Check if S3 bucket is encrypted by default.

Adds check to see if the S3 bucket is encrypted by default. If so this uses the existing workaround for object etags not matching file MD5s.
2026-01-11 03:11:50 +00:00 · 2023-03-21 23:25:10 -04:00
parent 1af09069f7
commit 13f4bb441d
1 changed files with 21 additions and 1 deletions
--- a/s3/public.go
+++ b/s3/public.go
@@ -53,6 +53,9 @@ type PublishedStorage struct {
 	plusWorkaround   bool
 	disableMultiDel  bool
 	pathCache        map[string]string
+
+	// True if the bucket encrypts objects by default.
+	encryptByDefault bool
 }

 // Check interface
@@ -94,9 +97,26 @@ func NewPublishedStorageRaw(
 		disableMultiDel:  disabledMultiDel,
 	}

+	result.setKMSFlag()
+
 	return result, nil
 }

+func (storage *PublishedStorage) setKMSFlag() {
+	params := &s3.GetBucketEncryptionInput{
+		Bucket: aws.String(storage.bucket),
+	}
+	output, err := storage.s3.GetBucketEncryption(params)
+	if err != nil {
+		return
+	}
+
+	if len(output.ServerSideEncryptionConfiguration.Rules) > 0 &&
+		*output.ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm == "aws:kms" {
+		storage.encryptByDefault = true
+	}
+}
+
 // NewPublishedStorage creates new instance of PublishedStorage with specified S3 access
 // keys, region and bucket name
 func NewPublishedStorage(
@@ -339,7 +359,7 @@ func (storage *PublishedStorage) LinkFromPool(publishedPrefix, publishedRelPath,
 			return fmt.Errorf("unable to compare object, MD5 checksum missing")
 		}

-		if len(destinationMD5) != 32 || destinationMD5 != sourceMD5 {
+		if len(destinationMD5) != 32 || storage.encryptByDefault {
 			// doesn’t look like a valid MD5,
 			// attempt to fetch one from the metadata
 			var err error