CLDSRV-657: Functional tests for sse KMS Migration

Test is run in 3 steps:
- seed before migration
- run migration
- run kms kms tests on fresh buckets and objects

Author: BourgoisMickael

package.json

@@ -77,6 +77,10 @@
     "ft_test": "npm-run-all -s ft_awssdk ft_s3cmd ft_s3curl ft_node ft_healthchecks ft_management ft_backbeat",
     "ft_search": "cd tests/functional/aws-node-sdk && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 40000 test/mdSearch",
     "ft_kmip": "cd tests/functional/kmip && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 40000 *.js",
+    "ft_sse_cleanup": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 cleanup.js",
+    "ft_sse_before_migration": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 cleanup.js beforeMigration.js",
+    "ft_sse_migration": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 migration.js",
+    "ft_sse_arn": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 cleanup.js arnPrefix.js",
     "install_ft_deps": "yarn install aws-sdk@2.28.0 bluebird@3.3.1 mocha@2.3.4 mocha-junit-reporter@1.23.1 tv4@1.2.7",
     "lint": "eslint $(git ls-files '*.js')",
     "lint_md": "mdlint $(git ls-files '*.md')",

tests/functional/aws-node-sdk/lib/json/mem_credentials.json

@@ -6,5 +6,9 @@
   "lisa": {
     "accessKey": "accessKey2",
     "secretKey": "verySecretKey2"
+  },
+  "vault": {
+    "accessKey": "TESTAK00000000000000",
+    "secretKey": "TESTSK0000000000000000000000000000000000"
   }
 }

tests/functional/sse-kms-migration/arnPrefix.js

@@ -0,0 +1,38 @@
+/* eslint-disable */
+const helpers = require('./helpers');
+const scenarios = require('./scenarios');
+
+// copy part of aws-node-sdk/test/object/encryptionHeaders.js and add more tests
+
+async function cleanup(Bucket) {
+    try {
+        void await helpers.cleanup(Bucket);
+    } catch (e) {
+        console.log('Ignore error for', Bucket, e.toString());
+    }
+}
+
+describe('SSE KMS Cleanup', () => {
+    /** Bucket to test CopyObject from and to */
+    const copyBkt = 'enc-bkt-copy';
+    const mpuCopyBkt = 'enc-bkt-mpu-copy';
+
+    it('Empty and delete buckets for SSE KMS Migration', async () => {
+        console.log('Run cleanup',
+            { profile: helpers.credsProfile, accessKeyId: helpers.s3.config.credentials.accessKeyId });
+        const allBuckets = (await helpers.s3.listBuckets().promise()).Buckets.map(b => b.Name);
+        console.log('List buckets:', allBuckets);
+
+        void await helpers.MD.setup();
+
+        try {
+            // pre cleanup
+            void await cleanup(copyBkt);
+            void await cleanup(mpuCopyBkt);
+            void await Promise.all(scenarios.testCases.map(async bktConf => {
+                void await cleanup(`enc-bkt-${bktConf.name}`);
+                return await cleanup(`versioned-enc-bkt-${bktConf.name}`);
+            }));
+        } catch (e) { void e; }
+    });
+});

tests/functional/sse-kms-migration/beforeMigration.js

@@ -0,0 +1,11 @@
+{
+
+    "kmsAWS": {
+        "noAwsArn": true,
+        "providerName": "local",
+        "region": "us-east-1", 
+        "endpoint": "http://0:8080",
+        "ak": "456",
+        "sk": "123"
+    }
+}

