S3: Pass server-side encryption option to minio.StatObject call (#142)

* Pass server-side encryption option to minio.StatObject call Signed-off-by: Jens Hausherr <[email protected]> * Add CHANGELOG entry Signed-off-by: Jens Hausherr <[email protected]> * Add end-to-end test for SSE-C encryption Signed-off-by: Jens Hausherr <[email protected]> * Use const access key/ secret key defined for minio Signed-off-by: Jens Hausherr <[email protected]> * Remove duplicate upload Signed-off-by: Jens Hausherr <[email protected]> * Added required parameter to s3.NewBucketWithConfig() Signed-off-by: Jens Hausherr <[email protected]> --------- Signed-off-by: Jens Hausherr <[email protected]>
thanos-io · Jan 20, 2025 · 4b72edf · 4b72edf
1 parent a54d0f0
commit 4b72edf
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re
 
 ### Fixed
 - [#153](https://github.com/thanos-io/objstore/pull/153) Metrics: Fix `objstore_bucket_operation_duration_seconds_*` for `get` and `get_range` operations.
+- [#141](https://github.com/thanos-io/objstore/pull/142) S3: Fix missing encryption configuration for `Bucket.Exists()` and `Bucket.Attributes()` calls.
 - [#117](https://github.com/thanos-io/objstore/pull/117) Metrics: Fix `objstore_bucket_operation_failures_total` incorrectly incremented if context is cancelled while reading object contents.
 - [#115](https://github.com/thanos-io/objstore/pull/115) GCS: Fix creation of bucket with GRPC connections. Also update storage client to `v1.40.0`.
 - [#102](https://github.com/thanos-io/objstore/pull/102) Azure: bump azblob sdk to get concurrency fixes.

diff --git a/providers/s3/s3.go b/providers/s3/s3.go
@@ -513,7 +513,14 @@ func (b *Bucket) GetRange(ctx context.Context, name string, off, length int64) (
 
 // Exists checks if the given object exists.
 func (b *Bucket) Exists(ctx context.Context, name string) (bool, error) {
-	_, err := b.client.StatObject(ctx, b.name, name, minio.StatObjectOptions{})
+	sse, err := b.getServerSideEncryption(ctx)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = b.client.StatObject(ctx, b.name, name, minio.StatObjectOptions{
+		ServerSideEncryption: sse,
+	})
 	if err != nil {
 		if b.IsObjNotFoundErr(err) {
 			return false, nil
@@ -576,7 +583,14 @@ func (b *Bucket) Upload(ctx context.Context, name string, r io.Reader) error {
 
 // Attributes returns information about the specified object.
 func (b *Bucket) Attributes(ctx context.Context, name string) (objstore.ObjectAttributes, error) {
-	objInfo, err := b.client.StatObject(ctx, b.name, name, minio.StatObjectOptions{})
+	sse, err := b.getServerSideEncryption(ctx)
+	if err != nil {
+		return objstore.ObjectAttributes{}, err
+	}
+
+	objInfo, err := b.client.StatObject(ctx, b.name, name, minio.StatObjectOptions{
+		ServerSideEncryption: sse,
+	})
 	if err != nil {
 		return objstore.ObjectAttributes{}, err
 	}

diff --git a/providers/s3/s3_e2e_test.go b/providers/s3/s3_e2e_test.go
@@ -6,13 +6,18 @@ package s3_test
 import (
 	"bytes"
 	"context"
+	"io"
+	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/efficientgo/core/testutil"
 	"github.com/efficientgo/e2e"
+	e2edb "github.com/efficientgo/e2e/db"
 	"github.com/go-kit/log"
+	"github.com/minio/minio-go/v7/pkg/encrypt"
 
+	"github.com/thanos-io/objstore/exthttp"
 	"github.com/thanos-io/objstore/providers/s3"
 	"github.com/thanos-io/objstore/test/e2e/e2ethanos"
 )
@@ -54,3 +59,57 @@ func BenchmarkUpload(b *testing.B) {
 		testutil.Ok(b, bkt.Upload(ctx, "test", strings.NewReader(str)))
 	}
 }
+
+func TestSSECencryption(t *testing.T) {
+	ctx := context.Background()
+	e, err := e2e.NewDockerEnvironment("e2e-ssec", e2e.WithLogger(log.NewNopLogger()))
+	testutil.Ok(t, err)
+	t.Cleanup(e2ethanos.CleanScenario(t, e))
+
+	const bucket = "sse-c-encryption"
+	m := e2ethanos.NewMinio(e, "sse-c-encryption", bucket)
+	testutil.Ok(t, e2e.StartAndWaitReady(m))
+
+	cfg := s3.Config{
+		Bucket:    bucket,
+		AccessKey: e2edb.MinioAccessKey,
+		SecretKey: e2edb.MinioSecretKey,
+		Endpoint:  m.Endpoint("https"),
+		Insecure:  false,
+		HTTPConfig: exthttp.HTTPConfig{
+			TLSConfig: exthttp.TLSConfig{
+				CAFile:   filepath.Join(m.Dir(), "certs", "CAs", "ca.crt"),
+				CertFile: filepath.Join(m.Dir(), "certs", "public.crt"),
+				KeyFile:  filepath.Join(m.Dir(), "certs", "private.key"),
+			},
+		},
+		SSEConfig: s3.SSEConfig{
+			Type:          string(encrypt.SSEC),
+			EncryptionKey: "testdata/encryption_key",
+		},
+		BucketLookupType: s3.AutoLookup,
+	}
+
+	bkt, err := s3.NewBucketWithConfig(
+		log.NewNopLogger(),
+		cfg,
+		"test-ssec",
+		nil,
+	)
+	testutil.Ok(t, err)
+
+	upload := "secret content"
+	testutil.Ok(t, bkt.Upload(ctx, "encrypted", strings.NewReader(upload)))
+
+	exists, err := bkt.Exists(ctx, "encrypted")
+	testutil.Ok(t, err)
+	if !exists {
+		t.Fatalf("upload failed")
+	}
+
+	r, err := bkt.Get(ctx, "encrypted")
+	testutil.Ok(t, err)
+	b, err := io.ReadAll(r)
+	testutil.Ok(t, err)
+	testutil.Equals(t, upload, string(b))
+}
diff --git a/providers/s3/testdata/encryption_key b/providers/s3/testdata/encryption_key
@@ -0,0 +1 @@
+suchSecretVeryCryptographicKeyZ