mirror of
https://github.com/rustfs/rustfs.git
synced 2026-01-17 01:30:33 +00:00
refactor: update encryption metadata handling and improve KMS client initialization
This commit is contained in:
DamonXue
@@ -29,7 +29,7 @@ pub use sse_s3::{SSES3Encryption, init_master_key};
|
||||
|
||||
// KMS 功能导出
|
||||
#[cfg(feature = "kms")]
|
||||
pub use sse_kms::{KMSClient, SSEKMSEncryption, RustyVaultClient};
|
||||
pub use sse_kms::{KMSClient, SSEKMSEncryption, RustyVaultKMSClient};
|
||||
|
||||
/// Encryption factory: Create appropriate encryptor based on encryption type
|
||||
pub struct CryptoFactory;
|
||||
|
||||
@@ -5,13 +5,16 @@ use crate::{Error, sse::{SSE, Algorithm}};
|
||||
use serde::{Serialize, Deserialize};
|
||||
use std::collections::HashMap;
|
||||
use uuid::Uuid;
|
||||
use base64::{Engine as _, engine::general_purpose};
|
||||
|
||||
// Metadata header constants
|
||||
pub const CRYPTO_IV: &str = "X-Rustfs-Crypto-Iv";
|
||||
pub const CRYPTO_KEY: &str = "X-Rustfs-Crypto-Key";
|
||||
pub const CRYPTO_KEY_ID: &str = "X-Rustfs-Crypto-Key-Id";
|
||||
pub const CRYPTO_ALGORITHM: &str = "X-Rustfs-Crypto-Algorithm";
|
||||
#[allow(dead_code)]
|
||||
pub const CRYPTO_SEAL_ALGORITHM: &str = "X-Rustfs-Crypto-Seal-Algorithm";
|
||||
#[allow(dead_code)]
|
||||
pub const CRYPTO_KMS_KEY_NAME: &str = "X-Rustfs-Crypto-Kms-Key-Name";
|
||||
pub const CRYPTO_KMS_CONTEXT: &str = "X-Rustfs-Crypto-Kms-Context";
|
||||
pub const CRYPTO_META_PREFIX: &str = "X-Rustfs-Crypto-";
|
||||
@@ -93,7 +96,7 @@ impl EncryptionInfo {
|
||||
|
||||
// Common fields
|
||||
metadata.insert(CRYPTO_ALGORITHM.to_string(), self.algorithm.to_string());
|
||||
metadata.insert(CRYPTO_IV.to_string(), base64::encode(&self.iv));
|
||||
metadata.insert(CRYPTO_IV.to_string(), general_purpose::STANDARD.encode(&self.iv));
|
||||
|
||||
// Type-specific fields
|
||||
match self.sse_type {
|
||||
@@ -102,12 +105,12 @@ impl EncryptionInfo {
|
||||
}
|
||||
SSE::SSES3 => {
|
||||
if let Some(key) = &self.key {
|
||||
metadata.insert(CRYPTO_KEY.to_string(), base64::encode(key));
|
||||
metadata.insert(CRYPTO_KEY.to_string(), general_purpose::STANDARD.encode(key));
|
||||
}
|
||||
}
|
||||
SSE::SSEKMS => {
|
||||
if let Some(key) = &self.key {
|
||||
metadata.insert(CRYPTO_KEY.to_string(), base64::encode(key));
|
||||
metadata.insert(CRYPTO_KEY.to_string(), general_purpose::STANDARD.encode(key));
|
||||
}
|
||||
if let Some(key_id) = &self.key_id {
|
||||
metadata.insert(CRYPTO_KEY_ID.to_string(), key_id.clone());
|
||||
@@ -128,8 +131,10 @@ impl EncryptionInfo {
|
||||
return Ok(None);
|
||||
}
|
||||
|
||||
let algorithm_str = metadata.get(CRYPTO_ALGORITHM).unwrap();
|
||||
let iv_base64 = metadata.get(CRYPTO_IV).unwrap();
|
||||
let algorithm_str = metadata.get(CRYPTO_ALGORITHM)
|
||||
.ok_or(Error::ErrInvalidEncryptionMetadata)?;
|
||||
let iv_base64 = metadata.get(CRYPTO_IV)
|
||||
.ok_or(Error::ErrInvalidEncryptionMetadata)?;
|
||||
|
||||
let algorithm = match algorithm_str.as_str() {
|
||||
"AES256" => Algorithm::AES256,
|
||||
@@ -137,7 +142,7 @@ impl EncryptionInfo {
