Merge branch 'feature/S3C-4262_BackportZenkoMetrics' into tmp/octopus/w/7.9/feature/S3C-4262_BackportZenkoMetrics

Add 7.9 actions

errors/arsenalErrors.json

@@ -252,6 +252,10 @@
     "code": 404,
     "description": "The lifecycle configuration does not exist."
   },
+  "NoSuchObjectLockConfiguration": {
+    "code": 404,
+    "description": "The specified object does not have a ObjectLock configuration."
+  },
   "NoSuchWebsiteConfiguration": {
     "code": 404,
     "description": "The specified bucket does not have a website configuration"
@@ -268,6 +272,10 @@
     "code": 404,
     "description": "The replication configuration was not found"
   },
+  "ObjectLockConfigurationNotFoundError": {
+    "code": 404,
+    "description": "The object lock configuration was not found"
+  },
   "NotImplemented": {
     "code": 501,
     "description": "A header you provided implies functionality that is not implemented."
@@ -463,6 +471,22 @@
      "code": 400,
      "description": "The request was rejected because an invalid or out-of-range value was supplied for an input parameter."
   },
+  "MalformedPolicy": {
+    "code": 400,
+    "description": "This policy contains invalid Json"
+  },
+  "ReportExpired": {
+    "code": 410,
+    "description": "The request was rejected because the most recent credential report has expired. To generate a new credential report, use GenerateCredentialReport."
+  },
+  "ReportInProgress": {
+    "code": 404,
+    "description": "The request was rejected because the credential report is still being generated."
+  },
+  "ReportNotPresent": {
+    "code": 410,
+    "description": "The request was rejected because the credential report does not exist. To generate a credential report, use GenerateCredentialReport."
+  },
   "_comment": "-------------- Special non-AWS S3 errors --------------",
   "MPUinProgress": {
     "code": 409,

index.js

@@ -61,6 +61,8 @@ module.exports = {
             RESTClient: require('./lib/network/rest/RESTClient'),
         },
         RoundRobin: require('./lib/network/RoundRobin'),
+        kmip: require('./lib/network/kmip'),
+        kmipClient: require('./lib/network/kmip/Client'),
     },
     s3routes: {
         routes: require('./lib/s3routes/routes'),
@@ -70,6 +72,7 @@ module.exports = {
         userMetadata: require('./lib/s3middleware/userMetadata'),
         convertToXml: require('./lib/s3middleware/convertToXml'),
         escapeForXml: require('./lib/s3middleware/escapeForXml'),
+        objectLegalHold: require('./lib/s3middleware/objectLegalHold'),
         tagging: require('./lib/s3middleware/tagging'),
         validateConditionalHeaders:
             require('./lib/s3middleware/validateConditionalHeaders')
@@ -85,6 +88,7 @@ module.exports = {
             SubStreamInterface:
                 require('./lib/s3middleware/azureHelpers/SubStreamInterface'),
         },
+        retention: require('./lib/s3middleware/objectRetention'),
     },
     storage: {
         metadata: {
@@ -113,6 +117,11 @@ module.exports = {
           require('./lib/models/ReplicationConfiguration'),
         LifecycleConfiguration:
             require('./lib/models/LifecycleConfiguration'),
+        BucketPolicy: require('./lib/models/BucketPolicy'),
+        ObjectLockConfiguration:
+            require('./lib/models/ObjectLockConfiguration'),
+        NotificationConfiguration:
+            require('./lib/models/NotificationConfiguration'),
     },
     metrics: {
         StatsClient: require('./lib/metrics/StatsClient'),

lib/auth/v2/queryAuthCheck.js

@@ -34,8 +34,13 @@ function check(request, log, data) {
     }
 
     const currentTime = Date.now();
-    // 604800000 ms (seven days).
-    if (expirationTime > currentTime + 604800000) {
+
+    const preSignedURLExpiry = process.env.PRE_SIGN_URL_EXPIRY
+        && !Number.isNaN(process.env.PRE_SIGN_URL_EXPIRY)
+        ? Number.parseInt(process.env.PRE_SIGN_URL_EXPIRY, 10)
+        : constants.defaultPreSignedURLExpiry * 1000;
+
+    if (expirationTime > currentTime + preSignedURLExpiry) {
         log.debug('expires parameter too far in future',
         { expires: request.query.Expires });
         return { err: errors.AccessDenied };

lib/constants.js

@@ -72,6 +72,22 @@ module.exports = {
     permittedCapitalizedBuckets: {
         METADATA: true,
     },
+    // Default expiration value of the S3 pre-signed URL duration
+    // 604800 seconds (seven days).
+    defaultPreSignedURLExpiry: 7 * 24 * 60 * 60,
+    // Regex for ISO-8601 formatted date
+    shortIso8601Regex: /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z/,
+    longIso8601Regex: /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/,
+    supportedNotificationEvents: new Set([
+        's3:ObjectCreated:*',
+        's3:ObjectCreated:Put',
+        's3:ObjectCreated:Copy',
+        's3:ObjectCreated:CompleteMultipartUpload',
+        's3:ObjectRemoved:*',
+        's3:ObjectRemoved:Delete',
+        's3:ObjectRemoved:DeleteMarkerCreated',
+    ]),
+    notificationArnPrefix: 'arn:scality:bucketnotif',
     // HTTP server keep-alive timeout is set to a higher value than
     // client's free sockets timeout to avoid the risk of triggering
     // ECONNRESET errors if the server closes the connection at the

lib/models/BucketInfo.js

@@ -2,9 +2,12 @@ const assert = require('assert');
 const { WebsiteConfiguration } = require('./WebsiteConfiguration');
 const ReplicationConfiguration = require('./ReplicationConfiguration');
 const LifecycleConfiguration = require('./LifecycleConfiguration');
+const ObjectLockConfiguration = require('./ObjectLockConfiguration');
+const BucketPolicy = require('./BucketPolicy');
+const NotificationConfiguration = require('./NotificationConfiguration');
 
 // WHEN UPDATING THIS NUMBER, UPDATE MODELVERSION.MD CHANGELOG
-const modelVersion = 6;
+const modelVersion = 8;
 
 class BucketInfo {
     /**
@@ -47,12 +50,18 @@ class BucketInfo {
     * @param {string[]} [cors[].exposeHeaders] - headers expose to applications
     * @param {object} [replicationConfiguration] - replication configuration
     * @param {object} [lifecycleConfiguration] - lifecycle configuration
+    * @param {object} [bucketPolicy] - bucket policy
+    * @param {boolean} [objectLockEnabled] - true when object lock enabled
+    * @param {object} [objectLockConfiguration] - object lock configuration
+    * @param {object} [notificationConfiguration] - bucket notification configuration
     */
     constructor(name, owner, ownerDisplayName, creationDate,
                 mdBucketModelVersion, acl, transient, deleted,
                 serverSideEncryption, versioningConfiguration,
                 locationConstraint, websiteConfiguration, cors,
-                replicationConfiguration, lifecycleConfiguration) {
+                replicationConfiguration, lifecycleConfiguration,
+                bucketPolicy, objectLockEnabled, objectLockConfiguration,
+                notificationConfiguration) {
         assert.strictEqual(typeof name, 'string');
         assert.strictEqual(typeof owner, 'string');
         assert.strictEqual(typeof ownerDisplayName, 'string');
@@ -112,6 +121,15 @@ class BucketInfo {
         if (lifecycleConfiguration) {
             LifecycleConfiguration.validateConfig(lifecycleConfiguration);
         }
+        if (bucketPolicy) {
+            BucketPolicy.validatePolicy(bucketPolicy);
+        }
+        if (objectLockConfiguration) {
+            ObjectLockConfiguration.validateConfig(objectLockConfiguration);
+        }
+        if (notificationConfiguration) {
+            NotificationConfiguration.validateConfig(notificationConfiguration);
+        }
         const aclInstance = acl || {
             Canned: 'private',
             FULL_CONTROL: [],
@@ -137,6 +155,10 @@ class BucketInfo {
         this._replicationConfiguration = replicationConfiguration || null;
         this._cors = cors || null;
         this._lifecycleConfiguration = lifecycleConfiguration || null;
+        this._bucketPolicy = bucketPolicy || null;
+        this._objectLockEnabled = objectLockEnabled || false;
+        this._objectLockConfiguration = objectLockConfiguration || null;
+        this._notificationConfiguration = notificationConfiguration || null;
         return this;
     }
     /**
@@ -160,6 +182,10 @@ class BucketInfo {
             cors: this._cors,
             replicationConfiguration: this._replicationConfiguration,
             lifecycleConfiguration: this._lifecycleConfiguration,
+            bucketPolicy: this._bucketPolicy,
+            objectLockEnabled: this._objectLockEnabled,
+            objectLockConfiguration: this._objectLockConfiguration,
+            notificationConfiguration: this._notificationConfiguration,
         };
         if (this._websiteConfiguration) {
             bucketInfos.websiteConfiguration =
@@ -180,7 +206,9 @@ class BucketInfo {
             obj.creationDate, obj.mdBucketModelVersion, obj.acl,
             obj.transient, obj.deleted, obj.serverSideEncryption,
             obj.versioningConfiguration, obj.locationConstraint, websiteConfig,
-            obj.cors, obj.replicationConfiguration, obj.lifecycleConfiguration);
+            obj.cors, obj.replicationConfiguration, obj.lifecycleConfiguration,
+            obj.bucketPolicy, obj.objectLockEnabled,
+            obj.objectLockConfiguration, obj.notificationConfiguration);
     }
 
     /**
@@ -203,7 +231,9 @@ class BucketInfo {
             data._transient, data._deleted, data._serverSideEncryption,
             data._versioningConfiguration, data._locationConstraint,
             data._websiteConfiguration, data._cors,
-            data._replicationConfiguration, data._lifecycleConfiguration);
+            data._replicationConfiguration, data._lifecycleConfiguration,
+            data._bucketPolicy, data._objectLockEnabled,
+            data._objectLockConfiguration, data._notificationConfiguration);
     }
 
     /**
@@ -331,6 +361,57 @@ class BucketInfo {
         this._lifecycleConfiguration = lifecycleConfiguration;
         return this;
     }
+    /**
+     * Get bucket policy statement
+     * @return {object|null} bucket policy statement or `null` if the bucket
+     * does not have a bucket policy
+     */
+    getBucketPolicy() {
+        return this._bucketPolicy;
+    }
+    /**
+     * Set bucket policy statement
+     * @param {object} bucketPolicy - bucket policy
+     * @return {BucketInfo} - bucket info instance
+     */
+    setBucketPolicy(bucketPolicy) {
+        this._bucketPolicy = bucketPolicy;
+        return this;
+    }
+    /**
+     * Get object lock configuration
+     * @return {object|null} object lock configuration information or `null` if
+     * the bucket does not have an object lock configuration
+     */
+    getObjectLockConfiguration() {
+        return this._objectLockConfiguration;
+    }
+    /**
+     * Set object lock configuration
+     * @param {object} objectLockConfiguration - object lock information
+     * @return {BucketInfo} - bucket info instance
+     */
+    setObjectLockConfiguration(objectLockConfiguration) {
+        this._objectLockConfiguration = objectLockConfiguration;
+        return this;
+    }
+    /**
+     * Get notification configuration
+     * @return {object|null} notification configuration information or 'null' if
+     * the bucket does not have a notification configuration
+     */
+    getNotificationConfiguration() {
+        return this._notificationConfiguration;
+    }
+    /**
+     * Set notification configuraiton
+     * @param {object} notificationConfiguration - bucket notification information
+     * @return {BucketInfo} - bucket info instance
+     */
+    setNotificationConfiguration(notificationConfiguration) {
+        this._notificationConfiguration = notificationConfiguration;
+        return this;
+    }
     /**
      * Get cors resource
      * @return {object[]} cors
@@ -521,6 +602,22 @@ class BucketInfo {
         return this._versioningConfiguration &&
             this._versioningConfiguration.Status === 'Enabled';
     }
+    /**
+    * Check if object lock is enabled.
+    * @return {boolean} - depending on whether object lock is enabled
+    */
+    isObjectLockEnabled() {
+        return !!this._objectLockEnabled;
+    }
+    /**
+    * Set the value of objectLockEnabled field.
+    * @param {boolean} enabled - true if object lock enabled else false.
+    * @return {BucketInfo} - bucket info instance
+    */
+    setObjectLockEnabled(enabled) {
+        this._objectLockEnabled = enabled;
+        return this;
+    }
 }
 
 module.exports = BucketInfo;

lib/models/BucketPolicy.js

@@ -0,0 +1,143 @@
+const assert = require('assert');
+
+const errors = require('../errors');
+const { validateResourcePolicy } = require('../policy/policyValidator');
+
+/**
+ * Format of json policy:
+ *  {
+ *      "Id": "Policy id",
+ *      "Version": "version date",
+ *      "Statement": [
+ *          {
+ *              "Sid": "Statement id",
+ *              "Effect": "Allow",
+ *              "Principal": "*",
+ *              "Action": "s3:*",
+ *              "Resource": "arn:aws:s3:::examplebucket/bucket2/object"
+ *          },
+ *          {
+ *              "Sid": "Statement id",
+ *              "Effect": "Deny",
+ *              "Principal": {
+ *                  "AWS": ["arn:aws:iam::<account_id>", "different_account_id"]
+ *              },
+ *              "Action": [ "s3:*" ],
+ *              "Resource": [
+ *                  "arn:aws:s3:::examplebucket", "arn:aws:s3:::otherbucket/*"],
+ *              "Condition": {
+ *                 "StringNotLike": {
+ *                      "aws:Referer": [
+ *                          "http://www.example.com/", "http://example.com/*"]
+ *                  }
+ *              }
+ *          }
+ *      ]
+ *  }
+ */
+
+const objectActions = [
+    's3:AbortMultipartUpload',
+    's3:DeleteObject',
+    's3:DeleteObjectTagging',
+    's3:GetObject',
+    's3:GetObjectAcl',
+    's3:GetObjectTagging',
+    's3:ListMultipartUploadParts',
+    's3:PutObject',
+    's3:PutObjectAcl',
+    's3:PutObjectTagging',
+];
+
+class BucketPolicy {
+    /**
+     * Create a Bucket Policy instance
+     * @param {string} json - the json policy
+     * @return {object} - BucketPolicy instance
+     */
+    constructor(json) {
+        this._json = json;
+        this._policy = {};
+    }
+
+    /**
+     * Get the bucket policy
+     * @return {object} - the bucket policy or error
+     */
+    getBucketPolicy() {
+        const policy = this._getPolicy();
+        return policy;
+    }
+
+    /**
+     * Get the bucket policy array
+     * @return {object} - contains error if policy validation fails
+     */
+    _getPolicy() {
+        if (!this._json || this._json === '') {
+            return { error: errors.MalformedPolicy.customizeDescription(
+                'request json is empty or undefined') };
+        }
+        const validSchema = validateResourcePolicy(this._json);
+        if (validSchema.error) {
+            return validSchema;
+        }
+        this._setStatementArray();
+        const valAcRes = this._validateActionResource();
+        if (valAcRes.error) {
+            return valAcRes;
+        }
+
+        return this._policy;
+    }
+
+    _setStatementArray() {
+        this._policy = JSON.parse(this._json);
+        if (!Array.isArray(this._policy.Statement)) {
+            const statement = this._policy.Statement;
+            this._policy.Statement = [statement];
+        }
+    }
+
+    /**
+     * Validate action and resource are compatible
+     * @return {error} - contains error or empty obj
+     */
+    _validateActionResource() {
+        const invalid = this._policy.Statement.every(s => {
+            const actions = typeof s.Action === 'string' ?
+                [s.Action] : s.Action;
+            const resources = typeof s.Resource === 'string' ?
+                [s.Resource] : s.Resource;
+            const objectAction = actions.some(a =>
+                a.includes('Object') || objectActions.includes(a));
+            // wildcardObjectAction checks for actions such as 's3:*' or
+            // 's3:Put*' but will return false for actions such as
+            // 's3:PutBucket*'
+            const wildcardObjectAction = actions.some(
+                a => a.includes('*') && !a.includes('Bucket'));
+            const objectResource = resources.some(r => r.includes('/'));
+            return ((objectAction && !objectResource) ||
+                (objectResource && !objectAction && !wildcardObjectAction));
+        });
+        if (invalid) {
+            return { error: errors.MalformedPolicy.customizeDescription(
+                'Action does not apply to any resource(s) in statement') };
+        }
+        return {};
+    }
+
+    /**
+     * Call resource policy schema validation function
+     * @param {object} policy - the bucket policy object to validate
+     * @return {undefined}
+     */
+    static validatePolicy(policy) {
+        // only the BucketInfo constructor calls this function
+        // and BucketInfo will always be passed an object
+        const validated = validateResourcePolicy(JSON.stringify(policy));
+        assert.deepStrictEqual(validated, { error: null, valid: true });
+    }
+}
+
+module.exports = BucketPolicy;

lib/models/NotificationConfiguration.js

@@ -0,0 +1,311 @@
+const assert = require('assert');
+const UUID = require('uuid');
+
+const {
+    supportedNotificationEvents,
+    notificationArnPrefix,
+} = require('../constants');
+const errors = require('../errors');
+
+/**
+ * Format of xml request:
+ *
+ * <ONotificationConfiguration>
+ *      <QueueConfiguration>
+ *          <Event>array</Event>
+ *          <Filter>
+ *              <S3Key>
+ *                  <FilterRule>
+ *                      <Name>string</Name>
+ *                      <Value>string</Value>
+ *                  </FilterRule>
+ *              </S3Key>
+ *          </Filter>
+ *          <Id>string</Id>
+ *          <Queue>string</Queue>
+ *      </QueueConfiguration>
+ * </NotificationConfiguration>
+ */
+
+ /**
+  * Format of config:
+  *
+  * config = {
+  *     queueConfig: [
+  *         {
+  *         events: array,
+  *         queueArn: string,
+  *         filterRules: [
+  *             {
+  *                 name: string,
+  *                 value: string
+  *             },
+  *             {
+  *                 name: string,
+  *                 value:string
+  *             },
+  *         ],
+  *         id: string
+  *         }
+  *     ]
+  * }
+  */
+
+class NotificationConfiguration {
+    /**
+     * Create a Notification Configuration instance
+     * @param {string} xml - parsed configuration xml
+     * @return {object} - NotificationConfiguration instance
+     */
+    constructor(xml) {
+        this._parsedXml = xml;
+        this._config = {};
+        this._ids = new Set([]);
+    }
+
+    /**
+     * Get notification configuration
+     * @return {object} - contains error if parsing failed
+     */
+    getValidatedNotificationConfiguration() {
+        const validationError = this._parseNotificationConfig();
+        if (validationError) {
+            this._config.error = validationError;
+        }
+        return this._config;
+    }
+
+    /**
+     * Check that notification configuration is valid
+     * @return {error | null} - error if parsing failed, else undefined
+     */
+    _parseNotificationConfig() {
+        if (!this._parsedXml || this._parsedXml === '') {
+            return errors.MalformedXML.customizeDescription(
+                'request xml is undefined or empty');
+        }
+        const notificationConfig = this._parsedXml.NotificationConfiguration;
+        if (!notificationConfig || notificationConfig === '') {
+            return errors.MalformedXML.customizeDescription(
+                'request xml does not include NotificationConfiguration');
+        }
+        const queueConfig = notificationConfig.QueueConfiguration;
+        if (!queueConfig || !queueConfig[0]) {
+            // if undefined or empty QueueConfiguration, notif configuration is deleted
+            return null;
+        }
+        this._config.queueConfig = [];
+        let parseError;
+        for (let i = 0; i < queueConfig.length; i++) {
+            const eventObj = this._parseEvents(queueConfig[i].Event);
+            const filterObj = this._parseFilter(queueConfig[i].Filter);
+            const idObj = this._parseId(queueConfig[i].Id);
+            const arnObj = this._parseArn(queueConfig[i].Queue);
+
+            if (eventObj.error) {
+                parseError = eventObj.error;
+                this._config = {};
+                break;
+            }
+            if (filterObj.error) {
+                parseError = filterObj.error;
+                this._config = {};
+                break;
+            }
+            if (idObj.error) {
+                parseError = idObj.error;
+                this._config = {};
+                break;
+            }
+            if (arnObj.error) {
+                parseError = arnObj.error;
+                this._config = {};
+                break;
+            }
+            this._config.queueConfig.push({
+                events: eventObj.events,
+                queueArn: arnObj.arn,
+                id: idObj.id,
+                filterRules: filterObj.filterRules,
+            });
+        }
+        return parseError;
+    }
+
+    /**
+     * Check that events array is valid
+     * @param {array} events - event array
+     * @return {object} - contains error if parsing failed or events array
+     */
+    _parseEvents(events) {
+        const eventsObj = {
+            events: [],
+        };
+        if (!events || !events[0]) {
+            eventsObj.error = errors.MalformedXML.customizeDescription(
+                'each queue configuration must contain an event');
+            return eventsObj;
+        }
+        events.forEach(e => {
+            if (!supportedNotificationEvents.has(e)) {
+                eventsObj.error = errors.MalformedXML.customizeDescription(
+                    'event array contains invalid or unsupported event');
+            } else {
+                eventsObj.events.push(e);
+            }
+        });
+        return eventsObj;
+    }
+
+    /**
+     * Check that filter array is valid
+     * @param {array} filter - filter array
+     * @return {object} - contains error if parsing failed or filter array
+     */
+    _parseFilter(filter) {
+        if (!filter || !filter[0]) {
+            return {};
+        }
+        if (!filter[0].S3Key || !filter[0].S3Key[0]) {
+            return { error: errors.MalformedXML.customizeDescription(
+                'if included, queue configuration filter must contain S3Key') };
+        }
+        const filterRules = filter[0].S3Key[0];
+        if (!filterRules.FilterRule || !filterRules.FilterRule[0]) {
+            return { error: errors.MalformedXML.customizeDescription(
+                'if included, queue configuration filter must contain a rule') };
+        }
+        const filterObj = {
+            filterRules: [],
+        };
+        const ruleArray = filterRules.FilterRule;
+        for (let i = 0; i < ruleArray.length; i++) {
+            if (!ruleArray[i].Name
+                || !ruleArray[i].Name[0]
+                || !ruleArray[i].Value
+                || !ruleArray[i].Value[0]) {
+                return { error: errors.MalformedXML.customizeDescription(
+                    'each included filter must contain a name and value') };
+            }
+            if (!['Prefix', 'Suffix'].includes(ruleArray[i].Name[0])) {
+                return { error: errors.MalformedXML.customizeDescription(
+                    'filter Name must be one of Prefix or Suffix') };
+            }
+            filterObj.filterRules.push({
+                name: ruleArray[i].Name[0],
+                value: ruleArray[i].Value[0],
+            });
+        }
+        return filterObj;
+    }
+
+    /**
+     * Check that id string is valid
+     * @param {string} id - id string (optional)
+     * @return {object} - contains error if parsing failed or id
+     */
+    _parseId(id) {
+        if (id && id[0].length > 255) {
+            return { error: errors.InvalidArgument.customizeDescription(
+                'queue configuration ID is greater than 255 characters long') };
+        }
+        let validId;
+        if (!id || !id[0]) {
+            // id is optional property, so create one if not provided or is ''
+            // We generate 48-character alphanumeric, unique id for rule
+            validId = Buffer.from(UUID.v4()).toString('base64');
+        } else {
+            validId = id[0];
+        }
+        // Each ID in a list of rules must be unique.
+        if (this._ids.has(validId)) {
+            return { error: errors.InvalidRequest.customizeDescription(
+                'queue configuration ID must be unique') };
+        }
+        this._ids.add(validId);
+        return { id: validId };
+    }
+
+    /**
+     * Check that arn string is valid
+     * @param {string} arn - queue arn
+     * @return {object} - contains error if parsing failed or queue arn
+     */
+    _parseArn(arn) {
+        if (!arn || !arn[0]) {
+            return { error: errors.MalformedXML.customizeDescription(
+                'each queue configuration must contain a queue arn'),
+            };
+        }
+        const splitArn = arn[0].split(':');
+        const slicedArn = arn[0].slice(0, 23);
+        if (splitArn.length !== 6 || slicedArn !== notificationArnPrefix) {
+            return { error: errors.MalformedXML.customizeDescription(
+                'queue arn is invalid') };
+        }
+        // remaining 3 parts of arn are evaluated in cloudserver
+        return { arn: arn[0] };
+    }
+
+    /**
+     * Get XML representation of notification configuration object
+     * @param {object} config - notification configuration object
+     * @return {string} - XML representation of config
+     */
+    static getConfigXML(config) {
+        const xmlArray = [];
+        if (config && config.queueConfig) {
+            config.queueConfig.forEach(c => {
+                xmlArray.push('<QueueConfiguration>');
+                xmlArray.push(`<Id>${c.id}</Id>`);
+                xmlArray.push(`<Queue>${c.queueArn}</Queue>`);
+                c.events.forEach(e => {
+                    xmlArray.push(`<Event>${e}</Event>`);
+                });
+                if (c.filterRules) {
+                    xmlArray.push('<Filter><S3Key>');
+                    c.filterRules.forEach(r => {
+                        xmlArray.push(`<FilterRule><Name>${r.name}</Name>` +
+                            `<Value>${r.value}</Value></FilterRule>`);
+                    });
+                    xmlArray.push('</S3Key></Filter>');
+                }
+                xmlArray.push('</QueueConfiguration>');
+            });
+        }
+        const queueConfigXML = xmlArray.join('');
+        return '<?xml version="1.0" encoding="UTF-8"?>' +
+            '<NotificationConfiguration ' +
+            'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+            `${queueConfigXML}` +
+            '</NotificationConfiguration>';
+    }
+
+    /**
+     * Validate the bucket metadata notification configuration structure and
+     * value types
+     * @param {object} config - The notificationconfiguration to validate
+     * @return {undefined}
+     */
+    static validateConfig(config) {
+        assert.strictEqual(typeof config, 'object');
+        if (!config.queueConfig) {
+            return;
+        }
+        config.queueConfig.forEach(q => {
+            const { events, queueArn, filterRules, id } = q;
+            events.forEach(e => assert.strictEqual(typeof e, 'string'));
+            assert.strictEqual(typeof queueArn, 'string');
+            if (filterRules) {
+                filterRules.forEach(f => {
+                    assert.strictEqual(typeof f.name, 'string');
+                    assert.strictEqual(typeof f.value, 'string');
+                });
+            }
+            assert.strictEqual(typeof id, 'string');
+        });
+        return;
+    }
+}
+
+module.exports = NotificationConfiguration;

