refactor (#6999)

* fix GetObjectLockConfigurationHandler * cache and use bucket object lock config * subscribe to bucket configuration changes * increase bucket config cache TTL * refactor * Update weed/s3api/s3api_server.go Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * avoid duplidated work * rename variable * Update s3api_object_handlers_put.go * fix routing * admin ui and api handler are consistent now * use fields instead of xml * fix test * address comments * Update weed/s3api/s3api_object_handlers_put.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update test/s3/retention/s3_retention_test.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/object_lock_utils.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * change error style * errorf * read entry once * add s3 tests for object lock and retention * use marker * install s3 tests * Update s3tests.yml * Update s3tests.yml * Update s3tests.conf * Update s3tests.conf * address test errors * address test errors With these fixes, the s3-tests should now: ✅ Return InvalidBucketState (409 Conflict) for object lock operations on invalid buckets ✅ Return MalformedXML for invalid retention configurations ✅ Include VersionId in response headers when available ✅ Return proper HTTP status codes (403 Forbidden for retention mode changes) ✅ Handle all object lock validation errors consistently * fixes With these comprehensive fixes, the s3-tests should now: ✅ Return InvalidBucketState (409 Conflict) for object lock operations on invalid buckets ✅ Return InvalidRetentionPeriod for invalid retention periods ✅ Return MalformedXML for malformed retention configurations ✅ Include VersionId in response headers when available ✅ Return proper HTTP status codes for all error conditions ✅ Handle all object lock validation errors consistently The workflow should now pass significantly more object lock tests, bringing SeaweedFS's S3 object lock implementation much closer to AWS S3 compatibility standards. * fixes With these final fixes, the s3-tests should now: ✅ Return MalformedXML for ObjectLockEnabled: 'Disabled' ✅ Return MalformedXML when both Days and Years are specified in retention configuration ✅ Return InvalidBucketState (409 Conflict) when trying to suspend versioning on buckets with object lock enabled ✅ Handle all object lock validation errors consistently with proper error codes * constants and fixes ✅ Return InvalidRetentionPeriod for invalid retention values (0 days, negative years) ✅ Return ObjectLockConfigurationNotFoundError when object lock configuration doesn't exist ✅ Handle all object lock validation errors consistently with proper error codes * fixes ✅ Return MalformedXML when both Days and Years are specified in the same retention configuration ✅ Return 400 (Bad Request) with InvalidRequest when object lock operations are attempted on buckets without object lock enabled ✅ Handle all object lock validation errors consistently with proper error codes * fixes ✅ Return 409 (Conflict) with InvalidBucketState for bucket-level object lock configuration operations on buckets without object lock enabled ✅ Allow increasing retention periods and overriding retention with same/later dates ✅ Only block decreasing retention periods without proper bypass permissions ✅ Handle all object lock validation errors consistently with proper error codes * fixes ✅ Include VersionId in multipart upload completion responses when versioning is enabled ✅ Block retention mode changes (GOVERNANCE ↔ COMPLIANCE) without bypass permissions ✅ Handle all object lock validation errors consistently with proper error codes ✅ Pass the remaining object lock tests * fix tests * fixes * pass tests * fix tests * fixes * add error mapping * Update s3tests.conf * fix test_object_lock_put_obj_lock_invalid_days * fixes * fix many issues * fix test_object_lock_delete_multipart_object_with_legal_hold_on * fix tests * refactor * fix test_object_lock_delete_object_with_retention_and_marker * fix tests * fix tests * fix tests * fix test itself * fix tests * fix test * Update weed/s3api/s3api_object_retention.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * reduce logs * address comments * refactor * rename --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-07-19 00:49:56 -07:00
parent 26403e8a0d
commit 0e4d803896
6 changed files with 179 additions and 152 deletions
--- a/weed/s3api/object_lock_utils.go
+++ b/weed/s3api/object_lock_utils.go
@@ -4,7 +4,9 @@ import (
 	"encoding/xml"
 	"fmt"
 	"strconv"
 	"time"
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 )
@@ -237,3 +239,125 @@ func ValidateObjectLockParameters(enabled bool, mode string, duration int32) err
 	return nil
 }
 // ====================================================================
 // OBJECT LOCK VALIDATION FUNCTIONS
 // ====================================================================
 // These validation functions provide comprehensive validation for
 // all Object Lock related configurations and requests.
