Add S3 SSE KMS key and bucketkey encryption #26899
Conversation
tsdicloud
changed the title
There was a problem hiding this comment.
The current commit seems to revert the additional mimetype parameter of the writeObject method which was added in #26575 with that change adjusted, tests should also pass.
Looks fine otherwise from my side 👍
juliusknorr
added
2. developing
|
I am working on the incompatibility and run unit test for it. |
Signed-off-by: [email protected] <[email protected]>
Signed-off-by: [email protected] <[email protected]>
Signed-off-by: [email protected] <[email protected]>
Signed-off-by: [email protected] <[email protected]>
|
I cannot identify the php-cs-check problem. My dev setup does not show any fix for the corresponding files. Please help! |
That's unrelated to your code – a change sneaked in into master. If you rebase to the current, it won't appear anymore. |
juliusknorr
added
3. to review
| $encrypt_state = $this->connection->getBucketEncryption([ | ||
| 'Bucket' => $this->bucket, | ||
| ]); | ||
| return; |
| $logger = \OC::$server->getLogger(); | ||
|
|
||
| try { | ||
| $encrypt_state = $this->connection->getBucketEncryption([ |
| @@ -1,7 +1,6 @@ | |||
| <?php | |||
| /** | |||
| * @copyright Copyright (c) 2016 Robin Appelman <[email protected]> | |||
| * | |||
There was a problem hiding this comment.
This will most likely be re-added by the license script. So better not remove it in the first place to keep the changeset clean.
| } | ||
|
|
||
| $this->id = 'amazon::' . $params['bucket']; | ||
| $this->id = 'amazon::'.$params['bucket']; |
There was a problem hiding this comment.
This is most likely why the code style CI job fails. We keep spaces around operators in our code style.
|
|
||
| $this->test = isset($params['test']); | ||
| $this->bucket = $params['bucket']; | ||
| $this->timeout = !isset($params['timeout']) ? 15 : $params['timeout']; | ||
| $this->uploadPartSize = !isset($params['uploadPartSize']) ? 524288000 : $params['uploadPartSize']; | ||
| $params['region'] = empty($params['region']) ? 'eu-west-1' : $params['region']; | ||
| $params['hostname'] = empty($params['hostname']) ? 's3.' . $params['region'] . '.amazonaws.com' : $params['hostname']; | ||
| $params['hostname'] = empty($params['hostname']) ? 's3.'.$params['region'].'.amazonaws.com' : $params['hostname']; |
| $params['autocreate'] = !isset($params['autocreate']) ? false : $params['autocreate']; | ||
|
|
||
| // this avoid at least the hash lookups for each read/weite operation | ||
| if (isset($params['ssekmsbucketkeyid'])) { |
There was a problem hiding this comment.
This should be documented in "admin_manual/configuration_files/primary_storage.rst" of the documentation.
| // this avoid at least the hash lookups for each read/weite operation | ||
| if (isset($params['ssekmsbucketkeyid'])) { | ||
| $this->sseKmsBucketKeyId = $params['ssekmsbucketkeyid']; | ||
| } elseif (isset($params['ssekmskeyid'])) { |
There was a problem hiding this comment.
This should be documented in "admin_manual/configuration_files/primary_storage.rst" of the documentation.
| * @throws \Exception if bucket creation fails | ||
| */ | ||
| protected function createNewBucket() { | ||
| $logger = \OC::$server->getLogger(); |
There was a problem hiding this comment.
