)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":7233,"name":"Matthew Oliver","email":"matt@oliver.net.au","username":"mattoliverau"},"change_message_id":"067e730b5b2107d3e068dbbd1271ad22c00a0999","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Currently AWS provides an encryption method that is used for objects"},{"line_number":10,"context_line":"at rest in S3. Swift\u0027s s3api middleware does not add this header so to"},{"line_number":11,"context_line":"fulfill the compact, we should add it."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html"},{"line_number":14,"context_line":"\"All Amazon S3 buckets have encryption configured by default, and all"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"4dc8917f_57f05923","line":11,"range":{"start_line":11,"start_character":12,"end_line":11,"end_character":19},"updated":"2026-05-28 04:54:48.000000000","message":"contract?","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"},{"author":{"_account_id":39146,"name":"Nathaniel Martes","display_name":"Nate Martes","email":"nmartes@NVIDIA.com","username":"nmartes"},"change_message_id":"d052172b2dc63278975f2343b97b1c720da19f6a","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Currently AWS provides an encryption method that is used for objects"},{"line_number":10,"context_line":"at rest in S3. Swift\u0027s s3api middleware does not add this header so to"},{"line_number":11,"context_line":"fulfill the compact, we should add it."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html"},{"line_number":14,"context_line":"\"All Amazon S3 buckets have encryption configured by default, and all"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"4f750df2_f3d1ddc8","line":11,"range":{"start_line":11,"start_character":12,"end_line":11,"end_character":19},"in_reply_to":"4dc8917f_57f05923","updated":"2026-05-28 16:01:56.000000000","message":"Yes I think contract would be a better word here","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"},{"author":{"_account_id":39146,"name":"Nathaniel Martes","display_name":"Nate Martes","email":"nmartes@NVIDIA.com","username":"nmartes"},"change_message_id":"3a6abf6a62de2967ef878ead18feda070e103ad9","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Currently AWS provides an encryption method that is used for objects"},{"line_number":10,"context_line":"at rest in S3. Swift\u0027s s3api middleware does not add this header so to"},{"line_number":11,"context_line":"fulfill the compact, we should add it."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html"},{"line_number":14,"context_line":"\"All Amazon S3 buckets have encryption configured by default, and all"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"1d12637b_c0245d03","line":11,"range":{"start_line":11,"start_character":12,"end_line":11,"end_character":19},"in_reply_to":"4f750df2_f3d1ddc8","updated":"2026-05-28 20:45:46.000000000","message":"Acknowledged","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"ae1bcb4b56197e64272b08cc4faeac8aa1013955","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"76d03afc_76883727","updated":"2026-05-27 23:10:11.000000000","message":"I\u0027m not sure about the \"is encrypted\" behavior when metadata is NOT encrypted:\n\n990396: sq? Test questionable unencrypted_metadata_has_headers | https://review.opendev.org/c/openstack/swift/+/990396","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"},{"author":{"_account_id":39146,"name":"Nathaniel Martes","display_name":"Nate Martes","email":"nmartes@NVIDIA.com","username":"nmartes"},"change_message_id":"9cb7d6310893d9d5bb63caf181b19233986d96c3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"fa0df36d_80a8d959","updated":"2026-05-28 18:44:55.000000000","message":"Latest patch resolves issues","commit_id":"e74fc658de83f16411e9e3ba65b449b5b195234a"},{"author":{"_account_id":39146,"name":"Nathaniel Martes","display_name":"Nate Martes","email":"nmartes@NVIDIA.com","username":"nmartes"},"change_message_id":"48f9a2fa0585da59e9397592243ec735f65eee7e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"b44ae835_bd7af09a","updated":"2026-05-28 20:44:53.000000000","message":"Issue resolved in patchset 8","commit_id":"7782a743a0ec1a77887923a87e3032809c468da7"},{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"bf64a0cf_c5ae6320","updated":"2026-05-29 21:08:21.000000000","message":"Good job, Nate! Very good start.","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"},{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"cf1cbaec18d57ff834453df785930aaf340b36de","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"d62159d4_a1d31d20","updated":"2026-05-29 21:08:49.000000000","message":"it does require some changes, and more test cases for sure.","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"}],"swift/common/middleware/crypto/decrypter.py":[{"author":{"_account_id":7233,"name":"Matthew Oliver","email":"matt@oliver.net.au","username":"mattoliverau"},"change_message_id":"067e730b5b2107d3e068dbbd1271ad22c00a0999","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    :return: a list of headers with encryption metadata headers added"},{"line_number":49,"context_line":"    \"\"\""},{"line_number":50,"context_line":"    cipher \u003d Crypto.cipher"},{"line_number":51,"context_line":"    headers.append((\u0027X-Encryption-Is-Encrypted\u0027, \u0027true\u0027))"},{"line_number":52,"context_line":"    headers.append((\u0027X-Encryption-Method\u0027, cipher))"},{"line_number":53,"context_line":"    return headers"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"f9ff0ec5_573bd419","line":51,"updated":"2026-05-28 04:54:48.000000000","message":"so this is only added if the object is encrypted, I guess it\u0027s cool to return and all. but then wouldn\u0027t the existance of a `X-Encrytion-Method` give us the same signal? And better it\u0027s signal with some more information, the cipher.