diff options
Diffstat (limited to 'weed/s3api/s3api_object_lock_headers_test.go')
| -rw-r--r-- | weed/s3api/s3api_object_lock_headers_test.go | 662 |
1 files changed, 662 insertions, 0 deletions
diff --git a/weed/s3api/s3api_object_lock_headers_test.go b/weed/s3api/s3api_object_lock_headers_test.go new file mode 100644 index 000000000..111aa0fa9 --- /dev/null +++ b/weed/s3api/s3api_object_lock_headers_test.go @@ -0,0 +1,662 @@ +package s3api + +import ( + "fmt" + "net/http/httptest" + "strconv" + "testing" + "time" + + "errors" + + "github.com/seaweedfs/seaweedfs/weed/pb/filer_pb" + "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants" + "github.com/seaweedfs/seaweedfs/weed/s3api/s3err" + "github.com/stretchr/testify/assert" +) + +// TestExtractObjectLockMetadataFromRequest tests the function that extracts +// object lock headers from PUT requests and stores them in Extended attributes. +// This test would have caught the bug where object lock headers were ignored. +func TestExtractObjectLockMetadataFromRequest(t *testing.T) { + s3a := &S3ApiServer{} + + t.Run("Extract COMPLIANCE mode and retention date", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + // Verify mode was stored + assert.Contains(t, entry.Extended, s3_constants.ExtObjectLockModeKey) + assert.Equal(t, "COMPLIANCE", string(entry.Extended[s3_constants.ExtObjectLockModeKey])) + + // Verify retention date was stored + assert.Contains(t, entry.Extended, s3_constants.ExtRetentionUntilDateKey) + storedTimestamp, err := strconv.ParseInt(string(entry.Extended[s3_constants.ExtRetentionUntilDateKey]), 10, 64) + assert.NoError(t, err) + storedTime := time.Unix(storedTimestamp, 0) + assert.WithinDuration(t, retainUntilDate, storedTime, 1*time.Second) + }) + + t.Run("Extract GOVERNANCE mode and retention date", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(12 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "GOVERNANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + assert.Equal(t, "GOVERNANCE", string(entry.Extended[s3_constants.ExtObjectLockModeKey])) + assert.Contains(t, entry.Extended, s3_constants.ExtRetentionUntilDateKey) + }) + + t.Run("Extract legal hold ON", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "ON") + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + assert.Contains(t, entry.Extended, s3_constants.ExtLegalHoldKey) + assert.Equal(t, "ON", string(entry.Extended[s3_constants.ExtLegalHoldKey])) + }) + + t.Run("Extract legal hold OFF", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "OFF") + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + assert.Contains(t, entry.Extended, s3_constants.ExtLegalHoldKey) + assert.Equal(t, "OFF", string(entry.Extended[s3_constants.ExtLegalHoldKey])) + }) + + t.Run("Handle all object lock headers together", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "ON") + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + // All metadata should be stored + assert.Equal(t, "COMPLIANCE", string(entry.Extended[s3_constants.ExtObjectLockModeKey])) + assert.Contains(t, entry.Extended, s3_constants.ExtRetentionUntilDateKey) + assert.Equal(t, "ON", string(entry.Extended[s3_constants.ExtLegalHoldKey])) + }) + + t.Run("Handle no object lock headers", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + // No object lock headers set + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + // No object lock metadata should be stored + assert.NotContains(t, entry.Extended, s3_constants.ExtObjectLockModeKey) + assert.NotContains(t, entry.Extended, s3_constants.ExtRetentionUntilDateKey) + assert.NotContains(t, entry.Extended, s3_constants.ExtLegalHoldKey) + }) + + t.Run("Handle invalid retention date - should return error", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockMode, "GOVERNANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, "invalid-date") + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrInvalidRetentionDateFormat)) + + // Mode should be stored but not invalid date + assert.Equal(t, "GOVERNANCE", string(entry.Extended[s3_constants.ExtObjectLockModeKey])) + assert.NotContains(t, entry.Extended, s3_constants.ExtRetentionUntilDateKey) + }) + + t.Run("Handle invalid legal hold value - should return error", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "INVALID") + + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrInvalidLegalHoldStatus)) + + // No legal hold metadata should be stored due to error + assert.NotContains(t, entry.Extended, s3_constants.ExtLegalHoldKey) + }) +} + +// TestAddObjectLockHeadersToResponse tests the function that adds object lock +// metadata from Extended attributes to HTTP response headers. +// This test would have caught the bug where HEAD responses didn't include object lock metadata. +func TestAddObjectLockHeadersToResponse(t *testing.T) { + s3a := &S3ApiServer{} + + t.Run("Add COMPLIANCE mode and retention date to response", func(t *testing.T) { + w := httptest.NewRecorder() + retainUntilTime := time.Now().Add(24 * time.Hour) + + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtObjectLockModeKey: []byte("COMPLIANCE"), + s3_constants.ExtRetentionUntilDateKey: []byte(strconv.FormatInt(retainUntilTime.Unix(), 10)), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + // Verify headers were set + assert.Equal(t, "COMPLIANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.NotEmpty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + + // Verify the date format is correct + returnedDate := w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate) + parsedTime, err := time.Parse(time.RFC3339, returnedDate) + assert.NoError(t, err) + assert.WithinDuration(t, retainUntilTime, parsedTime, 1*time.Second) + }) + + t.Run("Add GOVERNANCE mode to response", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtObjectLockModeKey: []byte("GOVERNANCE"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + assert.Equal(t, "GOVERNANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + }) + + t.Run("Add legal hold ON to response", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtLegalHoldKey: []byte("ON"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + assert.Equal(t, "ON", w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Add legal hold OFF to response", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtLegalHoldKey: []byte("OFF"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + assert.Equal(t, "OFF", w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Add all object lock headers to response", func(t *testing.T) { + w := httptest.NewRecorder() + retainUntilTime := time.Now().Add(12 * time.Hour) + + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtObjectLockModeKey: []byte("GOVERNANCE"), + s3_constants.ExtRetentionUntilDateKey: []byte(strconv.FormatInt(retainUntilTime.Unix(), 10)), + s3_constants.ExtLegalHoldKey: []byte("ON"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + // All headers should be set + assert.Equal(t, "GOVERNANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.NotEmpty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + assert.Equal(t, "ON", w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Handle entry with no object lock metadata", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + "other-metadata": []byte("some-value"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + // No object lock headers should be set for entries without object lock metadata + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Handle entry with object lock mode but no legal hold - should default to OFF", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtObjectLockModeKey: []byte("GOVERNANCE"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + // Should set mode and default legal hold to OFF + assert.Equal(t, "GOVERNANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + assert.Equal(t, "OFF", w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Handle entry with retention date but no legal hold - should default to OFF", func(t *testing.T) { + w := httptest.NewRecorder() + retainUntilTime := time.Now().Add(24 * time.Hour) + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtRetentionUntilDateKey: []byte(strconv.FormatInt(retainUntilTime.Unix(), 10)), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + // Should set retention date and default legal hold to OFF + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.NotEmpty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + assert.Equal(t, "OFF", w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Handle nil entry gracefully", func(t *testing.T) { + w := httptest.NewRecorder() + + // Should not panic + s3a.addObjectLockHeadersToResponse(w, nil) + + // No headers should be set + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Handle entry with nil Extended map gracefully", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: nil, + } + + // Should not panic + s3a.addObjectLockHeadersToResponse(w, entry) + + // No headers should be set + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + }) + + t.Run("Handle invalid retention timestamp gracefully", func(t *testing.T) { + w := httptest.NewRecorder() + entry := &filer_pb.Entry{ + Extended: map[string][]byte{ + s3_constants.ExtObjectLockModeKey: []byte("COMPLIANCE"), + s3_constants.ExtRetentionUntilDateKey: []byte("invalid-timestamp"), + }, + } + + s3a.addObjectLockHeadersToResponse(w, entry) + + // Mode should be set but not retention date due to invalid timestamp + assert.Equal(t, "COMPLIANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.Empty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + }) +} + +// TestObjectLockHeaderRoundTrip tests the complete round trip: +// extract from request → store in Extended attributes → add to response +func TestObjectLockHeaderRoundTrip(t *testing.T) { + s3a := &S3ApiServer{} + + t.Run("Complete round trip for COMPLIANCE mode", func(t *testing.T) { + // 1. Create request with object lock headers + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "ON") + + // 2. Extract and store in Extended attributes + entry := &filer_pb.Entry{ + Extended: make(map[string][]byte), + } + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + // 3. Add to response headers + w := httptest.NewRecorder() + s3a.addObjectLockHeadersToResponse(w, entry) + + // 4. Verify round trip preserved all data + assert.Equal(t, "COMPLIANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.Equal(t, "ON", w.Header().Get(s3_constants.AmzObjectLockLegalHold)) + + returnedDate := w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate) + parsedTime, err := time.Parse(time.RFC3339, returnedDate) + assert.NoError(t, err) + assert.WithinDuration(t, retainUntilDate, parsedTime, 1*time.Second) + }) + + t.Run("Complete round trip for GOVERNANCE mode", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(12 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "GOVERNANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + entry := &filer_pb.Entry{Extended: make(map[string][]byte)} + err := s3a.extractObjectLockMetadataFromRequest(req, entry) + assert.NoError(t, err) + + w := httptest.NewRecorder() + s3a.addObjectLockHeadersToResponse(w, entry) + + assert.Equal(t, "GOVERNANCE", w.Header().Get(s3_constants.AmzObjectLockMode)) + assert.NotEmpty(t, w.Header().Get(s3_constants.AmzObjectLockRetainUntilDate)) + }) +} + +// TestValidateObjectLockHeaders tests the validateObjectLockHeaders function +// to ensure proper validation of object lock headers in PUT requests +func TestValidateObjectLockHeaders(t *testing.T) { + s3a := &S3ApiServer{} + + t.Run("Valid COMPLIANCE mode with retention date on versioned bucket", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) + + t.Run("Valid GOVERNANCE mode with retention date on versioned bucket", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(12 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "GOVERNANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) + + t.Run("Valid legal hold ON on versioned bucket", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "ON") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) + + t.Run("Valid legal hold OFF on versioned bucket", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "OFF") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) + + t.Run("Invalid object lock mode", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockMode, "INVALID_MODE") + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrInvalidObjectLockMode)) + }) + + t.Run("Invalid legal hold status", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "INVALID_STATUS") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrInvalidLegalHoldStatus)) + }) + + t.Run("Object lock headers on non-versioned bucket", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + err := s3a.validateObjectLockHeaders(req, false) // non-versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrObjectLockVersioningRequired)) + }) + + t.Run("Invalid retention date format", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, "invalid-date-format") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrInvalidRetentionDateFormat)) + }) + + t.Run("Retention date in the past", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + pastDate := time.Now().Add(-24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, pastDate.Format(time.RFC3339)) + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrRetentionDateMustBeFuture)) + }) + + t.Run("Mode without retention date", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set(s3_constants.AmzObjectLockMode, "COMPLIANCE") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrObjectLockModeRequiresDate)) + }) + + t.Run("Retention date without mode", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(24 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrRetentionDateRequiresMode)) + }) + + t.Run("Governance bypass header on non-versioned bucket", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set("x-amz-bypass-governance-retention", "true") + + err := s3a.validateObjectLockHeaders(req, false) // non-versioned bucket + assert.Error(t, err) + assert.True(t, errors.Is(err, ErrGovernanceBypassVersioningRequired)) + }) + + t.Run("Governance bypass header on versioned bucket should pass", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + req.Header.Set("x-amz-bypass-governance-retention", "true") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) + + t.Run("No object lock headers should pass", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + // No object lock headers set + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) + + t.Run("Mixed valid headers should pass", func(t *testing.T) { + req := httptest.NewRequest("PUT", "/bucket/object", nil) + retainUntilDate := time.Now().Add(48 * time.Hour) + req.Header.Set(s3_constants.AmzObjectLockMode, "GOVERNANCE") + req.Header.Set(s3_constants.AmzObjectLockRetainUntilDate, retainUntilDate.Format(time.RFC3339)) + req.Header.Set(s3_constants.AmzObjectLockLegalHold, "ON") + + err := s3a.validateObjectLockHeaders(req, true) // versioned bucket + assert.NoError(t, err) + }) +} + +// TestMapValidationErrorToS3Error tests the error mapping function +func TestMapValidationErrorToS3Error(t *testing.T) { + tests := []struct { + name string + inputError error + expectedCode s3err.ErrorCode + }{ + { + name: "ErrObjectLockVersioningRequired", + inputError: ErrObjectLockVersioningRequired, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "ErrInvalidObjectLockMode", + inputError: ErrInvalidObjectLockMode, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "ErrInvalidLegalHoldStatus", + inputError: ErrInvalidLegalHoldStatus, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "ErrInvalidRetentionDateFormat", + inputError: ErrInvalidRetentionDateFormat, + expectedCode: s3err.ErrMalformedDate, + }, + { + name: "ErrRetentionDateMustBeFuture", + inputError: ErrRetentionDateMustBeFuture, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "ErrObjectLockModeRequiresDate", + inputError: ErrObjectLockModeRequiresDate, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "ErrRetentionDateRequiresMode", + inputError: ErrRetentionDateRequiresMode, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "ErrGovernanceBypassVersioningRequired", + inputError: ErrGovernanceBypassVersioningRequired, + expectedCode: s3err.ErrInvalidRequest, + }, + { + name: "Unknown error defaults to ErrInvalidRequest", + inputError: fmt.Errorf("unknown error"), + expectedCode: s3err.ErrInvalidRequest, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := mapValidationErrorToS3Error(tt.inputError) + assert.Equal(t, tt.expectedCode, result) + }) + } +} + +// TestObjectLockPermissionLogic documents the correct behavior for object lock permission checks +// in PUT operations for both versioned and non-versioned buckets +func TestObjectLockPermissionLogic(t *testing.T) { + t.Run("Non-versioned bucket PUT operation logic", func(t *testing.T) { + // In non-versioned buckets, PUT operations overwrite existing objects + // Therefore, we MUST check if the existing object has object lock protections + // that would prevent overwrite before allowing the PUT operation. + // + // This test documents the expected behavior: + // 1. Check object lock headers validity (handled by validateObjectLockHeaders) + // 2. Check if existing object has object lock protections (handled by checkObjectLockPermissions) + // 3. If existing object is under retention/legal hold, deny the PUT unless governance bypass is valid + + t.Log("For non-versioned buckets:") + t.Log("- PUT operations overwrite existing objects") + t.Log("- Must check existing object lock protections before allowing overwrite") + t.Log("- Governance bypass headers can be used to override GOVERNANCE mode retention") + t.Log("- COMPLIANCE mode retention and legal holds cannot be bypassed") + }) + + t.Run("Versioned bucket PUT operation logic", func(t *testing.T) { + // In versioned buckets, PUT operations create new versions without overwriting existing ones + // Therefore, we do NOT need to check existing object permissions since we're not modifying them. + // We only need to validate the object lock headers for the new version being created. + // + // This test documents the expected behavior: + // 1. Check object lock headers validity (handled by validateObjectLockHeaders) + // 2. Skip checking existing object permissions (since we're creating a new version) + // 3. Apply object lock metadata to the new version being created + + t.Log("For versioned buckets:") + t.Log("- PUT operations create new versions without overwriting existing objects") + t.Log("- No need to check existing object lock protections") + t.Log("- Only validate object lock headers for the new version being created") + t.Log("- Each version has independent object lock settings") + }) + + t.Run("Governance bypass header validation", func(t *testing.T) { + // Governance bypass headers should only be used in specific scenarios: + // 1. Only valid on versioned buckets (consistent with object lock headers) + // 2. For non-versioned buckets: Used to override existing object's GOVERNANCE retention + // 3. For versioned buckets: Not typically needed since new versions don't conflict with existing ones + + t.Log("Governance bypass behavior:") + t.Log("- Only valid on versioned buckets (header validation)") + t.Log("- For non-versioned buckets: Allows overwriting objects under GOVERNANCE retention") + t.Log("- For versioned buckets: Not typically needed for PUT operations") + t.Log("- Must have s3:BypassGovernanceRetention permission") + }) +} |