CLDSRV-580 Custom KMS key id persisted after deleting bucket encrypti…
…on config
nicolas2bert committed Nov 15, 2024
1 parent 6e4e49c commit b0a3e6d
Showing 2 changed files with 21 additions and 14 deletions.
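--- a/lib/api/bucketDeleteEncryption.js
+++ b/lib/api/bucketDeleteEncryption.js
@@ -34,17 +34,26 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
 return next(null, bucket);
 }
 
-const updatedConfig = {
-mandatory: false,
-algorithm: sseConfig.algorithm,
-cryptoScheme: sseConfig.cryptoScheme,
-masterKeyId: sseConfig.masterKeyId,
-configuredMasterKeyId: sseConfig.configuredMasterKeyId,
-};
+let updatedConfig = null;
 
-const { isAccountEncryptionEnabled } = sseConfig;
-if (isAccountEncryptionEnabled) {
-updatedConfig.isAccountEncryptionEnabled = isAccountEncryptionEnabled;
+if (sseConfig.masterKeyId) {
+// Keep the encryption configuration in the cache to avoid generating
+// a new master key ID for bucket-level encryption
+// or to fetch it from account metadata for account-level encryption.
+// This "cache" is implemented by storing the configuration
+// in the bucket metadata with `mandatory` set to `false`, making sure
+// it remains hidden for `putBucketEncryption` operation.
+updatedConfig = {
+mandatory: false,
+algorithm: sseConfig.algorithm,
+cryptoScheme: sseConfig.cryptoScheme,
+masterKeyId: sseConfig.masterKeyId,
+};
+
+const { isAccountEncryptionEnabled } = sseConfig;
+if (isAccountEncryptionEnabled) {
+updatedConfig.isAccountEncryptionEnabled = isAccountEncryptionEnabled;
+}
 }
 
 bucket.setServerSideEncryption(updatedConfig);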
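Review bot: The comment block added above `updatedConfig = {` says the retained entry stays hidden for the `putBucketEncryption` operation, but it does not say what readers of the bucket metadata must do with an entry whose `mandatory` is `false`, even though that entry still carries `masterKeyId`, `algorithm` and `cryptoScheme` after the delete. If the intended contract is that such an entry is never reported or used to encrypt new objects, I would state it there, e.g. `// Readers must treat mandatory === false as "no encryption configured"; only the key id is kept for reuse.` It would also help to say explicitly that `configuredMasterKeyId` is deliberately not copied, so a later edit does not reintroduce the caller-supplied key id into the retained entry. The body of `bucketDeleteEncryption` starts and ends outside this hunk, so how the other code paths read `mandatory` cannot be confirmed from here.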
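--- a/tests/unit/api/bucketDeleteEncryption.js
+++ b/tests/unit/api/bucketDeleteEncryption.js
@@ -50,17 +50,15 @@ describe('bucketDeleteEncryption API', () => {
 });
 }));
 
-it('should disable mandatory sse and clear key for aws:kms with a configured master key id', done => {
+it('should remove sse and clear key for aws:kms with a configured master key id', done => {
 const post = templateSSEConfig({ algorithm: 'aws:kms', keyId: '12345' });
 bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
 assert.ifError(err);
 bucketDeleteEncryption(authInfo, templateRequest(bucketName, {}), log, err => {
 assert.ifError(err);
 return getSSEConfig(bucketName, log, (err, sseInfo) => {
 assert.ifError(err);
-assert(!sseInfo.masterKeyId);
-assert.strictEqual(sseInfo.mandatory, false);
-assert.strictEqual(sseInfo.configuredMasterKeyId, '12345');
+assert(!sseInfo);
 done();
 });
 });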
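Review bot: `assert(!sseInfo)` passes for any falsy value, so it would not catch a change in what `getSSEConfig` yields once the configuration is removed; if the expected value is `null` (the value the API change passes to `setServerSideEncryption` on this path), `assert.strictEqual(sseInfo, null)` pins it. This case only exercises the configured-key path, where nothing is retained. A companion case for the branch that keeps `masterKeyId`, asserting `assert.strictEqual(sseInfo.configuredMasterKeyId, undefined)`, would guard the regression the commit fixes; such a test may already exist outside this hunk.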
