mirror of
https://github.com/chrislusf/seaweedfs
synced 2025-08-17 01:22:47 +02:00
26403e8a0d
* fix GetObjectLockConfigurationHandler * cache and use bucket object lock config * subscribe to bucket configuration changes * increase bucket config cache TTL * refactor * Update weed/s3api/s3api_server.go Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * avoid duplidated work * rename variable * Update s3api_object_handlers_put.go * fix routing * admin ui and api handler are consistent now * use fields instead of xml * fix test * address comments * Update weed/s3api/s3api_object_handlers_put.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update test/s3/retention/s3_retention_test.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/object_lock_utils.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * change error style * errorf * read entry once * add s3 tests for object lock and retention * use marker * install s3 tests * Update s3tests.yml * Update s3tests.yml * Update s3tests.conf * Update s3tests.conf * address test errors * address test errors With these fixes, the s3-tests should now: ✅ Return InvalidBucketState (409 Conflict) for object lock operations on invalid buckets ✅ Return MalformedXML for invalid retention configurations ✅ Include VersionId in response headers when available ✅ Return proper HTTP status codes (403 Forbidden for retention mode changes) ✅ Handle all object lock validation errors consistently * fixes With these comprehensive fixes, the s3-tests should now: ✅ Return InvalidBucketState (409 Conflict) for object lock operations on invalid buckets ✅ Return InvalidRetentionPeriod for invalid retention periods ✅ Return MalformedXML for malformed retention configurations ✅ Include VersionId in response headers when available ✅ Return proper HTTP status codes for all error conditions ✅ Handle all object lock validation errors consistently The workflow should now pass significantly more object lock tests, bringing SeaweedFS's S3 object lock implementation much closer to AWS S3 compatibility standards. * fixes With these final fixes, the s3-tests should now: ✅ Return MalformedXML for ObjectLockEnabled: 'Disabled' ✅ Return MalformedXML when both Days and Years are specified in retention configuration ✅ Return InvalidBucketState (409 Conflict) when trying to suspend versioning on buckets with object lock enabled ✅ Handle all object lock validation errors consistently with proper error codes * constants and fixes ✅ Return InvalidRetentionPeriod for invalid retention values (0 days, negative years) ✅ Return ObjectLockConfigurationNotFoundError when object lock configuration doesn't exist ✅ Handle all object lock validation errors consistently with proper error codes * fixes ✅ Return MalformedXML when both Days and Years are specified in the same retention configuration ✅ Return 400 (Bad Request) with InvalidRequest when object lock operations are attempted on buckets without object lock enabled ✅ Handle all object lock validation errors consistently with proper error codes * fixes ✅ Return 409 (Conflict) with InvalidBucketState for bucket-level object lock configuration operations on buckets without object lock enabled ✅ Allow increasing retention periods and overriding retention with same/later dates ✅ Only block decreasing retention periods without proper bypass permissions ✅ Handle all object lock validation errors consistently with proper error codes * fixes ✅ Include VersionId in multipart upload completion responses when versioning is enabled ✅ Block retention mode changes (GOVERNANCE ↔ COMPLIANCE) without bypass permissions ✅ Handle all object lock validation errors consistently with proper error codes ✅ Pass the remaining object lock tests * fix tests * fixes * pass tests * fix tests * fixes * add error mapping * Update s3tests.conf * fix test_object_lock_put_obj_lock_invalid_days * fixes * fix many issues * fix test_object_lock_delete_multipart_object_with_legal_hold_on * fix tests * refactor * fix test_object_lock_delete_object_with_retention_and_marker * fix tests * fix tests * fix tests * fix test itself * fix tests * fix test * Update weed/s3api/s3api_object_retention.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * reduce logs * address comments --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
117 lines
4.9 KiB
Go
117 lines
4.9 KiB
Go
package retention
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/aws"
|
|
"github.com/aws/aws-sdk-go-v2/service/s3"
|
|
"github.com/aws/aws-sdk-go-v2/service/s3/types"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// TestObjectLockValidation tests that S3 Object Lock functionality works end-to-end
|
|
// This test focuses on the complete Object Lock workflow that S3 clients expect
|
|
