diff --git a/lib/api/objectPut.js b/lib/api/objectPut.js index 8b92e0e9a6..d34c3dadf6 100644 --- a/lib/api/objectPut.js +++ b/lib/api/objectPut.js @@ -17,6 +17,7 @@ const kms = require('../kms/wrapper'); const monitoring = require('../utilities/monitoringHandler'); const { validatePutVersionId } = require('./apiUtils/object/coldStorage'); const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders'); +const { setSSEHeaders } = require('./apiUtils/object/sseHeaders'); const validateChecksumHeaders = require('./apiUtils/object/validateChecksumHeaders'); const writeContinue = require('../utilities/writeContinue'); @@ -173,7 +174,15 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) { function createCipherBundle(serverSideEncryptionConfig, next) { if (serverSideEncryptionConfig) { return kms.createCipherBundle( - serverSideEncryptionConfig, log, next); + serverSideEncryptionConfig, log, (err, cipherBundle) => { + if (err) { + return next(err); + } + setSSEHeaders(responseHeaders, + cipherBundle.algorithm, + cipherBundle.configuredMasterKeyId || cipherBundle.masterKeyId); + return next(null, cipherBundle); + }); } return next(null, null); }, diff --git a/tests/functional/aws-node-sdk/test/object/encryptionHeaders.js b/tests/functional/aws-node-sdk/test/object/encryptionHeaders.js index 1bb7774e43..d4ec55375a 100644 --- a/tests/functional/aws-node-sdk/test/object/encryptionHeaders.js +++ b/tests/functional/aws-node-sdk/test/object/encryptionHeaders.js @@ -174,8 +174,16 @@ describe('per object encryption headers', () => { const hasKey = target.masterKeyId ? 'a' : 'no'; describe(`Test algorithm ${target.algo || 'none'} with ${hasKey} configuredMasterKeyId`, () => { it('should put an encrypted object in a unencrypted bucket', done => - putEncryptedObject(s3, bucket, object, target, kmsKeyId, error => { + putEncryptedObject(s3, bucket, object, target, kmsKeyId, (error, putResp) => { assert.ifError(error); + if (target.algo) { + assert.strictEqual(putResp.ServerSideEncryption, target.algo, + 'PutObject response should include ServerSideEncryption header'); + if (target.algo === 'aws:kms') { + assert(putResp.SSEKMSKeyId, + 'PutObject response should include SSEKMSKeyId for aws:kms'); + } + } return getSSEConfig( s3, bucket, @@ -239,8 +247,19 @@ describe('per object encryption headers', () => { (params, cb) => putBucketEncryption(s3, params, cb) : s3NoOp; s3Op(params, error => { assert.ifError(error); - return putEncryptedObject(s3, bucket, object, target, kmsKeyId, error => { + return putEncryptedObject(s3, bucket, object, target, kmsKeyId, (error, putResp) => { assert.ifError(error); + if (target.algo) { + assert.strictEqual(putResp.ServerSideEncryption, target.algo, + 'PutObject response should include ServerSideEncryption header'); + if (target.algo === 'aws:kms') { + assert(putResp.SSEKMSKeyId, + 'PutObject response should include SSEKMSKeyId for aws:kms'); + } + } else if (existing.algo) { + assert.strictEqual(putResp.ServerSideEncryption, existing.algo, + 'PutObject response should include ServerSideEncryption from bucket default'); + } return getSSEConfig( s3, bucket,