 * Bucket Put Encryption - Put bucket SSE configuration
 * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
 * @param {object} request - http request object
 * @param {object} log - Werelogs logger
 * @param {function} callback - callback to server
 * @return {undefined}
(authInfo, request, log, callback)
| 18 | */ |
| 19 | |
| 20 | function bucketPutEncryption(authInfo, request, log, callback) { |
| 21 | const { bucketName } = request; |
| 22 | |
| 23 | const metadataValParams = { |
| 24 | authInfo, |
| 25 | bucketName, |
| 26 | requestType: request.apiMethods || 'bucketPutEncryption', |
| 27 | request, |
| 28 | }; |
| 29 | |
| 30 | return async.waterfall([ |
| 31 | next => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next), |
| 32 | (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)), |
| 33 | (bucket, next) => { |
| 34 | log.trace('parsing encryption config', { method: 'bucketPutEncryption' }); |
| 35 | return parseEncryptionXml(request.post, log, (err, encryptionConfig) => { |
| 36 | if (err) { |
| 37 | return next(err); |
| 38 | } |
| 39 | return next(null, bucket, encryptionConfig); |
| 40 | }); |
| 41 | }, |
| 42 | (bucket, encryptionConfig, next) => { |
| 43 | const existingConfig = bucket.getServerSideEncryption(); |
| 44 | // Check if encryption is not configured or if a default master key has not been created yet. |
| 45 | if (existingConfig === null || !existingConfig.masterKeyId) { |
| 46 | return kms.bucketLevelEncryption(bucket, encryptionConfig, log, |
| 47 | (err, updatedConfig) => { |
| 48 | if (err) { |
| 49 | return next(err); |
| 50 | } |
| 51 | return next(null, bucket, updatedConfig); |
| 52 | }); |
| 53 | } |
| 54 | |
| 55 | // If encryption is already configured and a default master key exists |
| 56 | |
| 57 | // If the request does not specify a custom key, reuse the existing default master key id |
| 58 | // This ensures that a new default master key is not generated every time |
| 59 | // `putBucketEncryption` is called, avoiding unnecessary key creation |
| 60 | const updatedConfig = { |
| 61 | mandatory: true, |
| 62 | algorithm: encryptionConfig.algorithm, |
| 63 | cryptoScheme: existingConfig.cryptoScheme, |
| 64 | masterKeyId: existingConfig.masterKeyId, |
| 65 | }; |
| 66 | |
| 67 | // If the request specifies a custom master key id, store it in the updated configuration |
| 68 | const { configuredMasterKeyId } = encryptionConfig; |
| 69 | if (configuredMasterKeyId) { |
| 70 | updatedConfig.configuredMasterKeyId = configuredMasterKeyId; |
| 71 | } |
| 72 | |
| 73 | const { isAccountEncryptionEnabled } = existingConfig; |
| 74 | if (isAccountEncryptionEnabled) { |
| 75 | updatedConfig.isAccountEncryptionEnabled = isAccountEncryptionEnabled; |
| 76 | } |
| 77 |