Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check both MD5 locations for S3 KMS support. #1167

Merged
merged 4 commits into from
Jun 20, 2024
Merged

Check both MD5 locations for S3 KMS support. #1167

merged 4 commits into from
Jun 20, 2024

Conversation

Melraidin
Copy link
Contributor

@Melraidin Melraidin commented Mar 22, 2023
edited
Loading

Fixes #1117

Requirements

All new code should be covered with tests, documentation should be updated. CI should pass.

Description of the Change

If the S3 bucket used to house a repo has KMS encryption enabled then the etag of an object may not match the MD5 of the file. This may cause an incorrect error to be reported stating the file already exists and is different.

A mechanism exists to work around this issue by using the MD5 stored in object metadata. This check doesn't always cover the case where KMS is enabled as the fallback is only used if the etag is not 32 characters long.

This commit changes the fallback mechanism so that it is used in any case where the object's etag is not 32 characters or if the S3 bucket has encryption enabled for new objects by default.

Checklist

  • unit-test added (if change is algorithm)
  • functional test added/updated (if change is functional)
  • man page updated (if applicable)
  • bash completion updated (if applicable)
  • documentation updated
  • author name in AUTHORS

@codecov
Copy link

codecov bot commented Mar 22, 2023
edited
Loading

Codecov Report

Attention: Patch coverage is 57.89474% with 8 lines in your changes missing coverage. Please review.

Project coverage is 74.62%. Comparing base (f0bf519) to head (8e3c12f).

Files Patch % Lines
s3/public.go 57.89% 6 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1167      +/-   ##
==========================================
- Coverage   74.63%   74.62%   -0.01%     
==========================================
  Files         144      144              
  Lines       16299    16312      +13     
==========================================
+ Hits        12164    12173       +9     
- Misses       3188     3192       +4     
  Partials      947      947

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@randombenj randombenj self-requested a review May 1, 2023 14:27
@neolynx
Copy link
Member

neolynx commented Jan 14, 2024
edited
Loading

I am getting a build error after rebase on master:

s3/public.go:109:48: not enough arguments in call to storage.s3.GetBucketEncryption
have (*"github.com/aws/aws-sdk-go-v2/service/s3".GetBucketEncryptionInput)
want ("context".Context, *"github.com/aws/aws-sdk-go-v2/service/s3".GetBucketEncryptionInput, ...func(*"github.com/aws/aws-sdk-go-v2/service/s3".Options))
s3/public.go:115:4: invalid operation: cannot indirect output.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm (variable of type "github.com/aws/aws-sdk-go-v2/service/s3/types".ServerSideEncryption)

could you try to fix the build on master ?

@neolynx neolynx self-assigned this Jan 14, 2024
@neolynx neolynx mentioned this pull request Apr 17, 2024
Closed
6 tasks
@neolynx
Copy link
Member

neolynx commented Apr 20, 2024
edited
Loading

Rebased on master, some fixes and updated test: #1272

Could you maybe check if this works for you ?
Also, why are two s3 calls to /test?encryption= needed (https://github.com/aptly-dev/aptly/pull/1272/files#diff-7ed984d7519264eda1b9ba70e1540c82b75bb2f53ff87436a3520fc5ee2d9436R350) ?

Melraidin and others added 4 commits June 15, 2024 23:18
@Melraidin @neolynx
Check both MD5 locations for S3 KMS support.
5ca53e2 
If the S3 bucket used to house a repo has KMS encryption enabled then
the etag of an object may not match the MD5 of the file. This may
cause an incorrect error to be reported stating the file already
exists and is different.

A mechanism exists to work around this issue by using the MD5 stored
in object metadata. This check doesn't always cover the case where KMS
is enabled as the fallback is only used if the etag is not 32
characters long.

This commit changes the fallback mechanism so that it is used in any
case where the object's etag does not match the source MD5. This will
incur a performance penalty of an extra head request for each object
with a mismatch.
@Melraidin @neolynx
Check if S3 bucket is encrypted by default.
573fe6e 
Adds check to see if the S3 bucket is encrypted by default. If so this
uses the existing workaround for object etags not matching file MD5s.
@neolynx
fix compilation
a808344
@neolynx
fix test
8e3c12f
@neolynx neolynx added needs review Ready for review & merge increase coverage The PR lacks test coverage and removed PR superseded labels Jun 15, 2024
@neolynx neolynx requested a review from mfolusiak June 15, 2024 21:22
@neolynx
Copy link
Member

neolynx commented Jun 15, 2024

abandonned #1272, continuing here

@neolynx neolynx removed the increase coverage The PR lacks test coverage label Jun 17, 2024
@neolynx neolynx requested a review from a team June 17, 2024 19:40
@neolynx neolynx merged commit 5cf8c54 into aptly-dev:master Jun 20, 2024
16 of 18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mfolusiak mfolusiak mfolusiak approved these changes

@randombenj randombenj Awaiting requested review from randombenj

Assignees

@neolynx neolynx

Labels
needs review Ready for review & merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

'file already exists and is different' when publishing to S3 with KMS encryption
3 participants
@Melraidin @neolynx @mfolusiak