Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11983 Commits
51 Branches
315 Tags
330 MiB
 
 
 
 
 
 
Tree: b8bef0328b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b8bef0328b'
${ noResults }
seaweedfs/weed/s3api/s3_validation_utils.go

100 lines
3.0 KiB
Raw Blame History

package s3api
import (
"fmt"
"strings"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
)
// isValidKMSKeyID performs basic validation of KMS key identifiers.
// Following Minio's approach: be permissive and accept any reasonable key format.
// Only reject keys with leading/trailing spaces or other obvious issues.
//
// This function is used across multiple S3 API handlers to ensure consistent
// validation of KMS key IDs in various contexts (bucket encryption, object operations, etc.).
func isValidKMSKeyID(keyID string) bool {
// Reject empty keys
if keyID == "" {
return false
}
// Following Minio's validation: reject keys with leading/trailing spaces
if strings.HasPrefix(keyID, " ") || strings.HasSuffix(keyID, " ") {
return false
}
// Also reject keys with internal spaces (common sense validation)
if strings.Contains(keyID, " ") {
return false
}
// Reject keys with control characters or newlines
if strings.ContainsAny(keyID, "\t\n\r\x00") {
return false
}
// Accept any reasonable length key (be permissive for various KMS providers)
if len(keyID) > 0 && len(keyID) <= s3_constants.MaxKMSKeyIDLength {
return true
}
return false
}
// ValidateIV validates that an initialization vector has the correct length for AES encryption
func ValidateIV(iv []byte, name string) error {
if len(iv) != s3_constants.AESBlockSize {
return fmt.Errorf("invalid %s length: expected %d bytes, got %d", name, s3_constants.AESBlockSize, len(iv))
}
return nil
}
// ValidateSSEKMSKey validates that an SSE-KMS key is not nil and has required fields
func ValidateSSEKMSKey(sseKey *SSEKMSKey) error {
if sseKey == nil {
return fmt.Errorf("SSE-KMS key cannot be nil")
}
return nil
}
// ValidateSSECKey validates that an SSE-C key is not nil
func ValidateSSECKey(customerKey *SSECustomerKey) error {
if customerKey == nil {
return fmt.Errorf("SSE-C customer key cannot be nil")
}
return nil
}
// ValidateSSES3Key validates that an SSE-S3 key has valid structure and contents
func ValidateSSES3Key(sseKey *SSES3Key) error {
if sseKey == nil {
return fmt.Errorf("SSE-S3 key cannot be nil")
}
// Validate key bytes
if sseKey.Key == nil {
return fmt.Errorf("SSE-S3 key bytes cannot be nil")
}
if len(sseKey.Key) != SSES3KeySize {
return fmt.Errorf("invalid SSE-S3 key size: expected %d bytes, got %d", SSES3KeySize, len(sseKey.Key))
}
// Validate algorithm
if sseKey.Algorithm != SSES3Algorithm {
return fmt.Errorf("invalid SSE-S3 algorithm: expected %q, got %q", SSES3Algorithm, sseKey.Algorithm)
}
// Validate key ID (should not be empty)
if sseKey.KeyID == "" {
return fmt.Errorf("SSE-S3 key ID cannot be empty")
}
// IV validation is optional during key creation - it will be set during encryption
// If IV is set, validate its length
if len(sseKey.IV) > 0 && len(sseKey.IV) != s3_constants.AESBlockSize {
return fmt.Errorf("invalid SSE-S3 IV length: expected %d bytes, got %d", s3_constants.AESBlockSize, len(sseKey.IV))
}
return nil
}