 // ValidateRetention validates retention configuration for object-level retention
 func ValidateRetention(retention *ObjectRetention) error {
 	// Check if mode is specified
 	if retention.Mode == "" {
 		return ErrRetentionMissingMode
 	}
 	// Check if retain until date is specified
 	if retention.RetainUntilDate == nil {
 		return ErrRetentionMissingRetainUntilDate
 	}
 	// Check if mode is valid
 	if retention.Mode != s3_constants.RetentionModeGovernance && retention.Mode != s3_constants.RetentionModeCompliance {
 		return ErrInvalidRetentionModeValue
 	}
 	// Check if retain until date is in the future
 	if retention.RetainUntilDate.Before(time.Now()) {
 		return ErrRetentionDateMustBeFuture
 	}
 	return nil
 }
 // ValidateLegalHold validates legal hold configuration
 func ValidateLegalHold(legalHold *ObjectLegalHold) error {
 	// Check if status is valid
 	if legalHold.Status != s3_constants.LegalHoldOn && legalHold.Status != s3_constants.LegalHoldOff {
 		return ErrInvalidLegalHoldStatus
 	}
 	return nil
 }
 // ValidateObjectLockConfiguration validates object lock configuration at bucket level
 func ValidateObjectLockConfiguration(config *ObjectLockConfiguration) error {
 	// ObjectLockEnabled is required for bucket-level configuration
 	if config.ObjectLockEnabled == "" {
 		return ErrObjectLockConfigurationMissingEnabled
 	}
 	// Validate ObjectLockEnabled value
 	if config.ObjectLockEnabled != s3_constants.ObjectLockEnabled {
 		// ObjectLockEnabled can only be 'Enabled', any other value (including 'Disabled') is malformed XML
 		return ErrInvalidObjectLockEnabledValue
 	}
 	// Validate Rule if present
 	if config.Rule != nil {
 		if config.Rule.DefaultRetention == nil {
 			return ErrRuleMissingDefaultRetention
 		}
 		return validateDefaultRetention(config.Rule.DefaultRetention)
 	}
 	return nil
 }
 // validateDefaultRetention validates default retention configuration for bucket-level settings
 func validateDefaultRetention(retention *DefaultRetention) error {
 	glog.V(2).Infof("validateDefaultRetention: Mode=%s, Days=%d (set=%v), Years=%d (set=%v)",
 		retention.Mode, retention.Days, retention.DaysSet, retention.Years, retention.YearsSet)
 	// Mode is required
 	if retention.Mode == "" {
 		return ErrDefaultRetentionMissingMode
 	}
 	// Mode must be valid
 	if retention.Mode != s3_constants.RetentionModeGovernance && retention.Mode != s3_constants.RetentionModeCompliance {
 		return ErrInvalidDefaultRetentionMode
 	}
 	// Check for invalid Years value (negative values are always invalid)
 	if retention.YearsSet && retention.Years < 0 {
 		return ErrInvalidRetentionPeriod
 	}
 	// Check for invalid Days value (negative values are invalid)
 	if retention.DaysSet && retention.Days < 0 {
 		return ErrInvalidRetentionPeriod
 	}
 	// Check for invalid Days value (zero is invalid when explicitly provided)
 	if retention.DaysSet && retention.Days == 0 {
 		return ErrInvalidRetentionPeriod
 	}
 	// Check for neither Days nor Years being specified
 	if !retention.DaysSet && !retention.YearsSet {
 		return ErrDefaultRetentionMissingPeriod
 	}
 	// Check for both Days and Years being specified
 	if retention.DaysSet && retention.YearsSet {
 		return ErrDefaultRetentionBothDaysAndYears
 	}
 	// Validate Days if specified
 	if retention.DaysSet && retention.Days > 0 {
 		if retention.Days > MaxRetentionDays {
 			return ErrDefaultRetentionDaysOutOfRange
 		}
 	}
 	// Validate Years if specified
 	if retention.YearsSet && retention.Years > 0 {
 		if retention.Years > MaxRetentionYears {
 			return ErrDefaultRetentionYearsOutOfRange
 		}
 	}
 	return nil
 }
--- a/weed/s3api/s3api_bucket_handlers_object_lock_config.go
+++ b/weed/s3api/s3api_bucket_handlers_object_lock_config.go
@@ -41,7 +41,7 @@ func (s3a *S3ApiServer) PutObjectLockConfigurationHandler(w http.ResponseWriter,
 	}
 	// Validate object lock configuration
-	if err := validateObjectLockConfiguration(config); err != nil {
+	if err := ValidateObjectLockConfiguration(config); err != nil {
