Verify object tagging, fixes

Includes minor fixes.

Author: afranken

server/src/main/java/com/adobe/testing/s3mock/ObjectController.java

@@ -554,6 +554,7 @@ public ResponseEntity<Void> putObjectTagging(
     var bucket = bucketService.verifyBucketExists(bucketName);
 
     var s3ObjectMetadata = objectService.verifyObjectExists(bucketName, key.key(), versionId);
+    objectService.verifyObjectTags(body.tagSet().tags());
     objectService.setObjectTags(bucketName, key.key(), versionId, body.tagSet().tags());
     return ResponseEntity
         .ok()
@@ -673,8 +674,7 @@ public ResponseEntity<Retention> getObjectRetention(
       @RequestParam(value = VERSION_ID, required = false) @Nullable String versionId) {
     var bucket = bucketService.verifyBucketExists(bucketName);
     bucketService.verifyBucketObjectLockEnabled(bucketName);
-    var s3ObjectMetadata = objectService.verifyObjectLockConfiguration(bucketName, key.key(),
-        versionId);
+    var s3ObjectMetadata = objectService.verifyObjectLockConfiguration(bucketName, key.key(), versionId);
 
     return ResponseEntity
         .ok()

server/src/main/java/com/adobe/testing/s3mock/S3Exception.java

@@ -43,6 +43,11 @@ public class S3Exception extends RuntimeException {
           "The list of parts was not in ascending order. The parts list must be specified in "
               + "order by part number.");
 
+  public static final S3Exception INVALID_TAG =
+      new S3Exception(BAD_REQUEST.value(), "InvalidTag",
+          "Your request contains tag input that is not valid. For example, your request might contain "
+              + "duplicate keys, keys or values that are too long, or system tags.");
+
   public static S3Exception completeRequestMissingChecksum(String algorithm, Integer partNumber) {
     return new S3Exception(BAD_REQUEST.value(), BAD_REQUEST_CODE,
         "The upload was created using a " + algorithm + " checksum. "

server/src/main/java/com/adobe/testing/s3mock/service/ObjectService.java

@@ -19,6 +19,7 @@
 import static com.adobe.testing.s3mock.S3Exception.BAD_REQUEST_CONTENT;
 import static com.adobe.testing.s3mock.S3Exception.BAD_REQUEST_MD5;
 import static com.adobe.testing.s3mock.S3Exception.INVALID_REQUEST_RETAIN_DATE;
+import static com.adobe.testing.s3mock.S3Exception.INVALID_TAG;
 import static com.adobe.testing.s3mock.S3Exception.NOT_FOUND_OBJECT_LOCK;
 import static com.adobe.testing.s3mock.S3Exception.NOT_MODIFIED;
 import static com.adobe.testing.s3mock.S3Exception.NO_SUCH_KEY;
@@ -49,8 +50,10 @@
 import java.nio.file.Path;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 import org.jspecify.annotations.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -59,6 +62,14 @@ public class ObjectService extends ServiceBase {
   static final String WILDCARD_ETAG = "\"*\"";
   static final String WILDCARD = "*";
   private static final Logger LOG = LoggerFactory.getLogger(ObjectService.class);
+  private static final Pattern TAG_ALLOWED_CHARS = Pattern.compile("[\\w+ \\-=.:/@]*");
+  private static final int MAX_ALLOWED_TAGS = 50;
+  private static final int MIN_ALLOWED_TAG_KEY_LENGTH = 1;
+  private static final int MAX_ALLOWED_TAG_KEY_LENGTH = 128;
+  private static final int MIN_ALLOWED_TAG_VALUE_LENGTH = 0;
+  private static final int MAX_ALLOWED_TAG_VALUE_LENGTH = 256;
+  private static final String DISALLOWED_TAG_KEY_PREFIX = "aws:";
+
   private final BucketStore bucketStore;
   private final ObjectStore objectStore;
 
@@ -175,6 +186,48 @@ public void setObjectTags(String bucketName, String key, @Nullable String versio
     objectStore.storeObjectTags(bucketMetadata, uuid, versionId, tags);
   }
 
