storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/cmd/crypto/metadata.go

storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/cmd/crypto/metadata.go (about)

     1  // MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //    http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package crypto
    16  
    17  import (
    18  	xhttp "storj.io/minio/cmd/http"
    19  )
    20  
    21  const (
    22  	// MetaMultipart indicates that the object has been uploaded
    23  	// in multiple parts - via the S3 multipart API.
    24  	MetaMultipart = "X-Minio-Internal-Encrypted-Multipart"
    25  
    26  	// MetaIV is the random initialization vector (IV) used for
    27  	// the MinIO-internal key derivation.
    28  	MetaIV = "X-Minio-Internal-Server-Side-Encryption-Iv"
    29  
    30  	// MetaAlgorithm is the algorithm used to derive internal keys
    31  	// and encrypt the objects.
    32  	MetaAlgorithm = "X-Minio-Internal-Server-Side-Encryption-Seal-Algorithm"
    33  
    34  	// MetaSealedKeySSEC is the sealed object encryption key in case of SSE-C.
    35  	MetaSealedKeySSEC = "X-Minio-Internal-Server-Side-Encryption-Sealed-Key"
    36  	// MetaSealedKeyS3 is the sealed object encryption key in case of SSE-S3
    37  	MetaSealedKeyS3 = "X-Minio-Internal-Server-Side-Encryption-S3-Sealed-Key"
    38  	// MetaSealedKeyKMS is the sealed object encryption key in case of SSE-KMS
    39  	MetaSealedKeyKMS = "X-Minio-Internal-Server-Side-Encryption-Kms-Sealed-Key"
    40  
    41  	// MetaKeyID is the KMS master key ID used to generate/encrypt the data
    42  	// encryption key (DEK).
    43  	MetaKeyID = "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Key-Id"
    44  	// MetaDataEncryptionKey is the sealed data encryption key (DEK) received from
    45  	// the KMS.
    46  	MetaDataEncryptionKey = "X-Minio-Internal-Server-Side-Encryption-S3-Kms-Sealed-Key"
    47  
    48  	// MetaContext is the KMS context provided by a client when encrypting an
    49  	// object with SSE-KMS. A client may not send a context in which case the
    50  	// MetaContext will not be present.
    51  	// MetaContext only contains the bucket/object name if the client explicitly
    52  	// added it. However, when decrypting an object the bucket/object name must
    53  	// be part of the object. Therefore, the bucket/object name must be added
    54  	// to the context, if not present, whenever a decryption is performed.
    55  	MetaContext = "X-Minio-Internal-Server-Side-Encryption-Context"
    56  )
    57  
    58  // IsMultiPart returns true if the object metadata indicates
    59  // that it was uploaded using some form of server-side-encryption
    60  // and the S3 multipart API.
    61  func IsMultiPart(metadata map[string]string) bool {
    62  	if _, ok := metadata[MetaMultipart]; ok {
    63  		return true
    64  	}
    65  	return false
    66  }
    67  
    68  // RemoveSensitiveEntries removes confidential encryption
    69  // information - e.g. the SSE-C key - from the metadata map.
    70  // It has the same semantics as RemoveSensitiveHeaders.
    71  func RemoveSensitiveEntries(metadata map[string]string) { // The functions is tested in TestRemoveSensitiveHeaders for compatibility reasons
    72  	delete(metadata, xhttp.AmzServerSideEncryptionCustomerKey)
    73  	delete(metadata, xhttp.AmzServerSideEncryptionCopyCustomerKey)
    74  	delete(metadata, xhttp.AmzMetaUnencryptedContentLength)
    75  	delete(metadata, xhttp.AmzMetaUnencryptedContentMD5)
    76  }
    77  
    78  // RemoveSSEHeaders removes all crypto-specific SSE
    79  // header entries from the metadata map.
