[Merge] lp:~vam9/duplicity/0.8-series-s3-kms-support into lp:duplicity
Kenneth Loafman has proposed merging lp:~vam9/duplicity/0.8-series-s3-kms-support into lp:duplicity.
Commit message:
Added S3 KMS server-side encryption support, with optional grant support.
Requested reviews:
duplicity-team (duplicity-team)
For more details, see:
https://code.launchpad.net/~vam9/duplicity/0.8-series-s3-kms-support/+merge/362000
=== modified file 'duplicity/backends/_boto_single.py'
--- duplicity/backends/_boto_single.py 2018-11-29 19:00:15 +0000
+++ duplicity/backends/_boto_single.py 2019-01-19 16:17:11 +0000
@@ -165,7 +165,7 @@
# duplicity and boto.storage_uri() have different URI formats.
# boto uses scheme://bucket[/name] and specifies hostname on connect()
self.boto_uri_str = u'://'.join((parsed_url.scheme[:2],
- parsed_url.path.lstrip(u'/')))
+ parsed_url.path.lstrip(u'/')))
if globals.s3_european_buckets:
self.my_location = Location.EU
else:
@@ -235,6 +235,19 @@
u'x-amz-storage-class': storage_class,
u'x-amz-server-side-encryption': u'AES256'
}
+ elif globals.s3_use_sse_kms:
+ if globals.s3_kms_key_id is None:
+ raise FatalBackendException("S3 USE SSE KMS was requested, but key id not provided "
+ "require (--s3-kms-key-id)",
+ code=log.ErrorCode.s3_kms_no_id)
+ headers = {
+ 'Content-Type': 'application/octet-stream',
+ 'x-amz-storage-class': storage_class,
+ 'x-amz-server-side-encryption': 'aws:kms',
+ 'x-amz-server-side-encryption-aws-kms-key-id': globals.s3_kms_key_id
+ }
+ if globals.s3_kms_grant is not None:
+ headers['x-amz-grant-full-control'] = globals.s3_kms_grant
else:
headers = {
u'Content-Type': u'application/octet-stream',
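Review bot: The new `elif globals.s3_use_sse_kms:` branch is unreachable when `--s3-use-server-side-encryption` is also given, because the AES256 branch above it is tested first, so a user who sets both flags silently gets SSE-S3 instead of the KMS key they named; either raise a FatalBackendException for the combination or document the precedence next to the `elif`. The `x-amz-grant-full-control` header filled from `s3_kms_grant` is an object ACL grant (FULL_CONTROL on every uploaded volume to the named grantee), not a KMS setting, so a comment such as `# object ACL grant of FULL_CONTROL to this grantee; independent of the KMS key policy` would keep readers from assuming it scopes the key. The missing-key-id check only fires when a volume is uploaded, so a run fails on its first put rather than at option parsing; validating `--s3-kms-key-id` alongside the flag in commandline.py would fail fast. The added keys and values are bare `'...'` literals while the surrounding dicts use `u'...'`, e.g. `u'x-amz-server-side-encryption': u'aws:kms',`, and keeping the file's convention avoids mixing str and unicode header values on Python 2. The enclosing function starts and ends outside the hunk.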
=== modified file 'duplicity/commandline.py'
--- duplicity/commandline.py 2019-01-01 21:36:27 +0000
+++ duplicity/commandline.py 2019-01-19 16:17:11 +0000
@@ -572,6 +572,11 @@
# Option to allow use of server side encryption in s3
parser.add_option(u"--s3-use-server-side-encryption", action=u"store_true", dest=u"s3_use_sse")
+ # Options to allow use of server side KMS encryption
+ parser.add_option("--s3-use-server-side-kms-encryption", action=u"store_true", dest="s3_use_sse_kms")
+ parser.add_option("--s3-kms-key-id", action=u"store", dest="s3_kms_key_id")
+ parser.add_option("--s3-kms-grant", action=u"store", dest="s3_kms_grant")
+
# Option to specify a Swift container storage policy.
parser.add_option(u"--swift-storage-policy", type=u"string", metavar=_(u"policy"))
=== modified file 'duplicity/globals.py'
--- duplicity/globals.py 2019-01-01 21:36:27 +0000
+++ duplicity/globals.py 2019-01-19 16:17:11 +0000
@@ -220,6 +220,11 @@
# Use server side encryption in s3
s3_use_sse = False
+# Use server side kms encryption in s3
+s3_use_sse_kms = False
+s3_kms_key_id = None
+s3_kms_grant = None
+
# Which storage policy to use for Swift containers
swift_storage_policy = u""
=== modified file 'duplicity/log.py'
--- duplicity/log.py 2018-11-29 19:00:15 +0000
+++ duplicity/log.py 2019-01-19 16:17:11 +0000
@@ -312,6 +312,7 @@
dpbx_nologin = 47
bad_request = 48
+ s3_kms_no_id = 49
# 50->69 reserved for backend errors
backend_error = 50