feat: S3 server-side encryption

.github/workflows/object_store.yml

@@ -114,6 +114,7 @@ jobs:
       AWS_ALLOW_HTTP: true
       AWS_COPY_IF_NOT_EXISTS: dynamo:test-table:2000
       AWS_CONDITIONAL_PUT: dynamo:test-table:2000
+      AWS_SERVER_SIDE_ENCRYPTION: aws:kms
       HTTP_URL: "http://localhost:8080"
       GOOGLE_BUCKET: test-bucket
       GOOGLE_SERVICE_ACCOUNT: "/tmp/gcs.json"
@@ -142,6 +143,9 @@ jobs:
           aws --endpoint-url=http://localhost:4566 s3 mb s3://test-bucket
           aws --endpoint-url=http://localhost:4566 dynamodb create-table --table-name test-table --key-schema AttributeName=path,KeyType=HASH AttributeName=etag,KeyType=RANGE --attribute-definitions AttributeName=path,AttributeType=S AttributeName=etag,AttributeType=S --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
 
+          KMS_KEY=$(aws --endpoint-url=http://localhost:4566 kms create-key --description "test key")
+          echo "AWS_SSE_KMS_KEY_ID=$(echo $KMS_KEY | jq -r .KeyMetadata.KeyId)" >> $GITHUB_ENV
+
       - name: Configure Azurite (Azure emulation)
         # the magical connection string is from
         # https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azurite?tabs=visual-studio#http-connection-strings

object_store/CONTRIBUTING.md

@@ -39,21 +39,21 @@ To test the S3 integration against [localstack](https://localstack.cloud/)
 First start up a container running localstack
 
 ```
-$ podman run -d -p 4566:4566 localstack/localstack:2.0
+$ LOCALSTACK_VERSION=sha256:a0b79cb2430f1818de2c66ce89d41bba40f5a1823410f5a7eaf3494b692eed97
+$ podman run -d -p 4566:4566 localstack/localstack@$LOCALSTACK_VERSION
 $ podman run -d -p 1338:1338 amazon/amazon-ec2-metadata-mock:v1.9.2 --imdsv2
 ```
 
 Setup environment
 
 ```
 export TEST_INTEGRATION=1
-export OBJECT_STORE_AWS_DEFAULT_REGION=us-east-1
-export OBJECT_STORE_AWS_ACCESS_KEY_ID=test
-export OBJECT_STORE_AWS_SECRET_ACCESS_KEY=test
-export OBJECT_STORE_AWS_ENDPOINT=http://localhost:4566
+export AWS_DEFAULT_REGION=us-east-1
 export AWS_ACCESS_KEY_ID=test
 export AWS_SECRET_ACCESS_KEY=test
-export OBJECT_STORE_BUCKET=test-bucket
+export AWS_ENDPOINT=http://localhost:4566
+export AWS_ALLOW_HTTP=true
+export AWS_BUCKET_NAME=test-bucket
 ```
 
 Create a bucket using the AWS CLI
@@ -66,6 +66,7 @@ Or directly with:
 
 ```
 aws s3 mb s3://test-bucket --endpoint-url=http://localhost:4566
+aws --endpoint-url=http://localhost:4566 dynamodb create-table --table-name test-table --key-schema AttributeName=path,KeyType=HASH AttributeName=etag,KeyType=RANGE --attribute-definitions AttributeName=path,AttributeType=S AttributeName=etag,AttributeType=S --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
 ```
 
 Run tests
@@ -74,6 +75,32 @@ Run tests
 $ cargo test --features aws
 ```
 
+#### Encryption tests
+
+To create an encryption key for the tests, you can run the following command:
+
+```
+export AWS_SSE_KMS_KEY_ID=$(aws --endpoint-url=http://localhost:4566 \
+  kms create-key --description "test key" |
+  jq -r '.KeyMetadata.KeyId')
+```
+
+To run integration tests with encryption, you can set the following environment variables:
+
+```
+export AWS_SERVER_SIDE_ENCRYPTION=aws:kms
+export AWS_SSE_BUCKET_KEY=false
+cargo test --features aws
+```
+
+As well as:
+
+```
+unset AWS_SSE_BUCKET_KEY
+export AWS_SERVER_SIDE_ENCRYPTION=aws:kms:dsse
+cargo test --features aws
+```
+
 ### Azure
 
 To test the Azure integration