(bucket, log, cb)
| 7 | |
| 8 | // Bucket need a key from the new KMS, not a simple reformating |
| 9 | function updateBucketEncryption(bucket, log, cb) { |
| 10 | const sse = bucket.getServerSideEncryption(); |
| 11 | |
| 12 | if (!sse) { |
| 13 | return cb(null, bucket); |
| 14 | } |
| 15 | |
| 16 | const masterKey = sse.masterKeyId; |
| 17 | const configuredKey = sse.configuredMasterKeyId; |
| 18 | |
| 19 | // Note: if migration is from an external to an external, absence of arn is not enough |
| 20 | // a comparison of arn will be necessary but config validation blocks this for now |
| 21 | const updateMaster = masterKey && !isScalityKmsArn(masterKey); |
| 22 | const updateConfigured = configuredKey && !isScalityKmsArn(configuredKey); |
| 23 | |
| 24 | if (!updateMaster && !updateConfigured) { |
| 25 | return cb(null, bucket); |
| 26 | } |
| 27 | log.debug('trying to update bucket encryption', { oldKey: masterKey || configuredKey }); |
| 28 | // this should trigger vault account key update as well |
| 29 | return kms.createBucketKey(bucket, log, (err, newSse) => { |
| 30 | if (err) { |
| 31 | return cb(err, bucket); |
| 32 | } |
| 33 | // if both keys needs migration, it is ok the use the same KMS key |
| 34 | // as the configured one should be used and the only way to use the |
| 35 | // masterKeyId is to PutBucketEncryption to AES256 but then nothing |
| 36 | // will break and the same KMS key will continue to be used. |
| 37 | // And the key is managed (created) by Scality, not passed from input. |
| 38 | if (updateMaster) { |
| 39 | sse.masterKeyId = newSse.masterKeyArn; |
| 40 | } |
| 41 | if (updateConfigured) { |
| 42 | sse.configuredMasterKeyId = newSse.masterKeyArn; |
| 43 | } |
| 44 | // KMS account key will not be deleted when bucket is deleted |
| 45 | if (newSse.isAccountEncryptionEnabled) { |
| 46 | sse.isAccountEncryptionEnabled = newSse.isAccountEncryptionEnabled; |
| 47 | } |
| 48 | |
| 49 | log.info('updating bucket encryption', { |
| 50 | oldKey: masterKey || configuredKey, |
| 51 | newKey: newSse.masterKeyArn, |
| 52 | isAccount: newSse.isAccountEncryptionEnabled, |
| 53 | }); |
| 54 | return metadata.updateBucket(bucket.getName(), bucket, log, err => cb(err, bucket)); |
| 55 | }); |
| 56 | } |
| 57 | |
| 58 | // Only reformat the key, don't generate a new one. |
| 59 | // Use opts.skipObjectUpdate to only prepare objMD without sending the update to metadata |
no test coverage detected