diff options
| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-07-18 22:25:58 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-07-18 22:25:58 -0700 |
| commit | 26403e8a0d2e4d58abf8acc6bbb1fd0accd93bdb (patch) | |
| tree | 88c3224431eebd7801aa4119c8d129ec6c79dbe9 /test | |
| parent | c6a22ce43a3c0318b7c6841bcbf97937fd11e27c (diff) | |
| download | seaweedfs-26403e8a0d2e4d58abf8acc6bbb1fd0accd93bdb.tar.xz seaweedfs-26403e8a0d2e4d58abf8acc6bbb1fd0accd93bdb.zip | |
Test object lock and retention (#6997)
* fix GetObjectLockConfigurationHandler
* cache and use bucket object lock config
* subscribe to bucket configuration changes
* increase bucket config cache TTL
* refactor
* Update weed/s3api/s3api_server.go
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* avoid duplidated work
* rename variable
* Update s3api_object_handlers_put.go
* fix routing
* admin ui and api handler are consistent now
* use fields instead of xml
* fix test
* address comments
* Update weed/s3api/s3api_object_handlers_put.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update test/s3/retention/s3_retention_test.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update weed/s3api/object_lock_utils.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* change error style
* errorf
* read entry once
* add s3 tests for object lock and retention
* use marker
* install s3 tests
* Update s3tests.yml
* Update s3tests.yml
* Update s3tests.conf
* Update s3tests.conf
* address test errors
* address test errors
With these fixes, the s3-tests should now:
✅ Return InvalidBucketState (409 Conflict) for object lock operations on invalid buckets
✅ Return MalformedXML for invalid retention configurations
✅ Include VersionId in response headers when available
✅ Return proper HTTP status codes (403 Forbidden for retention mode changes)
✅ Handle all object lock validation errors consistently
* fixes
With these comprehensive fixes, the s3-tests should now:
✅ Return InvalidBucketState (409 Conflict) for object lock operations on invalid buckets
✅ Return InvalidRetentionPeriod for invalid retention periods
✅ Return MalformedXML for malformed retention configurations
✅ Include VersionId in response headers when available
✅ Return proper HTTP status codes for all error conditions
✅ Handle all object lock validation errors consistently
The workflow should now pass significantly more object lock tests, bringing SeaweedFS's S3 object lock implementation much closer to AWS S3 compatibility standards.
* fixes
With these final fixes, the s3-tests should now:
✅ Return MalformedXML for ObjectLockEnabled: 'Disabled'
✅ Return MalformedXML when both Days and Years are specified in retention configuration
✅ Return InvalidBucketState (409 Conflict) when trying to suspend versioning on buckets with object lock enabled
✅ Handle all object lock validation errors consistently with proper error codes
* constants and fixes
✅ Return InvalidRetentionPeriod for invalid retention values (0 days, negative years)
✅ Return ObjectLockConfigurationNotFoundError when object lock configuration doesn't exist
✅ Handle all object lock validation errors consistently with proper error codes
* fixes
✅ Return MalformedXML when both Days and Years are specified in the same retention configuration
✅ Return 400 (Bad Request) with InvalidRequest when object lock operations are attempted on buckets without object lock enabled
✅ Handle all object lock validation errors consistently with proper error codes
* fixes
✅ Return 409 (Conflict) with InvalidBucketState for bucket-level object lock configuration operations on buckets without object lock enabled
✅ Allow increasing retention periods and overriding retention with same/later dates
✅ Only block decreasing retention periods without proper bypass permissions
✅ Handle all object lock validation errors consistently with proper error codes
* fixes
✅ Include VersionId in multipart upload completion responses when versioning is enabled
✅ Block retention mode changes (GOVERNANCE ↔ COMPLIANCE) without bypass permissions
✅ Handle all object lock validation errors consistently with proper error codes
✅ Pass the remaining object lock tests
* fix tests
* fixes
* pass tests
* fix tests
* fixes
* add error mapping
* Update s3tests.conf
* fix test_object_lock_put_obj_lock_invalid_days
* fixes
* fix many issues
* fix test_object_lock_delete_multipart_object_with_legal_hold_on
* fix tests
* refactor
* fix test_object_lock_delete_object_with_retention_and_marker
* fix tests
* fix tests
* fix tests
* fix test itself
* fix tests
