seddonm1
diff --git a/‎src/database.rs‎
Lines changed: 56 additions & 0 deletions b/‎src/database.rs‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎src/s3/bucket.rs‎
Lines changed: 51 additions & 1 deletion b/‎src/s3/bucket.rs‎
Lines changed: 51 additions & 1 deletion
diff --git a/‎src/s3/copy.rs‎
Lines changed: 40 additions & 1 deletion b/‎src/s3/copy.rs‎
Lines changed: 40 additions & 1 deletion
diff --git a/‎src/s3/cors.rs‎
Lines changed: 60 additions & 0 deletions b/‎src/s3/cors.rs‎
Lines changed: 60 additions & 0 deletions
@@ -946,6 +946,22 @@ mod tests {
         ));
     }
 
+    #[tokio::test]
+    async fn reader_open_failure_is_reported() {
+        let result = BucketConnectionInner::connect(
+            rusqlite::Connection::open_in_memory,
+            Arc::new(|| Err(rusqlite::Error::InvalidQuery)),
+            1,
+            1,
+            None,
+        )
+        .await;
+        assert!(matches!(
+            result,
+            Err(SqliteError::Rusqlite(rusqlite::Error::InvalidQuery))
+        ));
+    }
+
     fn sender_without_receiver() -> SyncSender<WorkerCommand> {
         let (sender, receiver) = sync_channel(1);
         drop(receiver);
@@ -974,6 +990,10 @@ mod tests {
         let execute = WorkerCommand::Execute(Box::new(|_| {}));
         assert_eq!(format!("{execute:?}"), "Execute");
         assert_eq!(format!("{:?}", WorkerCommand::Close), "Close");
+        let connection = BucketConnection {
+            inner: Arc::new(inner_with_handles(None, Vec::new(), Vec::new())),
+        };
+        assert!(format!("{connection:?}").contains("BucketConnection"));
         assert_eq!(WorkerRole::Writer.name(), "writer");
         assert_eq!(WorkerRole::Reader.name(), "reader");
         assert_eq!(WorkerRole::BlobReader.name(), "blob reader");
@@ -1075,6 +1095,42 @@ mod tests {
         Ok(())
     }
 
+    #[tokio::test]
+    async fn blob_read_stops_when_result_receiver_is_dropped() -> SqliteResult<()> {
+        let mut connection = rusqlite::Connection::open_in_memory()?;
+        connection.execute_batch(
+            "
+            CREATE TABLE blob_source (
+                sequence INTEGER PRIMARY KEY,
+                body BLOB NOT NULL
+            ) STRICT;
+            INSERT INTO blob_source (sequence, body) VALUES (1, X'010203');
+            ",
+        )?;
+        let (result_sender, result_receiver) = oneshot::channel();
+        drop(result_receiver);
+        let (chunk_sender, mut chunk_receiver) = tokio_mpsc::channel(1);
+        let timed_out = AtomicBool::new(false);
+
+        BucketConnectionInner::execute_blob_read(
+            &mut connection,
+            |_| {
+                Ok((
+                    (),
+                    vec![BlobReadRequest::new("blob_source", "body", 1, 0, 3, 3)],
+                ))
+            },
+            result_sender,
+            &chunk_sender,
+            None,
+            &timed_out,
+            &Handle::current(),
+        );
+        drop(chunk_sender);
+        assert!(chunk_receiver.recv().await.is_none());
+        Ok(())
+    }
+
     #[test]
     fn send_blob_chunk_waits_without_timeout_for_capacity() -> Result<(), Box<dyn std::error::Error>>
     {
 
@@ -510,7 +510,7 @@ pub(super) async fn list_buckets(
 
 #[cfg(test)]
 mod tests {
-    use super::is_valid_bucket_name;
+    use super::*;
 
