3 files changed, 53 insertions, 6 deletions

diff --git a/weed/s3api/cors/cors_test.go b/weed/s3api/cors/cors_test.go
index 8494a284d..7b72ee482 100644
--- a/weed/s3api/cors/cors_test.go
+++ b/weed/s3api/cors/cors_test.go
@@ -263,6 +263,49 @@ func TestMatchesOrigin(t *testing.T) {
 			origin:         "http://other.com",
 			want:           true,
 		},
+		// HTTPS test cases
+		{
+			name:           "https exact match",
+			allowedOrigins: []string{"https://example.com"},
+			origin:         "https://example.com",
+			want:           true,
+		},
+		{
+			name:           "https no match",
+			allowedOrigins: []string{"https://example.com"},
+			origin:         "https://other.com",
+			want:           false,
+		},
+		{
+			name:           "https wildcard subdomain match",
+			allowedOrigins: []string{"https://*.example.com"},
+			origin:         "https://api.example.com",
+			want:           true,
+		},
+		{
+			name:           "https wildcard subdomain no match - base domain",
+			allowedOrigins: []string{"https://*.example.com"},
+			origin:         "https://example.com",
+			want:           false,
+		},
+		{
+			name:           "https wildcard subdomain no match - different domain",
+			allowedOrigins: []string{"https://*.example.com"},
+			origin:         "https://api.other.com",
+			want:           false,
+		},
+		{
+			name:           "protocol mismatch - http pattern https origin",
+			allowedOrigins: []string{"http://*.example.com"},
+			origin:         "https://api.example.com",
+			want:           false,
+		},
+		{
+			name:           "protocol mismatch - https pattern http origin",
+			allowedOrigins: []string{"https://*.example.com"},
+			origin:         "http://api.example.com",
+			want:           false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -480,7 +523,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Headers":  "Content-Type",
 				"Access-Control-Expose-Headers": "ETag",
 				"Access-Control-Max-Age":        "3600",
-				"Vary":        					 "Origin",
+				"Vary":                          "Origin",
 			},
 		},
 		{
@@ -494,7 +537,7 @@ func TestApplyHeaders(t *testing.T) {
 				"Access-Control-Allow-Origin":      "http://example.com",
 				"Access-Control-Allow-Methods":     "GET",
 				"Access-Control-Allow-Credentials": "true",
-				"Vary":        					    "Origin",
+				"Vary":                             "Origin",
 			},
 		},
 	}
diff --git a/weed/s3api/s3_bucket_encryption.go b/weed/s3api/s3_bucket_encryption.go
index 0d54c2cd5..cc9a0220f 100644
--- a/weed/s3api/s3_bucket_encryption.go
+++ b/weed/s3api/s3_bucket_encryption.go
@@ -218,13 +218,14 @@ func (s3a *S3ApiServer) getEncryptionConfiguration(bucket string) (*s3_pb.Encryp
 // updateEncryptionConfiguration updates the encryption configuration for a bucket
 func (s3a *S3ApiServer) updateEncryptionConfiguration(bucket string, encryptionConfig *s3_pb.EncryptionConfiguration) s3err.ErrorCode {
 	// Update using structured API
+	// Note: UpdateBucketEncryption -> UpdateBucketMetadata -> setBucketMetadata
+	// already invalidates the cache synchronously after successful update
 	err := s3a.UpdateBucketEncryption(bucket, encryptionConfig)
 	if err != nil {
 		glog.Errorf("updateEncryptionConfiguration: failed to update encryption config for bucket %s: %v", bucket, err)
 		return s3err.ErrInternalError
 	}
 
-	// Cache will be updated automatically via metadata subscription
 	return s3err.ErrNone
 }
 
@@ -242,13 +243,14 @@ func (s3a *S3ApiServer) removeEncryptionConfiguration(bucket string) s3err.Error
 	}
 
 	// Update using structured API
+	// Note: ClearBucketEncryption -> UpdateBucketMetadata -> setBucketMetadata
+	// already invalidates the cache synchronously after successful update
 	err = s3a.ClearBucketEncryption(bucket)
 	if err != nil {
 		glog.Errorf("removeEncryptionConfiguration: failed to remove encryption config for bucket %s: %v", bucket, err)
 		return s3err.ErrInternalError
 	}
 
-	// Cache will be updated automatically via metadata subscription
 	return s3err.ErrNone
 }
 
diff --git a/weed/s3api/s3api_bucket_config.go b/weed/s3api/s3api_bucket_config.go
index 6076f0108..94fd493a8 100644
--- a/weed/s3api/s3api_bucket_config.go
+++ b/weed/s3api/s3api_bucket_config.go
@@ -612,26 +612,28 @@ func (s3a *S3ApiServer) getCORSConfiguration(bucket string) (*cors.CORSConfigura
 // updateCORSConfiguration updates the CORS configuration for a bucket
 func (s3a *S3ApiServer) updateCORSConfiguration(bucket string, corsConfig *cors.CORSConfiguration) s3err.ErrorCode {
 	// Update using structured API
+	// Note: UpdateBucketCORS -> UpdateBucketMetadata -> setBucketMetadata
+	// already invalidates the cache synchronously after successful update
 	err := s3a.UpdateBucketCORS(bucket, corsConfig)
 	if err != nil {
 		glog.Errorf("updateCORSConfiguration: failed to update CORS config for bucket %s: %v", bucket, err)
 		return s3err.ErrInternalError
 	}
 
-	// Cache will be updated automatically via metadata subscription
 	return s3err.ErrNone
 }
 
 // removeCORSConfiguration removes the CORS configuration for a bucket
 func (s3a *S3ApiServer) removeCORSConfiguration(bucket string) s3err.ErrorCode {
 	// Update using structured API
+	// Note: ClearBucketCORS -> UpdateBucketMetadata -> setBucketMetadata
+	// already invalidates the cache synchronously after successful update
 	err := s3a.ClearBucketCORS(bucket)
 	if err != nil {
 		glog.Errorf("removeCORSConfiguration: failed to remove CORS config for bucket %s: %v", bucket, err)
 		return s3err.ErrInternalError
 	}
 
-	// Cache will be updated automatically via metadata subscription
 	return s3err.ErrNone
 }