Merge remote-tracking branch 'origin/improvement/CLDSRV-625-kms-ip' into w/8.8/improvement/CLDSRV-625-kms-ip

Author: BourgoisMickael

lib/Config.js

@@ -690,6 +690,114 @@ class Config extends EventEmitter {
         return kmsAWS;
     }
 
+    _parseKmipTransport(transportKmip) {
+        const transport = {
+            /** Specify the request pipeline depth here.
+             * If for some reason the server sends the replies
+             * out of order and confuses the client, a value of 1
+             * should be a convenient workaround for a server side bug.
+             * The default value of 8 is fine and there is almost no
+             * benefit to tune this value for performance improvement.
+             * Note: 0 is not an appropriate value and will fall back to 1.
+             */
+            pipelineDepth: process.env.S3KMIP_PIPELINE_DEPTH || 8,
+            tls: {
+                port: process.env.S3KMIP_PORT || 5696,
+                // ignore multiple hosts via env
+                // prefer array of transport in config file
+                // for customization per host
+                host: process.env.S3KMIP_HOSTS || process.env.S3KMIP_HOST,
+                key: this._loadTlsFile(process.env.S3KMIP_KEY || undefined),
+                cert: this._loadTlsFile(process.env.S3KMIP_CERT ||
+                                        undefined),
+                ca: (process.env.S3KMIP_CA
+                     ? process.env.S3KMIP_CA.split(',')
+                     : []).map(ca => this._loadTlsFile(ca)),
+            },
+        };
+        if (transportKmip.pipelineDepth) {
+            assert(typeof transportKmip.pipelineDepth === 'number');
+            transport.pipelineDepth = transportKmip.pipelineDepth;
+        }
+        if (transportKmip.tls) {
+            const { host, port, key, cert, ca } = transportKmip.tls;
+            if (!!key !== !!cert) {
+                throw new Error('bad config: KMIP TLS certificate ' +
+                                'and key must come along');
+            }
+            if (port) {
+                assert(typeof port === 'number',
+                       'bad config: KMIP TLS Port must be a number');
+                transport.tls.port = port;
+            }
+            if (host) {
+                assert(typeof host === 'string',
+                       'bad config: KMIP TLS Host must be a string');
+                transport.tls.host = host;
+            }
+            if (key) {
+                transport.tls.key = this._loadTlsFile(key);
+            }
+            if (cert) {
+                transport.tls.cert = this._loadTlsFile(cert);
+            }
+            if (Array.isArray(ca)) {
+                transport.tls.ca = ca.map(ca => this._loadTlsFile(ca));
+            } else {
+                transport.tls.ca = this._loadTlsFile(ca);
+            }
+        }
+        return transport;
+    }
+
+    _parseKmsKmip(config) {
+        this.kmip = {
+            client: {
+                /** Enable this option if the KMIP Server supports
+                 * Create and Activate in one operation.
+                 * Leave it disabled to prevent clock desynchronisation
+                 * issues because the two steps creation uses server's
+                 * time for `now' instead of client specified activation date
+                 * which also targets the present instant.
+                 */
+                compoundCreateActivate:
+                (process.env.S3KMIP_COMPOUND_CREATE === 'true') || false,
+                /** Set the bucket name attribute name here if the KMIP
+                 * server supports storing custom attributes along
+                 * with the keys.
+                 */
+                bucketNameAttributeName:
+                process.env.S3KMIP_BUCKET_ATTRIBUTE_NAME || '',
+            },
+            transport: this._parseKmipTransport({}),
+        };
+        if (config.kmip) {
+            if (config.kmip.client) {
+                if (config.kmip.client.compoundCreateActivate) {
+                    assert(typeof config.kmip.client.compoundCreateActivate ===
+                          'boolean');
+                    this.kmip.client.compoundCreateActivate =
+                        config.kmip.client.compoundCreateActivate;
+                }
+                if (config.kmip.client.bucketNameAttributeName) {
+                    assert(typeof config.kmip.client.bucketNameAttributeName ===
+                          'string');
+                    this.kmip.client.bucketNameAttributeName =
+                        config.kmip.client.bucketNameAttributeName;
+                }
+            }
+            if (config.kmip.transport) {
+                if (Array.isArray(config.kmip.transport)) {
+                    this.kmip.transport = config.kmip.transport.map(t =>
+                        this._parseKmipTransport(t));
+                } else {
+                    this.kmip.transport =
+                        this._parseKmipTransport(config.kmip.transport);
+                }
+            }
+        }
+    }
+
     _getLocationConfig() {
         let locationConfig;
         try {
@@ -1394,110 +1502,7 @@ class Config extends EventEmitter {
             }
         }
 