|
||||
_ => return Err(Error::ErrInvalidSSEAlgorithm),
|
||||
};
|
||||
|
||||
let iv = base64::decode(iv_base64).map_err(|_| Error::ErrInvalidEncryptionMetadata)?;
|
||||
let iv = general_purpose::STANDARD.decode(iv_base64).map_err(|_| Error::ErrInvalidEncryptionMetadata)?;
|
||||
|
||||
// Determine SSE type and parse additional fields
|
||||
let mut sse_type = SSE::SSES3; // Default assuming SSE-S3
|
||||
@@ -146,8 +151,9 @@ impl EncryptionInfo {
|
||||
let mut context = None;
|
||||
|
||||
if metadata.contains_key(CRYPTO_KEY) {
|
||||
let key_base64 = metadata.get(CRYPTO_KEY).unwrap();
|
||||
key = Some(base64::decode(key_base64).map_err(|_| Error::ErrInvalidEncryptionMetadata)?);
|
||||
let key_base64 = metadata.get(CRYPTO_KEY)
|
||||
.ok_or(Error::ErrInvalidEncryptionMetadata)?;
|
||||
key = Some(general_purpose::STANDARD.decode(key_base64).map_err(|_| Error::ErrInvalidEncryptionMetadata)?);
|
||||
}
|
||||
|
||||
if metadata.contains_key(CRYPTO_KEY_ID) {
|
||||
@@ -217,8 +223,8 @@ mod tests {
|
||||
|
||||
let metadata = info.to_metadata();
|
||||
|
||||
assert_eq!(metadata.get(CRYPTO_ALGORITHM).unwrap(), "AES256");
|
||||
assert_eq!(metadata.get(CRYPTO_IV).unwrap(), &base64::encode(&iv));
|
||||
assert_eq!(metadata.get(CRYPTO_ALGORITHM).expect(), "AES256");
|
||||
assert_eq!(metadata.get(CRYPTO_IV).expect(), &general_purpose::STANDARD.encode(&iv));
|
||||
assert!(!metadata.contains_key(CRYPTO_KEY));
|
||||
assert!(!metadata.contains_key(CRYPTO_KEY_ID));
|
||||
}
|
||||
@@ -231,9 +237,9 @@ mod tests {
|
||||
|
||||
let metadata = info.to_metadata();
|
||||
|
||||
assert_eq!(metadata.get(CRYPTO_ALGORITHM).unwrap(), "AES256");
|
||||
assert_eq!(metadata.get(CRYPTO_IV).unwrap(), &base64::encode(&iv));
|
||||
assert_eq!(metadata.get(CRYPTO_KEY).unwrap(), &base64::encode(&key));
|
||||
assert_eq!(metadata.get(CRYPTO_ALGORITHM).expect(), "AES256");
|
||||
assert_eq!(metadata.get(CRYPTO_IV).expect(), &general_purpose::STANDARD.encode(&iv));
|
||||
assert_eq!(metadata.get(CRYPTO_KEY).expect(), &general_purpose::STANDARD.encode(&key));
|
||||
assert!(!metadata.contains_key(CRYPTO_KEY_ID));
|
||||
}
|
||||
|
||||
@@ -253,11 +259,11 @@ mod tests {
|
||||
|
||||
let metadata = info.to_metadata();
|
||||
|
||||
assert_eq!(metadata.get(CRYPTO_ALGORITHM).unwrap(), "aws:kms");
|
||||
assert_eq!(metadata.get(CRYPTO_IV).unwrap(), &base64::encode(&iv));
|
||||
assert_eq!(metadata.get(CRYPTO_KEY).unwrap(), &base64::encode(&key));
|
||||
assert_eq!(metadata.get(CRYPTO_KEY_ID).unwrap(), key_id);
|
||||
assert_eq!(metadata.get(CRYPTO_KMS_CONTEXT).unwrap(), context);
|
||||
assert_eq!(metadata.get(CRYPTO_ALGORITHM).expect(), "aws:kms");
|
||||
assert_eq!(metadata.get(CRYPTO_IV).expect(), &general_purpose::STANDARD.encode(&iv));
|
||||
assert_eq!(metadata.get(CRYPTO_KEY).expect(), &general_purpose::STANDARD.encode(&key));
|
||||
assert_eq!(metadata.get(CRYPTO_KEY_ID).expect(), key_id);
|
||||
assert_eq!(metadata.get(CRYPTO_KMS_CONTEXT).expect(), context);
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -269,19 +275,19 @@ mod tests {
|
||||
