From ec083ba0fbd50353a010f3be1f907f668a677b43 Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Mon, 24 Jun 2024 11:59:30 -0700 Subject: [PATCH] fix: make sure to set the right sse-kms key --- cmd/encryption-methods.go | 13 +++++------ cmd/encryption-methods_test.go | 40 +++++++++++++++++++++++++++++++++- 2 files changed, 45 insertions(+), 8 deletions(-) diff --git a/cmd/encryption-methods.go b/cmd/encryption-methods.go index da4b41a3ce..fd3a1bb7c4 100644 --- a/cmd/encryption-methods.go +++ b/cmd/encryption-methods.go @@ -200,26 +200,25 @@ func parseSSEKey(sseKey string, keyType sseKeyType) ( separatorIndex := bytes.LastIndex(sseKeyBytes, []byte("=")) if separatorIndex < 0 { + if keyType == sseS3 { + alias, prefix = splitKey(sseKey) + return + } err = errSSEKeyMissing().Trace(sseKey) return } - - encodedKey := string(sseKeyBytes[separatorIndex+1:]) if separatorIndex == len(sseKeyBytes)-1 { err = errSSEKeyMissing().Trace(sseKey) return } + encodedKey := string(sseKeyBytes[separatorIndex+1:]) alias, prefix = splitKey(string(sseKeyBytes[:separatorIndex])) - - if keyType == sseS3 { - return - } - if keyType == sseKMS { if !validKMSKeyName(encodedKey) { err = errSSEKMSKeyFormat(fmt.Sprintf("Key (%s) is badly formatted.", encodedKey)).Trace(sseKey) } + key = encodedKey return } diff --git a/cmd/encryption-methods_test.go b/cmd/encryption-methods_test.go index 65aa164514..0dea80e784 100644 --- a/cmd/encryption-methods_test.go +++ b/cmd/encryption-methods_test.go @@ -26,6 +26,8 @@ func TestParseEncryptionKeys(t *testing.T) { baseAlias := "mintest" basePrefix := "two/layer/prefix" baseObject := "object_name" + sseKeyKMS := "my-default-key" + sseKeyKMSInvalid := "my@default@key" sseKey := "MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDA" sseKeyPlain := "01234567890123456789012345678900" sseHexKey := "3031323334353637383930313233343536373839303132333435363738393030" 
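Review bot: An sseS3 entry only reaches the new early return in parseSSEKey when the string contains no `=`. A target such as `alias/prefix/obj=` is still rejected with `errSSEKeyMissing`, and `alias/a=b/obj` now falls past the sseKMS branch into the code after the hunk (presumably the SSE-C key decoding, not visible here), because the old `if keyType == sseS3 { return }` was removed. Since sse-s3 carries no key, the type check could run before `bytes.LastIndex`, calling `alias, prefix = splitKey(sseKey)` and returning. Separately, in the sseKMS branch `key = encodedKey` is assigned even when `validKMSKeyName` fails, so a non-nil error comes back with an unvalidated key name; a `return` inside the `if !validKMSKeyName(encodedKey)` block would keep `key` empty on failure. The function starts and ends outside the hunk.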
@@ -52,6 +54,7 @@ func TestParseEncryptionKeys(t *testing.T) { alias: baseAlias, prefix: basePrefix, object: baseObject, + sseType: sseC, success: true, }, { @@ -60,6 +63,7 @@ func TestParseEncryptionKeys(t *testing.T) { alias: baseAlias, prefix: basePrefix, object: baseObject, + sseType: sseC, success: true, }, { @@ -68,6 +72,7 @@ func TestParseEncryptionKeys(t *testing.T) { alias: baseAlias + "=", prefix: basePrefix + "=", object: baseObject + "=", + sseType: sseC, success: true, }, { @@ -76,6 +81,7 @@ func TestParseEncryptionKeys(t *testing.T) { alias: baseAlias + "/", prefix: basePrefix + "/", object: baseObject + "/", + sseType: sseC, success: true, }, { @@ -84,6 +90,7 @@ func TestParseEncryptionKeys(t *testing.T) { alias: baseAlias, prefix: basePrefix, object: baseObject + "=", + sseType: sseC, success: true, }, { 
@@ -92,36 +99,67 @@ func TestParseEncryptionKeys(t *testing.T) { alias: baseAlias, prefix: basePrefix, object: baseObject + "!@_==_$^&*", + sseType: sseC, success: true, }, { encryptionKey: fmt.Sprintf("%s/%s/%s=%sXXXXX", baseAlias, basePrefix, baseObject, sseKey), + sseType: sseC, success: false, }, { encryptionKey: fmt.Sprintf("%s/%s/%s=%s", baseAlias, basePrefix, baseObject, sseKeyInvalidShort), + sseType: sseC, success: false, }, { encryptionKey: fmt.Sprintf("%s/%s/%s=%s", baseAlias, basePrefix, baseObject, sseKeyInvalidSymbols), + sseType: sseC, success: false, }, { encryptionKey: fmt.Sprintf("%s/%s/%s=%s", baseAlias, basePrefix, baseObject, sseKeyInvalidSpaces), + sseType: sseC, success: false, }, { encryptionKey: fmt.Sprintf("%s/%s/%s=%s", baseAlias, basePrefix, baseObject, sseKeyInvalidPrefixSpace), + sseType: sseC, success: false, }, { encryptionKey: fmt.Sprintf("%s/%s/%s==%s", baseAlias, basePrefix, baseObject, sseKeyInvalidOneShort), + sseType: sseC, success: false, }, + // sse-type KMS + { + encryptionKey: fmt.Sprintf("%s/%s/%s=%s", baseAlias, basePrefix, baseObject, sseKeyKMS), + keyPlain: sseKeyKMS, + alias: baseAlias, + prefix: basePrefix, + object: baseObject, + sseType: sseKMS, + success: true, + }, + { + encryptionKey: fmt.Sprintf("%s/%s/%s=%s", baseAlias, basePrefix, baseObject, sseKeyKMSInvalid), + sseType: sseKMS, + success: false, + }, + // sse-type S3 + { + encryptionKey: fmt.Sprintf("%s/%s/%s", baseAlias, basePrefix, baseObject), + alias: baseAlias, + prefix: basePrefix, + object: baseObject, + sseType: sseS3, + success: true, + }, } for i, tc := range testCases { - alias, prefix, key, err := parseSSEKey(tc.encryptionKey, sseC) + alias, prefix, key, err := parseSSEKey(tc.encryptionKey, tc.sseType) if tc.success { if err != nil { t.Fatalf("Test %d: Expected success, got %s", i+1, err)
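Review bot: None of the missing-key paths touched by the parser change are exercised by the new KMS and S3 table entries, which cover one valid KMS name, one invalid KMS name and one S3 target without `=`. Consider adding an sseKMS entry whose string ends in `=` (`encryptionKey: fmt.Sprintf("%s/%s/%s=", baseAlias, basePrefix, baseObject)`, `success: false`) and an sseKMS entry with no `=` at all; both should end in `errSSEKeyMissing`. An sseS3 entry whose object name contains `=` would also be worth pinning, since the sseC cases in this table already treat such names as valid. The loop's assertions continue outside the hunk, so it is not visible here whether `tc.keyPlain` is compared against the returned key for the KMS case.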