lib/models/ObjectLockConfiguration.js

@@ -0,0 +1,238 @@
+const assert = require('assert');
+
+const errors = require('../errors');
+
+/**
+ * Format of xml request:
+ *
+ * <ObjectLockConfiguration>
+ *      <ObjectLockEnabled>Enabled</ObjectLockEnabled>
+ *      <Rule>
+ *          <DefaultRetention>
+ *              <Mode>GOVERNANCE|COMPLIANCE</Mode>
+ *              <Days>1</Days>
+ *              <Years>1</Years>
+ *          </DefaultRetention>
+ *      </Rule>
+ * </ObjectLockConfiguration>
+ */
+
+ /**
+  * Format of config:
+  *
+  * config = {
+  *     rule: {
+  *         mode: GOVERNANCE|COMPLIANCE,
+  *         days|years: integer,
+  *     }
+  * }
+  */
+class ObjectLockConfiguration {
+    /**
+     * Create an Object Lock Configuration instance
+     * @param {string} xml - the parsed configuration xml
+     * @return {object} - ObjectLockConfiguration instance
+     */
+    constructor(xml) {
+        this._parsedXml = xml;
+        this._config = {};
+    }
+
+    /**
+     * Get the object lock configuration
+     * @return {object} - contains error if parsing failed
+     */
+    getValidatedObjectLockConfiguration() {
+        const validConfig = this._parseObjectLockConfig();
+        if (validConfig.error) {
+            this._config.error = validConfig.error;
+        }
+        return this._config;
+    }
+
+    /**
+     * Check that mode is valid
+     * @param {array} mode - array containing mode value
+     * @return {object} - contains error if parsing failed
+     */
+    _parseMode(mode) {
+        const validMode = {};
+        const expectedModes = ['GOVERNANCE', 'COMPLIANCE'];
+        if (!mode || !mode[0]) {
+            validMode.error = errors.MalformedXML.customizeDescription(
+                'request xml does not contain Mode');
+            return validMode;
+        }
+        if (mode.length > 1) {
+            validMode.error = errors.MalformedXML.customizeDescription(
+                'request xml contains more than one Mode');
+            return validMode;
+        }
+        if (!expectedModes.includes(mode[0])) {
+            validMode.error = errors.MalformedXML.customizeDescription(
+                'Mode request xml must be one of "GOVERNANCE", "COMPLIANCE"');
+            return validMode;
+        }
+        validMode.mode = mode[0];
+        return validMode;
+    }
+
+    /**
+     * Check that time limit is valid
+     * @param {object} dr - DefaultRetention object containing days or years
+     * @return {object} - contains error if parsing failed
+     */
+    _parseTime(dr) {
+        const validTime = {};
+        if (dr.Days && dr.Years) {
+            validTime.error = errors.MalformedXML.customizeDescription(
+                'request xml contains both Days and Years');
+            return validTime;
+        }
+        const timeType = dr.Days ? 'Days' : 'Years';
+        if (!dr[timeType] || !dr[timeType][0]) {
+            validTime.error = errors.MalformedXML.customizeDescription(
+                'request xml does not contain Days or Years');
+            return validTime;
+        }
+        if (dr[timeType].length > 1) {
+            validTime.error = errors.MalformedXML.customizeDescription(
+                'request xml contains more than one retention period');
+            return validTime;
+        }
+        const timeValue = Number.parseInt(dr[timeType][0], 10);
+        if (Number.isNaN(timeValue)) {
+            validTime.error = errors.MalformedXML.customizeDescription(
+                'request xml does not contain valid retention period');
+            return validTime;
+        }
+        if (timeValue < 1) {
+            validTime.error = errors.InvalidArgument.customizeDescription(
+                'retention period must be a positive integer');
+            return validTime;
+        }
+        if ((timeType === 'Days' && timeValue > 36500) ||
+        (timeType === 'Years' && timeValue > 100)) {
+            validTime.error = errors.InvalidArgument.customizeDescription(
+                'retention period is too large');
+            return validTime;
+        }
+        validTime.timeType = timeType.toLowerCase();
+        validTime.timeValue = timeValue;
+        return validTime;
+    }
+
+    /**
+     * Check that object lock configuration is valid
+     * @return {object} - contains error if parsing failed
+     */
+    _parseObjectLockConfig() {
+        const validConfig = {};
+        if (!this._parsedXml || this._parsedXml === '') {
+            validConfig.error = errors.MalformedXML.customizeDescription(
+                'request xml is undefined or empty');
+            return validConfig;
+        }
+        const objectLockConfig = this._parsedXml.ObjectLockConfiguration;
+        if (!objectLockConfig || objectLockConfig === '') {
+            validConfig.error = errors.MalformedXML.customizeDescription(
+                'request xml does not include ObjectLockConfiguration');
+            return validConfig;
+        }
+        const objectLockEnabled = objectLockConfig.ObjectLockEnabled;
+        if (!objectLockEnabled || objectLockEnabled[0] !== 'Enabled') {
+            validConfig.error = errors.MalformedXML.customizeDescription(
+                'request xml does not include valid ObjectLockEnabled');
+            return validConfig;
+        }
+        const ruleArray = objectLockConfig.Rule;
+        if (ruleArray) {
+            if (ruleArray.length > 1) {
+                validConfig.error = errors.MalformedXML.customizeDescription(
+                    'request xml contains more than one rule');
+                return validConfig;
+            }
+            const drArray = ruleArray[0].DefaultRetention;
+            if (!drArray || !drArray[0] || drArray[0] === '') {
+                validConfig.error = errors.MalformedXML.customizeDescription(
+                    'Rule request xml does not contain DefaultRetention');
+                return validConfig;
+            }
+            if (!drArray[0].Mode || (!drArray[0].Days && !drArray[0].Years)) {
+                validConfig.error = errors.MalformedXML.customizeDescription(
+                    'DefaultRetention request xml does not contain Mode or ' +
+                    'retention period (Days or Years)');
+                return validConfig;
+            }
+            const validMode = this._parseMode(drArray[0].Mode);
+            if (validMode.error) {
+                validConfig.error = validMode.error;
+                return validConfig;
+            }
+            const validTime = this._parseTime(drArray[0]);
+            if (validTime.error) {
+                validConfig.error = validTime.error;
+                return validConfig;
+            }
+            this._config.rule = {};
+            this._config.rule.mode = validMode.mode;
+            this._config.rule[validTime.timeType] = validTime.timeValue;
+        }
+        return validConfig;
+    }
+
+    /**
+     * Validate the bucket metadata object lock configuration structure and
+     * value types
+     * @param {object} config - The object lock configuration to validate
+     * @return {undefined}
+     */
+    static validateConfig(config) {
+        assert.strictEqual(typeof config, 'object');
+        const rule = config.rule;
+        if (rule) {
+            assert.strictEqual(typeof rule, 'object');
+            assert.strictEqual(typeof rule.mode, 'string');
+            if (rule.days) {
+                assert.strictEqual(typeof rule.days, 'number');
+            } else {
+                assert.strictEqual(typeof rule.years, 'number');
+            }
+        }
+    }
+
+    /**
+     * Get the XML representation of the configuration object
+     * @param {object} config - The bucket object lock configuration
+     * @return {string} - The XML representation of the configuration
+     */
+    static getConfigXML(config) {
+        // object lock is enabled on the bucket but object lock configuration
+        // not set
+        if (config.rule === undefined) {
+            return '<?xml version="1.0" encoding="UTF-8"?>' +
+                '<ObjectLockConfiguration ' +
+                'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+                '<ObjectLockEnabled>Enabled</ObjectLockEnabled>' +
+                '</ObjectLockConfiguration>';
+        }
+        const { days, years, mode } = config.rule;
+        const Mode = `<Mode>${mode}</Mode>`;
+        const Days = days !== undefined ? `<Days>${days}</Days>` : '';
+        const Years = years !== undefined ? `<Years>${years}</Years>` : '';
+        const Time = Days || Years;
+        return '<?xml version="1.0" encoding="UTF-8"?>' +
+            '<ObjectLockConfiguration ' +
+            'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+            '<ObjectLockEnabled>Enabled</ObjectLockEnabled>' +
+            '<Rule>' +
+            '<DefaultRetention>' +
+            `${Mode}` +
+            `${Time}` +
+            '</DefaultRetention>' +
+            '</Rule>' +
+            '</ObjectLockConfiguration>';
+    }
+}
+
+module.exports = ObjectLockConfiguration;

lib/models/ObjectMD.js

@@ -124,6 +124,7 @@ class ObjectMD {
                 dataStoreVersionId: '',
             },
             'dataStoreName': '',
+            'originOp': '',
         };
     }
 
@@ -883,6 +884,78 @@ class ObjectMD {
         return this;
     }
 
+    /**
+     * Set object legal hold status
+     * @param {boolean} legalHold - true if legal hold is 'ON' false if 'OFF'
+     * @return {ObjectMD} itself
+     */
+    setLegalHold(legalHold) {
+        this._data.legalHold = legalHold || false;
+        return this;
+    }
+
+    /**
+     * Get object legal hold status
+     * @return {boolean} legal hold status
+     */
+    getLegalHold() {
+        return this._data.legalHold || false;
+    }
+
+    /**
+     * Set object retention mode
+     * @param {string} mode - should be one of 'GOVERNANCE', 'COMPLIANCE'
+     * @return {ObjectMD} itself
+     */
+    setRetentionMode(mode) {
+        this._data.retentionMode = mode;
+        return this;
+    }
+
+    /**
+     * Set object retention retain until date
+     * @param {string} date - date in ISO-8601 format
+     * @return {ObjectMD} itself
+     */
+    setRetentionDate(date) {
+        this._data.retentionDate = date;
+        return this;
+    }
+
+    /**
+     * Returns object retention mode
+     * @return {string} retention mode string
+     */
+    getRetentionMode() {
+        return this._data.retentionMode;
+    }
+
+    /**
+     * Returns object retention retain until date
+     * @return {string} retention date string
+     */
+    getRetentionDate() {
+        return this._data.retentionDate;
+    }
+
+    /**
+     * Set origin operation for object
+     * @param {string} op - name of origin operation
+     * @return {ObjectMD} itself
+     */
+    setOriginOp(op) {
+        this._data.originOp = op;
+        return this;
+    }
+
+    /**
+     * Returns origin operation of object
+     * @return {string} origin operation string
+     */
+    getOriginOp() {
+        return this._data.originOp;
+    }
+
     /**
      * Returns metadata object
      *

lib/network/kmip/Client.js

@@ -0,0 +1,579 @@
+'use strict'; // eslint-disable-line
+/* eslint new-cap: "off" */
+
+const async = require('async');
+
+const errors = require('../../errors');
+const TTLVCodec = require('./codec/ttlv.js');
+const TlsTransport = require('./transport/tls.js');
+const KMIP = require('.');
+
+const CRYPTOGRAPHIC_OBJECT_TYPE = 'Symmetric Key';
+const CRYPTOGRAPHIC_ALGORITHM = 'AES';
+const CRYPTOGRAPHIC_CIPHER_MODE = 'CBC';
+const CRYPTOGRAPHIC_PADDING_METHOD = 'PKCS5';
+const CRYPTOGRAPHIC_LENGTH = 256;
+const CRYPTOGRAPHIC_USAGE_MASK = ['Encrypt', 'Decrypt'];
+const CRYPTOGRAPHIC_DEFAULT_IV = Buffer.alloc(16).fill(0);
+
+const searchFilter = {
+    protocolVersionMajor:
+    'Response Message/Batch Item/' +
+        'Response Payload/Protocol Version/' +
+        'Protocol Version Major',
+    protocolVersionMinor:
+    'Response Message/Batch Item/' +
+        'Response Payload/Protocol Version/' +
+        'Protocol Version Minor',
+    extensionName:
+    'Response Message/Batch Item/Response Payload' +
+        '/Extension Information/Extension Name',
+    extensionTag:
+    'Response Message/Batch Item/Response Payload' +
+        '/Extension Information/Extension Tag',
+    vendorIdentification:
+    'Response Message/Batch Item/Response Payload/Vendor Identification',
+    serverInformation:
+    'Response Message/Batch Item/Response Payload/Server Information',
+    operation:
+    'Response Message/Batch Item/Response Payload/Operation',
+    objectType:
+    'Response Message/Batch Item/Response Payload/Object Type',
+    uniqueIdentifier:
+    'Response Message/Batch Item/Response Payload/Unique Identifier',
+    data:
+    'Response Message/Batch Item/Response Payload/Data',
+};
+
+/**
+ * Normalize errors according to arsenal definitions
+ * @param {string | Error} err - an Error instance or a message string
+ * @returns {arsenal.errors} - arsenal error
+ */
+function _arsenalError(err) {
+    const messagePrefix = 'KMIP:';
+    if (typeof err === 'string') {
+        return errors.InternalError
+            .customizeDescription(`${messagePrefix} ${err}`);
+    } else if (err instanceof Error) {
+        return errors.InternalError
+            .customizeDescription(`${messagePrefix} ${err.message}`);
+    }
+    return errors.InternalError
+        .customizeDescription(`${messagePrefix} Unspecified error`);
+}
+
+
+/**
+ * Negotiate with the server the use of a recent version of the protocol and
+ * update the low level driver with this new knowledge.
+ * @param {Object} client - The Client instance
+ * @param {Object} logger - Werelog logger object
+ * @param {Function} cb - The callback triggered after the negotiation.
+ * @returns {undefined}
+ */
+function _negotiateProtocolVersion(client, logger, cb) {
+    return client.kmip.request(logger, 'Discover Versions', [
+        KMIP.Structure('Protocol Version', [
+            KMIP.Integer('Protocol Version Major', 1),
+            KMIP.Integer('Protocol Version Minor', 4),
+        ]),
+        KMIP.Structure('Protocol Version', [
+            KMIP.Integer('Protocol Version Major', 1),
+            KMIP.Integer('Protocol Version Minor', 3),
+        ]),
+        KMIP.Structure('Protocol Version', [
+            KMIP.Integer('Protocol Version Major', 1),
+            KMIP.Integer('Protocol Version Minor', 2),
+        ]),
+    ], (err, response) => {
+        if (err) {
+            const error = _arsenalError(err);
+            logger.error('KMIP::negotiateProtocolVersion',
+                         { error,
+                           vendorIdentification: client.vendorIdentification });
+            return cb(error);
+        }
+        const majorVersions =
+              response.lookup(searchFilter.protocolVersionMajor);
+        const minorVersions =
+              response.lookup(searchFilter.protocolVersionMinor);
+        if (majorVersions.length === 0 ||
+            majorVersions.length !== minorVersions.length) {
+            const error = _arsenalError('No suitable protocol version');
+            logger.error('KMIP::negotiateProtocolVersion',
+                         { error,
+                           vendorIdentification: client.vendorIdentification });
+            return cb(error);
+        }
+        client.kmip.changeProtocolVersion(majorVersions[0], minorVersions[0]);
+        return cb();
+    });
+}
+
+/**
+ * Obtain from the server the various extensions defined by the vendor
+ * and update the low level driver with this new knowledge.
+ * @param {Object} client - The Client instance
+ * @param {Object} logger - Werelog logger object
+ * @param {Function} cb - The callback triggered after the extension mapping
+ * @returns {undefined}
+ */
+function _mapExtensions(client, logger, cb) {
+    return client.kmip.request(logger, 'Query', [
+        KMIP.Enumeration('Query Function', 'Query Extension Map'),
+    ], (err, response) => {
+        if (err) {
+            const error = _arsenalError(err);
+            logger.error('KMIP::mapExtensions',
+                         { error,
+                           vendorIdentification: client.vendorIdentification });
+            return cb(error);
+        }
+        const extensionNames = response.lookup(searchFilter.extensionName);
+        const extensionTags = response.lookup(searchFilter.extensionTag);
+        if (extensionNames.length !== extensionTags.length) {
+            const error = _arsenalError('Inconsistent extension list');
+            logger.error('KMIP::mapExtensions',
+                         { error,
+                           vendorIdentification: client.vendorIdentification });
+            return cb(error);
+        }
+        extensionNames.forEach((extensionName, idx) => {
+            client.kmip.mapExtension(extensionName, extensionTags[idx]);
+        });
+        return cb();
+    });
+}
+
+/**
+ * Query the Server information and identify its vendor
+ * @param {Object} client - The Client instance
+ * @param {Object} logger - Werelog logger object
+ * @param {Function} cb - The callback triggered after the information discovery
+ * @returns {undefined}
+ */
+function _queryServerInformation(client, logger, cb) {
+    client.kmip.request(logger, 'Query', [
+        KMIP.Enumeration('Query Function', 'Query Server Information'),
+    ], (err, response) => {
+        if (err) {
+            const error = _arsenalError(err);
+            logger.warn('KMIP::queryServerInformation',
+                        { error });
+            /* no error returned, caller can keep going */
+            return cb();
+        }
+        client._setVendorIdentification(
+            response.lookup(searchFilter.vendorIdentification)[0]);
+        client._setServerInformation(
+            JSON.stringify(response.lookup(searchFilter.serverInformation)[0]));
+
+        logger.info('KMIP Server identified',
+                    { vendorIdentification: client.vendorIdentification,
+                      serverInformation: client.serverInformation,
+                      negotiatedProtocolVersion: client.kmip.protocolVersion });
+        return cb();
+    });
+}
+
+/**
+ * Query the Server for the supported operations and managed object types.
+ * The fact that a server doesn't announce the support for a required feature
+ * is not a show stopper because some vendor support more or less what they
+ * announce. If a subsequent request fails, this information can be used to
+ * figure out the reason for the failure.
+ * @param {Object} client - The Client instance
+ * @param {Object} logger - Werelog logger object
+ * @param {Function} cb - The callback triggered after the information discovery
+ * @returns {undefined}
+ */
+function _queryOperationsAndObjects(client, logger, cb) {
+    return client.kmip.request(logger, 'Query', [
+        KMIP.Enumeration('Query Function', 'Query Operations'),
+        KMIP.Enumeration('Query Function', 'Query Objects'),
+    ], (err, response) => {
+        if (err) {
+            const error = _arsenalError(err);
+            logger.error('KMIP::queryOperationsAndObjects',
+                         { error,
+                           vendorIdentification: client.vendorIdentification });
+            return cb(error);
+        }
+        const supportedOperations = response.lookup(searchFilter.operation);
+        const supportedObjectTypes = response.lookup(searchFilter.objectType);
+        const supportsEncrypt = supportedOperations.includes('Encrypt');
+        const supportsDecrypt = supportedOperations.includes('Decrypt');
+        const supportsActivate = supportedOperations.includes('Activate');
+        const supportsRevoke = supportedOperations.includes('Revoke');
+        const supportsCreate = supportedOperations.includes('Create');
+        const supportsDestroy = supportedOperations.includes('Destroy');
+        const supportsQuery = supportedOperations.includes('Query');
+        const supportsSymmetricKeys =
+              supportedObjectTypes.includes('Symmetric Key');
+        if (!supportsEncrypt || !supportsDecrypt ||
+            !supportsActivate || !supportsRevoke ||
+            !supportsCreate || !supportsDestroy ||
+            !supportsQuery || !supportsSymmetricKeys) {
+            /* This should not be considered as an error since some vendors
+             * are not consistent between what they really support and what
+             * they announce to support.
+             */
+            logger.warn('KMIP::queryOperationsAndObjects: ' +
+                        'The KMIP Server announces that it ' +
+                        'does not support all of the required features',
+                        { vendorIdentification: client.vendorIdentification,
+                          serverInformation: client.serverInformation,
+                          supportsEncrypt, supportsDecrypt,
+                          supportsActivate, supportsRevoke,
+                          supportsCreate, supportsDestroy,
+                          supportsQuery, supportsSymmetricKeys });
+        } else {
+            logger.info('KMIP Server provides the necessary feature set',
+                        { vendorIdentification: client.vendorIdentification });
+        }
+        return cb();
+    });
+}
+
+
+class Client {
+    /**
+     * Construct a high level KMIP driver suitable for cloudserver
+     * @param {Object} options - Instance options
+     * @param {Object} options.kmip - Low level driver options
+     * @param {Object} options.kmip.client - This high level driver options
+     * @param {Object} options.kmip.client.compoundCreateActivate -
+     *                 Depends on the server's ability. False offers the best
+     *                 compatibility. True does not offer a significant
+     *                 performance gain, but can be useful in case of unreliable
+     *                 time synchronization between the client and the server.
+     * @param {Object} options.kmip.client.bucketNameAttributeName -
+     *                 Depends on the server's ability. Not specifying this
+     *                 offers the best compatibility and disable the attachement
+     *                 of the bucket name as a key attribute.
+     * @param {Object} options.kmip.codec - KMIP Codec options
+     * @param {Object} options.kmip.transport - KMIP Transport options
+     * @param {Class} CodecClass - diversion for the Codec class,
+     *                             defaults to TTLVCodec
+     * @param {Class} TransportClass - diversion for the Transport class,
+     *                                 defaults to TlsTransport
+     */
+    constructor(options, CodecClass, TransportClass) {
+        this.options = options.kmip.client || {};
+        this.vendorIdentification = '';
+        this.serverInformation = [];
+        this.kmip = new KMIP(CodecClass || TTLVCodec,
+                             TransportClass || TlsTransport,
+                             options);
+        this.kmip.registerHandshakeFunction((logger, cb) => {
+            this._kmipHandshake(logger, cb);
+        });
+    }
+
+    /**
+     * Update this client with the vendor identification of the server
+     * @param {String} vendorIdentification - Vendor identification string
+     * @returns {undefined}
+     */
+    _setVendorIdentification(vendorIdentification) {
+        this.vendorIdentification = vendorIdentification;
+    }
+
+    /**
+     * Update this client with the information about the server
+     * @param {Object} serverInformation - Server information object
+     * @returns {undefined}
+     */
+    _setServerInformation(serverInformation) {
+        this.serverInformation = serverInformation;
+    }
+
+    /**
+     * Perform the KMIP level handshake with the server
+     * @param {Object} logger - Werelog logger object
+     * @param {Function} cb - Callback to be triggered at the end of the
+     *                        handshake. cb(err: Error)
+     * @returns {undefined}
+     */
+    _kmipHandshake(logger, cb) {
+        return async.waterfall([
+            next => _negotiateProtocolVersion(this, logger, next),
+            next => _mapExtensions(this, logger, next),
+            next => _queryServerInformation(this, logger, next),
+            next => _queryOperationsAndObjects(this, logger, next),
+        ], cb);
+    }
+
+
+    /**
+     * Activate a cryptographic key managed by the server,
+     * for a specific bucket. This is a required action to perform after
+     * the key creation.
+     * @param {string} keyIdentifier - The bucket key Id
+     * @param {object} logger - Werelog logger object
+     * @param {function} cb - The callback(err: Error)
+     * @returns {undefined}
+     */
+    _activateBucketKey(keyIdentifier, logger, cb) {
+        return this.kmip.request(logger, 'Activate', [
+            KMIP.TextString('Unique Identifier', keyIdentifier),
+        ], (err, response) => {
+            if (err) {
+                const error = _arsenalError(err);
+                logger.error('KMIP::_activateBucketKey',
+                             { error,
+                               serverInformation: this.serverInformation });
+                return cb(error);
+            }
+            const uniqueIdentifier =
+                  response.lookup(searchFilter.uniqueIdentifier)[0];
+            if (uniqueIdentifier !== keyIdentifier) {
+                const error = _arsenalError(
+                    'Server did not return the expected identifier');
+                logger.error('KMIP::cipherDataKey',
+                             { error, uniqueIdentifier });
+                return cb(error);
+            }
+            return cb(null, keyIdentifier);
+        });
+    }
+
+    /**
+     * Create a new cryptographic key managed by the server,
+     * for a specific bucket
+     * @param {string} bucketName - The bucket name
+     * @param {object} logger - Werelog logger object
+     * @param {function} cb - The callback(err: Error, bucketKeyId: String)
+     * @returns {undefined}
+     */
+    createBucketKey(bucketName, logger, cb) {
+        const attributes = [];
+        if (!!this.options.bucketNameAttributeName) {
+            attributes.push(KMIP.Attribute('TextString',
+                                           this.options.bucketNameAttributeName,
+                                           bucketName));
+        }
+        attributes.push(...[
+            KMIP.Attribute('Enumeration', 'Cryptographic Algorithm',
+                           CRYPTOGRAPHIC_ALGORITHM),
+            KMIP.Attribute('Integer', 'Cryptographic Length',
+                           CRYPTOGRAPHIC_LENGTH),
+            KMIP.Attribute('Integer', 'Cryptographic Usage Mask',
+                           this.kmip.encodeMask('Cryptographic Usage Mask',
+                                                CRYPTOGRAPHIC_USAGE_MASK))]);
+        if (this.options.compoundCreateActivate) {
+            attributes.push(KMIP.Attribute('Date-Time', 'Activation Date',
+                                           new Date(Date.UTC())));
+        }
+
+        return this.kmip.request(logger, 'Create', [
+            KMIP.Enumeration('Object Type', CRYPTOGRAPHIC_OBJECT_TYPE),
+            KMIP.Structure('Template-Attribute', attributes),
+        ], (err, response) => {
+            if (err) {
+                const error = _arsenalError(err);
+                logger.error('KMIP::createBucketKey',
+                             { error,
+                               serverInformation: this.serverInformation });
+                return cb(error);
+            }
+            const createdObjectType =
+                  response.lookup(searchFilter.objectType)[0];
+            const uniqueIdentifier =
+                  response.lookup(searchFilter.uniqueIdentifier)[0];
+            if (createdObjectType !== CRYPTOGRAPHIC_OBJECT_TYPE) {
+                const error = _arsenalError(
+                    'Server created an object of wrong type');
+                logger.error('KMIP::createBucketKey',
+                             { error, createdObjectType });
+                return cb(error);
+            }
+            if (!this.options.compoundCreateActivate) {
+                return this._activateBucketKey(uniqueIdentifier, logger, cb);
+            }
+            return cb(null, uniqueIdentifier);
+        });
+    }
+
+    /**
+     * Revoke a cryptographic key managed by the server, for a specific bucket.
+     * This is a required action to perform before being able to destroy the
+     * managed key.
+     * @param {string} bucketKeyId - The bucket key Id
+     * @param {object} logger - Werelog logger object
+     * @param {function} cb - The callback(err: Error)
+     * @returns {undefined}
+     */
+    _revokeBucketKey(bucketKeyId, logger, cb) {
+        // maybe revoke first
+        return this.kmip.request(logger, 'Revoke', [
+            KMIP.TextString('Unique Identifier', bucketKeyId),
+            KMIP.Structure('Revocation Reason', [
+                KMIP.Enumeration('Revocation Reason Code',
+                                 'Cessation of Operation'),
+                KMIP.TextString('Revocation Message',
+                                'About to be deleted'),
+            ]),
+        ], (err, response) => {
+            if (err) {
+                const error = _arsenalError(err);
+                logger.error('KMIP::_revokeBucketKey',
+                             { error,
+                               serverInformation: this.serverInformation });
+                return cb(error);
+            }
+            const uniqueIdentifier =
+                  response.lookup(searchFilter.uniqueIdentifier)[0];
+            if (uniqueIdentifier !== bucketKeyId) {
+                const error = _arsenalError(
+                    'Server did not return the expected identifier');
+                logger.error('KMIP::_revokeBucketKey',
+                             { error, uniqueIdentifier });
+                return cb(error);
+            }
+            return cb();
+        });
+    }
+
+    /**
+     * Destroy a cryptographic key managed by the server, for a specific bucket.
+     * @param {string} bucketKeyId - The bucket key Id
+     * @param {object} logger - Werelog logger object
+     * @param {function} cb - The callback(err: Error)
+     * @returns {undefined}
+     */
+    destroyBucketKey(bucketKeyId, logger, cb) {
+        return this._revokeBucketKey(bucketKeyId, logger, err => {
+            if (err) {
+                const error = _arsenalError(err);
+                logger.error('KMIP::destroyBucketKey: revocation failed',
+                             { error,
+                               serverInformation: this.serverInformation });
+                return cb(error);
+            }
+            return this.kmip.request(logger, 'Destroy', [
+                KMIP.TextString('Unique Identifier', bucketKeyId),
+            ], (err, response) => {
+                if (err) {
+                    const error = _arsenalError(err);
+                    logger.error('KMIP::destroyBucketKey',
+                                 { error,
+                                   serverInformation: this.serverInformation });
+                    return cb(error);
+                }
+                const uniqueIdentifier =
+                      response.lookup(searchFilter.uniqueIdentifier)[0];
+                if (uniqueIdentifier !== bucketKeyId) {
+                    const error = _arsenalError(
+                        'Server did not return the expected identifier');
+                    logger.error('KMIP::destroyBucketKey',
+                                 { error, uniqueIdentifier });
+                    return cb(error);
+                }
+                return cb();
+            });
+        });
+    }
+
+    /**
+     *
+     * @param {number} cryptoScheme - crypto scheme version number
+     * @param {string} masterKeyId - key to retrieve master key
+     * @param {buffer} plainTextDataKey - data key
+     * @param {object} logger - werelog logger object
+     * @param {function} cb - callback
+     * @returns {undefined}
+     * @callback called with (err, cipheredDataKey: Buffer)
+     */
+    cipherDataKey(cryptoScheme,
+                  masterKeyId,
+                  plainTextDataKey,
+                  logger,
+                  cb) {
+        return this.kmip.request(logger, 'Encrypt', [
+            KMIP.TextString('Unique Identifier', masterKeyId),
+            KMIP.Structure('Cryptographic Parameters', [
+                KMIP.Enumeration('Block Cipher Mode',
+                                CRYPTOGRAPHIC_CIPHER_MODE),
+                KMIP.Enumeration('Padding Method',
+                                CRYPTOGRAPHIC_PADDING_METHOD),
+                KMIP.Enumeration('Cryptographic Algorithm',
+                               CRYPTOGRAPHIC_ALGORITHM),
+            ]),
+            KMIP.ByteString('Data', plainTextDataKey),
+            KMIP.ByteString('IV/Counter/Nonce', CRYPTOGRAPHIC_DEFAULT_IV),
+        ], (err, response) => {
+            if (err) {
+                const error = _arsenalError(err);
+                logger.error('KMIP::cipherDataKey',
+                             { error,
+                               serverInformation: this.serverInformation });
+                return cb(error);
+            }
+            const uniqueIdentifier =
+                  response.lookup(searchFilter.uniqueIdentifier)[0];
+            const data = response.lookup(searchFilter.data)[0];
+            if (uniqueIdentifier !== masterKeyId) {
+                const error = _arsenalError(
+                    'Server did not return the expected identifier');
+                logger.error('KMIP::cipherDataKey',
+                             { error, uniqueIdentifier });
+                return cb(error);
+            }
+            return cb(null, data);
+        });
+    }
+
+    /**
+     *
+     * @param {number} cryptoScheme - crypto scheme version number
+     * @param {string} masterKeyId - key to retrieve master key
+     * @param {buffer} cipheredDataKey - data key
+     * @param {object} logger - werelog logger object
+     * @param {function} cb - callback
+     * @returns {undefined}
+     * @callback called with (err, plainTextDataKey: Buffer)
+     */
+    decipherDataKey(cryptoScheme,
+                    masterKeyId,
+                    cipheredDataKey,
+                    logger,
+                    cb) {
+        return this.kmip.request(logger, 'Decrypt', [
+            KMIP.TextString('Unique Identifier', masterKeyId),
+            KMIP.Structure('Cryptographic Parameters', [
+                KMIP.Enumeration('Block Cipher Mode',
+                                CRYPTOGRAPHIC_CIPHER_MODE),
+                KMIP.Enumeration('Padding Method',
+                                 CRYPTOGRAPHIC_PADDING_METHOD),
+                KMIP.Enumeration('Cryptographic Algorithm',
+                                 CRYPTOGRAPHIC_ALGORITHM),
+            ]),
+            KMIP.ByteString('Data', cipheredDataKey),
+            KMIP.ByteString('IV/Counter/Nonce', CRYPTOGRAPHIC_DEFAULT_IV),
+        ], (err, response) => {
+            if (err) {
+                const error = _arsenalError(err);
+                logger.error('KMIP::decipherDataKey',
+                             { error,
+                               serverInformation: this.serverInformation });
+                return cb(error);
+            }
+            const uniqueIdentifier =
+                  response.lookup(searchFilter.uniqueIdentifier)[0];
+            const data = response.lookup(searchFilter.data)[0];
+            if (uniqueIdentifier !== masterKeyId) {
+                const error = _arsenalError(
+                    'Server did not return the right identifier');
+                logger.error('KMIP::decipherDataKey',
+                             { error, uniqueIdentifier });
+                return cb(error);
+            }
+            return cb(null, data);
+        });
+    }
+
+}
+
+module.exports = Client;

