aboutsummaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/s3/retention/object_lock_validation_test.go26
-rw-r--r--test/s3/retention/s3_retention_test.go86
-rw-r--r--test/s3/retention/s3_worm_integration_test.go27
3 files changed, 99 insertions, 40 deletions
diff --git a/test/s3/retention/object_lock_validation_test.go b/test/s3/retention/object_lock_validation_test.go
index f13d093ca..1480f33d4 100644
--- a/test/s3/retention/object_lock_validation_test.go
+++ b/test/s3/retention/object_lock_validation_test.go
@@ -77,20 +77,32 @@ func TestObjectLockValidation(t *testing.T) {
require.NoError(t, err, "Setting Object Lock retention should succeed")
t.Log(" ✅ Object Lock retention applied successfully")
- // Verify retention is in effect
+ // Verify retention allows simple DELETE (creates delete marker) but blocks version deletion
+ // AWS S3 behavior: Simple DELETE (without version ID) is ALWAYS allowed and creates delete marker
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
- require.Error(t, err, "Object should be protected by retention and cannot be deleted")
- t.Log(" ✅ Object is properly protected by retention policy")
+ require.NoError(t, err, "Simple DELETE should succeed and create delete marker (AWS S3 behavior)")
+ t.Log(" ✅ Simple DELETE succeeded (creates delete marker - correct AWS behavior)")
- // Verify we can read the object (should still work)
+ // Now verify that DELETE with version ID is properly blocked by retention
+ _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
+ })
+ require.Error(t, err, "DELETE with version ID should be blocked by COMPLIANCE retention")
+ t.Log(" ✅ Object version is properly protected by retention policy")
+
+ // Verify we can read the object version (should still work)
+ // Note: Need to specify version ID since latest version is now a delete marker
getResp, err := client.GetObject(context.TODO(), &s3.GetObjectInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
})
- require.NoError(t, err, "Reading protected object should still work")
+ require.NoError(t, err, "Reading protected object version should still work")
defer getResp.Body.Close()
t.Log(" ✅ Protected object can still be read")
diff --git a/test/s3/retention/s3_retention_test.go b/test/s3/retention/s3_retention_test.go
index fd85921b7..8477a50bf 100644
--- a/test/s3/retention/s3_retention_test.go
+++ b/test/s3/retention/s3_retention_test.go
@@ -318,20 +318,29 @@ func TestRetentionModeCompliance(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, types.ObjectLockRetentionModeCompliance, retentionResp.Retention.Mode)
- // Try to delete object with bypass - should still fail (compliance mode)
+ // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior)
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
- BypassGovernanceRetention: aws.Bool(true),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
})
- require.Error(t, err)
+ require.NoError(t, err, "Simple DELETE should succeed and create delete marker")
- // Try to delete object without bypass - should also fail
+ // Try DELETE with version ID - should fail for COMPLIANCE mode
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
})
- require.Error(t, err)
+ require.Error(t, err, "DELETE with version ID should be blocked by COMPLIANCE retention")
+
+ // Try DELETE with version ID and bypass - should still fail (COMPLIANCE mode ignores bypass)
+ _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
+ BypassGovernanceRetention: aws.Bool(true),
+ })
+ require.Error(t, err, "COMPLIANCE mode should ignore governance bypass")
}
// TestLegalHoldWorkflow tests legal hold functionality
@@ -368,37 +377,48 @@ func TestLegalHoldWorkflow(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, types.ObjectLockLegalHoldStatusOn, legalHoldResp.LegalHold.Status)
- // Try to delete object - should fail due to legal hold
+ // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior)
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
- require.Error(t, err)
+ require.NoError(t, err, "Simple DELETE should succeed and create delete marker")
- // Remove legal hold
+ // Try DELETE with version ID - should fail due to legal hold
+ _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
+ })
+ require.Error(t, err, "DELETE with version ID should be blocked by legal hold")
+
+ // Remove legal hold (must specify version ID since latest version is now delete marker)
_, err = client.PutObjectLegalHold(context.TODO(), &s3.PutObjectLegalHoldInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