tests/functional/sse-kms-migration/cleanup.js

@@ -0,0 +1,91 @@
+{
+    "port": 8000,
+    "listenOn": [],
+    "metricsPort": 8002,
+    "metricsListenOn": [],
+    "replicationGroupId": "RG001",
+    "restEndpoints": {
+        "localhost": "us-east-1",
+        "127.0.0.1": "us-east-1",
+        "cloudserver-front": "us-east-1",
+        "s3.docker.test": "us-east-1",
+        "127.0.0.2": "us-east-1",
+        "s3.amazonaws.com": "us-east-1"
+    },
+    "websiteEndpoints": ["s3-website-us-east-1.amazonaws.com",
+                        "s3-website.us-east-2.amazonaws.com",
+                        "s3-website-us-west-1.amazonaws.com",
+                        "s3-website-us-west-2.amazonaws.com",
+                        "s3-website.ap-south-1.amazonaws.com",
+                        "s3-website.ap-northeast-2.amazonaws.com",
+                        "s3-website-ap-southeast-1.amazonaws.com",
+                        "s3-website-ap-southeast-2.amazonaws.com",
+                        "s3-website-ap-northeast-1.amazonaws.com",
+                        "s3-website.eu-central-1.amazonaws.com",
+                        "s3-website-eu-west-1.amazonaws.com",
+                        "s3-website-sa-east-1.amazonaws.com",
+                        "s3-website.localhost",
+                        "s3-website.scality.test"],
+    "replicationEndpoints": [{
+        "site": "zenko",
+        "servers": ["127.0.0.1:8000"],
+        "default": true
+    }, {
+        "site": "us-east-2",
+        "type": "aws_s3"
+    }],
+    "cdmi": {
+        "host": "localhost",
+        "port": 81,
+        "path": "/dewpoint",
+        "readonly": true
+    },
+    "bucketd": {
+        "bootstrap": ["localhost:9000"]
+    },
+    "vaultd": {
+        "host": "localhost",
+        "port": 8500
+    },
+    "clusters": 10,
+    "log": {
+        "logLevel": "info",
+        "dumpLevel": "error"
+    },
+    "healthChecks": {
+        "allowFrom": ["127.0.0.1/8", "::1"]
+    },
+    "metadataClient": {
+        "host": "localhost",
+        "port": 9990
+    },
+    "dataClient": {
+        "host": "localhost",
+        "port": 9991
+    },
+    "metadataDaemon": {
+        "bindAddress": "localhost",
+        "port": 9990
+    },
+    "dataDaemon": {
+        "bindAddress": "localhost",
+        "port": 9991
+    },
+    "recordLog": {
+        "enabled": false,
+        "recordLogName": "s3-recordlog"
+    },
+    "requests": {
+        "viaProxy": false,
+        "trustedProxyCIDRs": [],
+        "extractClientIPFromHeader": ""
+    },
+    "bucketNotificationDestinations": [
+        {
+            "resource": "target1",
+            "type": "dummy",
+            "host": "localhost:6000"
+        }
+    ],
+    "defaultEncryptionKeyPerAccount": true
+}

tests/functional/sse-kms-migration/configs/aws.json

@@ -0,0 +1,18 @@
+{
+    "kmip": {
+        "providerName": "thales",
+        "client": {
+            "compoundCreateActivate": false
+        },
+        "transport": {
+            "pipelineDepth": 8,
+            "tls": {
+                "port": 5696,
+                "host": "pykmip.local",
+                "key": "/tmp/ssl-kmip/kmip-client-key.pem",
+                "cert": "/tmp/ssl-kmip/kmip-client-cert.pem",
+                "ca": "/tmp/ssl-kmip/kmip-ca.pem"
+            }
+        }
+    }
+}

tests/functional/sse-kms-migration/configs/base.json

@@ -0,0 +1,7 @@
+{
+    "sseMigration": {
+        "previousKeyType": "internal",
+        "previousKeyProtocol": "file",
+        "previousKeyProvider": "scality"
+    }
+}

