尝试使用Javascript实现Amazon S3客户端加密。
为bucket内的特定S3对象建立SSE是可选的,可以很容易地在单个对象级别建立。还可以设置"一揽子"策略,要求将所有数据发送到S3待加密的桶。这种策略的示例如下:
{
"Version":"2013-05-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":{
"AWS":"*"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::SensitiveBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"AES256"
}
}
}
]
}
要成功地将任何数据放入这个S3桶,请求将需要包含"x-amz-server-side-encryption"头。
因为它是客户端,我得到了这个jSON策略设置:
{
"expiration": "2020-01-01T00:00:00Z",
"conditions": [
{"bucket": "angular-file-upload"},
["starts-with", "$key", ""],
{"acl": "private"},
{ "x-amz-server-side-encryption": "AES256"},
{"x-amz-server-side-encryption-customer-key": "ABC1234835784375349754857893"},
{"x-amz-server-side-encryption-customer-key-MD5": "d0259989a64a9234457dbc51d5202c24"},
["starts-with", "$Content-Type", ""],
["starts-with", "$filename", ""],
["content-length-range", 0, 524288000]
]
}
将文件以cors方式发送到S3 (POST),并且在上传期间额外发送x-amz-服务器端加密头。
尝试了两个json策略,但是它们都抛出了相同的结果。
响应如下:
<Error><Code>AccessDenied</Code>
<Message>Invalid according to Policy: Extra input fields: x-amz-server-side-encryption-customer-key</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
有人知道这是怎么回事吗?最近,我甚至开始好奇是否有可能用JS加密客户端。歌珥。
欢呼。
通过在创建的策略和base64编码以及在AJAX请求中发送的表单数据中包含x-amz-server-side-encryption,我能够消除这个警告。
政策:
var s3Policy = {
"expiration": formatted,
"conditions": [
{ "bucket": "MYBUCKET" },
{ "acl": config.acl },
{ "x-amz-server-side-encryption": "AES256" },
[ "eq", "$key", path],
[ "eq", "$Content-Type", mimetype ],
[ "content-length-range", 0, maxSize ],
]
};
表单Post数据:
data.params = {
key: path,
AWSAccessKeyId: key,
acl: acl,
Policy: base64Policy,
Signature: signature,
"Content-Type": mimetype,
"x-amz-server-side-encryption": "AES256",
},
为了完整起见,我还有以下CORS配置:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
<AllowedHeader>Content-Type</AllowedHeader>
<AllowedHeader>x-amz-acl</AllowedHeader>
<AllowedHeader>origin</AllowedHeader>
</CORSRule>
</CORSConfiguration>
和Bucket Policy(强制加密):
{
"Version": "2012-10-17",
"Id": "Policy1447114958606",
"Statement": [
{
"Sid": "Stmt1447114951553",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
我的代码实际将文件发送到s3,看起来像这样,但它将取决于您选择使用的库和包装器:
// Build the form data (this is what we will eventually post)
var fd = new FormData();
if (data.params)
{
for (var prop in data.params) {
if (data.params.hasOwnProperty(prop)) {
fd.append(prop,data.params[prop]);
}
}
}
fd.append('file', file);
// Post data
var deferred = $q.defer();
var req = $.ajax({
type: 'POST',
url: data.url,
data: fd,
cache: false,
contentType: false,
processData: false,
success: function(response, textStatus, jqXHR) { deferred.resolve(response); },
error: function(jqXHR, textStatus, errorThrown) { deferred.reject(errorThrown || "Upload failed, try again"); },
xhr: function() {
var myXhr = $.ajaxSettings.xhr();
if (myXhr.upload) myXhr.upload.addEventListener('progress', function (progress) { deferred.notify(progress); }, false);
return myXhr;
}
});
var promise = deferred.promise;
promise.cancel = function()
{
req.abort();
deferred.reject("Cancelled");
};
return promise;