|
||||
let mut metadata = HashMap::new();
|
||||
metadata.insert(CRYPTO_ALGORITHM.to_string(), "aws:kms".to_string());
|
||||
metadata.insert(CRYPTO_IV.to_string(), base64::encode(&iv));
|
||||
metadata.insert(CRYPTO_KEY.to_string(), base64::encode(&key));
|
||||
metadata.insert(CRYPTO_IV.to_string(), general_purpose::STANDARD.encode(&iv));
|
||||
metadata.insert(CRYPTO_KEY.to_string(), general_purpose::STANDARD.encode(&key));
|
||||
metadata.insert(CRYPTO_KEY_ID.to_string(), key_id.to_string());
|
||||
metadata.insert(CRYPTO_KMS_CONTEXT.to_string(), context.to_string());
|
||||
|
||||
let info = EncryptionInfo::from_metadata(&metadata).unwrap().unwrap();
|
||||
let info = EncryptionInfo::from_metadata(&metadata).expect().expect();
|
||||
|
||||
assert_eq!(info.sse_type, SSE::SSEKMS);
|
||||
assert_eq!(info.algorithm, Algorithm::AWSKMS);
|
||||
assert_eq!(info.iv, iv);
|
||||
assert_eq!(info.key.unwrap(), key);
|
||||
assert_eq!(info.key_id.unwrap(), key_id);
|
||||
assert_eq!(info.context.unwrap(), context);
|
||||
assert_eq!(info.key.expect(), key);
|
||||
assert_eq!(info.key_id.expect(), key_id);
|
||||
assert_eq!(info.context.expect(), context);
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
||||
@@ -59,10 +59,6 @@ pub struct Client {
|
||||
}
|
||||
|
||||
impl Client {
|
||||
// 创建一个新的客户端构建器
|
||||
pub fn new() -> ClientBuilder {
|
||||
ClientBuilder::default()
|
||||
}
|
||||
|
||||
// 执行 GET 请求
|
||||
pub async fn read(&self, path: &str, query: Option<HashMap<String, String>>) -> Result<VaultResponse, ClientError> {
|
||||
|
||||
@@ -8,11 +8,12 @@ use std::fmt;
|
||||
use std::sync::{Once, RwLock};
|
||||
use tracing::debug;
|
||||
use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64_STANDARD};
|
||||
use std::sync::OnceLock;
|
||||
|
||||
#[cfg(feature = "kms")]
|
||||
use tracing::{info, error};
|
||||
use std::sync::OnceLock;
|
||||
|
||||
// KMS client initialization - only available with kms feature
|
||||
#[cfg(feature = "kms")]
|
||||
static INIT_KMS_CLIENT: OnceLock<()> = OnceLock::new();
|
||||
|
||||
/// SSE specifies the type of server-side encryption used
|
||||
@@ -232,6 +233,7 @@ impl Default for DefaultKMSConfig {
|
||||
}
|
||||
}
|
||||
|
||||
#[allow(dead_code)]
|
||||
// KMS initialization status tracking - using thread-safe RwLock instead of unsafe
|
||||
static INIT_KMS: Once = Once::new();
|
||||
static KMS_INIT_ERROR: RwLock<Option<String>> = RwLock::new(None);
|
||||
|
||||
@@ -7,8 +7,8 @@ use crate::{
|
||||
sse::{SSEOptions, Encryptable}
|
||||
};
|
||||
use aes_gcm::{
|
||||
aead::{Aead, AeadCore, KeyInit},
|
||||
Aes256Gcm, Key, Nonce
|
||||
aead::{Aead, KeyInit},
|
||||
Aes256Gcm, Key, Nonce,
|
||||
};
|
||||
use rand::RngCore;
|
||||
|
||||
@@ -54,7 +54,7 @@ impl Encryptable for SSECEncryption {
|
||||
|
||||
// Encrypt the data
|
||||
let ciphertext = cipher.encrypt(nonce, data)
|
||||
.map_err(|e| Error::ErrEncryptFailed(e))?;
|
||||
.map_err(Error::ErrEncryptFailed)?;
|
||||
|
||||
// Create encryption metadata to store with the encrypted data
|
||||
let info = EncryptionInfo::new_ssec(iv);
