mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2025-09-19 01:37:57 +08:00
2714b70955
* implement sse-c * fix Content-Range * adding tests * Update s3_sse_c_test.go * copy sse-c objects * adding tests * refactor * multi reader * remove extra write header call * refactor * SSE-C encrypted objects do not support HTTP Range requests * robust * fix server starts * Update Makefile * Update Makefile * ci: remove SSE-C integration tests and workflows; delete test/s3/encryption/ * s3: SSE-C MD5 must be base64 (case-sensitive); fix validation, comparisons, metadata storage; update tests * minor * base64 * Update SSE-C_IMPLEMENTATION.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update weed/s3api/s3api_object_handlers.go Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update SSE-C_IMPLEMENTATION.md Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * address comments * fix test * fix compilation --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
64 lines
2.2 KiB
Go
64 lines
2.2 KiB
Go
package s3api
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/md5"
|
|
"encoding/base64"
|
|
"io"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
)
|
|
|
|
// ResponseRecorder that also implements http.Flusher
|
|
type recorderFlusher struct{ *httptest.ResponseRecorder }
|
|
|
|
func (r recorderFlusher) Flush() {}
|
|
|
|
// TestSSECRangeRequestsNotSupported verifies that HTTP Range requests are rejected
|
|
// for SSE-C encrypted objects because the IV is required at the beginning of the stream
|
|
func TestSSECRangeRequestsNotSupported(t *testing.T) {
|
|
// Create a request with Range header and valid SSE-C headers
|
|
req := httptest.NewRequest(http.MethodGet, "/b/o", nil)
|
|
req.Header.Set("Range", "bytes=10-20")
|
|
req.Header.Set(s3_constants.AmzServerSideEncryptionCustomerAlgorithm, "AES256")
|
|
|
|
key := make([]byte, 32)
|
|
for i := range key {
|
|
key[i] = byte(i)
|
|
}
|
|
s := md5.Sum(key)
|
|
keyMD5 := base64.StdEncoding.EncodeToString(s[:])
|
|
|
|
req.Header.Set(s3_constants.AmzServerSideEncryptionCustomerKey, base64.StdEncoding.EncodeToString(key))
|
|
req.Header.Set(s3_constants.AmzServerSideEncryptionCustomerKeyMD5, keyMD5)
|
|
|
|
// Attach mux vars to avoid panic in error writer
|
|
req = mux.SetURLVars(req, map[string]string{"bucket": "b", "object": "o"})
|
|
|
|
// Create a mock HTTP response that simulates SSE-C encrypted object metadata
|
|
proxyResponse := &http.Response{
|
|
StatusCode: 200,
|
|
Header: make(http.Header),
|
|
Body: io.NopCloser(bytes.NewReader([]byte("mock encrypted data"))),
|
|
}
|
|
proxyResponse.Header.Set(s3_constants.AmzServerSideEncryptionCustomerAlgorithm, "AES256")
|
|
proxyResponse.Header.Set(s3_constants.AmzServerSideEncryptionCustomerKeyMD5, keyMD5)
|
|
|
|
// Call the function under test
|
|
s3a := &S3ApiServer{}
|
|
rec := httptest.NewRecorder()
|
|
w := recorderFlusher{rec}
|
|
statusCode, _ := s3a.handleSSECResponse(req, proxyResponse, w)
|
|
|
|
if statusCode != http.StatusRequestedRangeNotSatisfiable {
|
|
t.Fatalf("expected status %d, got %d", http.StatusRequestedRangeNotSatisfiable, statusCode)
|
|
}
|
|
if rec.Result().StatusCode != http.StatusRequestedRangeNotSatisfiable {
|
|
t.Fatalf("writer status expected %d, got %d", http.StatusRequestedRangeNotSatisfiable, rec.Result().StatusCode)
|
|
}
|
|
}
|