MCPcopy Index your code
hub / github.com/scality/cloudserver / updateBucketEncryption

Function updateBucketEncryption

lib/api/apiUtils/bucket/updateEncryption.js:9–56  ·  view source on GitHub ↗
(bucket, log, cb)

Source from the content-addressed store, hash-verified

7
8// Bucket need a key from the new KMS, not a simple reformating
9function updateBucketEncryption(bucket, log, cb) {
10 const sse = bucket.getServerSideEncryption();
11
12 if (!sse) {
13 return cb(null, bucket);
14 }
15
16 const masterKey = sse.masterKeyId;
17 const configuredKey = sse.configuredMasterKeyId;
18
19 // Note: if migration is from an external to an external, absence of arn is not enough
20 // a comparison of arn will be necessary but config validation blocks this for now
21 const updateMaster = masterKey && !isScalityKmsArn(masterKey);
22 const updateConfigured = configuredKey && !isScalityKmsArn(configuredKey);
23
24 if (!updateMaster && !updateConfigured) {
25 return cb(null, bucket);
26 }
27 log.debug('trying to update bucket encryption', { oldKey: masterKey || configuredKey });
28 // this should trigger vault account key update as well
29 return kms.createBucketKey(bucket, log, (err, newSse) => {
30 if (err) {
31 return cb(err, bucket);
32 }
33 // if both keys needs migration, it is ok the use the same KMS key
34 // as the configured one should be used and the only way to use the
35 // masterKeyId is to PutBucketEncryption to AES256 but then nothing
36 // will break and the same KMS key will continue to be used.
37 // And the key is managed (created) by Scality, not passed from input.
38 if (updateMaster) {
39 sse.masterKeyId = newSse.masterKeyArn;
40 }
41 if (updateConfigured) {
42 sse.configuredMasterKeyId = newSse.masterKeyArn;
43 }
44 // KMS account key will not be deleted when bucket is deleted
45 if (newSse.isAccountEncryptionEnabled) {
46 sse.isAccountEncryptionEnabled = newSse.isAccountEncryptionEnabled;
47 }
48
49 log.info('updating bucket encryption', {
50 oldKey: masterKey || configuredKey,
51 newKey: newSse.masterKeyArn,
52 isAccount: newSse.isAccountEncryptionEnabled,
53 });
54 return metadata.updateBucket(bucket.getName(), bucket, log, err => cb(err, bucket));
55 });
56}
57
58// Only reformat the key, don't generate a new one.
59// Use opts.skipObjectUpdate to only prepare objMD without sending the update to metadata

Callers 1

updateEncryptionFunction · 0.85

Calls 3

debugMethod · 0.80
createBucketKeyMethod · 0.80
infoMethod · 0.80

Tested by

no test coverage detected