S3: fix exception from ObjectLock retention (#12165)

bentsku · web-flow · commit 44992c0762ed · 2025-01-23T22:34:20.000+01:00
diff --git a/localstack-core/localstack/services/s3/provider.py b/localstack-core/localstack/services/s3/provider.py
@@ -9,6 +9,7 @@
 from operator import itemgetter
 from typing import IO, Optional, Union
 from urllib import parse as urlparse
+from zoneinfo import ZoneInfo
 
 from localstack import config
 from localstack.aws.api import CommonServiceException, RequestContext, handler
@@ -2011,7 +2012,7 @@ def restore_object(
             return RestoreObjectOutput()
 
         restore_expiration_date = add_expiration_days_to_datetime(
-            datetime.datetime.utcnow(), restore_days
+            datetime.datetime.now(datetime.UTC), restore_days
         )
         # TODO: add a way to transition from ongoing-request=true to false? for now it is instant
         s3_object.restore = f'ongoing-request="false", expiry-date="{restore_expiration_date}"'
@@ -3552,6 +3553,16 @@ def put_object_retention(
         ):
             raise MalformedXML()
 
+        if retention and retention["RetainUntilDate"] < datetime.datetime.now(datetime.UTC):
+            # weirdly, this date is format as following: Tue Dec 31 16:00:00 PST 2019
+            # it contains the timezone as PST, even if you target a bucket in Europe or Asia
+            pst_datetime = retention["RetainUntilDate"].astimezone(tz=ZoneInfo("US/Pacific"))
+            raise InvalidArgument(
+                "The retain until date must be in the future!",
+                ArgumentName="RetainUntilDate",
+                ArgumentValue=pst_datetime.strftime("%a %b %d %H:%M:%S %Z %Y"),
+            )
+
         if (
             not retention
             or (s3_object.lock_until and s3_object.lock_until > retention["RetainUntilDate"])
diff --git a/tests/aws/services/s3/test_s3.py b/tests/aws/services/s3/test_s3.py
@@ -3606,12 +3606,8 @@ def test_delete_non_existing_keys(self, s3_bucket, snapshot, aws_client):
 
     @markers.aws.validated
     @markers.snapshot.skip_snapshot_verify(
-        path=[
-            "$..Deleted..VersionId",  # we cannot guarantee order nor we can sort it
-            "$..Delimiter",
-            "$..EncodingType",
-            "$..VersionIdMarker",
-        ]
+        # we cannot guarantee order nor we can sort it
+        path=["$..Deleted..VersionId"],
     )
     def test_delete_keys_in_versioned_bucket(self, s3_bucket, snapshot, aws_client):
         # see https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjectVersions.html
@@ -4434,9 +4430,6 @@ def test_upload_big_file(self, s3_create_bucket, snapshot, aws_client):
         snapshot.match("head_object_key2", rs)
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=["$..Delimiter", "$..EncodingType", "$..VersionIdMarker"]
-    )
     def test_get_bucket_versioning_order(self, s3_bucket, snapshot, aws_client):
         snapshot.add_transformer(snapshot.transform.s3_api())
         rs = aws_client.s3.list_object_versions(Bucket=s3_bucket, EncodingType="url")
@@ -4478,9 +4471,6 @@ def test_etag_on_get_object_call(self, s3_bucket, snapshot, aws_client):
         snapshot.match("get_object_range", rs)
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=["$..Delimiter", "$..EncodingType", "$..VersionIdMarker"]
-    )
     def test_s3_delete_object_with_version_id(self, s3_bucket, snapshot, aws_client):
         snapshot.add_transformer(snapshot.transform.s3_api())
 
@@ -4527,9 +4517,6 @@ def test_s3_delete_object_with_version_id(self, s3_bucket, snapshot, aws_client)
         snapshot.match("get_bucket_versioning_suspended", rs)
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=["$..Delimiter", "$..EncodingType", "$..VersionIdMarker"]
-    )
     def test_s3_put_object_versioned(self, s3_bucket, snapshot, aws_client):
         snapshot.add_transformer(snapshot.transform.s3_api())
 
@@ -4661,9 +4648,6 @@ def test_s3_batch_delete_objects_using_requests_with_acl(
         snapshot.match("list-remaining-objects", response)
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=["$..DeleteResult.Deleted..VersionId", "$..Prefix", "$..DeleteResult.@xmlns"]
-    )
     def test_s3_batch_delete_public_objects_using_requests(
         self, s3_bucket, allow_bucket_acl, snapshot, aws_client, anonymous_client
     ):
@@ -4713,11 +4697,6 @@ def test_s3_batch_delete_public_objects_using_requests(
         snapshot.match("list-remaining-objects", response)
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=[
-            "$..Prefix",
-        ]
-    )
     def test_s3_batch_delete_objects(self, s3_bucket, snapshot, aws_client):
         snapshot.add_transformer(snapshot.transform.s3_api())
         snapshot.add_transformer(snapshot.transform.key_value("Key"))
@@ -6179,7 +6158,6 @@ def _put_bucket_inventory_configuration(config_id: str):
         "use_virtual_address",
         [True, False],
     )
-    @markers.snapshot.skip_snapshot_verify(paths=["$..x-amz-server-side-encryption"])
     @markers.aws.validated
     def test_get_object_content_length_with_virtual_host(
         self,
@@ -9375,25 +9353,19 @@ def test_lifecycle_expired_object_delete_marker(self, s3_bucket, snapshot, aws_c
 