+  public void verifyObjectTags(List<Tag> tags) {
+    if (tags.size() > MAX_ALLOWED_TAGS) {
+      throw INVALID_TAG;
+    }
+    verifyDuplicateTagKeys(tags);
+    for (var tag : tags) {
+      verifyTagKeyPrefix(tag.key());
+      verifyTagLength(MIN_ALLOWED_TAG_KEY_LENGTH, MAX_ALLOWED_TAG_KEY_LENGTH, tag.key());
+      verifyTagChars(tag.key());
+
+      verifyTagLength(MIN_ALLOWED_TAG_VALUE_LENGTH, MAX_ALLOWED_TAG_VALUE_LENGTH, tag.value());
+      verifyTagChars(tag.value());
+    }
+  }
+
+  private void verifyDuplicateTagKeys(List<Tag> tags) {
+    var tagKeys = new HashSet<String>();
+    for (var tag : tags) {
+      if (!tagKeys.add(tag.key())) {
+        throw INVALID_TAG;
+      }
+    }
+  }
+
+  private void verifyTagKeyPrefix(String tagKey) {
+    if (tagKey.startsWith(DISALLOWED_TAG_KEY_PREFIX)) {
+      throw INVALID_TAG;
+    }
+  }
+
+  private void verifyTagLength(int minLength, int maxLength, String tag) {
+    if (tag.length() < minLength || tag.length() > maxLength) {
+      throw INVALID_TAG;
+    }
+  }
+
+  private void verifyTagChars(String tag) {
+    if (!TAG_ALLOWED_CHARS.matcher(tag).matches()) {
+      throw INVALID_TAG;
+    }
+  }
+
   public void setLegalHold(String bucketName, String key, @Nullable String versionId, LegalHold legalHold) {
     var bucketMetadata = bucketStore.getBucketMetadata(bucketName);
     var uuid = bucketMetadata.getID(key);

server/src/main/java/com/adobe/testing/s3mock/store/ObjectStore.java

@@ -100,11 +100,11 @@ public S3ObjectMetadata storeS3ObjectMetadata(
         var existingVersions = getS3ObjectVersions(bucket, id);
         if (existingVersions != null) {
           versionId = existingVersions.createVersion();
-          writeVersionsfile(bucket, id, existingVersions);
+          writeVersionsFile(bucket, id, existingVersions);
         } else {
           var newVersions = createS3ObjectVersions(bucket, id);
           versionId = newVersions.createVersion();
-          writeVersionsfile(bucket, id, newVersions);
+          writeVersionsFile(bucket, id, newVersions);
         }
       }
       var dataFile = inputPathToFile(path, getDataFilePath(bucket, id, versionId));
@@ -279,7 +279,9 @@ public void storeRetention(BucketMetadata bucket, UUID id, @Nullable String vers
   public S3ObjectMetadata getS3ObjectMetadata(BucketMetadata bucket, UUID id, @Nullable String versionId) {
     if (bucket.isVersioningEnabled() && versionId == null) {
       var s3ObjectVersions = getS3ObjectVersions(bucket, id);
-      versionId = s3ObjectVersions.getLatestVersion();
+      if (s3ObjectVersions != null) {
+        versionId = s3ObjectVersions.getLatestVersion();
+      }
     }
     var metaPath = getMetaFilePath(bucket, id, versionId);
 
@@ -321,7 +323,7 @@ public S3ObjectVersions createS3ObjectVersions(BucketMetadata bucket, UUID id) {
     } else {
       synchronized (lockStore.get(id)) {
         try {
-          writeVersionsfile(bucket, id, new S3ObjectVersions(id));
+          writeVersionsFile(bucket, id, new S3ObjectVersions(id));
           return objectMapper.readValue(metaPath.toFile(), S3ObjectVersions.class);
         } catch (java.io.IOException e) {
           throw new IllegalArgumentException("Could not read object versions-file " + id, e);
@@ -458,22 +460,31 @@ public boolean deleteObject(
     }
   }
 
+  /**
+   * Deletes a specific version of an object, if found.
+   * If this is the last version of an object, it deletes the object.
+   * Returns true if the *LAST* version was deleted.
+   */
   private boolean doDeleteVersion(BucketMetadata bucket, UUID id, String versionId) {
     synchronized (lockStore.get(id)) {
       try {
         var existingVersions = getS3ObjectVersions(bucket, id);
+        if (existingVersions == null) {
+          //no versions exist, nothing to delete.
+          return false;
+        }
         if (existingVersions.versions().size() <= 1) {
           //this is the last version of an object, delete object completely.
           return doDeleteObject(bucket, id);
         } else {
           //there is at least one version of an object left, delete only the version.
           existingVersions.deleteVersion(versionId);
-          writeVersionsfile(bucket, id, existingVersions);
+          writeVersionsFile(bucket, id, existingVersions);
+          return false;
         }
       } catch (Exception e) {
         throw new IllegalStateException("Could not delete object-version " + id, e);
       }
-      return false;
     }
   }
 
@@ -502,7 +513,7 @@ private boolean insertDeleteMarker(
         var existingVersions = getS3ObjectVersions(bucket, id);
         if (existingVersions != null) {
           versionId = existingVersions.createVersion();
-          writeVersionsfile(bucket, id, existingVersions);
+          writeVersionsFile(bucket, id, existingVersions);
         }
         writeMetafile(bucket, S3ObjectMetadata.deleteMarker(s3ObjectMetadata, versionId));
       } catch (Exception e) {
@@ -575,7 +586,7 @@ private Path getVersionFilePath(BucketMetadata bucket, UUID id) {
     return getObjectFolderPath(bucket, id).resolve(VERSIONS_FILE);
   }
 
