Removed the invalid parameter exception handling and added support of…

… sse_customer_algorithm, sse_customer_key, and sse_customer_key_md5 optional qualifier support
turbot · Feb 17, 2025 · eac8088 · eac8088
1 parent 4be9841
commit eac8088
Showing 1 changed file with 59 additions and 14 deletions.
diff --git a/aws/table_aws_s3_object.go b/aws/table_aws_s3_object.go
@@ -26,14 +26,16 @@ func tableAwsS3Object(_ context.Context) *plugin.Table {
 			KeyColumns: []*plugin.KeyColumn{
 				{Name: "bucket_name", Require: plugin.Required, CacheMatch: query_cache.CacheMatchExact},
 				{Name: "prefix", Require: plugin.Optional, CacheMatch: query_cache.CacheMatchExact},
-			},
-			IgnoreConfig: &plugin.IgnoreConfig{
-				ShouldIgnoreErrorFunc: shouldIgnoreErrors([]string{"InvalidRequest"}),
+
+				// If you encrypt an object by using server-side encryption with customer-provided
+				// encryption keys (SSE-C) when you store the object in Amazon S3, then when you
+				// GET the object, you must use the following query parameter:
+				{Name: "sse_customer_algorithm", Require: plugin.Optional, CacheMatch: query_cache.CacheMatchExact},
+				{Name: "sse_customer_key", Require: plugin.Optional, CacheMatch: query_cache.CacheMatchExact},
+				{Name: "sse_customer_key_md5", Require: plugin.Optional, CacheMatch: query_cache.CacheMatchExact},
 			},
 		},
 
-		// If The object was stored using a form of Server Side Encryption, we will experience InvalidRequest error.
-		// Error: aws: operation error S3: GetObjectAttributes, https response error StatusCode: 400, RequestID: QHYFJR9C3NSGZD6K, HostID: [REDACTED], api error InvalidRequest: The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object.
 		HydrateConfig: []plugin.HydrateConfig{
 			{
 				Func: getBucketRegionForObjects,
@@ -43,25 +45,16 @@ func tableAwsS3Object(_ context.Context) *plugin.Table {
 				Func:    getS3Object,
 				Depends: []plugin.HydrateFunc{getBucketRegionForObjects},
 				Tags:    map[string]string{"service": "s3", "action": "GetObject"},
-				IgnoreConfig: &plugin.IgnoreConfig{
-					ShouldIgnoreErrorFunc: shouldIgnoreErrors([]string{"InvalidRequest"}),
-				},
 			},
 			{
 				Func:    headS3Object,
 				Depends: []plugin.HydrateFunc{getBucketRegionForObjects},
 				Tags:    map[string]string{"service": "s3", "action": "HeadObject"},
-				IgnoreConfig: &plugin.IgnoreConfig{
-					ShouldIgnoreErrorFunc: shouldIgnoreErrors([]string{"BadRequest"}),
-				},
 			},
 			{
 				Func:    getS3ObjectAttributes,
 				Depends: []plugin.HydrateFunc{getBucketRegionForObjects},
 				Tags:    map[string]string{"service": "s3", "action": "GetObjectAttributes"},
-				IgnoreConfig: &plugin.IgnoreConfig{
-					ShouldIgnoreErrorFunc: shouldIgnoreErrors([]string{"InvalidRequest"}),
-				},
 			},
 			{
 				Func:    getS3ObjectACL,
@@ -302,6 +295,13 @@ func tableAwsS3Object(_ context.Context) *plugin.Table {
 				Transform:   transform.FromField("SSECustomerAlgorithm"),
 				Hydrate:     headS3Object,
 			},
+			{
+				Name:        "sse_customer_key",
+				Description: "Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon S3 does not store the encryption key. The key must be appropriate for use with the algorithm specified in the x-amz-server-side-encryption-customer-algorithm header.",
+				Type:        proto.ColumnType_STRING,
+				Transform:   transform.FromQual("sse_customer_key"),
+				Hydrate:     headS3Object,
+			},
 			{
 				Name:        "sse_customer_key_md5",
 				Description: "If server-side encryption with a customer-provided encryption key was requested, the response will include this header to provide round-trip message integrity verification of the customer-provided encryption key.",
@@ -484,6 +484,9 @@ func listS3Objects(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDa
 
 func getS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {
 	bucketName := d.EqualsQuals["bucket_name"].GetStringValue()
+	sseCusAlgorithm := d.EqualsQuals["sse_customer_algorithm"].GetStringValue()
+	sseCusKeyMd5 := d.EqualsQuals["sse_customer_key_md5"].GetStringValue()
+	sseCusKey := d.EqualsQuals["sse_customer_key"].GetStringValue()
 	bucketRegion := ""
 
