CLDSRV-670: Test KMS error returned to end user

BourgoisMickael · BourgoisMickael · commit 46e468adc8b2 · 2025-06-24T01:05:43.000+02:00
diff --git a/tests/functional/sse-kms-migration/arnPrefix.js b/tests/functional/sse-kms-migration/arnPrefix.js
@@ -6,6 +6,7 @@ const log = new DummyRequestLogger();
 const { makeRequest } = require('../raw-node/utils/makeRequest');
 const helpers = require('./helpers');
 const scenarios = require('./scenarios');
+const kms = require('../../../lib/kms/wrapper');
 
 // copy part of aws-node-sdk/test/object/encryptionHeaders.js and add more tests
 
@@ -505,3 +506,164 @@ describe('ensure MPU use good SSE', () => {
         );
     });
 });
+
+describe('KMS error', () => {
+    const destroyKmsKey = promisify(kms.destroyBucketKey);
+    const sseConfig = { algo: 'aws:kms', masterKeyId: true }
+    const Bucket = 'bkt-kms-err';
+    const Key = 'obj';
+    const body = 'content';
+
+    let masterKeyId, masterKeyArn;
+    let anotherKeyInfo;
+
+    let expectedErr, expectedMsg;
+
+    const expectedKMIP = {
+        code: /KMS\.NotFoundException/,
+        msg: (action, keyId) => new RegExp(`^KMS \\(KMIP\\) error for ${action} on ${keyId}\\..*`),
+    };
+    // localkms container returns a different error message when the key is pending deletion
+    // as we decrypt without passing the keyId, so we need to handle it separately
+    const localKms = 'The ciphertext refers to a customer master key that does not exist, ' +
+        'does not exist in this region, or you are not allowed to access\\.';
+    const expectedAWS = {
+        code: /KMS\.KMSInvalidStateException|KMS\.AccessDeniedException/,
+        msg: (_, keyId) => new RegExp(`${keyId} is pending deletion\\.|${localKms}`),
+    };
+
+    if (helpers.config.backends.kms === 'kmip') {
+        ({ code: expectedErr, msg: expectedMsg } = expectedKMIP);
+    } else if (helpers.config.backends.kms === 'aws') {
+        ({ code: expectedErr, msg: expectedMsg } = expectedAWS);
+    } else {
+        throw new Error(`Unsupported KMS backend: ${helpers.config.backends.kms}`);
+    }
+
+    function assertKmsError(action, keyId) {
+        return err => {
+            assert.match(err.name, expectedErr);
+            assert.match(err.message, expectedMsg(action, keyId));
+            return true;
+        };
+    }
+
+
+    before(async () => {
+        void await helpers.s3.createBucket({ Bucket }).promise();
+        await helpers.s3.putObject({
+            ...helpers.putObjParams(Bucket, 'plaintext', {}, null),
+            Body: body,
+        }).promise();
+
+        ({ masterKeyId, masterKeyArn } = await helpers.createKmsKey(log));
+        await helpers.putEncryptedObject(Bucket, Key, sseConfig, masterKeyArn, body);
+        // ensure we can decrypt and read the object
+        const obj = await helpers.s3.getObject({ Bucket, Key }).promise();
+        assert.strictEqual(obj.Body.toString(), body);
+        void await destroyKmsKey(masterKeyArn, log);
+    });
+
+    after(async () => {
+        void await helpers.cleanup(Bucket);
+        if (masterKeyArn) {
+            try {
+                void await destroyKmsKey(masterKeyArn, log);
+            } catch (e) { void e; }
+            [masterKeyArn, masterKeyId] = [null, null];
+        }
+    });
+
+    afterEach(async () => {
+        if (anotherKeyInfo) {
+            try {
+                void await destroyKmsKey(anotherKeyInfo.masterKeyArn, log);
+            } catch (e) { void e; }
+            anotherKeyInfo = null;
+        }
+    });
+
+    it('putObject should fail with kms error', async () => {
+        await assert.rejects(helpers.putEncryptedObject(Bucket, 'fail', sseConfig, masterKeyArn, body),
+        assertKmsError('Encrypt', masterKeyId));
+    });
+
+    it('getObject should fail with kms error', async () => {
+        await assert.rejects(helpers.s3.getObject({ Bucket, Key }).promise(),
+        assertKmsError('Decrypt', masterKeyId));
+    });
+
+    it('copyObject should fail with kms error when getting from source', async () => {
+        await assert.rejects(helpers.s3.copyObject(
+            { Bucket, Key: 'copy', CopySource: `${Bucket}/${Key}` }).promise(),
+            assertKmsError('Decrypt', masterKeyId)
+        );
+    });
+
+    it('copyObject should fail with kms error when putting to destination', async () => {
+        await assert.rejects(helpers.s3.copyObject(
+            {
+                Bucket,
+                Key: 'copyencrypted',
+                CopySource: `${Bucket}/plaintext`,
+                ServerSideEncryption: 'aws:kms',
+                SSEKMSKeyId: masterKeyArn,
+            }
+        ).promise(),
+        assertKmsError('Encrypt', masterKeyId));
+    });
+
+    it('createMPU should fail with kms error', async () => {
+        const mpuKey = 'mpuKeyEncryptedFail';
+        await assert.rejects(helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, mpuKey, sseConfig, masterKeyArn)).promise(),
+            assertKmsError('Encrypt', masterKeyId));
+    });
+
+    it('mpu uploadPartCopy should fail with kms error when getting from source', async () => {
+        const mpuKey = 'mpuKey';
+        const mpu = await helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, mpuKey, {}, null)).promise();
+        await assert.rejects(helpers.s3.uploadPartCopy(
+            {
+                UploadId: mpu.UploadId,
+                Bucket,
+                Key: mpuKey,
+                PartNumber: 1,
+                CopySource: `${Bucket}/${Key}`,
+            }
+        ).promise(),
+        assertKmsError('Decrypt', masterKeyId));
+    });
+
+    it('mpu uploadPart & copy should fail with kms error when putting to destination', async () => {
+        const mpuKey = 'mpuKeyEncrypted';
+        anotherKeyInfo = await helpers.createKmsKey(log);
+
+        const mpu = await helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, mpuKey, sseConfig, anotherKeyInfo.masterKeyArn)).promise();
+
+        void await destroyKmsKey(anotherKeyInfo.masterKeyArn, log);
+        await assert.rejects(helpers.s3.uploadPart(
+            {
+                UploadId: mpu.UploadId,
+                Bucket,
+                Key: mpuKey,
+                PartNumber: 1,
+                Body: body,
+            }
+        ).promise(),
+        assertKmsError('Encrypt', anotherKeyInfo.masterKeyId));
+
+        await assert.rejects(helpers.s3.uploadPartCopy(
+            {
+                UploadId: mpu.UploadId,
+                Bucket,
+                Key: mpuKey,
+                PartNumber: 1,
+                CopySource: `${Bucket}/plaintext`,
+            }
+        ).promise(),
+        assertKmsError('Encrypt', anotherKeyInfo.masterKeyId));
+    });
+});
