bucketPutEncryption.js
const async = require('async');
const { parseEncryptionXml } = require('./apiUtils/bucket/bucketEncryption');
const { checkExpectedBucketOwner } = require('./apiUtils/authorization/bucketOwner');
const metadata = require('../metadata/wrapper');
const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
const kms = require('../kms/wrapper');
const { pushMetric } = require('../utapi/utilities');
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
/**
 * Bucket Put Encryption - store a server-side encryption (SSE)
 * configuration on a bucket.
 *
 * Steps run in order through async.waterfall; the first error skips the
 * remaining steps:
 *   1. standardMetadataValidateBucket with the requester's authInfo and
 *      request.actionImplicitDenies
 *   2. checkExpectedBucketOwner against the request headers
 *   3. parseEncryptionXml on the request body (only reached after 1 and 2)
 *   4. build the configuration to store (new bucket-level setup through
 *      kms, or an update that keeps the key material already recorded)
 *   5. write the configuration to the bucket metadata
 *
 * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
 * @param {object} request - http request object
 * @param {object} log - Werelogs logger
 * @param {function} callback - callback to server, called with
 *   (err, corsHeaders)
 * @return {undefined}
 */
function bucketPutEncryption(authInfo, request, log, callback) {
    const { bucketName } = request;
    const validationParams = {
        authInfo,
        bucketName,
        requestType: request.apiMethods || 'bucketPutEncryption',
        request,
    };

    // NOTE(review): presumably this is where the requester's permission on
    // the bucket is evaluated - confirm in metadataUtils.
    const validateBucket = done =>
        standardMetadataValidateBucket(validationParams, request.actionImplicitDenies, log, done);

    // The bucket is forwarded even when the owner check fails, so the final
    // handler can still compute CORS headers from it.
    const verifyExpectedOwner = (bucket, done) =>
        checkExpectedBucketOwner(request.headers, bucket, log, err => done(err, bucket));

    const parseBody = (bucket, done) => {
        log.trace('parsing encryption config', { method: 'bucketPutEncryption' });
        return parseEncryptionXml(request.post, log, (err, encryptionConfig) => (
            err ? done(err) : done(null, bucket, encryptionConfig)
        ));
    };

    const buildConfig = (bucket, encryptionConfig, done) => {
        const currentSse = bucket.getServerSideEncryption();
        if (currentSse !== null) {
            // Update path: cryptoScheme and masterKeyId are carried over from
            // the stored configuration; only the algorithm and the optional
            // configuredMasterKeyId are taken from the request.
            const replacement = {
                mandatory: true,
                algorithm: encryptionConfig.algorithm,
                cryptoScheme: currentSse.cryptoScheme,
                masterKeyId: currentSse.masterKeyId,
            };
            // The object is rebuilt from scratch, so a previously stored
            // configuredMasterKeyId is dropped when the request omits one.
            // NOTE(review): the key id is caller-supplied; any validation of
            // it would have to happen in parseEncryptionXml - confirm.
            const requestedKeyId = encryptionConfig.configuredMasterKeyId;
            if (requestedKeyId) {
                replacement.configuredMasterKeyId = requestedKeyId;
            }
            return done(null, bucket, replacement);
        }
        // No SSE configuration stored yet: kms produces the one to record.
        return kms.bucketLevelEncryption(bucket.getName(), encryptionConfig, log,
            (err, createdConfig) => (
                err ? done(err) : done(null, bucket, createdConfig)
            ));
    };

    const saveConfig = (bucket, sseConfig, done) => {
        bucket.setServerSideEncryption(sseConfig);
        metadata.updateBucket(bucket.getName(), bucket, log, err => done(err, bucket));
    };

    // `bucket` is undefined here when a step failed with next(err) alone
    // (the parse and kms steps do); it is passed to collectCorsHeaders as is.
    const respond = (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket);
        if (!err) {
            // The metric is pushed only after the metadata write succeeded.
            pushMetric('putBucketEncryption', log, {
                authInfo,
                bucket: bucketName,
            });
            return callback(null, corsHeaders);
        }
        log.trace('error processing request', { error: err, method: 'bucketPutEncryption' });
        return callback(err, corsHeaders);
    };

    return async.waterfall(
        [validateBucket, verifyExpectedOwner, parseBody, buildConfig, saveConfig],
        respond);
}
module.exports = bucketPutEncryption;