lib/network/kmip/Message.js

@@ -0,0 +1,54 @@
+'use strict'; // eslint-disable-line
+
+const assert = require('assert');
+
+
+function _lookup(decodedTTLV, path) {
+    const xpath = path.split('/').filter(word => word.length > 0);
+    const canonicalPath = xpath.join('/');
+    const obj = decodedTTLV;
+    let res = [];
+    assert(Array.isArray(obj));
+    for (let current = xpath.shift(); current; current = xpath.shift()) {
+        for (let i = 0; i < obj.length; ++i) {
+            const cell = obj[i];
+            if (cell[current]) {
+                if (xpath.length === 0) {
+                    /* Skip if the search path has not been
+                     * completely consumed yet */
+                    res.push(cell[current].value);
+                } else {
+                    const subPath = xpath.join('/');
+                    assert(current.length + 1 + subPath.length ===
+                           canonicalPath.length);
+                    const intermediate =
+                          _lookup(cell[current].value, subPath);
+                    res = res.concat(intermediate);
+                }
+            }
+        }
+    }
+    return res;
+}
+
+class Message {
+    /**
+     * Construct a new abstract Message
+     * @param {Object} content - the content  of the message
+     */
+    constructor(content) {
+        this.content = content;
+    }
+
+    /**
+     * Lookup the values corresponding to the provided path
+     * @param {String} path - the path in the hierarchy of the values
+     *                        of interest
+     * @return {Object} - an array of the values matching the provided path
+     */
+    lookup(path) {
+        return _lookup(this.content, path);
+    }
+}
+
+module.exports = Message;

lib/network/kmip/README.md

@@ -0,0 +1,105 @@
+# KMIP
+
+Key Management Interoperability Protocol
+
+## Preliminary usage example
+
+```javascript
+const {
+    kmipServerHostName,
+    clientKey,
+    clientCert,
+    serverCert,
+    rootCa
+} = require('./myconfiguration.js');
+
+const assert = require('assert');
+const fs = require('fs');
+const tls = require('tls');
+const werelogs = require('werelogs');
+const KMIP = require('arsenal').network.kmip;
+
+const logger = new werelogs.Logger('kmiptest');
+const kmip = new KMIP;
+const options = {
+    host: kmipServerHostName,
+    key: fs.readFileSync(clientKey),
+    cert: fs.readFileSync(clientCert),
+    ca: [ fs.readFileSync(serverCert),
+          fs.readFileSync(rootCa), ],
+    checkServerIdentity: console.log,
+};
+
+const message = KMIP.Message([
+    KMIP.Structure('Request Message', [
+        KMIP.Structure('Request Header', [
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 1),
+                KMIP.Integer('Protocol Version Minor', 3),
+            ]),
+            KMIP.Integer('Maximum Response Size', 3456),
+            KMIP.Integer('Batch Count', 1),
+        ]),
+        KMIP.Structure('Batch Item', [
+            KMIP.Enumeration('Operation', 'Query'),
+            KMIP.Structure('Request Payload', [
+                KMIP.Enumeration('Query Function', 'Query Operations'),
+                KMIP.Enumeration('Query Function', 'Query Objects'),
+                KMIP.Enumeration('Query Function', 'Query Server Information'),
+                KMIP.Enumeration('Query Function', 'Query Extension Map'),
+            ]),
+        ]),
+    ])
+]);
+
+const encodedMessage = kmip.encodeMessage(logger, message);
+
+const socket = tls.connect(5696, options, () => {
+    socket.write(encodedMessage);
+});
+
+socket.on('data', (data) => {
+    const decodedMessage = kmip.decodeMessage(logger, data);
+    const summary = {
+        major: decodedMessage.lookup(
+            'Response Message/Response Header/' +
+                'Protocol Version/Protocol Version Major')[0],
+        minor: decodedMessage.lookup(
+            'Response Message/Response Header/' +
+                'Protocol Version/Protocol Version Minor')[0],
+        supportedOperations: decodedMessage.lookup(
+            'Response Message/Batch Item/Response Payload/Operation'),
+        supportedObjectTypes: decodedMessage.lookup(
+            'Response Message/Batch Item/Response Payload/Object Type'),
+        serverInformation: decodedMessage.lookup(
+            'Response Message/Batch Item/Response Payload/Server Information'),
+    };
+
+    console.log(JSON.stringify(summary));
+    //console.log(JSON.stringify(decodedMessage.content));
+    //console.log(data.toString('hex'));
+
+    const protocolVersionMajor =
+        decodedMessage.lookup('Response Message/Response Header/' +
+                              'Protocol Version/Protocol Version Major');
+    const protocolVersionMinor =
+        decodedMessage.lookup('Response Message/Response Header/' +
+                              'Protocol Version/Protocol Version Minor');
+
+    assert(summary.supportedOperations.includes('Encrypt'));
+    assert(summary.supportedOperations.includes('Decrypt'));
+    assert(summary.supportedOperations.includes('Create'));
+    assert(summary.supportedOperations.includes('Destroy'));
+    assert(summary.supportedOperations.includes('Query'));
+    assert(summary.supportedObjectTypes.includes('Symmetric Key'));
+    assert(protocolVersionMajor[0] >= 2 ||
+           (protocolVersionMajor[0] === 1 &&
+            protocolVersionMinor[0] >= 2));
+
+    socket.end();
+});
+
+socket.on('end', () => {
+    console.log('server ends connection');
+});
+```

lib/network/kmip/codec/README.md

@@ -0,0 +1,367 @@
+# KMIP codecs
+
+The KMIP protocol is based on the exchange of structured messages between a
+client and a server.
+
+About the structure of the messages:
+
+* It is composed of fields and nested fields
+* It varies depending on the context of the request and who emits the message.
+* It follows the same encoding rules for both the client and the server
+* The set of primitive types is the cornerstone of the protocol, the structure
+  description is contained within the messages along with the actual payload.
+* The set of defined tags is the keystone of the protocol. It permits to
+  attribute a meaning to the fields of a structured message.
+
+The role of the codec is twofold.
+
+* To decode a message from a particular encoding, to an abstract
+  representation of the KMIP structured messages.
+* To encode a message from its abstract representation to the particular
+  encoding.
+
+The codecs are not responsible for sending the messages on the wire.
+This task is devoted to the transport layer.
+
+## Abstract representation
+
+The primitive data types defined by the protocol are represented internally
+as data structures following the form
+
+```javascript
+    const abstractKmipField = {
+        [tagName]: {
+            type,
+            value
+        }
+    };
+```
+
+The tag name `tagName` is a string. It is decoded from the tag value
+using the KMIP nomenclature and identify the meaning of the field in the message.
+
+The type name `type` is a string and is one of the primitive types
+defined by the KMIP protocol. This element of a field also implicitly carries
+the information of length for fixed size data types.
+
+The value `value` is decoded from the payload of the KMIP field. This
+element carries the length information for varying data types.
+
+## Constructing an abstract Message
+
+```javascript
+    const msg = KMIP.Message(content);
+```
+
+The static method `KMIP.Message` instantiates an object of the class
+`Message`. Message objects wrap the content of the message without
+alteration and offer a `lookup` method to search the message for
+named fields.
+
+### Structure
+
+```javascript
+    const field =
+        KMIP.Structure('Request Header', [
+            field_1,
+            ...,
+            field_n,
+        ]);
+    console.log(field);
+    {
+        'Request Header': {
+            type: 'Structure',
+            value: [
+                field_1,
+                ...,
+                field_n
+            ]
+        }
+    }
+```
+
+Fields in the array parameter must be provided in the order defined by the
+specification for the considered structure name.
+
+### Integer
+
+```javascript
+    const field = KMIP.Integer('Protocol Version Minor', 3);
+    console.log(field);
+    {
+        'Protocol Version Minor': {
+            type: "Integer",
+            value: 3
+        }
+    }
+```
+
+Integers are encoded as four-byte long (32 bit) binary signed numbers in 2's
+complement notation, transmitted big-endian.
+
+### LongInteger
+
+```javascript
+    const field = KMIP.LongInteger('Usage Limits Total', 10 ** 42);
+    console.log(field);
+    {
+        'Usage Limits Total': {
+            type: 'LongInteger',
+            value: 1e+42
+        }
+    }
+```
+
+Long Integers are encoded as eight-byte long (64 bit) binary signed numbers in
+2's complement notation, transmitted big-endian.
+
+Due to an accuracy limitation of number representation, `LongInteger` values
+cannot exceed 2^53. It's expected from the codec to throw an error when
+attempting to transcode a LongInteger greater than this value.
+
+### BigInteger
+
+```javascript
+    const field = KMIP.BigInteger('Usage Limits Total', value);
+    console.log(field);
+    {
+        'Usage Limits Total': {
+            type: 'LongInteger',
+            value: <Buffer ab cd ef ...>
+        }
+    }
+```
+
+Big Integers are encoded as a sequence of eight-bit bytes, in two's complement
+notation, transmitted big-endian. If the length of the sequence is not a
+multiple of eight bytes, then Big Integers SHALL be padded with the minimal
+number of leading sign-extended bytes to make the length a multiple of eight
+bytes. These padding bytes are part of the Item Value and SHALL be counted in
+the Item Length.
+
+### Enumeration
+
+```javascript
+    const field = KMIP.Enumeration('Operation', 'Discover Versions');
+    console.log(field);
+    {
+        'Operation': {
+            type: 'Enumeration',
+            value: 'Discover Versions'
+        }
+    }
+```
+
+### Boolean
+
+```javascript
+    const field = KMIP.Boolean('Asynchronous Indicator', false);
+    console.log(field);
+    {
+        'Asynchronous Indicator': {
+            type: 'Boolean',
+            value: false
+        }
+    }
+```
+
+### TextString
+
+```javascript
+    const field = KMIP.TextString('Username', 'alice');
+    console.log(field);
+    {
+        'Username': {
+            type: 'TextString',
+            value: 'alice'
+        }
+    }
+```
+
+Text Strings are sequences of bytes that encode character values according to
+the UTF-8 encoding standard. There SHALL NOT be null-termination at the end of
+such strings.
+
+### ByteString
+
+```javascript
+    const field = KMIP.ByteString('Asynchronous Correlation Value', buffer);
+    console.log(field);
+    {
+        'Username': {
+            type: 'ByteString',
+            value: <Buffer ab cd ef ...>
+        }
+    }
+```
+
+Byte Strings are sequences of bytes containing individual unspecified eight-bit
+binary values, and are interpreted in the same sequence order.
+
+### DateTime
+
+```javascript
+    const field = KMIP.DateTime('Activation Date', new Date);
+    console.log(field);
+    {
+        'Username': {
+            type: 'ByteString',
+            value: <Date 2019-01-10T20:41:36.914Z>
+        }
+    }
+```
+
+DateTime takes a Date object as its second parameter. The millisecond part of
+the date is silently discarded and not sent through the Network.
+
+For this particular example, the 'Activation Date' tag is used for illustration
+purpose. This is not the appropriate way to instanciate this attribute value and
+the special function `KMIP.Attribute` must be used instead of `KMIP.DateTime`.
+
+### Interval
+
+```javascript
+    const field = KMIP.Interval('Lease Time', 42);
+    console.log(field);
+    {
+        'Lease Time': {
+            type: "Interval",
+            value: 42
+        }
+    }
+```
+
+Intervals are encoded as four-byte long (32 bit) binary unsigned numbers,
+transmitted big-endian. They have a resolution of one second.
+
+### Special types
+
+#### Bit Mask
+
+Bit masks are encoded using the `Integer` primitive type relative to an instance
+of the KMIP class (e.g. `encodeMask` and `decodemask` are not static class
+function but regular methods).
+
+```javascript
+    const kmip = new KMIP;
+    const mask = ['Encrypt', 'Decrypt'];
+    const bitMask = kmip.encodeMask('Cryptographic Usage Mask', mask);
+    const decodedMask = kmip.decodeMask('Cryptographic Usage Mask', bitMask);
+    assert.deepStrictEqual(decodedMask, mask);
+    assert(bitMask === 12);
+```
+
+#### Attribute
+
+Attribute names and values are managed in a way that deviates from the general
+rule. Particularly when it comes associate the value of an enumeration to its
+tag. In the nominal form, the value of an enumeration in a field is retrieved
+from the tag of this field. For the case of an Attribute, the tag of the
+enumeration is referenced in the `Attribute Name` as a `TextString` and the
+encoded enumeration value is stored in the `Attribute value`, hence
+disconnecting the value from its tag.
+
+```javascript
+    const cryptographicAlgorithm =
+        KMIP.Attribute('Enumeration', 'Cryptographic Algorithm', 'AES'),
+    const requestPayload =
+        KMIP.Structure('Request Payload', [
+            KMIP.Enumeration('Object Type', 'Symmetric Key'),
+            KMIP.Structure('Template-Attribute', [
+                KMIP.Attribute('TextString', 'x-Name', 's3-thekey'),
+                cryptographicAlgorithm,
+                KMIP.Attribute('Integer', 'Cryptographic Length', 256),
+                KMIP.Attribute('Integer', 'Cryptographic Usage Mask',
+                               kmip.encodeMask('Cryptographic Usage Mask',
+                                               ['Encrypt', 'Decrypt'])),
+                KMIP.Attribute('Date-Time', 'Activation Date', new Date),
+            ]),
+        ]);
+    console.log(cryptographicAlgorithm);
+    {
+        'Attribute': {
+            type: 'Structure',
+            value: [
+                {
+                    'Attribute Name': {
+                        type: 'TextString',
+                        value: 'Cryptographic Algorithm'
+                    }
+                },
+                {
+                    'Attribute Value': {
+                        type: 'Enumeration'
+                        value: 'AES',
+                        diversion: 'Cryptographic Algorithm'
+                    }
+                }
+            ]
+        }
+    }
+```
+
+The `diversion` attribute in the `Attribute Value` structure is used by the
+codec to identify the `Enumeration` the value relates to.
+
+## Codec Interface
+
+```javascript
+class MyCodec {
+    /**
+     * Construct a new instance of the codec
+     */
+    constructor() {}
+
+    /**
+     * Encode a bitmask
+     * @param {String} tagName - name of the bit mask defining tag
+     * @param {Array of Strings} value - array of named bits to set in the mask
+     * @return {Integer} Integer encoded bitmask
+     */
+    encodeMask(tagName, value) {}
+
+    /**
+     * Decode a bitmask
+     * @param {string} tagName - name of the bit mask defining tag
+     * @param {Integer} givenMask - bit mask to decode
+     * @return {Array of Strings} array of named bits set in the given bit mask
+     */
+    decodeMask(tagName, givenMask) {}
+
+    /**
+     * Encode an abstract message
+     * @param {Object} message - Instance of a KMIP.Message
+     * @return {Buffer} the encoded message suitable for the transport layer
+     */
+    encode(message) {}
+
+    /**
+     * Decode a raw message, usually received from the transport layer
+     * @param {Object} logger - a Logger instance
+     * @param {Buffer} rawMessage - the message to decode
+     * @return {Object} the decoded message as an instance of KMIP.Message
+     */
+    decode(logger, rawMessage) {}
+
+    /**
+     * Amend the tag nomenclature with a vendor specific extension
+     * @param {String} tagName - Name of the tag to record
+     * @param {Integer} tagValue - Tag value represented as an integer
+     */
+    mapExtension(tagName, tagValue) {}
+}
+```
+
+## Encoding specification links
+
+### TTLV Encoding Baseline Profile
+
+[TTLV Encoding Specification](http://docs.oasis-open.org/kmip/spec/v1.4/os/kmip-spec-v1.4-os.html#_Toc490660911)
+
+### XML Encoding Profile
+
+[XML Encoding Profile Specification](http://docs.oasis-open.org/kmip/profiles/v1.4/csprd01/kmip-profiles-v1.4-csprd01.html#_Toc479342078)
+
+### JSON Encoding Profile
+
+[JSON Encoding Profile Specification](http://docs.oasis-open.org/kmip/profiles/v1.4/csprd01/kmip-profiles-v1.4-csprd01.html#_Toc479342090)

