s3: Fix precondition failed in CopyObjectPart when src is encrypted

[vadmeste]

Description

CopyObject precondition checks into GetObjectReader
in order to perform SSE-C pre-condition checks using the
last 32 bytes of encrypted ETag rather than the decrypted
ETag

This also necessitates moving precondition checks for
gateways to gateway layer rather than object handler check

Motivation and Context

Fix issue

Regression

No

How Has This Been Tested?

This PR tests this use case minio/minio-go#1078

Otherwise, to test manually, you can upload a large file, e.g. 600 Mb, upload it
encrypted (SSE-C), then copy it in the same bucket with mc.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added unit tests to cover my changes. (CopyObjectPart: Add x-amz-copy-source-if-match as condition minio-go#1078)
• I have added/updated functional tests in mint. (If yes, add mint PR # here: )
• All new and existing tests passed.

[codecov]

Codecov Report

Merging #7276 into master will increase coverage by 0.45%.
The diff coverage is 43.24%.

@@            Coverage Diff             @@
##           master    #7276      +/-   ##
==========================================
+ Coverage    47.9%   48.36%   +0.45%     
==========================================
  Files         281      296      +15     
  Lines       45965    46364     +399     
==========================================
+ Hits        22021    22425     +404     
+ Misses      21900    21883      -17     
- Partials     2044     2056      +12

Impacted Files	Coverage Δ
cmd/gateway/gcs/gateway-gcs.go	22.02% <0%> (-0.05%)	⬇️
cmd/gateway/azure/gateway-azure.go	20.66% <0%> (-0.07%)	⬇️
cmd/gateway/b2/gateway-b2.go	16.32% <0%> (ø)	⬆️
cmd/disk-cache.go	12.36% <0%> (+0.01%)	⬆️
cmd/gateway/oss/gateway-oss.go	19.24% <0%> (-0.08%)	⬇️
cmd/gateway/s3/gateway-s3.go	19.28% <0%> (-0.1%)	⬇️
cmd/gateway/s3/gateway-s3-sse.go	0% <0%> (ø)	⬆️
cmd/xl-v1-object.go	77.65% <100%> (ø)	⬆️
cmd/fs-v1.go	64.18% <100%> (+2.37%)	⬆️
cmd/object-handlers-common.go	65.8% <41.17%> (-2.28%)	⬇️
... and 35 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e8e9cd3...c5960fc. Read the comment docs.

[harshavardhana]

A refactor is needed to move the pre-condition checks inside the GetObjectNInfo() @vadmeste that way we can selectively avoid decrypting the ETag to match.

[vadmeste]

A refactor is needed to move the pre-condition checks inside the GetObjectNInfo() @vadmeste that way we can selectively avoid decrypting the ETag to match.

Or, we can ensure that ETag in ObjectInfo always contain the real etag but we return the encrypted format (32 bytes) when responding to users (head object, list objects, etc..)

Is there any written specification about S3 behavior ? other than the etag should not be md5sum in case of SSE-C ?

[harshavardhana]

It is the output, that is how it used to be . But many tools verify the md5sum like s3cmd, aws-sdk-java and they selectively ignore sse-c.

So we ended up keeping this style.

[poornas]

@vadmeste ,https://github.com/poornas/minio/tree/fixcopyETag on top of your commit should fix the etag issue - essentially bringing in the etag pre-condition check prior to decrypting so we can use last 32 bytes of encrypted ETag for ssec encrypted objects.

[harshavardhana]

Thanks @poornas for the work.

[vadmeste]

Thanks @poornas !

The following diff is still needed for minio-go tests successful:

