gitea/vendor/github.com/minio/minio-go/v7/pkg/encrypt/server-side.go

/*
 * MinIO Go Library for Amazon S3 Compatible Cloud Storage
 * Copyright 2018 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package encrypt

import (
	"crypto/md5"
	"encoding/base64"
	"errors"
	"net/http"

	jsoniter "github.com/json-iterator/go"
	"golang.org/x/crypto/argon2"
)

const (
	// sseGenericHeader is the AWS SSE header used for SSE-S3 and SSE-KMS.
	sseGenericHeader = "X-Amz-Server-Side-Encryption"

	// sseKmsKeyID is the AWS SSE-KMS key id.
	sseKmsKeyID = sseGenericHeader + "-Aws-Kms-Key-Id"
	// sseEncryptionContext is the AWS SSE-KMS Encryption Context data.
	sseEncryptionContext = sseGenericHeader + "-Context"

	// sseCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key.
	sseCustomerAlgorithm = sseGenericHeader + "-Customer-Algorithm"
	// sseCustomerKey is the AWS SSE-C encryption key HTTP header key.
	sseCustomerKey = sseGenericHeader + "-Customer-Key"
	// sseCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key.
	sseCustomerKeyMD5 = sseGenericHeader + "-Customer-Key-MD5"

	// sseCopyCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key for CopyObject API.
	sseCopyCustomerAlgorithm = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm"
	// sseCopyCustomerKey is the AWS SSE-C encryption key HTTP header key for CopyObject API.
	sseCopyCustomerKey = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key"
	// sseCopyCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key for CopyObject API.
	sseCopyCustomerKeyMD5 = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-MD5"
)

// PBKDF creates a SSE-C key from the provided password and salt.
// PBKDF is a password-based key derivation function
// which can be used to derive a high-entropy cryptographic
// key from a low-entropy password and a salt.
type PBKDF func(password, salt []byte) ServerSide

// DefaultPBKDF is the default PBKDF. It uses Argon2id with the
// recommended parameters from the RFC draft (1 pass, 64 MB memory, 4 threads).
var DefaultPBKDF PBKDF = func(password, salt []byte) ServerSide {
	sse := ssec{}
	copy(sse[:], argon2.IDKey(password, salt, 1, 64*1024, 4, 32))
	return sse
}

// Type is the server-side-encryption method. It represents one of
// the following encryption methods:
//  - SSE-C: server-side-encryption with customer provided keys
//  - KMS:   server-side-encryption with managed keys
//  - S3:    server-side-encryption using S3 storage encryption
type Type string

const (
	// SSEC represents server-side-encryption with customer provided keys
	SSEC Type = "SSE-C"
	// KMS represents server-side-encryption with managed keys
	KMS Type = "KMS"
	// S3 represents server-side-encryption using S3 storage encryption
	S3 Type = "S3"
)

// ServerSide is a form of S3 server-side-encryption.
type ServerSide interface {
	// Type returns the server-side-encryption method.
	Type() Type

	// Marshal adds encryption headers to the provided HTTP headers.
	// It marks an HTTP request as server-side-encryption request
	// and inserts the required data into the headers.
	Marshal(h http.Header)
}

// NewSSE returns a server-side-encryption using S3 storage encryption.
// Using SSE-S3 the server will encrypt the object with server-managed keys.
func NewSSE() ServerSide { return s3{} }

// NewSSEKMS returns a new server-side-encryption using SSE-KMS and the provided Key Id and context.
func NewSSEKMS(keyID string, context interface{}) (ServerSide, error) {
	if context == nil {
		return kms{key: keyID, hasContext: false}, nil
	}
	var json = jsoniter.ConfigCompatibleWithStandardLibrary
	serializedContext, err := json.Marshal(context)
	if err != nil {
		return nil, err
	}
	return kms{key: keyID, context: serializedContext, hasContext: true}, nil
}

// NewSSEC returns a new server-side-encryption using SSE-C and the provided key.
// The key must be 32 bytes long.
func NewSSEC(key []byte) (ServerSide, error) {
	if len(key) != 32 {
		return nil, errors.New("encrypt: SSE-C key must be 256 bit long")
	}
	sse := ssec{}
	copy(sse[:], key)
	return sse, nil
}