* fix test
* Update weed/s3api/s3api_object_retention.go
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* reduce logs
* address comments
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/s3/retention/object_lock_validation_test.go | 26 | ||||
| -rw-r--r-- | test/s3/retention/s3_retention_test.go | 86 | ||||
| -rw-r--r-- | test/s3/retention/s3_worm_integration_test.go | 27 |
3 files changed, 99 insertions, 40 deletions
diff --git a/test/s3/retention/object_lock_validation_test.go b/test/s3/retention/object_lock_validation_test.go index f13d093ca..1480f33d4 100644 --- a/test/s3/retention/object_lock_validation_test.go +++ b/test/s3/retention/object_lock_validation_test.go @@ -77,20 +77,32 @@ func TestObjectLockValidation(t *testing.T) { require.NoError(t, err, "Setting Object Lock retention should succeed") t.Log(" ✅ Object Lock retention applied successfully") - // Verify retention is in effect + // Verify retention allows simple DELETE (creates delete marker) but blocks version deletion + // AWS S3 behavior: Simple DELETE (without version ID) is ALWAYS allowed and creates delete marker _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), }) - require.Error(t, err, "Object should be protected by retention and cannot be deleted") - t.Log(" ✅ Object is properly protected by retention policy") + require.NoError(t, err, "Simple DELETE should succeed and create delete marker (AWS S3 behavior)") + t.Log(" ✅ Simple DELETE succeeded (creates delete marker - correct AWS behavior)") - // Verify we can read the object (should still work) + // Now verify that DELETE with version ID is properly blocked by retention + _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, + }) + require.Error(t, err, "DELETE with version ID should be blocked by COMPLIANCE retention") + t.Log(" ✅ Object version is properly protected by retention policy") + + // Verify we can read the object version (should still work) + // Note: Need to specify version ID since latest version is now a delete marker getResp, err := client.GetObject(context.TODO(), &s3.GetObjectInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, }) - require.NoError(t, err, "Reading protected object should still work") + require.NoError(t, err, "Reading protected object version should still work") defer getResp.Body.Close() t.Log(" ✅ Protected object can still be read") diff --git a/test/s3/retention/s3_retention_test.go b/test/s3/retention/s3_retention_test.go index fd85921b7..8477a50bf 100644 --- a/test/s3/retention/s3_retention_test.go +++ b/test/s3/retention/s3_retention_test.go @@ -318,20 +318,29 @@ func TestRetentionModeCompliance(t *testing.T) { require.NoError(t, err) assert.Equal(t, types.ObjectLockRetentionModeCompliance, retentionResp.Retention.Mode) - // Try to delete object with bypass - should still fail (compliance mode) + // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior) _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), - BypassGovernanceRetention: aws.Bool(true), + Bucket: aws.String(bucketName), + Key: aws.String(key), }) - require.Error(t, err) + require.NoError(t, err, "Simple DELETE should succeed and create delete marker") - // Try to delete object without bypass - should also fail + // Try DELETE with version ID - should fail for COMPLIANCE mode _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, }) - require.Error(t, err) + require.Error(t, err, "DELETE with version ID should be blocked by COMPLIANCE retention") + + // Try DELETE with version ID and bypass - should still fail (COMPLIANCE mode ignores bypass) + _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, + BypassGovernanceRetention: aws.Bool(true), + }) + require.Error(t, err, "COMPLIANCE mode should ignore governance bypass") } // TestLegalHoldWorkflow tests legal hold functionality @@ -368,37 +377,48 @@ func TestLegalHoldWorkflow(t *testing.T) { require.NoError(t, err) assert.Equal(t, types.ObjectLockLegalHoldStatusOn, legalHoldResp.LegalHold.Status) - // Try to delete object - should fail due to legal hold + // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior) _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), }) - require.Error(t, err) + require.NoError(t, err, "Simple DELETE should succeed and create delete marker") - // Remove legal hold + // Try DELETE with version ID - should fail due to legal hold + _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, + }) + require.Error(t, err, "DELETE with version ID should be blocked by legal hold") + + // Remove legal hold (must specify version ID since latest