Critical fix for SSE (Server-Side Encryption) test failures:
1. **JWT Authentication Bug** (Root Cause):
- Changed from GenJwtForFilerServer to GenJwtForVolumeServer
- S3 API now uses correct JWT when directly reading from volume servers
- Matches filer's authentication pattern for direct volume access
- Fixes 'unexpected EOF' and 500 errors in SSE tests
2. **Streaming Error Handling**:
- Added error propagation in getEncryptedStreamFromVolumes goroutine
- Use CloseWithError() to properly communicate stream failures
- Added debug logging for streaming errors
3. **Response Header Timing**:
- Removed premature WriteHeader(http.StatusOK) call
- Let Go's http package write status automatically on first write
- Prevents header lock when errors occur during streaming
4. **Enhanced SSE Decryption Debugging**:
- Added IV/Key validation and logging for SSE-C, SSE-KMS, SSE-S3
- Better error messages for missing or invalid encryption metadata
- Added glog.V(2) debugging for decryption setup
This fixes SSE integration test failures where encrypted objects
could not be retrieved due to volume server authentication failures.
The JWT bug was causing volume servers to reject requests, resulting
in truncated/empty streams (EOF) or internal errors.
Reverted the conditional versioning check to always check versioning status
Reverted the conditional SSE entry fetch to always fetch entry metadata
Reverted the conditional versioning check to always check versioning status
Reverted the conditional SSE entry fetch to always fetch entry metadata
* refactor to avoids circular dependency
* converts a policy.PolicyDocument to policy_engine.PolicyDocument
* convert numeric types to strings
* Update weed/s3api/policy_conversion.go
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* refactoring
* not skipping numeric and boolean values in arrays
* avoid nil
* edge cases
* handling conversion failure
The handling of unsupported types in convertToString could lead to silent policy alterations.
The conversion of map-based principals in convertPrincipal is too generic and could misinterpret policies.
* concise
* fix doc
* adjust warning
* recursion
* return errors
* reject empty principals
* better error message
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* evaluate policies during authorization
* cache bucket policy
* refactor
* matching with regex special characters
* Case Sensitivity, pattern cache, Dead Code Removal
* Fixed Typo, Restored []string Case, Added Cache Size Limit
* hook up with policy engine
* remove old implementation
* action mapping
* validate
* if not specified, fall through to IAM checks
* fmt
* Fail-close on policy evaluation errors
* Explicit `Allow` bypasses IAM checks
* fix error message
* arn:seaweed => arn:aws
* remove legacy support
* fix tests
* Clean up bucket policy after this test
* fix for tests
* address comments
* security fixes
* fix tests
* temp comment out
* handle volume not found when backing up
* error handling on reading volume ttl and replication
* fix Inconsistent error handling: should continue to next location.
* adjust messages
* close volume
* refactor
* refactor
* proper v.Close()
* Rework parameters passing for functions within `ec.rebuild`
This simplifies the overall codebase and allows to cleanly handle parallelization via waitgroups.
* fix copy source
* add tests
* remove tests not useful
* fmt
* nil check
---------
Co-authored-by: Chris Lu <chrislusf@users.noreply.github.com>
Co-authored-by: chrislu <chris.lu@gmail.com>
chrislu
Konstantin Lebedev
Lisandro Pin
Chris Lu