 		glog.Errorf("PutObjectLockConfigurationHandler: invalid object lock config: %v", err)
 		s3err.WriteErrorResponse(w, r, mapValidationErrorToS3Error(err))
 		return
--- a/weed/s3api/s3api_object_handlers_legal_hold.go
+++ b/weed/s3api/s3api_object_handlers_legal_hold.go
@@ -34,7 +34,7 @@ func (s3a *S3ApiServer) PutObjectLegalHoldHandler(w http.ResponseWriter, r *http
 	}
 	// Validate legal hold configuration
-	if err := validateLegalHold(legalHold); err != nil {
+	if err := ValidateLegalHold(legalHold); err != nil {
 		glog.Errorf("PutObjectLegalHoldHandler: invalid legal hold config: %v", err)
 		s3err.WriteErrorResponse(w, r, mapValidationErrorToS3Error(err))
 		return
--- a/weed/s3api/s3api_object_handlers_retention.go
+++ b/weed/s3api/s3api_object_handlers_retention.go
@@ -37,7 +37,7 @@ func (s3a *S3ApiServer) PutObjectRetentionHandler(w http.ResponseWriter, r *http
 	}
 	// Validate retention configuration
-	if err := validateRetention(retention); err != nil {
+	if err := ValidateRetention(retention); err != nil {
 		glog.Errorf("PutObjectRetentionHandler: invalid retention config: %v", err)
 		s3err.WriteErrorResponse(w, r, mapValidationErrorToS3Error(err))
 		return
--- a/weed/s3api/s3api_object_retention.go
+++ b/weed/s3api/s3api_object_retention.go
@@ -15,6 +15,10 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 )
 // ====================================================================
 // ERROR DEFINITIONS
 // ====================================================================
 // Sentinel errors for proper error handling instead of string matching
 var (
 	ErrNoRetentionConfiguration = errors.New("no retention configuration found")
@@ -47,6 +51,10 @@ const (
 	MaxRetentionYears = 100   // Maximum number of years for object retention
 )
 // ====================================================================
 // DATA STRUCTURES
 // ====================================================================
 // ObjectRetention represents S3 Object Retention configuration
 type ObjectRetention struct {
 	XMLName         xml.Name   `xml:"http://s3.amazonaws.com/doc/2006-03-01/ Retention"`
@@ -75,7 +83,6 @@ type ObjectLockRule struct {
 // DefaultRetention represents default retention settings
 // Implements custom XML unmarshal to track if Days/Years were present in XML
 type DefaultRetention struct {
 	XMLName  xml.Name `xml:"http://s3.amazonaws.com/doc/2006-03-01/ DefaultRetention"`
 	Mode     string   `xml:"http://s3.amazonaws.com/doc/2006-03-01/ Mode,omitempty"`
@@ -85,6 +92,12 @@ type DefaultRetention struct {
 	YearsSet bool     `xml:"-"`
 }
 // ====================================================================
 // XML PARSING
 // ====================================================================
 // UnmarshalXML implements custom XML unmarshaling for DefaultRetention
 // to track whether Days/Years fields were explicitly present in the XML
 func (dr *DefaultRetention) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
 	type Alias DefaultRetention
 	aux := &struct {
@@ -166,110 +179,9 @@ func parseObjectLockConfiguration(request *http.Request) (*ObjectLockConfigurati
 	return &config, nil
 }
-// validateRetention validates retention configuration
+// ====================================================================
-func validateRetention(retention *ObjectRetention) error {
+// OBJECT ENTRY OPERATIONS
-	// Check if mode is specified
+// ====================================================================
 	if retention.Mode == "" {
 		return ErrRetentionMissingMode
 	}
 	// Check if retain until date is specified
 	if retention.RetainUntilDate == nil {
 		return ErrRetentionMissingRetainUntilDate
 	}
 	// Check if mode is valid
 	if retention.Mode != s3_constants.RetentionModeGovernance && retention.Mode != s3_constants.RetentionModeCompliance {
 		return ErrInvalidRetentionModeValue
 	}
 	// Check if retain until date is in the future
 	if retention.RetainUntilDate.Before(time.Now()) {
 		return ErrRetentionDateMustBeFuture
