admin ui adds object lock permissions

weed/admin/view/app/object_store_users.templ

@@ -205,12 +205,21 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
                         </div>
                         <div class="mb-3">
                             <label for="actions" class="form-label">Permissions</label>
-                            <select multiple class="form-control" id="actions" name="actions">
+                            <select multiple class="form-control" id="actions" name="actions" size="10">
                                 <option value="Admin">Admin (Full Access)</option>
                                 <option value="Read">Read</option>
                                 <option value="Write">Write</option>
                                 <option value="List">List</option>
                                 <option value="Tagging">Tagging</option>
+                                <optgroup label="Object Lock Permissions">
+                                    <option value="BypassGovernanceRetention">Bypass Governance Retention</option>
+                                    <option value="GetObjectRetention">Get Object Retention</option>
+                                    <option value="PutObjectRetention">Put Object Retention</option>
+                                    <option value="GetObjectLegalHold">Get Object Legal Hold</option>
+                                    <option value="PutObjectLegalHold">Put Object Legal Hold</option>
+                                    <option value="GetBucketObjectLockConfiguration">Get Bucket Object Lock Configuration</option>
+                                    <option value="PutBucketObjectLockConfiguration">Put Bucket Object Lock Configuration</option>
+                                </optgroup>
                             </select>
                             <small class="form-text text-muted">Hold Ctrl/Cmd to select multiple permissions</small>
                         </div>
@@ -249,12 +258,21 @@ templ ObjectStoreUsers(data dash.ObjectStoreUsersData) {
                         </div>
                         <div class="mb-3">
                             <label for="editActions" class="form-label">Permissions</label>
-                            <select multiple class="form-control" id="editActions" name="actions">
+                            <select multiple class="form-control" id="editActions" name="actions" size="10">
                                 <option value="Admin">Admin (Full Access)</option>
                                 <option value="Read">Read</option>
                                 <option value="Write">Write</option>
                                 <option value="List">List</option>
                                 <option value="Tagging">Tagging</option>
+                                <optgroup label="Object Lock Permissions">
+                                    <option value="BypassGovernanceRetention">Bypass Governance Retention</option>
+                                    <option value="GetObjectRetention">Get Object Retention</option>
+                                    <option value="PutObjectRetention">Put Object Retention</option>
+                                    <option value="GetObjectLegalHold">Get Object Legal Hold</option>
+                                    <option value="PutObjectLegalHold">Put Object Legal Hold</option>
+                                    <option value="GetBucketObjectLockConfiguration">Get Bucket Object Lock Configuration</option>
+                                    <option value="PutBucketObjectLockConfiguration">Put Bucket Object Lock Configuration</option>
+                                </optgroup>
                             </select>
                         </div>
                     </form>

weed/s3api/policy_engine/integration.go

@@ -213,6 +213,50 @@ func convertSingleAction(action, bucketName string) (*PolicyStatement, error) {
 			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
 		}
 
+	case "GetObjectRetention":
+		s3Actions = []string{"s3:GetObjectRetention"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "PutObjectRetention":
+		s3Actions = []string{"s3:PutObjectRetention"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "GetObjectLegalHold":
+		s3Actions = []string{"s3:GetObjectLegalHold"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "PutObjectLegalHold":
+		s3Actions = []string{"s3:PutObjectLegalHold"}
+		if strings.HasSuffix(resourcePattern, "/*") {
+			bucket := strings.TrimSuffix(resourcePattern, "/*")
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+		} else {
+			resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+		}
+
+	case "GetBucketObjectLockConfiguration":
+		s3Actions = []string{"s3:GetBucketObjectLockConfiguration"}
+		resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
+	case "PutBucketObjectLockConfiguration":
+		s3Actions = []string{"s3:PutBucketObjectLockConfiguration"}
+		resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
 	default:
 		return nil, fmt.Errorf("unknown action type: %s", actionType)
 	}
@@ -280,6 +324,24 @@ func GetActionMappings() map[string][]string {
 		"BypassGovernanceRetention": {
 			"s3:BypassGovernanceRetention",
 		},
+		"GetObjectRetention": {
+			"s3:GetObjectRetention",
+		},
+		"PutObjectRetention": {
+			"s3:PutObjectRetention",
+		},
+		"GetObjectLegalHold": {
+			"s3:GetObjectLegalHold",
+		},
+		"PutObjectLegalHold": {
+			"s3:PutObjectLegalHold",
+		},
+		"GetBucketObjectLockConfiguration": {
+			"s3:GetBucketObjectLockConfiguration",
+		},
+		"PutBucketObjectLockConfiguration": {
+			"s3:PutBucketObjectLockConfiguration",
+		},
 	}
 }
 

weed/s3api/s3_constants/s3_actions.go

@@ -1,15 +1,21 @@
 package s3_constants
 
 const (
-	ACTION_READ                        = "Read"
-	ACTION_READ_ACP                    = "ReadAcp"
-	ACTION_WRITE                       = "Write"
-	ACTION_WRITE_ACP                   = "WriteAcp"
-	ACTION_ADMIN                       = "Admin"
-	ACTION_TAGGING                     = "Tagging"
-	ACTION_LIST                        = "List"
-	ACTION_DELETE_BUCKET               = "DeleteBucket"
-	ACTION_BYPASS_GOVERNANCE_RETENTION = "BypassGovernanceRetention"
+	ACTION_READ                          = "Read"
+	ACTION_READ_ACP                      = "ReadAcp"
+	ACTION_WRITE                         = "Write"
+	ACTION_WRITE_ACP                     = "WriteAcp"
+	ACTION_ADMIN                         = "Admin"
+	ACTION_TAGGING                       = "Tagging"
+	ACTION_LIST                          = "List"
+	ACTION_DELETE_BUCKET                 = "DeleteBucket"
+	ACTION_BYPASS_GOVERNANCE_RETENTION   = "BypassGovernanceRetention"
+	ACTION_GET_OBJECT_RETENTION          = "GetObjectRetention"
+	ACTION_PUT_OBJECT_RETENTION          = "PutObjectRetention"
+	ACTION_GET_OBJECT_LEGAL_HOLD         = "GetObjectLegalHold"
+	ACTION_PUT_OBJECT_LEGAL_HOLD         = "PutObjectLegalHold"
+	ACTION_GET_BUCKET_OBJECT_LOCK_CONFIG = "GetBucketObjectLockConfiguration"
+	ACTION_PUT_BUCKET_OBJECT_LOCK_CONFIG = "PutBucketObjectLockConfiguration"
 
 	SeaweedStorageDestinationHeader = "x-seaweedfs-destination"
 	MultipartUploadsFolder          = ".uploads"