    80  func RemoveSSEHeaders(metadata map[string]string) {
    81  	delete(metadata, xhttp.AmzServerSideEncryption)
    82  	delete(metadata, xhttp.AmzServerSideEncryptionKmsID)
    83  	delete(metadata, xhttp.AmzServerSideEncryptionKmsContext)
    84  	delete(metadata, xhttp.AmzServerSideEncryptionCustomerAlgorithm)
    85  	delete(metadata, xhttp.AmzServerSideEncryptionCustomerKey)
    86  	delete(metadata, xhttp.AmzServerSideEncryptionCustomerKeyMD5)
    87  	delete(metadata, xhttp.AmzServerSideEncryptionCopyCustomerAlgorithm)
    88  	delete(metadata, xhttp.AmzServerSideEncryptionCopyCustomerKey)
    89  	delete(metadata, xhttp.AmzServerSideEncryptionCopyCustomerKeyMD5)
    90  }
    91  
    92  // RemoveInternalEntries removes all crypto-specific internal
    93  // metadata entries from the metadata map.
    94  func RemoveInternalEntries(metadata map[string]string) {
    95  	delete(metadata, MetaMultipart)
    96  	delete(metadata, MetaAlgorithm)
    97  	delete(metadata, MetaIV)
    98  	delete(metadata, MetaSealedKeySSEC)
    99  	delete(metadata, MetaSealedKeyS3)
   100  	delete(metadata, MetaSealedKeyKMS)
   101  	delete(metadata, MetaKeyID)
   102  	delete(metadata, MetaDataEncryptionKey)
   103  }
   104  
   105  // IsSourceEncrypted returns true if the source is encrypted
   106  func IsSourceEncrypted(metadata map[string]string) bool {
   107  	if _, ok := metadata[xhttp.AmzServerSideEncryptionCustomerAlgorithm]; ok {
   108  		return true
   109  	}
   110  	if _, ok := metadata[xhttp.AmzServerSideEncryption]; ok {
   111  		return true
   112  	}
   113  	return false
   114  }
   115  
   116  // IsEncrypted returns true if the object metadata indicates
   117  // that it was uploaded using some form of server-side-encryption.
   118  //
   119  // IsEncrypted only checks whether the metadata contains at least
   120  // one entry indicating SSE-C or SSE-S3.
   121  func IsEncrypted(metadata map[string]string) (Type, bool) {
   122  	if S3KMS.IsEncrypted(metadata) {
   123  		return S3KMS, true
   124  	}
   125  	if S3.IsEncrypted(metadata) {
   126  		return S3, true
   127  	}
   128  	if SSEC.IsEncrypted(metadata) {
   129  		return SSEC, true
   130  	}
   131  	if IsMultiPart(metadata) {
   132  		return nil, true
   133  	}
   134  	if _, ok := metadata[MetaIV]; ok {
   135  		return nil, true
   136  	}
   137  	if _, ok := metadata[MetaAlgorithm]; ok {
   138  		return nil, true
   139  	}
   140  	if _, ok := metadata[MetaKeyID]; ok {
   141  		return nil, true
   142  	}
   143  	if _, ok := metadata[MetaDataEncryptionKey]; ok {
   144  		return nil, true
   145  	}
   146  	if _, ok := metadata[MetaContext]; ok {
   147  		return nil, true
   148  	}
   149  	return nil, false
   150  }
   151  
   152  // CreateMultipartMetadata adds the multipart flag entry to metadata
   153  // and returns modifed metadata. It allocates a new metadata map if
   154  // metadata is nil.
   155  func CreateMultipartMetadata(metadata map[string]string) map[string]string {
   156  	if metadata == nil {
   157  		return map[string]string{MetaMultipart: ""}
   158  	}
   159  	metadata[MetaMultipart] = ""
   160  	return metadata
   161  }
   162  
   163  // IsETagSealed returns true if the etag seems to be encrypted.
   164  func IsETagSealed(etag []byte) bool { return len(etag) > 16 }