feat: Added integration tests for bypass governance retention functio…

…nality
versity · May 28, 2024 · 9e8458a · 9e8458a
1 parent fb27e27
commit 9e8458a
Show file tree

Hide file tree

Showing 5 changed files with 796 additions and 306 deletions.
diff --git a/auth/object_lock.go b/auth/object_lock.go
@@ -154,13 +154,26 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 		return nil
 	}
 
-	objExists := true
+	checkDefaultRetention := false
+
+	if bucketLockConfig.DefaultRetention != nil && bucketLockConfig.CreatedAt != nil {
+		expirationDate := *bucketLockConfig.CreatedAt
+		if bucketLockConfig.DefaultRetention.Days != nil {
+			expirationDate = expirationDate.AddDate(0, 0, int(*bucketLockConfig.DefaultRetention.Days))
+		}
+		if bucketLockConfig.DefaultRetention.Years != nil {
+			expirationDate = expirationDate.AddDate(int(*bucketLockConfig.DefaultRetention.Years), 0, 0)
+		}
+
+		if expirationDate.After(time.Now()) {
+			checkDefaultRetention = true
+		}
+	}
 
 	for _, obj := range objects {
 		checkRetention := true
 		retentionData, err := be.GetObjectRetention(ctx, bucket, obj, "")
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchKey)) {
-			objExists = false
 			continue
 		}
 		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
@@ -185,14 +198,14 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 						} else {
 							policy, err := be.GetBucketPolicy(ctx, bucket)
 							if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
-								return s3err.GetAPIError(s3err.ErrAccessDenied)
+								return s3err.GetAPIError(s3err.ErrObjectLocked)
 							}
 							if err != nil {
 								return err
 							}
 							err = VerifyBucketPolicy(policy, userAccess, bucket, obj, BypassGovernanceRetentionAction)
 							if err != nil {
-								return s3err.GetAPIError(s3err.ErrAccessDenied)
+								return s3err.GetAPIError(s3err.ErrObjectLocked)
 							}
 						}
 					case types.ObjectLockRetentionModeCompliance:
@@ -202,46 +215,37 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 			}
 		}
 
+		checkLegalHold := true
+
 		status, err := be.GetObjectLegalHold(ctx, bucket, obj, "")
-		if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
-			continue
-		}
 		if err != nil {
-			return err
+			if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchObjectLockConfiguration)) {
+				checkLegalHold = false
+			} else {
+				return err
+			}
 		}
 
-		if *status {
+		if checkLegalHold && *status {
 			return s3err.GetAPIError(s3err.ErrObjectLocked)
 		}
-	}
-
-	fmt.Println(objExists, "objExists")
-
-	if bucketLockConfig.DefaultRetention != nil && bucketLockConfig.CreatedAt != nil && objExists {
-		expirationDate := *bucketLockConfig.CreatedAt
-		if bucketLockConfig.DefaultRetention.Days != nil {
-			expirationDate = expirationDate.AddDate(0, 0, int(*bucketLockConfig.DefaultRetention.Days))
-		}
-		if bucketLockConfig.DefaultRetention.Years != nil {
-			expirationDate = expirationDate.AddDate(int(*bucketLockConfig.DefaultRetention.Years), 0, 0)
-		}
 
-		if expirationDate.After(time.Now()) {
+		if checkDefaultRetention {
 			switch bucketLockConfig.DefaultRetention.Mode {
 			case types.ObjectLockRetentionModeGovernance:
 				if !bypass {
 					return s3err.GetAPIError(s3err.ErrObjectLocked)
 				} else {
 					policy, err := be.GetBucketPolicy(ctx, bucket)
 					if errors.Is(err, s3err.GetAPIError(s3err.ErrNoSuchBucketPolicy)) {
-						return s3err.GetAPIError(s3err.ErrAccessDenied)
+						return s3err.GetAPIError(s3err.ErrObjectLocked)
 					}
 					if err != nil {
 						return err
 					}
-					err = VerifyBucketPolicy(policy, userAccess, bucket, "", BypassGovernanceRetentionAction)
+					err = VerifyBucketPolicy(policy, userAccess, bucket, obj, BypassGovernanceRetentionAction)
 					if err != nil {
-						return s3err.GetAPIError(s3err.ErrAccessDenied)
+						return s3err.GetAPIError(s3err.ErrObjectLocked)
 					}
 				}
 			case types.ObjectLockRetentionModeCompliance:
@@ -250,7 +254,5 @@ func CheckObjectAccess(ctx context.Context, bucket, userAccess string, objects [
 		}
 	}
 
-	fmt.Println("the code is hereeeeee")
-
 	return nil
 }
diff --git a/backend/posix/posix.go b/backend/posix/posix.go
@@ -1403,9 +1403,7 @@ func (p *Posix) PutObject(ctx context.Context, po *s3.PutObjectInput) (string, e
 		if err != nil {
 			return "", fmt.Errorf("parse object lock retention: %w", err)
 		}
-		fmt.Println("putting object retention")
 		if err := p.PutObjectRetention(ctx, *po.Bucket, *po.Key, "", true, retParsed); err != nil {
-			fmt.Println("put object retention error: ", err)
 			return "", err
 		}
 	}

diff --git a/s3api/controllers/base.go b/s3api/controllers/base.go
@@ -1383,7 +1383,7 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
 				})
 		}
 
-		bypassHdr := ctx.Get("")
+		bypassHdr := ctx.Get("X-Amz-Bypass-Governance-Retention")
 		bypass := bypassHdr == "true"
 		if bypass {
 			policy, err := c.be.GetBucketPolicy(ctx.Context(), bucket)
@@ -2053,7 +2053,6 @@ func (c S3ApiController) DeleteActions(ctx *fiber.Ctx) error {
 	isRoot := ctx.Locals("isRoot").(bool)
 	parsedAcl := ctx.Locals("parsedAcl").(auth.ACL)
 	bypass := ctx.Get("X-Amz-Bypass-Governance-Retention")
-	fmt.Println("bypass: ", bypass)
 
 	if keyEnd != "" {
 		key = strings.Join([]string{key, keyEnd}, "/")