-        this.kmip = {
-            client: {
-                /* Enable this option if the KMIP Server supports
-                 * Create and Activate in one operation.
-                 * Leave it disabled to prevent clock desynchronisation
-                 * issues because the two steps creation uses server's
-                 * time for `now' instead of client specified activation date
-                 * which also targets the present instant.
-                 */
-                compoundCreateActivate:
-                (process.env.S3KMIP_COMPOUND_CREATE === 'true') || false,
-                /* Set the bucket name attribute name here if the KMIP
-                 * server supports storing custom attributes along
-                 * with the keys.
-                 */
-                bucketNameAttributeName:
-                process.env.S3KMIP_BUCKET_ATTRIBUTE_NAME || '',
-            },
-            transport: {
-                /* Specify the request pipeline depth here.
-                 * If for some reason the server sends the replies
-                 * out of order and confuses the client, a value of 1
-                 * should be a convenient workaround for a server side bug.
-                 * The default value of 8 is fine and there is almost no
-                 * benefit to tune this value for performance improvement.
-                 * Note: 0 is not an appropriate value and will fall back to 1.
-                 */
-                pipelineDepth: process.env.S3KMIP_PIPELINE_DEPTH || 8,
-                tls: {
-                    port: process.env.S3KMIP_PORT || 5696,
-                    /* TODO: HA is not implmented yet.
-                     * The code expects only one host, but the
-                     * configuration already permits to provide
-                     * plenty of them (separated with commas).
-                     * This comment must be removed, the
-                     * S3KMIP_HOSTS must be split and transformed
-                     * into an array of strings. And the 'host' attribute
-                     * must become 'hosts'
-                     */
-                    host: process.env.S3KMIP_HOSTS,
-                    key: this._loadTlsFile(process.env.S3KMIP_KEY || undefined),
-                    cert: this._loadTlsFile(process.env.S3KMIP_CERT ||
-                                            undefined),
-                    ca: (process.env.S3KMIP_CA
-                         ? process.env.S3KMIP_CA.split(',')
-                         : []).map(this._loadTlsFile),
-                },
-            },
-        };
-        if (config.kmip) {
-            if (config.kmip.client) {
-                if (config.kmip.client.compoundCreateActivate) {
-                    assert(typeof config.kmip.client.compoundCreateActivate ===
-                          'boolean');
-                    this.kmip.client.compoundCreateActivate =
-                        config.kmip.client.compoundCreateActivate;
-                }
-                if (config.kmip.client.bucketNameAttributeName) {
-                    assert(typeof config.kmip.client.bucketNameAttributeName ===
-                          'string');
-                    this.kmip.client.bucketNameAttributeName =
-                        config.kmip.client.bucketNameAttributeName;
-                }
-            }
-            if (config.kmip.transport) {
-                if (config.kmip.transport.pipelineDepth) {
-                    assert(typeof config.kmip.transport.pipelineDepth ===
-                           'number');
-                    this.kmip.transport.pipelineDepth =
-                        config.kmip.transport.pipelineDepth;
-                }
-                if (config.kmip.transport.tls) {
-                    const { host, port, key, cert, ca } =
-                          config.kmip.transport.tls;
-                    if (!!key !== !!cert) {
-                        throw new Error('bad config: KMIP TLS certificate ' +
-                                        'and key must come along');
-                    }
-                    if (port) {
-                        assert(typeof port === 'number',
-                               'bad config: KMIP TLS Port must be a number');
-                        this.kmip.transport.tls.port = port;
-                    }
-                    if (host) {
-                        assert(typeof host === 'string',
-                               'bad config: KMIP TLS Host must be a string');
-                        this.kmip.transport.tls.host = host;
-                    }
-
-                    if (key) {
-                        this.kmip.transport.tls.key = this._loadTlsFile(key);
-                    }
-                    if (cert) {
-                        this.kmip.transport.tls.cert = this._loadTlsFile(cert);
-                    }
-                    if (Array.isArray(ca)) {
-                        this.kmip.transport.tls.ca = ca.map(this._loadTlsFile);
-                    } else {
-                        this.kmip.transport.tls.ca = this._loadTlsFile(ca);
-                    }
-                }
-            }
-        }
-
+        this._parseKmsKmip(config);
         this.kmsAWS = this._parseKmsAWS(config);
 
