Merge branch 'w/9.0/improvement/CLDSRV-670-kms-copy' into tmp/octopus/w/9.1/improvement/CLDSRV-670-kms-copy

Author: bert-e

lib/api/initiateMultipartUpload.js

@@ -23,6 +23,7 @@ const { getObjectSSEConfiguration } = require('./apiUtils/bucket/bucketEncryptio
 const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
 const { setSSEHeaders } = require('./apiUtils/object/sseHeaders');
 const { updateEncryption } = require('./apiUtils/bucket/updateEncryption');
+const kms = require('../kms/wrapper');
 
 /*
 Sample xml response:
@@ -359,6 +360,14 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
                     return next(null, corsHeaders, destinationBucket, objectSSEConfig);
                 }
             ),
+        // If SSE configured, test kms key encryption access, but ignore cipher bundle
+        (corsHeaders, destinationBucket, objectSSEConfig, next) => {
+            if (objectSSEConfig) {
+                return kms.createCipherBundle(objectSSEConfig, log,
+                    err => next(err, corsHeaders, destinationBucket, objectSSEConfig));
+            }
+            return next(null, corsHeaders, destinationBucket, objectSSEConfig);
+        },
     ],
         (error, corsHeaders, destinationBucket, objectSSEConfig) => {
             if (error) {

package.json

@@ -21,7 +21,7 @@
   "dependencies": {
     "@azure/storage-blob": "^12.25.0",
     "@hapi/joi": "^17.1.1",
-    "arsenal": "git+https://github.com/scality/Arsenal#8.2.23",
+    "arsenal": "git+https://github.com/scality/Arsenal#8.2.24",
     "async": "2.6.4",
     "aws-sdk": "^2.1692.0",
     "bucketclient": "scality/bucketclient#8.2.4",