tests/functional/sse-kms-migration/configs/kmip.json

@@ -0,0 +1,116 @@
+/* eslint-disable no-unused-expressions */
+const getConfig = require('../aws-node-sdk/test/support/config');
+const { S3 } = require('aws-sdk');
+const kms = require('../../../lib/kms/wrapper');
+const { promisify } = require('util');
+const { DummyRequestLogger } = require('../../unit/helpers');
+const BucketUtility = require('../aws-node-sdk/lib/utility/bucket-util');
+const metadata = require('../../../lib/metadata/wrapper');
+const log = new DummyRequestLogger();
+const { config } = require('../../../lib/Config');
+const { getKeyIdFromArn } = require('arsenal/build/lib/network/KMSInterface');
+const { ArsenalError } = require('arsenal/build/lib/errors');
+
+function getKey(key) {
+    return config.kmsHideScalityArn ? getKeyIdFromArn(key) : key;
+}
+
+// for Integration use default profile, in cloudserver use vault profile
+const credsProfile = process.env.S3_END_TO_END === 'true' ? 'default' : 'vault';
+const s3config = getConfig(credsProfile, { signatureVersion: 'v4' });
+const s3 = new S3(s3config);
+const bucketUtil = new BucketUtility(credsProfile);
+
+function hydrateSSEConfig({ algo: SSEAlgorithm, masterKeyId: KMSMasterKeyID }) {
+    // stringify and parse to strip undefined values
+    return JSON.parse(JSON.stringify({ Rules: [{
+        ApplyServerSideEncryptionByDefault: {
+            SSEAlgorithm,
+            KMSMasterKeyID,
+        },
+    }] }));
+}
+
+function putObjParams(Bucket, Key, sseConfig, kmsKeyId) {
+    return {
+        Bucket,
+        Key,
+        ...(sseConfig.algo && {
+            ServerSideEncryption: sseConfig.algo,
+            ...(sseConfig.masterKeyId && {
+                SSEKMSKeyId: kmsKeyId,
+            }),
+        }),
+    };
+}
+
+const MD = {
+    setup: promisify(metadata.setup.bind(metadata)),
+    getBucket: promisify(metadata.getBucket.bind(metadata)),
+    getObject: promisify(metadata.getObjectMD.bind(metadata)),
+    updateBucket: promisify(metadata.updateBucket.bind(metadata)),
+};
+
+async function getBucketSSE(Bucket) {
+    const sse = await s3.getBucketEncryption({ Bucket }).promise();
+    return sse
+        .ServerSideEncryptionConfiguration
+        .Rules[0]
+        .ApplyServerSideEncryptionByDefault;
+}
+
+async function putEncryptedObject(Bucket, Key, sseConfig, kmsKeyId, Body) {
+    return s3.putObject({
+        ...putObjParams(Bucket, Key, sseConfig, kmsKeyId),
+        Body,
+    }).promise();
+}
+
+async function getObjectMDSSE(Bucket, Key) {
+    const objMD = await MD.getObject(Bucket, Key, {}, log);
+
+    const sse = objMD['x-amz-server-side-encryption'];
+    const key = objMD['x-amz-server-side-encryption-aws-kms-key-id'];
+
+    return {
+        ServerSideEncryption: sse,
+        SSEKMSKeyId: key,
+    };
+}
+
+async function createKmsKey(log) {
+    return new Promise((resolve, reject) => {
+        kms.client.createBucketKey('testFakeBucketName', log, (err, masterKeyId, masterKeyArn) => {
+            if (err) {
+                if (err instanceof ArsenalError) {
+                    // Help see error detail in logs
+                    // eslint-disable-next-line no-param-reassign
+                    err.message += ` ${err.description}`;
+                }
+                return reject(err);
+            }
+            return resolve({ masterKeyId, masterKeyArn });
+        });
+    });
+}
+
+async function cleanup(Bucket) {
+    await bucketUtil.empty(Bucket);
+    await s3.deleteBucket({ Bucket }).promise();
+}
+
+module.exports = {
+    config,
+    getKey,
+    credsProfile,
+    s3,
+    bucketUtil,
+    hydrateSSEConfig,
+    putObjParams,
+    MD,
+    getBucketSSE,
+    putEncryptedObject,
+    getObjectMDSSE,
+    createKmsKey,
+    cleanup,
+};