// SSE transforms a SSE-C copy encryption into a SSE-C encryption.
// It is the inverse of SSECopy(...).
//
// If the provided sse is no SSE-C copy encryption SSE returns
// sse unmodified.
func SSE(sse ServerSide) ServerSide {
	if sse == nil || sse.Type() != SSEC {
		return sse
	}
	if sse, ok := sse.(ssecCopy); ok {
		return ssec(sse)
	}
	return sse
}

// SSECopy transforms a SSE-C encryption into a SSE-C copy
// encryption. This is required for SSE-C key rotation or a SSE-C
// copy where the source and the destination should be encrypted.
//
// If the provided sse is no SSE-C encryption SSECopy returns
// sse unmodified.
func SSECopy(sse ServerSide) ServerSide {
	if sse == nil || sse.Type() != SSEC {
		return sse
	}
	if sse, ok := sse.(ssec); ok {
		return ssecCopy(sse)
	}
	return sse
}

type ssec [32]byte

func (s ssec) Type() Type { return SSEC }

func (s ssec) Marshal(h http.Header) {
	keyMD5 := md5.Sum(s[:])
	h.Set(sseCustomerAlgorithm, "AES256")
	h.Set(sseCustomerKey, base64.StdEncoding.EncodeToString(s[:]))
	h.Set(sseCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:]))
}

type ssecCopy [32]byte

func (s ssecCopy) Type() Type { return SSEC }

func (s ssecCopy) Marshal(h http.Header) {
	keyMD5 := md5.Sum(s[:])
	h.Set(sseCopyCustomerAlgorithm, "AES256")
	h.Set(sseCopyCustomerKey, base64.StdEncoding.EncodeToString(s[:]))
	h.Set(sseCopyCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:]))
}

type s3 struct{}

func (s s3) Type() Type { return S3 }

func (s s3) Marshal(h http.Header) { h.Set(sseGenericHeader, "AES256") }

type kms struct {
	key        string
	context    []byte
	hasContext bool
}

func (s kms) Type() Type { return KMS }

func (s kms) Marshal(h http.Header) {
	h.Set(sseGenericHeader, "aws:kms")
	if s.key != "" {
		h.Set(sseKmsKeyID, s.key)
	}
	if s.hasContext {
		h.Set(sseEncryptionContext, base64.StdEncoding.EncodeToString(s.context))
	}
}
Add a storage layer for attachments (#11387) * Add a storage layer for attachments * Fix some bug * fix test * Fix copyright head and lint * Fix bug * Add setting for minio and flags for migrate-storage * Add documents * fix lint * Add test for minio store type on attachments * fix test * fix test * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Add warning when storage migrated successfully * Fix drone * fix test * rebase * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * refactor the codes * add trace * Fix test * remove log on xorm * Fi download bug * Add a storage layer for attachments * Add setting for minio and flags for migrate-storage * fix lint * Add test for minio store type on attachments * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Fix drone * fix test * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * refactor the codes * add trace * Fix test * Add URL function to serve attachments directly from S3/Minio * Add ability to enable/disable redirection in attachment configuration * Fix typo * Add a storage layer for attachments * Add setting for minio and flags for migrate-storage * fix lint * Add test for minio store type on attachments * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Fix drone * fix test * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * don't change unrelated files * Fix lint * Fix build * update go.mod and go.sum * Use github.com/minio/minio-go/v6 * Remove unused function * Upgrade minio to v7 and some other improvements * fix lint * Fix go mod Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: Tyler <tystuyfzand@gmail.com> 2020-08-18 04:23:45 +00:00			`/*`
			`* MinIO Go Library for Amazon S3 Compatible Cloud Storage`
			`* Copyright 2018 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package encrypt`

			`import (`
			`"crypto/md5"`
			`"encoding/base64"`
			`"errors"`
			`"net/http"`

			`jsoniter "github.com/json-iterator/go"`
			`"golang.org/x/crypto/argon2"`
			`)`

			`const (`
			`// sseGenericHeader is the AWS SSE header used for SSE-S3 and SSE-KMS.`
			`sseGenericHeader = "X-Amz-Server-Side-Encryption"`