lib/network/kmip/codec/ttlv.js

@@ -0,0 +1,434 @@
+'use strict'; // eslint-disable-line
+/* eslint dot-notation: "off" */
+
+const KMIPTags = require('../tags.json');
+const KMIPMessage = require('../Message.js');
+
+const UINT32_MAX = Math.pow(2, 32);
+
+function _ttlvPadVector(vec) {
+    let length = 0;
+    vec.forEach(buf => {
+        if (!(buf instanceof Buffer)) {
+            throw Error('Not a Buffer');
+        }
+        length += buf.length;
+    });
+    const paddingLength = (Math.ceil(length / 8) * 8) - length;
+    if (paddingLength > 0) {
+        vec.push(Buffer.alloc(paddingLength).fill(0));
+    }
+    return vec;
+}
+
+function _throwError(logger, msg, data) {
+    logger.error(msg, data);
+    throw Error(msg);
+}
+
+function TTLVCodec() {
+    if (!new.target) {
+        return new TTLVCodec();
+    }
+
+    const TagDecoder = JSON.parse(JSON.stringify(KMIPTags));
+    const TagEncoder = {};
+
+    const TypeDecoder = {};
+    const TypeEncoder = {};
+
+    const PrimitiveTypes = {
+        '01': {
+            name: 'Structure',
+            decode: (logger, unusedTag, value) => {
+                const funcName = 'Structure::decode';
+                const length = value.length;
+                let i = 0;
+                const result = [];
+                let diversion = null;
+                while (i < length) {
+                    const element = {};
+                    const elementTag = value.slice(i, i + 3).toString('hex');
+                    const elementType =
+                          value.slice(i + 3, i + 4).toString('hex');
+                    const elementLength = value.readUInt32BE(i + 4);
+                    const property = {};
+                    if (!TypeDecoder[elementType]) {
+                        _throwError(logger,
+                                    'Unknown element type',
+                                    { funcName, elementTag, elementType });
+                    }
+                    const elementValue = value.slice(i + 8,
+                                                   i + 8 + elementLength);
+                    if (elementValue.length !== elementLength) {
+                        _throwError(logger, 'BUG: Wrong buffer size',
+                                    { funcName, elementLength,
+                                      bufferLength: elementValue.length });
+                    }
+                    property.type = TypeDecoder[elementType].name;
+                    property.value = TypeDecoder[elementType]
+                        .decode(logger, elementTag, elementValue, diversion);
+                    if (diversion) {
+                        property.diversion = diversion;
+                        diversion = null;
+                    }
+                    const tagInfo = TagDecoder[elementTag];
+                    if (!tagInfo) {
+                        logger.debug('Unknown element tag',
+                                     { funcName, elementTag });
+                        property.tag = elementTag;
+                        element['Unknown Tag'] = property;
+                    } else {
+                        element[tagInfo.name] = property;
+                        if (tagInfo.name === 'Attribute Name') {
+                            if (property.type !== 'TextString') {
+                                _throwError(logger,
+                                            'Invalide type',
+                                            { funcName, type: property.type });
+                            }
+                            diversion = property.value;
+                        }
+                    }
+                    i += Math.ceil((8 + elementLength) / 8.0) * 8;
+                    result.push(element);
+                }
+                return result;
+            },
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type = Buffer.from(TypeEncoder['Structure'].value, 'hex');
+                const length = Buffer.alloc(4);
+                let vectorLength = 0;
+                let encodedValue = [];
+                value.forEach(item => {
+                    Object.keys(item).forEach(key => {
+                        const itemTagName = key;
+                        const itemType = item[key].type;
+                        const itemValue = item[key].value;
+                        const itemDiversion = item[key].diversion;
+                        if (!TagEncoder[itemTagName]) {
+                            throw Error(`Unknown Tag '${itemTagName}'`);
+                        }
+                        if (!TypeEncoder[itemType]) {
+                            throw Error(`Unknown Type '${itemType}'`);
+                        }
+                        const itemResult =
+                              TypeEncoder[itemType].encode(itemTagName,
+                                                           itemValue,
+                                                           itemDiversion);
+                        encodedValue = encodedValue
+                            .concat(_ttlvPadVector(itemResult));
+                    });
+                });
+                encodedValue = _ttlvPadVector(encodedValue);
+                encodedValue.forEach(buf => { vectorLength += buf.length; });
+                length.writeUInt32BE(vectorLength);
+                return _ttlvPadVector([tag, type, length, ...encodedValue]);
+            },
+        },
+        '02': {
+            name: 'Integer',
+            decode: (logger, tag, value) => {
+                const funcName = 'Integer::decode';
+                const fixedLength = 4;
+                if (fixedLength !== value.length) {
+                    _throwError(logger,
+                                'Length mismatch',
+                                { funcName, fixedLength,
+                                  bufferLength: value.length });
+                }
+                return value.readUInt32BE(0);
+            },
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type = Buffer.from(TypeEncoder['Integer'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(4);
+                const encodedValue = Buffer.alloc(4);
+                encodedValue.writeUInt32BE(value);
+                return _ttlvPadVector([tag, type, length, encodedValue]);
+            },
+        },
+        '03': {
+            name: 'LongInteger',
+            decode: (logger, tag, value) => {
+                const funcName = 'LongInteger::decode';
+                const fixedLength = 8;
+                if (fixedLength !== value.length) {
+                    _throwError(logger,
+                                'Length mismatch',
+                                { funcName, fixedLength,
+                                  bufferLength: value.length });
+                }
+                const longUInt = UINT32_MAX * value.readUInt32BE(0) +
+                      value.readUInt32BE(4);
+                if (longUInt > Number.MAX_SAFE_INTEGER) {
+                    _throwError(logger,
+                                '53-bit overflow',
+                                { funcName, longUInt });
+                }
+                return longUInt;
+            },
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type =
+                      Buffer.from(TypeEncoder['LongInteger'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(8);
+                const encodedValue = Buffer.alloc(8);
+                encodedValue.writeUInt32BE(Math.floor(value / UINT32_MAX), 0);
+                encodedValue.writeUInt32BE(value % UINT32_MAX, 4);
+                return _ttlvPadVector([tag, type, length, encodedValue]);
+            },
+        },
+        '04': {
+            name: 'BigInteger',
+            decode: (logger, tag, value) => value,
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type =
+                      Buffer.from(TypeEncoder['BigInteger'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(value.length);
+                return _ttlvPadVector([tag, type, length, value]);
+            },
+        },
+        '05': {
+            name: 'Enumeration',
+            decode: (logger, tag, value, diversion) => {
+                const funcName = 'Enumeration::decode';
+                const fixedLength = 4;
+                if (fixedLength !== value.length) {
+                    _throwError(logger,
+                                'Length mismatch',
+                                { funcName, fixedLength,
+                                  bufferLength: value.length });
+                }
+                const enumValue = value.toString('hex');
+                const actualTag = diversion ? TagEncoder[diversion].value : tag;
+                const enumInfo = TagDecoder[actualTag];
+                if (!enumInfo ||
+                    !enumInfo.enumeration ||
+                    !enumInfo.enumeration[enumValue]) {
+                    return { tag,
+                             value: enumValue,
+                             message: 'Unknown enumeration value',
+                             diversion,
+                           };
+                }
+                return enumInfo.enumeration[enumValue];
+            },
+            encode: (tagName, value, diversion) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type =
+                      Buffer.from(TypeEncoder['Enumeration'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(4);
+                const actualTag = diversion || tagName;
+                const encodedValue =
+                      Buffer.from(TagEncoder[actualTag].enumeration[value],
+                                  'hex');
+                return _ttlvPadVector([tag, type, length, encodedValue]);
+            },
+        },
+        '06': {
+            name: 'Boolean',
+            decode: (logger, tag, value) => {
+                const funcName = 'Boolean::decode';
+                const fixedLength = 8;
+                if (fixedLength !== value.length) {
+                    _throwError(logger,
+                                'Length mismatch',
+                                { funcName, fixedLength,
+                                  bufferLength: value.length });
+                }
+                const msUInt = value.readUInt32BE(0);
+                const lsUInt = value.readUInt32BE(4);
+                return !!(msUInt | lsUInt);
+            },
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type = Buffer.from(TypeEncoder['Boolean'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(8);
+                const encodedValue = Buffer.alloc(8);
+                encodedValue.writeUInt32BE(0, 0);
+                encodedValue.writeUInt32BE(value ? 1 : 0, 4);
+                return _ttlvPadVector([tag, type, length, encodedValue]);
+            },
+        },
+        '07': {
+            name: 'TextString',
+            decode: (logger, tag, value) => value.toString('utf8'),
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type =
+                      Buffer.from(TypeEncoder['TextString'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(value.length);
+                return _ttlvPadVector([tag, type, length,
+                               Buffer.from(value, 'utf8')]);
+            },
+        },
+        '08': {
+            name: 'ByteString',
+            decode: (logger, tag, value) => value,
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type =
+                      Buffer.from(TypeEncoder['ByteString'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(value.length);
+                return _ttlvPadVector([tag, type, length, value]);
+            },
+        },
+        '09': {
+            name: 'Date-Time',
+            decode: (logger, tag, value) => {
+                const funcName = 'Date-Time::decode';
+                const fixedLength = 8;
+                if (fixedLength !== value.length) {
+                    _throwError(logger,
+                                'Length mismatch',
+                                { funcName, fixedLength,
+                                  bufferLength: value.length });
+                }
+                const d = new Date(0);
+                const utcSeconds = UINT32_MAX * value.readUInt32BE(0) +
+                      value.readUInt32BE(4);
+                if (utcSeconds > Number.MAX_SAFE_INTEGER) {
+                    _throwError(logger,
+                                '53-bit overflow',
+                                { funcName, utcSeconds });
+                }
+                d.setUTCSeconds(utcSeconds);
+                return d;
+            },
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type = Buffer.from(TypeEncoder['Date-Time'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(8);
+                const encodedValue = Buffer.alloc(8);
+                const ts = value.getTime() / 1000;
+                encodedValue.writeUInt32BE(Math.floor(ts / UINT32_MAX), 0);
+                encodedValue.writeUInt32BE(ts % UINT32_MAX, 4);
+                return _ttlvPadVector([tag, type, length, encodedValue]);
+            },
+        },
+        '0a': {
+            name: 'Interval',
+            decode: (logger, tag, value) => {
+                const funcName = 'Interval::decode';
+                const fixedLength = 4;
+                if (fixedLength !== value.length) {
+                    _throwError(logger,
+                                'Length mismatch',
+                                { funcName, fixedLength,
+                                  bufferLength: value.length });
+                }
+                return value.readInt32BE(0);
+            },
+            encode: (tagName, value) => {
+                const tag = Buffer.from(TagEncoder[tagName].value, 'hex');
+                const type = Buffer.from(TypeEncoder['Interval'].value, 'hex');
+                const length = Buffer.alloc(4);
+                length.writeUInt32BE(4);
+                const encodedValue = Buffer.alloc(4);
+                encodedValue.writeUInt32BE(value);
+                return _ttlvPadVector([tag, type, length, encodedValue]);
+            },
+        },
+    };
+
+
+    /* Construct TagDecoder */
+    Object.keys(TagDecoder).forEach(key => {
+        const element = {};
+        element.value = key;
+        if (TagDecoder[key]['enumeration']) {
+            const enumeration = {};
+            Object.keys(TagDecoder[key]['enumeration']).forEach(enumValue => {
+                const enumKey = TagDecoder[key]['enumeration'][enumValue];
+                enumeration[enumKey] = enumValue;
+            });
+            element.enumeration = enumeration;
+        }
+        TagEncoder[TagDecoder[key].name] = element;
+    });
+
+
+    /* Construct TypeDecoder and TypeEncoder */
+    Object.keys(PrimitiveTypes).forEach(value => {
+        const name = PrimitiveTypes[value].name;
+        const encode = PrimitiveTypes[value].encode;
+        const decode = PrimitiveTypes[value].decode;
+        TypeDecoder[value] = { name, decode };
+        TypeEncoder[name] = { value, encode };
+    });
+
+
+    /* Public Methods Definition */
+
+    this.encodeMask = (tagName, value) => {
+        let mask = 0;
+        value.forEach(item => {
+            const enumValue = TagEncoder[tagName].enumeration[item];
+            if (!enumValue) {
+                throw Error('Invalid bit name');
+            }
+            mask |= parseInt(enumValue, 16);
+        });
+        return mask;
+    };
+
+    this.decodeMask = (tagName, givenMask) => {
+        let mask = givenMask;
+        const value = [];
+        const tag = TagEncoder[tagName].value;
+        Object.keys(TagDecoder[tag].enumeration).forEach(key => {
+            const bit = Buffer.from(key, 'hex').readUInt32BE(0);
+            if (bit & mask) {
+                mask &= ~bit;
+                value.push(TagDecoder[tag].enumeration[key]);
+            }
+        });
+        return value;
+    };
+
+    this.decode = (logger, rawMessage) => {
+        const messageContent =
+              TypeDecoder['01'].decode(logger, null, rawMessage);
+        return new KMIPMessage(messageContent);
+    };
+
+    this.encode = message => {
+        const value = message.content;
+        let result = [];
+        value.forEach(item => {
+            Object.keys(item).forEach(key => {
+                if (!TagEncoder[key]) {
+                    throw Error(`Unknown Tag '${key}'`);
+                }
+                const type = item[key].type;
+                if (!TypeEncoder[type]) {
+                    throw Error(`Unknown Type '${type}'`);
+                }
+                const itemValue = TypeEncoder[type].encode(key,
+                                                        item[key].value,
+                                                        item[key].diversion);
+                result = result.concat(_ttlvPadVector(itemValue));
+            });
+        });
+        return Buffer.concat(_ttlvPadVector(result));
+    };
+
+    this.mapExtension = (tagName, tagValue) => {
+        const tagValueStr = tagValue.toString(16);
+        TagDecoder[tagValueStr] = { name: tagName };
+        TagEncoder[tagName] = { value: tagValueStr };
+    };
+    return this;
+}
+
+module.exports = TTLVCodec;

lib/network/kmip/index.js

@@ -0,0 +1,350 @@
+'use strict'; // eslint-disable-line
+/* eslint new-cap: "off" */
+
+const uuidv4 = require('uuid/v4');
+
+const Message = require('./Message.js');
+
+/* This client requires at least a KMIP 1.2 compatible server */
+const DEFAULT_PROTOCOL_VERSION_MAJOR = 1;
+const DEFAULT_PROTOCOL_VERSION_MINOR = 2;
+/* Response is for one operation, consider raising this value if
+ * compounding ops */
+const DEFAULT_MAXIMUM_RESPONSE_SIZE = 8000;
+
+function _uniqueBatchItemID() {
+    const theUUID = Buffer.alloc(16);
+    return uuidv4(null, theUUID);
+}
+
+
+function _PrimitiveType(tagName, type, value) {
+    return { [tagName]: { type, value } };
+}
+
+class KMIP {
+    /**
+     * Construct a new KMIP Object
+     * @param {Class} Codec -
+     * @param {Class} Transport -
+     * @param {Object} options -
+     * @param {Function} cb -
+     */
+    constructor(Codec, Transport, options) {
+        this.protocolVersion = {
+            major: DEFAULT_PROTOCOL_VERSION_MAJOR,
+            minor: DEFAULT_PROTOCOL_VERSION_MINOR,
+        };
+        this.maximumResponseSize = DEFAULT_MAXIMUM_RESPONSE_SIZE;
+        this.options = options.kmip;
+        this.codec = new Codec(options.kmip.codec);
+        this.transport = new Transport(options.kmip.transport);
+    }
+
+    /* Static class methods */
+
+    /**
+     * create a new abstract message instance
+     * @param {Object} content - Most likely a call to KMIP.Structure
+     *                           with 'Request Message' as tagName
+     * @returns {Object} an instance of Message
+     */
+    static Message(content) {
+        return new Message(content);
+    }
+
+    /**
+     * Create a KMIP Structure field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Array} value - array of KMIP fields
+     * @returns {Object} an abstract KMIP field
+     */
+    static Structure(tagName, value) {
+        return _PrimitiveType(tagName, 'Structure', value);
+    }
+
+    /**
+     * Create a KMIP Integer field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Number} value - a number
+     * @returns {Object} an abstract KMIP field
+     */
+    static Integer(tagName, value) {
+        return _PrimitiveType(tagName, 'Integer', value);
+    }
+
+    /**
+     * Create a KMIP Long Integer field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Number} value - a number (beware of the 53-bit limitation)
+     * @returns {Object} an abstract KMIP field
+     */
+    static LongInteger(tagName, value) {
+        return _PrimitiveType(tagName, 'LongInteger', value);
+    }
+
+    /**
+     * Create a KMIP Big Integer field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Buffer} value - buffer containing the big integer
+     * @returns {Object} an abstract KMIP field
+     */
+    static BigInteger(tagName, value) {
+        if (value.length % 8 !== 0) {
+            throw Error('Big Integer value length must be a multiple of 8');
+        }
+        return _PrimitiveType(tagName, 'BigInteger', value);
+    }
+
+    /**
+     * Create a KMIP Enumeration field instance
+     * @param {String} tagName - Name of the KMIP Enumeration
+     * @param {String} value - Name of the KMIP Enumeration value
+     * @returns {Object} an abstract KMIP field
+     */
+    static Enumeration(tagName, value) {
+        return _PrimitiveType(tagName, 'Enumeration', value);
+    }
+
+    /**
+     * Create a KMIP Boolean field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Boolean} value - anything falsey or not (converted to a Boolean)
+     * @returns {Object} an abstract KMIP field
+     */
+    static Boolean(tagName, value) {
+        return _PrimitiveType(tagName, 'Boolean', !!value);
+    }
+
+    /**
+     * Create a KMIP Text String field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {String} value - the text string
+     * @returns {Object} an abstract KMIP field
+     */
+    static TextString(tagName, value) {
+        return _PrimitiveType(tagName, 'TextString', value);
+    }
+
+    /**
+     * Create a KMIP Byte String field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Buffer} value - buffer containing the byte string
+     * @returns {Object} an abstract KMIP field
+     */
+    static ByteString(tagName, value) {
+        return _PrimitiveType(tagName, 'ByteString', value);
+    }
+
+    /**
+     * Create a KMIP Date-Time field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Date} value - instance of a Date (ms are discarded)
+     * @returns {Object} an abstract KMIP field
+     */
+    static DateTime(tagName, value) {
+        value.setMilliseconds(0);
+        return _PrimitiveType(tagName, 'Date-Time', value);
+    }
+
+    /**
+     * Create a KMIP Interval field instance
+     * @param {String} tagName - Name of the KMIP field
+     * @param {Integer} value - number of seconds of the interval
+     * @returns {Object} an abstract KMIP field
+     */
+    static Interval(tagName, value) {
+        return _PrimitiveType(tagName, 'Interval', value);
+    }
+
+    /**
+     * Create a KMIP Attribute field instance
+     * @param {String} type - type of the attribute value
+     * @param {String} name - Name of the attribute or KMIP field
+     * @param {Object} value - value of the field suitable for the
+     *                         specified type
+     * @returns {Object} an abstract KMIP field
+     */
+    static Attribute(type, name, value) {
+        if (type === 'Date-Time') {
+            value.setMilliseconds(0);
+        }
+        return {
+            Attribute: {
+                type: 'Structure',
+                value: [
+                    {
+                        'Attribute Name': {
+                            type: 'TextString',
+                            value: name,
+                        },
+                    },
+                    {
+                        'Attribute Value': {
+                            type,
+                            value,
+                            diversion: name,
+                        },
+                    },
+                ],
+            },
+        };
+    }
+
+    /* Object methods */
+
+    /**
+     * Register a higher level handshake function to be called
+     * after the connection is initialized and before the first
+     * message is sent.
+     * @param {Function} handshakeFunction - (logger: Object, cb: Function(err))
+     * @returns {undefined}
+     */
+    registerHandshakeFunction(handshakeFunction) {
+        this.transport.registerHandshakeFunction(handshakeFunction);
+    }
+
+    /**
+     * Decode a raw message, usually received from the transport layer
+     * @param {Object} logger - a Logger instance
+     * @param {Buffer} rawMessage - the message to decode
+     * @returns {Object} the decoded message as an instance of KMIP.Message
+     */
+    _decodeMessage(logger, rawMessage) {
+        return this.codec.decode(logger, rawMessage);
+    }
+
+    /**
+     * Encode an message
+     * @param {Object} message - Instance of a KMIP.Message
+     * @returns {Buffer} the encoded message suitable for the transport layer
+     */
+    _encodeMessage(message) {
+        return this.codec.encode(message);
+    }
+
+    /**
+     * Decode a bitmask
+     * @param {string} tagName - name of the bit mask defining tag
+     * @param {Integer} givenMask - bit mask to decode
+     * @returns {Array} array of named bits set in the given bit mask
+     */
+    decodeMask(tagName, givenMask) {
+        return this.codec.decodeMask(tagName, givenMask);
+    }
+
+    /**
+     * Encode a bitmask
+     * @param {String} tagName - name of the bit mask defining tag
+     * @param {Array} value - array of named bits to set in the mask
+     * @returns {Integer} Integer encoded bitmask
+     */
+    encodeMask(tagName, value) {
+        return this.codec.encodeMask(tagName, value);
+    }
+
+    /**
+     * Amend the tag nomenclature with a vendor specific extension
+     * @param {String} extensionName - Name of the tag to record
+     * @param {Integer} extensionTag - Tag value represented as an integer
+     * @returns {undefined}
+     */
+    mapExtension(extensionName, extensionTag) {
+        return this.codec.mapExtension(extensionName, extensionTag);
+    }
+
+    changeProtocolVersion(major, minor) {
+        this.protocolVersion = { major, minor };
+    }
+
+    /**
+     * Send an operation request message to the KMIP Server
+     * @param {Object} logger - Werelog logger object
+     * @param {String} operation - The name of the operation as defined in
+     *                             the KMIP protocol specification.
+     * @param {Object} payload - payload of the operation request. Specifically
+     *                           the content of the Request Payload as defined
+     *                           by the KMIP protocol specification.
+     * @param {Function} cb - The callback(error: Object, response: Object)
+     * @returns {undefined}
+     */
+    request(logger, operation, payload, cb) {
+        const uuid = _uniqueBatchItemID();
+        const message = KMIP.Message([
+            KMIP.Structure('Request Message', [
+                KMIP.Structure('Request Header', [
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major',
+                                     this.protocolVersion.major),
+                        KMIP.Integer('Protocol Version Minor',
+                                     this.protocolVersion.minor)]),
+                    KMIP.Integer('Maximum Response Size',
+                                 this.maximumResponseSize),
+                    KMIP.Integer('Batch Count', 1)]),
+                KMIP.Structure('Batch Item', [
+                    KMIP.Enumeration('Operation', operation),
+                    KMIP.ByteString('Unique Batch Item ID', uuid),
+                    KMIP.Structure('Request Payload', payload),
+                ])])]);
+        const encodedMessage = this._encodeMessage(message);
+        this.transport.send(
+            logger, encodedMessage,
+            (err, conversation, rawResponse) => {
+                if (err) {
+                    logger.error('KMIP::request: Failed to encode message',
+                                 { error: err });
+                    return cb(err);
+                }
+                const response = this._decodeMessage(logger, rawResponse);
+                const performedOperation =
+                      response.lookup('Response Message/' +
+                                      'Batch Item/Operation')[0];
+                const resultStatus =
+                      response.lookup('Response Message/' +
+                                      'Batch Item/Result Status')[0];
+                const resultUniqueBatchItemID =
+                      response.lookup('Response Message/' +
+                                      'Batch Item/Unique Batch Item ID')[0];
+
+                if (!resultUniqueBatchItemID ||
+                    resultUniqueBatchItemID.compare(uuid) !== 0) {
+                    this.transport.abortPipeline(conversation);
+                    const error = Error('Invalid batch item ID returned');
+                    logger.error('KMIP::request: failed',
+                                 { resultUniqueBatchItemID, uuid, error });
+                    return cb(error);
+                }
+                if (performedOperation !== operation) {
+                    this.transport.abortPipeline(conversation);
+                    const error = Error('Operation mismatch',
+                                        { got: performedOperation,
+                                         expected: operation });
+                    logger.error('KMIP::request: Operation mismatch',
+                                 { error });
+                    return cb(error);
+                }
+                if (resultStatus !== 'Success') {
+                    const resultReason =
+                          response.lookup(
+                              'Response Message/Batch Item/Result Reason')[0];
+                    const resultMessage =
+                          response.lookup(
+                              'Response Message/Batch Item/Result Message')[0];
+                    const error = Error('KMIP request failure',
+                                        { resultStatus,
+                                          resultReason,
+                                          resultMessage });
+                    logger.error('KMIP::request: request failed',
+                                 { error, resultStatus,
+                                   resultReason, resultMessage });
+                    return cb(error);
+                }
+                return cb(null, response);
+            });
+    }
+
+
+}
+
+
+module.exports = KMIP;