diff --git a/cmd/object-api-utils.go b/cmd/object-api-utils.go
index bd46eff6..fdf537c5 100644
--- a/cmd/object-api-utils.go
+++ b/cmd/object-api-utils.go
@@ -558,6 +558,19 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, pcfn CheckCopyPrecondi
 			}
 		}
 		fn = func(inputReader io.Reader, _ http.Header, pcfn CheckCopyPreconditionFn, cFns ...func()) (r *GetObjectReader, err error) {
+
+			cFns = append(cleanUpFns, cFns...)
+
+			if pcfn != nil {
+				if ok := pcfn(oi, ""); ok {
+					// Call the cleanup funcs
+					for i := len(cFns) - 1; i >= 0; i-- {
+						cFns[i]()
+					}
+					return nil, PreConditionFailed{}
+				}
+			}
+
 			// Decompression reader.
 			snappyReader := snappy.NewReader(inputReader)
 			// Apply the skipLen and limit on the
@@ -569,7 +582,7 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, pcfn CheckCopyPrecondi
 			r = &GetObjectReader{
 				ObjInfo:    oi,
 				pReader:    decReader,
-				cleanUpFns: append(cleanUpFns, cFns...),
+				cleanUpFns: cFns,
 				precondFn:  pcfn,
 			}
 			return r, nil
@@ -581,10 +594,23 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, pcfn CheckCopyPrecondi
 			return nil, 0, 0, err
 		}
 		fn = func(inputReader io.Reader, _ http.Header, pcfn CheckCopyPreconditionFn, cFns ...func()) (r *GetObjectReader, err error) {
+
+			cFns = append(cleanUpFns, cFns...)
+
+			if pcfn != nil {
+				if ok := pcfn(oi, ""); ok {
+					// Call the cleanup funcs
+					for i := len(cFns) - 1; i >= 0; i-- {
+						cFns[i]()
+					}
+					return nil, PreConditionFailed{}
+				}
+			}
+
 			r = &GetObjectReader{
 				ObjInfo:    oi,
 				pReader:    inputReader,
-				cleanUpFns: append(cleanUpFns, cFns...),
+				cleanUpFns: cFns,
 				precondFn:  pcfn,
 			}
 			return r, nil
diff --git a/cmd/object-handlers-common.go b/cmd/object-handlers-common.go
index f14a9cc2..e31e69ae 100644
--- a/cmd/object-handlers-common.go
+++ b/cmd/object-handlers-common.go
@@ -96,7 +96,7 @@ func checkCopyObjectPreconditions(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 
-	ssec := crypto.SSEC.IsRequested(r.Header)
+	ssec := crypto.SSECopy.IsRequested(r.Header)
 
 	// x-amz-copy-source-if-match : Return the object only if its entity tag (ETag) is the
 	// same as the one specified; otherwise return a 412 (precondition failed).

would you review them and push it again in your branch so I can cherry-pick your commit ?

[poornas]

Thanks @poornas !

The following diff is still needed for minio-go tests successful:

diff --git a/cmd/object-api-utils.go b/cmd/object-api-utils.go
index bd46eff6..fdf537c5 100644
--- a/cmd/object-api-utils.go
+++ b/cmd/object-api-utils.go
@@ -558,6 +558,19 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, pcfn CheckCopyPrecondi
 			}
 		}
 		fn = func(inputReader io.Reader, _ http.Header, pcfn CheckCopyPreconditionFn, cFns ...func()) (r *GetObjectReader, err error) {
+
+			cFns = append(cleanUpFns, cFns...)
+
+			if pcfn != nil {
+				if ok := pcfn(oi, ""); ok {
+					// Call the cleanup funcs
+					for i := len(cFns) - 1; i >= 0; i-- {
+						cFns[i]()
+					}
+					return nil, PreConditionFailed{}
+				}
+			}
+
 			// Decompression reader.
 			snappyReader := snappy.NewReader(inputReader)
 			// Apply the skipLen and limit on the
@@ -569,7 +582,7 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, pcfn CheckCopyPrecondi
 			r = &GetObjectReader{
 				ObjInfo:    oi,
 				pReader:    decReader,
-				cleanUpFns: append(cleanUpFns, cFns...),
+				cleanUpFns: cFns,
 				precondFn:  pcfn,
 			}
 			return r, nil
@@ -581,10 +594,23 @@ func NewGetObjectReader(rs *HTTPRangeSpec, oi ObjectInfo, pcfn CheckCopyPrecondi
 			return nil, 0, 0, err
 		}
 		fn = func(inputReader io.Reader, _ http.Header, pcfn CheckCopyPreconditionFn, cFns ...func()) (r *GetObjectReader, err error) {
+
+			cFns = append(cleanUpFns, cFns...)
+
+			if pcfn != nil {
+				if ok := pcfn(oi, ""); ok {
+					// Call the cleanup funcs
+					for i := len(cFns) - 1; i >= 0; i-- {
+						cFns[i]()
+					}
+					return nil, PreConditionFailed{}
+				}
+			}
+
 			r = &GetObjectReader{
 				ObjInfo:    oi,
 				pReader:    inputReader,
-				cleanUpFns: append(cleanUpFns, cFns...),
+				cleanUpFns: cFns,
 				precondFn:  pcfn,
 			}
 			return r, nil
diff --git a/cmd/object-handlers-common.go b/cmd/object-handlers-common.go
index f14a9cc2..e31e69ae 100644
--- a/cmd/object-handlers-common.go
+++ b/cmd/object-handlers-common.go
@@ -96,7 +96,7 @@ func checkCopyObjectPreconditions(ctx context.Context, w http.ResponseWriter, r
 		}
 	}
 
-	ssec := crypto.SSEC.IsRequested(r.Header)
+	ssec := crypto.SSECopy.IsRequested(r.Header)
 
 	// x-amz-copy-source-if-match : Return the object only if its entity tag (ETag) is the
 	// same as the one specified; otherwise return a 412 (precondition failed).

would you review them and push it again in your branch so I can cherry-pick your commit ?

good catch @vadmeste , updated the branch and tested.

