From fdfefafacdbf2ee4e9a8b9318c19e0f35c080b54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Vandecr=C3=A8me?= Date: Mon, 12 Feb 2024 15:24:31 +0000 Subject: [PATCH] FT: Add config to set buckets default SSE config This config allows enabling encryption by default. It currently only allows AES256. If the user provide the x-amz-scal-server-side-encryption header on bucket creation, the header's value takes precedence. --- lib/Config.js | 16 ++++++++++++++++ lib/api/apiUtils/bucket/bucketCreation.js | 3 +++ 2 files changed, 19 insertions(+) diff --git a/lib/Config.js b/lib/Config.js index 6e1e853889..e480dd40d8 100644 --- a/lib/Config.js +++ b/lib/Config.js @@ -1296,6 +1296,22 @@ class Config extends EventEmitter { 'bad config: maxScannedLifecycleListingEntries must be greater than 2'); this.maxScannedLifecycleListingEntries = config.maxScannedLifecycleListingEntries; } + + this.defaultBucketSseConfig = {}; + if (config.defaultBucketSseConfig) { + const algorithm = config.defaultBucketSseConfig.algorithm; + if (algorithm !== undefined) { + assert(algorithm === 'AES256', + 'bad config: defaultBucketSseConfig.algorithm must be AES256'); + this.defaultBucketSseConfig.algorithm = algorithm; + } + const mandatory = config.defaultBucketSseConfig.mandatory; + if (mandatory !== undefined) { + assert(typeof mandatory === 'boolean', + 'bad config: defaultBucketSseConfig.mandatory must be a boolean'); + this.defaultBucketSseConfig.mandatory = mandatory; + } + } } _configureBackends() { diff --git a/lib/api/apiUtils/bucket/bucketCreation.js b/lib/api/apiUtils/bucket/bucketCreation.js index 455261314b..8ecbc7256d 100644 --- a/lib/api/apiUtils/bucket/bucketCreation.js +++ b/lib/api/apiUtils/bucket/bucketCreation.js @@ -10,6 +10,7 @@ const { parseBucketEncryptionHeaders } = require('./bucketEncryption'); const metadata = require('../../../metadata/wrapper'); const kms = require('../../../kms/wrapper'); const isLegacyAWSBehavior = require('../../../utilities/legacyAWSBehavior'); +const { config } = require('../../../Config'); const usersBucket = constants.usersBucket; const oldUsersBucket = constants.oldUsersBucket; @@ -230,6 +231,8 @@ function createBucket(authInfo, bucketName, headers, const newBucketMD = results.prepareNewBucketMD; if (existingBucketMD === 'NoBucketYet') { const sseConfig = parseBucketEncryptionHeaders(headers); + sseConfig.algorithm = sseConfig.algorithm ?? config.defaultBucketSseConfig.algorithm ?? null; + sseConfig.mandatory = sseConfig.mandatory ?? config.defaultBucketSseConfig.mandatory ?? false; return bucketLevelServerSideEncryption( bucketName, sseConfig, log, (err, sseInfo) => {