1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
|
package retention
import (
"context"
"strings"
"testing"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestPutObjectWithLockHeaders tests that object lock headers in PUT requests
// are properly stored and returned in HEAD responses
func TestPutObjectWithLockHeaders(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
// Create bucket with object lock enabled and versioning
createBucketWithObjectLock(t, client, bucketName)
defer deleteBucket(t, client, bucketName)
key := "test-object-lock-headers"
content := "test content with object lock headers"
retainUntilDate := time.Now().Add(24 * time.Hour)
// Test 1: PUT with COMPLIANCE mode and retention date
t.Run("PUT with COMPLIANCE mode", func(t *testing.T) {
testKey := key + "-compliance"
// PUT object with lock headers
putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
"COMPLIANCE", retainUntilDate, "")
require.NotNil(t, putResp.VersionId)
// HEAD object and verify lock headers are returned
headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(testKey),
})
require.NoError(t, err)
// Verify object lock metadata is present in response
assert.Equal(t, types.ObjectLockModeCompliance, headResp.ObjectLockMode)
assert.NotNil(t, headResp.ObjectLockRetainUntilDate)
assert.WithinDuration(t, retainUntilDate, *headResp.ObjectLockRetainUntilDate, 5*time.Second)
})
// Test 2: PUT with GOVERNANCE mode and retention date
t.Run("PUT with GOVERNANCE mode", func(t *testing.T) {
testKey := key + "-governance"
putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
"GOVERNANCE", retainUntilDate, "")
require.NotNil(t, putResp.VersionId)
headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(testKey),
})
require.NoError(t, err)
assert.Equal(t, types.ObjectLockModeGovernance, headResp.ObjectLockMode)
assert.NotNil(t, headResp.ObjectLockRetainUntilDate)
assert.WithinDuration(t, retainUntilDate, *headResp.ObjectLockRetainUntilDate, 5*time.Second)
})
// Test 3: PUT with legal hold
t.Run("PUT with legal hold", func(t *testing.T) {
testKey := key + "-legal-hold"
putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
"", time.Time{}, "ON")
require.NotNil(t, putResp.VersionId)
headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(testKey),
})
require.NoError(t, err)
assert.Equal(t, types.ObjectLockLegalHoldStatusOn, headResp.ObjectLockLegalHoldStatus)
})
// Test 4: PUT with both retention and legal hold
t.Run("PUT with both retention and legal hold", func(t *testing.T) {
testKey := key + "-both"
putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
"GOVERNANCE", retainUntilDate, "ON")
require.NotNil(t, putResp.VersionId)
headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(testKey),
})
require.NoError(t, err)
assert.Equal(t, types.ObjectLockModeGovernance, headResp.ObjectLockMode)
assert.NotNil(t, headResp.ObjectLockRetainUntilDate)
assert.Equal(t, types.ObjectLockLegalHoldStatusOn, headResp.ObjectLockLegalHoldStatus)
})
}
// TestGetObjectWithLockHeaders verifies that GET requests also return object lock metadata
func TestGetObjectWithLockHeaders(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
createBucketWithObjectLock(t, client, bucketName)
defer deleteBucket(t, client, bucketName)
key := "test-get-object-lock"
content := "test content for GET with lock headers"
retainUntilDate := time.Now().Add(24 * time.Hour)
// PUT object with lock headers
putResp := putObjectWithLockHeaders(t, client, bucketName, key, content,
"COMPLIANCE", retainUntilDate, "ON")
require.NotNil(t, putResp.VersionId)
// GET object and verify lock headers are returned
getResp, err := client.GetObject(context.TODO(), &s3.GetObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
require.NoError(t, err)
defer getResp.Body.Close()
// Verify object lock metadata is present in GET response
assert.Equal(t, types.ObjectLockModeCompliance, getResp.ObjectLockMode)
assert.NotNil(t, getResp.ObjectLockRetainUntilDate)
assert.WithinDuration(t, retainUntilDate, *getResp.ObjectLockRetainUntilDate, 5*time.Second)
assert.Equal(t, types.ObjectLockLegalHoldStatusOn, getResp.ObjectLockLegalHoldStatus)
}
// TestVersionedObjectLockHeaders tests object lock headers work with versioned objects
func TestVersionedObjectLockHeaders(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
createBucketWithObjectLock(t, client, bucketName)
defer deleteBucket(t, client, bucketName)
key := "test-versioned-lock"
content1 := "version 1 content"
content2 := "version 2 content"
retainUntilDate1 := time.Now().Add(12 * time.Hour)
