github-mirrors
/
mirror-seaweedfs


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328
							package s3api

import (
	"testing"

	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
)

// TestSSECIsEncrypted tests detection of SSE-C encryption from metadata
func TestSSECIsEncrypted(t *testing.T) {
	testCases := []struct {
		name     string
		metadata map[string][]byte
		expected bool
	}{
		{
			name:     "Empty metadata",
			metadata: CreateTestMetadata(),
			expected: false,
		},
		{
			name:     "Valid SSE-C metadata",
			metadata: CreateTestMetadataWithSSEC(GenerateTestSSECKey(1)),
			expected: true,
		},
		{
			name: "SSE-C algorithm only",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryptionCustomerAlgorithm: []byte("AES256"),
			},
			expected: true,
		},
		{
			name: "SSE-C key MD5 only",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryptionCustomerKeyMD5: []byte("somemd5"),
			},
			expected: true,
		},
		{
			name: "Other encryption type (SSE-KMS)",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("aws:kms"),
			},
			expected: false,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			result := IsSSECEncrypted(tc.metadata)
			if result != tc.expected {
				t.Errorf("Expected %v, got %v", tc.expected, result)
			}
		})
	}
}

// TestSSEKMSIsEncrypted tests detection of SSE-KMS encryption from metadata
func TestSSEKMSIsEncrypted(t *testing.T) {
	testCases := []struct {
		name     string
		metadata map[string][]byte
		expected bool
	}{
		{
			name:     "Empty metadata",
			metadata: CreateTestMetadata(),
			expected: false,
		},
		{
			name: "Valid SSE-KMS metadata",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("aws:kms"),
				s3_constants.AmzEncryptedDataKey:     []byte("encrypted-key"),
			},
			expected: true,
		},
		{
			name: "SSE-KMS algorithm only",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("aws:kms"),
			},
			expected: true,
		},
		{
			name: "SSE-KMS encrypted data key only",
			metadata: map[string][]byte{
				s3_constants.AmzEncryptedDataKey: []byte("encrypted-key"),
			},
			expected: false, // Only encrypted data key without algorithm header should not be considered SSE-KMS
		},
		{
			name: "Other encryption type (SSE-C)",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryptionCustomerAlgorithm: []byte("AES256"),
			},
			expected: false,
		},
		{
			name: "SSE-S3 (AES256)",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("AES256"),
			},
			expected: false,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			result := IsSSEKMSEncrypted(tc.metadata)
			if result != tc.expected {
				t.Errorf("Expected %v, got %v", tc.expected, result)
			}
		})
	}
}

// TestSSETypeDiscrimination tests that SSE types don't interfere with each other
func TestSSETypeDiscrimination(t *testing.T) {
	// Test SSE-C headers don't trigger SSE-KMS detection
	t.Run("SSE-C headers don't trigger SSE-KMS", func(t *testing.T) {
		req := CreateTestHTTPRequest("PUT", "/bucket/object", nil)
		keyPair := GenerateTestSSECKey(1)
		SetupTestSSECHeaders(req, keyPair)

		// Should detect SSE-C, not SSE-KMS
		if !IsSSECRequest(req) {
			t.Error("Should detect SSE-C request")
		}
		if IsSSEKMSRequest(req) {
			t.Error("Should not detect SSE-KMS request for SSE-C headers")
		}
	})

	// Test SSE-KMS headers don't trigger SSE-C detection
	t.Run("SSE-KMS headers don't trigger SSE-C", func(t *testing.T) {
		req := CreateTestHTTPRequest("PUT", "/bucket/object", nil)
		SetupTestSSEKMSHeaders(req, "test-key-id")

		// Should detect SSE-KMS, not SSE-C
		if IsSSECRequest(req) {
			t.Error("Should not detect SSE-C request for SSE-KMS headers")
		}
		if !IsSSEKMSRequest(req) {
			t.Error("Should detect SSE-KMS request")
		}
	})

	// Test metadata discrimination
	t.Run("Metadata type discrimination", func(t *testing.T) {
		ssecMetadata := CreateTestMetadataWithSSEC(GenerateTestSSECKey(1))

