Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11692 Commits
38 Branches
310 Tags
185 MiB
 
 
 
 
 
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
seaweedfs/test/s3/retention/s3_bucket_object_lock_test.go

185 lines
7.2 KiB
Raw Permalink Blame History

package retention
import (
"context"
"strings"
"testing"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestBucketCreationWithObjectLockEnabled tests creating a bucket with the
// x-amz-bucket-object-lock-enabled header, which is required for S3 Object Lock compatibility
func TestBucketCreationWithObjectLockEnabled(t *testing.T) {
// This test verifies that bucket creation with
// x-amz-bucket-object-lock-enabled header should automatically enable Object Lock
client := getS3Client(t)
bucketName := getNewBucketName()
defer func() {
// Best effort cleanup
deleteBucket(t, client, bucketName)
}()
// Test 1: Create bucket with Object Lock enabled header using custom HTTP client
t.Run("CreateBucketWithObjectLockHeader", func(t *testing.T) {
// Create bucket with x-amz-bucket-object-lock-enabled header
// This simulates what S3 clients do when testing Object Lock support
createResp, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
Bucket: aws.String(bucketName),
ObjectLockEnabledForBucket: aws.Bool(true), // This should set x-amz-bucket-object-lock-enabled header
})
require.NoError(t, err)
require.NotNil(t, createResp)
// Verify bucket was created
_, err = client.HeadBucket(context.TODO(), &s3.HeadBucketInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err)
})
// Test 2: Verify that Object Lock is automatically enabled for the bucket
t.Run("VerifyObjectLockAutoEnabled", func(t *testing.T) {
// Try to get the Object Lock configuration
// If the header was processed correctly, this should return an enabled configuration
configResp, err := client.GetObjectLockConfiguration(context.TODO(), &s3.GetObjectLockConfigurationInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err, "GetObjectLockConfiguration should not fail if Object Lock is enabled")
require.NotNil(t, configResp.ObjectLockConfiguration, "ObjectLockConfiguration should not be nil")
assert.Equal(t, types.ObjectLockEnabledEnabled, configResp.ObjectLockConfiguration.ObjectLockEnabled, "Object Lock should be enabled")
})
// Test 3: Verify versioning is automatically enabled (required for Object Lock)
t.Run("VerifyVersioningAutoEnabled", func(t *testing.T) {
// Object Lock requires versioning to be enabled
// When Object Lock is enabled via header, versioning should also be enabled automatically
versioningResp, err := client.GetBucketVersioning(context.TODO(), &s3.GetBucketVersioningInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err)
// Versioning should be automatically enabled for Object Lock
assert.Equal(t, types.BucketVersioningStatusEnabled, versioningResp.Status, "Versioning should be automatically enabled for Object Lock")
})
}
// TestBucketCreationWithoutObjectLockHeader tests normal bucket creation
// to ensure we don't break existing functionality
func TestBucketCreationWithoutObjectLockHeader(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
defer deleteBucket(t, client, bucketName)
// Create bucket without Object Lock header
_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err)
// Verify bucket was created
_, err = client.HeadBucket(context.TODO(), &s3.HeadBucketInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err)
// Object Lock should NOT be enabled
_, err = client.GetObjectLockConfiguration(context.TODO(), &s3.GetObjectLockConfigurationInput{
Bucket: aws.String(bucketName),
})
// This should fail since Object Lock is not enabled
require.Error(t, err)
t.Logf("GetObjectLockConfiguration correctly failed for bucket without Object Lock: %v", err)
// Versioning should not be enabled by default
versioningResp, err := client.GetBucketVersioning(context.TODO(), &s3.GetBucketVersioningInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err)
// Should be either empty/unset or Suspended, but not Enabled
if versioningResp.Status != types.BucketVersioningStatusEnabled {
t.Logf("Versioning correctly not enabled: %v", versioningResp.Status)
} else {
t.Errorf("Versioning should not be enabled for bucket without Object Lock header")
}
}
// TestS3ObjectLockWorkflow tests the complete Object Lock workflow that S3 clients would use
func TestS3ObjectLockWorkflow(t *testing.T) {
client := getS3Client(t)
bucketName := getNewBucketName()
defer deleteBucket(t, client, bucketName)
// Step 1: Client creates bucket with Object Lock enabled
t.Run("ClientCreatesBucket", func(t *testing.T) {
_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
Bucket: aws.String(bucketName),
ObjectLockEnabledForBucket: aws.Bool(true),
})
require.NoError(t, err)
})
// Step 2: Client checks if Object Lock is supported by getting the configuration
t.Run("ClientChecksObjectLockSupport", func(t *testing.T) {
configResp, err := client.GetObjectLockConfiguration(context.TODO(), &s3.GetObjectLockConfigurationInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err, "Object Lock configuration check should succeed")
// S3 clients should see Object Lock is enabled
require.NotNil(t, configResp.ObjectLockConfiguration)
assert.Equal(t, types.ObjectLockEnabledEnabled, configResp.ObjectLockConfiguration.ObjectLockEnabled)
t.Log("Object Lock configuration retrieved successfully - S3 clients would see this as supported")
})
// Step 3: Client would then configure retention policies and use Object Lock
t.Run("ClientConfiguresRetention", func(t *testing.T) {
// Verify versioning is automatically enabled (required for Object Lock)
versioningResp, err := client.GetBucketVersioning(context.TODO(), &s3.GetBucketVersioningInput{
Bucket: aws.String(bucketName),
})
require.NoError(t, err)
require.Equal(t, types.BucketVersioningStatusEnabled, versioningResp.Status, "Versioning should be automatically enabled")
// Create an object
key := "protected-backup-object"
content := "Backup data with Object Lock protection"
putResp, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
Body: strings.NewReader(content),
})
require.NoError(t, err)
require.NotNil(t, putResp.VersionId)
// Set Object Lock retention (what backup clients do to protect data)
retentionUntil := time.Now().Add(24 * time.Hour)
_, err = client.PutObjectRetention(context.TODO(), &s3.PutObjectRetentionInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
Retention: &types.ObjectLockRetention{
Mode: types.ObjectLockRetentionModeCompliance,
RetainUntilDate: aws.Time(retentionUntil),
},
})
require.NoError(t, err)
// Verify object is protected
_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
Bucket: aws.String(bucketName),
Key: aws.String(key),
})
require.Error(t, err, "Object should be protected by retention policy")
t.Log("Object Lock retention successfully applied - data is immutable")
})
}