[harshavardhana]

@vadmeste gateway-s3 test seem to be failing

(10/13) Running minio-js tests ... FAILED in 1 seconds
{
  "name": "minio-js",
  "function": "copyObject(bucketName, objectName, srcObject, conditions, cb)",
  "args": "bucketName:minio-js-test-646f5eef-7107-4c07-b814-ad23ba2e1dd2, objectName:datafile-100-kB-copy, srcObject:/minio-js-test-646f5eef-7107-4c07-b814-ad23ba2e1dd2/datafile-100-kB, conditions:ExceptCorrectEtag",
  "duration": 5,
  "status": "FAIL",
  "error": "Error: CopyObject should have failed. at client.copyObject.then (test/functional-tests.js:472:16) at process._tickCallback (internal/process/next_tick.js:109:7)"
}

Executed 9 out of 13 tests successfully.
error running minio/mint:30f12fcb5832046f0728d236e41ffccd3760cdcb: exit status 1

[kannappanr]

This can be reproduced with minio as the backend

[poornas]

@vadmeste, added gateway precondition check for the s3 gateway test failure

[poornas]

LGTM and tested.
might want to remove me from official reviewers for this PR.

[harshavardhana]

You are the official reviewer @poornas

[harshavardhana]

LGTM & tested

[harshavardhana]

S3 behavior requires precondition to be validated before validating the range - but this can be fixed in a different PR @vadmeste

[kannappanr]

Code should be above the comment.

[minio-ops]

Error running mint automation
+ mkdir -p 7276-5dd4e0f/gopath/src/github.com/minio
+ git -C 7276-5dd4e0f/gopath/src/github.com/minio clone --quiet https://github.com/minio/minio.git
+ git -C 7276-5dd4e0f/gopath/src/github.com/minio/minio remote add minio https://github.com/minio/minio.git
+ git -C 7276-5dd4e0f/gopath/src/github.com/minio/minio fetch --quiet minio pull/7276/head:pr7276
+ git -C 7276-5dd4e0f/gopath/src/github.com/minio/minio checkout --quiet pr7276
+ GOPATH=/mnt/nvme/mint-auto/7276-5dd4e0f/gopath
+ make -C 7276-5dd4e0f/gopath/src/github.com/minio/minio --quiet
# github.com/minio/minio/cmd
cmd/fs-v1.go:503:74: opts.CheckCopyPrecondFN undefined (type ObjectOptions has no field or method CheckCopyPrecondFN, but does have CheckCopyPrecondFn)
make: *** [build] Error 2

[vadmeste]

@poornas we still need the following diff after I investigated new mint errors with gateways:

diff --git a/cmd/disk-cache.go b/cmd/disk-cache.go
index 2774ddfe..7cf2bff4 100644
--- a/cmd/disk-cache.go
+++ b/cmd/disk-cache.go
@@ -254,8 +254,7 @@ func (c cacheObjects) GetObjectNInfo(ctx context.Context, bucket, object string,
 
 	cleanupBackend := func() { bkReader.Close() }
 	cleanupPipe := func() { pipeReader.Close() }
-	gr = NewGetObjectReaderFromReader(teeReader, bkReader.ObjInfo, opts.CheckCopyPrecondFn, cleanupBackend, cleanupPipe)
-	return gr, nil
+	return NewGetObjectReaderFromReader(teeReader, bkReader.ObjInfo, opts.CheckCopyPrecondFn, cleanupBackend, cleanupPipe)
 }
 
