Merge branch 'improvement/CLDSRV-741-putversionretention' into tmp/octopus/w/9.1/improvement/CLDSRV-741-putversionretention

bert-e · bert-e · commit 7335f5fa1a4a · 2025-09-29T14:21:44.000Z
diff --git a/tests/functional/aws-node-sdk/lib/utility/bucket-util.js b/tests/functional/aws-node-sdk/lib/utility/bucket-util.js
@@ -82,7 +82,7 @@ class BucketUtility {
      * @returns {Promise.<T>}
      */
 
-    empty(bucketName) {
+    empty(bucketName, BypassGovernanceRetention = false) {
         const param = {
             Bucket: bucketName,
         };
@@ -99,6 +99,7 @@ class BucketUtility {
                                 Bucket: bucketName,
                                 Key: object.Key,
                                 VersionId: object.VersionId,
+                                ...(BypassGovernanceRetention && { BypassGovernanceRetention }),
                             }).promise()
                               .then(() => object)
                         )
@@ -110,6 +111,7 @@ class BucketUtility {
                                     Bucket: bucketName,
                                     Key: object.Key,
                                     VersionId: object.VersionId,
+                                    ...(BypassGovernanceRetention && { BypassGovernanceRetention }),
                                 }).promise()
                                 .then(() => object)
                             )
@@ -120,6 +122,7 @@ class BucketUtility {
                                      Bucket: bucketName,
                                      Key: object.Key,
                                      VersionId: object.VersionId,
+                                     ...(BypassGovernanceRetention && { BypassGovernanceRetention }),
                                  }).promise()
                                  .then(() => object)))
                 )
diff --git a/tests/functional/aws-node-sdk/test/object/putObjectLegalHold.js b/tests/functional/aws-node-sdk/test/object/putObjectLegalHold.js
@@ -1,9 +1,12 @@
 const assert = require('assert');
+const AWS = require('aws-sdk');
+const { errorInstances } = require('arsenal');
 
 const withV4 = require('../support/withV4');
 const BucketUtility = require('../../lib/utility/bucket-util');
 const checkError = require('../../lib/utility/checkError');
 const changeObjectLock = require('../../../../utilities/objectLock-util');
+const { VALIDATE_CREDENTIALS, SIGN } = AWS.EventListeners.Core;
 