         const globalEncryptionEnabled = config.globalEncryptionEnabled;

lib/kms/wrapper.js

@@ -7,24 +7,30 @@ const logger = require('../utilities/logger');
 const inMemory = require('./in_memory/backend').backend;
 const file = require('./file/backend');
 const KMIPClient = require('arsenal').network.kmipClient;
+const KMIPClusterClient = require('arsenal').network.kmipClusterClient;
 const { KmsAWSClient } = require('arsenal').network;
 const Common = require('./common');
 const vault = require('../auth/vault');
 const Cache = require('./Cache');
 const cache = new Cache();
-let scalityKMS;
-let scalityKMSImpl;
-try {
-     // eslint-disable-next-line import/no-unresolved
-    const ScalityKMS = require('scality-kms');
-    scalityKMS = new ScalityKMS(config.kms);
-    scalityKMSImpl = 'scalityKms';
-} catch (error) {
-    logger.warn('scality kms unavailable. ' +
-      'Using file kms backend unless mem specified.',
-      { error });
-    scalityKMS = file;
-    scalityKMSImpl = 'fileKms';
+
+function getScalityKms() {
+    let scalityKMS;
+    let scalityKMSImpl;
+
+    try {
+        // eslint-disable-next-line import/no-unresolved
+        const ScalityKMS = require('scality-kms');
+        scalityKMS = new ScalityKMS(config.kms);
+        scalityKMSImpl = 'scalityKms';
+    } catch (error) {
+        logger.warn('scality kms unavailable. ' +
+        'Using file kms backend unless mem specified.',
+        { error });
+        scalityKMS = file;
+        scalityKMSImpl = 'fileKms';
+    }
+    return { scalityKMS, scalityKMSImpl };
 }
 
 let client;
@@ -37,14 +43,17 @@ if (config.backends.kms === 'mem') {
     client = file;
     implName = 'fileKms';
 } else if (config.backends.kms === 'scality') {
-    client = scalityKMS;
-    implName = scalityKMSImpl;
+    ({ scalityKMS: client, scalityKMSImpl: implName } = getScalityKms());
 } else if (config.backends.kms === 'kmip') {
     const kmipConfig = { kmip: config.kmip };
     if (!kmipConfig.kmip) {
         throw new Error('KMIP KMS driver configuration is missing.');
     }
-    client = new KMIPClient(kmipConfig);
+    if (Array.isArray(config.kmip.transport)) {
+        client = new KMIPClusterClient(kmipConfig);
+    } else {
+        client = new KMIPClient(kmipConfig);
+    }
     implName = 'kmip';
 } else if (config.backends.kms === 'aws') {
     const awsConfig = { kmsAWS: config.kmsAWS };

package.json

@@ -21,7 +21,7 @@
   "dependencies": {
     "@azure/storage-blob": "^12.12.0",
     "@hapi/joi": "^17.1.0",
-    "arsenal": "git+https://github.com/scality/arsenal#8.1.149",
+    "arsenal": "git+https://github.com/scality/arsenal#8.1.150",
     "async": "~2.5.0",
     "aws-sdk": "2.905.0",
     "bucketclient": "scality/bucketclient#8.1.9",

yarn.lock

@@ -1220,9 +1220,9 @@ arraybuffer.slice@~0.0.7:
   optionalDependencies:
     ioctl "^2.0.2"
 
-"arsenal@git+https://github.com/scality/arsenal#8.1.149":
-  version "8.1.149"
-  resolved "git+https://github.com/scality/arsenal#10a57341688644bf3aaf5316b8e0b09f40eb5479"
+"arsenal@git+https://github.com/scality/arsenal#8.1.150":
+  version "8.1.150"
+  resolved "git+https://github.com/scality/arsenal#3eea86afaecb40e39cae441700bb186b68e453e0"
   dependencies:
     "@azure/identity" "^3.1.1"
     "@azure/storage-blob" "^12.12.0"