MB-61292: Fix for get_node_deks_info

timofey-barmin · timofey-barmin · commit 5ea7c3653166 · 2024-09-26T18:39:37.000Z
We should take deks from the most recent state. Also modify tests: We can't assume that secret is undeletable right after bucket encryption disablement, because we actually call garbage_collect_deks at every bucket encryption disablement. So, if the bucket hasn't used that key for some real data encryption, the garbage collect procedure will remove that key right after encryption disablement. Change-Id: I3f62ef98100c6af12bb8052d051ab4762f3152a5 Reviewed-on: https://review.couchbase.org/c/ns_server/+/216781 Reviewed-by: Navdeep S Boparai <navdeep.boparai@couchbase.com> Well-Formed: Build Bot <build@couchbase.com> Tested-by: Build Bot <build@couchbase.com> Tested-by: Timofey Barmin <timofey.barmin@couchbase.com>
diff --git a/apps/ns_server/src/cb_cluster_secrets.erl b/apps/ns_server/src/cb_cluster_secrets.erl
@@ -455,8 +455,8 @@ handle_call({call, {M, F, A} = MFA}, _From,
 handle_call(sync, _From, #state{proc_type = ?NODE_PROC} = State) ->
     {reply, ok, State};
 
-handle_call(get_node_deks_info, _From, #state{proc_type = ?NODE_PROC,
-                                              deks = Deks} = State) ->
+handle_call(get_node_deks_info, _From,
+            #state{proc_type = ?NODE_PROC} = State) ->
     NewState = run_jobs(State), %% Run jobs to make sure all deks are up to date
     maybe
         [] ?= NewState#state.jobs,
@@ -466,6 +466,7 @@ handle_call(get_node_deks_info, _From, #state{proc_type = ?NODE_PROC,
                               K#{info => maps:remove(key, Info)}
                           end, Keys)
             end,
+        #state{deks = Deks} = NewState,
         Res = maps:map(fun (_K, #{deks := Keys}) -> StripKeyMaterial(Keys) end,
                        Deks),
         {reply, Res, NewState}
diff --git a/cluster_tests/testsets/native_encryption_tests.py b/cluster_tests/testsets/native_encryption_tests.py
@@ -176,9 +176,6 @@ def bucket_without_encryption_test(self):
         delete_secret(self.random_node(), secret1_id, expected_code=400)
         self.cluster.update_bucket({'name': self.bucket_name,
                                     'encryptionAtRestSecretId': -1})
-        # Still can't delete because bucket's deks are still encrypted by
-        # secret1
-        delete_secret(self.random_node(), secret1_id, expected_code=400)
 
     def secret_not_allowed_to_encrypt_bucket_test(self):
         secret1_json = auto_generated_secret(usage=['bucket-encryption-wrong'])
