storage: Implement SSE support (#13)

* storage: Implement SSE support

* fix nil key

* rename error

* replace nil key check by HasEncryptionKey check

Author: xxchan

error.go

@@ -0,0 +1,9 @@
+package azblob
+
+import "errors"
+
+var (
+	// ErrInvalidEncryptionKey will be returned while encryption key is invalid.
+	// Encryption key must be a 32-byte AES-256 key.
+	ErrInvalidEncryptionKey = errors.New("invalid encryption key")
+)

generated.go

@@ -6,6 +6,6 @@ require (
 	github.com/Azure/azure-pipeline-go v0.2.3
 	github.com/Azure/azure-storage-blob-go v0.13.0
 	github.com/aos-dev/go-integration-test/v3 v3.0.0-20210205075620-0b779f4b3afc
-	github.com/aos-dev/go-storage/v3 v3.4.3-0.20210417162535-67db0dd18784
+	github.com/aos-dev/go-storage/v3 v3.5.1-0.20210422060150-bc0fae4c3fa7
 	github.com/google/uuid v1.2.0
 )

go.mod

@@ -20,9 +20,13 @@ github.com/aos-dev/go-integration-test/v3 v3.0.0-20210205075620-0b779f4b3afc/go.
 github.com/aos-dev/go-storage/v3 v3.0.1-0.20210205074802-e8a5b22166c2/go.mod h1:JznhvyhPDnETfZ3RyWm3mT/S5ic+uuYFWagSIkUZujc=
 github.com/aos-dev/go-storage/v3 v3.4.3-0.20210417162535-67db0dd18784 h1:eeKDDn+8RPtYuk7lrQC48OtTNeSRF/l9P5YHa/Q3omk=
 github.com/aos-dev/go-storage/v3 v3.4.3-0.20210417162535-67db0dd18784/go.mod h1:PZJT0Ta7YxVM5QoYoh8Q/X4I6e/z/7gOJqm85Aib4nY=
+github.com/aos-dev/go-storage/v3 v3.5.1-0.20210422060150-bc0fae4c3fa7 h1:YirUP3+06blEpQ/o6VT0RXRf5ystxNB91iaYgO0SoWM=
+github.com/aos-dev/go-storage/v3 v3.5.1-0.20210422060150-bc0fae4c3fa7/go.mod h1:JFshvl851ZDDXtFGWDFKqkg34QEPH0xuhLJ2LjikZYc=
 github.com/aos-dev/specs/go v0.0.0-20210205073047-af8ef94af73d/go.mod h1:XTNlLZtPA1inITyDH5hNnQXVjvvKUvo+lurs5GYB8NA=
 github.com/aos-dev/specs/go v0.0.0-20210312090615-23109627848b h1:qIehSnBbr31ATAckM9u9h6gSz+9PkGqu79vTngx6wPw=
 github.com/aos-dev/specs/go v0.0.0-20210312090615-23109627848b/go.mod h1:XTNlLZtPA1inITyDH5hNnQXVjvvKUvo+lurs5GYB8NA=
+github.com/aos-dev/specs/go v0.0.0-20210420062803-1a60efa2eae3 h1:LiW0Ki0Gw6opu11JwMhxWw5M+V6I9JypJ5eAIp+Rqt4=
+github.com/aos-dev/specs/go v0.0.0-20210420062803-1a60efa2eae3/go.mod h1:gNah3KaPJEfysh7uCCX+sYjQC3g2yx2VgBkFlT945Ws=
 github.com/dave/dst v0.26.2 h1:lnxLAKI3tx7MgLNVDirFCsDTlTG9nKTk7GcptKcWSwY=
 github.com/dave/dst v0.26.2/go.mod h1:UMDJuIRPfyUCC78eFuB+SV/WI8oDeyFDvM/JR6NI3IU=
 github.com/dave/gopackages v0.0.0-20170318123100-46e7023ec56e/go.mod h1:i00+b/gKdIDIxuLDFob7ustLAVqhsZRk2qVZrArELGQ=
@@ -58,6 +62,8 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
+github.com/pelletier/go-toml v1.9.0 h1:NOd0BRdOKpPf0SxkL3HxSQOG7rNh+4kl6PHcBPFs7Q0=
+github.com/pelletier/go-toml v1.9.0/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

go.sum

@@ -14,10 +14,13 @@ optional = ["default_storage_pairs", "pair_policy", "work_dir"]
 optional = ["list_mode"]
 
 [namespace.storage.op.read]
-optional = ["offset", "io_callback", "size"]
+optional = ["offset", "io_callback", "size", "encryption_key", "encryption_scope"]
 
 [namespace.storage.op.write]
-optional = ["content_md5", "content_type", "io_callback", "access_tier"]
+optional = ["content_md5", "content_type", "io_callback", "access_tier", "encryption_key", "encryption_scope"]
+
+[namespace.storage.op.stat]
+optional = ["encryption_key", "encryption_scope"]
 