     #[test]
     fn validates_dns_bucket_names() {
@@ -535,4 +535,54 @@ mod tests {
             assert!(!is_valid_bucket_name(bucket), "{bucket}");
         }
     }
+
+    #[test]
+    fn bucket_encryption_validation_rejects_unsupported_shapes() {
+        assert!(
+            validate_sse_s3_bucket_encryption_configuration(&ServerSideEncryptionConfiguration {
+                rules: Vec::new()
+            })
+            .is_err()
+        );
+        assert!(
+            validate_sse_s3_bucket_encryption_configuration(&ServerSideEncryptionConfiguration {
+                rules: vec![ServerSideEncryptionRule {
+                    apply_server_side_encryption_by_default: Some(ServerSideEncryptionByDefault {
+                        kms_master_key_id: None,
+                        sse_algorithm: ServerSideEncryption::from_static(
+                            ServerSideEncryption::AES256
+                        ),
+                    },),
+                    bucket_key_enabled: Some(true),
+                }],
+            },)
+            .is_err()
+        );
+        assert!(
+            validate_sse_s3_bucket_encryption_configuration(&ServerSideEncryptionConfiguration {
+                rules: vec![ServerSideEncryptionRule {
+                    apply_server_side_encryption_by_default: None,
+                    bucket_key_enabled: None,
+                }],
+            },)
+            .is_err()
+        );
+        assert!(
+            validate_sse_s3_bucket_encryption_configuration(&ServerSideEncryptionConfiguration {
+                rules: vec![ServerSideEncryptionRule {
+                    apply_server_side_encryption_by_default: Some(ServerSideEncryptionByDefault {
+                        kms_master_key_id: Some("key".to_string()),
+                        sse_algorithm: ServerSideEncryption::from_static(
+                            ServerSideEncryption::AES256
+                        ),
+                    },),
+                    bucket_key_enabled: None,
+                }],
+            },)
+            .is_err()
+        );
+
+        let configuration = sse_s3_bucket_encryption_configuration();
+        assert!(validate_sse_s3_bucket_encryption_configuration(&configuration).is_ok());
+    }
 }
@@ -573,7 +573,10 @@ mod tests {
         s3::{ChecksumAlgorithmKind, FullObjectChecksum, StoredObjectLock},
         sqlite::KeyMetadata,
     };
-    use s3s::dto::{ChecksumAlgorithm, ETagCondition, ObjectCannedACL, Timestamp};
+    use s3s::dto::{
+        ChecksumAlgorithm, ETagCondition, ObjectCannedACL, ObjectLockLegalHoldStatus,
+        ObjectLockMode, Timestamp,
+    };
     use time::Duration;
 
     fn assert_error_code<T>(result: S3Result<T>, code: &S3ErrorCode) {
@@ -665,6 +668,18 @@ mod tests {
         assert!(matches!(result, Err(SqliteError::PreconditionFailed)));
     }
 
+    #[test]
+    #[should_panic(expected = "expected")]
+    fn assert_error_code_panics_on_success() {
+        assert_error_code(Ok(()), &S3ErrorCode::InvalidRequest);
+    }
+
+    #[test]
+    #[should_panic(expected = "assertion failed")]
+    fn assert_precondition_failed_panics_on_success() {
+        assert_precondition_failed(&Ok(()));
+    }
+
     #[test]
     fn parses_copy_object_request_defaults() {
         let request = match parse_copy_object_request(copy_input()) {
@@ -693,6 +708,7 @@ mod tests {
     #[test]
     fn parses_copy_object_replace_metadata_and_conditions() {
         let expires = Timestamp::from(OffsetDateTime::UNIX_EPOCH);
+        let retain_until = Timestamp::from(OffsetDateTime::now_utc() + Duration::days(1));
         let input = match CopyObjectInput::builder()
             .bucket("target-bucket".to_string())
             .key("target-key".to_string())
@@ -715,6 +731,13 @@ mod tests {
             .copy_source_if_none_match(Some(ETagCondition::ETag(ETag::Weak("other".to_string()))))
             .copy_source_if_modified_since(Some(Timestamp::from(OffsetDateTime::UNIX_EPOCH)))
             .copy_source_if_unmodified_since(Some(Timestamp::from(OffsetDateTime::UNIX_EPOCH)))
+            .object_lock_legal_hold_status(Some(ObjectLockLegalHoldStatus::from_static(
+                ObjectLockLegalHoldStatus::ON,
+            )))
+            .object_lock_mode(Some(ObjectLockMode::from_static(
+                ObjectLockMode::GOVERNANCE,
+            )))
+            .object_lock_retain_until_date(Some(retain_until))
             .build()
         {
             Ok(input) => input,
@@ -752,6 +775,7 @@ mod tests {
             Some(ETagCondition::ETag(ETag::Weak(value))) if value == "other"
         ));
         assert!(request.source_conditions.unmodified_since.is_some());
+        assert!(request.object_lock_headers.has_any());
     }
 