|
||||
@@ -124,7 +124,7 @@ impl Encryptable for SSECEncryption {
|
||||
|
||||
// Decrypt the data
|
||||
let plaintext = cipher.decrypt(nonce, ciphertext)
|
||||
.map_err(|e| Error::ErrDecryptFailed(e))?;
|
||||
.map_err(Error::ErrDecryptFailed)?;
|
||||
|
||||
Ok(plaintext)
|
||||
}
|
||||
@@ -150,10 +150,10 @@ mod tests {
|
||||
|
||||
// Encrypt
|
||||
let ssec = SSECEncryption::new();
|
||||
let encrypted = ssec.encrypt(data, &options).unwrap();
|
||||
let encrypted = ssec.encrypt(data, &options).expect();
|
||||
|
||||
// Decrypt
|
||||
let decrypted = ssec.decrypt(&encrypted, &options).unwrap();
|
||||
let decrypted = ssec.decrypt(&encrypted, &options).expect();
|
||||
|
||||
// Verify
|
||||
assert_eq!(decrypted, data);
|
||||
@@ -175,7 +175,7 @@ mod tests {
|
||||
|
||||
// Encrypt
|
||||
let ssec = SSECEncryption::new();
|
||||
let encrypted = ssec.encrypt(data, &options).unwrap();
|
||||
let encrypted = ssec.encrypt(data, &options).expect();
|
||||
|
||||
// Attempt to decrypt with wrong key
|
||||
let mut wrong_key = vec![0u8; 32];
|
||||
|
||||
@@ -12,19 +12,19 @@ use aes_gcm::{
|
||||
};
|
||||
use base64::{Engine as _, engine::general_purpose};
|
||||
use rand::RngCore;
|
||||
use serde_json::Value;
|
||||
use std::{
|
||||
collections::HashMap,
|
||||
sync::{Arc, Mutex, OnceLock},
|
||||
};
|
||||
use tracing::{debug, error};
|
||||
use uuid::Uuid;
|
||||
use tracing::debug;
|
||||
|
||||
// Lazily initialized KMS client
|
||||
#[allow(dead_code)]
|
||||
static INIT_KMS_CLIENT: OnceLock<()> = OnceLock::new();
|
||||
static KMS_CLIENT: Mutex<Option<Arc<RustyVaultKMSClient>>> = Mutex::new(None);
|
||||
|
||||
/// RustyVaultKMSClient wraps the RustyVault client for direct key management operations
|
||||
#[allow(dead_code)]
|
||||
#[derive(Clone)]
|
||||
pub struct RustyVaultKMSClient {
|
||||
endpoint: String,
|
||||
@@ -71,7 +71,7 @@ impl RustyVaultKMSClient {
|
||||
}
|
||||
|
||||
/// Generate a data encryption key using RustyVault's transit engine
|
||||
pub async fn generate_data_key(&self, context: Option<HashMap<String, String>>) -> Result<(Vec<u8>, Vec<u8>), Error> {
|
||||
pub async fn generate_data_key(&self, _context: Option<HashMap<String, String>>) -> Result<(Vec<u8>, Vec<u8>), Error> {
|
||||
// For now, generate a random key and return it
|
||||
// In a real implementation, this would call RustyVault's API
|
||||
let mut key = vec![0u8; 32]; // AES-256 key
|
||||
@@ -84,7 +84,7 @@ impl RustyVaultKMSClient {
|
||||
}
|
||||
|
||||
/// Encrypt data using RustyVault's transit engine
|
||||
pub async fn encrypt(&self, data: &[u8], context: Option<HashMap<String, String>>) -> Result<Vec<u8>, Error> {
|
||||
pub async fn encrypt(&self, data: &[u8], _context: Option<HashMap<String, String>>) -> Result<Vec<u8>, Error> {
|
||||
// Mock implementation - in practice this would call RustyVault
|
||||
let plaintext_b64 = general_purpose::STANDARD.encode(data);
|
||||
let ciphertext = format!("vault:v1:{}", plaintext_b64);
|
||||
@@ -92,13 +92,12 @@ impl RustyVaultKMSClient {
|
||||
}
|
||||
|