			`// sseKmsKeyID is the AWS SSE-KMS key id.`
			`sseKmsKeyID = sseGenericHeader + "-Aws-Kms-Key-Id"`
			`// sseEncryptionContext is the AWS SSE-KMS Encryption Context data.`
Vendor Update (#14496) * update code.gitea.io/sdk/gitea v0.13.1 -> v0.13.2 * update github.com/go-swagger/go-swagger v0.25.0 -> v0.26.0 * update github.com/google/uuid v1.1.2 -> v1.2.0 * update github.com/klauspost/compress v1.11.3 -> v1.11.7 * update github.com/lib/pq 083382b7e6fc -> v1.9.0 * update github.com/markbates/goth v1.65.0 -> v1.66.1 * update github.com/mattn/go-sqlite3 v1.14.4 -> v1.14.6 * update github.com/mgechev/revive 246eac737dc7 -> v1.0.3 * update github.com/minio/minio-go/v7 v7.0.6 -> v7.0.7 * update github.com/niklasfasching/go-org v1.3.2 -> v1.4.0 * update github.com/olivere/elastic/v7 v7.0.21 -> v7.0.22 * update github.com/pquerna/otp v1.2.0 -> v1.3.0 * update github.com/xanzy/go-gitlab v0.39.0 -> v0.42.0 * update github.com/yuin/goldmark v1.2.1 -> v1.3.1 2021-01-28 16:56:38 +00:00			`sseEncryptionContext = sseGenericHeader + "-Context"`
Add a storage layer for attachments (#11387) * Add a storage layer for attachments * Fix some bug * fix test * Fix copyright head and lint * Fix bug * Add setting for minio and flags for migrate-storage * Add documents * fix lint * Add test for minio store type on attachments * fix test * fix test * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Add warning when storage migrated successfully * Fix drone * fix test * rebase * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * refactor the codes * add trace * Fix test * remove log on xorm * Fi download bug * Add a storage layer for attachments * Add setting for minio and flags for migrate-storage * fix lint * Add test for minio store type on attachments * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Fix drone * fix test * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * refactor the codes * add trace * Fix test * Add URL function to serve attachments directly from S3/Minio * Add ability to enable/disable redirection in attachment configuration * Fix typo * Add a storage layer for attachments * Add setting for minio and flags for migrate-storage * fix lint * Add test for minio store type on attachments * Apply suggestions from code review Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> * Fix drone * fix test * Fix test * display the error on console * Move minio test to amd64 since minio docker don't support arm64 * don't change unrelated files * Fix lint * Fix build * update go.mod and go.sum * Use github.com/minio/minio-go/v6 * Remove unused function * Upgrade minio to v7 and some other improvements * fix lint * Fix go mod Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> Co-authored-by: Tyler <tystuyfzand@gmail.com> 2020-08-18 04:23:45 +00:00
			`// sseCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key.`
			`sseCustomerAlgorithm = sseGenericHeader + "-Customer-Algorithm"`
			`// sseCustomerKey is the AWS SSE-C encryption key HTTP header key.`
			`sseCustomerKey = sseGenericHeader + "-Customer-Key"`
			`// sseCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key.`
			`sseCustomerKeyMD5 = sseGenericHeader + "-Customer-Key-MD5"`

			`// sseCopyCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key for CopyObject API.`
			`sseCopyCustomerAlgorithm = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm"`
			`// sseCopyCustomerKey is the AWS SSE-C encryption key HTTP header key for CopyObject API.`
			`sseCopyCustomerKey = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key"`
			`// sseCopyCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key for CopyObject API.`
			`sseCopyCustomerKeyMD5 = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-MD5"`
			`)`

			`// PBKDF creates a SSE-C key from the provided password and salt.`
			`// PBKDF is a password-based key derivation function`
			`// which can be used to derive a high-entropy cryptographic`
			`// key from a low-entropy password and a salt.`
			`type PBKDF func(password, salt []byte) ServerSide`

			`// DefaultPBKDF is the default PBKDF. It uses Argon2id with the`
			`// recommended parameters from the RFC draft (1 pass, 64 MB memory, 4 threads).`
			`var DefaultPBKDF PBKDF = func(password, salt []byte) ServerSide {`
			`sse := ssec{}`
			`copy(sse[:], argon2.IDKey(password, salt, 1, 64*1024, 4, 32))`
			`return sse`
			`}`

			`// Type is the server-side-encryption method. It represents one of`
			`// the following encryption methods:`
			`// - SSE-C: server-side-encryption with customer provided keys`
			`// - KMS: server-side-encryption with managed keys`
			`// - S3: server-side-encryption using S3 storage encryption`
			`type Type string`

			`const (`
			`// SSEC represents server-side-encryption with customer provided keys`
			`SSEC Type = "SSE-C"`
			`// KMS represents server-side-encryption with managed keys`
			`KMS Type = "KMS"`
			`// S3 represents server-side-encryption using S3 storage encryption`
			`S3 Type = "S3"`
			`)`

