Merge branch 'w/8.7/bugfix/CLDSRV-580/aws_kms0' into tmp/octopus/w/8.…
…8/bugfix/CLDSRV-580/aws_kms0
bert-e committed Nov 19, 2024
2 parents d11b522 + efa4727 commit f6db11f
Showing 2 changed files with 28 additions and 21 deletions.
31 changes: 20 additions & 11 deletions lib/api/bucketDeleteEncryption.js
@@ -30,24 +30,33 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
(bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
(bucket, next) => {
const sseConfig = bucket.getServerSideEncryption();

if (sseConfig === null) {
return next(null, bucket);
}

const updatedConfig = {
mandatory: false,
algorithm: sseConfig.algorithm,
cryptoScheme: sseConfig.cryptoScheme,
masterKeyId: sseConfig.masterKeyId,
configuredMasterKeyId: sseConfig.configuredMasterKeyId,
};
const { isAccountEncryptionEnabled, masterKeyId, algorithm, cryptoScheme } = sseConfig;

let updatedSseConfig = null;

const { isAccountEncryptionEnabled } = sseConfig;
if (isAccountEncryptionEnabled) {
updatedConfig.isAccountEncryptionEnabled = isAccountEncryptionEnabled;
if (!isAccountEncryptionEnabled && masterKeyId) {
// Keep the encryption configuration as a "cache" to avoid generating a new master key:
// - if the default encryption master key is defined at the bucket level (!isAccountEncryptionEnabled),
// - and if a bucket-level default encryption key is already set.
// This "cache" is implemented by storing the configuration in the bucket metadata
// with mandatory set to false, making sure it remains hidden for `getBucketEncryption` operations.
// There is no need to cache the configuration if the default encryption master key is
// managed at the account level, as the master key id in that case is stored directly in
// the account metadata.
updatedSseConfig = {
mandatory: false,
algorithm,
cryptoScheme,
masterKeyId,
};
}

bucket.setServerSideEncryption(updatedConfig);
bucket.setServerSideEncryption(updatedSseConfig);
return metadata.updateBucket(bucketName, bucket, log, err => next(err, bucket));
},
],
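Review bot: The retained entry in the `!isAccountEncryptionEnabled && masterKeyId` branch is only safe if every reader of `bucket.getServerSideEncryption()` checks `mandatory` before treating the bucket as encrypted, and the new comment names `getBucketEncryption` alone. I would add one line to that comment stating the contract, for example `// Readers of this config must check mandatory: a non-null value does not mean default encryption is on.` The comment could also say that `configuredMasterKeyId` is dropped on purpose, since the previous code carried it over and the new object silently omits it. The body of `bucketDeleteEncryption` starts and ends outside this hunk, so whether other consumers honour `mandatory` cannot be confirmed from here.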
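--- a/tests/unit/api/bucketDeleteEncryption.js
+++ b/tests/unit/api/bucketDeleteEncryption.js
@@ -51,17 +51,15 @@ describe('bucketDeleteEncryption API', () => {
 });
 }));
 
-it('should disable mandatory sse and clear key for aws:kms with a configured master key id', done => {
+it('should remove sse and clear key for aws:kms with a configured master key id', done => {
 const post = templateSSEConfig({ algorithm: 'aws:kms', keyId: '12345' });
 bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
 assert.ifError(err);
 bucketDeleteEncryption(authInfo, templateRequest(bucketName, {}), log, err => {
 assert.ifError(err);
 return getSSEConfig(bucketName, log, (err, sseInfo) => {
 assert.ifError(err);
-assert(!sseInfo.masterKeyId);
-assert.strictEqual(sseInfo.mandatory, false);
-assert.strictEqual(sseInfo.configuredMasterKeyId, '12345');
+assert(!sseInfo);
 done();
 });
 });
@@ -228,7 +226,7 @@ describe('bucketDeleteEncryption API', () => {
 sinon.restore();
 });
 
-it('should keep isAccountEncryptionEnabled after deleting AES256 bucket encryption', done => {
+it('should clear the sse config after deleting AES256 bucket encryption', done => {
 const post = templateSSEConfig({ algorithm: 'AES256' });
 bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
 assert.ifError(err);
@@ -239,15 +237,15 @@ describe('bucketDeleteEncryption API', () => {
 assert.ifError(err);
 return getSSEConfig(bucketName, log, (err, sseInfoAfterDeletion) => {
 assert.ifError(err);
-assert.strictEqual(sseInfoAfterDeletion.isAccountEncryptionEnabled, true);
+assert(!sseInfoAfterDeletion);
 done();
 });
 });
 });
 });
 });
 
-it('should keep isAccountEncryptionEnabled after deleting aws:kms bucket encryption', done => {
+it('should clear the sse config after deleting aws:kms bucket encryption', done => {
 const post = templateSSEConfig({ algorithm: 'aws:kms' });
 bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
 assert.ifError(err);
@@ -258,15 +256,15 @@ describe('bucketDeleteEncryption API', () => {
 assert.ifError(err);
 return getSSEConfig(bucketName, log, (err, sseInfoAfterDeletion) => {
 assert.ifError(err);
-assert.strictEqual(sseInfoAfterDeletion.isAccountEncryptionEnabled, true);
+assert(!sseInfoAfterDeletion);
 done();
 });
 });
 });
 });
 });
 
-it('should keep isAccountEncryptionEnabled after deleting aws:kms and key id bucket encryption', done => {
+it('should clear the sse config after deleting aws:kms and key id bucket encryption', done => {
 const postAES256 = templateSSEConfig({ algorithm: 'AES256' });
 bucketPutEncryption(authInfo, templateRequest(bucketName, { post: postAES256 }), log, err => {
 assert.ifError(err);
@@ -280,7 +278,7 @@ describe('bucketDeleteEncryption API', () => {
 assert.ifError(err);
 return getSSEConfig(bucketName, log, (err, sseInfoAfterDeletion) => {
 assert.ifError(err);
-assert.strictEqual(sseInfoAfterDeletion.isAccountEncryptionEnabled, true);
+assert(!sseInfoAfterDeletion);
 done();
 });
 });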
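Review bot: `assert(!sseInfo)` and the three `assert(!sseInfoAfterDeletion)` checks accept any falsy value, so they would still pass if `getSSEConfig` returned `undefined`, `false` or an empty string instead of a cleared configuration. Since the handler now stores `null`, `assert.strictEqual(sseInfoAfterDeletion, null)` pins the outcome more tightly, assuming `getSSEConfig` (defined outside these hunks) returns the stored value unchanged. None of the hunks shown exercises the retained branch, where the config is kept with `mandatory: false` and the bucket-level `masterKeyId`. If no other test in the file covers it, a case asserting that those fields survive and that `configuredMasterKeyId` is absent would guard the key-reuse behaviour.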