\n\nFurther if we lower to the one header, we could probably also just in-line it, as it seems it only needs to be added in one place. Unless this function was refactored out to ease testing or something.\n\nFurther, the bug seems to suggest that one of the swift design decisions when at-rest encryption was done was people users didn\u0027t need to know. So suggests using a backend header (X-Backend-*). These backend headers are stripped at the gatekeeper middleware. So we know they can\u0027t leave the cluster.\n\nDo we then want to maybe just add a single:\n```\nX-Backend-Crypto-Cipher: ...\n```\nTo indicate the object is encrypted. s3api can then just check and use the value.\n\nThe other advantage of just uing the one and inlineing is we can use the put_cryto_meta, which in my understanding, should have a [\u0027cipher\u0027] that was used when the object was incrypted. Whereas the  Crypto.cipher you\u0027re using might have changed (if we ever change it). So the objects meta version is more correct.","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"},{"author":{"_account_id":39146,"name":"Nathaniel Martes","display_name":"Nate Martes","email":"nmartes@NVIDIA.com","username":"nmartes"},"change_message_id":"d052172b2dc63278975f2343b97b1c720da19f6a","unresolved":true,"context_lines":[{"line_number":48,"context_line":"    :return: a list of headers with encryption metadata headers added"},{"line_number":49,"context_line":"    \"\"\""},{"line_number":50,"context_line":"    cipher \u003d Crypto.cipher"},{"line_number":51,"context_line":"    headers.append((\u0027X-Encryption-Is-Encrypted\u0027, \u0027true\u0027))"},{"line_number":52,"context_line":"    headers.append((\u0027X-Encryption-Method\u0027, cipher))"},{"line_number":53,"context_line":"    return headers"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"ffae1780_4d9610ab","line":51,"in_reply_to":"f9ff0ec5_573bd419","updated":"2026-05-28 16:01:56.000000000","message":"I agree this may be better as to not change initial design choices and then since the s3api forces giving the client cipher information, we just expose that specific piece of information only to the s3 client. In the future, we can decide if we want to expose encryption information in the Swift native API (or someone can add a middleware to do it for them if need be)","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"},{"author":{"_account_id":39146,"name":"Nathaniel Martes","display_name":"Nate Martes","email":"nmartes@NVIDIA.com","username":"nmartes"},"change_message_id":"3a6abf6a62de2967ef878ead18feda070e103ad9","unresolved":false,"context_lines":[{"line_number":48,"context_line":"    :return: a list of headers with encryption metadata headers added"},{"line_number":49,"context_line":"    \"\"\""},{"line_number":50,"context_line":"    cipher \u003d Crypto.cipher"},{"line_number":51,"context_line":"    headers.append((\u0027X-Encryption-Is-Encrypted\u0027, \u0027true\u0027))"},{"line_number":52,"context_line":"    headers.append((\u0027X-Encryption-Method\u0027, cipher))"},{"line_number":53,"context_line":"    return headers"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"40a0ae08_65a1c8ec","line":51,"in_reply_to":"ffae1780_4d9610ab","updated":"2026-05-28 20:45:46.000000000","message":"Acknowledged","commit_id":"f7fcf60db01ee34b5e5fa44c6ccd219bade631f1"},{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":true,"context_lines":[{"line_number":41,"context_line":"                 get_sys_meta_prefix(\u0027object\u0027) + \u0027crypto-\u0027))]"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"def add_crypto_meta_headers(headers, put_crypto_meta):"},{"line_number":45,"context_line":"    \"\"\""},{"line_number":46,"context_line":"    Add encryption metadata headers that can be exposed."},{"line_number":47,"context_line":"    :param headers: a list of headers"}],"source_content_type":"text/x-python","patch_set":11,"id":"05590416_9fda7605","line":44,"updated":"2026-05-29 21:08:21.000000000","message":"this helper function is not called by any place","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"},{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":true,"context_lines":[{"line_number":386,"context_line":""},{"line_number":387,"context_line":"        # expose encryption metadata if is encrypted"},{"line_number":388,"context_line":"        if (put_crypto_meta and put_keys and"},{"line_number":389,"context_line":"                req.method in (\u0027GET\u0027, \u0027HEAD\u0027, \u0027PUT\u0027) and"},{"line_number":390,"context_line":"                is_success(self._get_status_int())):"},{"line_number":391,"context_line":"            if put_crypto_meta.get(\u0027cipher\u0027):"},{"line_number":392,"context_line":"                mod_resp_headers.append("}],"source_content_type":"text/x-python","patch_set":11,"id":"2663b269_2563a6d8","line":389,"updated":"2026-05-29 21:08:21.000000000","message":"``Decrypter.