 // Uses cached-object to serve the request. If object is not cached it serves the request from the backend and also
diff --git a/cmd/fs-v1.go b/cmd/fs-v1.go
index a5ae1e5b..fabbbe6d 100644
--- a/cmd/fs-v1.go
+++ b/cmd/fs-v1.go
@@ -500,7 +500,7 @@ func (fs *FSObjects) GetObjectNInfo(ctx context.Context, bucket, object string,
 	if hasSuffix(object, slashSeparator) {
 		// The lock taken above is released when
 		// objReader.Close() is called by the caller.
-		return NewGetObjectReaderFromReader(bytes.NewBuffer(nil), objInfo, opts.CheckCopyPrecondFn, nsUnlocker), nil
+		return NewGetObjectReaderFromReader(bytes.NewBuffer(nil), objInfo, opts.CheckCopyPrecondFn, nsUnlocker)
 	}
 	// Take a rwPool lock for NFS gateway type deployment
 	rwPoolUnlocker := func() {}
diff --git a/cmd/gateway/azure/gateway-azure.go b/cmd/gateway/azure/gateway-azure.go
index eb4bd608..fc7750ac 100644
--- a/cmd/gateway/azure/gateway-azure.go
+++ b/cmd/gateway/azure/gateway-azure.go
@@ -651,7 +651,7 @@ func (a *azureObjects) GetObjectNInfo(ctx context.Context, bucket, object string
 	// Setup cleanup function to cause the above go-routine to
 	// exit in case of partial read
 	pipeCloser := func() { pr.Close() }
-	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser), nil
+	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser)
 }
 
 // GetObject - reads an object from azure. Supports additional
diff --git a/cmd/gateway/b2/gateway-b2.go b/cmd/gateway/b2/gateway-b2.go
index 7a1e8493..03c54716 100644
--- a/cmd/gateway/b2/gateway-b2.go
+++ b/cmd/gateway/b2/gateway-b2.go
@@ -417,7 +417,7 @@ func (l *b2Objects) GetObjectNInfo(ctx context.Context, bucket, object string, r
 	// Setup cleanup function to cause the above go-routine to
 	// exit in case of partial read
 	pipeCloser := func() { pr.Close() }
-	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser), nil
+	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser)
 }
 
 // GetObject reads an object from B2. Supports additional
diff --git a/cmd/gateway/gcs/gateway-gcs.go b/cmd/gateway/gcs/gateway-gcs.go
index ec7c07cc..f45964af 100644
--- a/cmd/gateway/gcs/gateway-gcs.go
+++ b/cmd/gateway/gcs/gateway-gcs.go
@@ -753,7 +753,7 @@ func (l *gcsGateway) GetObjectNInfo(ctx context.Context, bucket, object string,
 	// Setup cleanup function to cause the above go-routine to
 	// exit in case of partial read
 	pipeCloser := func() { pr.Close() }
-	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser), nil
+	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser)
 }
 
 // GetObject - reads an object from GCS. Supports additional
diff --git a/cmd/gateway/oss/gateway-oss.go b/cmd/gateway/oss/gateway-oss.go
index 52d3fbd0..ccb80c14 100644
--- a/cmd/gateway/oss/gateway-oss.go
+++ b/cmd/gateway/oss/gateway-oss.go
@@ -569,7 +569,7 @@ func (l *ossObjects) GetObjectNInfo(ctx context.Context, bucket, object string,
 	// Setup cleanup function to cause the above go-routine to
 	// exit in case of partial read
 	pipeCloser := func() { pr.Close() }
-	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser), nil
+	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser)
 }
 
 // GetObject reads an object on OSS. Supports additional
diff --git a/cmd/gateway/s3/gateway-s3.go b/cmd/gateway/s3/gateway-s3.go
index d5c0cd40..9ec42b3a 100644
--- a/cmd/gateway/s3/gateway-s3.go
+++ b/cmd/gateway/s3/gateway-s3.go
@@ -400,7 +400,7 @@ func (l *s3Objects) GetObjectNInfo(ctx context.Context, bucket, object string, r
 	// Setup cleanup function to cause the above go-routine to
 	// exit in case of partial read
 	pipeCloser := func() { pr.Close() }
-	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser), nil
+	return minio.NewGetObjectReaderFromReader(pr, objInfo, opts.CheckCopyPrecondFn, pipeCloser)
 }
 
 // GetObject reads an object from S3. Supports additional
diff --git a/cmd/object-api-utils.go b/cmd/object-api-utils.go
index 3e553820..e32cf237 100644
--- a/cmd/object-api-utils.go
+++ b/cmd/object-api-utils.go
@@ -428,13 +428,22 @@ type GetObjectReader struct {
 