 [pairs.access_tier]
 type = "string"
@@ -30,5 +33,19 @@ description = "set default pairs for service actions"
 type = "DefaultStoragePairs"
 description = "set default pairs for storager actions"
 
+[pairs.encryption_key]
+type = "byte_array"
+description = "is the customer's 32-byte AES-256 key"
+
+[pairs.encryption_scope]
+type = "string"
+description = "Specifies the name of the encryption scope. See https://docs.microsoft.com/en-us/azure/storage/blobs/encryption-scope-overview for details."
+
 [infos.object.meta.access-tier]
+type = "string"
+
+[infos.object.meta.encryption-key-sha256]
+type = "string"
+
+[infos.object.meta.encryption-scope]
 type = "string"

service.toml

@@ -137,9 +137,16 @@ func (s *Storage) read(ctx context.Context, path string, w io.Writer, opt pairSt
 		count = opt.Size
 	}
 
+	var cpk azblob.ClientProvidedKeyOptions
+	if opt.HasEncryptionKey {
+		cpk, err = calculateEncryptionHeaders(opt.EncryptionKey, opt.EncryptionScope)
+		if err != nil {
+			return 0, err
+		}
+	}
 	output, err := s.bucket.NewBlockBlobURL(rp).Download(
 		ctx, offset, count,
-		azblob.BlobAccessConditions{}, false, azblob.ClientProvidedKeyOptions{})
+		azblob.BlobAccessConditions{}, false, cpk)
 	if err != nil {
 		return 0, err
 	}
@@ -161,7 +168,15 @@ func (s *Storage) read(ctx context.Context, path string, w io.Writer, opt pairSt
 func (s *Storage) stat(ctx context.Context, path string, opt pairStorageStat) (o *Object, err error) {
 	rp := s.getAbsPath(path)
 
-	output, err := s.bucket.NewBlockBlobURL(rp).GetProperties(ctx, azblob.BlobAccessConditions{}, azblob.ClientProvidedKeyOptions{})
+	var cpk azblob.ClientProvidedKeyOptions
+	if opt.HasEncryptionKey {
+		cpk, err = calculateEncryptionHeaders(opt.EncryptionKey, opt.EncryptionScope)
+		if err != nil {
+			return
+		}
+	}
+
+	output, err := s.bucket.NewBlockBlobURL(rp).GetProperties(ctx, azblob.BlobAccessConditions{}, cpk)
 	if err != nil {
 		return nil, err
 	}
@@ -188,6 +203,12 @@ func (s *Storage) stat(ctx context.Context, path string, opt pairStorageStat) (o
 	if v := output.AccessTier(); v != "" {
 		sm[MetadataAccessTier] = v
 	}
+	if v := output.EncryptionKeySha256(); v != "" {
+		sm[MetadataEncryptionKeySha256] = v
+	}
+	if v := output.EncryptionScope(); v != "" {
+		sm[MetadataEncryptionScope] = v
+	}
 	o.SetServiceMetadata(sm)
 
 	return o, nil
@@ -216,11 +237,17 @@ func (s *Storage) write(ctx context.Context, path string, r io.Reader, size int6
 		headers.ContentType = opt.ContentType
 	}
 
+	var cpk azblob.ClientProvidedKeyOptions
+	if opt.HasEncryptionKey {
+		cpk, err = calculateEncryptionHeaders(opt.EncryptionKey, opt.EncryptionScope)
+		if err != nil {
+			return 0, err
+		}
+	}
 	_, err = s.bucket.NewBlockBlobURL(rp).Upload(
 		ctx, iowrap.SizedReadSeekCloser(r, size),
 		headers, azblob.Metadata{}, azblob.BlobAccessConditions{},
-		accessTier, azblob.BlobTagsMap{}, azblob.ClientProvidedKeyOptions{},
-	)
+		accessTier, azblob.BlobTagsMap{}, cpk)
 	if err != nil {
 		return 0, err
 	}

storage.go

@@ -2,6 +2,7 @@ package azblob
 
 import (
 	"context"
+	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 
@@ -301,3 +302,20 @@ func (s *Storage) formatFileObject(v azblob.BlobItemInternal) (o *typ.Object, er
 func (s *Storage) newObject(done bool) *typ.Object {
 	return typ.NewObject(s, done)
 }
+
+func calculateEncryptionHeaders(key []byte, scope string) (cpk azblob.ClientProvidedKeyOptions, err error) {
+	if len(key) != 32 {
+		err = ErrInvalidEncryptionKey
+		return
+	}
+	keyBase64 := base64.StdEncoding.EncodeToString(key)
+	keySha256 := sha256.Sum256(key)
+	keySha256Base64 := base64.StdEncoding.EncodeToString(keySha256[:])
+	cpk = azblob.ClientProvidedKeyOptions{
+		EncryptionKey:       &keyBase64,
+		EncryptionKeySha256: &keySha256Base64,
+		EncryptionAlgorithm: "AES256",
+		EncryptionScope:     &scope,
+	}
+	return
+}