* * @param {BucketInfo} bucket - bucket info * @param {object} sseConfig - SSE configuration * @param {object} log - logger object * @param {function} cb - callback * @returns {undefined} * @callback called with (err, serverSideEncryptionInfo: object)
(bucket, sseConfig, log, cb)
| 231 | * @callback called with (err, serverSideEncryptionInfo: object) |
| 232 | */ |
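static bucketLevelEncryption(bucket, sseConfig, log, cb) {
    /*
    The purpose of bucket level encryption is so that the client does not
    have to send appropriate headers to trigger encryption on each object
    put in an "encrypted bucket". Customer provided keys are not
    feasible in this system because we do not want to store this key
    in the bucket metadata.

    Contract:
    - `algorithm` must be exactly 'AES256' or 'aws:kms'; anything else
      (including undefined) means "no encryption" and the callback gets
      (null, null). An unknown algorithm is NOT an error here.
    - `mandatory` only takes effect when it is the boolean `true`;
      truthy strings such as 'true' are treated as false.
    - `configuredMasterKeyId` is only honoured for 'aws:kms'. A Scality
      ARN is validated against the available backends; any other value is
      treated as a bare key id and merely prefixed with the current KMS
      client's arnPrefix -- it is not validated here.
    - A null/undefined `sseConfig` throws (TypeError on destructuring)
      rather than silently falling through to "no encryption".
    - The callback is always invoked asynchronously. The previous
      implementation deferred only the configured-key success path and
      called back synchronously on the validation-error and
      no-encryption paths, which gives callers two different contracts.
    */
    const { algorithm, configuredMasterKeyId, mandatory } = sseConfig;

    // Single exit helper so every branch hands control back to the
    // caller on a later tick, never re-entrantly.
    const done = (err, info) => process.nextTick(() => cb(err, info));

    if (algorithm !== 'AES256' && algorithm !== 'aws:kms') {
        /*
         * no encryption
         */
        return done(null, null);
    }

    const serverSideEncryptionInfo = {
        cryptoScheme: 1,
        algorithm,
        // strict boolean check: only `true` makes encryption mandatory
        mandatory: mandatory === true,
    };

    if (algorithm === 'aws:kms' && configuredMasterKeyId) {
        // If input key is scality arn format it needs validation
        // otherwise prepend the current KMS client arnPrefix
        if (isScalityKmsArn(configuredMasterKeyId)) {
            const detail = extractDetailFromArn(configuredMasterKeyId);
            const error = validateKeyDetail(detail, availableBackends);
            if (error) {
                return done(error);
            }
            serverSideEncryptionInfo.configuredMasterKeyId = configuredMasterKeyId;
        } else {
            // NOTE(review): a non-ARN key id is accepted as-is and only
            // prefixed; nothing here checks that the key exists or
            // belongs to this backend. Presumably the KMS backend rejects
            // unknown key ids when the key is first used -- confirm.
            serverSideEncryptionInfo.configuredMasterKeyId =
                `${client.backend.arnPrefix}${configuredMasterKeyId}`;
        }

        return done(null, serverSideEncryptionInfo);
    }

    // AES256, or aws:kms without a configured key: have the KMS layer
    // create (or look up) a per-bucket master key.
    return this.createBucketKey(bucket, log, (err, data) => {
        if (err) {
            return done(err);
        }

        const { masterKeyId, masterKeyArn, isAccountEncryptionEnabled } = data;
        // Prefer the ARN form when the backend reports one.
        serverSideEncryptionInfo.masterKeyId = masterKeyArn || masterKeyId;

        // Only record the flag when set, so existing metadata without it
        // keeps the same shape.
        if (isAccountEncryptionEnabled) {
            serverSideEncryptionInfo.isAccountEncryptionEnabled = isAccountEncryptionEnabled;
        }

        return done(null, serverSideEncryptionInfo);
    });
}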
| 288 | |
| 289 | /** |
| 290 | * |