fixup tests localkms assertion + factorization test array

Author: BourgoisMickael

tests/functional/sse-kms-migration/arnPrefix.js

@@ -505,59 +505,82 @@ describe('ensure MPU use good SSE', () => {
         );
     });
 });
-
 describe('KMS error', () => {
-    const sseConfig = { algo: 'aws:kms', masterKeyId: true }
+    const sseConfig = { algo: 'aws:kms', masterKeyId: true };
     const Bucket = 'bkt-kms-err';
     const Key = 'obj';
     const body = 'content';
 
-    let masterKeyId, masterKeyArn;
-    let anotherKeyInfo;
+    let mpuEncrypted;
+    let mpuPlaintext;
+
+    let masterKeyId;
+    let masterKeyArn;
 
-    let expectedErr, expectedMsg;
+    let expected;
 
     const expectedKMIP = {
-        code: /KMS\.NotFoundException/,
+        code: 'KMS.NotFoundException',
         msg: (action, keyId) => new RegExp(`^KMS \\(KMIP\\) error for ${action} on ${keyId}\\..*`),
     };
-    // localkms container returns a different error message when the key is pending deletion
-    // as we decrypt without passing the keyId, so we need to handle it separately
-    const localKms = 'The ciphertext refers to a customer master key that does not exist, ' +
-        'does not exist in this region, or you are not allowed to access\\.';
     const expectedAWS = {
-        code: /KMS\.KMSInvalidStateException|KMS\.AccessDeniedException/,
-        msg: (_, keyId) => new RegExp(`${keyId} is pending deletion\\.|${localKms}`),
+        code: 'KMS.KMSInvalidStateException',
+        msg: (_, keyId) => new RegExp(`${keyId} is pending deletion\\.`),
+    };
+    /**
+     * localkms container returns a different error message when the key is pending deletion
+     * as we decrypt without passing the keyId, so we need to handle it separately
+     */
+    const expectedLocalKms = {
+        code: 'KMS.AccessDeniedException',
+        msg: () => new RegExp(
+            'The ciphertext refers to a customer master key that does not exist, ' +
+            'does not exist in this region, or you are not allowed to access\\.'
+        ),
     };
-
     if (helpers.config.backends.kms === 'kmip') {
-        ({ code: expectedErr, msg: expectedMsg } = expectedKMIP);
+        expected = expectedKMIP;
     } else if (helpers.config.backends.kms === 'aws') {
-        ({ code: expectedErr, msg: expectedMsg } = expectedAWS);
+        expected = expectedAWS;
     } else {
         throw new Error(`Unsupported KMS backend: ${helpers.config.backends.kms}`);
     }
 
     function assertKmsError(action, keyId) {
         return err => {
-            assert.match(err.name, expectedErr);
-            assert.match(err.message, expectedMsg(action, keyId));
+            if (helpers.config.backends.kms === 'aws' && action === 'Decrypt') {
+                assert.strictEqual(err.name, expectedLocalKms.code);
+                assert.match(err.message, expectedLocalKms.msg(action, keyId));
+                return true;
+            }
+            assert.strictEqual(err.name, expected.code);
+            assert.match(err.message, expected.msg(action, keyId));
             return true;
         };
     }
 
     before(async () => {
         void await helpers.s3.createBucket({ Bucket }).promise();
+
         await helpers.s3.putObject({
             ...helpers.putObjParams(Bucket, 'plaintext', {}, null),
             Body: body,
         }).promise();
 
+        mpuPlaintext = await helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, 'mpuPlaintext', {}, null)).promise();
+
         ({ masterKeyId, masterKeyArn } = await helpers.createKmsKey(log));
+
         await helpers.putEncryptedObject(Bucket, Key, sseConfig, masterKeyArn, body);
         // ensure we can decrypt and read the object
         const obj = await helpers.s3.getObject({ Bucket, Key }).promise();
         assert.strictEqual(obj.Body.toString(), body);
+
+        mpuEncrypted = await helpers.s3.createMultipartUpload(
+            helpers.putObjParams(Bucket, 'mpuEncrypted', sseConfig, masterKeyArn)).promise();
+
+        // make key unavailable
         void await helpers.destroyKmsKey(masterKeyArn, log);
     });
 
@@ -571,96 +594,74 @@ describe('KMS error', () => {
         }
     });
 