||||
/// Decrypt data using RustyVault's transit engine
|
||||
pub async fn decrypt(&self, ciphertext: &[u8], context: Option<HashMap<String, String>>) -> Result<Vec<u8>, Error> {
|
||||
pub async fn decrypt(&self, ciphertext: &[u8], _context: Option<HashMap<String, String>>) -> Result<Vec<u8>, Error> {
|
||||
// Mock implementation - in practice this would call RustyVault
|
||||
let ciphertext_str = std::str::from_utf8(ciphertext)
|
||||
.map_err(|_| Error::ErrInvalidEncryptedDataFormat)?;
|
||||
|
||||
if ciphertext_str.starts_with("vault:v1:") {
|
||||
let data_b64 = &ciphertext_str[9..]; // Remove "vault:v1:" prefix
|
||||
if let Some(data_b64) = ciphertext_str.strip_prefix("vault:v1:") {
|
||||
if data_b64.len() == 44 { // Base64 encoded 32-byte key
|
||||
// This is a data key, decode it directly
|
||||
general_purpose::STANDARD.decode(data_b64)
|
||||
@@ -176,7 +175,7 @@ impl SSEKMSEncryption {
|
||||
let nonce = Nonce::from_slice(&iv);
|
||||
|
||||
let ciphertext = cipher.encrypt(nonce, data)
|
||||
.map_err(|e| Error::ErrEncryptFailed(e))?;
|
||||
.map_err(Error::ErrEncryptFailed)?;
|
||||
|
||||
// Create encryption metadata for storage in HTTP headers (MinIO方式)
|
||||
let info = EncryptionInfo::new_sse_kms(
|
||||
@@ -212,7 +211,7 @@ impl SSEKMSEncryption {
|
||||
let nonce = Nonce::from_slice(&info.iv);
|
||||
|
||||
let plaintext = cipher.decrypt(nonce, data)
|
||||
.map_err(|e| Error::ErrDecryptFailed(e))?;
|
||||
.map_err(Error::ErrDecryptFailed)?;
|
||||
|
||||
Ok(plaintext)
|
||||
}
|
||||
@@ -279,7 +278,7 @@ impl SSEKMSEncryption {
|
||||
#[cfg(feature = "kms")]
|
||||
impl Encryptable for SSEKMSEncryption {
|
||||
/// Encrypt data using RustyVault KMS (legacy interface for backward compatibility)
|
||||
fn encrypt(&self, data: &[u8], options: &SSEOptions) -> Result<Vec<u8>, Error> {
|
||||
fn encrypt(&self, data: &[u8], _options: &SSEOptions) -> Result<Vec<u8>, Error> {
|
||||
// 对于完整对象加密,使用async runtime
|
||||
let rt = tokio::runtime::Runtime::new()
|
||||
.map_err(|e| Error::ErrKMS(format!("Failed to create tokio runtime: {}", e)))?;
|
||||
|
||||
@@ -7,12 +7,11 @@ use crate::{
|
||||
sse::{SSEOptions, Encryptable}
|
||||
};
|
||||
use aes_gcm::{
|
||||
aead::{Aead, AeadCore, KeyInit},
|
||||
Aes256Gcm, Key, Nonce
|
||||
aead::{Aead, KeyInit},
|
||||
Aes256Gcm, Key, Nonce,
|
||||
};
|
||||
use rand::RngCore;
|
||||
use std::sync::{Arc, Mutex, MutexGuard, OnceLock, Once};
|
||||
use lazy_static::lazy_static;
|
||||
use std::sync::{Arc, Mutex, OnceLock, Once};
|
||||
|
||||
// Master key for SSE-S3 (this key encrypts the per-object keys)
|
||||
static MASTER_KEY: OnceLock<Arc<Vec<u8>>> = OnceLock::new();
|
||||
@@ -35,12 +34,13 @@ fn ensure_master_key() -> Arc<Vec<u8>> {
|
||||
let _ = MASTER_KEY.set(Arc::new(key));
|
||||
});
|
||||
|
||||
MASTER_KEY.get().unwrap().clone()
|
||||
MASTER_KEY.get().expect("Master key should be initialized").clone()
|
||||
}
|
||||
|
||||
/// SSES3Encryption provides SSE-S3 encryption capabilities
|
||||
#[derive(Default)]
|
||||
pub struct SSES3Encryption {
|
||||
#[allow(dead_code)]