tests/functional/sse-kms-migration/arnPrefix.js

@@ -504,3 +504,163 @@ describe('ensure MPU use good SSE', () => {
         );
     });
 });
+describe('KMS error', () => {
+    const sseConfig = { algo: 'aws:kms', masterKeyId: true };
+    const Bucket = 'bkt-kms-err';
+    const Key = 'obj';
+    const body = 'content';
+
+    let mpuEncrypted;
+    let mpuPlaintext;
+
+    let masterKeyId;
+    let masterKeyArn;
+
+    let expected;
+
+    const expectedKMIP = {
+        code: 'KMS.NotFoundException',
+        msg: (action, keyId) => new RegExp(`^KMS \\(KMIP\\) error for ${action} on ${keyId}\\..*`),
+    };
+    const expectedAWS = {
+        code: 'KMS.KMSInvalidStateException',
+        msg: (_, keyId) => new RegExp(`${keyId} is pending deletion\\.`),
+    };
+    /**
+     * localkms container returns a different error message when the key is pending deletion
+     * as we decrypt without passing the keyId, so we need to handle it separately
+     */
+    const expectedLocalKms = {
+        code: 'KMS.AccessDeniedException',
+        msg: () => new RegExp(
+            'The ciphertext refers to a customer master key that does not exist, ' +
+            'does not exist in this region, or you are not allowed to access\\.'
+        ),
+    };
+    if (helpers.config.backends.kms === 'kmip') {
+        expected = expectedKMIP;
+    } else if (helpers.config.backends.kms === 'aws') {
+        expected = expectedAWS;
+    } else {
+        throw new Error(`Unsupported KMS backend: ${helpers.config.backends.kms}`);
+    }
+
+    function assertKmsError(action, keyId) {
+        return err => {
+            if (helpers.config.backends.kms === 'aws' && action === 'Decrypt') {
+                assert.strictEqual(err.name, expectedLocalKms.code);
+                assert.match(err.message, expectedLocalKms.msg(action, keyId));
+                return true;
+            }
+            assert.strictEqual(err.name, expected.code);
+            assert.match(err.message, expected.msg(action, keyId));
+            return true;
+        };
+    }
+
+    before(async () => {
+        void await helpers.s3.createBucket({ Bucket }).promise();
+
+        await helpers.s3.putObject({
+            ...helpers.putObjParams(Bucket, 'plaintext', {}, null),
+            Body: body,
+        }).promise();
+
+        mpuPlaintext = await helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, 'mpuPlaintext', {}, null)).promise();
+
+        ({ masterKeyId, masterKeyArn } = await helpers.createKmsKey(log));
+
+        await helpers.putEncryptedObject(Bucket, Key, sseConfig, masterKeyArn, body);
+        // ensure we can decrypt and read the object
+        const obj = await helpers.s3.getObject({ Bucket, Key }).promise();
+        assert.strictEqual(obj.Body.toString(), body);
+
+        mpuEncrypted = await helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, 'mpuEncrypted', sseConfig, masterKeyArn)).promise();
+
+        // make key unavailable
+        void await helpers.destroyKmsKey(masterKeyArn, log);
+    });
+
+    after(async () => {
+        void await helpers.cleanup(Bucket);
+        if (masterKeyArn) {
+            try {
+                void await helpers.destroyKmsKey(masterKeyArn, log);
+            } catch (e) { void e; }
+            [masterKeyArn, masterKeyId] = [null, null];
+        }
+    });
+
+    const testCases = [
+        {
+            action: 'putObject', kmsAction: 'Encrypt',
+            fct: async ({ masterKeyArn }) =>
+                helpers.putEncryptedObject(Bucket, 'fail', sseConfig, masterKeyArn, body),
+        },
+        {
+            action: 'getObject', kmsAction: 'Decrypt',
+            fct: async () => helpers.s3.getObject({ Bucket, Key }).promise(),
+        },
+        {
+            action: 'copyObject', detail: ' when getting from source', kmsAction: 'Decrypt',
+            fct: async () =>
+                helpers.s3.copyObject({ Bucket, Key: 'copy', CopySource: `${Bucket}/${Key}` }).promise(),
+        },
+        {
+            action: 'copyObject', detail: ' when putting to destination', kmsAction: 'Encrypt',
+            fct: async ({ masterKeyArn }) => helpers.s3.copyObject({
+                Bucket,
+                Key: 'copyencrypted',
+                CopySource: `${Bucket}/plaintext`,
+                ServerSideEncryption: 'aws:kms',
+                SSEKMSKeyId: masterKeyArn,
+            }).promise(),
+        },
+        {
+            action: 'createMPU', kmsAction: 'Encrypt',
+            fct: async ({ masterKeyArn }) => helpers.s3.createMultipartUpload(
+                helpers.putObjParams(Bucket, 'mpuKeyEncryptedFail', sseConfig, masterKeyArn)).promise(),
+        },
+        {
+            action: 'mpu uploadPartCopy', detail: ' when getting from source', kmsAction: 'Decrypt',
+            fct: async ({ mpuPlaintext }) => helpers.s3.uploadPartCopy({
+                UploadId: mpuPlaintext.UploadId,
+                Bucket,
+                Key: 'mpuPlaintext',
+                PartNumber: 1,
+                CopySource: `${Bucket}/${Key}`,
+            }).promise(),
+        },
+        {
+            action: 'mpu uploadPart', detail: ' when putting to destination', kmsAction: 'Encrypt',
+            fct: async ({ mpuEncrypted }) => helpers.s3.uploadPart({
+                UploadId: mpuEncrypted.UploadId,
+                Bucket,
+                Key: 'mpuEncrypted',
+                PartNumber: 1,
+                Body: body,
+            }).promise(),
+        },
+        {
+            action: 'mpu uploadPartCopy', detail: ' when putting to destination', kmsAction: 'Encrypt',
+            fct: async ({ mpuEncrypted }) => helpers.s3.uploadPartCopy({
+                UploadId: mpuEncrypted.UploadId,
+                Bucket,
+                Key: 'mpuEncrypted',
+                PartNumber: 1,
+                CopySource: `${Bucket}/plaintext`,
+            }).promise(),
+        },
+    ];
+
+    testCases.forEach(({ action, kmsAction, fct, detail }) => {
+        it(`${action} should fail with kms error${detail || ''}`, async () => {
+            await assert.rejects(
+                fct({ masterKeyArn, mpuEncrypted, mpuPlaintext }),
+                assertKmsError(kmsAction, masterKeyId),
+            );
+        });
+    });
+});

