Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check both MD5 locations for S3 KMS support. #1167

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Check both MD5 locations for S3 KMS support. #1167

wants to merge 2 commits into from

Conversation

Melraidin
Copy link

@Melraidin Melraidin commented Mar 22, 2023
edited

Fixes #1117

Requirements

All new code should be covered with tests, documentation should be updated. CI should pass.

Description of the Change

If the S3 bucket used to house a repo has KMS encryption enabled then the etag of an object may not match the MD5 of the file. This may cause an incorrect error to be reported stating the file already exists and is different.

A mechanism exists to work around this issue by using the MD5 stored in object metadata. This check doesn't always cover the case where KMS is enabled as the fallback is only used if the etag is not 32 characters long.

This commit changes the fallback mechanism so that it is used in any case where the object's etag is not 32 characters or if the S3 bucket has encryption enabled for new objects by default.

Checklist

  • unit-test added (if change is algorithm)
  • functional test added/updated (if change is functional)
  • man page updated (if applicable)
  • bash completion updated (if applicable)
  • documentation updated
  • author name in AUTHORS

@Melraidin
Check both MD5 locations for S3 KMS support.
67c6dd3 
If the S3 bucket used to house a repo has KMS encryption enabled then
the etag of an object may not match the MD5 of the file. This may
cause an incorrect error to be reported stating the file already
exists and is different.

A mechanism exists to work around this issue by using the MD5 stored
in object metadata. This check doesn't always cover the case where KMS
is enabled as the fallback is only used if the etag is not 32
characters long.

This commit changes the fallback mechanism so that it is used in any
case where the object's etag does not match the source MD5. This will
incur a performance penalty of an extra head request for each object
with a mismatch.
@codecov
Copy link

codecov bot commented Mar 22, 2023
edited

Codecov Report

Attention: Patch coverage is 57.89474% with 8 lines in your changes are missing coverage. Please review.

Project coverage is 66.24%. Comparing base (8e62195) to head (1b4c0f7).
Report is 78 commits behind head on master.

Files Patch % Lines
s3/public.go 57.89% 6 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1167      +/-   ##
==========================================
- Coverage   66.50%   66.24%   -0.27%     
==========================================
  Files         143      143              
  Lines       16065    16147      +82     
==========================================
+ Hits        10684    10696      +12     
- Misses       4632     4700      +68     
- Partials      749      751       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Melraidin
Check if S3 bucket is encrypted by default.
1b4c0f7 
Adds check to see if the S3 bucket is encrypted by default. If so this
uses the existing workaround for object etags not matching file MD5s.
@randombenj randombenj self-requested a review May 1, 2023 14:27
@neolynx
Copy link
Member

neolynx commented Jan 14, 2024
edited

I am getting a build error after rebase on master:

s3/public.go:109:48: not enough arguments in call to storage.s3.GetBucketEncryption
have (*"github.com/aws/aws-sdk-go-v2/service/s3".GetBucketEncryptionInput)
want ("context".Context, *"github.com/aws/aws-sdk-go-v2/service/s3".GetBucketEncryptionInput, ...func(*"github.com/aws/aws-sdk-go-v2/service/s3".Options))
s3/public.go:115:4: invalid operation: cannot indirect output.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm (variable of type "github.com/aws/aws-sdk-go-v2/service/s3/types".ServerSideEncryption)

could you try to fix the build on master ?

@neolynx neolynx self-assigned this Jan 14, 2024
@neolynx neolynx mentioned this pull request Apr 17, 2024
Open
6 tasks
@neolynx
Copy link
Member

neolynx commented Apr 20, 2024
edited

Rebased on master, some fixes and updated test: #1272

Could you maybe check if this works for you ?
Also, why are two s3 calls to /test?encryption= needed (https://github.com/aptly-dev/aptly/pull/1272/files#diff-7ed984d7519264eda1b9ba70e1540c82b75bb2f53ff87436a3520fc5ee2d9436R350) ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@randombenj randombenj Awaiting requested review from randombenj

At least 1 approving review is required to merge this pull request.

Assignees

@neolynx neolynx

Labels
PR superseded
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

'file already exists and is different' when publishing to S3 with KMS encryption
2 participants
@Melraidin @neolynx