feat: add enable/disable encryption s3-utils

src/bucket.ts

@@ -67,6 +67,10 @@ export class Bucket {
   public toString = () => this.name
   public urlForKey = (key:string) => this.utils.urlForKey({ key, bucket: this.name })
   public forEach = (opts) => this.utils.forEachItemInBucket({ bucket: this.name, ...opts })
+  public enableEncryption = (opts:any={}) => this.utils.enableEncryption({ bucket: this.name, ...opts })
+  public disableEncryption = (opts:any={}) => this.utils.disableEncryption({ bucket: this.name, ...opts })
+  public getEncryption = (opts:any={}) => this.utils.getEncryption({ bucket: this.name, ...opts })
+  // TODO: use head (to get ETag), and compare MD5
   public putIfDifferent = async (key, value):Promise<boolean> => {
     let current
     try {

src/init.ts

@@ -53,6 +53,15 @@ proto.ensureInitialized = co(function* (opts) {
 })
 
 proto.init = co(function* (opts={}) {
+  const [result] = yield Promise.all([
+    this.initIdentity(),
+    this.enableBucketEncryption()
+  ])
+
+  return result
+})
+
+proto.initIdentity = co(function* (opts) {
   const result = yield this.genIdentity()
   yield this.write({
     ...result,
@@ -73,6 +82,10 @@ proto.isInitialized = (function () {
   })
 }())
 
+proto.enableBucketEncryption = co(function* () {
+  yield this.buckets.Secrets.enableEncryption()
+})
+
 proto.genIdentity = co(function* () {
   const priv = yield genIdentity(getIdentitySpecs({
     networks: this.networks

src/s3-utils.ts

@@ -1,4 +1,4 @@
-import { omit } from 'lodash'
+import _ = require('lodash')
 import { TYPE } from '@tradle/constants'
 import Errors = require('./errors')
 import Env from './env'
@@ -172,7 +172,7 @@ export default function createUtils ({ s3, logger, env }: {
 
       opts = {
         ...defaultOpts,
-        ...omit(opts, ['force'])
+        ..._.omit(opts, ['force'])
       }
 
       if (etag) {
@@ -275,6 +275,24 @@ export default function createUtils ({ s3, logger, env }: {
     return `https://${bucket}.s3.amazonaws.com/${key}`
   }
 
+  const disableEncryption = async ({ bucket }) => {
+    logger.info(`disabling server-side encryption from bucket ${bucket}`)
+    await s3.deleteBucketEncryption({ Bucket: bucket }).promise()
+  }
+
+  const enableEncryption = async ({ bucket, kmsKeyId }: {
+    bucket:string,
+    kmsKeyId?:string
+  }) => {
+    logger.info(`enabling server-side encryption for bucket ${bucket}`)
+    const params = toEncryptionParams({ bucket, kmsKeyId })
+    await s3.putBucketEncryption(params).promise()
+  }
+
+  const getEncryption = async ({ bucket }) => {
+    return await s3.getBucketEncryption({ Bucket: bucket }).promise()
+  }
+
   return utils = timeMethods({
     get,
     getJSON,
@@ -291,7 +309,10 @@ export default function createUtils ({ s3, logger, env }: {
     createBucket,
     destroyBucket,
     urlForKey,
-    forEachItemInBucket
+    forEachItemInBucket,
+    enableEncryption,
+    disableEncryption,
+    getEncryption
   }, logger)
 }
 
@@ -304,3 +325,24 @@ const toStringOrBuf = (value) => {
 
   return JSON.stringify(value)
 }
+
+const toEncryptionParams = ({ bucket, kmsKeyId }):AWS.S3.PutBucketEncryptionRequest => {
+  const ApplyServerSideEncryptionByDefault:AWS.S3.ServerSideEncryptionByDefault = {
+    SSEAlgorithm: kmsKeyId ? 'aws:kms' : 'AES256'
+  }
+
+  if (kmsKeyId) {
+    ApplyServerSideEncryptionByDefault.KMSMasterKeyID = kmsKeyId
+  }
+
+  return {
+    Bucket: bucket,
+    ServerSideEncryptionConfiguration: {
+      Rules: [
+        {
+          ApplyServerSideEncryptionByDefault
+        }
+      ]
+    }
+  }
+}