lib/network/kmip/tags.json

@@ -0,0 +1,579 @@
+{
+    "420006": {
+        "name": "Asynchronous Correlation Value"
+    },
+    "420007": {
+        "name": "Asynchronous Indicator"
+    },
+    "420008": {
+        "name": "Attribute"
+    },
+    "420009": {
+        "name": "Attribute Index"
+    },
+    "42000a": {
+        "name": "Attribute Name"
+    },
+    "42000b": {
+        "name": "Attribute Value"
+    },
+    "42000c": {
+        "name": "Authentication"
+    },
+    "42000d": {
+        "name": "Batch Count"
+    },
+    "42000f": {
+        "name": "Batch Item"
+    },
+    "420011": {
+        "name": "Block Cipher Mode",
+        "enumeration": {
+            "00000001": "CBC",
+            "00000002": "ECB",
+            "00000003": "PCBC",
+            "00000004": "CFB",
+            "00000005": "OFB",
+            "00000006": "CTR",
+            "00000007": "CMAC",
+            "00000008": "CCM",
+            "00000009": "GCM",
+            "0000000a": "CBC-MAC",
+            "0000000b": "XTS",
+            "0000000c": "AESKeyWrapPadding",
+            "0000000d": "NISTKeyWrap",
+            "0000000e": "X9.102 AESKW",
+            "0000000f": "X9.102 TDKW",
+            "00000010": "X9.102 AKW1",
+            "00000011": "X9.102 AKW2",
+            "00000012": "AEAD"
+        }
+    },
+    "420028": {
+        "name": "Cryptographic Algorithm",
+        "enumeration": {
+            "00000001": "DES",
+            "00000002": "3DES",
+            "00000003": "AES",
+            "00000004": "RSA",
+            "00000005": "DSA",
+            "00000006": "ECDSA",
+            "00000007": "HMAC-SHA1",
+            "00000008": "HMAC-SHA224",
+            "00000009": "HMAC-SHA256",
+            "0000000a": "HMAC-SHA384",
+            "0000000b": "HMAC-SHA512",
+            "0000000c": "HMAC-MD5",
+            "0000000d": "DH",
+            "0000000e": "ECDH",
+            "0000000f": "ECMQV",
+            "00000010": "Blowfish",
+            "00000011": "Camellia",
+            "00000012": "CAST5",
+            "00000013": "IDEA",
+            "00000014": "MARS",
+            "00000015": "RC2",
+            "00000016": "RC4",
+            "00000017": "RC5",
+            "00000018": "SKIPJACK",
+            "00000019": "Twofish",
+            "0000001a": "EC",
+            "0000001b": "One Time Pad",
+            "0000001c": "ChaCha20",
+            "0000001d": "Poly1305",
+            "0000001e": "ChaCha20Poly1305",
+            "0000001f": "SHA3-224",
+            "00000020": "SHA3-256",
+            "00000021": "SHA3-384",
+            "00000022": "SHA3-512",
+            "00000023": "HMAC-SHA3-224",
+            "00000024": "HMAC-SHA3-256",
+            "00000025": "HMAC-SHA3-384",
+            "00000026": "HMAC-SHA3-512",
+            "00000027": "SHAKE-128",
+            "00000028": "SHAKE-256"
+        }
+    },
+    "42002b": {
+        "name": "Cryptographic Parameters"
+    },
+    "42002c": {
+        "name": "Cryptographic Usage Mask",
+        "enumeration": {
+            "00000001": "Sign",
+            "00000002": "Verify",
+            "00000004": "Encrypt",
+            "00000008": "Decrypt",
+            "00000010": "Wrap Key",
+            "00000020": "Unwrap Key",
+            "00000040": "Export",
+            "00000080": "MAC Generate",
+            "00000100": "MAC Verify",
+            "00000200": "Derive Key",
+            "00000400": "Content Commitment",
+            "00000800": "Key Agreement",
+            "00001000": "Certificate Sign",
+            "00002000": "CRL Sign",
+            "00004000": "Generate Cryptogram",
+            "00008000": "Validate Cryptogram",
+            "00010000": "Translate Encrypt",
+            "00020000": "Translate Decrypt",
+            "00040000": "Translate Wrap",
+            "00080000": "Translate Unwrap"
+        }
+    },
+    "42003d": {
+        "name": "IV/Counter/Nonce"
+    },
+    "420050": {
+        "name": "Maximum Response Size"
+    },
+    "420054": {
+        "name": "Name Type",
+        "enumeration": {
+            "00000001": "Uninterpreted Text String",
+            "00000002": "URI"
+        }
+    },
+    "420057": {
+        "name": "Object Type",
+        "enumeration": {
+            "00000001": "Certificate",
+            "00000002": "Symmetric Key",
+            "00000003": "Public Key",
+            "00000004": "Private Key",
+            "00000005": "Split Key",
+            "00000006": "Template",
+            "00000007": "Secret Data",
+            "00000008": "Opaque Object",
+            "00000009": "PGP Key"
+        }
+    },
+    "42005c": {
+        "name": "Operation",
+        "enumeration": {
+            "00000001": "Create",
+            "00000002": "Create Key Pair",
+            "00000003": "Register",
+            "00000004": "Re-key",
+            "00000005": "Derive Key",
+            "00000006": "Certify",
+            "00000007": "Re-certify",
+            "00000008": "Locate",
+            "00000009": "Check",
+            "0000000a": "Get",
+            "0000000b": "Get Attributes",
+            "0000000c": "Get Attribute List",
+            "0000000d": "Add Attribute",
+            "0000000e": "Modify Attribute",
+            "0000000f": "Delete Attribute",
+            "00000010": "Obtain Lease",
+            "00000011": "Get Usage Allocation",
+            "00000012": "Activate",
+            "00000013": "Revoke",
+            "00000014": "Destroy",
+            "00000015": "Archive",
+            "00000016": "Recover",
+            "00000017": "Validate",
+            "00000018": "Query",
+            "00000019": "Cancel",
+            "0000001a": "Poll",
+            "0000001b": "Notify",
+            "0000001c": "Put",
+            "0000001d": "Re-key Key Pair",
+            "0000001e": "Discover Versions",
+            "0000001f": "Encrypt",
+            "00000020": "Decrypt",
+            "00000021": "Sign",
+            "00000022": "Signature Verify",
+            "00000023": "MAC",
+            "00000024": "MAC Verify",
+            "00000025": "RNG Retrieve",
+            "00000026": "RNG Seed",
+            "00000027": "Hash",
+            "00000028": "Create Split Key",
+            "00000029": "Join Split Key",
+            "0000002a": "Import",
+            "0000002b": "Export"
+        }
+    },
+    "42005f": {
+        "name": "Padding Method",
+        "enumeration": {
+            "00000001": "None",
+            "00000002": "OAEP",
+            "00000003": "PKCS5",
+            "00000004": "SSL3",
+            "00000005": "Zeros",
+            "00000006": "ANSI X9.23",
+            "00000007": "ISO 10126",
+            "00000008": "PKCS1 v1.5",
+            "00000009": "X9.31",
+            "0000000a": "PSS"
+        }
+    },
+    "420069": {
+        "name": "Protocol Version"
+    },
+    "42006a": {
+        "name": "Protocol Version Major"
+    },
+    "42006b": {
+        "name": "Protocol Version Minor"
+    },
+    "420074": {
+        "name": "Query Function",
+        "enumeration": {
+            "00000001": "Query Operations",
+            "00000002": "Query Objects",
+            "00000003": "Query Server Information",
+            "00000004": "Query Application Namespaces",
+            "00000005": "Query Extension List",
+            "00000006": "Query Extension Map",
+            "00000007": "Query Attestation Types",
+            "00000008": "Query RNGs",
+            "00000009": "Query Validations",
+            "0000000a": "Query Profiles",
+            "0000000b": "Query Capabilities",
+            "0000000c": "Query Client Registration Methods"
+        }
+    },
+    "420077": {
+        "name": "Request Header"
+    },
+    "420078": {
+        "name": "Request Message"
+    },
+    "420079": {
+        "name": "Request Payload"
+    },
+    "42007a": {
+        "name": "Response Header"
+    },
+    "42007b": {
+        "name": "Response Message"
+    },
+    "42007c": {
+        "name": "Response Payload"
+    },
+    "42007d": {
+        "name": "Result Message"
+    },
+    "42007e": {
+        "name": "Result Reason",
+        "enumeration": {
+            "00000001": "Item Not Found",
+            "00000002": "Response Too Large",
+            "00000003": "Authentication Not Successful",
+            "00000004": "Invalid Message",
+            "00000005": "Operation Not Supported",
+            "00000006": "Missing Data",
+            "00000007": "Invalid Field",
+            "00000008": "Feature Not Supported",
+            "00000009": "Operation Canceled By Requester",
+            "0000000a": "Cryptographic Failure",
+            "0000000b": "Illegal Operation",
+            "0000000c": "Permission Denied",
+            "0000000d": "Object archived",
+            "0000000e": "Index Out of Bounds",
+            "0000000f": "Application Namespace Not Supported",
+            "00000010": "Key Format Type Not Supported",
+            "00000011": "Key Compression Type Not Supported",
+            "00000012": "Encoding Option Error",
+            "00000013": "Key Value Not Present",
+            "00000014": "Attestation Required",
+            "00000015": "Attestation Failed",
+            "00000016": "Sensitive",
+            "00000017": "Not Extractable",
+            "00000018": "Object Already Exists",
+            "00000100": "General Failure"
+        }
+    },
+    "42007f": {
+        "name": "Result Status",
+        "enumeration": {
+            "00000000": "Success",
+            "00000001": "Operation Failed",
+            "00000002": "Operation Pending",
+            "00000003": "Operation Undone"
+        }
+    },
+    "420080": {
+        "name": "Revocation Message"
+    },
+    "420081": {
+        "name": "Revocation Reason"
+    },
+    "420082": {
+        "name": "Revocation Reason Code",
+        "enumeration": {
+            "00000001": "Unspecified",
+            "00000002": "Key Compromise",
+            "00000003": "CA Compromise",
+            "00000004": "Affiliation Changed",
+            "00000005": "Superseded",
+            "00000006": "Cessation of Operation",
+            "00000007": "Privilege Withdrawn"
+        }
+    },
+    "420088": {
+        "name": "Server Information"
+    },
+    "420091": {
+        "name": "Template-Attribute"
+    },
+    "420092": {
+        "name": "Time Stamp"
+    },
+    "420093": {
+        "name": "Unique Batch Item ID"
+    },
+    "420094": {
+        "name": "Unique Identifier"
+    },
+    "42009d": {
+        "name": "Vendor Identification"
+    },
+    "4200a4": {
+        "name": "Extension Information"
+    },
+    "4200a5": {
+        "name": "Extension Name"
+    },
+    "4200a6": {
+        "name": "Extension Tag"
+    },
+    "4200a7": {
+        "name": "Extension Type"
+    },
+    "4200c2": {
+        "name": "Data"
+    },
+    "4200eb": {
+        "name": "Profile Information"
+    },
+    "4200ec": {
+        "name": "Profile Name",
+        "enumeration": {
+            "00000001": "Baseline Server Basic KMIP v1.2",
+            "00000002": "Baseline Server TLS v1.2 KMIP v1.2",
+            "00000003": "Baseline Client Basic KMIP v1.2",
+            "00000004": "Baseline Client TLS v1.2 KMIP v1.2",
+            "00000005": "Complete Server Basic KMIP v1.2",
+            "00000006": "Complete Server TLS v1.2 KMIP v1.2",
+            "00000007": "Tape Library Client KMIP v1.0",
+            "00000008": "Tape Library Client KMIP v1.1",
+            "00000009": "Tape Library Client KMIP v1.2",
+            "0000000a": "Tape Library Server KMIP v1.0",
+            "0000000b": "Tape Library Server KMIP v1.1",
+            "0000000c": "Tape Library Server KMIP v1.2",
+            "0000000d": "Symmetric Key Lifecycle Client KMIP v1.0",
+            "0000000e": "Symmetric Key Lifecycle Client KMIP v1.1",
+            "0000000f": "Symmetric Key Lifecycle Client KMIP v1.2",
+            "00000010": "Symmetric Key Lifecycle Server KMIP v1.0",
+            "00000011": "Symmetric Key Lifecycle Server KMIP v1.1",
+            "00000012": "Symmetric Key Lifecycle Server KMIP v1.2",
+            "00000013": "Asymmetric Key Lifecycle Client KMIP v1.0",
+            "00000014": "Asymmetric Key Lifecycle Client KMIP v1.1",
+            "00000015": "Asymmetric Key Lifecycle Client KMIP v1.2",
+            "00000016": "Asymmetric Key Lifecycle Server KMIP v1.0",
+            "00000017": "Asymmetric Key Lifecycle Server KMIP v1.1",
+            "00000018": "Asymmetric Key Lifecycle Server KMIP v1.2",
+            "00000019": "Basic Cryptographic Client KMIP v1.2",
+            "0000001a": "Basic Cryptographic Server KMIP v1.2",
+            "0000001b": "Advanced Cryptographic Client KMIP v1.2",
+            "0000001c": "Advanced Cryptographic Server KMIP v1.2",
+            "0000001d": "RNG Cryptographic Client KMIP v1.2",
+            "0000001e": "RNG Cryptographic Server KMIP v1.2",
+            "0000001f": "Basic Symmetric Key Foundry Client KMIP v1.0",
+            "00000020": "Intermediate Symmetric Key Foundry Client KMIP v1.0",
+            "00000021": "Advanced Symmetric Key Foundry Client KMIP v1.0",
+            "00000022": "Basic Symmetric Key Foundry Client KMIP v1.1",
+            "00000023": "Intermediate Symmetric Key Foundry Client KMIP v1.1",
+            "00000024": "Advanced Symmetric Key Foundry Client KMIP v1.1",
+            "00000025": "Basic Symmetric Key Foundry Client KMIP v1.2",
+            "00000026": "Intermediate Symmetric Key Foundry Client KMIP v1.2",
+            "00000027": "Advanced Symmetric Key Foundry Client KMIP v1.2",
+            "00000028": "Symmetric Key Foundry Server KMIP v1.0",
+            "00000029": "Symmetric Key Foundry Server KMIP v1.1",
+            "0000002a": "Symmetric Key Foundry Server KMIP v1.2",
+            "0000002b": "Opaque Managed Object Store Client KMIP v1.0",
+            "0000002c": "Opaque Managed Object Store Client KMIP v1.1",
+            "0000002d": "Opaque Managed Object Store Client KMIP v1.2",
+            "0000002e": "Opaque Managed Object Store Server KMIP v1.0",
+            "0000002f": "Opaque Managed Object Store Server KMIP v1.1",
+            "00000030": "Opaque Managed Object Store Server KMIP v1.2",
+            "00000031": "Suite B minLOS_128 Client KMIP v1.0",
+            "00000032": "Suite B minLOS_128 Client KMIP v1.1",
+            "00000033": "Suite B minLOS_128 Client KMIP v1.2",
+            "00000034": "Suite B minLOS_128 Server KMIP v1.0",
+            "00000035": "Suite B minLOS_128 Server KMIP v1.1",
+            "00000036": "Suite B minLOS_128 Server KMIP v1.2",
+            "00000037": "Suite B minLOS_192 Client KMIP v1.0",
+            "00000038": "Suite B minLOS_192 Client KMIP v1.1",
+            "00000039": "Suite B minLOS_192 Client KMIP v1.2",
+            "0000003a": "Suite B minLOS_192 Server KMIP v1.0",
+            "0000003b": "Suite B minLOS_192 Server KMIP v1.1",
+            "0000003c": "Suite B minLOS_192 Server KMIP v1.2",
+            "0000003d": "Storage Array with Self Encrypting Drive Client KMIP v1.0",
+            "0000003e": "Storage Array with Self Encrypting Drive Client KMIP v1.1",
+            "0000003f": "Storage Array with Self Encrypting Drive Client KMIP v1.2",
+            "00000040": "Storage Array with Self Encrypting Drive Server KMIP v1.0",
+            "00000041": "Storage Array with Self Encrypting Drive Server KMIP v1.1",
+            "00000042": "Storage Array with Self Encrypting Drive Server KMIP v1.2",
+            "00000043": "HTTPS Client KMIP v1.0",
+            "00000044": "HTTPS Client KMIP v1.1",
+            "00000045": "HTTPS Client KMIP v1.2",
+            "00000046": "HTTPS Server KMIP v1.0",
+            "00000047": "HTTPS Server KMIP v1.1",
+            "00000048": "HTTPS Server KMIP v1.2",
+            "00000049": "JSON Client KMIP v1.0",
+            "0000004a": "JSON Client KMIP v1.1",
+            "0000004b": "JSON Client KMIP v1.2",
+            "0000004c": "JSON Server KMIP v1.0",
+            "0000004d": "JSON Server KMIP v1.1",
+            "0000004e": "JSON Server KMIP v1.2",
+            "0000004f": "XML Client KMIP v1.0",
+            "00000050": "XML Client KMIP v1.1",
+            "00000051": "XML Client KMIP v1.2",
+            "00000052": "XML Server KMIP v1.0",
+            "00000053": "XML Server KMIP v1.1",
+            "00000054": "XML Server KMIP v1.2",
+            "00000055": "Baseline Server Basic KMIP v1.3",
+            "00000056": "Baseline Server TLS v1.2 KMIP v1.3",
+            "00000057": "Baseline Client Basic KMIP v1.3",
+            "00000058": "Baseline Client TLS v1.2 KMIP v1.3",
+            "00000059": "Complete Server Basic KMIP v1.3",
+            "0000005a": "Complete Server TLS v1.2 KMIP v1.3",
+            "0000005b": "Tape Library Client KMIP v1.3",
+            "0000005c": "Tape Library Server KMIP v1.3",
+            "0000005d": "Symmetric Key Lifecycle Client KMIP v1.3",
+            "0000005e": "Symmetric Key Lifecycle Server KMIP v1.3",
+            "0000005f": "Asymmetric Key Lifecycle Client KMIP v1.3",
+            "00000060": "Asymmetric Key Lifecycle Server KMIP v1.3",
+            "00000061": "Basic Cryptographic Client KMIP v1.3",
+            "00000062": "Basic Cryptographic Server KMIP v1.3",
+            "00000063": "Advanced Cryptographic Client KMIP v1.3",
+            "00000064": "Advanced Cryptographic Server KMIP v1.3",
+            "00000065": "RNG Cryptographic Client KMIP v1.3",
+            "00000066": "RNG Cryptographic Server KMIP v1.3",
+            "00000067": "Basic Symmetric Key Foundry Client KMIP v1.3",
+            "00000068": "Intermediate Symmetric Key Foundry Client KMIP v1.3",
+            "00000069": "Advanced Symmetric Key Foundry Client KMIP v1.3",
+            "0000006a": "Symmetric Key Foundry Server KMIP v1.3",
+            "0000006b": "Opaque Managed Object Store Client KMIP v1.3",
+            "0000006c": "Opaque Managed Object Store Server KMIP v1.3",
+            "0000006d": "Suite B minLOS_128 Client KMIP v1.3",
+            "0000006e": "Suite B minLOS_128 Server KMIP v1.3",
+            "0000006f": "Suite B minLOS_192 Client KMIP v1.3",
+            "00000070": "Suite B minLOS_192 Server KMIP v1.3",
+            "00000071": "Storage Array with Self Encrypting Drive Client KMIP v1.3",
+            "00000072": "Storage Array with Self Encrypting Drive Server KMIP v1.3",
+            "00000073": "HTTPS Client KMIP v1.3",
+            "00000074": "HTTPS Server KMIP v1.3",
+            "00000075": "JSON Client KMIP v1.3",
+            "00000076": "JSON Server KMIP v1.3",
+            "00000077": "XML Client KMIP v1.3",
+            "00000078": "XML Server KMIP v1.3",
+            "00000079": "Baseline Server Basic KMIP v1.4",
+            "0000007a": "Baseline Server TLS v1.2 KMIP v1.4",
+            "0000007b": "Baseline Client Basic KMIP v1.4",
+            "0000007c": "Baseline Client TLS v1.2 KMIP v1.4",
+            "0000007d": "Complete Server Basic KMIP v1.4",
+            "0000007e": "Complete Server TLS v1.2 KMIP v1.4",
+            "0000007f": "Tape Library Client KMIP v1.4",
+            "00000080": "Tape Library Server KMIP v1.4",
+            "00000081": "Symmetric Key Lifecycle Client KMIP v1.4",
+            "00000082": "Symmetric Key Lifecycle Server KMIP v1.4",
+            "00000083": "Asymmetric Key Lifecycle Client KMIP v1.4",
+            "00000084": "Asymmetric Key Lifecycle Server KMIP v1.4",
+            "00000085": "Basic Cryptographic Client KMIP v1.4",
+            "00000086": "Basic Cryptographic Server KMIP v1.4",
+            "00000087": "Advanced Cryptographic Client KMIP v1.4",
+            "00000088": "Advanced Cryptographic Server KMIP v1.4",
+            "00000089": "RNG Cryptographic Client KMIP v1.4",
+            "0000008a": "RNG Cryptographic Server KMIP v1.4",
+            "0000008b": "Basic Symmetric Key Foundry Client KMIP v1.4",
+            "0000008c": "Intermediate Symmetric Key Foundry Client KMIP v1.4",
+            "0000008d": "Advanced Symmetric Key Foundry Client KMIP v1.4",
+            "0000008e": "Symmetric Key Foundry Server KMIP v1.4",
+            "0000008f": "Opaque Managed Object Store Client KMIP v1.4",
+            "00000090": "Opaque Managed Object Store Server KMIP v1.4",
+            "00000091": "Suite B minLOS_128 Client KMIP v1.4",
+            "00000092": "Suite B minLOS_128 Server KMIP v1.4",
+            "00000093": "Suite B minLOS_192 Client KMIP v1.4",
+            "00000094": "Suite B minLOS_192 Server KMIP v1.4",
+            "00000095": "Storage Array with Self Encrypting Drive Client KMIP v1.4",
+            "00000096": "Storage Array with Self Encrypting Drive Server KMIP v1.4",
+            "00000097": "HTTPS Client KMIP v1.4",
+            "00000098": "HTTPS Server KMIP v1.4",
+            "00000099": "JSON Client KMIP v1.4",
+            "0000009a": "JSON Server KMIP v1.4",
+            "0000009b": "XML Client KMIP v1.4",
+            "0000009c": "XML Server KMIP v1.4"
+        }
+    },
+    "4200ed": {
+        "name": "Server URI"
+    },
+    "4200ee": {
+        "name": "Server Port"
+    },
+    "4200ef": {
+        "name": "Streaming Capability"
+    },
+    "4200f0": {
+        "name": "Asynchronous Capability"
+    },
+    "4200f1": {
+        "name": "Attestation Capability"
+    },
+    "4200f2": {
+        "name": "Unwrap Mode",
+        "enumeration": {
+            "00000001": "Unspecified",
+            "00000002": "Processed",
+            "00000003": "Not Processed"
+        }
+    },
+    "4200f3": {
+        "name": "Destroy Action",
+        "enumeration": {
+            "00000001": "Unspecified",
+            "00000002": "Key Material Deleted",
+            "00000003": "Key Material Shredded",
+            "00000004": "Meta Data Deleted",
+            "00000005": "Meta Data Shredded",
+            "00000006": "Deleted",
+            "00000007": "Shredded"
+        }
+    },
+    "4200f4": {
+        "name": "Shredding Algorithm",
+        "enumeration": {
+            "00000001": "Unspecified",
+            "00000002": "Cryptographic",
+            "00000003": "Unsupported"
+        }
+    },
+    "4200f5": {
+        "name": "RNG Mode",
+        "enumeration": {
+            "00000001": "Unspecified",
+            "00000002": "Shared Instantiation",
+            "00000003": "Non-Shared Instantiation"
+        }
+    },
+    "4200f6": {
+        "name": "Client Registration Method"
+    },
+    "4200f7": {
+        "name": "Capability Information"
+    },
+    "420105": {
+        "name": "Client Correlation Value"
+    },
+    "420106": {
+        "name": "Server Correlation Value"
+    }
+}

