// Anchored form of the Scality KMS ARN prefix, used below to assert whether a
// stored SSEKMSKeyId already starts with it. SCAL_KMS_ARN is interpolated
// unescaped — NOTE(review): confirm it contains no regex metacharacters.
const SCAL_KMS_ARN_REG = new RegExp(`^${SCAL_KMS_ARN}`);
| 17 | |
/**
 * Assert that an object's SSE state is consistent across the metadata
 * backend, HeadObject, the command's response headers and GetObject.
 *
 * Object-level configuration takes precedence over bucket-level
 * configuration for the algorithm. The expected KMS key id is derived from
 * the metadata read before HeadObject and compared, with the ARN prefix
 * applied, against the metadata read again afterwards.
 *
 * @param {object} target - { Bucket, Key, VersionId, Body }; Body is the
 *   plaintext expected back from GetObject.
 * @param {object} objSide - { obj, objConf }: object-level kms key and SSE config.
 * @param {object} bktSide - { bkt, bktConf }: bucket-level kms key and SSE config.
 * @param {object} [opts] - arnPrefix expected on migrated metadata, `put` when the
 *   object was just written by the command under test, and that command's
 *   response `headers` (putObject, CopyObject, MPUs...) when available.
 * @returns {Promise<void>}
 * @throws {AssertionError} on the first mismatch.
 */
async function assertObjectSSE(
    { Bucket, Key, VersionId, Body },
    { obj, objConf },
    { bkt, bktConf },
    // headers come from the command like putObject, CopyObject, MPUs...
    { arnPrefix = kms.arnPrefix, put, headers } = { arnPrefix: kms.arnPrefix },
) {
    // Read metadata before and after HeadObject: the second read is the
    // "migrated" view (presumably HeadObject triggers the migration — confirm).
    const mdBefore = await helpers.getObjectMDSSE(Bucket, Key);
    const head = await helpers.s3.headObject({ Bucket, Key, VersionId });
    const mdAfter = await helpers.getObjectMDSSE(Bucket, Key);

    // A key already in Scality ARN form is kept as-is; otherwise the
    // migration is expected to prepend arnPrefix.
    const keyAlreadyScalityArn = Boolean(mdBefore.SSEKMSKeyId)
        && isScalityKmsArn(mdBefore.SSEKMSKeyId);
    const expectedKey = `${keyAlreadyScalityArn ? '' : arnPrefix}${mdBefore.SSEKMSKeyId}`;

    // Outside of a fresh put, the key found in metadata must still be in its
    // pre-migration form, i.e. not already carrying the Scality ARN form.
    if (!put && mdBefore.SSEKMSKeyId) {
        assert.doesNotMatch(mdBefore.SSEKMSKeyId, SCAL_KMS_ARN_REG);
    }

    // Object configuration wins over bucket configuration.
    const expectedAlgo = objConf.algo || bktConf.algo;
    assert.strictEqual(head.ServerSideEncryption, expectedAlgo);
    if (headers) {
        assert.strictEqual(headers.ServerSideEncryption, expectedAlgo);
    }

    // Once migrated, metadata must carry the full key with the ARN prefix.
    if (mdAfter.SSEKMSKeyId) {
        assert.strictEqual(mdAfter.SSEKMSKeyId, expectedKey);
    }

    // A key id is expected on HeadObject (and headers) when the object has
    // its own key, when a non-AES256 object inherits the bucket key, or
    // whenever the algorithm is aws:kms: unlike AWS, a masterKeyId is always
    // returned even when none was explicitly configured.
    const expectsKeyId = Boolean(obj.kmsKey)
        || (objConf.algo !== 'AES256' && Boolean(bkt.kmsKey))
        || head.ServerSideEncryption === 'aws:kms';
    const expectedKeyId = expectsKeyId ? helpers.getKey(expectedKey) : undefined;
    assert.strictEqual(head.SSEKMSKeyId, expectedKeyId);
    if (headers) {
        assert.strictEqual(headers.SSEKMSKeyId, expectedKeyId);
    }

    // Always round-trip the body through GetObject to ensure accurate decryption.
    const getParams = { Bucket, Key };
    if (VersionId) {
        getParams.VersionId = VersionId;
    }
    const get = await helpers.s3.getObject(getParams);
    assert.strictEqual(get.Body.toString(), Body);
}
| 64 | |
| 65 | describe('SSE KMS migration', () => { |
| 66 | /** Bucket to test CopyObject from and to */ |