 const bucket = 'mock-bucket-lock';
 const unlockedBucket = 'mock-bucket-no-lock';
@@ -190,3 +193,142 @@ describeSkipIfCeph('PUT object legal hold', () => {
         });
     });
 });
+
+// Use bucket policy to test iam action for putObjectLegalHold with version id
+// It used to need non standard s3:PutObjectVersionLegalHold action but was fixed
+// by ARSN-297 ARTESCA-7107
+describeSkipIfCeph('PUT object legal hold iam action and version id', () => {
+    withV4(sigCfg => {
+        const bucketUtil = new BucketUtility('default', sigCfg);
+        const s3 = bucketUtil.s3;
+        const testBucket = 'bucket-policy-legalhold-test';
+        let versionId;
+
+        const legalHoldConfig = { Status: 'ON' };
+
+        function awsRequest(auth, operation, params, callback) {
+            if (auth) {
+                bucketUtil.s3[operation](params, callback);
+            } else {
+                const unauthBucketUtil = new BucketUtility('default', sigCfg);
+                const request = unauthBucketUtil.s3[operation](params);
+                request.removeListener('validate', VALIDATE_CREDENTIALS);
+                request.removeListener('sign', SIGN);
+                request.send(callback);
+            }
+        }
+
+        function cbNoError(done) {
+            return err => {
+                assert.ifError(err);
+                done();
+            };
+        }
+
+        function cbWithError(done) {
+            return err => {
+                assert.strictEqual(err.statusCode, errorInstances.AccessDenied.code);
+                done();
+            };
+        }
+
+        beforeEach(() => {
+            process.stdout.write('Setting up bucket policy legal hold tests\n');
+            return s3.createBucket({
+                Bucket: testBucket,
+                ObjectLockEnabledForBucket: true,
+            }).promise()
+            .then(() => s3.putObject({ Bucket: testBucket, Key: key }).promise())
+            .then(res => {
+                versionId = res.VersionId;
+            })
+            .catch(err => {
+                process.stdout.write('Error in beforeEach\n');
+                throw err;
+            });
+        });
+
+        afterEach(() => {
+            process.stdout.write('Cleaning up bucket policy legal hold tests\n');
+            return bucketUtil.empty(testBucket)
+            .then(() => bucketUtil.deleteMany([testBucket]))
+            .catch(err => {
+                process.stdout.write('Error in afterEach\n');
+                throw err;
+            });
+        });
+
+        const policyTestCases = [
+            {
+                action: 's3:PutObjectLegalHold',
+                expectedResult: 'allow',
+                callback: cbNoError,
+            },
+            {
+                action: 's3:PutObjectVersionLegalHold',
+                expectedResult: 'deny',
+                callback: cbWithError,
+            },
+        ];
+
+        policyTestCases.forEach(testCase => {
+            describe(`with ${testCase.action} policy`, () => {
+                beforeEach(done => {
+                    const statement = {
+                        Sid: 'AllowLegalHold',
+                        Effect: 'Allow',
+                        Principal: '*',
+                        Action: [testCase.action],
+                        Resource: [`arn:aws:s3:::${testBucket}/*`],
+                    };
+                    const bucketPolicy = {
+                        Version: '2012-10-17',
+                        Statement: [statement],
+                    };
+                    s3.putBucketPolicy({
+                        Bucket: testBucket,
+                        Policy: JSON.stringify(bucketPolicy),
+                    }, err => {
+                        assert.ifError(err);
+                        done();
+                    });
+                });
+
+                if (testCase.expectedResult === 'allow') {
+                    afterEach(() =>
+                        s3.putObjectLegalHold({
+                            Bucket: testBucket,
+                            Key: key,
+                            LegalHold: { Status: 'OFF' },
+                        }).promise()
+                        .then(() => s3.putObjectLegalHold({
+                            Bucket: testBucket,
+                            Key: key,
+                            VersionId: versionId,
+                            LegalHold: { Status: 'OFF' },
+                        }).promise())
+                    );
+                }
+
+                it(`should ${testCase.expectedResult} unauthenticated putObjectLegalHold without VersionId`, done => {
+                    const params = {
+                        Bucket: testBucket,
+                        Key: key,
+                        LegalHold: legalHoldConfig,
+                    };
+                    awsRequest(false, 'putObjectLegalHold', params, testCase.callback(done));
+                });
+
+                it(`should ${testCase.expectedResult} unauthenticated putObjectLegalHold with VersionId`, done => {
+                    const params = {
+                        Bucket: testBucket,
+                        Key: key,
+                        LegalHold: legalHoldConfig,
+                        VersionId: versionId,
+                    };
+                    awsRequest(false, 'putObjectLegalHold', params, testCase.callback(done));
+                });
+            });
+        });
+    });
+});
diff --git a/tests/functional/aws-node-sdk/test/object/putRetention.js b/tests/functional/aws-node-sdk/test/object/putRetention.js
@@ -1,10 +1,13 @@
 const assert = require('assert');
 const moment = require('moment');
+const AWS = require('aws-sdk');
+const { errorInstances } = require('arsenal');
 
 const withV4 = require('../support/withV4');
 const BucketUtility = require('../../lib/utility/bucket-util');
 const checkError = require('../../lib/utility/checkError');
 const changeObjectLock = require('../../../../utilities/objectLock-util');
+const { VALIDATE_CREDENTIALS, SIGN } = AWS.EventListeners.Core;
 