lib/network/kmip/transport/TransportTemplate.js

@@ -0,0 +1,181 @@
+'use strict'; // eslint-disable-line
+
+const assert = require('assert');
+
+const DEFAULT_PIPELINE_DEPTH = 8;
+const DEFAULT_KMIP_PORT = 5696;
+
+class TransportTemplate {
+    /**
+     * Construct a new object of the TransportTemplate class
+     * @param {Object} channel - Typically the tls object
+     * @param {Object} options - Instance options
+     * @param {Number} options.pipelineDepth - depth of the pipeline
+     * @param {Object} options.tls - Standard TLS socket initialization
+     *                               parameters
+     * @param {Number} options.tls.port - TLS server port to connect to
+     */
+    constructor(channel, options) {
+        this.channel = channel;
+        this.options = options;
+        this.pipelineDepth = Math.max(1, options.pipelineDepth ||
+                                      DEFAULT_PIPELINE_DEPTH);
+        this.callbackPipeline = [];
+        this.deferedRequests = [];
+        this.pipelineDrainedCallback = null;
+        this.handshakeFunction = null;
+        this.socket = null;
+    }
+
+    /**
+     * Drain the outstanding and defered request queues by
+     * calling the associated callback with an error
+     * @param {Error} error - the error to call the callback function with.
+     * @returns {undefined}
+     */
+    _drainQueuesWithError(error) {
+        this.callbackPipeline.forEach(queuedCallback => {
+            queuedCallback(error);
+        });
+        this.deferedRequests.forEach(deferedRequest => {
+            deferedRequest.cb(error);
+        });
+        this.callbackPipeline = [];
+        this.deferedRequests = [];
+    }
+
+    /**
+     * Register a higher level handshake function to be called
+     * after the connection is initialized and before the first
+     * message is sent.
+     * @param {Function} handshakeFunction - (logger: Object, cb: Function(err))
+     * @returns {undefined}
+     */
+    registerHandshakeFunction(handshakeFunction) {
+        this.handshakeFunction = handshakeFunction;
+    }
+
+    /**
+     * Create a new conversation (e.g. a socket) between the client
+     * and the server.
+     * @param {Object} logger - Werelogs logger object
+     * @param {Function} readyCallback - callback function to call when the
+     *                                   conversation is ready to be initiated
+     *                                   func(err: Error)
+     * @returns {undefined}
+     */
+    _createConversation(logger, readyCallback) {
+        try {
+            const socket = this.channel.connect(
+                this.options.tls.port || DEFAULT_KMIP_PORT,
+                this.options.tls,
+                () => {
+                    socket.on('data', data => {
+                        const queuedCallback = this.callbackPipeline.shift();
+                        queuedCallback(null, socket, data);
+
+                        if (this.callbackPipeline.length <
+                            this.pipelineDepth &&
+                            this.deferedRequests.length > 0) {
+                            const deferedRequest = this.deferedRequests.shift();
+                            process.nextTick(() => {
+                                this.send(logger,
+                                          deferedRequest.encodedMessage,
+                                          deferedRequest.cb);
+                            });
+                        } else if (this.callbackPipeline.length === 0 &&
+                                   this.deferedRequests.length === 0 &&
+                                   this.pipelineDrainedCallback) {
+                            this.pipelineDrainedCallback();
+                            this.pipelineDrainedCallback = null;
+                        }
+                    });
+                    socket.on('end', () => {
+                        const error = Error('Conversation interrupted');
+                        this._drainQueuesWithError(error);
+                        this.socket = null;
+                    });
+                    socket.on('error', err => {
+                        this._drainQueuesWithError(err);
+                    });
+                    if (this.handshakeFunction) {
+                        this.handshakeFunction(logger, readyCallback);
+                    } else {
+                        readyCallback(null);
+                    }
+                });
+            this.socket = socket;
+        } catch (err) {
+            logger.error();
+            readyCallback(err);
+        }
+    }
+
+    _doSend(logger, encodedMessage, cb) {
+        const socket = this.socket;
+        if (!socket || socket.destroyed) {
+            const error = new Error('Socket to server not available');
+            logger.error('TransportTemplate::_doSend', { error });
+            return cb(error);
+        }
+        this.callbackPipeline.push(cb);
+        socket.cork();
+        socket.write(encodedMessage);
+        socket.uncork();
+        return undefined;
+    }
+
+    /**
+     * Send an encoded message to the server
+     * @param {Object} logger - Werelogs logger object
+     * @param {Buffer} encodedMessage - the encoded message to send to the
+     *                                  server
+     * @param {Function} cb - (err, conversation, rawResponse)
+     * @returns {undefined}
+     */
+    send(logger, encodedMessage, cb) {
+        if (this.callbackPipeline.length >= this.pipelineDepth) {
+            return this.deferedRequests.push({ encodedMessage, cb });
+        }
+        assert(encodedMessage.length !== 0);
+        if (this.socket === null || this.socket.destroyed) {
+            return this._createConversation(logger, err => {
+                if (err) {
+                    return cb(err);
+                }
+                return this._doSend(logger, encodedMessage, cb);
+            });
+        }
+        return this._doSend(logger, encodedMessage, cb);
+    }
+
+    /**
+     * Gracefuly interrupt the conversation. If the caller keeps sending
+     * message after calling this function, the conversation won't
+     * converge to its end.
+     * @returns {undefined}
+     */
+    end() {
+        if (!this.socket) {
+            return;
+        }
+        if (this.callbackPipeline.length !== 0 ||
+            this.deferedRequests.length !== 0) {
+            this.pipelineDrainedCallback = this.socket.end.bind(this.socket);
+        } else {
+            this.socket.end();
+        }
+    }
+
+    /**
+     * Abruptly interrupt the conversation and cancel the outstanding and
+     * defered requests
+     * @param {Object} conversation - the conversation to abort
+     * @returns {undefined}
+     */
+    abortPipeline(conversation) {
+        conversation.end();
+    }
+}
+
+module.exports = TransportTemplate;

lib/network/kmip/transport/tls.js

@@ -0,0 +1,12 @@
+'use strict'; // eslint-disable-line
+
+const tls = require('tls');
+const TransportTemplate = require('./TransportTemplate.js');
+
+class TlsTransport extends TransportTemplate {
+    constructor(options) {
+        super(tls, options);
+    }
+}
+
+module.exports = TlsTransport;

lib/policy/policyValidator.js

@@ -2,12 +2,14 @@
 
 const Ajv = require('ajv');
 const userPolicySchema = require('./userPolicySchema');
+const resourcePolicySchema = require('./resourcePolicySchema');
 const errors = require('../errors');
 
 const ajValidate = new Ajv({ allErrors: true });
 ajValidate.addMetaSchema(require('ajv/lib/refs/json-schema-draft-06.json'));
 // compiles schema to functions and caches them for all cases
 const userPolicyValidate = ajValidate.compile(userPolicySchema);
+const resourcePolicyValidate = ajValidate.compile(resourcePolicySchema);
 
 const errDict = {
     required: {
@@ -25,33 +27,38 @@ const errDict = {
 };
 
 // parse ajv errors and return early with the first relevant error
-function _parseErrors(ajvErrors) {
-    // deep copy is needed as we have to assign custom error description
-    const parsedErr = Object.assign({}, errors.MalformedPolicyDocument);
-    parsedErr.description = 'Syntax errors in policy.';
+function _parseErrors(ajvErrors, policyType) {
+    let parsedErr;
+    if (policyType === 'user') {
+        // deep copy is needed as we have to assign custom error description
+        parsedErr = Object.assign({}, errors.MalformedPolicyDocument);
+    }
+    if (policyType === 'resource') {
+        parsedErr = Object.assign({}, errors.MalformedPolicy);
+    }
     ajvErrors.some(err => {
         const resource = err.dataPath;
         const field = err.params ? err.params.missingProperty : undefined;
         const errType = err.keyword;
         if (errType === 'type' && (resource === '.Statement' ||
-            resource === '.Statement.Resource' ||
-            resource === '.Statement.NotResource')) {
+            resource.includes('.Resource') ||
+            resource.includes('.NotResource'))) {
             // skip this as this doesn't have enough error context
             return false;
         }
         if (err.keyword === 'required' && field && errDict.required[field]) {
             parsedErr.description = errDict.required[field];
         } else if (err.keyword === 'pattern' &&
-            (resource === '.Statement.Action' ||
-                resource === '.Statement.NotAction')) {
+            (resource.includes('.Action') ||
+                resource.includes('.NotAction'))) {
             parsedErr.description = errDict.pattern.Action;
         } else if (err.keyword === 'pattern' &&
-            (resource === '.Statement.Resource' ||
-                resource === '.Statement.NotResource')) {
+            (resource.includes('.Resource') ||
+                resource.includes('.NotResource'))) {
             parsedErr.description = errDict.pattern.Resource;
         } else if (err.keyword === 'minItems' &&
-            (resource === '.Statement.Resource' ||
-                resource === '.Statement.NotResource')) {
+            (resource.includes('.Resource') ||
+                resource.includes('.NotResource'))) {
             parsedErr.description = errDict.minItems.Resource;
         }
         return true;
@@ -78,12 +85,24 @@ function _validatePolicy(type, policy) {
         }
         userPolicyValidate(parseRes);
         if (userPolicyValidate.errors) {
-            return { error: _parseErrors(userPolicyValidate.errors),
+            return { error: _parseErrors(userPolicyValidate.errors, 'user'),
                 valid: false };
         }
         return { error: null, valid: true };
     }
-    // TODO: add support for resource policies
+    if (type === 'resource') {
+        const parseRes = _safeJSONParse(policy);
+        if (parseRes instanceof Error) {
+            return { error: Object.assign({}, errors.MalformedPolicy),
+                valid: false };
+        }
+        resourcePolicyValidate(parseRes);
+        if (resourcePolicyValidate.errors) {
+            return { error: _parseErrors(resourcePolicyValidate.errors,
+                'resource'), valid: false };
+        }
+        return { error: null, valid: true };
+    }
     return { error: errors.NotImplemented, valid: false };
 }
 /**

lib/policy/resourcePolicySchema.json

@@ -0,0 +1,491 @@
+{
+    "$schema": "http://json-schema.org/draft-06/schema#",
+    "type": "object",
+    "title": "AWS Bucket Policy schema.",
+    "description": "This schema describes a bucket policy per AWS policy grammar rules",
+    "definitions": {
+        "principalService": {
+            "type": "object",
+            "properties": {
+                "Service": {
+                    "type": "string",
+                    "const": "backbeat"
+                }
+            },
+            "additionalProperties": false
+        },
+        "principalCanonicalUser": {
+            "type": "object",
+            "properties": {
+                "CanonicalUser": {
+                    "type": "string",
+                    "pattern": "^[0-9a-z]{64}$"
+                }
+            },
+            "additionalProperties": false
+        },
+        "principalAnonymous": {
+            "type": "string",
+            "pattern": "^\\*$"
+        },
+        "principalAWSAccountID": {
+            "type": "string",
+            "pattern": "^[0-9]{12}$"
+        },
+        "principalAWSAccountArn": {
+            "type": "string",
+            "pattern": "^arn:aws:iam::[0-9]{12}:root$"
+        },
+        "principalAWSUserArn": {
+            "type": "string",
+            "pattern": "^arn:aws:iam::[0-9]{12}:user/[\\w+=,.@ -]{1,64}$"
+        },
+        "principalAWSRoleArn": {
+            "type": "string",
+            "pattern": "^arn:aws:iam::[0-9]{12}:role/[\\w+=,.@ -]{1,64}$"
+        },
+        "principalAWSItem": {
+            "type": "object",
+            "properties": {
+                "AWS": {
+                    "oneOf": [
+                        {
+                            "$ref": "#/definitions/principalAWSAccountID"
+                        },
+                        {
+                            "$ref": "#/definitions/principalAnonymous"
+                        },
+                        {
+                            "$ref": "#/definitions/principalAWSAccountArn"
+                        },
+                        {
+                            "$ref": "#/definitions/principalAWSUserArn"
+                        },
+                        {
+                            "$ref": "#/definitions/principalAWSRoleArn"
+                        },
+                        {
+                            "type": "array",
+                            "minItems": 1,
+                            "items": {
+                                "$ref": "#/definitions/principalAWSAccountID"
+                            }
+                        },
+                        {
+                            "type": "array",
+                            "minItems": 1,
+                            "items": {
+                                "$ref": "#/definitions/principalAWSAccountArn"
+                            }
+                        },
+                        {
+                            "type": "array",
+                            "minItems": 1,
+                            "items": {
+                                "$ref": "#/definitions/principalAWSRoleArn"
+                            }
+                        },
+                        {
+                            "type": "array",
+                            "minItems": 1,
+                            "items": {
+                                "$ref": "#/definitions/principalAWSUserArn"
+                            }
+                        }
+                    ]
+                }
+            },
+            "additionalProperties": false
+        },
+        "principalItem": {
+            "oneOf": [
+                {
+                    "$ref": "#/definitions/principalAWSItem"
+                },
+                {
+                    "$ref": "#/definitions/principalAnonymous"
+                },
+                {
+                    "$ref": "#/definitions/principalService"
+                },
+                {
+                    "$ref": "#/definitions/principalCanonicalUser"
+                }
+            ]
+        },
+        "actionItem": {
+            "type": "string",
+            "pattern": "^[^*:]+:([^:])+|^\\*$"
+        },
+        "resourceItem": {
+            "type": "string",
+            "pattern": "^\\*|arn:(aws|scality)(:(\\*{1}|[a-z0-9\\*\\-]{2,})*?){3}:((?!\\$\\{\\}).)*?$"
+        },
+        "conditionKeys": {
+            "properties": {
+                "aws:CurrentTime": true,
+                "aws:EpochTime": true,
+                "aws:MultiFactorAuthAge": true,
+                "aws:MultiFactorAuthPresent": true,
+                "aws:PrincipalArn": true,
+                "aws:PrincipalOrgId": true,
+                "aws:PrincipalTag/${TagKey}": true,
+                "aws:PrincipalType": true,
+                "aws:Referer": true,
+                "aws:RequestTag/${TagKey}": true,
+                "aws:RequestedRegion": true,
+                "aws:SecureTransport": true,
+                "aws:SourceAccount": true,
+                "aws:SourceArn": true,
+                "aws:SourceIp": true,
+                "aws:SourceVpc": true,
+                "aws:SourceVpce": true,
+                "aws:TagKeys": true,
+                "aws:TokenIssueTime": true,
+                "aws:UserAgent": true,
+                "aws:userid": true,
+                "aws:username": true,
+                "s3:ExistingJobOperation": true,
+                "s3:ExistingJobPriority": true,
+                "s3:ExistingObjectTag/<key>": true,
+                "s3:JobSuspendedCause": true,
+                "s3:LocationConstraint": true,
+                "s3:RequestJobOperation": true,
+                "s3:RequestJobPriority": true,
+                "s3:RequestObjectTag/<key>": true,
+                "s3:RequestObjectTagKeys": true,
+                "s3:VersionId": true,
+                "s3:authtype": true,
+                "s3:delimiter": true,
+                "s3:locationconstraint": true,
+                "s3:max-keys": true,
+                "s3:object-lock-legal-hold": true,
+                "s3:object-lock-mode": true,
+                "s3:object-lock-remaining-retention-days": true,
+                "s3:object-lock-retain-until-date": true,
+                "s3:prefix": true,
+                "s3:signatureage": true,
+                "s3:signatureversion": true,
+                "s3:versionid": true,
+                "s3:x-amz-acl": true,
+                "s3:x-amz-content-sha256": true,
+                "s3:x-amz-copy-source": true,
+                "s3:x-amz-grant-full-control": true,
+                "s3:x-amz-grant-read": true,
+                "s3:x-amz-grant-read-acp": true,
+                "s3:x-amz-grant-write": true,
+                "s3:x-amz-grant-write-acp": true,
+                "s3:x-amz-metadata-directive": true,
+                "s3:x-amz-server-side-encryption": true,
+                "s3:x-amz-server-side-encryption-aws-kms-key-id": true,
+                "s3:x-amz-storage-class": true,
+                "s3:x-amz-website-redirect-location": true
+            },
+            "additionalProperties": false
+        },
+        "conditions": {
+            "type": "object",
+            "properties": {
+                "ArnEquals": {
+                    "type": "object"
+                },
+                "ArnEqualsIfExists": {
+                    "type": "object"
+                },
+                "ArnLike": {
+                    "type": "object"
+                },
+                "ArnLikeIfExists": {
+                    "type": "object"
+                },
+                "ArnNotEquals": {
+                    "type": "object"
+                },
+                "ArnNotEqualsIfExists": {
+                    "type": "object"
+                },
+                "ArnNotLike": {
+                    "type": "object"
+                },
+                "ArnNotLikeIfExists": {
+                    "type": "object"
+                },
+                "BinaryEquals": {
+                    "type": "object"
+                },
+                "BinaryEqualsIfExists": {
+                    "type": "object"
+                },
+                "BinaryNotEquals": {
+                    "type": "object"
+                },
+                "BinaryNotEqualsIfExists": {
+                    "type": "object"
+                },
+                "Bool": {
+                    "type": "object"
+                },
+                "BoolIfExists": {
+                    "type": "object"
+                },
+                "DateEquals": {
+                    "type": "object"
+                },
+                "DateEqualsIfExists": {
+                    "type": "object"
+                },
+                "DateGreaterThan": {
+                    "type": "object"
+                },
+                "DateGreaterThanEquals": {
+                    "type": "object"
+                },
+                "DateGreaterThanEqualsIfExists": {
+                    "type": "object"
+                },
+                "DateGreaterThanIfExists": {
+                    "type": "object"
+                },
+                "DateLessThan": {
+                    "type": "object"
+                },
+                "DateLessThanEquals": {
+                    "type": "object"
+                },
+                "DateLessThanEqualsIfExists": {
+                    "type": "object"
+                },
+                "DateLessThanIfExists": {
+                    "type": "object"
+                },
+                "DateNotEquals": {
+                    "type": "object"
+                },
+                "DateNotEqualsIfExists": {
+                    "type": "object"
+                },
+                "IpAddress": {
+                    "type": "object"
+                },
+                "IpAddressIfExists": {
+                    "type": "object"
+                },
+                "NotIpAddress": {
+                    "type": "object"
+                },
+                "NotIpAddressIfExists": {
+                    "type": "object"
+                },
+                "Null": {
+                    "type": "object"
+                },
+                "NumericEquals": {
+                    "type": "object"
+                },
+                "NumericEqualsIfExists": {
+                    "type": "object"
+                },
+                "NumericGreaterThan": {
+                    "type": "object"
+                },
+                "NumericGreaterThanEquals": {
+                    "type": "object"
+                },
+                "NumericGreaterThanEqualsIfExists": {
+                    "type": "object"
+                },
+                "NumericGreaterThanIfExists": {
+                    "type": "object"
+                },
+                "NumericLessThan": {
+                    "type": "object"
+                },
+                "NumericLessThanEquals": {
+                    "type": "object"
+                },
+                "NumericLessThanEqualsIfExists": {
+                    "type": "object"
+                },
+                "NumericLessThanIfExists": {
+                    "type": "object"
+                },
+                "NumericNotEquals": {
+                    "type": "object"
+                },
+                "NumericNotEqualsIfExists": {
+                    "type": "object"
+                },
+                "StringEquals": {
+                    "type": "object"
+                },
+                "StringEqualsIfExists": {
+                    "type": "object"
+                },
+                "StringEqualsIgnoreCase": {
+                    "type": "object"
+                },
+                "StringEqualsIgnoreCaseIfExists": {
+                    "type": "object"
+                },
+                "StringLike": {
+                    "type": "object"
+                },
+                "StringLikeIfExists": {
+                    "type": "object"
+                },
+                "StringNotEquals": {
+                    "type": "object"
+                },
+                "StringNotEqualsIfExists": {
+                    "type": "object"
+                },
+                "StringNotEqualsIgnoreCase": {
+                    "type": "object"
+                },
+                "StringNotEqualsIgnoreCaseIfExists": {
+                    "type": "object"
+                },
+                "StringNotLike": {
+                    "type": "object"
+                },
+                "StringNotLikeIfExists": {
+                    "type": "object"
+                }
+            },
+            "additionalProperties": false
+        }
+    },
+    "properties": {
+        "Version": {
+            "type": "string",
+            "const": "2012-10-17"
+        },
+        "Statement": {
+            "oneOf": [
+                {
+                    "type": [
+                        "array"
+                    ],
+                    "minItems": 1,
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "Sid": {
+                                "type": "string",
+                                "pattern": "^[a-zA-Z0-9]+$"
+                            },
+                            "Action": {
+                                "oneOf": [
+                                    {
+                                        "$ref": "#/definitions/actionItem"
+                                    },
+                                    {
+                                        "type": "array",
+                                        "items": {
+                                            "$ref": "#/definitions/actionItem"
+                                        }
+                                    }
+                                ]
+                            },
+                            "Effect": {
+                                "type": "string",
+                                "enum": [
+                                    "Allow",
+                                    "Deny"
+                                ]
+                            },
+                            "Principal": {
+                                "$ref": "#/definitions/principalItem"
+                            },
+                            "Resource": {
+                                "oneOf": [
+                                    {
+                                        "$ref": "#/definitions/resourceItem"
+                                    },
+                                    {
+                                        "type": "array",
+                                        "items": {
+                                            "$ref": "#/definitions/resourceItem"
+                                        },
+                                        "minItems": 1
+                                    }
+                                ]
+                            },
+                            "Condition": {
+                                "$ref": "#/definitions/conditions"
+                            }
+                        },
+                        "required": [
+                            "Action",
+                            "Effect",
+                            "Principal",
+                            "Resource"
+                        ]
+                    }
+                },
+                {
+                    "type": [
+                        "object"
+                    ],
+                    "properties": {
+                        "Sid": {
+                            "type": "string",
+                            "pattern": "^[a-zA-Z0-9]+$"
+                        },
+                        "Action": {
+                            "oneOf": [
+                                {
+                                    "$ref": "#/definitions/actionItem"
+                                },
+                                {
+                                    "type": "array",
+                                    "items": {
+                                        "$ref": "#/definitions/actionItem"
+                                    }
+                                }
+                            ]
+                        },
+                        "Effect": {
+                            "type": "string",
+                            "enum": [
+                                "Allow",
+                                "Deny"
+                            ]
+                        },
+                        "Principal": {
+                            "$ref": "#/definitions/principalItem"
+                        },
+                        "Resource": {
+                            "oneOf": [
+                                {
+                                    "$ref": "#/definitions/resourceItem"
+                                },
+                                {
+                                    "type": "array",
+                                    "items": {
+                                        "$ref": "#/definitions/resourceItem"
+                                    },
+                                    "minItems": 1
+                                }
+                            ]
+                        },
+                        "Condition": {
+                            "$ref": "#/definitions/conditions"
+                        }
+                    },
+                    "required": [
+                        "Action",
+                        "Effect",
+                        "Resource",
+                        "Principal"
+                    ]
+                }
+            ]
+        }
+    },
+    "required": [
+        "Version",
+        "Statement"
+    ],
+    "additionalProperties": false
+}

