constellation/s3proxy/internal/router/object.go

221 lines
7.2 KiB
Go
Raw Normal View History

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package router
import (
"context"
"encoding/hex"
"io"
"net/http"
"net/url"
"regexp"
"strconv"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/s3proxy/internal/crypto"
"go.uber.org/zap"
)
const (
// dekTag is the name of the header that holds the encrypted data encryption key for the attached object. Presence of the key implies the object needs to be decrypted.
// Use lowercase only, as AWS automatically lowercases all metadata keys.
dekTag = "constellation-dek"
)
// object bundles data to implement http.Handler methods that use data from incoming requests.
type object struct {
kek [32]byte
client s3Client
key string
bucket string
data []byte
query url.Values
tags string
contentType string
metadata map[string]string
objectLockLegalHoldStatus string
objectLockMode string
objectLockRetainUntilDate time.Time
sseCustomerAlgorithm string
sseCustomerKey string
sseCustomerKeyMD5 string
log *logger.Logger
}
// get is a http.HandlerFunc that implements the GET method for objects.
func (o object) get(w http.ResponseWriter, r *http.Request) {
o.log.With(zap.String("key", o.key), zap.String("host", o.bucket)).Debugf("getObject")
versionID, ok := o.query["versionId"]
if !ok {
versionID = []string{""}
}
output, err := o.client.GetObject(r.Context(), o.bucket, o.key, versionID[0], o.sseCustomerAlgorithm, o.sseCustomerKey, o.sseCustomerKeyMD5)
if err != nil {
// log with Info as it might be expected behavior (e.g. object not found).
o.log.With(zap.Error(err)).Errorf("GetObject sending request to S3")
// We want to forward error codes from the s3 API to clients as much as possible.
code := parseErrorCode(err)
if code != 0 {
http.Error(w, err.Error(), code)
return
}
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
if output.ETag != nil {
w.Header().Set("ETag", strings.Trim(*output.ETag, "\""))
}
if output.Expiration != nil {
w.Header().Set("x-amz-expiration", *output.Expiration)
}
if output.ChecksumCRC32 != nil {
w.Header().Set("x-amz-checksum-crc32", *output.ChecksumCRC32)
}
if output.ChecksumCRC32C != nil {
w.Header().Set("x-amz-checksum-crc32c", *output.ChecksumCRC32C)
}
if output.ChecksumSHA1 != nil {
w.Header().Set("x-amz-checksum-sha1", *output.ChecksumSHA1)
}
if output.ChecksumSHA256 != nil {
w.Header().Set("x-amz-checksum-sha256", *output.ChecksumSHA256)
}
if output.SSECustomerAlgorithm != nil {
w.Header().Set("x-amz-server-side-encryption-customer-algorithm", *output.SSECustomerAlgorithm)
}
if output.SSECustomerKeyMD5 != nil {
w.Header().Set("x-amz-server-side-encryption-customer-key-MD5", *output.SSECustomerKeyMD5)
}
if output.SSEKMSKeyId != nil {
w.Header().Set("x-amz-server-side-encryption-aws-kms-key-id", *output.SSEKMSKeyId)
}
if output.ServerSideEncryption != "" {
w.Header().Set("x-amz-server-side-encryption-context", string(output.ServerSideEncryption))
}
body, err := io.ReadAll(output.Body)
if err != nil {
o.log.With(zap.Error(err)).Errorf("GetObject reading S3 response")
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
plaintext := body
rawEncryptedDEK, ok := output.Metadata[dekTag]
if ok {
encryptedDEK, err := hex.DecodeString(rawEncryptedDEK)
if err != nil {
o.log.Errorf("GetObject decoding DEK", "error", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
plaintext, err = crypto.Decrypt(body, encryptedDEK, o.kek)
if err != nil {
o.log.With(zap.Error(err)).Errorf("GetObject decrypting response")
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
}
w.WriteHeader(http.StatusOK)
if _, err := w.Write(plaintext); err != nil {
o.log.With(zap.Error(err)).Errorf("GetObject sending response")
}
}
// put is a http.HandlerFunc that implements the PUT method for objects.
func (o object) put(w http.ResponseWriter, r *http.Request) {
ciphertext, encryptedDEK, err := crypto.Encrypt(o.data, o.kek)
if err != nil {
o.log.With(zap.Error(err)).Errorf("PutObject")
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
o.metadata[dekTag] = hex.EncodeToString(encryptedDEK)
output, err := o.client.PutObject(r.Context(), o.bucket, o.key, o.tags, o.contentType, o.objectLockLegalHoldStatus, o.objectLockMode, o.sseCustomerAlgorithm, o.sseCustomerKey, o.sseCustomerKeyMD5, o.objectLockRetainUntilDate, o.metadata, ciphertext)
if err != nil {
o.log.With(zap.Error(err)).Errorf("PutObject sending request to S3")
// We want to forward error codes from the s3 API to clients whenever possible.
code := parseErrorCode(err)
if code != 0 {
http.Error(w, err.Error(), code)
return
}
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Header().Set("x-amz-server-side-encryption", string(output.ServerSideEncryption))
if output.VersionId != nil {
w.Header().Set("x-amz-version-id", *output.VersionId)
}
if output.ETag != nil {
w.Header().Set("ETag", strings.Trim(*output.ETag, "\""))
}
if output.Expiration != nil {
w.Header().Set("x-amz-expiration", *output.Expiration)
}
if output.ChecksumCRC32 != nil {
w.Header().Set("x-amz-checksum-crc32", *output.ChecksumCRC32)
}
if output.ChecksumCRC32C != nil {
w.Header().Set("x-amz-checksum-crc32c", *output.ChecksumCRC32C)
}
if output.ChecksumSHA1 != nil {
w.Header().Set("x-amz-checksum-sha1", *output.ChecksumSHA1)
}
if output.ChecksumSHA256 != nil {
w.Header().Set("x-amz-checksum-sha256", *output.ChecksumSHA256)
}
if output.SSECustomerAlgorithm != nil {
w.Header().Set("x-amz-server-side-encryption-customer-algorithm", *output.SSECustomerAlgorithm)
}
if output.SSECustomerKeyMD5 != nil {
w.Header().Set("x-amz-server-side-encryption-customer-key-MD5", *output.SSECustomerKeyMD5)
}
if output.SSEKMSKeyId != nil {
w.Header().Set("x-amz-server-side-encryption-aws-kms-key-id", *output.SSEKMSKeyId)
}
if output.SSEKMSEncryptionContext != nil {
w.Header().Set("x-amz-server-side-encryption-context", *output.SSEKMSEncryptionContext)
}
w.WriteHeader(http.StatusOK)
if _, err := w.Write(nil); err != nil {
o.log.With(zap.Error(err)).Errorf("PutObject sending response")
}
}
func parseErrorCode(err error) int {
regex := regexp.MustCompile(`https response error StatusCode: (\d+)`)
matches := regex.FindStringSubmatch(err.Error())
if len(matches) > 1 {
code, _ := strconv.Atoi(matches[1])
return code
}
return 0
}
type s3Client interface {
GetObject(ctx context.Context, bucket, key, versionID, sseCustomerAlgorithm, sseCustomerKey, sseCustomerKeyMD5 string) (*s3.GetObjectOutput, error)
PutObject(ctx context.Context, bucket, key, tags, contentType, objectLockLegalHoldStatus, objectLockMode, sseCustomerAlgorithm, sseCustomerKey, sseCustomerKeyMD5 string, objectLockRetainUntilDate time.Time, metadata map[string]string, body []byte) (*s3.PutObjectOutput, error)
}