 // NewGetObjectReaderFromReader sets up a GetObjectReader with a given
 // reader. This ignores any object properties.
-func NewGetObjectReaderFromReader(r io.Reader, oi ObjectInfo, pcfn CheckCopyPreconditionFn, cleanupFns ...func()) *GetObjectReader {
+func NewGetObjectReaderFromReader(r io.Reader, oi ObjectInfo, pcfn CheckCopyPreconditionFn, cleanupFns ...func()) (*GetObjectReader, error) {
+	if pcfn != nil {
+		if ok := pcfn(oi, ""); ok {
+			// Call the cleanup funcs
+			for i := len(cleanupFns) - 1; i >= 0; i-- {
+				cleanupFns[i]()
+			}
+			return nil, PreConditionFailed{}
+		}
+	}
 	return &GetObjectReader{
 		ObjInfo:    oi,
 		pReader:    r,
 		cleanUpFns: cleanupFns,
 		precondFn:  pcfn,
-	}
+	}, nil
 }
 
 // ObjReaderFn is a function type that takes a reader and returns
diff --git a/cmd/xl-v1-object.go b/cmd/xl-v1-object.go
index 3ef075ea..5b6cf025 100644
--- a/cmd/xl-v1-object.go
+++ b/cmd/xl-v1-object.go
@@ -182,7 +182,7 @@ func (xl xlObjects) GetObjectNInfo(ctx context.Context, bucket, object string, r
 			nsUnlocker()
 			return nil, toObjectErr(err, bucket, object)
 		}
-		return NewGetObjectReaderFromReader(bytes.NewBuffer(nil), objInfo, opts.CheckCopyPrecondFn, nsUnlocker), nil
+		return NewGetObjectReaderFromReader(bytes.NewBuffer(nil), objInfo, opts.CheckCopyPrecondFn, nsUnlocker)
 	}
 
 	var objInfo ObjectInfo

[minio-ops]

Mint Automation

Test	Result
mint-compression-xl.sh	✔️
mint-xl.sh	✔️
mint-large-bucket.sh	✔️
mint-compression-dist-xl.sh	✔️
mint-compression-fs.sh	✔️
mint-worm.sh	✔️
mint-fs.sh	✔️
mint-gateway-nas.sh	✔️
mint-dist-xl.sh	❌ more...

7276-c5960fc/mint-dist-xl.sh.log:

Running with
SERVER_ENDPOINT:      72.28.97.61:31382
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0

To get logs, run 'docker cp d8df3b136899:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 0 seconds
(2/14) Running aws-sdk-java tests ... done in 1 seconds
(3/14) Running aws-sdk-php tests ... done in 44 seconds
(4/14) Running aws-sdk-ruby tests ... done in 5 seconds
(5/14) Running awscli tests ... done in 1 minutes and 50 seconds
(6/14) Running healthcheck tests ... done in 0 seconds
(7/14) Running mc tests ... done in 33 seconds
(8/14) Running minio-dotnet tests ... done in 37 seconds
(9/14) Running minio-go tests ... done in 1 minutes and 22 seconds
(10/14) Running minio-java tests ... done in 2 minutes and 35 seconds
(11/14) Running minio-js tests ... FAILED in 7 seconds
{
  "name": "minio-js",
  "function": "\"after all\" hook in \"functional tests\"",
  "duration": 15,
  "status": "FAIL",
  "error": "S3Error: The bucket you tried to delete is not empty at Object.parseError (node_modules/minio/dist/main/xml-parsers.js:56:11) at /mint/run/core/minio-js/node_modules/minio/dist/main/transformers.js:117:22 at DestroyableTransform._flush (node_modules/minio/dist/main/transformers.js:48:26) at DestroyableTransform.<anonymous> (node_modules/minio/node_modules/through2/node_modules/readable-stream/lib/_stream_transform.js:135:12) at finishMaybe (node_modules/minio/node_modules/through2/node_modules/readable-stream/lib/_stream_writable.js:371:12) at endWritable (node_modules/minio/node_modules/through2/node_modules/readable-stream/lib/_stream_writable.js:378:3) at DestroyableTransform.Writable.end (node_modules/minio/node_modules/through2/node_modules/readable-stream/lib/_stream_writable.js:356:5) at IncomingMessage.onend (_stream_readable.js:514:10) at endReadableNT (_stream_readable.js:978:12) at _combinedTickCallback (internal/process/next_tick.js:80:11) at process._tickCallback (internal/process/next_tick.js:104:9)"
}

Executed 10 out of 14 tests successfully.

[vadmeste]

Can I get some reviews here ?

[harshavardhana]

LGTM & tested

[poornas]

Tested, LGTM.

[kannappanr]

@aead can you please review this PR?