 const bucketName = 'lockenabledputbucket';
 const unlockedBucket = 'locknotenabledputbucket';
@@ -144,3 +147,124 @@ describeSkipIfCeph('PUT object retention', () => {
         });
     });
 });
+
+// Use bucket policy to test iam action for putObjectRetention with version id
+// It used to need non standard s3:PutObjectVersionRetention action but was fixed
+// by ARSN-297 ARTESCA-7107
+describeSkipIfCeph('PUT object retention iam action and version id', () => {
+    withV4(sigCfg => {
+        const bucketUtil = new BucketUtility('default', sigCfg);
+        const s3 = bucketUtil.s3;
+        const testBucket = 'bucket-policy-retention-test';
+        let versionId;
+
+        function awsRequest(auth, operation, params, callback) {
+            if (auth) {
+                bucketUtil.s3[operation](params, callback);
+            } else {
+                const unauthBucketUtil = new BucketUtility('default', sigCfg);
+                const request = unauthBucketUtil.s3[operation](params);
+                request.removeListener('validate', VALIDATE_CREDENTIALS);
+                request.removeListener('sign', SIGN);
+                request.send(callback);
+            }
+        }
+
+        function cbNoError(done) {
+            return err => {
+                assert.ifError(err);
+                done();
+            };
+        }
+
+        function cbWithError(done) {
+            return err => {
+                assert.strictEqual(err.statusCode, errorInstances.AccessDenied.code);
+                done();
+            };
+        }
+
+        beforeEach(() => {
+            process.stdout.write('Setting up bucket policy retention tests\n');
+            return s3.createBucket({
+                Bucket: testBucket,
+                ObjectLockEnabledForBucket: true,
+            }).promise()
+            .then(() => s3.putObject({ Bucket: testBucket, Key: objectName }).promise())
+            .then(res => {
+                versionId = res.VersionId;
+            })
+            .catch(err => {
+                process.stdout.write('Error in beforeEach\n');
+                throw err;
+            });
+        });
+
+        afterEach(() => {
+            process.stdout.write('Cleaning up bucket policy retention tests\n');
+            return bucketUtil.empty(testBucket, true)
+            .then(() => bucketUtil.deleteMany([testBucket]))
+            .catch(err => {
+                process.stdout.write('Error in afterEach\n');
+                throw err;
+            });
+        });
+
+        const policyTestCases = [
+            {
+                action: 's3:PutObjectRetention',
+                expectedResult: 'allow',
+                callback: cbNoError,
+            },
+            {
+                action: 's3:PutObjectVersionRetention',
+                expectedResult: 'deny',
+                callback: cbWithError,
+            },
+        ];
+
+        policyTestCases.forEach(testCase => {
+            describe(`with ${testCase.action} policy`, () => {
+                beforeEach(done => {
+                    const statement = {
+                        Sid: 'AllowRetention',
+                        Effect: 'Allow',
+                        Principal: '*',
+                        Action: [testCase.action],
+                        Resource: [`arn:aws:s3:::${testBucket}/*`],
+                    };
+                    const bucketPolicy = {
+                        Version: '2012-10-17',
+                        Statement: [statement],
+                    };
+                    s3.putBucketPolicy({
+                        Bucket: testBucket,
+                        Policy: JSON.stringify(bucketPolicy),
+                    }, err => {
+                        assert.ifError(err);
+                        done();
+                    });
+                });
+
+                it(`should ${testCase.expectedResult} unauthenticated putObjectRetention without VersionId`, done => {
+                    const params = {
+                        Bucket: testBucket,
+                        Key: objectName,
+                        Retention: retentionConfig,
+                    };
+                    awsRequest(false, 'putObjectRetention', params, testCase.callback(done));
+                });
+
+                it(`should ${testCase.expectedResult} unauthenticated putObjectRetention with VersionId`, done => {
+                    const params = {
+                        Bucket: testBucket,
+                        Key: objectName,
+                        Retention: retentionConfig,
+                        VersionId: versionId,
+                    };
+                    awsRequest(false, 'putObjectRetention', params, testCase.callback(done));
+                });
+            });
+        });
+    });
+});