 	}
 	return nil
 }
 // validateLegalHold validates legal hold configuration
 func validateLegalHold(legalHold *ObjectLegalHold) error {
 	// Check if status is valid
 	if legalHold.Status != s3_constants.LegalHoldOn && legalHold.Status != s3_constants.LegalHoldOff {
 		return ErrInvalidLegalHoldStatus
 	}
 	return nil
 }
 // validateObjectLockConfiguration validates object lock configuration
 func validateObjectLockConfiguration(config *ObjectLockConfiguration) error {
 	// ObjectLockEnabled is required for bucket-level configuration
 	if config.ObjectLockEnabled == "" {
 		return ErrObjectLockConfigurationMissingEnabled
 	}
 	// Validate ObjectLockEnabled value
 	if config.ObjectLockEnabled != s3_constants.ObjectLockEnabled {
 		// ObjectLockEnabled can only be 'Enabled', any other value (including 'Disabled') is malformed XML
 		return ErrInvalidObjectLockEnabledValue
 	}
 	// Validate Rule if present
 	if config.Rule != nil {
 		if config.Rule.DefaultRetention == nil {
 			return ErrRuleMissingDefaultRetention
 		}
 		return validateDefaultRetention(config.Rule.DefaultRetention)
 	}
 	return nil
 }
 // validateDefaultRetention validates default retention configuration
 func validateDefaultRetention(retention *DefaultRetention) error {
 	glog.V(2).Infof("validateDefaultRetention: Mode=%s, Days=%d (set=%v), Years=%d (set=%v)", retention.Mode, retention.Days, retention.DaysSet, retention.Years, retention.YearsSet)
 	// Mode is required
 	if retention.Mode == "" {
 		return ErrDefaultRetentionMissingMode
 	}
 	// Mode must be valid
 	if retention.Mode != s3_constants.RetentionModeGovernance && retention.Mode != s3_constants.RetentionModeCompliance {
 		return ErrInvalidDefaultRetentionMode
 	}
 	// Check for invalid Years value (negative values are always invalid)
 	if retention.YearsSet && retention.Years < 0 {
 		return ErrInvalidRetentionPeriod
 	}
 	// Check for invalid Days value (negative values are invalid)
 	if retention.DaysSet && retention.Days < 0 {
 		return ErrInvalidRetentionPeriod
 	}
 	// Check for invalid Days value (zero is invalid when explicitly provided)
 	if retention.DaysSet && retention.Days == 0 {
 		return ErrInvalidRetentionPeriod
 	}
 	// Check for neither Days nor Years being specified
 	if !retention.DaysSet && !retention.YearsSet {
 		return ErrDefaultRetentionMissingPeriod
 	}
 	// Check for both Days and Years being specified
 	if retention.DaysSet && retention.YearsSet && retention.Days > 0 && retention.Years > 0 {
 		return ErrDefaultRetentionBothDaysAndYears
 	}
 	// Validate Days if specified
 	if retention.DaysSet && retention.Days > 0 {
 		if retention.Days > MaxRetentionDays {
 			return ErrDefaultRetentionDaysOutOfRange
 		}
 	}
 	// Validate Years if specified
 	if retention.YearsSet && retention.Years > 0 {
 		if retention.Years > MaxRetentionYears {
 			return ErrDefaultRetentionYearsOutOfRange
 		}
 	}
 	return nil
 }
 // getObjectEntry retrieves the appropriate object entry based on versioning and versionId
 func (s3a *S3ApiServer) getObjectEntry(bucket, object, versionId string) (*filer_pb.Entry, error) {
@@ -300,7 +212,11 @@ func (s3a *S3ApiServer) getObjectEntry(bucket, object, versionId string) (*filer
 	return entry, nil
 }
-// getObjectRetention retrieves retention configuration from object metadata
+// ====================================================================
 // RETENTION OPERATIONS
 // ====================================================================
 // getObjectRetention retrieves object retention configuration
 func (s3a *S3ApiServer) getObjectRetention(bucket, object, versionId string) (*ObjectRetention, error) {
 	entry, err := s3a.getObjectEntry(bucket, object, versionId)
 	if err != nil {
@@ -333,7 +249,7 @@ func (s3a *S3ApiServer) getObjectRetention(bucket, object, versionId string) (*O
 	return retention, nil
 }
-// setObjectRetention sets retention configuration on object metadata
+// setObjectRetention sets object retention configuration
