Merge branch 'w/8.7/bugfix/CLDSRV-569/delete-bucket-encryption' into …

…tmp/octopus/w/8.8/bugfix/CLDSRV-569/delete-bucket-encryption
scality · Oct 22, 2024 · ec2e304 · ec2e304
2 parents a73290c + cd57399
commit ec2e304
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 0 deletions.
diff --git a/lib/api/bucketDeleteEncryption.js b/lib/api/bucketDeleteEncryption.js
@@ -42,6 +42,11 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
                 configuredMasterKeyId: sseConfig.configuredMasterKeyId,
             };
 
+            const { isAccountEncryptionEnabled } = sseConfig;
+            if (isAccountEncryptionEnabled) {
+                updatedConfig.isAccountEncryptionEnabled = isAccountEncryptionEnabled;
+            }
+
             bucket.setServerSideEncryption(updatedConfig);
             return metadata.updateBucket(bucketName, bucket, log, err => next(err, bucket));
         },

diff --git a/tests/unit/api/bucketDeleteEncryption.js b/tests/unit/api/bucketDeleteEncryption.js
@@ -1,10 +1,12 @@
 const assert = require('assert');
+const sinon = require('sinon');
 
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const bucketPutEncryption = require('../../../lib/api/bucketPutEncryption');
 const bucketDeleteEncryption = require('../../../lib/api/bucketDeleteEncryption');
 const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../helpers');
 const { templateSSEConfig, templateRequest, getSSEConfig } = require('../utils/bucketEncryption');
+const inMemory = require('../../../lib/kms/in_memory/backend').backend;
 const log = new DummyRequestLogger();
 const authInfo = makeAuthInfo('accessKey1');
 const bucketName = 'bucketname';
@@ -216,4 +218,75 @@ describe('bucketDeleteEncryption API', () => {
             });
         });
     });
+
+    describe('bucketDeleteEncryption API with account level encryption', () => {
+        beforeEach(() => {
+            sinon.stub(inMemory, 'supportsDefaultKeyPerAccount').value(true);
+        });
+
+        afterEach(() => {
+            sinon.restore();
+        });
+
+        it('should keep isAccountEncryptionEnabled after deleting AES256 bucket encryption', done => {
+            const post = templateSSEConfig({ algorithm: 'AES256' });
+            bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
+                assert.ifError(err);
+                return getSSEConfig(bucketName, log, (err, sseInfo) => {
+                    assert.ifError(err);
+                    assert.strictEqual(sseInfo.isAccountEncryptionEnabled, true);
+                    bucketDeleteEncryption(authInfo, templateRequest(bucketName, {}), log, err => {
+                        assert.ifError(err);
+                        return getSSEConfig(bucketName, log, (err, sseInfoAfterDeletion) => {
+                            assert.ifError(err);
+                            assert.strictEqual(sseInfoAfterDeletion.isAccountEncryptionEnabled, true);
+                            done();
+                        });
+                    });
+                });
+            });
+        });
+
+        it('should keep isAccountEncryptionEnabled after deleting aws:kms bucket encryption', done => {
+            const post = templateSSEConfig({ algorithm: 'aws:kms' });
+            bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
+                assert.ifError(err);
+                return getSSEConfig(bucketName, log, (err, sseInfo) => {
+                    assert.ifError(err);
+                    assert.strictEqual(sseInfo.isAccountEncryptionEnabled, true);
+                    bucketDeleteEncryption(authInfo, templateRequest(bucketName, {}), log, err => {
+                        assert.ifError(err);
+                        return getSSEConfig(bucketName, log, (err, sseInfoAfterDeletion) => {
+                            assert.ifError(err);
+                            assert.strictEqual(sseInfoAfterDeletion.isAccountEncryptionEnabled, true);
+                            done();
+                        });
+                    });
+                });
+            });
+        });
+
+        it('should keep isAccountEncryptionEnabled after deleting aws:kms and key id bucket encryption', done => {
+            const postAES256 = templateSSEConfig({ algorithm: 'AES256' });
+            bucketPutEncryption(authInfo, templateRequest(bucketName, { post: postAES256 }), log, err => {
+                assert.ifError(err);
+                const post = templateSSEConfig({ algorithm: 'aws:kms', keyId: '123' });
+                bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
+                    assert.ifError(err);
+                    return getSSEConfig(bucketName, log, (err, sseInfo) => {
+                        assert.ifError(err);
+                        assert.strictEqual(sseInfo.isAccountEncryptionEnabled, true);
+                        bucketDeleteEncryption(authInfo, templateRequest(bucketName, {}), log, err => {
+                            assert.ifError(err);
+                            return getSSEConfig(bucketName, log, (err, sseInfoAfterDeletion) => {
+                                assert.ifError(err);
+                                assert.strictEqual(sseInfoAfterDeletion.isAccountEncryptionEnabled, true);
+                                done();
+                            });
+                        });
+                    });
+                });
+            });
+        });
+    });
 });