version is now delete marker) _, err = client.PutObjectLegalHold(context.TODO(), &s3.PutObjectLegalHoldInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, LegalHold: &types.ObjectLockLegalHold{ Status: types.ObjectLockLegalHoldStatusOff, }, }) require.NoError(t, err) - // Verify legal hold is off + // Verify legal hold is off (must specify version ID) legalHoldResp, err = client.GetObjectLegalHold(context.TODO(), &s3.GetObjectLegalHoldInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, }) require.NoError(t, err) assert.Equal(t, types.ObjectLockLegalHoldStatusOff, legalHoldResp.LegalHold.Status) - // Now delete should succeed + // Now DELETE with version ID should succeed after legal hold removed _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, }) - require.NoError(t, err) + require.NoError(t, err, "DELETE with version ID should succeed after legal hold removed") } // TestObjectLockConfiguration tests bucket object lock configuration @@ -560,31 +580,41 @@ func TestRetentionAndLegalHoldCombination(t *testing.T) { }) require.NoError(t, err) - // Try to delete with bypass governance - should still fail due to legal hold + // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior) + _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ + Bucket: aws.String(bucketName), + Key: aws.String(key), + }) + require.NoError(t, err, "Simple DELETE should succeed and create delete marker") + + // Try DELETE with version ID and bypass - should still fail due to legal hold _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), + VersionId: putResp.VersionId, BypassGovernanceRetention: aws.Bool(true), }) - require.Error(t, err) + require.Error(t, err, "Legal hold should prevent deletion even with governance bypass") - // Remove legal hold + // Remove legal hold (must specify version ID since latest version is now delete marker) _, err = client.PutObjectLegalHold(context.TODO(), &s3.PutObjectLegalHoldInput{ - Bucket: aws.String(bucketName), - Key: aws.String(key), + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, LegalHold: &types.ObjectLockLegalHold{ Status: types.ObjectLockLegalHoldStatusOff, }, }) require.NoError(t, err) - // Now delete with bypass governance should succeed + // Now DELETE with version ID and bypass governance should succeed _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), + VersionId: putResp.VersionId, BypassGovernanceRetention: aws.Bool(true), }) - require.NoError(t, err) + require.NoError(t, err, "DELETE with version ID should succeed after legal hold removed and with governance bypass") } // TestExpiredRetention tests that objects can be deleted after retention expires diff --git a/test/s3/retention/s3_worm_integration_test.go b/test/s3/retention/s3_worm_integration_test.go index e43510751..19010092c 100644 --- a/test/s3/retention/s3_worm_integration_test.go +++ b/test/s3/retention/s3_worm_integration_test.go @@ -42,17 +42,26 @@ func TestWORMRetentionIntegration(t *testing.T) { }) require.NoError(t, err) - // Try to delete - should fail due to retention + // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior) _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), }) - require.Error(t, err) + require.NoError(t, err, "Simple DELETE should succeed and create delete marker") - // Delete with bypass should succeed + // Try DELETE with version ID - should fail due to GOVERNANCE retention + _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: putResp.VersionId, + }) + require.Error(t, err, "DELETE with version ID should be blocked by GOVERNANCE retention") + + // Delete with version ID and bypass should succeed _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), + VersionId: putResp.VersionId, BypassGovernanceRetention: aws.Bool(true), }) require.NoError(t, err) @@ -316,12 +325,20 @@ func TestRetentionWithMultipartUpload(t *testing.T) { }) require.NoError(t, err) - // Try to delete - should fail + // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior) _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(key), }) - require.Error(t, err) + require.NoError(t, err, "Simple DELETE should succeed and create delete marker") + + // Try DELETE with version ID - should fail due to GOVERNANCE retention + _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{ + Bucket: aws.String(bucketName), + Key: aws.String(key), + VersionId: completeResp.VersionId, + }) + require.Error(t, err, "DELETE with version ID should be blocked by GOVERNANCE retention") } // TestRetentionExtendedAttributes tests that retention uses extended attributes correctly |