lib/policy/userPolicySchema.json

@@ -1,7 +1,7 @@
 {
     "$schema": "http://json-schema.org/draft-06/schema#",
     "type": "object",
-    "title": "AWS Policy schema.",
+    "title": "AWS User Policy schema.",
     "description": "This schema describes a user policy per AWS policy grammar rules",
     "definitions": {
         "principalService": {

lib/policyEvaluator/RequestContext.js

@@ -134,7 +134,7 @@ class RequestContext {
         requesterIp, sslEnabled, apiMethod,
         awsService, locationConstraint, requesterInfo,
         signatureVersion, authType, signatureAge, securityToken, policyArn,
-        action) {
+        action, postXml) {
         this._headers = headers;
         this._query = query;
         this._requesterIp = requesterIp;
@@ -163,6 +163,10 @@ class RequestContext {
         this._policyArn = policyArn;
         this._action = action;
         this._needQuota = _actionNeedQuotaCheck[apiMethod] === true;
+        this._postXml = postXml;
+        this._requestObjTags = null;
+        this._existingObjTag = null;
+        this._needTagEval = false;
         return this;
     }
 
@@ -191,6 +195,10 @@ class RequestContext {
             securityToken: this._securityToken,
             policyArn: this._policyArn,
             action: this._action,
+            postXml: this._postXml,
+            requestObjTags: this._requestObjTags,
+            existingObjTag: this._existingObjTag,
+            needTagEval: this._needTagEval,
         };
         return JSON.stringify(requestInfo);
     }
@@ -216,7 +224,7 @@ class RequestContext {
             obj.apiMethod, obj.awsService, obj.locationConstraint,
             obj.requesterInfo, obj.signatureVersion,
             obj.authType, obj.signatureAge, obj.securityToken, obj.policyArn,
-            obj.action);
+            obj.action, obj.postXml);
     }
 
     /**
@@ -559,6 +567,86 @@ class RequestContext {
     isQuotaCheckNeeded() {
         return this._needQuota;
     }
+
+    /**
+     * Set request post
+     *
+     * @param {string} postXml - request post
+     * @return {RequestContext} itself
+     */
+    setPostXml(postXml) {
+        this._postXml = postXml;
+        return this;
+    }
+
+    /**
+     * Get request post
+     *
+     * @return {string} request post
+     */
+    getPostXml() {
+        return this._postXml;
+    }
+
+    /**
+     * Set request object tags
+     *
+     * @param {string} requestObjTags - object tag(s) included in request in query string form
+     * @return {RequestContext} itself
+     */
+    setRequestObjTags(requestObjTags) {
+        this._requestObjTags = requestObjTags;
+        return this;
+    }
+
+    /**
+     * Get request object tags
+     *
+     * @return {string} request object tag(s)
+     */
+    getRequestObjTags() {
+        return this._requestObjTags;
+    }
+
+    /**
+     * Set info on existing tag on object included in request
+     *
+     * @param {string} existingObjTag - existing object tag in query string form
+     * @return {RequestContext} itself
+     */
+    setExistingObjTag(existingObjTag) {
+        this._existingObjTag = existingObjTag;
+        return this;
+    }
+
+    /**
+     * Get existing object tag
+     *
+     * @return {string} existing object tag
+     */
+    getExistingObjTag() {
+        return this._existingObjTag;
+    }
+
+    /**
+     * Set whether IAM policy tag condition keys should be evaluated
+     *
+     * @param {boolean} needTagEval - whether to evaluate tags
+     * @return {RequestContext} itself
+     */
+    setNeedTagEval(needTagEval) {
+        this._needTagEval = needTagEval;
+        return this;
+    }
+
+    /**
+     * Get needTagEval param
+     *
+     * @return {boolean} needTagEval - whether IAM policy tags condition keys should be evaluated
+     */
+    getNeedTagEval() {
+        return this._needTagEval;
+    }
 }
 
 module.exports = RequestContext;

lib/policyEvaluator/evaluator.js

@@ -6,6 +6,7 @@ const conditions = require('./utils/conditions.js');
 const findConditionKey = conditions.findConditionKey;
 const convertConditionOperator = conditions.convertConditionOperator;
 const checkArnMatch = require('./utils/checkArnMatch.js');
+const { transformTagKeyValue } = require('./utils/objectTags');
 
 const evaluators = {};
 
@@ -16,6 +17,7 @@ const operatorsWithVariables = ['StringEquals', 'StringNotEquals',
 const operatorsWithNegation = ['StringNotEquals',
     'StringNotEqualsIgnoreCase', 'StringNotLike', 'ArnNotEquals',
     'ArnNotLike', 'NumericNotEquals'];
+const tagConditions = new Set(['s3:ExistingObjectTag', 's3:RequestObjectTagKey', 's3:RequestObjectTagKeys']);
 
 
 /**
@@ -67,7 +69,7 @@ function isResourceApplicable(requestContext, statementResource, log) {
  * @param {Object} log - logger
  * @return {boolean} true if applicable, false if not
  */
-function isActionApplicable(requestAction, statementAction, log) {
+evaluators.isActionApplicable = (requestAction, statementAction, log) => {
     if (!Array.isArray(statementAction)) {
         // eslint-disable-next-line no-param-reassign
         statementAction = [statementAction];
@@ -89,27 +91,34 @@ function isActionApplicable(requestAction, statementAction, log) {
         { requestAction });
     // If no match found, return false
     return false;
-}
+};
 
 /**
  * Check whether request meets policy conditions
  * @param {RequestContext} requestContext - info about request
  * @param {Object} statementCondition - Condition statement from policy
  * @param {Object} log - logger
- * @return {boolean} true if meet conditions, false if not
+ * @return {Object} contains whether conditions are allowed and whether they
+ * contain any tag condition keys
  */
 evaluators.meetConditions = (requestContext, statementCondition, log) => {
     // The Condition portion of a policy is an object with different
     // operators as keys
+    const conditionEval = {};
     const operators = Object.keys(statementCondition);
     const length = operators.length;
     for (let i = 0; i < length; i++) {
         const operator = operators[i];
+        const hasPrefix = operator.includes(':');
         const hasIfExistsCondition = operator.endsWith('IfExists');
-        // If has "IfExists" added to operator name, find operator name
-        // without "IfExists"
-        const bareOperator = hasIfExistsCondition ? operator.slice(0, -8) :
+        // If has "IfExists" added to operator name, or operator has "ForAnyValue" or
+        // "For All Values" prefix, find operator name without "IfExists" or prefix
+        let bareOperator = hasIfExistsCondition ? operator.slice(0, -8) :
             operator;
+        let prefix;
+        if (hasPrefix) {
+            [prefix, bareOperator] = bareOperator.split(':');
+        }
         const operatorCanHaveVariables =
             operatorsWithVariables.indexOf(bareOperator) > -1;
         const isNegationOperator =
@@ -118,6 +127,9 @@ evaluators.meetConditions = (requestContext, statementCondition, log) => {
         // Note: this should be the actual operator name, not the bareOperator
         const conditionsWithSameOperator = statementCondition[operator];
         const conditionKeys = Object.keys(conditionsWithSameOperator);
+        if (conditionKeys.some(key => tagConditions.has(key)) && !requestContext.getNeedTagEval()) {
+            conditionEval.tagConditions = true;
+        }
         const conditionKeysLength = conditionKeys.length;
         for (let j = 0; j < conditionKeysLength; j++) {
             const key = conditionKeys[j];
@@ -130,14 +142,18 @@ evaluators.meetConditions = (requestContext, statementCondition, log) => {
                 value = value.map(item =>
                     substituteVariables(item, requestContext));
             }
+            // if condition key is RequestObjectTag or ExistingObjectTag,
+            // tag key is included in condition key and needs to be
+            // moved to value for evaluation, otherwise key/value are unchanged
+            const [transformedKey, transformedValue] = transformTagKeyValue(key, value);
             // Pull key using requestContext
             // TODO: If applicable to S3, handle policy set operations
             // where a keyBasedOnRequestContext returns multiple values and
             // condition has "ForAnyValue" or "ForAllValues".
             // (see http://docs.aws.amazon.com/IAM/latest/UserGuide/
             // reference_policies_multi-value-conditions.html)
-            const keyBasedOnRequestContext =
-                findConditionKey(key, requestContext);
+            let keyBasedOnRequestContext =
+                findConditionKey(transformedKey, requestContext);
             // Handle IfExists and negation operators
             if ((keyBasedOnRequestContext === undefined ||
                 keyBasedOnRequestContext === null) &&
@@ -154,22 +170,27 @@ evaluators.meetConditions = (requestContext, statementCondition, log) => {
                 bareOperator !== 'Null') {
                 log.trace('condition not satisfied due to ' +
                 'missing info', { operator,
-                    conditionKey: key, policyValue: value });
-                return false;
+                    conditionKey: transformedKey, policyValue: transformedValue });
+                return { allow: false };
+            }
+            // If condition operator prefix is included, the key should be an array
+            if (prefix && !Array.isArray(keyBasedOnRequestContext)) {
+                keyBasedOnRequestContext = [keyBasedOnRequestContext];
             }
             // Transalate operator into function using bareOperator
             const operatorFunction = convertConditionOperator(bareOperator);
             // Note: Wildcards are handled in the comparison operator function
             // itself since StringLike, StringNotLike, ArnLike and ArnNotLike
             // are the only operators where wildcards are allowed
-            if (!operatorFunction(keyBasedOnRequestContext, value)) {
+            if (!operatorFunction(keyBasedOnRequestContext, transformedValue, prefix)) {
                 log.trace('did not satisfy condition', { operator: bareOperator,
-                    keyBasedOnRequestContext, policyValue: value });
-                return false;
+                    keyBasedOnRequestContext, policyValue: transformedValue });
+                return { allow: false };
             }
         }
     }
-    return true;
+    conditionEval.allow = true;
+    return conditionEval;
 };
 
 /**
@@ -209,21 +230,22 @@ evaluators.evaluatePolicy = (requestContext, policy, log) => {
         // If affirmative action is in policy and request action is not
         // applicable, move on to next statement
         if (currentStatement.Action &&
-            !isActionApplicable(requestContext.getAction(),
+            !evaluators.isActionApplicable(requestContext.getAction(),
             currentStatement.Action, log)) {
             continue;
         }
         // If NotAction is in policy and action matches NotAction in policy,
         // move on to next statement
         if (currentStatement.NotAction &&
-            isActionApplicable(requestContext.getAction(),
+            evaluators.isActionApplicable(requestContext.getAction(),
             currentStatement.NotAction, log)) {
             continue;
         }
+        const conditionEval = currentStatement.Condition ?
+            evaluators.meetConditions(requestContext, currentStatement.Condition, log) :
+            null;
         // If do not meet conditions move on to next statement
-        if (currentStatement.Condition &&
-            !evaluators.meetConditions(requestContext,
-            currentStatement.Condition, log)) {
+        if (conditionEval && !conditionEval.allow) {
             continue;
         }
         if (currentStatement.Effect === 'Deny') {
@@ -235,6 +257,9 @@ evaluators.evaluatePolicy = (requestContext, policy, log) => {
         // If statement is applicable, conditions are met and Effect is
         // to Allow, set verdict to Allow
         verdict = 'Allow';
+        if (conditionEval && conditionEval.tagConditions) {
+            verdict = 'NeedTagConditionEval';
+        }
     }
     log.trace('result of evaluating single policy', { verdict });
     return verdict;

lib/policyEvaluator/principal.js

@@ -35,7 +35,8 @@ class Principal {
                 // In case of anonymous NotPrincipal, this will neutral everyone
                 return 'Neutral';
             }
-            if (!Principal._evaluateCondition(params, statement)) {
+            const conditionEval = Principal._evaluateCondition(params, statement);
+            if (!conditionEval || conditionEval.allow === false) {
                 return 'Neutral';
             }
             return statement.Effect;
@@ -65,7 +66,8 @@ class Principal {
             if (reverse) {
                 return 'Neutral';
             }
-            if (!Principal._evaluateCondition(params, statement)) {
+            const conditionEval = Principal._evaluateCondition(params, statement);
+            if (!conditionEval || conditionEval.allow === false) {
                 return 'Neutral';
             }
             return statement.Effect;
@@ -76,7 +78,8 @@ class Principal {
                 if (reverse) {
                     return 'Neutral';
                 }
-                if (!Principal._evaluateCondition(params, statement)) {
+                const conditionEval = Principal._evaluateCondition(params, statement);
+                if (!conditionEval || conditionEval.allow === false) {
                     return 'Neutral';
                 }
                 return statement.Effect;

lib/policyEvaluator/utils/actionMaps.js

@@ -1,11 +1,15 @@
 const sharedActionMap = {
     bucketDelete: 's3:DeleteBucket',
+    bucketDeletePolicy: 's3:DeleteBucketPolicy',
     bucketDeleteWebsite: 's3:DeleteBucketWebsite',
     bucketGet: 's3:ListBucket',
     bucketGetACL: 's3:GetBucketAcl',
     bucketGetCors: 's3:GetBucketCORS',
     bucketGetLifecycle: 's3:GetLifecycleConfiguration',
     bucketGetLocation: 's3:GetBucketLocation',
+    bucketGetNotification: 's3:GetBucketNotificationConfiguration',
+    bucketGetObjectLock: 's3:GetBucketObjectLockConfiguration',
+    bucketGetPolicy: 's3:GetBucketPolicy',
     bucketGetReplication: 's3:GetReplicationConfiguration',
     bucketGetVersioning: 's3:GetBucketVersioning',
     bucketGetWebsite: 's3:GetBucketWebsite',
@@ -13,6 +17,9 @@ const sharedActionMap = {
     bucketPutACL: 's3:PutBucketAcl',
     bucketPutCors: 's3:PutBucketCORS',
     bucketPutLifecycle: 's3:PutLifecycleConfiguration',
+    bucketPutNotification: 's3:PutBucketNotificationConfiguration',
+    bucketPutObjectLock: 's3:PutBucketObjectLockConfiguration',
+    bucketPutPolicy: 's3:PutBucketPolicy',
     bucketPutReplication: 's3:PutReplicationConfiguration',
     bucketPutVersioning: 's3:PutBucketVersioning',
     bucketPutWebsite: 's3:PutBucketWebsite',
@@ -23,9 +30,13 @@ const sharedActionMap = {
     objectDeleteTagging: 's3:DeleteObjectTagging',
     objectGet: 's3:GetObject',
     objectGetACL: 's3:GetObjectAcl',
+    objectGetLegalHold: 's3:GetObjectLegalHold',
+    objectGetRetention: 's3:GetObjectRetention',
     objectGetTagging: 's3:GetObjectTagging',
     objectPut: 's3:PutObject',
     objectPutACL: 's3:PutObjectAcl',
+    objectPutLegalHold: 's3:PutObjectLegalHold',
+    objectPutRetention: 's3:PutObjectRetention',
     objectPutTagging: 's3:PutObjectTagging',
 };
 
@@ -54,17 +65,7 @@ const actionMapRQ = Object.assign({
 }, sharedActionMap);
 
 // action map used for bucket policies
-const actionMapBP = Object.assign({
-    bucketDeletePolicy: 's3:DeleteBucketPolicy',
-    bucketGetObjectLock: 's3:GetBucketObjectLockConfiguration',
-    bucketGetPolicy: 's3:GetBucketPolicy',
-    bucketPutObjectLock: 's3:PutBucketObjectLockConfiguration',
-    bucketPutPolicy: 's3:PutBucketPolicy',
-    objectGetLegalHold: 's3:GetObjectLegalHold',
-    objectGetRetention: 's3:GetObjectRetention',
-    objectPutLegalHold: 's3:PutObjectLegalHold',
-    objectPutRetention: 's3:PutObjectRetention',
-}, sharedActionMap);
+const actionMapBP = Object.assign({}, sharedActionMap);
 
 // action map for all relevant s3 actions
 const actionMapS3 = Object.assign({
@@ -76,6 +77,7 @@ const actionMonitoringMapS3 = {
     bucketDelete: 'DeleteBucket',
     bucketDeleteCors: 'DeleteBucketCors',
     bucketDeleteLifecycle: 'DeleteBucketLifecycle',
+    bucketDeletePolicy: 'DeleteBucketPolicy',
     bucketDeleteReplication: 'DeleteBucketReplication',
     bucketDeleteWebsite: 'DeleteBucketWebsite',
     bucketGet: 'ListObjects',
@@ -83,6 +85,9 @@ const actionMonitoringMapS3 = {
     bucketGetCors: 'GetBucketCors',
     bucketGetLifecycle: 'GetBucketLifecycleConfiguration',
     bucketGetLocation: 'GetBucketLocation',
+    bucketGetNotification: 'GetBucketNotificationConfiguration',
+    bucketGetObjectLock: 'GetObjectLockConfiguration',
+    bucketGetPolicy: 'GetBucketPolicy',
     bucketGetReplication: 'GetBucketReplication',
     bucketGetVersioning: 'GetBucketVersioning',
     bucketGetWebsite: 'GetBucketWebsite',
@@ -91,6 +96,9 @@ const actionMonitoringMapS3 = {
     bucketPutACL: 'PutBucketAcl',
     bucketPutCors: 'PutBucketCors',
     bucketPutLifecycle: 'PutBucketLifecycleConfiguration',
+    bucketPutNotification: 'PutBucketNotificationConfiguration',
+    bucketPutObjectLock: 'PutObjectLockConfiguration',
+    bucketPutPolicy: 'PutBucketPolicy',
     bucketPutReplication: 'PutBucketReplication',
     bucketPutVersioning: 'PutBucketVersioning',
     bucketPutWebsite: 'PutBucketWebsite',
@@ -105,12 +113,16 @@ const actionMonitoringMapS3 = {
     objectDeleteTagging: 'DeleteObjectTagging',
     objectGet: 'GetObject',
     objectGetACL: 'GetObjectAcl',
+    objectGetLegalHold: 'GetObjectLegalHold',
+    objectGetRetention: 'GetObjectRetention',
     objectGetTagging: 'GetObjectTagging',
     objectHead: 'HeadObject',
     objectPut: 'PutObject',
     objectPutACL: 'PutObjectAcl',
     objectPutCopyPart: 'UploadPartCopy',
+    objectPutLegalHold: 'PutObjectLegalHold',
     objectPutPart: 'UploadPart',
+    objectPutRetention: 'PutObjectRetention',
     objectPutTagging: 'PutObjectTagging',
     serviceGet: 'ListBuckets',
 };
@@ -145,6 +157,12 @@ const actionMapIAM = {
     listUsers: 'iam:ListUsers',
     putGroupPolicy: 'iam:PutGroupPolicy',
     removeUserFromGroup: 'iam:RemoveUserFromGroup',
+    updateAccessKey: 'iam:UpdateAccessKey',
+    updateGroup: 'iam:UpdateGroup',
+    updateUser: 'iam:UpdateUser',
+    getAccessKeyLastUsed: 'iam:GetAccessKeyLastUsed',
+    generateCredentialReport: 'iam:GenerateCredentialReport',
+    getCredentialReport: 'iam:GetCredentialReport',
 };
 
 const actionMapSSO = {

lib/policyEvaluator/utils/conditions.js

@@ -4,6 +4,7 @@
 const checkIPinRangeOrMatch = require('../../ipCheck').checkIPinRangeOrMatch;
 const handleWildcards = require('./wildcards.js').handleWildcards;
 const checkArnMatch = require('./checkArnMatch.js');
+const { getTagKeys } = require('./objectTags');
 const conditions = {};
 
 /**
@@ -146,6 +147,25 @@ conditions.findConditionKey = (key, requestContext) => {
         headers['x-amz-meta-scal-location-constraint']);
     map.set('sts:ExternalId', requestContext.getRequesterExternalId());
     map.set('iam:PolicyArn', requestContext.getPolicyArn());
+    // s3:ExistingObjectTag - Used to check that existing object tag has
+    // specific tag key and value. Extraction of correct tag key is done in CloudServer.
+    // On first pass of policy evaluation, CloudServer information will not be included,
+    // so evaluation should be skipped
+    map.set('s3:ExistingObjectTag', requestContext.getNeedTagEval() ? requestContext.getExistingObjTag() : undefined);
+    // s3:RequestObjectTag - Used to limit putting object tags to specific
+    // tag key and value. N/A here.
+    // Requires information from CloudServer
+    // On first pass of policy evaluation, CloudServer information will not be included,
+    // so evaluation should be skipped
+    map.set('s3:RequestObjectTagKey', requestContext.getNeedTagEval() ? requestContext.getRequestObjTags() : undefined);
+    // s3:RequestObjectTagKeys - Used to limit putting object tags specific tag keys.
+    // Requires information from CloudServer.
+    // On first pass of policy evaluation, CloudServer information will not be included,
+    // so evaluation should be skipped
+    map.set('s3:RequestObjectTagKeys',
+        requestContext.getNeedTagEval() && requestContext.getRequestObjTags()
+        ? getTagKeys(requestContext.getRequestObjTags())
+        : undefined);
     return map.get(key);
 };
 
