From 615de0dbf2d64f1211b0c449d501bb790cfba435 Mon Sep 17 00:00:00 2001 From: chrislu Date: Fri, 14 Nov 2025 00:27:57 -0800 Subject: [PATCH] fmt --- weed/s3api/s3api_object_handlers.go | 54 ++++++++++++++--------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/weed/s3api/s3api_object_handlers.go b/weed/s3api/s3api_object_handlers.go index 836832c0e..b25045ed1 100644 --- a/weed/s3api/s3api_object_handlers.go +++ b/weed/s3api/s3api_object_handlers.go @@ -418,7 +418,7 @@ func (s3a *S3ApiServer) GetObjectHandler(w http.ResponseWriter, r *http.Request) // Detect SSE encryption type primarySSEType := s3a.detectPrimarySSEType(objectEntryForSSE) - + // Stream directly from volume servers with SSE support err = s3a.streamFromVolumeServersWithSSE(w, r, objectEntryForSSE, primarySSEType) if err != nil { @@ -582,16 +582,16 @@ func (s3a *S3ApiServer) streamFromVolumeServersWithSSE(w http.ResponseWriter, r if sseType == "" || sseType == "None" { return s3a.streamFromVolumeServers(w, r, entry, sseType) } - + glog.V(2).Infof("streamFromVolumeServersWithSSE: Handling %s encrypted object", sseType) - + // Add SSE response headers before streaming s3a.addSSEResponseHeadersFromEntry(w, r, entry, sseType) - + // For encrypted objects, we need to stream encrypted data through a decryption wrapper // Create a pipe: encrypted data goes into pipe writer, decrypted data comes from pipe reader pipeReader, pipeWriter := io.Pipe() - + // Start goroutine to stream encrypted data from volume servers to pipe encryptedStreamErr := make(chan error, 1) go func() { @@ -599,11 +599,11 @@ func (s3a *S3ApiServer) streamFromVolumeServersWithSSE(w http.ResponseWriter, r err := s3a.streamFromVolumeServers(&pipeWriterWrapper{pipeWriter}, r, entry, sseType) encryptedStreamErr <- err }() - + // Create decrypted reader based on SSE type var decryptedReader io.Reader var decryptErr error - + switch sseType { case s3_constants.SSETypeC: decryptedReader, decryptErr = s3a.createSSECDecryptedReaderFromEntry(r, pipeReader, entry) @@ -614,21 +614,21 @@ func (s3a *S3ApiServer) streamFromVolumeServersWithSSE(w http.ResponseWriter, r default: decryptErr = fmt.Errorf("unsupported SSE type: %s", sseType) } - + if decryptErr != nil { pipeReader.Close() return fmt.Errorf("failed to create decrypted reader for %s: %v", sseType, decryptErr) } - + // Stream decrypted data to response buf := make([]byte, 128*1024) _, copyErr := io.CopyBuffer(w, decryptedReader, buf) - + // Check if encrypted streaming had errors if streamErr := <-encryptedStreamErr; streamErr != nil { return fmt.Errorf("encrypted stream error: %v", streamErr) } - + return copyErr } @@ -637,7 +637,7 @@ func (s3a *S3ApiServer) addSSEResponseHeadersFromEntry(w http.ResponseWriter, r if entry == nil || entry.Extended == nil { return } - + switch sseType { case s3_constants.SSETypeC: // SSE-C: Echo back algorithm and key MD5 @@ -647,7 +647,7 @@ func (s3a *S3ApiServer) addSSEResponseHeadersFromEntry(w http.ResponseWriter, r if keyMD5, exists := entry.Extended[s3_constants.AmzServerSideEncryptionCustomerKeyMD5]; exists { w.Header().Set(s3_constants.AmzServerSideEncryptionCustomerKeyMD5, string(keyMD5)) } - + case s3_constants.SSETypeKMS: // SSE-KMS: Return algorithm and key ID w.Header().Set(s3_constants.AmzServerSideEncryption, "aws:kms") @@ -660,7 +660,7 @@ func (s3a *S3ApiServer) addSSEResponseHeadersFromEntry(w http.ResponseWriter, r } } } - + case s3_constants.SSETypeS3: // SSE-S3: Return algorithm w.Header().Set(s3_constants.AmzServerSideEncryption, s3_constants.SSEAlgorithmAES256) @@ -688,11 +688,11 @@ func (s3a *S3ApiServer) createSSECDecryptedReaderFromEntry(r *http.Request, encr if err != nil { return nil, fmt.Errorf("failed to parse SSE-C headers: %w", err) } - + if customerKey == nil { return nil, fmt.Errorf("SSE-C key required but not provided") } - + // Validate key MD5 from entry metadata if entry.Extended != nil { storedKeyMD5 := string(entry.Extended[s3_constants.AmzServerSideEncryptionCustomerKeyMD5]) @@ -700,18 +700,18 @@ func (s3a *S3ApiServer) createSSECDecryptedReaderFromEntry(r *http.Request, encr return nil, fmt.Errorf("SSE-C key mismatch") } } - + // Get IV from entry metadata ivBase64 := string(entry.Extended[s3_constants.SeaweedFSSSEIVHeader]) if ivBase64 == "" { return nil, fmt.Errorf("SSE-C IV not found in metadata") } - + iv, err := base64.StdEncoding.DecodeString(ivBase64) if err != nil { return nil, fmt.Errorf("failed to decode IV: %w", err) } - + // Create decrypted reader return CreateSSECDecryptedReader(encryptedReader, customerKey, iv) } @@ -722,22 +722,22 @@ func (s3a *S3ApiServer) createSSEKMSDecryptedReaderFromEntry(r *http.Request, en if entry.Extended == nil { return nil, fmt.Errorf("no extended metadata found") } - + kmsMetadataB64, exists := entry.Extended[s3_constants.SeaweedFSSSEKMSKeyHeader] if !exists { return nil, fmt.Errorf("SSE-KMS metadata not found") } - + kmsMetadataBytes, err := base64.StdEncoding.DecodeString(string(kmsMetadataB64)) if err != nil { return nil, fmt.Errorf("failed to decode SSE-KMS metadata: %w", err) } - + sseKMSKey, err := DeserializeSSEKMSMetadata(kmsMetadataBytes) if err != nil { return nil, fmt.Errorf("failed to deserialize SSE-KMS metadata: %w", err) } - + // Create decrypted reader return CreateSSEKMSDecryptedReader(encryptedReader, sseKMSKey) } @@ -748,24 +748,24 @@ func (s3a *S3ApiServer) createSSES3DecryptedReaderFromEntry(r *http.Request, enc if entry.Extended == nil { return nil, fmt.Errorf("no extended metadata found") } - + keyData, exists := entry.Extended[s3_constants.SeaweedFSSSES3Key] if !exists { return nil, fmt.Errorf("SSE-S3 metadata not found") } - + keyManager := GetSSES3KeyManager() sseS3Key, err := DeserializeSSES3Metadata(keyData, keyManager) if err != nil { return nil, fmt.Errorf("failed to deserialize SSE-S3 metadata: %w", err) } - + // Get IV iv, err := GetSSES3IV(entry, sseS3Key, keyManager) if err != nil { return nil, fmt.Errorf("failed to get SSE-S3 IV: %w", err) } - + // Create decrypted reader return CreateSSES3DecryptedReader(encryptedReader, sseS3Key, iv) }