salesforce
diff --git a/‎blob/blob-aws/src/main/java/com/salesforce/multicloudj/blob/aws/AwsTransformer.java‎
Lines changed: 6 additions & 3 deletions b/‎blob/blob-aws/src/main/java/com/salesforce/multicloudj/blob/aws/AwsTransformer.java‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎blob/blob-aws/src/test/java/com/salesforce/multicloudj/blob/aws/AwsTransformerTest.java‎
Lines changed: 37 additions & 0 deletions b/‎blob/blob-aws/src/test/java/com/salesforce/multicloudj/blob/aws/AwsTransformerTest.java‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎blob/blob-client/src/main/java/com/salesforce/multicloudj/blob/driver/PresignedUrlRequest.java‎
Lines changed: 5 additions & 0 deletions b/‎blob/blob-client/src/main/java/com/salesforce/multicloudj/blob/driver/PresignedUrlRequest.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎blob/blob-gcp/src/main/java/com/salesforce/multicloudj/blob/gcp/GcpBlobStore.java‎
Lines changed: 8 additions & 0 deletions b/‎blob/blob-gcp/src/main/java/com/salesforce/multicloudj/blob/gcp/GcpBlobStore.java‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎blob/blob-gcp/src/test/java/com/salesforce/multicloudj/blob/gcp/GcpBlobStoreTest.java‎
Lines changed: 78 additions & 0 deletions b/‎blob/blob-gcp/src/test/java/com/salesforce/multicloudj/blob/gcp/GcpBlobStoreTest.java‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎registry/registry-aws/pom.xml‎
Lines changed: 6 additions & 0 deletions b/‎registry/registry-aws/pom.xml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎registry/registry-aws/src/main/java/com/salesforce/multicloudj/registry/aws/AuthStrippingInterceptor.java‎
Lines changed: 44 additions & 0 deletions b/‎registry/registry-aws/src/main/java/com/salesforce/multicloudj/registry/aws/AuthStrippingInterceptor.java‎
Lines changed: 44 additions & 0 deletions
@@ -508,11 +508,14 @@ public PutObjectPresignRequest toPutObjectPresignRequest(PresignedUrlRequest req
   }
 
   public GetObjectPresignRequest toGetObjectPresignRequest(PresignedUrlRequest request) {
-    GetObjectRequest getObjectRequest =
-        GetObjectRequest.builder().bucket(getBucket()).key(request.getKey()).build();
+    GetObjectRequest.Builder getObjectBuilder =
+        GetObjectRequest.builder().bucket(getBucket()).key(request.getKey());
+    if (request.getContentDisposition() != null) {
+      getObjectBuilder.responseContentDisposition(request.getContentDisposition());
+    }
     return GetObjectPresignRequest.builder()
         .signatureDuration(request.getDuration())
-        .getObjectRequest(getObjectRequest)
+        .getObjectRequest(getObjectBuilder.build())
         .build();
   }
 
 
@@ -587,6 +587,43 @@ void testToGetObjectPresignRequest() {
     assertEquals(BUCKET, actualRequest.getObjectRequest().bucket());
     assertEquals("object-1", actualRequest.getObjectRequest().key());
     assertEquals(Duration.ofHours(4), actualRequest.signatureDuration());
+    assertNull(actualRequest.getObjectRequest().responseContentDisposition());
+  }
+
+  @Test
+  void testToGetObjectPresignRequest_WithContentDisposition() {
+    PresignedUrlRequest presignedUrlRequest =
+        PresignedUrlRequest.builder()
+            .type(PresignedOperation.DOWNLOAD)
+            .key("object-1")
+            .duration(Duration.ofHours(4))
+            .contentDisposition("attachment; filename=\"report.pdf\"")
+            .build();
+    GetObjectPresignRequest actualRequest =
+        transformer.toGetObjectPresignRequest(presignedUrlRequest);
+    assertEquals(BUCKET, actualRequest.getObjectRequest().bucket());
+    assertEquals("object-1", actualRequest.getObjectRequest().key());
+    assertEquals(Duration.ofHours(4), actualRequest.signatureDuration());
+    assertEquals(
+        "attachment; filename=\"report.pdf\"",
+        actualRequest.getObjectRequest().responseContentDisposition());
+  }
+
+  @Test
+  void testToPutObjectPresignRequest_IgnoresContentDisposition() {
+    PresignedUrlRequest presignedUrlRequest =
+        PresignedUrlRequest.builder()
+            .type(PresignedOperation.UPLOAD)
+            .key("object-1")
+            .duration(Duration.ofHours(4))
+            .contentDisposition("attachment; filename=\"report.pdf\"")
+            .build();
+    PutObjectPresignRequest actualRequest =
+        transformer.toPutObjectPresignRequest(presignedUrlRequest);
+    assertEquals(BUCKET, actualRequest.putObjectRequest().bucket());
+    assertEquals("object-1", actualRequest.putObjectRequest().key());
+    assertEquals(Duration.ofHours(4), actualRequest.signatureDuration());
+    assertNull(actualRequest.putObjectRequest().contentDisposition());
   }
 
