clean up

Author: paulineribeyre

.secrets.baseline

@@ -160,7 +160,7 @@
         "filename": "docs/s3.md",
         "hashed_secret": "08d2e98e6754af941484848930ccbaddfefe13d6",
         "is_verified": false,
-        "line_number": 56
+        "line_number": 55
       }
     ],
     "migrations/versions/e1886270d9d2_create_system_key_table.py": [
@@ -209,5 +209,5 @@
       }
     ]
   },
-  "generated_at": "2026-02-03T17:56:09Z"
+  "generated_at": "2026-02-25T19:02:33Z"
 }

docs/s3.md

@@ -5,7 +5,6 @@ Note: This discussion can apply to many use cases, but it is written with a spec
 Contents:
 - [Using IAM keys](#using-iam-keys)
 - [Using a custom S3 endpoint](#using-a-custom-s3-endpoint)
-- [Diagram](#diagram)
 
 ## Using IAM keys
 

gen3workflow/routes/s3.py

@@ -266,41 +266,40 @@ async def s3_endpoint(path: str, request: Request):
         assert credentials, "No AWS credentials found"
         headers["x-amz-security-token"] = credentials.token
 
-    # if this is a PUT request, we need the KMS key ID to use for encryption
-    if config["KMS_ENCRYPTION_ENABLED"] and request.method == "PUT":
-        _, kms_key_arn = aws_utils.get_existing_kms_key_for_bucket(user_bucket)
-        if not kms_key_arn:
-            err_msg = "Bucket misconfigured. Hit the `GET /storage/info` endpoint and try again."
-            logger.error(
-                f"No existing KMS key found for bucket '{user_bucket}'. {err_msg}"
-            )
-            raise HTTPException(HTTP_400_BAD_REQUEST, err_msg)
-        headers["x-amz-server-side-encryption"] = "aws:kms"
-        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_arn
+    # if this is a PUT/POST request, we need the KMS key ID to use for encryption
+    # Note: PUT: file upload; POST: multipart file upload
+    # if config["KMS_ENCRYPTION_ENABLED"] and request.method in ["PUT", "POST"]:
+    #     _, kms_key_arn = aws_utils.get_existing_kms_key_for_bucket(user_bucket)
+    #     if not kms_key_arn:
+    #         err_msg = "Bucket misconfigured. Hit the `GET /storage/info` endpoint and try again."
+    #         logger.error(
+    #             f"No existing KMS key found for bucket '{user_bucket}'. {err_msg}"
+    #         )
+    #         raise HTTPException(HTTP_400_BAD_REQUEST, err_msg)
+    #     headers["x-amz-server-side-encryption"] = "aws:kms"
+    #     headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_arn
 
     # construct the canonical request. All header keys must be lowercase
     sorted_headers = sorted(list(headers.keys()), key=str.casefold)
-    lowercase_sorted_headers = [k.lower() for k in sorted_headers]
     canonical_headers = "".join(
         f"{key.lower()}:{headers[key]}\n" for key in sorted_headers
     )
-    signed_headers = ";".join(lowercase_sorted_headers)
+    signed_headers = ";".join([k.lower() for k in sorted_headers])
     query_params = dict(request.query_params)
     # the query params in the canonical request have to be sorted:
     query_params_names = sorted(list(query_params.keys()))
     canonical_query_params = "&".join(
         f"{urllib.parse.quote_plus(key)}={urllib.parse.quote_plus(query_params[key])}"
         for key in query_params_names
     )
-    body_hash = headers["x-amz-content-sha256"]
     canonical_request = (
         f"{request.method}\n"
         f"{request_path}\n"
         f"{canonical_query_params}\n"
         f"{canonical_headers}"
         f"\n"
         f"{signed_headers}\n"
-        f"{body_hash}"
+        f"{headers['x-amz-content-sha256']}"
     )
 
     # construct the string to sign based on the canonical request