From 3bb511aec6c31f6e769fe510b416d437224a28f4 Mon Sep 17 00:00:00 2001
From: Vinayakswami Hariharmath
Date: Wed, 23 Oct 2024 15:54:24 +0530
Subject: [PATCH] Set default bucket encryption during bucket creation
All S3 buckets have encryption configured by default, and objects are automatically encrypted by using server side encryption. When we do get-bucker-encryption on any bucket we get the the default encryption configuration. With this patch we set default encryption on bucket while creating the bucket and follow the behavior of S3 bucket
Signed-off-by: Vinayakswami Hariharmath
---
 src/server/system_services/bucket_server.js | 3 +++
 .../s3-tests-lists/s3_tests_pending_list.txt | 4 +++-
 src/test/unit_tests/test_s3_encryption.js | 18 +++++++++++++-----
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/server/system_services/bucket_server.js b/src/server/system_services/bucket_server.js
index f4f994d73b..f4cd2d75ef 100644
--- a/src/server/system_services/bucket_server.js
+++ b/src/server/system_services/bucket_server.js
@@ -294,6 +294,9 @@ async function create_bucket(req) {
 bucket.bucket_claim = req.rpc_params.bucket_claim;
 }
 bucket.force_md5_etag = req.rpc_params.force_md5_etag;
+ bucket.encryption = {
+ "algorithm": "AES256",
+ };
 changes.insert.buckets = [bucket];
 changes.insert.master_keys = [bucket_m_key];
diff --git a/src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_pending_list.txt b/src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_pending_list.txt
index 3bb3389001..ffabfa6b42 100644
--- a/src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_pending_list.txt
+++ b/src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_pending_list.txt
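Review bot: The `bucket.encryption` default added in `create_bucket` only reaches buckets created after this change, so a bucket that already exists without an `encryption` field would presumably still return the not-found error the old unit test asserted. Either backfill existing buckets in an upgrade step or apply the same default where the encryption configuration is read, so get-bucket-encryption answers consistently for every bucket. The value is also recorded unconditionally, and nothing in this hunk shows that every bucket type actually encrypts object data at rest; if some do not, the reported AES256 configuration would overstate the protection that audits and compliance checks read from it, which is worth confirming. A short comment such as `// S3 parity: every new bucket reports SSE-S3 (AES256) as its default encryption` would record the intent. The body of `create_bucket` starts and ends outside the hunk.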
@@ -140,4 +140,6 @@ s3tests_boto3/functional/test_s3.py::test_lifecycle_expiration_size_lt
 s3tests_boto3/functional/test_s3.py::test_object_lock_delete_multipart_object_with_retention
 s3tests_boto3/functional/test_s3.py::test_object_lock_delete_multipart_object_with_legal_hold_on
 s3tests_boto3/functional/test_s3.py::test_get_undefined_public_block
-s3tests_boto3/functional/test_s3.py::test_get_public_block_deny_bucket_policy
\ No newline at end of file
+s3tests_boto3/functional/test_s3.py::test_get_public_block_deny_bucket_policy
+s3tests_boto3/functional/test_s3.py::test_get_bucket_encryption_s3
+s3tests_boto3/functional/test_s3.py::test_get_bucket_encryption_kms
\ No newline at end of file
diff --git a/src/test/unit_tests/test_s3_encryption.js b/src/test/unit_tests/test_s3_encryption.js
index ea731e8be0..6882e8a87b 100644
--- a/src/test/unit_tests/test_s3_encryption.js
+++ b/src/test/unit_tests/test_s3_encryption.js
@@ -71,14 +71,22 @@ mocha.describe('Bucket Encryption Operations', async () => {
 await local_s3.createBucket({ Bucket: BKT });
 });
- mocha.it('should get bucket encryption error without encryption configured', async () => {
+ mocha.it('getBucketEncryption should return the default server side encryption configuration', async () => {
 try {
 const res = await local_s3.getBucketEncryption({ Bucket: BKT });
- throw new Error(`Expected to get error with unconfigured bucket encryption ${res}`);
+ const expected_response = {
+ ServerSideEncryptionConfiguration: {
+ Rules: [{
+ ApplyServerSideEncryptionByDefault: {
+ SSEAlgorithm: 'AES256'
+ }
+ }]
+ }
+ };
+ const res_without_metadata = _.omit(res, '$metadata');
+ assert.deepEqual(res_without_metadata, expected_response);
 } catch (error) {
- assert(error.message === 'The server side encryption configuration was not found.', `Error message does not match got: ${error.message}`);
- assert(error.Code === 'ServerSideEncryptionConfigurationNotFoundError', `Error code does not match got: ${error.Code}`);
- assert(error.$metadata.httpStatusCode === 404, `Error status code does not match got: ${error.$metadata.httpStatusCode}`);
+ throw new Error(`The server side encryption configuration was not found ${error.message}`);
 }
 });
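Review bot: The rewritten `catch` in the "getBucketEncryption should return the default server side encryption configuration" test rethrows every failure, including a `deepEqual` mismatch, under the message "The server side encryption configuration was not found". A wrong algorithm or an extra rule would therefore be reported as a missing configuration, and the original stack and diff are lost. Dropping the `try`/`catch` lets the rejection or `AssertionError` reach mocha unchanged; the test body then reduces to the `getBucketEncryption` call followed by `assert.deepEqual(_.omit(res, '$metadata'), expected_response);`. The enclosing `mocha.describe` starts and ends outside the hunk.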