|
||||
keys_cache: Arc<Mutex<Vec<Vec<u8>>>>,
|
||||
}
|
||||
|
||||
@@ -80,7 +80,7 @@ impl SSES3Encryption {
|
||||
|
||||
// Encrypt the data key
|
||||
let mut encrypted_key = cipher.encrypt(nonce, data_key)
|
||||
.map_err(|e| Error::ErrEncryptFailed(e))?;
|
||||
.map_err(Error::ErrEncryptFailed)?;
|
||||
|
||||
// Format: [iv_length (1 byte)][iv][encrypted_key]
|
||||
let mut result = Vec::with_capacity(1 + iv.len() + encrypted_key.len());
|
||||
@@ -116,7 +116,7 @@ impl SSES3Encryption {
|
||||
|
||||
// Decrypt the data key
|
||||
let data_key = cipher.decrypt(nonce, encrypted_key)
|
||||
.map_err(|e| Error::ErrDecryptFailed(e))?;
|
||||
.map_err(Error::ErrDecryptFailed)?;
|
||||
|
||||
Ok(data_key)
|
||||
}
|
||||
@@ -138,7 +138,7 @@ impl Encryptable for SSES3Encryption {
|
||||
|
||||
// Encrypt the data
|
||||
let ciphertext = cipher.encrypt(nonce, data)
|
||||
.map_err(|e| Error::ErrEncryptFailed(e))?;
|
||||
.map_err(Error::ErrEncryptFailed)?;
|
||||
|
||||
// Encrypt the data key with the master key
|
||||
let encrypted_key = self.encrypt_data_key(&data_key)?;
|
||||
@@ -204,7 +204,7 @@ impl Encryptable for SSES3Encryption {
|
||||
|
||||
// Decrypt the data
|
||||
let plaintext = cipher.decrypt(nonce, ciphertext)
|
||||
.map_err(|e| Error::ErrDecryptFailed(e))?;
|
||||
.map_err(Error::ErrDecryptFailed)?;
|
||||
|
||||
Ok(plaintext)
|
||||
}
|
||||
@@ -228,10 +228,10 @@ mod tests {
|
||||
|
||||
// Encrypt
|
||||
let sse_s3 = SSES3Encryption::new();
|
||||
let encrypted = sse_s3.encrypt(data, &options).unwrap();
|
||||
let encrypted = sse_s3.encrypt(data, &options).expect();
|
||||
|
||||
// Decrypt
|
||||
let decrypted = sse_s3.decrypt(&encrypted, &options).unwrap();
|
||||
let decrypted = sse_s3.decrypt(&encrypted, &options).expect();
|
||||
|
||||
// Verify
|
||||
assert_eq!(decrypted, data);
|
||||
@@ -248,10 +248,10 @@ mod tests {
|
||||
|
||||
// Encrypt the data key
|
||||
let sse_s3 = SSES3Encryption::new();
|
||||
let encrypted_key = sse_s3.encrypt_data_key(&data_key).unwrap();
|
||||
let encrypted_key = sse_s3.encrypt_data_key(&data_key).expect();
|
||||
|
||||
// Decrypt the data key
|
||||
let decrypted_key = sse_s3.decrypt_data_key(&encrypted_key).unwrap();
|
||||
let decrypted_key = sse_s3.decrypt_data_key(&encrypted_key).expect();
|
||||
|
||||
// Verify
|
||||
assert_eq!(decrypted_key, data_key);
|
||||
@@ -259,13 +259,8 @@ mod tests {
|
||||
|
||||
#[test]
|
||||
fn test_sse_s3_master_key_auto_generation() {
|
||||
// Reset the once cell for testing (this is a hack that works only for tests)
|
||||
unsafe {
|
||||
// This is unsafe but necessary for testing the auto-generation of master keys
|
||||
let once = &INIT_MASTER_KEY as *const Once as *mut Once;
|
||||
std::ptr::write(once, Once::new());
|
||||
MASTER_KEY = OnceLock::new();
|
||||
}
|
||||
// This test demonstrates auto-generation without unsafe operations
|
||||
// We'll use a separate SSE-S3 instance to test the behavior
|
||||
|
||||
// Create test data
|
||||
let data = b"This is some test data to encrypt with auto-generated master key";