-    afterEach(async () => {
-        if (anotherKeyInfo) {
-            try {
-                void await helpers.destroyKmsKey(anotherKeyInfo.masterKeyArn, log);
-            } catch (e) { void e; }
-            anotherKeyInfo = null;
-        }
-    });
-
-    it('putObject should fail with kms error', async () => {
-        await assert.rejects(helpers.putEncryptedObject(Bucket, 'fail', sseConfig, masterKeyArn, body),
-        assertKmsError('Encrypt', masterKeyId));
-    });
-
-    it('getObject should fail with kms error', async () => {
-        await assert.rejects(helpers.s3.getObject({ Bucket, Key }).promise(),
-        assertKmsError('Decrypt', masterKeyId));
-    });
-
-    it('copyObject should fail with kms error when getting from source', async () => {
-        await assert.rejects(helpers.s3.copyObject(
-            { Bucket, Key: 'copy', CopySource: `${Bucket}/${Key}` }).promise(),
-            assertKmsError('Decrypt', masterKeyId)
-        );
-    });
-
-    it('copyObject should fail with kms error when putting to destination', async () => {
-        await assert.rejects(helpers.s3.copyObject(
-            {
+    const testCases = [
+        {
+            action: 'putObject', kmsAction: 'Encrypt',
+            fct: async ({ masterKeyArn }) =>
+                helpers.putEncryptedObject(Bucket, 'fail', sseConfig, masterKeyArn, body),
+        },
+        {
+            action: 'getObject', kmsAction: 'Decrypt',
+            fct: async () => helpers.s3.getObject({ Bucket, Key }).promise(),
+        },
+        {
+            action: 'copyObject', detail: ' when getting from source', kmsAction: 'Decrypt',
+            fct: async () =>
+                helpers.s3.copyObject({ Bucket, Key: 'copy', CopySource: `${Bucket}/${Key}` }).promise(),
+        },
+        {
+            action: 'copyObject', detail: ' when putting to destination', kmsAction: 'Encrypt',
+            fct: async ({ masterKeyArn }) => helpers.s3.copyObject({
                 Bucket,
                 Key: 'copyencrypted',
                 CopySource: `${Bucket}/plaintext`,
                 ServerSideEncryption: 'aws:kms',
                 SSEKMSKeyId: masterKeyArn,
-            }
-        ).promise(),
-        assertKmsError('Encrypt', masterKeyId));
-    });
-
-    it('createMPU should fail with kms error', async () => {
-        const mpuKey = 'mpuKeyEncryptedFail';
-        await assert.rejects(helpers.s3.createMultipartUpload(
-            helpers.putObjParams(Bucket, mpuKey, sseConfig, masterKeyArn)).promise(),
-            assertKmsError('Encrypt', masterKeyId));
-    });
-
-    it('mpu uploadPartCopy should fail with kms error when getting from source', async () => {
-        const mpuKey = 'mpuKey';
-        const mpu = await helpers.s3.createMultipartUpload(
-            helpers.putObjParams(Bucket, mpuKey, {}, null)).promise();
-        await assert.rejects(helpers.s3.uploadPartCopy(
-            {
-                UploadId: mpu.UploadId,
+            }).promise(),
+        },
+        {
+            action: 'createMPU', kmsAction: 'Encrypt',
+            fct: async ({ masterKeyArn }) => helpers.s3.createMultipartUpload(
+                helpers.putObjParams(Bucket, 'mpuKeyEncryptedFail', sseConfig, masterKeyArn)).promise(),
+        },
+        {
+            action: 'mpu uploadPartCopy', detail: ' when getting from source', kmsAction: 'Decrypt',
+            fct: async ({ mpuPlaintext }) => helpers.s3.uploadPartCopy({
+                UploadId: mpuPlaintext.UploadId,
                 Bucket,
-                Key: mpuKey,
+                Key: 'mpuPlaintext',
                 PartNumber: 1,
                 CopySource: `${Bucket}/${Key}`,
-            }
-        ).promise(),
-        assertKmsError('Decrypt', masterKeyId));
-    });
-
-    it('mpu uploadPart & copy should fail with kms error when putting to destination', async () => {
-        const mpuKey = 'mpuKeyEncrypted';
-        anotherKeyInfo = await helpers.createKmsKey(log);
-
-        const mpu = await helpers.s3.createMultipartUpload(
-            helpers.putObjParams(Bucket, mpuKey, sseConfig, anotherKeyInfo.masterKeyArn)).promise();
-
-        void await helpers.destroyKmsKey(anotherKeyInfo.masterKeyArn, log);
-        await assert.rejects(helpers.s3.uploadPart(
-            {
-                UploadId: mpu.UploadId,
+            }).promise(),
+        },
+        {
+            action: 'mpu uploadPart', detail: ' when putting to destination', kmsAction: 'Encrypt',
+            fct: async ({ mpuEncrypted }) => helpers.s3.uploadPart({
+                UploadId: mpuEncrypted.UploadId,
                 Bucket,
-                Key: mpuKey,
+                Key: 'mpuEncrypted',
                 PartNumber: 1,
                 Body: body,
-            }
-        ).promise(),
-        assertKmsError('Encrypt', anotherKeyInfo.masterKeyId));
-
-        await assert.rejects(helpers.s3.uploadPartCopy(
-            {
-                UploadId: mpu.UploadId,
+            }).promise(),
+        },
+        {
+            action: 'mpu uploadPartCopy', detail: ' when putting to destination', kmsAction: 'Encrypt',
+            fct: async ({ mpuEncrypted }) => helpers.s3.uploadPartCopy({
+                UploadId: mpuEncrypted.UploadId,
                 Bucket,
-                Key: mpuKey,
+                Key: 'mpuEncrypted',
                 PartNumber: 1,
                 CopySource: `${Bucket}/plaintext`,
-            }
-        ).promise(),
-        assertKmsError('Encrypt', anotherKeyInfo.masterKeyId));
+            }).promise(),
+        },
+    ];
+
+    testCases.forEach(({ action, kmsAction, fct, detail }) => {
+        it(`${action} should fail with kms error${detail || ''}`, async () => {
+            await assert.rejects(
+                fct({ masterKeyArn, mpuEncrypted, mpuPlaintext }),
+                assertKmsError(kmsAction, masterKeyId),
+            );
+        });
     });
 });