fix: support object-remaining-retention-days policy condition (#9259)

This PR also tries to simplify the approach taken in object-locking implementation by preferential treatment given towards full validation. This in-turn has fixed couple of bugs related to how policy should have been honored when ByPassGovernance is provided. Simplifies code a bit, but also duplicates code intentionally for clarity due to complex nature of object locking implementation.
2025-11-07 04:42:56 -05:00 · 2020-04-06 13:44:16 -07:00
parent b9b1bfefe7
commit 43a3778b45
13 changed files with 677 additions and 309 deletions
--- a/pkg/bucket/policy/action.go
+++ b/pkg/bucket/policy/action.go
@@ -263,12 +263,14 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3ObjectLockMode,
 			condition.S3ObjectLockLegalHold,
 		}, condition.CommonKeys...)...),
+
+	// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
+	// LockLegalHold is not supported with PutObjectRetentionAction
 	PutObjectRetentionAction: condition.NewKeySet(
 		append([]condition.Key{
 			condition.S3ObjectLockRemainingRetentionDays,
 			condition.S3ObjectLockRetainUntilDate,
 			condition.S3ObjectLockMode,
-			condition.S3ObjectLockLegalHold,
 		}, condition.CommonKeys...)...),

 	GetObjectRetentionAction: condition.NewKeySet(condition.CommonKeys...),
@@ -277,6 +279,8 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3ObjectLockLegalHold,
 		}, condition.CommonKeys...)...),
 	GetObjectLegalHoldAction: condition.NewKeySet(condition.CommonKeys...),
+
+	// https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
 	BypassGovernanceRetentionAction: condition.NewKeySet(
 		append([]condition.Key{
 			condition.S3ObjectLockRemainingRetentionDays,
@@ -284,6 +288,7 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3ObjectLockMode,
 			condition.S3ObjectLockLegalHold,
 		}, condition.CommonKeys...)...),
+
 	GetBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
 	PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
 	PutObjectTaggingAction:                 condition.NewKeySet(condition.CommonKeys...),
--- a/pkg/bucket/policy/condition/stringequalsfunc.go
+++ b/pkg/bucket/policy/condition/stringequalsfunc.go
@@ -112,7 +112,6 @@ func valuesToStringSlice(n name, values ValueSet) ([]string, error) {
 	valueStrings := []string{}

 	for value := range values {
-		// FIXME: if AWS supports non-string values, we would need to support it.
 		s, err := value.GetString()
 		if err != nil {
 			return nil, fmt.Errorf("value must be a string for %v condition", n)