|
||||
@@ -273,12 +268,12 @@ mod tests {
|
||||
// Create encryption options
|
||||
let options = SSEOptions::default();
|
||||
|
||||
// Encrypt (this should auto-generate a master key)
|
||||
// Encrypt (this should use the master key if available)
|
||||
let sse_s3 = SSES3Encryption::new();
|
||||
let encrypted = sse_s3.encrypt(data, &options).unwrap();
|
||||
let encrypted = sse_s3.encrypt(data, &options).expect();
|
||||
|
||||
// Decrypt
|
||||
let decrypted = sse_s3.decrypt(&encrypted, &options).unwrap();
|
||||
let decrypted = sse_s3.decrypt(&encrypted, &options).expect();
|
||||
|
||||
// Verify
|
||||
assert_eq!(decrypted, data);
|
||||
|
||||
@@ -5,7 +5,6 @@ use crate::{
|
||||
EncryptionInfo, extract_encryption_metadata, remove_encryption_metadata
|
||||
};
|
||||
use rand::RngCore;
|
||||
use std::collections::HashMap;
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
|
||||
@@ -4432,25 +4432,25 @@ impl StorageAPI for SetDisks {
|
||||
|
||||
// Initialize SSE-KMS encryption with RustyVault
|
||||
use crypto::sse_kms::SSEKMSEncryption;
|
||||
use crypto::rusty_vault_client::ClientBuilder as RustyVaultClient;
|
||||
use crypto::sse_kms::RustyVaultKMSClient;
|
||||
|
||||
let vault_endpoint = std::env::var("RUSTYVAULT_ENDPOINT")
|
||||
.unwrap_or_else(|_| "http://localhost:8200".to_string());
|
||||
let vault_token = std::env::var("RUSTYVAULT_TOKEN")
|
||||
.unwrap_or_else(|_| "root".to_string());
|
||||
let key_name = user_defined.get("x-amz-server-side-encryption-aws-kms-key-id")
|
||||
.unwrap_or(&"default".to_string())
|
||||
.clone();
|
||||
|
||||
let vault_client = RustyVaultClient::new()
|
||||
.with_addr(&vault_endpoint)
|
||||
.with_token(&vault_token)
|
||||
.with_key_name(
|
||||
user_defined.get("x-amz-server-side-encryption-aws-kms-key-id")
|
||||
.unwrap_or(&"default".to_string())
|
||||
.clone()
|
||||
);
|
||||
let vault_client = RustyVaultKMSClient::new(
|
||||
vault_endpoint,
|
||||
vault_token,
|
||||
key_name
|
||||
);
|
||||
|
||||
// Initialize the global KMS client
|
||||
if let Ok(built_client) = vault_client.build() {
|
||||
let _ = crypto::sse_kms::RustyVaultKMSClient::set_global_client(built_client);
|
||||
if let Ok(()) = RustyVaultKMSClient::set_global_client(vault_client) {
|
||||
// KMS client initialized successfully
|
||||
}
|
||||
|
||||
// Create SSE-KMS encryption instance
|
||||
@@ -4934,6 +4934,7 @@ impl StorageAPI for SetDisks {
|
||||
Error::new(ErasureError::InvalidPart(part_id))
|
||||
})?;
|
||||
let part = &part_fi.parts[0];
|
||||
|
||||
let part_num = part.number;
|
||||
|
||||
// debug!("complete part {} file info {:?}", part_num, &part_fi);
|
||||
@@ -6164,7 +6165,8 @@ mod tests {
|
||||
#[test]
|
||||
fn test_shuffle_disks() {
|
||||
// Test disk shuffling
|
||||
let disks = vec![None, None, None]; // Mock disks
|
||||
// Mock disks
|
||||
let disks = vec![None, None, None];
|
||||
let distribution = vec![3, 1, 2]; // 1-based indexing
|
||||
|
||||
let result = SetDisks::shuffle_disks(&disks, &distribution);
|
||||
|
||||
Reference in New Issue
Block a user