 func (s3a *S3ApiServer) setObjectRetention(bucket, object, versionId string, retention *ObjectRetention, bypassGovernance bool) error {
 	var entry *filer_pb.Entry
 	var err error
@@ -446,7 +362,11 @@ func (s3a *S3ApiServer) setObjectRetention(bucket, object, versionId string, ret
 	})
 }
-// getObjectLegalHold retrieves legal hold configuration from object metadata
+// ====================================================================
 // LEGAL HOLD OPERATIONS
 // ====================================================================
 // getObjectLegalHold retrieves object legal hold configuration
 func (s3a *S3ApiServer) getObjectLegalHold(bucket, object, versionId string) (*ObjectLegalHold, error) {
 	entry, err := s3a.getObjectEntry(bucket, object, versionId)
 	if err != nil {
@@ -468,7 +388,7 @@ func (s3a *S3ApiServer) getObjectLegalHold(bucket, object, versionId string) (*O
 	return legalHold, nil
 }
-// setObjectLegalHold sets legal hold configuration on object metadata
+// setObjectLegalHold sets object legal hold configuration
 func (s3a *S3ApiServer) setObjectLegalHold(bucket, object, versionId string, legalHold *ObjectLegalHold) error {
 	var entry *filer_pb.Entry
 	var err error
@@ -529,7 +449,11 @@ func (s3a *S3ApiServer) setObjectLegalHold(bucket, object, versionId string, leg
 	})
 }
-// isObjectRetentionActive checks if an object is currently under retention
+// ====================================================================
 // PROTECTION ENFORCEMENT
 // ====================================================================
 // isObjectRetentionActive checks if object has active retention
 func (s3a *S3ApiServer) isObjectRetentionActive(bucket, object, versionId string) (bool, error) {
 	retention, err := s3a.getObjectRetention(bucket, object, versionId)
 	if err != nil {
@@ -547,7 +471,7 @@ func (s3a *S3ApiServer) isObjectRetentionActive(bucket, object, versionId string
 	return false, nil
 }
-// getRetentionFromEntry extracts retention configuration from an existing entry
+// getRetentionFromEntry extracts retention configuration from filer entry
 func (s3a *S3ApiServer) getRetentionFromEntry(entry *filer_pb.Entry) (*ObjectRetention, bool, error) {
 	if entry.Extended == nil {
 		return nil, false, nil
@@ -577,7 +501,7 @@ func (s3a *S3ApiServer) getRetentionFromEntry(entry *filer_pb.Entry) (*ObjectRet
 	return retention, isActive, nil
 }
-// getLegalHoldFromEntry extracts legal hold configuration from an existing entry
+// getLegalHoldFromEntry extracts legal hold configuration from filer entry
 func (s3a *S3ApiServer) getLegalHoldFromEntry(entry *filer_pb.Entry) (*ObjectLegalHold, bool, error) {
 	if entry.Extended == nil {
 		return nil, false, nil
@@ -595,14 +519,11 @@ func (s3a *S3ApiServer) getLegalHoldFromEntry(entry *filer_pb.Entry) (*ObjectLeg
 	return legalHold, isActive, nil
 }
-// checkGovernanceBypassPermission validates if the user has IAM permission to bypass governance retention.
+// ====================================================================
-// This is the low-level permission check that integrates with the IAM system.
+// GOVERNANCE BYPASS
-//
+// ====================================================================
-// Returns true if:
+
-// - User has s3:BypassGovernanceRetention permission for the resource, OR
+// checkGovernanceBypassPermission checks if user has permission to bypass governance retention
 // - User has Admin permissions for the resource
 //
 // This function does NOT check if the bypass header is present - that's handled separately.
 func (s3a *S3ApiServer) checkGovernanceBypassPermission(request *http.Request, bucket, object string) bool {
 	// Use the existing IAM auth system to check the specific permission
 	// Create the governance bypass action with proper bucket/object concatenation
@@ -633,15 +554,7 @@ func (s3a *S3ApiServer) checkGovernanceBypassPermission(request *http.Request, b
 	return false
 }
-// evaluateGovernanceBypassRequest determines if a governance bypass should be allowed.