I don't fully like that approach but as this is a trait I have no other good idea how to properly inject this dependency. Maybe @ChristophWurst has an idea, otherwise this should be fine.
| protected function createNewBucket() { | ||
| $logger = \OC::$server->getLogger(); | ||
| try { | ||
| $logger->info('Bucket "'.$this->bucket.'" does not exist - creating it.', ['app' => 'objectstore']); |
There was a problem hiding this comment.
| $logger->info('Bucket "'.$this->bucket.'" does not exist - creating it.', ['app' => 'objectstore']); | |
| $logger->info('Bucket "' . $this->bucket . '" does not exist - creating it.', ['app' => 'objectstore']); |
| try { | ||
| $logger->info('Bucket "'.$this->bucket.'" does not exist - creating it.', ['app' => 'objectstore']); | ||
| if (!$this->connection::isBucketDnsCompatible($this->bucket)) { | ||
| throw new \Exception('The bucket will not be created because the name is not dns compatible, please correct it: '.$this->bucket); |
There was a problem hiding this comment.
| throw new \Exception('The bucket will not be created because the name is not dns compatible, please correct it: '.$this->bucket); | |
| throw new \Exception('The bucket will not be created because the name is not dns compatible, please correct it: ' . $this->bucket); |
| 'level' => ILogger::DEBUG, | ||
| 'app' => 'objectstore', | ||
| ]); | ||
| throw new \Exception('Creation of bucket "'.$this->bucket.'" failed. '.$e->getMessage()); |
There was a problem hiding this comment.
| throw new \Exception('Creation of bucket "'.$this->bucket.'" failed. '.$e->getMessage()); | |
| throw new \Exception('Creation of bucket "' . $this->bucket . '" failed. ' . $e->getMessage()); |
| return; | ||
| } catch (S3Exception $e) { | ||
| try { | ||
| $logger->info('Bucket key for "'.$this->bucket.'" is not set - adding it.', ['app' => 'objectstore']); |
There was a problem hiding this comment.
| $logger->info('Bucket key for "'.$this->bucket.'" is not set - adding it.', ['app' => 'objectstore']); | |
| $logger->info('Bucket key for "' . $this->bucket . '" is not set - adding it.', ['app' => 'objectstore']); |
| 'level' => ILogger::DEBUG, | ||
| 'app' => 'objectstore', | ||
| ]); | ||
| throw new \Exception('Putting configured bucket key to "'.$this->bucket.'" failed. '.$e->getMessage()); |
There was a problem hiding this comment.
| throw new \Exception('Putting configured bucket key to "'.$this->bucket.'" failed. '.$e->getMessage()); | |
| throw new \Exception('Putting configured bucket key to "' . $this->bucket . '" failed. ' . $e->getMessage()); |
| @@ -98,7 +229,7 @@ public function getConnection() { | |||
| } | |||
|
|
|||
| $scheme = (isset($this->params['use_ssl']) && $this->params['use_ssl'] === false) ? 'http' : 'https'; | |||
| $base_url = $scheme . '://' . $this->params['hostname'] . ':' . $this->params['port'] . '/'; | |||
| $base_url = $scheme.'://'.$this->params['hostname'].':'.$this->params['port'].'/'; | |||
| @@ -132,27 +263,16 @@ public function getConnection() { | |||
|
|
|||
| if (!$this->connection::isBucketDnsCompatible($this->bucket)) { | |||
| $logger = \OC::$server->getLogger(); | |||
| $logger->debug('Bucket "' . $this->bucket . '" This bucket name is not dns compatible, it may contain invalid characters.', | |||
| ['app' => 'objectstore']); | |||
| $logger->debug('Bucket "'.$this->bucket.'" This bucket name is not dns compatible, it may contain invalid characters.', | |||
| @@ -1,13 +1,11 @@ | |||
| <?php | |||
| /** | |||
| * @copyright Copyright (c) 2017 Robin Appelman <[email protected]> | |||
| * | |||
|
Thanks for all the code hints. We will change this soon. But we found today a conceptual issue with bucket keys and default keys that may are used as a replacement. Also, we don´t need to send kms:id on read. Thus, we also need a little re-work of functionality and handling. Update will follow,. |
|
Moving to 23 as we're in freeze and the last beta is just ahead |
|
@tsdicloud I took over your changes from the nextmcloud repo and rebase them since the multipart upload optimization was already merged in #27877. Let's continue over there. |
|
New pull request is in #28601 |
This is a replacement pull request for #26001 due to diverse rebase problems on the original request.
It also contains fixes for
Let´s try again. Sorry for the unconventional retry...