE-S3: skip SSE-C headers
if ctx.SrcSSEC && ctx.DstSSES3 && ctx.IsSSECHeader {
return true
}
// SSE-S3 to SSE-C: skip SSE-S3 headers
if ctx.SrcSSES3 && ctx.DstSSEC && ctx.IsSSES3Header {
return true
}
// SSE-KMS to SSE-S3: skip SSE-KMS headers
if ctx.SrcSSEKMS && ctx.DstSSES3 && ctx.IsSSEKMSHeader {
return true
}
// SSE-S3 to SSE-KMS: skip SSE-S3 headers
if ctx.SrcSSES3 && ctx.DstSSEKMS && ctx.IsSSES3Header {
return true
}
return false
}
// shouldSkipEncryptedToUnencryptedHeader handles encrypted to unencrypted copy scenarios
func (ctx *EncryptionHeaderContext) shouldSkipEncryptedToUnencryptedHeader() bool {
// Skip all encryption headers when copying from encrypted to unencrypted
hasSourceEncryption := ctx.SrcSSEC || ctx.SrcSSEKMS || ctx.SrcSSES3
hasDestinationEncryption := ctx.DstSSEC || ctx.DstSSEKMS || ctx.DstSSES3
isAnyEncryptionHeader := ctx.IsSSECHeader || ctx.IsSSEKMSHeader || ctx.IsSSES3Header
return hasSourceEncryption && !hasDestinationEncryption && isAnyEncryptionHeader
}
// shouldSkipEncryptionHeader determines if a header should be skipped when copying extended attributes
// based on the source and destination encryption types. This consolidates the repetitive logic for
// filtering encryption-related headers during copy operations.
func shouldSkipEncryptionHeader(headerKey string,
srcSSEC, srcSSEKMS, srcSSES3 bool,
dstSSEC, dstSSEKMS, dstSSES3 bool) bool {
// Create context to reduce complexity and improve testability
ctx := newEncryptionHeaderContext(headerKey, srcSSEC, srcSSEKMS, srcSSES3, dstSSEC, dstSSEKMS, dstSSES3)
// If it's not an encryption header, don't skip it
if !ctx.IsSSECHeader && !ctx.IsSSEKMSHeader && !ctx.IsSSES3Header {
return false
}
// Handle cross-encryption scenarios (different encryption types)
if ctx.shouldSkipCrossEncryptionHeader() {
return true
}
// Handle encrypted to unencrypted scenarios
if ctx.shouldSkipEncryptedToUnencryptedHeader() {
return true
}
// Default: don't skip the header
return false
}
Reference in a new issue View git blame Copy permalink