bucketGetEncryption.js
const { errors, s3middleware } = require('arsenal');
const async = require('async');
const { pushMetric } = require('../utapi/utilities');
const collectCorsHeaders = require('../utilities/collectCorsHeaders');
const { checkExpectedBucketOwner } = require('./apiUtils/authorization/bucketOwner');
const { metadataValidateBucket } = require('../metadata/metadataUtils');
const escapeForXml = s3middleware.escapeForXml;
/**
 * Bucket Get Encryption - return the bucket's default server-side encryption
 * (SSE) configuration as a ServerSideEncryptionConfiguration XML document.
 *
 * Flow, in order:
 *  1. metadataValidateBucket is called with requestType 'bucketGetEncryption'
 *     and request.actionImplicitDenies (presumably where the access decision
 *     is made - confirm in metadataUtils).
 *  2. checkExpectedBucketOwner is called with the request headers and the
 *     bucket returned by step 1.
 *  3. The SSE info is read from the bucket and rejected unless it carries the
 *     `mandatory` flag.
 * The SSE configuration is only read after steps 1 and 2 have succeeded.
 *
 * The response exposes exactly two values taken from the stored SSE info,
 * `algorithm` and (when set) `configuredMasterKeyId`; both pass through
 * escapeForXml before being placed in the document.
 *
 * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
 * @param {object} request - http request object
 * @param {object} log - Werelogs logger
 * @param {function} callback - callback to server; called as
 * callback(error, corsHeaders) on failure and as
 * callback(null, xmlString, corsHeaders) on success
 * @return {undefined}
 */
function bucketGetEncryption(authInfo, request, log, callback) {
    const { bucketName } = request;
    const validationParams = {
        authInfo,
        bucketName,
        requestType: 'bucketGetEncryption',
        request,
    };

    // Step 1: bucket lookup and validation for this request type.
    const validateBucket = next =>
        metadataValidateBucket(validationParams, request.actionImplicitDenies, log, next);

    // Step 2: expected-bucket-owner check; the bucket is forwarded so the
    // next step can read its SSE info.
    const verifyExpectedOwner = (bucket, next) =>
        checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket));

    // Step 3: SSE info without the `mandatory` flag was not created through
    // bucketPutEncryption or the x-amz-scal-server-side-encryption header at
    // bucket creation, so it is reported as "not found" instead of returned.
    // NOTE(review): the null test is strict; an `undefined` return from
    // getServerSideEncryption() would throw on `.mandatory` - confirm it
    // always returns null or an object.
    const loadSseConfig = (bucket, next) => {
        const sseInfo = bucket.getServerSideEncryption();
        if (sseInfo !== null && sseInfo.mandatory) {
            return next(null, bucket, sseInfo);
        }
        log.trace('no server side encryption config found', {
            bucket: bucketName,
            method: 'bucketGetEncryption',
        });
        return next(errors.ServerSideEncryptionConfigurationNotFoundError);
    };

    const respond = (error, bucket, sseInfo) => {
        // CORS headers are computed before the error check, so `bucket` may
        // be undefined here when an earlier step failed without yielding one.
        const corsHeaders = collectCorsHeaders(request.headers.origin, request.method, bucket);
        if (error) {
            return callback(error, corsHeaders);
        }

        // Every stored value is XML-escaped before interpolation; the
        // KMSMasterKeyID element is present only when a key id is configured.
        // BucketKeyEnabled is always reported as false.
        const xmlParts = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<ServerSideEncryptionConfiguration>',
            '<Rule>',
            '<ApplyServerSideEncryptionByDefault>',
            `<SSEAlgorithm>${escapeForXml(sseInfo.algorithm)}</SSEAlgorithm>`,
            ...(sseInfo.configuredMasterKeyId
                ? [`<KMSMasterKeyID>${escapeForXml(sseInfo.configuredMasterKeyId)}</KMSMasterKeyID>`]
                : []),
            '</ApplyServerSideEncryptionByDefault>',
            '<BucketKeyEnabled>false</BucketKeyEnabled>',
            '</Rule>',
            '</ServerSideEncryptionConfiguration>',
        ];

        // The metric is pushed on the success path only.
        pushMetric('getBucketEncryption', log, {
            authInfo,
            bucket: bucketName,
        });
        return callback(null, xmlParts.join(''), corsHeaders);
    };

    return async.waterfall([validateBucket, verifyExpectedOwner, loadSseConfig], respond);
}
// The module's export is the handler function itself, not an object wrapping it.
module.exports = bucketGetEncryption;