rclone/backend/oracleobjectstorage/byok.go

//go:build !plan9 && !solaris && !js

package oracleobjectstorage

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"

	"github.com/oracle/oci-go-sdk/v65/common"
	"github.com/oracle/oci-go-sdk/v65/objectstorage"
)

const (
	sseDefaultAlgorithm = "AES256"
)

func getSha256(p []byte) []byte {
	h := sha256.New()
	h.Write(p)
	return h.Sum(nil)
}

func validateSSECustomerKeyOptions(opt *Options) error {
	if opt.SSEKMSKeyID != "" && (opt.SSECustomerKeyFile != "" || opt.SSECustomerKey != "") {
		return errors.New("oos: can't use vault sse_kms_key_id and local sse_customer_key at the same time")
	}
	if opt.SSECustomerKey != "" && opt.SSECustomerKeyFile != "" {
		return errors.New("oos: can't use sse_customer_key and sse_customer_key_file at the same time")
	}
	if opt.SSEKMSKeyID != "" {
		return nil
	}
	err := populateSSECustomerKeys(opt)
	if err != nil {
		return err
	}
	return nil
}

func populateSSECustomerKeys(opt *Options) error {
	if opt.SSECustomerKeyFile != "" {
		// Reads the base64-encoded AES key data from the specified file and computes its SHA256 checksum
		data, err := os.ReadFile(expandPath(opt.SSECustomerKeyFile))
		if err != nil {
			return fmt.Errorf("oos: error reading sse_customer_key_file: %v", err)
		}
		opt.SSECustomerKey = strings.TrimSpace(string(data))
	}
	if opt.SSECustomerKey != "" {
		decoded, err := base64.StdEncoding.DecodeString(opt.SSECustomerKey)
		if err != nil {
			return fmt.Errorf("oos: Could not decode sse_customer_key_file: %w", err)
		}
		sha256Checksum := base64.StdEncoding.EncodeToString(getSha256(decoded))
		if opt.SSECustomerKeySha256 == "" {
			opt.SSECustomerKeySha256 = sha256Checksum
		} else {
			if opt.SSECustomerKeySha256 != sha256Checksum {
				return fmt.Errorf("the computed SHA256 checksum "+
					"(%v) of the key doesn't match the config entry sse_customer_key_sha256=(%v)",
					sha256Checksum, opt.SSECustomerKeySha256)
			}
		}
		if opt.SSECustomerAlgorithm == "" {
			opt.SSECustomerAlgorithm = sseDefaultAlgorithm
		}
	}
	return nil
}

// https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/usingyourencryptionkeys.htm
func useBYOKPutObject(fs *Fs, request *objectstorage.PutObjectRequest) {
	if fs.opt.SSEKMSKeyID != "" {
		request.OpcSseKmsKeyId = common.String(fs.opt.SSEKMSKeyID)
	}
	if fs.opt.SSECustomerAlgorithm != "" {
		request.OpcSseCustomerAlgorithm = common.String(fs.opt.SSECustomerAlgorithm)
	}
	if fs.opt.SSECustomerKey != "" {
		request.OpcSseCustomerKey = common.String(fs.opt.SSECustomerKey)
	}
	if fs.opt.SSECustomerKeySha256 != "" {
		request.OpcSseCustomerKeySha256 = common.String(fs.opt.SSECustomerKeySha256)
	}
}

func useBYOKHeadObject(fs *Fs, request *objectstorage.HeadObjectRequest) {
	if fs.opt.SSECustomerAlgorithm != "" {
		request.OpcSseCustomerAlgorithm = common.String(fs.opt.SSECustomerAlgorithm)
	}
	if fs.opt.SSECustomerKey != "" {
		request.OpcSseCustomerKey = common.String(fs.opt.SSECustomerKey)
	}
	if fs.opt.SSECustomerKeySha256 != "" {
		request.OpcSseCustomerKeySha256 = common.String(fs.opt.SSECustomerKeySha256)
	}
}

func useBYOKGetObject(fs *Fs, request *objectstorage.GetObjectRequest) {
	if fs.opt.SSECustomerAlgorithm != "" {
		request.OpcSseCustomerAlgorithm = common.String(fs.opt.SSECustomerAlgorithm)
	}
	if fs.opt.SSECustomerKey != "" {
		request.OpcSseCustomerKey = common.String(fs.opt.SSECustomerKey)
	}
	if fs.opt.SSECustomerKeySha256 != "" {
		request.OpcSseCustomerKeySha256 = common.String(fs.opt.SSECustomerKeySha256)
	}
}

func useBYOKCopyObject(fs *Fs, request *objectstorage.CopyObjectRequest) {
	if fs.opt.SSEKMSKeyID != "" {
		request.OpcSseKmsKeyId = common.String(fs.opt.SSEKMSKeyID)
	}
	if fs.opt.SSECustomerAlgorithm != "" {
		request.OpcSseCustomerAlgorithm = common.String(fs.opt.SSECustomerAlgorithm)
	}
	if fs.opt.SSECustomerKey != "" {
		request.OpcSseCustomerKey = common.String(fs.opt.SSECustomerKey)
	}
	if fs.opt.SSECustomerKeySha256 != "" {
		request.OpcSseCustomerKeySha256 = common.String(fs.opt.SSECustomerKeySha256)
	}
}