		// Should detect as SSE-C, not SSE-KMS
		if !IsSSECEncrypted(ssecMetadata) {
			t.Error("Should detect SSE-C encrypted metadata")
		}
		if IsSSEKMSEncrypted(ssecMetadata) {
			t.Error("Should not detect SSE-KMS for SSE-C metadata")
		}
	})
}

// TestSSECParseCorruptedMetadata tests handling of corrupted SSE-C metadata
func TestSSECParseCorruptedMetadata(t *testing.T) {
	testCases := []struct {
		name         string
		metadata     map[string][]byte
		expectError  bool
		errorMessage string
	}{
		{
			name: "Missing algorithm",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryptionCustomerKeyMD5: []byte("valid-md5"),
			},
			expectError: false, // Detection should still work with partial metadata
		},
		{
			name: "Invalid key MD5 format",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryptionCustomerAlgorithm: []byte("AES256"),
				s3_constants.AmzServerSideEncryptionCustomerKeyMD5:    []byte("invalid-base64!"),
			},
			expectError: false, // Detection should work, validation happens later
		},
		{
			name: "Empty values",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryptionCustomerAlgorithm: []byte(""),
				s3_constants.AmzServerSideEncryptionCustomerKeyMD5:    []byte(""),
			},
			expectError: false,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			// Test that detection doesn't panic on corrupted metadata
			result := IsSSECEncrypted(tc.metadata)
			// The detection should be robust and not crash
			t.Logf("Detection result for %s: %v", tc.name, result)
		})
	}
}

// TestSSEKMSParseCorruptedMetadata tests handling of corrupted SSE-KMS metadata
func TestSSEKMSParseCorruptedMetadata(t *testing.T) {
	testCases := []struct {
		name     string
		metadata map[string][]byte
	}{
		{
			name: "Invalid encrypted data key",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("aws:kms"),
				s3_constants.AmzEncryptedDataKey:     []byte("invalid-base64!"),
			},
		},
		{
			name: "Invalid encryption context",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption:  []byte("aws:kms"),
				s3_constants.AmzEncryptionContextMeta: []byte("invalid-json"),
			},
		},
		{
			name: "Empty values",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte(""),
				s3_constants.AmzEncryptedDataKey:     []byte(""),
			},
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			// Test that detection doesn't panic on corrupted metadata
			result := IsSSEKMSEncrypted(tc.metadata)
			t.Logf("Detection result for %s: %v", tc.name, result)
		})
	}
}

// TestSSEMetadataDeserialization tests SSE-KMS metadata deserialization with various inputs
func TestSSEMetadataDeserialization(t *testing.T) {
	testCases := []struct {
		name        string
		data        []byte
		expectError bool
	}{
		{
			name:        "Empty data",
			data:        []byte{},
			expectError: true,
		},
		{
			name:        "Invalid JSON",
			data:        []byte("invalid-json"),
			expectError: true,
		},
		{
			name:        "Valid JSON but wrong structure",
			data:        []byte(`{"wrong": "structure"}`),
			expectError: false, // Our deserialization might be lenient
		},
		{
			name:        "Null data",
			data:        nil,
			expectError: true,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			_, err := DeserializeSSEKMSMetadata(tc.data)
			if tc.expectError && err == nil {
				t.Error("Expected error but got none")
			}
			if !tc.expectError && err != nil {
				t.Errorf("Expected no error but got: %v", err)
			}
		})
	}
}

// TestGeneralSSEDetection tests the general SSE detection that works across types
func TestGeneralSSEDetection(t *testing.T) {
	testCases := []struct {
		name     string
		metadata map[string][]byte
		expected bool
	}{
		{
			name:     "No encryption",
			metadata: CreateTestMetadata(),
			expected: false,
		},
		{
			name:     "SSE-C encrypted",
			metadata: CreateTestMetadataWithSSEC(GenerateTestSSECKey(1)),
			expected: true,
		},
		{
			name: "SSE-KMS encrypted",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("aws:kms"),
			},
			expected: true,
		},
		{
			name: "SSE-S3 encrypted",
			metadata: map[string][]byte{
				s3_constants.AmzServerSideEncryption: []byte("AES256"),
			},
			expected: true,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			result := IsAnySSEEncrypted(tc.metadata)
			if result != tc.expected {
				t.Errorf("Expected %v, got %v", tc.expected, result)
			}
		})
	}
}