LegalHold: &types.ObjectLockLegalHold{
Status: types.ObjectLockLegalHoldStatusOff,
},
})
require.NoError(t, err)
- // Verify legal hold is off
+ // Verify legal hold is off (must specify version ID)
legalHoldResp, err = client.GetObjectLegalHold(context.TODO(), &s3.GetObjectLegalHoldInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
})
require.NoError(t, err)
assert.Equal(t, types.ObjectLockLegalHoldStatusOff, legalHoldResp.LegalHold.Status)
- // Now delete should succeed
+ // Now DELETE with version ID should succeed after legal hold removed
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
})
- require.NoError(t, err)
+ require.NoError(t, err, "DELETE with version ID should succeed after legal hold removed")
}
// TestObjectLockConfiguration tests bucket object lock configuration
@@ -560,31 +580,41 @@ func TestRetentionAndLegalHoldCombination(t *testing.T) {
})
require.NoError(t, err)
- // Try to delete with bypass governance - should still fail due to legal hold
+ // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior)
+ _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ })
+ require.NoError(t, err, "Simple DELETE should succeed and create delete marker")
+
+ // Try DELETE with version ID and bypass - should still fail due to legal hold
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
+ VersionId: putResp.VersionId,
BypassGovernanceRetention: aws.Bool(true),
})
- require.Error(t, err)
+ require.Error(t, err, "Legal hold should prevent deletion even with governance bypass")
- // Remove legal hold
+ // Remove legal hold (must specify version ID since latest version is now delete marker)
_, err = client.PutObjectLegalHold(context.TODO(), &s3.PutObjectLegalHoldInput{
- Bucket: aws.String(bucketName),
- Key: aws.String(key),
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
LegalHold: &types.ObjectLockLegalHold{
Status: types.ObjectLockLegalHoldStatusOff,
},
})
require.NoError(t, err)
- // Now delete with bypass governance should succeed
+ // Now DELETE with version ID and bypass governance should succeed
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
+ VersionId: putResp.VersionId,
BypassGovernanceRetention: aws.Bool(true),
})
- require.NoError(t, err)
+ require.NoError(t, err, "DELETE with version ID should succeed after legal hold removed and with governance bypass")
}
// TestExpiredRetention tests that objects can be deleted after retention expires
diff --git a/test/s3/retention/s3_worm_integration_test.go b/test/s3/retention/s3_worm_integration_test.go
index e43510751..19010092c 100644
--- a/test/s3/retention/s3_worm_integration_test.go
+++ b/test/s3/retention/s3_worm_integration_test.go
@@ -42,17 +42,26 @@ func TestWORMRetentionIntegration(t *testing.T) {
})
require.NoError(t, err)
- // Try to delete - should fail due to retention
+ // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior)
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
- require.Error(t, err)
+ require.NoError(t, err, "Simple DELETE should succeed and create delete marker")
- // Delete with bypass should succeed
+ // Try DELETE with version ID - should fail due to GOVERNANCE retention
+ _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: putResp.VersionId,
+ })
+ require.Error(t, err, "DELETE with version ID should be blocked by GOVERNANCE retention")
+
+ // Delete with version ID and bypass should succeed
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
+ VersionId: putResp.VersionId,
BypassGovernanceRetention: aws.Bool(true),
})
require.NoError(t, err)
@@ -316,12 +325,20 @@ func TestRetentionWithMultipartUpload(t *testing.T) {
})
require.NoError(t, err)
- // Try to delete - should fail
+ // Try simple DELETE - should succeed and create delete marker (AWS S3 behavior)
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
- require.Error(t, err)
+ require.NoError(t, err, "Simple DELETE should succeed and create delete marker")
+
+ // Try DELETE with version ID - should fail due to GOVERNANCE retention
+ _, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
+ Bucket: aws.String(bucketName),
+ Key: aws.String(key),
+ VersionId: completeResp.VersionId,
+ })
+ require.Error(t, err, "DELETE with version ID should be blocked by GOVERNANCE retention")
}
// TestRetentionExtendedAttributes tests that retention uses extended attributes correctly
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-24 18:58:11 +0000