1 files changed, 146 insertions, 0 deletions

diff --git a/test/s3/sse/setup_openbao_sse.sh b/test/s3/sse/setup_openbao_sse.sh
new file mode 100755
index 000000000..99ea09e63
--- /dev/null
+++ b/test/s3/sse/setup_openbao_sse.sh
@@ -0,0 +1,146 @@
+#!/bin/bash
+
+# Setup OpenBao for SSE Integration Testing
+# This script configures OpenBao with encryption keys for S3 SSE testing
+
+set -e
+
+# Configuration
+OPENBAO_ADDR="${OPENBAO_ADDR:-http://127.0.0.1:8200}"
+OPENBAO_TOKEN="${OPENBAO_TOKEN:-root-token-for-testing}"
+TRANSIT_PATH="${TRANSIT_PATH:-transit}"
+
+echo "🚀 Setting up OpenBao for S3 SSE integration testing..."
+echo "OpenBao Address: $OPENBAO_ADDR"
+echo "Transit Path: $TRANSIT_PATH"
+
+# Export for API calls
+export VAULT_ADDR="$OPENBAO_ADDR"
+export VAULT_TOKEN="$OPENBAO_TOKEN"
+
+# Wait for OpenBao to be ready
+echo "⏳ Waiting for OpenBao to be ready..."
+for i in {1..30}; do
+    if curl -s "$OPENBAO_ADDR/v1/sys/health" > /dev/null 2>&1; then
+        echo "✅ OpenBao is ready!"
+        break
+    fi
+    if [ $i -eq 30 ]; then
+        echo "❌ OpenBao failed to start within 60 seconds"
+        exit 1
+    fi
+    sleep 2
+done
+
+# Enable transit secrets engine (ignore error if already enabled)
+echo "🔧 Setting up transit secrets engine..."
+curl -s -X POST \
+    -H "X-Vault-Token: $OPENBAO_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d "{\"type\":\"transit\"}" \
+    "$OPENBAO_ADDR/v1/sys/mounts/$TRANSIT_PATH" || echo "Transit engine may already be enabled"
+
+# Create encryption keys for S3 SSE testing
+echo "🔑 Creating encryption keys for SSE testing..."
+
+# Test keys that match the existing test expectations
+declare -a keys=(
+    "test-key-123:SSE-KMS basic integration test key"
+    "source-test-key-123:SSE-KMS copy source key"
+    "dest-test-key-456:SSE-KMS copy destination key"
+    "test-multipart-key:SSE-KMS multipart upload test key"
+    "invalid-test-key:SSE-KMS error testing key"
+    "test-kms-range-key:SSE-KMS range request test key"
+    "seaweedfs-test-key:General SeaweedFS SSE test key"
+    "bucket-default-key:Default bucket encryption key"
+    "high-security-key:High security encryption key"
+    "performance-key:Performance testing key"
+)
+
+for key_info in "${keys[@]}"; do
+    IFS=':' read -r key_name description <<< "$key_info"
+    echo "   Creating key: $key_name ($description)"
+    
+    # Create key
+    response=$(curl -s -X POST \
+        -H "X-Vault-Token: $OPENBAO_TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"type\":\"aes256-gcm96\",\"description\":\"$description\"}" \
+        "$OPENBAO_ADDR/v1/$TRANSIT_PATH/keys/$key_name")
+    
+    if echo "$response" | grep -q "errors"; then
+        echo "     Warning: $response"
+    fi
+    
+    # Verify key was created
+    verify_response=$(curl -s \
+        -H "X-Vault-Token: $OPENBAO_TOKEN" \
+        "$OPENBAO_ADDR/v1/$TRANSIT_PATH/keys/$key_name")
+    
+    if echo "$verify_response" | grep -q "\"name\":\"$key_name\""; then
+        echo "     ✅ Key $key_name created successfully"
+    else
+        echo "     ❌ Failed to verify key $key_name"
+        echo "     Response: $verify_response"
+    fi
+done
+
+# Test basic encryption/decryption functionality
+echo "🧪 Testing basic encryption/decryption..."
+test_plaintext="Hello, SeaweedFS SSE Integration!"
+test_key="test-key-123"
+
+# Encrypt
+encrypt_response=$(curl -s -X POST \
+    -H "X-Vault-Token: $OPENBAO_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d "{\"plaintext\":\"$(echo -n "$test_plaintext" | base64)\"}" \
+    "$OPENBAO_ADDR/v1/$TRANSIT_PATH/encrypt/$test_key")
+
+if echo "$encrypt_response" | grep -q "ciphertext"; then
+    ciphertext=$(echo "$encrypt_response" | grep -o '"ciphertext":"[^"]*"' | cut -d'"' -f4)
+    echo "   ✅ Encryption successful: ${ciphertext:0:50}..."
+    
+    # Decrypt to verify
+    decrypt_response=$(curl -s -X POST \
+        -H "X-Vault-Token: $OPENBAO_TOKEN" \
+        -H "Content-Type: application/json" \
+        -d "{\"ciphertext\":\"$ciphertext\"}" \
+        "$OPENBAO_ADDR/v1/$TRANSIT_PATH/decrypt/$test_key")
+    
+    if echo "$decrypt_response" | grep -q "plaintext"; then
+        decrypted_b64=$(echo "$decrypt_response" | grep -o '"plaintext":"[^"]*"' | cut -d'"' -f4)
+        decrypted=$(echo "$decrypted_b64" | base64 -d)
+        if [ "$decrypted" = "$test_plaintext" ]; then
+            echo "   ✅ Decryption successful: $decrypted"
+        else
+            echo "   ❌ Decryption failed: expected '$test_plaintext', got '$decrypted'"
+        fi
+    else
+        echo "   ❌ Decryption failed: $decrypt_response"
+    fi
+else
+    echo "   ❌ Encryption failed: $encrypt_response"
+fi
+
+echo ""
+echo "📊 OpenBao SSE setup summary:"
+echo "   Address: $OPENBAO_ADDR"
+echo "   Transit Path: $TRANSIT_PATH"
+echo "   Keys Created: ${#keys[@]}"
+echo "   Status: Ready for S3 SSE integration testing"
+echo ""
+echo "🎯 Ready to run S3 SSE integration tests!"
+echo ""
+echo "Usage:"
+echo "   # Run with Docker Compose"
+echo "   make test-with-kms"
+echo ""
+echo "   # Run specific test suites"
+echo "   make test-ssekms-integration"
+echo ""
+echo "   # Check status"
+echo "   curl $OPENBAO_ADDR/v1/sys/health"
+echo ""
+
+echo "✅ OpenBao SSE setup complete!"