retainUntilDate2 := time.Now().Add(24 * time.Hour)
// PUT first version with GOVERNANCE mode
putResp1 := putObjectWithLockHeaders(t, client, bucketName, key, content1,
"GOVERNANCE", retainUntilDate1, "")
require.NotNil(t, putResp1.VersionId)
// PUT second version with COMPLIANCE mode
putResp2 := putObjectWithLockHeaders(t, client, bucketName, key, content2,
"COMPLIANCE", retainUntilDate2, "ON")
require.NotNil(t, putResp2.VersionId)
require.NotEqual(t, *putResp1.VersionId, *putResp2.VersionId)
// HEAD latest version (version 2)
headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
require.NoError(t, err)
assert.Equal(t, types.ObjectLockModeCompliance, headResp.ObjectLockMode)
assert.Equal(t, types.ObjectLockLegalHoldStatusOn, headResp.ObjectLockLegalHoldStatus)
// HEAD specific version 1
headResp1, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
VersionId: putResp1.VersionId,
})
require.NoError(t, err)
assert.Equal(t, types.ObjectLockModeGovernance, headResp1.ObjectLockMode)
assert.NotEqual(t, types.ObjectLockLegalHoldStatusOn, headResp1.ObjectLockLegalHoldStatus)
}
// TestObjectLockHeadersErrorCases tests various error scenarios
func TestObjectLockHeadersErrorCases(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
createBucketWithObjectLock(t, client, bucketName)
defer deleteBucket(t, client, bucketName)
key := "test-error-cases"
content := "test content for error cases"
// Test 1: Invalid retention mode should be rejected
t.Run("Invalid retention mode", func(t *testing.T) {
_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key + "-invalid-mode"),
Body: strings.NewReader(content),
ObjectLockMode: "INVALID_MODE", // Invalid mode
ObjectLockRetainUntilDate: aws.Time(time.Now().Add(24 * time.Hour)),
})
require.Error(t, err)
})
// Test 2: Retention date in the past should be rejected
t.Run("Past retention date", func(t *testing.T) {
_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key + "-past-date"),
Body: strings.NewReader(content),
ObjectLockMode: "GOVERNANCE",
ObjectLockRetainUntilDate: aws.Time(time.Now().Add(-24 * time.Hour)), // Past date
})
require.Error(t, err)
})
// Test 3: Mode without date should be rejected
t.Run("Mode without retention date", func(t *testing.T) {
_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key + "-no-date"),
Body: strings.NewReader(content),
ObjectLockMode: "GOVERNANCE",
// Missing ObjectLockRetainUntilDate
})
require.Error(t, err)
})
}
// TestObjectLockHeadersNonVersionedBucket tests that object lock fails on non-versioned buckets
func TestObjectLockHeadersNonVersionedBucket(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
// Create regular bucket without object lock/versioning
createBucket(t, client, bucketName)
defer deleteBucket(t, client, bucketName)
key := "test-non-versioned"
content := "test content"
retainUntilDate := time.Now().Add(24 * time.Hour)
// Attempting to PUT with object lock headers should fail
_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
Body: strings.NewReader(content),
ObjectLockMode: "GOVERNANCE",
ObjectLockRetainUntilDate: aws.Time(retainUntilDate),
})
require.Error(t, err)
}
// Helper Functions
// putObjectWithLockHeaders puts an object with object lock headers
func putObjectWithLockHeaders(t *testing.T, client *s3.Client, bucketName, key, content string,
mode string, retainUntilDate time.Time, legalHold string) *s3.PutObjectOutput {
input := &s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
Body: strings.NewReader(content),
}
// Add retention mode and date if specified
if mode != "" {
switch mode {
case "COMPLIANCE":
input.ObjectLockMode = types.ObjectLockModeCompliance
case "GOVERNANCE":
input.ObjectLockMode = types.ObjectLockModeGovernance
}
if !retainUntilDate.IsZero() {
input.ObjectLockRetainUntilDate = aws.Time(retainUntilDate)
}
}
// Add legal hold if specified
if legalHold != "" {
switch legalHold {
case "ON":
input.ObjectLockLegalHoldStatus = types.ObjectLockLegalHoldStatusOn
case "OFF":
input.ObjectLockLegalHoldStatus = types.ObjectLockLegalHoldStatusOff
}
}
resp, err := client.PutObject(context.TODO(), input)
require.NoError(t, err)
return resp
}
// createBucketWithObjectLock creates a bucket with object lock enabled
func createBucketWithObjectLock(t *testing.T, client *s3.Client, bucketName string) {
_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
Bucket: aws.String(bucketName),
ObjectLockEnabledForBucket: aws.Bool(true),
})
require.NoError(t, err)
// Enable versioning (required for object lock)
enableVersioning(t, client, bucketName)
}
|