func TestObjectLockValidation(t *testing.T) {
|
|
client := getS3Client(t)
|
|
bucketName := fmt.Sprintf("object-lock-test-%d", time.Now().UnixNano())
|
|
|
|
t.Logf("=== Validating S3 Object Lock Functionality ===")
|
|
t.Logf("Bucket: %s", bucketName)
|
|
|
|
// Step 1: Create bucket with Object Lock header
|
|
t.Log("\n1. Creating bucket with x-amz-bucket-object-lock-enabled: true")
|
|
_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
|
|
Bucket: aws.String(bucketName),
|
|
ObjectLockEnabledForBucket: aws.Bool(true), // This sends x-amz-bucket-object-lock-enabled: true
|
|
})
|
|
require.NoError(t, err, "Bucket creation should succeed")
|
|
defer client.DeleteBucket(context.TODO(), &s3.DeleteBucketInput{Bucket: aws.String(bucketName)})
|
|
t.Log(" ✅ Bucket created successfully")
|
|
|
|
// Step 2: Check if Object Lock is supported (standard S3 client behavior)
|
|
t.Log("\n2. Testing Object Lock support detection")
|
|
_, err = client.GetObjectLockConfiguration(context.TODO(), &s3.GetObjectLockConfigurationInput{
|
|
Bucket: aws.String(bucketName),
|
|
})
|
|
require.NoError(t, err, "GetObjectLockConfiguration should succeed for Object Lock enabled bucket")
|
|
t.Log(" ✅ GetObjectLockConfiguration succeeded - Object Lock is properly enabled")
|
|
|
|
// Step 3: Verify versioning is enabled (required for Object Lock)
|
|
t.Log("\n3. Verifying versioning is automatically enabled")
|
|
versioningResp, err := client.GetBucketVersioning(context.TODO(), &s3.GetBucketVersioningInput{
|
|
Bucket: aws.String(bucketName),
|
|
})
|
|
require.NoError(t, err)
|
|
require.Equal(t, types.BucketVersioningStatusEnabled, versioningResp.Status, "Versioning should be automatically enabled")
|
|
t.Log(" ✅ Versioning automatically enabled")
|
|
|
|
// Step 4: Test actual Object Lock functionality
|
|
t.Log("\n4. Testing Object Lock retention functionality")
|
|
|
|
// Create an object
|
|
key := "protected-object.dat"
|
|
content := "Important data that needs immutable protection"
|
|
putResp, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
|
|
Bucket: aws.String(bucketName),
|
|
Key: aws.String(key),
|
|
Body: strings.NewReader(content),
|
|
})
|
|
require.NoError(t, err)
|
|
require.NotNil(t, putResp.VersionId, "Object should have a version ID")
|
|
t.Log(" ✅ Object created with versioning")
|
|
|
|
// Apply Object Lock retention
|
|
retentionUntil := time.Now().Add(24 * time.Hour)
|
|
_, err = client.PutObjectRetention(context.TODO(), &s3.PutObjectRetentionInput{
|
|
Bucket: aws.String(bucketName),
|
|
Key: aws.String(key),
|
|
Retention: &types.ObjectLockRetention{
|
|
Mode: types.ObjectLockRetentionModeCompliance,
|
|
RetainUntilDate: aws.Time(retentionUntil),
|
|
},
|
|
})
|
|
require.NoError(t, err, "Setting Object Lock retention should succeed")
|
|
t.Log(" ✅ Object Lock retention applied successfully")
|
|
|
|
// Verify retention allows simple DELETE (creates delete marker) but blocks version deletion
|
|
// AWS S3 behavior: Simple DELETE (without version ID) is ALWAYS allowed and creates delete marker
|
|
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
|
|
Bucket: aws.String(bucketName),
|
|
Key: aws.String(key),
|
|
})
|
|
require.NoError(t, err, "Simple DELETE should succeed and create delete marker (AWS S3 behavior)")
|
|
t.Log(" ✅ Simple DELETE succeeded (creates delete marker - correct AWS behavior)")
|
|
|
|
// Now verify that DELETE with version ID is properly blocked by retention
|
|
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
|
|
Bucket: aws.String(bucketName),
|
|
Key: aws.String(key),
|
|
VersionId: putResp.VersionId,
|
|
})
|
|
require.Error(t, err, "DELETE with version ID should be blocked by COMPLIANCE retention")
|
|
t.Log(" ✅ Object version is properly protected by retention policy")
|
|
|
|
// Verify we can read the object version (should still work)
|
|
// Note: Need to specify version ID since latest version is now a delete marker
|
|
getResp, err := client.GetObject(context.TODO(), &s3.GetObjectInput{
|
|
Bucket: aws.String(bucketName),
|
|
Key: aws.String(key),
|
|
VersionId: putResp.VersionId,
|
|
})
|
|
require.NoError(t, err, "Reading protected object version should still work")
|
|
defer getResp.Body.Close()
|
|
t.Log(" ✅ Protected object can still be read")
|
|
|
|
t.Log("\n🎉 S3 OBJECT LOCK VALIDATION SUCCESSFUL!")
|
|
t.Log(" - Bucket creation with Object Lock header works")
|
|
t.Log(" - Object Lock support detection works (GetObjectLockConfiguration succeeds)")
|
|
t.Log(" - Versioning is automatically enabled")
|
|
t.Log(" - Object Lock retention functionality works")
|
|
t.Log(" - Objects are properly protected from deletion")
|
|
t.Log("")
|
|
t.Log("✅ S3 clients will now recognize SeaweedFS as supporting Object Lock!")
|
|
}
|