scality · BourgoisMickael · Apr 30, 2025 · May 5, 2025 · May 12, 2025 · May 12, 2025
diff --git a/.github/docker/docker-compose.yaml b/.github/docker/docker-compose.yaml
@@ -8,6 +8,9 @@ services:
       - /tmp/ssl-kmip:/ssl-kmip
       - ${HOME}/.aws/credentials:/root/.aws/credentials
       - /tmp/artifacts/${JOB_NAME}:/artifacts
+      # using artesca container, with persistent volumes for sse migration
+      - ../../localData:/usr/src/app/localData
+      - ../../localMetadata:/usr/src/app/localMetadata
     environment:
       - CI=true
       - ENABLE_LOCAL_CACHE=true
@@ -42,6 +45,16 @@ services:
     extra_hosts:
       - "bucketwebsitetester.s3-website-us-east-1.amazonaws.com:127.0.0.1"
       - "pykmip.local:127.0.0.1"
+  cloudserver-sse-migration:
+    extends: cloudserver
+    profiles: [sse-migration]
+    volumes:
+      # using artesca container
+      - ../../tests/functional/sse-kms-migration/config.${SSE_CONF}.json:/conf/config.json
+      - ../../localData:/usr/src/app/localData
+      - ../../localMetadata:/usr/src/app/localMetadata
+    environment:
+      - S3_CONFIG_FILE=/conf/config.json
   redis:
     image: redis:alpine
     network_mode: "host"

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -218,6 +218,8 @@ jobs:
         source: /tmp/artifacts
       if: always()
 
