CLDSRV-636: Option for KMS to hide scality arn

To avoid breaking changes for clients

Author: BourgoisMickael

config.json

@@ -88,6 +88,7 @@
         }
     ],
     "defaultEncryptionKeyPerAccount": true,
+    "kmsHideScalityArn": false,
     "kmsAWS": {
         "providerName": "aws",
         "region": "us-east-1", 

lib/Config.js

@@ -1248,6 +1248,11 @@ class Config extends EventEmitter {
         assert(typeof this.defaultEncryptionKeyPerAccount === 'boolean',
             'config.defaultEncryptionKeyPerAccount must be a boolean');
 
+        this.kmsHideScalityArn = Object.hasOwnProperty.call(config, 'kmsHideScalityArn')
+            ? config.kmsHideScalityArn
+            : true; // By default hide scality arn to keep backward compatibility and simplicity
+        assert.strictEqual(typeof this.kmsHideScalityArn, 'boolean');
+
         this.healthChecks = defaultHealthChecks;
         if (config.healthChecks && config.healthChecks.allowFrom) {
             assert(config.healthChecks.allowFrom instanceof Array,

lib/api/bucketGetEncryption.js

@@ -6,6 +6,8 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const { checkExpectedBucketOwner } = require('./apiUtils/authorization/bucketOwner');
 const { metadataValidateBucket } = require('../metadata/metadataUtils');
 const escapeForXml = s3middleware.escapeForXml;
+const { config } = require('../Config');
+const { getKeyIdFromArn } = require('arsenal/build/lib/network/KMSInterface');
 
 /**
  * Bucket Get Encryption - Get bucket SSE configuration
@@ -60,7 +62,11 @@ function bucketGetEncryption(authInfo, request, log, callback) {
         ];
 
         if (sseInfo.configuredMasterKeyId) {
-            xml.push(`<KMSMasterKeyID>${escapeForXml(sseInfo.configuredMasterKeyId)}</KMSMasterKeyID>`);
+            xml.push(`<KMSMasterKeyID>${escapeForXml(
+                config.kmsHideScalityArn
+                    ? getKeyIdFromArn(sseInfo.configuredMasterKeyId)
+                    : sseInfo.configuredMasterKeyId
+            )}</KMSMasterKeyID>`);
         }
 
         xml.push(

lib/utilities/collectResponseHeaders.js

@@ -1,7 +1,8 @@
 const { getVersionIdResHeader } = require('../api/apiUtils/object/versioning');
 const checkUserMetadataSize
     = require('../api/apiUtils/object/checkUserMetadataSize');
-
+const { config } = require('../Config');
+const { getKeyIdFromArn } = require('arsenal/build/lib/network/KMSInterface');
 /**
  * Pulls data from saved object metadata to send in response
  * @param {object} objectMD - object's metadata
@@ -40,10 +41,11 @@ function collectResponseHeaders(objectMD, corsHeaders, versioningCfg,
         responseMetaHeaders['x-amz-server-side-encryption']
             = objectMD['x-amz-server-side-encryption'];
     }
-    if (objectMD['x-amz-server-side-encryption-aws-kms-key-id'] &&
+    const kmsKey = objectMD['x-amz-server-side-encryption-aws-kms-key-id'];
+    if (kmsKey &&
         objectMD['x-amz-server-side-encryption'] === 'aws:kms') {
         responseMetaHeaders['x-amz-server-side-encryption-aws-kms-key-id']
-            = objectMD['x-amz-server-side-encryption-aws-kms-key-id'];
+            = config.kmsHideScalityArn ? getKeyIdFromArn(kmsKey) : kmsKey;
     }
 
     responseMetaHeaders['Accept-Ranges'] = 'bytes';