tests/functional/sse-kms-migration/helpers.js

@@ -93,6 +93,8 @@ async function createKmsKey(log) {
     });
 }
 
+const destroyKmsKey = promisify(kms.destroyBucketKey);
+
 async function cleanup(Bucket) {
     await bucketUtil.empty(Bucket);
     await s3.deleteBucket({ Bucket }).promise();
@@ -111,5 +113,6 @@ module.exports = {
     putEncryptedObject,
     getObjectMDSSE,
     createKmsKey,
+    destroyKmsKey,
     cleanup,
 };

yarn.lock

@@ -229,10 +229,10 @@
   resolved "https://registry.yarnpkg.com/@azure/msal-common/-/msal-common-15.3.0.tgz#cc75760f7929588b261b970a1dd1d292d0efdbc8"
   integrity sha512-lh+eZfibGwtQxFnx+mj6cYWn0pwA8tDnn8CBs9P21nC7Uw5YWRwfXaXdVQSMENZ5ojRqR+NzRaucEo4qUvs3pA==
 
-"@azure/msal-common@15.6.0":
-  version "15.6.0"
-  resolved "https://registry.yarnpkg.com/@azure/msal-common/-/msal-common-15.6.0.tgz#0764d6446eeff3970221995e25f265fdb218da66"
-  integrity sha512-EotmBz42apYGjqiIV9rDUdptaMptpTn4TdGf3JfjLvFvinSe9BJ6ywU92K9ky+t/b0ghbeTSe9RfqlgLh8f2jA==
+"@azure/msal-common@15.7.1":
+  version "15.7.1"
+  resolved "https://registry.yarnpkg.com/@azure/msal-common/-/msal-common-15.7.1.tgz#6f8df5ace9c94d570b5eec1abc6ebdd4e12831f1"
+  integrity sha512-a0eowoYfRfKZEjbiCoA5bPT3IlWRAdGSvi63OU23Hv+X6EI8gbvXCoeqokUceFMoT9NfRUWTJSx5FiuzruqT8g==
 
 "@azure/msal-node@^3.2.3":
   version "3.4.0"
@@ -244,11 +244,11 @@
     uuid "^8.3.0"
 
 "@azure/msal-node@^3.5.0":
-  version "3.5.3"
-  resolved "https://registry.yarnpkg.com/@azure/msal-node/-/msal-node-3.5.3.tgz#02f7a2344a2c2994354a0cec125b9ef9a8e7109b"
-  integrity sha512-c5mifzHX5mwm5JqMIlURUyp6LEEdKF1a8lmcNRLBo0lD7zpSYPHupa4jHyhJyg9ccLwszLguZJdk2h3ngnXwNw==
+  version "3.6.1"
+  resolved "https://registry.yarnpkg.com/@azure/msal-node/-/msal-node-3.6.1.tgz#1f288c3de15bdd734cc41a39bbd50f5a83fd64a1"
+  integrity sha512-ctcVz4xS+st5KxOlQqgpvA+uDFAa59CvkmumnuhlD2XmNczloKBdCiMQG7/TigSlaeHe01qoOlDjz3TyUAmKUg==
   dependencies:
-    "@azure/msal-common" "15.6.0"
+    "@azure/msal-common" "15.7.1"
     jsonwebtoken "^9.0.0"
     uuid "^8.3.0"
 
@@ -1296,9 +1296,9 @@ arraybuffer.prototype.slice@^1.0.4:
     get-intrinsic "^1.2.6"
     is-array-buffer "^3.0.4"
 
-"arsenal@git+https://github.com/scality/Arsenal#8.2.23":
-  version "8.2.23"
-  resolved "git+https://github.com/scality/Arsenal#77d5781ba013708e44251c4e0142428c5f05a643"
+"arsenal@git+https://github.com/scality/Arsenal#8.2.24":
+  version "8.2.24"
+  resolved "git+https://github.com/scality/Arsenal#ebf56826f4201d3bc88b5e5c7e9653c788184c29"
   dependencies:
     "@azure/identity" "^4.10.1"
     "@azure/storage-blob" "^12.27.0"