+  # All tests use non federation images
+
   file-ft-tests:
     strategy:
       matrix:
@@ -345,3 +347,168 @@ jobs:
         password: ${{ secrets.ARTIFACTS_PASSWORD }}
         source: /tmp/artifacts
       if: always()
+
+  sse-kms-migration-tests:
+    strategy:
+      matrix:
+        include:
+          - kmsHideScalityArn: 'showArn'
+            job-name: sse-kms-migration-tests-show-arn
+          # To use this one, the test needs to stop expecting an Arn in rsponse headers
+          # But the check it should query the metadata directly to ensure the md has the arn
+          # - kmsHideScalityArn: 'hideArn'
+          #   job-name: sse-kms-migration-tests-hide-arn
+    name: ${{ matrix.job-name }}
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      S3BACKEND: file
+      S3VAULT: mem
+      CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION: ghcr.io/${{ github.repository }}:7.70.21-11
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      MPU_TESTING: "yes"
+      JOB_NAME: ${{ matrix.job-name }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+      with:
+        python-version: 3.9
+    - name: Setup CI environment
+      uses: ./.github/actions/setup-ci
+    - name: Setup matrix job artifacts directory
+      shell: bash
+      run: |
+        set -exu
+        mkdir -p /tmp/artifacts/${{ matrix.job-name }}/
+    - name: Setup CI services (with old cloudserver image before sse migration)
+      run: docker compose up -d
+      working-directory: .github/docker
+      env:
+        CLOUDSERVER_IMAGE: ${{ env.CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION }}
+        SSE_CONF: before
+    - name: Run SSE before migration tests (setup buckets and objects)
+      env:
+        # yarn run does a cd into the test folder
+        S3_CONFIG_FILE: config.before.json
+      run: |-
+        set -o pipefail;
+        bash wait_for_local_port.bash 8000 40
+
+        echo Ensures the expected version of cloudserver is old one:
+        VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+            exec cloudserver cat package.json | jq -r .version)
+        if [[ "$VERSION" != "7.70.21-11" ]]; then
+          echo "bad version of container. Should be 7.70.21-11. Was $VERSION" >&2
+          exit 1
+        else
+          echo OK $VERSION
+        fi
+
+        yarn run ft_sse_before_migration | tee /tmp/artifacts/${{ matrix.job-name }}/beforeMigration.log
+    - name: Replace old cloudserver image with current one
+      run: |-
+        docker compose down cloudserver
+        mv /tmp/artifacts/${{ matrix.job-name }}/s3.log /tmp/artifacts/${{ matrix.job-name }}/s3.old.log
+        docker compose up -d cloudserver-sse-migration
+      working-directory: .github/docker
+      env:
+        SSE_CONF: sseMigration.${{ matrix.kmsHideScalityArn }}
+    - name: Run SSE migration tests
+      env:
+        # yarn run does a cd into the test folder
+        S3_CONFIG_FILE: config.sseMigration.${{ matrix.kmsHideScalityArn }}.json
+      run: |-
+        set -o pipefail;
+        bash wait_for_local_port.bash 8000 40
+
+        echo Ensures the expected version of cloudserver is NOT old one
+        VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+            exec cloudserver-sse-migration cat package.json | jq -r .version)
+        if [[ "$VERSION" == "7.70.21-11" ]]; then
+          echo "bad version of container. Should NOT be 7.70.21-11. Was $VERSION" >&2
+          exit 1
+        else
+          echo OK $VERSION
+        fi
+
+        yarn run ft_sse_migration | tee /tmp/artifacts/${{ matrix.job-name }}/migration.log
+    - name: Run SSE arnPrefix tests
+      env:
+        S3_CONFIG_FILE: config.sseMigration.${{ matrix.kmsHideScalityArn }}.json
+      run: |-
+        set -o pipefail;
+        yarn run ft_sse_arn | tee /tmp/artifacts/${{ matrix.job-name }}/arnPrefix.log
+    - name: Print docker compose logs
+      run: docker compose logs cloudserver cloudserver-sse-migration
+      working-directory: .github/docker
+      if: failure()
+    - name: Upload logs to artifacts
+      uses: scality/action-artifacts@v4
+      with:
+        method: upload
+        url: https://artifacts.scality.net
+        user: ${{ secrets.ARTIFACTS_USER }}
+        password: ${{ secrets.ARTIFACTS_PASSWORD }}
+        source: /tmp/artifacts
+      if: always()
+
+  # Temporary until I have a good test taking into account kmsHideScalityArn
+  tmp-kmsHideScalityArn-file-ft-tests:
+    strategy:
+      matrix:
+        include:
+          - enable-null-compat: ''
+            job-name: tmp-kmsHideScalityArn-file-ft-tests
+    name: ${{ matrix.job-name }}
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      S3BACKEND: file
+      S3VAULT: mem
+      CLOUDSERVER_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+      MPU_TESTING: "yes"
+      ENABLE_NULL_VERSION_COMPAT_MODE: "${{ matrix.enable-null-compat }}"
+      JOB_NAME: ${{ matrix.job-name }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
+      with:
+        python-version: 3.9
+    - name: Setup CI environment
+      uses: ./.github/actions/setup-ci
+    - name: Setup matrix job artifacts directory
+      shell: bash
+      run: |
+        set -exu
+        mkdir -p /tmp/artifacts/${{ matrix.job-name }}/
+    - name: Setup python test environment
+      run: |
+        sudo apt-get install -y libdigest-hmac-perl
+        pip install 's3cmd==2.3.0'
+    - name: Setup CI services
+      run: |-
+        docker compose up -d
+        docker compose down cloudserver
+        docker compose up -d cloudserver-sse-migration
+      working-directory: .github/docker
+      env:
+        SSE_CONF: sseMigration.hideArn
+    - name: Run file ft tests
+      env:
+        # need absolute path as tests move into folders
+        S3_CONFIG_FILE: ${{ github.workspace }}/tests/functional/sse-kms-migration/config.sseMigration.hideArn.json
+      run: |-
+        set -o pipefail;
+        bash wait_for_local_port.bash 8000 40
+        yarn run ft_test | tee /tmp/artifacts/${{ matrix.job-name }}/tests.log
+    - name: Upload logs to artifacts
+      uses: scality/action-artifacts@v4
+      with:
+        method: upload
+        url: https://artifacts.scality.net
+        user: ${{ secrets.ARTIFACTS_USER }}
+        password: ${{ secrets.ARTIFACTS_PASSWORD }}
+        source: /tmp/artifacts
+      if: always()
diff --git a/lib/kms/wrapper.js b/lib/kms/wrapper.js
@@ -155,6 +155,11 @@ function getClientForKey(key, log) {
 }
 
 class KMS {
+    /** Access to client for tests (Integration needs to turn off _supportsDefaultKeyPerAccount) */
+    static get client() {
+        return client;
+    }
+
     /** Used for keys from current client */
     static get arnPrefix() {
         return client.backend.arnPrefix;

diff --git a/package.json b/package.json
@@ -74,6 +74,10 @@
     "ft_s3curl": "cd tests/functional/s3curl && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 40000 *.js",
     "ft_test": "npm-run-all -s ft_awssdk ft_s3cmd ft_s3curl ft_node ft_healthchecks ft_management",
     "ft_kmip": "cd tests/functional/kmip && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 40000 *.js",
+    "ft_sse_cleanup": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 cleanup.js",
+    "ft_sse_before_migration": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 cleanup.js beforeMigration.js",
+    "ft_sse_migration": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 migration.js",
+    "ft_sse_arn": "cd tests/functional/sse-kms-migration && mocha --reporter mocha-multi-reporters --reporter-options configFile=$INIT_CWD/tests/reporter-config.json -t 10000 cleanup.js arnPrefix.js",
     "install_ft_deps": "yarn install [email protected] [email protected] [email protected] [email protected] [email protected]",
     "lint": "eslint $(git ls-files '*.js')",
     "lint_md": "mdlint $(git ls-files '*.md')",