 	// Bucket location will be nil if getBucketLocationForObjects returned an error but
@@ -512,6 +515,18 @@ func getS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData
 		Key:    key,
 	}
 
+	// If you encrypt an object by using server-side encryption with customer-provided
+	// encryption keys (SSE-C) when you store the object in Amazon S3.
+	if sseCusAlgorithm != "" {
+		params.SSECustomerAlgorithm = &sseCusAlgorithm
+	}
+	if sseCusKey != "" {
+		params.SSECustomerKey = &sseCusKey
+	}
+	if sseCusKeyMd5 != "" {
+		params.SSECustomerKeyMD5 = &sseCusKeyMd5
+	}
+
 	object, err := svc.GetObject(ctx, params)
 	if err != nil {
 		// if the key is unavailable in the provided bucket
@@ -527,6 +542,9 @@ func getS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData
 
 func headS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {
 	bucketName := d.EqualsQuals["bucket_name"].GetStringValue()
+	sseCusAlgorithm := d.EqualsQuals["sse_customer_algorithm"].GetStringValue()
+	sseCusKeyMd5 := d.EqualsQuals["sse_customer_key_md5"].GetStringValue()
+	sseCusKey := d.EqualsQuals["sse_customer_key"].GetStringValue()
 	bucketRegion := ""
 
 	// Bucket location will be nil if getBucketLocationForObjects returned an error but
@@ -555,6 +573,18 @@ func headS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDat
 		Key:    key,
 	}
 
+	// If you encrypt an object by using server-side encryption with customer-provided
+	// encryption keys (SSE-C) when you store the object in Amazon S3.
+	if sseCusAlgorithm != "" {
+		params.SSECustomerAlgorithm = &sseCusAlgorithm
+	}
+	if sseCusKey != "" {
+		params.SSECustomerKey = &sseCusKey
+	}
+	if sseCusKeyMd5 != "" {
+		params.SSECustomerKeyMD5 = &sseCusKeyMd5
+	}
+
 	object, err := svc.HeadObject(ctx, params)
 	if err != nil {
 		// if the key is unavailable in the provided bucket
@@ -570,6 +600,9 @@ func headS3Object(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateDat
 
 func getS3ObjectAttributes(ctx context.Context, d *plugin.QueryData, h *plugin.HydrateData) (interface{}, error) {
 	bucketName := d.EqualsQuals["bucket_name"].GetStringValue()
+	sseCusAlgorithm := d.EqualsQuals["sse_customer_algorithm"].GetStringValue()
+	sseCusKeyMd5 := d.EqualsQuals["sse_customer_key_md5"].GetStringValue()
+	sseCusKey := d.EqualsQuals["sse_customer_key"].GetStringValue()
 	bucketRegion := ""
 
 	// Bucket location will be nil if getBucketLocationForObjects returned an error but
@@ -599,6 +632,18 @@ func getS3ObjectAttributes(ctx context.Context, d *plugin.QueryData, h *plugin.H
 		ObjectAttributes: []types.ObjectAttributes{types.ObjectAttributesChecksum, types.ObjectAttributesObjectParts},
 	}
 
+	// If you encrypt an object by using server-side encryption with customer-provided
+	// encryption keys (SSE-C) when you store the object in Amazon S3.
+	if sseCusAlgorithm != "" {
+		params.SSECustomerAlgorithm = &sseCusAlgorithm
+	}
+	if sseCusKey != "" {
+		params.SSECustomerKey = &sseCusKey
+	}
+	if sseCusKeyMd5 != "" {
+		params.SSECustomerKeyMD5 = &sseCusKeyMd5
+	}
+
 	objectAttributes, err := svc.GetObjectAttributes(ctx, params)
 	if err != nil {
 		plugin.Logger(ctx).Error("aws_s3_object.GetObjectAttributes", "api_error", err)