			`// ServerSide is a form of S3 server-side-encryption.`
			`type ServerSide interface {`
			`// Type returns the server-side-encryption method.`
			`Type() Type`

			`// Marshal adds encryption headers to the provided HTTP headers.`
			`// It marks an HTTP request as server-side-encryption request`
			`// and inserts the required data into the headers.`
			`Marshal(h http.Header)`
			`}`

			`// NewSSE returns a server-side-encryption using S3 storage encryption.`
			`// Using SSE-S3 the server will encrypt the object with server-managed keys.`
			`func NewSSE() ServerSide { return s3{} }`

			`// NewSSEKMS returns a new server-side-encryption using SSE-KMS and the provided Key Id and context.`
			`func NewSSEKMS(keyID string, context interface{}) (ServerSide, error) {`
			`if context == nil {`
			`return kms{key: keyID, hasContext: false}, nil`
			`}`
			`var json = jsoniter.ConfigCompatibleWithStandardLibrary`
			`serializedContext, err := json.Marshal(context)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return kms{key: keyID, context: serializedContext, hasContext: true}, nil`
			`}`

			`// NewSSEC returns a new server-side-encryption using SSE-C and the provided key.`
			`// The key must be 32 bytes long.`
			`func NewSSEC(key []byte) (ServerSide, error) {`
			`if len(key) != 32 {`
			`return nil, errors.New("encrypt: SSE-C key must be 256 bit long")`
			`}`
			`sse := ssec{}`
			`copy(sse[:], key)`
			`return sse, nil`
			`}`

			`// SSE transforms a SSE-C copy encryption into a SSE-C encryption.`
			`// It is the inverse of SSECopy(...).`
			`//`
			`// If the provided sse is no SSE-C copy encryption SSE returns`
			`// sse unmodified.`
			`func SSE(sse ServerSide) ServerSide {`
			`if sse == nil \|\| sse.Type() != SSEC {`
			`return sse`
			`}`
			`if sse, ok := sse.(ssecCopy); ok {`
			`return ssec(sse)`
			`}`
			`return sse`
			`}`

			`// SSECopy transforms a SSE-C encryption into a SSE-C copy`
			`// encryption. This is required for SSE-C key rotation or a SSE-C`
			`// copy where the source and the destination should be encrypted.`
			`//`
			`// If the provided sse is no SSE-C encryption SSECopy returns`
			`// sse unmodified.`
			`func SSECopy(sse ServerSide) ServerSide {`
			`if sse == nil \|\| sse.Type() != SSEC {`
			`return sse`
			`}`
			`if sse, ok := sse.(ssec); ok {`
			`return ssecCopy(sse)`
			`}`
			`return sse`
			`}`

			`type ssec [32]byte`

			`func (s ssec) Type() Type { return SSEC }`

			`func (s ssec) Marshal(h http.Header) {`
			`keyMD5 := md5.Sum(s[:])`
			`h.Set(sseCustomerAlgorithm, "AES256")`
			`h.Set(sseCustomerKey, base64.StdEncoding.EncodeToString(s[:]))`
			`h.Set(sseCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:]))`
			`}`

			`type ssecCopy [32]byte`

			`func (s ssecCopy) Type() Type { return SSEC }`

			`func (s ssecCopy) Marshal(h http.Header) {`
			`keyMD5 := md5.Sum(s[:])`
			`h.Set(sseCopyCustomerAlgorithm, "AES256")`
			`h.Set(sseCopyCustomerKey, base64.StdEncoding.EncodeToString(s[:]))`
			`h.Set(sseCopyCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:]))`
			`}`

			`type s3 struct{}`

			`func (s s3) Type() Type { return S3 }`

			`func (s s3) Marshal(h http.Header) { h.Set(sseGenericHeader, "AES256") }`

			`type kms struct {`
			`key string`
			`context []byte`
			`hasContext bool`
			`}`

			`func (s kms) Type() Type { return KMS }`

			`func (s kms) Marshal(h http.Header) {`
			`h.Set(sseGenericHeader, "aws:kms")`
			`if s.key != "" {`
			`h.Set(sseKmsKeyID, s.key)`
			`}`
			`if s.hasContext {`
			`h.Set(sseEncryptionContext, base64.StdEncoding.EncodeToString(s.context))`
			`}`
			`}`