     #[test]
@@ -801,6 +825,21 @@ mod tests {
             parse_copy_object_request(grant_header),
             &S3ErrorCode::AccessControlListNotSupported,
         );
+
+        let unsupported_sse = match CopyObjectInput::builder()
+            .bucket("target-bucket".to_string())
+            .key("target-key".to_string())
+            .copy_source(source("source-bucket", "source-key", None))
+            .ssekms_key_id(Some("key".to_string()))
+            .build()
+        {
+            Ok(input) => input,
+            Err(err) => panic!("unexpected build error: {err:?}"),
+        };
+        assert_error_code(
+            parse_copy_object_request(unsupported_sse),
+            &S3ErrorCode::InvalidArgument,
+        );
     }
 
     #[test]
 
@@ -871,6 +871,11 @@ mod tests {
         invalid_method.allowed_methods = vec!["PATCH".to_string()];
         assert!(validate_stored_cors_rules(&[invalid_method]).is_err());
 
+        let mut empty_origin = valid_rule();
+        empty_origin.allowed_origins = vec![String::new()];
+        assert!(validate_stored_cors_rules(&[empty_origin]).is_err());
+        assert!(validate_header_pattern("*").is_ok());
+
         let mut invalid_allowed_header = valid_rule();
         invalid_allowed_header.allowed_headers = vec!["bad header".to_string()];
         assert!(validate_stored_cors_rules(&[invalid_allowed_header]).is_err());
@@ -938,6 +943,61 @@ mod tests {
         assert!(bucket_preflight_headers(&rules, &origin, &headers).is_none());
     }
 
+    #[test]
+    fn fallback_and_configured_cors_helpers_cover_response_shapes() {
+        let origin = HeaderValue::from_static("https://app.example.test");
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            ACCESS_CONTROL_REQUEST_METHOD,
+            HeaderValue::from_static("GET"),
+        );
+        headers.insert(
+            ACCESS_CONTROL_REQUEST_HEADERS,
+            HeaderValue::from_static("authorization"),
+        );
+        headers.insert(
+            hyper::header::HeaderName::from_static(ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK),
+            HeaderValue::from_static(TRUE),
+        );
+
+        let permissive_preflight = permissive_preflight_headers(&origin, &headers);
+        assert!(permissive_preflight.allow_private_network);
+        let permissive_actual = permissive_actual_headers(&origin);
+        assert!(permissive_actual.allow_credentials);
+        assert!(!permissive_actual.allow_private_network);
+
+        let custom = ConfiguredCors {
+            rule: valid_rule(),
+            allow_credentials: true,
+            allow_private_network: true,
+        };
+        let custom_preflight = custom_preflight_headers(&custom, &origin, &headers);
+        assert!(custom_preflight.is_some_and(|headers| headers.allow_private_network));
+        assert!(
+            custom_preflight_headers(
+                &custom,
+                &HeaderValue::from_static("https://other.example.test"),
+                &headers,
+            )
+            .is_none()
+        );
+        assert!(custom_actual_headers(&custom, &origin, "PUT").is_none());
+        let custom_actual = custom_actual_headers(&custom, &origin, "GET");
+        assert!(custom_actual.is_some_and(|headers| headers.expose_headers.is_some()));
+
+        assert!(FallbackCors::Disabled.is_disabled());
+        assert!(CorsMatchSource::select(&FallbackCors::Disabled, None).is_none());
+        assert!(matches!(
+            CorsMatchSource::select(&FallbackCors::Permissive, None),
+            Some(CorsMatchSource::Permissive)
+        ));
+        let bucket_rules = vec![valid_rule()];
+        assert!(matches!(
+            CorsMatchSource::select(&FallbackCors::Disabled, Some(&bucket_rules)),
+            Some(CorsMatchSource::Bucket(_))
+        ));
+    }
+
     #[test]
     fn wildcard_matching_supports_s3_cors_patterns() {
         assert!(wildcard_match("*", "https://app.example.test"));