 class TestS3ObjectLockRetention:
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=[
-            # TODO: fix the exception for update-retention-no-bypass
-            "$.update-retention-no-bypass..ArgumentName",
-            "$.update-retention-no-bypass..ArgumentValue",
-            "$.update-retention-no-bypass..Code",
-            "$.update-retention-no-bypass..HTTPStatusCode",
-            "$.update-retention-no-bypass..Message",
-        ]
-    )
     def test_s3_object_retention_exc(self, aws_client, s3_create_bucket, snapshot):
         snapshot.add_transformer(snapshot.transform.key_value("BucketName"))
         s3_bucket_locked = s3_create_bucket(ObjectLockEnabledForBucket=True)
+
+        current_year = datetime.datetime.now().year
+        future_datetime = datetime.datetime(current_year + 5, 1, 1)
+
         # non-existing bucket
         with pytest.raises(ClientError) as e:
             aws_client.s3.put_object_retention(
                 Bucket=f"non-existing-bucket-{long_uid()}",
                 Key="fake-key",
-                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": future_datetime},
             )
         snapshot.match("put-object-retention-no-bucket", e.value.response)
 
@@ -9402,7 +9374,7 @@ def test_s3_object_retention_exc(self, aws_client, s3_create_bucket, snapshot):
             aws_client.s3.put_object_retention(
                 Bucket=s3_bucket_locked,
                 Key="non-existing-key",
-                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": future_datetime},
             )
         snapshot.match("put-object-retention-no-key", e.value.response)
 
@@ -9431,26 +9403,38 @@ def test_s3_object_retention_exc(self, aws_client, s3_create_bucket, snapshot):
         aws_client.s3.put_object_retention(
             Bucket=s3_bucket_locked,
             Key=object_key,
-            Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+            Retention={"Mode": "GOVERNANCE", "RetainUntilDate": future_datetime},
         )
-        # update a retention without bypass
+
+        # update a retention to be lower than the existing one without bypass
+        earlier_datetime = future_datetime - datetime.timedelta(days=365)
         with pytest.raises(ClientError) as e:
             aws_client.s3.put_object_retention(
                 Bucket=s3_bucket_locked,
                 Key=object_key,
                 VersionId=version_id,
-                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2025, 1, 1)},
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": earlier_datetime},
             )
         snapshot.match("update-retention-no-bypass", e.value.response)
 
+        # update a retention with date in the past
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.put_object_retention(
+                Bucket=s3_bucket_locked,
+                Key=object_key,
+                VersionId=version_id,
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2020, 1, 1)},
+            )
+        snapshot.match("update-retention-past-date", e.value.response)
+
         s3_bucket_basic = s3_create_bucket(ObjectLockEnabledForBucket=False)  # same as default
         aws_client.s3.put_object(Bucket=s3_bucket_basic, Key=object_key, Body="test")
         # put object retention in a object in bucket without lock configured
         with pytest.raises(ClientError) as e:
             aws_client.s3.put_object_retention(
                 Bucket=s3_bucket_basic,
                 Key=object_key,
-                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": future_datetime},
             )
         snapshot.match("put-object-retention-regular-bucket", e.value.response)
 
diff --git a/tests/aws/services/s3/test_s3.snapshot.json b/tests/aws/services/s3/test_s3.snapshot.json
@@ -9608,7 +9608,7 @@
     }
   },
   "tests/aws/services/s3/test_s3.py::TestS3ObjectLockRetention::test_s3_object_retention_exc": {
-    "recorded-date": "21-01-2025, 18:17:43",
+    "recorded-date": "23-01-2025, 11:12:34",
     "recorded-content": {
       "put-object-retention-no-bucket": {
         "Error": {
@@ -9653,9 +9653,19 @@
         }
       },
       "update-retention-no-bypass": {
+        "Error": {
+          "Code": "AccessDenied",
+          "Message": "Access Denied because object protected by object lock."
+        },
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 403
+        }
+      },
+      "update-retention-past-date": {
         "Error": {
           "ArgumentName": "RetainUntilDate",
-          "ArgumentValue": "Tue Dec 31 16:00:00 PST 2024",
+          "ArgumentValue": "Tue Dec 31 16:00:00 PST 2019",
           "Code": "InvalidArgument",
           "Message": "The retain until date must be in the future!"
         },
diff --git a/tests/aws/services/s3/test_s3.validation.json b/tests/aws/services/s3/test_s3.validation.json
@@ -594,7 +594,7 @@
     "last_validated_date": "2025-01-21T18:17:58+00:00"
   },
   "tests/aws/services/s3/test_s3.py::TestS3ObjectLockRetention::test_s3_object_retention_exc": {
-    "last_validated_date": "2025-01-21T18:17:43+00:00"
+    "last_validated_date": "2025-01-23T11:12:34+00:00"
   },
   "tests/aws/services/s3/test_s3.py::TestS3PresignedPost::test_post_object_policy_conditions_validation_eq": {
     "last_validated_date": "2024-09-23T11:02:16+00:00"
