Re: [PR] GH-43535: [C++] support the AWS S3 SSE-C encryption [arrow]

via GitHub Tue, 15 Oct 2024 22:21:51 -0700


kou commented on code in PR #43601:
URL: https://github.com/apache/arrow/pull/43601#discussion_r1802359625



##########
cpp/src/arrow/filesystem/s3_internal.h:
##########
@@ -291,6 +314,47 @@ class ConnectRetryStrategy : public 
Aws::Client::RetryStrategy {
   int32_t max_retry_duration_;
 };
 
+/// \brief calculate the MD5 of the input sse-c key (raw key, not base64 
encoded)

Review Comment:
   ```suggestion
   /// \brief calculate the MD5 of the input SSE-C key (raw key, not base64 
encoded)
   ```



##########
cpp/src/arrow/filesystem/s3_internal.h:
##########
@@ -291,6 +314,47 @@ class ConnectRetryStrategy : public 
Aws::Client::RetryStrategy {
   int32_t max_retry_duration_;
 };
 
+/// \brief calculate the MD5 of the input sse-c key (raw key, not base64 
encoded)
+/// \param sse_customer_key is the input sse key
+/// \return the base64 encoded MD5 for the input key
+inline Result<std::string> CalculateSSECustomerKeyMD5(
+    const std::string& sse_customer_key) {
+  // the key needs to be 256 bits (32 bytes) according to
+  // 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#specifying-s3-c-encryption
+  if (sse_customer_key.length() != 32) {
+    return Status::Invalid("32 bytes sse-c key is expected");

Review Comment:
   ```suggestion
       return Status::Invalid("32 bytes SSE-C key is expected");
   ```



##########
cpp/src/arrow/filesystem/s3_internal.h:
##########
@@ -291,6 +314,47 @@ class ConnectRetryStrategy : public 
Aws::Client::RetryStrategy {
   int32_t max_retry_duration_;
 };
 
+/// \brief calculate the MD5 of the input sse-c key (raw key, not base64 
encoded)
+/// \param sse_customer_key is the input sse key
+/// \return the base64 encoded MD5 for the input key
+inline Result<std::string> CalculateSSECustomerKeyMD5(
+    const std::string& sse_customer_key) {
+  // the key needs to be 256 bits (32 bytes) according to

Review Comment:
   ```suggestion
     // The key needs to be 256 bits (32 bytes) according to
   ```



##########
cpp/src/arrow/filesystem/s3fs_test.cc:
##########
@@ -1298,6 +1349,59 @@ TEST_F(TestS3FS, OpenInputFile) {
   ASSERT_RAISES(IOError, file->Seek(10));
 }
 
+#ifdef MINIO_SERVER_WITH_TLS
+TEST_F(TestS3FS, SSECustomerKeyMatch) {
+  // normal write/read with correct SSEC key

Review Comment:
   ```suggestion
     // normal write/read with correct SSE-C key
   ```



##########
cpp/src/arrow/filesystem/s3_test_util.cc:
##########
@@ -89,11 +135,21 @@ Status MinioTestServer::Start() {
   // Disable the embedded console (one less listening address to care about)
   impl_->server_process_->SetEnv("MINIO_BROWSER", "off");
   impl_->connect_string_ = GenerateConnectString();
+  std::vector<std::string> minio_args({"server", "--quiet", "--compat", 
"--address",
+                                       impl_->connect_string_,
+                                       impl_->temp_dir_->path().ToString()});
+  if (enable_tls_if_supported) {
+#ifdef MINIO_SERVER_WITH_TLS
+    ARROW_RETURN_NOT_OK(GenerateCertificateFile());
+    minio_args.push_back("--certs-dir");
+    minio_args.push_back(ca_dir_path());
+    impl_->scheme_ = "https";
+#endif  // MINIO_SERVER_WITH_TLS
+  }
+
   
ARROW_RETURN_NOT_OK(impl_->server_process_->SetExecutable(kMinioExecutableName));
   // NOTE: --quiet makes startup faster by suppressing remote version check

Review Comment:
   Could you move this comment too?



##########
cpp/src/arrow/filesystem/s3_internal.h:
##########
@@ -291,6 +314,47 @@ class ConnectRetryStrategy : public 
Aws::Client::RetryStrategy {
   int32_t max_retry_duration_;
 };
 
+/// \brief calculate the MD5 of the input sse-c key (raw key, not base64 
encoded)
+/// \param sse_customer_key is the input sse key

Review Comment:
   ```suggestion
   /// \param sse_customer_key is the input SSE-C key
   ```



##########
cpp/src/arrow/filesystem/s3fs.h:
##########
@@ -196,6 +196,25 @@ struct ARROW_EXPORT S3Options {
   /// delay between retries.
   std::shared_ptr<S3RetryStrategy> retry_strategy;
 
+  /// the SSE-C customized key (raw 32 bytes key).

Review Comment:
   ```suggestion
     /// The SSE-C customized key (raw 32 bytes key).
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] GH-43535: [C++] support the AWS S3 SSE-C encryption [arrow]

Reply via email to