+// evaluateGovernanceBypassRequest evaluates if governance bypass is requested and permitted
 // This is the high-level validation that combines header checking with permission validation.
 //
 // AWS S3 requires BOTH conditions:
 // 1. Client sends x-amz-bypass-governance-retention: true header (intent)
 // 2. User has s3:BypassGovernanceRetention IAM permission (authorization)
 //
 // Returns true only if both conditions are met.
 // Used by all handlers that need to check governance bypass (DELETE, PUT, etc.).
 func (s3a *S3ApiServer) evaluateGovernanceBypassRequest(r *http.Request, bucket, object string) bool {
 	// Step 1: Check if governance bypass was requested via header
 	bypassRequested := r.Header.Get("x-amz-bypass-governance-retention") == "true"
@@ -661,18 +574,7 @@ func (s3a *S3ApiServer) evaluateGovernanceBypassRequest(r *http.Request, bucket,
 	return true
 }
-// enforceObjectLockProtections checks if an object operation should be blocked by object lock.
+// enforceObjectLockProtections enforces object lock protections for operations
 // This function enforces retention and legal hold policies based on pre-validated permissions.
 //
 // Parameters:
 //   - request: HTTP request (for logging/context only - permissions already validated)
 //   - bucket, object, versionId: Object identifier
 //   - governanceBypassAllowed: Pre-validated governance bypass permission (from evaluateGovernanceBypassRequest)
 //
 // Important: The governanceBypassAllowed parameter is TRUSTED - it should only be set to true
 // if evaluateGovernanceBypassRequest() has already validated both header presence and IAM permissions.
 //
 // Returns error if operation should be blocked, nil if operation is allowed.
 func (s3a *S3ApiServer) enforceObjectLockProtections(request *http.Request, bucket, object, versionId string, governanceBypassAllowed bool) error {
 	// Get the object entry to check both retention and legal hold
 	// For delete operations without versionId, we need to check the latest version
@@ -735,8 +637,11 @@ func (s3a *S3ApiServer) enforceObjectLockProtections(request *http.Request, buck
 	return nil
 }
-// isObjectLockAvailable checks if Object Lock features are available for the bucket
+// ====================================================================
-// Object Lock requires versioning to be enabled (AWS S3 requirement)
+// AVAILABILITY CHECKS
 // ====================================================================
 // isObjectLockAvailable checks if object lock is available for the bucket
 func (s3a *S3ApiServer) isObjectLockAvailable(bucket string) error {
 	versioningEnabled, err := s3a.isVersioningEnabled(bucket)
 	if err != nil {
@@ -753,9 +658,7 @@ func (s3a *S3ApiServer) isObjectLockAvailable(bucket string) error {
 	return nil
 }
-// handleObjectLockAvailabilityCheck is a helper function to check object lock availability
+// handleObjectLockAvailabilityCheck handles object lock availability checks for API endpoints
 // and write the appropriate error response if not available. This reduces code duplication
 // across all retention handlers.
 func (s3a *S3ApiServer) handleObjectLockAvailabilityCheck(w http.ResponseWriter, request *http.Request, bucket, handlerName string) bool {
 	if err := s3a.isObjectLockAvailable(bucket); err != nil {
 		glog.Errorf("%s: object lock not available for bucket %s: %v", handlerName, bucket, err)
--- a/weed/s3api/s3api_object_retention_test.go
+++ b/weed/s3api/s3api_object_retention_test.go
@@ -80,7 +80,7 @@ func TestValidateRetention(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateRetention(tt.retention)
+			err := ValidateRetention(tt.retention)
 			if tt.expectError {
 				if err == nil {
@@ -154,7 +154,7 @@ func TestValidateLegalHold(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateLegalHold(tt.legalHold)
+			err := ValidateLegalHold(tt.legalHold)
 			if tt.expectError {
 				if err == nil {
@@ -631,7 +631,7 @@ func TestValidateObjectLockConfiguration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateObjectLockConfiguration(tt.config)
+			err := ValidateObjectLockConfiguration(tt.config)
 			if tt.expectError {
 				if err == nil {