   @Test
 
@@ -30,4 +30,9 @@ public class PresignedUrlRequest {
 
   /** Optional: Specify the KMS key ID to be used for encryption in a presignedUrl upload */
   private final String kmsKeyId;
+
+  /**
+   * Optional: Specify the Content-Disposition header to override in a presigned download URL. 
+   */
+  private final String contentDisposition;
 }
@@ -57,6 +57,7 @@
 import com.salesforce.multicloudj.blob.driver.MultipartUploadRequest;
 import com.salesforce.multicloudj.blob.driver.MultipartUploadResponse;
 import com.salesforce.multicloudj.blob.driver.ObjectLockInfo;
+import com.salesforce.multicloudj.blob.driver.PresignedOperation;
 import com.salesforce.multicloudj.blob.driver.PresignedUrlRequest;
 import com.salesforce.multicloudj.blob.driver.RetentionMode;
 import com.salesforce.multicloudj.blob.driver.UploadRequest;
@@ -109,6 +110,7 @@ public class GcpBlobStore extends AbstractBlobStore {
   private final MultipartUploadClient multipartUploadClient;
   private final GcpTransformer transformer;
   private static final String TAG_PREFIX = "gcp-tag-";
+  private static final String RESPONSE_CONTENT_DISPOSITION = "response-content-disposition";
 
   public GcpBlobStore() {
     this(new Builder(), null, null);
@@ -565,6 +567,12 @@ protected URL doGeneratePresignedUrl(PresignedUrlRequest request) {
     if (request.getMetadata() != null) {
       options.add(Storage.SignUrlOption.withExtHeaders(request.getMetadata()));
     }
+    if (request.getContentDisposition() != null
+        && request.getType() == PresignedOperation.DOWNLOAD) {
+      Map<String, String> queryParams = new HashMap<>();
+      queryParams.put(RESPONSE_CONTENT_DISPOSITION, request.getContentDisposition());
+      options.add(Storage.SignUrlOption.withQueryParams(queryParams));
+    }
 
     return storage.signUrl(
         blobInfo,
 
@@ -1268,6 +1268,84 @@ void testDoGeneratePresignedUrl_WithoutKmsKey() throws Exception {
             any(Storage.SignUrlOption[].class));
   }
 