-  private void writeVersionsfile(BucketMetadata bucket, UUID id,
+  private void writeVersionsFile(BucketMetadata bucket, UUID id,
                                  S3ObjectVersions s3ObjectVersions) {
     try {
       synchronized (lockStore.get(id)) {

server/src/main/java/com/adobe/testing/s3mock/store/S3ObjectMetadata.java

@@ -76,7 +76,7 @@ public record S3ObjectMetadata(
     checksumType = checksumType == null ? ChecksumType.FULL_OBJECT : checksumType;
   }
 
-  public static S3ObjectMetadata deleteMarker(S3ObjectMetadata metadata, String versionId) {
+  public static S3ObjectMetadata deleteMarker(S3ObjectMetadata metadata, @Nullable String versionId) {
     return new S3ObjectMetadata(metadata.id,
         metadata.key(),
         metadata.size(),

server/src/test/kotlin/com/adobe/testing/s3mock/service/ObjectServiceTest.kt

@@ -17,11 +17,13 @@ package com.adobe.testing.s3mock.service
 
 import com.adobe.testing.s3mock.ChecksumTestUtil
 import com.adobe.testing.s3mock.S3Exception
+import com.adobe.testing.s3mock.S3Exception.INVALID_TAG
 import com.adobe.testing.s3mock.dto.ChecksumAlgorithm
 import com.adobe.testing.s3mock.dto.Delete
 import com.adobe.testing.s3mock.dto.Mode
 import com.adobe.testing.s3mock.dto.Retention
 import com.adobe.testing.s3mock.dto.S3ObjectIdentifier
+import com.adobe.testing.s3mock.dto.Tag
 import com.adobe.testing.s3mock.store.BucketMetadata
 import com.adobe.testing.s3mock.store.MultipartStore
 import com.adobe.testing.s3mock.util.AwsHttpHeaders
@@ -308,6 +310,90 @@ internal class ObjectServiceTest : ServiceTestBase() {
     assertThat(tempFileAndChecksum.right).contains("Y8S4/uAGut7vjdFZQjLKZ7P28V9EPWb4BIoeniuM0mY=")
   }
 
+  @Test
+  fun `store tags succeeds`() {
+    val tags = listOf(Tag("key1", "value1"), Tag("key2", "value2"))
+    iut.verifyObjectTags(tags)
+  }
+
+  @Test
+  fun `store tags succeeds with min key and value length`() {
+    val tags = listOf(Tag("1", ""), Tag("2", ""))
+    iut.verifyObjectTags(tags)
+  }
+
+  @Test
+  fun `store tags succeeds with all allowed characters`() {
+    val tags = listOf(Tag("key1+-=._:/@ ", "value1"), Tag("key2", "value2"))
+    iut.verifyObjectTags(tags)
+  }
+
+  @Test
+  fun `store tags fails with too many tags`() {
+    val tags = mutableListOf<Tag>()
+    for (i in 0..60) {
+      tags.add(Tag("key$i", "value$i"))
+    }
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
+  @Test
+  fun `store tags fails with duplicate keys`() {
+    val tags = listOf(Tag("key1", "value1"), Tag("key1", "value2"))
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
+  @Test
+  fun `store tags fails with illegal characters`() {
+    val tags = listOf(Tag("key1%()", "value1"))
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
+  @Test
+  fun `store tags fails with key gt 127 characters`() {
+    val tags = listOf(Tag("Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aenean commodo ligula eget dolor. Aenean massa. Cum sociis natoque pena", "value1"))
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
+  @Test
+  fun `store tags fails with value gt 255 characters`() {
+    val tags = listOf(Tag("key1", "Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aenean commodo ligula eget dolor. Aenean massa. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec quam felis, ultricies nec, pellentesque eu, pretium quis, s"))
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
+  @Test
+  fun `store tags fails with invalid key prefix`() {
+    val tags = listOf(Tag("aws:key1", "value1"))
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
+  @Test
+  fun `store tags fails with invalid key length`() {
+    val tags = listOf(Tag("", "value1"))
+    assertThatThrownBy {
+      iut.verifyObjectTags(tags)
+    }.isInstanceOf(S3Exception::class.java)
+      .hasMessage(INVALID_TAG.message)
+  }
+
   @Throws(IOException::class)
   private fun toTempFile(path: Path, algorithm: software.amazon.awssdk.checksums.spi.ChecksumAlgorithm): Path {
     val (inputStream, _) = ChecksumTestUtil.prepareInputStream(path.toFile(), false, algorithm)