fix: serialize SSE-KMS metadata when bucket default encryption applies KMS

When a bucket has default SSE-KMS encryption enabled and a file is uploaded without explicit SSE headers, the encryption was applied correctly but the SSE-KMS metadata (x-seaweedfs-sse-kms-key) was not serialized. This caused downloads to fail with "empty SSE-KMS metadata" because the entry's Extended map stored an empty byte slice. The existing code already handled this for SSE-S3 bucket defaults (SerializeSSES3Metadata) but was missing the equivalent call to SerializeSSEKMSMetadata for the KMS path. Fixes seaweedfs/seaweedfs#8776
2026-05-22 17:51:30 +00:00 · 2026-03-26 11:28:41 -07:00
parent aa12b51cbf
commit 4bd8e5dd59
1 changed files with 10 additions and 0 deletions
--- a/weed/s3api/s3api_object_handlers_put.go
+++ b/weed/s3api/s3api_object_handlers_put.go
@@ -374,6 +374,16 @@ func (s3a *S3ApiServer) putToFiler(r *http.Request, filePath string, dataReader
 				return "", s3err.ErrInternalError, SSEResponseMetadata{}
 			}
 		}
+
+		// If SSE-KMS was applied by bucket default, prepare metadata (if not already done)
+		if sseKMSKey != nil && len(sseKMSMetadata) == 0 {
+			var metaErr error
+			sseKMSMetadata, metaErr = SerializeSSEKMSMetadata(sseKMSKey)
+			if metaErr != nil {
+				glog.Errorf("Failed to serialize SSE-KMS metadata for bucket default encryption: %v", metaErr)
+				return "", s3err.ErrInternalError, SSEResponseMetadata{}
+			}
+		}
 	} else {
 		glog.V(4).Infof("putToFiler: explicit encryption already applied, skipping bucket default encryption")
 	}