+  @Test
+  void testDoGeneratePresignedUrl_WithContentDisposition() throws Exception {
+    Duration duration = Duration.ofHours(4);
+    String contentDisposition = "attachment; filename=\"report.pdf\"";
+    PresignedUrlRequest presignedUrlRequest =
+        PresignedUrlRequest.builder()
+            .type(PresignedOperation.DOWNLOAD)
+            .key(TEST_KEY)
+            .duration(duration)
+            .contentDisposition(contentDisposition)
+            .build();
+
+    URL expectedUrl = new URL("https://signed-url-with-cd.example.com");
+
+    when(mockTransformer.toBlobInfo(presignedUrlRequest)).thenReturn(mockBlobInfo);
+    when(mockStorage.signUrl(
+            eq(mockBlobInfo),
+            any(Long.class),
+            eq(TimeUnit.MILLISECONDS),
+            any(Storage.SignUrlOption[].class)))
+        .thenReturn(expectedUrl);
+
+    URL actualUrl = gcpBlobStore.doGeneratePresignedUrl(presignedUrlRequest);
+
+    assertEquals(expectedUrl, actualUrl);
+    ArgumentCaptor<Storage.SignUrlOption[]> optionsCaptor =
+        ArgumentCaptor.forClass(Storage.SignUrlOption[].class);
+    verify(mockStorage)
+        .signUrl(
+            eq(mockBlobInfo),
+            eq(duration.toMillis()),
+            eq(TimeUnit.MILLISECONDS),
+            optionsCaptor.capture());
+    Storage.SignUrlOption[] options = optionsCaptor.getValue();
+    assertEquals(
+        3, options.length, "Download with contentDisposition should have httpMethod, v4Signature,"
+            + " and queryParams options");
+  }
+
+  @Test
+  void testDoGeneratePresignedUrl_UploadIgnoresContentDisposition() throws Exception {
+    Duration duration = Duration.ofHours(4);
+    String contentDisposition = "attachment; filename=\"report.pdf\"";
+    PresignedUrlRequest presignedUrlRequest =
+        PresignedUrlRequest.builder()
+            .type(PresignedOperation.UPLOAD)
+            .key(TEST_KEY)
+            .duration(duration)
+            .contentDisposition(contentDisposition)
+            .build();
+
+    URL expectedUrl = new URL("https://signed-url-for-upload.example.com");
+
+    when(mockTransformer.toBlobInfo(presignedUrlRequest)).thenReturn(mockBlobInfo);
+    when(mockStorage.signUrl(
+            eq(mockBlobInfo),
+            any(Long.class),
+            eq(TimeUnit.MILLISECONDS),
+            any(Storage.SignUrlOption[].class)))
+        .thenReturn(expectedUrl);
+
+    URL actualUrl = gcpBlobStore.doGeneratePresignedUrl(presignedUrlRequest);
+
+    assertEquals(expectedUrl, actualUrl);
+    ArgumentCaptor<Storage.SignUrlOption[]> optionsCaptor =
+        ArgumentCaptor.forClass(Storage.SignUrlOption[].class);
+    verify(mockStorage)
+        .signUrl(
+            eq(mockBlobInfo),
+            eq(duration.toMillis()),
+            eq(TimeUnit.MILLISECONDS),
+            optionsCaptor.capture());
+    Storage.SignUrlOption[] options = optionsCaptor.getValue();
+    assertEquals(
+        2, options.length,
+        "Upload should only have httpMethod and v4Signature options, no queryParams");
+  }
+
   // Test class to access protected methods
   private static class TestGcpBlobStore extends GcpBlobStore {
     public TestGcpBlobStore(Builder builder, Storage storage, MultipartUploadClient client) {
 
@@ -90,6 +90,12 @@
             <version>5.12.1</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <version>5.12.1</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>
 
@@ -0,0 +1,44 @@
+package com.salesforce.multicloudj.registry.aws;
+
+import java.net.URI;
+import org.apache.http.HttpHeaders;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpRequestInterceptor;
+import org.apache.http.client.protocol.HttpClientContext;
+import org.apache.http.protocol.HttpContext;
+
+/**
+ * HTTP request interceptor that strips Authorization headers when the request target is not the
+ * registry host.
+ *
+ * <p>This is necessary because AWS ECR redirects blob downloads to S3 pre-signed URLs, which
+ * already contain authentication in query parameters. Sending an Authorization header to S3 causes
+ * a 400 error ("Only one auth mechanism allowed").
+ */
+public class AuthStrippingInterceptor implements HttpRequestInterceptor {
+  private final String registryHost;
+
+  /**
+   * @param registryEndpoint the registry base URL
+   */
+  public AuthStrippingInterceptor(String registryEndpoint) {
+    this.registryHost = extractHost(registryEndpoint);
+  }
+
+  @Override
+  public void process(HttpRequest request, HttpContext context) {
+    HttpHost targetHost = (HttpHost) context.getAttribute(HttpClientContext.HTTP_TARGET_HOST);
+    if (targetHost == null) {
+      return;
+    }
+    if (!registryHost.equalsIgnoreCase(targetHost.getHostName())) {
+      request.removeHeaders(HttpHeaders.AUTHORIZATION);
+    }
+  }
+
+  /** Extracts the hostname from a URL, stripping scheme, port, and path. */
+  private static String extractHost(String url) {
+    return URI.create(url).getHost();
+  }
+}
Original file line number	Diff line number	Diff line change
`@@ -30,4 +30,9 @@ public class PresignedUrlRequest {`
`30`	`30`
`31`	`31`	`/** Optional: Specify the KMS key ID to be used for encryption in a presignedUrl upload */`
`32`	`32`	`private final String kmsKeyId;`
	`33`	`+`
	`34`	`+ /**`
	`35`	`+ * Optional: Specify the Content-Disposition header to override in a presigned download URL.`
	`36`	`+ */`
	`37`	`+ private final String contentDisposition;`
`33`	`38`	`}`