__call__`` (decrypter.py:491-494) only dispatches GET/HEAD object requests to ``DecrypterObjContext``; PUT goes to ``EncrypterObjContext.handle_put`` (encrypter.py:237). So the ``PUT`` here will never match. For PUT responses to include x-amz-server-side-encryption (AWS does include it on PUT), the header needs to be added in ``EncrypterObjContext.handle_put`` as well, with a matching unit test.","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"}],"test/unit/common/middleware/crypto/test_decrypter.py":[{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":true,"context_lines":[{"line_number":307,"context_line":"                \u0027x-object-meta-ignores-case\u0027,"},{"line_number":308,"context_line":"                \u0027x-object-meta-test\u0027,"},{"line_number":309,"context_line":"            ]),"},{"line_number":310,"context_line":"            \u0027X-Backend-Crypto-Cipher\u0027: Crypto.cipher,"},{"line_number":311,"context_line":"            \u0027Access-Control-Allow-Origin\u0027: \u0027*\u0027,"},{"line_number":312,"context_line":"        }"},{"line_number":313,"context_line":"        self.assertEqual(dict(headers), expected)"}],"source_content_type":"text/x-python","patch_set":11,"id":"442299e0_2e35053d","line":310,"updated":"2026-05-29 21:08:21.000000000","message":"consider to add a new dedicated test that asserts this header is absent on a 412 / 304 response","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"}],"test/unit/common/middleware/s3api/test_obj.py":[{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":true,"context_lines":[{"line_number":1924,"context_line":"            \u0027rule-id\u003d\"swift-object-expiration\"\u0027,"},{"line_number":1925,"context_line":"            headers[\u0027x-amz-expiration\u0027])"},{"line_number":1926,"context_line":""},{"line_number":1927,"context_line":"    def test_object_GET_x_server_side_encryption(self):"},{"line_number":1928,"context_line":"        # Test that x-amz-server-side-encryption is included in the"},{"line_number":1929,"context_line":"        # response headers."},{"line_number":1930,"context_line":""}],"source_content_type":"text/x-python","patch_set":11,"id":"ccca1226_584c8f0a","line":1927,"updated":"2026-05-29 21:08:21.000000000","message":"this test case is for GET, consider to add another test case for HEAD as well","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"},{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":true,"context_lines":[{"line_number":1928,"context_line":"        # Test that x-amz-server-side-encryption is included in the"},{"line_number":1929,"context_line":"        # response headers."},{"line_number":1930,"context_line":""},{"line_number":1931,"context_line":"        class TestCryptoMiddleware(object):"},{"line_number":1932,"context_line":"            def __init__(self, app, cipher\u003d\u0027AES_CTR_256\u0027):"},{"line_number":1933,"context_line":"                self.app \u003d app"},{"line_number":1934,"context_line":"                self.cipher \u003d cipher"}],"source_content_type":"text/x-python","patch_set":11,"id":"064742dd_1042df76","line":1931,"updated":"2026-05-29 21:08:21.000000000","message":"this is using a fake Crypto middleware, this patch would need some ``real`` test cases in either ``test/functional/s3api/`` or ``test/s3api/`` (I remember the latter is better)","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"},{"author":{"_account_id":34930,"name":"Jianjian Huo","email":"jhuo@nvidia.com","username":"jhuo"},"change_message_id":"b80cc9999c3dc059e6cfef9b78280f3e379532e9","unresolved":true,"context_lines":[{"line_number":1957,"context_line":"        status, headers, body \u003d self.call_s3api(req)"},{"line_number":1958,"context_line":""},{"line_number":1959,"context_line":"        self.assertEqual(status, \u0027200 OK\u0027)"},{"line_number":1960,"context_line":"        self.assertIn(\u0027x-amz-server-side-encryption\u0027, headers)"},{"line_number":1961,"context_line":"        self.assertEqual("},{"line_number":1962,"context_line":"            \u0027AES256\u0027,"},{"line_number":1963,"context_line":"            headers[\u0027x-amz-server-side-encryption\u0027])"}],"source_content_type":"text/x-python","patch_set":11,"id":"748ffc83_fcadae01","line":1960,"updated":"2026-05-29 21:08:21.000000000","message":"please add a negative test confirming ``x-amz-server-side-encryption`` is not present for an object with no ``X-Object-Sysmeta-Crypto-Body-Meta`` (i.e., uploaded before encryption was enabled), for both HEAD and GET","commit_id":"f886fd7da2a3a62f2b6a1f6f175f4197e4a06846"}]}