@@ -232,12 +252,21 @@ conditions.convertConditionOperator = operator => {
                 // eslint-disable-next-line new-cap
                 return !operatorMap.StringEqualsIgnoreCase(key, value);
             },
-        StringLike: function stringLike(key, value) {
-            return value.some(item => {
-                const wildItem = handleWildcards(item);
-                const wildRegEx = new RegExp(wildItem);
-                return wildRegEx.test(key);
-            });
+        StringLike: function stringLike(key, value, prefix) {
+            function policyValRegex(testKey) {
+                return value.some(item => {
+                    const wildItem = handleWildcards(item);
+                    const wildRegEx = new RegExp(wildItem);
+                    return wildRegEx.test(testKey);
+                });
+            }
+            if (prefix === 'ForAnyValue') {
+                return key.some(policyValRegex);
+            }
+            if (prefix === 'ForAllValues') {
+                return key.every(policyValRegex);
+            }
+            return policyValRegex(key);
         },
         StringNotLike: function stringNotLike(key, value) {
             // eslint-disable-next-line new-cap

lib/policyEvaluator/utils/objectTags.js

@@ -0,0 +1,33 @@
+/**
+ * Removes tag key value from condition key and adds it to value if needed
+ * @param {string} key - condition key
+ * @param {string} value - condition value
+ * @return {array} key/value pair to use
+ */
+function transformTagKeyValue(key, value) {
+    const patternKeys = ['s3:ExistingObjectTag/', 's3:RequestObjectTagKey/'];
+    if (!patternKeys.some(k => key.includes(k))) {
+        return [key, value];
+    }
+    // if key is RequestObjectTag or ExistingObjectTag,
+    // remove tag key from condition key and add to value
+    // and transform value into query string
+    const [conditionKey, tagKey] = key.split('/');
+    const transformedValue = [tagKey, value].join('=');
+    return [conditionKey, [transformedValue]];
+}
+
+/**
+ * Gets array of tag key names from request tag query string
+ * @param {string} tagQuery - request tags in query string format
+ * @return {array} array of tag key names
+ */
+function getTagKeys(tagQuery) {
+    return tagQuery.split('&')
+        .map(tag => tag.split('=')[0]);
+}
+
+module.exports = {
+    transformTagKeyValue,
+    getTagKeys,
+};

lib/s3middleware/objectLegalHold.js

@@ -0,0 +1,112 @@
+const { parseString } = require('xml2js');
+const errors = require('../errors');
+
+/*
+    Format of the xml request:
+    <LegalHold>
+        <Status>ON|OFF</Status>
+    </LegalHold>
+*/
+
+/**
+ * @param {string[]} status - legal hold status parsed from xml to be validated
+ * @return {Error|object} - legal hold status or error
+ */
+function _validateStatus(status) {
+    const validatedStatus = {};
+    const expectedValues = new Set(['OFF', 'ON']);
+    if (!status || status[0] === '') {
+        validatedStatus.error = errors.MalformedXML.customizeDescription(
+            'request xml does not contain Status');
+        return validatedStatus;
+    }
+    if (status.length > 1) {
+        validatedStatus.error = errors.MalformedXML.customizeDescription(
+            'request xml contains more than one Status');
+        return validatedStatus;
+    }
+    if (!expectedValues.has(status[0])) {
+        validatedStatus.error = errors.MalformedXML.customizeDescription(
+            'Status request xml must be one of "ON", "OFF"');
+        return validatedStatus;
+    }
+    validatedStatus.status = status[0];
+    return validatedStatus;
+}
+
+/**
+ * validate legal hold - validates legal hold xml
+ * @param {object} parsedXml - parsed legal hold xml object
+ * @return {object} - object with status or error
+ */
+function _validateLegalHold(parsedXml) {
+    const validatedLegalHold = {};
+    if (!parsedXml) {
+        validatedLegalHold.error = errors.MalformedXML.customizeDescription(
+            'request xml is undefined or empty');
+        return validatedLegalHold;
+    }
+    if (!parsedXml.LegalHold) {
+        validatedLegalHold.error = errors.MalformedXML.customizeDescription(
+            'request xml does not contain LegalHold');
+        return validatedLegalHold;
+    }
+    const validatedStatus = _validateStatus(parsedXml.LegalHold.Status);
+    if (validatedStatus.error) {
+        validatedLegalHold.error = validatedStatus.error;
+        return validatedLegalHold;
+    }
+    validatedLegalHold.status = validatedStatus.status;
+    return validatedLegalHold;
+}
+
+/**
+ * parse object legal hold - parse and validate xml body
+ * @param {string} xml - xml body to parse and validate
+ * @param {object} log - werelogs logger
+ * @param {function} cb - callback to server
+ * @return {undefined} - calls callback with legal hold status or error
+ */
+function parseLegalHoldXml(xml, log, cb) {
+    parseString(xml, (err, result) => {
+        if (err) {
+            log.debug('xml parsing failed', {
+                error: { message: err.message },
+                method: 'parseLegalHoldXml',
+                xml,
+            });
+            return cb(errors.MalformedXML);
+        }
+        const validatedLegalHold = _validateLegalHold(result);
+        const validatedLegalHoldStatus = validatedLegalHold.status === 'ON';
+        if (validatedLegalHold.error) {
+            log.debug('legal hold validation failed', {
+                error: { message: validatedLegalHold.error.message },
+                method: 'parseLegalHoldXml',
+                xml,
+            });
+            return cb(validatedLegalHold.error);
+        }
+        return cb(null, validatedLegalHoldStatus);
+    });
+}
+
+/**
+ * convert to xml - generates legal hold xml
+ * @param {(boolean|undefined)} legalHold - true if legal hold is on
+ * false if legal hold is off, undefined if legal hold is not set
+ * @return {string} - returns legal hold xml
+ */
+function convertToXml(legalHold) {
+    if (!legalHold && legalHold !== false) {
+        return '';
+    }
+    const xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+        `<LegalHold><Status>${legalHold ? 'ON' : 'OFF'}</Status></LegalHold>`;
+    return xml;
+}
+
+module.exports = {
+    convertToXml,
+    parseLegalHoldXml,
+};

lib/s3middleware/objectRetention.js

@@ -0,0 +1,156 @@
+const { parseString } = require('xml2js');
+
+const constants = require('../constants');
+const errors = require('../errors');
+
+/*
+    Format of xml request:
+    <Retention>
+      <Mode>COMPLIANCE|GOVERNANCE</Mode>
+      <RetainUntilDate>2020-05-20T04:58:45.413000Z</RetainUntilDate>
+    </Retention>
+*/
+
+/**
+ * validateMode - validate retention mode
+ * @param {array} mode - parsed xml mode array
+ * @return {object} - contains mode or error
+ */
+function validateMode(mode) {
+    const modeObj = {};
+    const expectedModes = new Set(['GOVERNANCE', 'COMPLIANCE']);
+    if (!mode || !mode[0]) {
+        modeObj.error = errors.MalformedXML.customizeDescription(
+            'request xml does not contain Mode');
+        return modeObj;
+    }
+    if (mode.length > 1) {
+        modeObj.error = errors.MalformedXML.customizeDescription(
+            'request xml contains more than one Mode');
+        return modeObj;
+    }
+    if (!expectedModes.has(mode[0])) {
+        modeObj.error = errors.MalformedXML.customizeDescription(
+            'Mode request xml must be one of "GOVERNANCE", "COMPLIANCE"');
+        return modeObj;
+    }
+    modeObj.mode = mode[0];
+    return modeObj;
+}
+
+/**
+ * validateRetainDate - validate retain until date
+ * @param {array} retainDate - parsed xml retention date array
+ * @return {object} - contains retain until date or error
+ */
+function validateRetainDate(retainDate) {
+    const dateObj = {};
+    if (!retainDate || !retainDate[0]) {
+        dateObj.error = errors.MalformedXML.customizeDescription(
+            'request xml does not contain RetainUntilDate');
+        return dateObj;
+    }
+    if (!constants.shortIso8601Regex.test(retainDate[0]) &&
+        !constants.longIso8601Regex.test(retainDate[0])) {
+        dateObj.error = errors.InvalidRequest.customizeDescription(
+            'RetainUntilDate timestamp must be ISO-8601 format');
+        return dateObj;
+    }
+    const date = new Date(retainDate[0]);
+    if (date < Date.now()) {
+        dateObj.error = errors.InvalidRequest.customizeDescription(
+            'RetainUntilDate must be in the future');
+        return dateObj;
+    }
+    dateObj.date = retainDate[0];
+    return dateObj;
+}
+
+/**
+ * validate retention - validate retention xml
+ * @param {object} parsedXml - parsed retention xml object
+ * @return {object} - contains retention information on success,
+ * error on failure
+ */
+function validateRetention(parsedXml) {
+    const retentionObj = {};
+    if (!parsedXml) {
+        retentionObj.error = errors.MalformedXML.customizeDescription(
+            'request xml is undefined or empty');
+        return retentionObj;
+    }
+    const retention = parsedXml.Retention;
+    if (!retention) {
+        retentionObj.error = errors.MalformedXML.customizeDescription(
+            'request xml does not contain Retention');
+        return retentionObj;
+    }
+    const modeObj = validateMode(retention.Mode);
+    if (modeObj.error) {
+        retentionObj.error = modeObj.error;
+        return retentionObj;
+    }
+    const dateObj = validateRetainDate(retention.RetainUntilDate);
+    if (dateObj.error) {
+        retentionObj.error = dateObj.error;
+        return retentionObj;
+    }
+    retentionObj.mode = modeObj.mode;
+    retentionObj.date = dateObj.date;
+    return retentionObj;
+}
+
+/**
+ * parseRetentionXml - Parse and validate xml body, returning callback with
+ * object retentionObj: { mode: <value>, date: <value> }
+ * @param {string} xml - xml body to parse and validate
+ * @param {object} log - Werelogs logger
+ * @param {function} cb - callback to server
+ * @return {undefined} - calls callback with object retention or error
+ */
+function parseRetentionXml(xml, log, cb) {
+    parseString(xml, (err, result) => {
+        if (err) {
+            log.trace('xml parsing failed', {
+                error: err,
+                method: 'parseRetentionXml',
+            });
+            log.debug('invalid xml', { xml });
+            return cb(errors.MalformedXML);
+        }
+        const retentionObj = validateRetention(result);
+        if (retentionObj.error) {
+            log.debug('retention validation failed', {
+                error: retentionObj.error,
+                method: 'validateRetention',
+                xml,
+            });
+            return cb(retentionObj.error);
+        }
+        return cb(null, retentionObj);
+    });
+}
+
+/**
+ * convertToXml - Convert retention info object to xml
+ * @param {string} mode - retention mode
+ * @param {string} date - retention retain until date
+ * @return {string} - returns retention information xml string
+ */
+function convertToXml(mode, date) {
+    const xml = [];
+    xml.push('<Retention xmlns="http://s3.amazonaws.com/doc/2006-03-01/">');
+    if (mode && date) {
+        xml.push(`<Mode>${mode}</Mode>`);
+        xml.push(`<RetainUntilDate>${date}</RetainUntilDate>`);
+    } else {
+        return '';
+    }
+    xml.push('</Retention>');
+    return xml.join('');
+}
+
+module.exports = {
+    parseRetentionXml,
+    convertToXml,
+};

lib/s3routes/routes/routeDELETE.js

@@ -45,6 +45,13 @@ function routeDELETE(request, response, api, log, statsClient) {
                 return routesUtils.responseNoBody(err, corsHeaders,
                     response, 204, log);
             });
+        } else if (request.query.policy !== undefined) {
+            return api.callApiMethod('bucketDeletePolicy', request,
+            response, log, (err, corsHeaders) => {
+                routesUtils.statsReport500(err, statsClient);
+                return routesUtils.responseNoBody(err, corsHeaders,
+                    response, 204, log);
+            });
         }
         api.callApiMethod('bucketDelete', request, response, log,
         (err, corsHeaders) => {

lib/s3routes/routes/routeGET.js

@@ -51,11 +51,11 @@ function routerGET(request, response, api, log, statsClient, dataRetrievalFn) {
                 });
         } else if (request.query.lifecycle !== undefined) {
             api.callApiMethod('bucketGetLifecycle', request, response, log,
-            (err, xml, corsHeaders) => {
-                routesUtils.statsReport500(err, statsClient);
-                routesUtils.responseXMLBody(err, xml, response, log,
-                    corsHeaders);
-            });
+                (err, xml, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    routesUtils.responseXMLBody(err, xml, response, log,
+                        corsHeaders);
+                });
         } else if (request.query.uploads !== undefined) {
             // List MultipartUploads
             api.callApiMethod('listMultipartUploads', request, response, log,
@@ -71,6 +71,27 @@ function routerGET(request, response, api, log, statsClient, dataRetrievalFn) {
                     return routesUtils.responseXMLBody(err, xml, response, log,
                       corsHeaders);
                 });
+        } else if (request.query.policy !== undefined) {
+            api.callApiMethod('bucketGetPolicy', request, response, log,
+                (err, xml, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseXMLBody(err, xml, response,
+                        log, corsHeaders);
+                });
+        } else if (request.query['object-lock'] !== undefined) {
+            api.callApiMethod('bucketGetObjectLock', request, response, log,
+                (err, xml, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseXMLBody(err, xml, response,
+                        log, corsHeaders);
+                });
+        } else if (request.query.notification !== undefined) {
+            api.callApiMethod('bucketGetNotification', request, response, log,
+                (err, xml, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseXMLBody(err, xml, response,
+                        log, corsHeaders);
+                });
         } else {
             // GET bucket
             api.callApiMethod('bucketGet', request, response, log,
@@ -81,7 +102,6 @@ function routerGET(request, response, api, log, statsClient, dataRetrievalFn) {
                 });
         }
     } else {
-        /* eslint-disable no-lonely-if */
         if (request.query.acl !== undefined) {
             // GET object ACL
             api.callApiMethod('objectGetACL', request, response, log,
@@ -90,8 +110,14 @@ function routerGET(request, response, api, log, statsClient, dataRetrievalFn) {
                     return routesUtils.responseXMLBody(err, xml, response, log,
                         corsHeaders);
                 });
+        } else if (request.query['legal-hold'] !== undefined) {
+            api.callApiMethod('objectGetLegalHold', request, response, log,
+                (err, xml, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseXMLBody(err, xml, response, log,
+                        corsHeaders);
+                });
         } else if (request.query.tagging !== undefined) {
-            // GET object Tagging
             api.callApiMethod('objectGetTagging', request, response, log,
                 (err, xml, corsHeaders) => {
                     routesUtils.statsReport500(err, statsClient);
@@ -106,6 +132,13 @@ function routerGET(request, response, api, log, statsClient, dataRetrievalFn) {
                     return routesUtils.responseXMLBody(err, xml, response, log,
                         corsHeaders);
                 });
+        } else if (request.query.retention !== undefined) {
+            api.callApiMethod('objectGetRetention', request, response, log,
+                (err, xml, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseXMLBody(err, xml, response, log,
+                        corsHeaders);
+                });
         } else {
             // GET object
             api.callApiMethod('objectGet', request, response, log,
@@ -121,7 +154,6 @@ function routerGET(request, response, api, log, statsClient, dataRetrievalFn) {
                         range, log);
                 });
         }
-        /* eslint-enable */
     }
 }
 

lib/s3routes/routes/routePUT.js

@@ -16,7 +16,6 @@ function routePUT(request, response, api, log, statsClient) {
             return routesUtils.responseNoBody(
               errors.BadRequest, null, response, null, log);
         }
-
         // PUT bucket ACL
         if (request.query.acl !== undefined) {
             api.callApiMethod('bucketPutACL', request, response, log,
@@ -60,6 +59,27 @@ function routePUT(request, response, api, log, statsClient) {
                     routesUtils.responseNoBody(err, corsHeaders, response, 200,
                         log);
                 });
+        } else if (request.query.policy !== undefined) {
+            api.callApiMethod('bucketPutPolicy', request, response, log,
+                (err, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    routesUtils.responseNoBody(err, corsHeaders, response, 200,
+                        log);
+                });
+        } else if (request.query['object-lock'] !== undefined) {
+            api.callApiMethod('bucketPutObjectLock', request, response, log,
+                (err, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    routesUtils.responseNoBody(err, corsHeaders, response, 200,
+                        log);
+                });
+        } else if (request.query.notification !== undefined) {
+            api.callApiMethod('bucketPutNotification', request, response, log,
+                (err, corsHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    routesUtils.responseNoBody(err, corsHeaders, response, 200,
+                        log);
+                });
         } else {
             // PUT bucket
             return api.callApiMethod('bucketPut', request, response, log,
@@ -73,8 +93,8 @@ function routePUT(request, response, api, log, statsClient) {
                 });
         }
     } else {
-        // PUT object, PUT object ACL, PUT object multipart or
-        // PUT object copy
+        // PUT object, PUT object ACL, PUT object multipart,
+        // PUT object copy or PUT object legal hold
         // if content-md5 is not present in the headers, try to
         // parse content-md5 from meta headers
 
@@ -132,6 +152,13 @@ function routePUT(request, response, api, log, statsClient) {
                     return routesUtils.responseNoBody(err, resHeaders,
                         response, 200, log);
                 });
+        } else if (request.query['legal-hold'] !== undefined) {
+            api.callApiMethod('objectPutLegalHold', request, response, log,
+                (err, resHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseNoBody(err, resHeaders,
+                        response, 200, log);
+                });
         } else if (request.query.tagging !== undefined) {
             api.callApiMethod('objectPutTagging', request, response, log,
                 (err, resHeaders) => {
@@ -139,6 +166,13 @@ function routePUT(request, response, api, log, statsClient) {
                     return routesUtils.responseNoBody(err, resHeaders,
                         response, 200, log);
                 });
+        } else if (request.query.retention !== undefined) {
+            api.callApiMethod('objectPutRetention', request, response, log,
+                (err, resHeaders) => {
+                    routesUtils.statsReport500(err, statsClient);
+                    return routesUtils.responseNoBody(err, resHeaders,
+                        response, 200, log);
+                });
         } else if (request.headers['x-amz-copy-source']) {
             return api.callApiMethod('objectCopy', request, response, log,
                 (err, xml, additionalHeaders) => {
@@ -160,7 +194,6 @@ function routePUT(request, response, api, log, statsClient) {
             log.end().addDefaultFields({
                 contentLength: request.parsedContentLength,
             });
-
             api.callApiMethod('objectPut', request, response, log,
             (err, resHeaders) => {
                 routesUtils.statsReport500(err, statsClient);

package.json

@@ -3,7 +3,7 @@
   "engines": {
     "node": ">=6.9.5"
   },
-  "version": "7.5.0",
+  "version": "7.7.0",
   "description": "Common utilities for the S3 project components",
   "main": "index.js",
   "repository": {
@@ -48,6 +48,7 @@
     "eslint-config-scality": "scality/Guidelines#ec33dfb",
     "eslint-plugin-react": "^4.3.0",
     "mocha": "2.5.3",
+    "sinon": "^9.0.2",
     "temp": "0.9.1"
   },
   "scripts": {

tests/functional/kmip/highlevel.js

@@ -0,0 +1,68 @@
+'use strict'; // eslint-disable-line strict
+
+const assert = require('assert');
+const crypto = require('crypto');
+const async = require('async');
+const TTLVCodec = require('../../../lib/network/kmip/codec/ttlv.js');
+const LoopbackServerChannel =
+      require('../../utils/kmip/LoopbackServerChannel.js');
+const TransportTemplate =
+      require('../../../lib/network/kmip/transport/TransportTemplate.js');
+const KMIP = require('../../../lib/network/kmip');
+const KMIPClient = require('../../../lib/network/kmip/Client.js');
+const {
+    logger,
+} = require('../../utils/kmip/ersatz.js');
+
+class LoopbackServerTransport extends TransportTemplate {
+    constructor(options) {
+        super(new LoopbackServerChannel(KMIP, TTLVCodec), options);
+    }
+}
+
+describe('KMIP High Level Driver', () => {
+    [null, 'dummyAttributeName'].forEach(bucketNameAttributeName => {
+        [false, true].forEach(compoundCreateActivate => {
+            const options = {
+                kmip: {
+                    client: {
+                        bucketNameAttributeName,
+                        compoundCreateActivate,
+                    },
+                    codec: {},
+                    transport: {
+                        pipelineDepth: 8,
+                        tls: {
+                            port: 5696,
+                        },
+                    },
+                },
+            };
+            it('should work with' +
+               ` x-name attribute: ${!!bucketNameAttributeName},` +
+               ` compound creation: ${compoundCreateActivate}`,
+               done => {
+                   const kmipClient = new KMIPClient(options, TTLVCodec,
+                                                     LoopbackServerTransport);
+                   const plaintext = Buffer.from(crypto.randomBytes(32));
+                   async.waterfall([
+                       next => kmipClient.createBucketKey('plop', logger, next),
+                       (id, next) =>
+                           kmipClient.cipherDataKey(1, id, plaintext,
+                                                    logger, (err, ciphered) => {
+                                                        next(err, id, ciphered);
+                                                    }),
+                       (id, ciphered, next) =>
+                           kmipClient.decipherDataKey(
+                               1, id, ciphered, logger, (err, deciphered) => {
+                                   assert(plaintext
+                                          .compare(deciphered) === 0);
+                                   next(err, id);
+                               }),
+                       (id, next) =>
+                           kmipClient.destroyBucketKey(id, logger, next),
+                   ], done);
+               });
+        });
+    });
+});

tests/functional/kmip/lowlevel.js

@@ -0,0 +1,52 @@
+'use strict'; // eslint-disable-line strict
+
+const assert = require('assert');
+const TTLVCodec = require('../../../lib/network/kmip/codec/ttlv.js');
+const TransportTemplate =
+      require('../../../lib/network/kmip/transport/TransportTemplate.js');
+const KMIP = require('../../../lib/network/kmip');
+const {
+    logger,
+    MirrorChannel,
+} = require('../../utils/kmip/ersatz.js');
+const lowlevelFixtures = require('../../utils/kmip/lowlevelFixtures.js');
+
+
+class MirrorTransport extends TransportTemplate {
+    constructor(options) {
+        super(new MirrorChannel(KMIP, TTLVCodec), options);
+    }
+}
+
+const options = {
+    kmip: {
+        codec: {},
+        transport: {
+            pipelineDepth: 8,
+            tls: {
+                port: 5696,
+            },
+        },
+    },
+};
+
+describe('KMIP Low Level Driver', () => {
+    lowlevelFixtures.forEach((fixture, n) => {
+        it(`should work with fixture #${n}`, done => {
+            const kmip = new KMIP(TTLVCodec, MirrorTransport, options);
+            const requestPayload = fixture.payload(kmip);
+            kmip.request(logger, fixture.operation,
+                         requestPayload, (err, response) => {
+                             if (err) {
+                                 return done(err);
+                             }
+                             const responsePayload = response.lookup(
+                                 'Response Message/Batch Item/Response Payload'
+                             )[0];
+                             assert.deepStrictEqual(responsePayload,
+                                                    requestPayload);
+                             return done();
+                         });
+        });
+    });
+});

tests/functional/kmip/transport.js

@@ -0,0 +1,82 @@
+'use strict'; // eslint-disable-line
+
+const async = require('async');
+const assert = require('assert');
+const TransportTemplate =
+      require('../../../lib/network/kmip/transport/TransportTemplate.js');
+const { logger, EchoChannel } = require('../../utils/kmip/ersatz.js');
+
+describe('KMIP Transport Template Class', () => {
+    const pipelineDepths = [1, 2, 4, 8, 16, 32];
+    const requestNumbers = [1, 37, 1021, 8191];
+
+    pipelineDepths.forEach(pipelineDepth => {
+        requestNumbers.forEach(iterations => {
+            it(`should survive ${iterations} iterations` +
+               ` with ${pipelineDepth}way pipeline`,
+               done => {
+                   const transport = new TransportTemplate(
+                       new EchoChannel,
+                       {
+                           pipelineDepth,
+                           tls: {
+                               port: 5696,
+                           },
+                       });
+                   const request = Buffer.alloc(10).fill(6);
+                   async.times(iterations, (n, next) => {
+                       transport.send(logger, request,
+                                      (err, conversation, response) => {
+                                          if (err) {
+                                              return next(err);
+                                          }
+                                          if (request.compare(response) !== 0) {
+                                              return next(Error('arg'));
+                                          }
+                                          return next();
+                                      });
+                   }, err => {
+                       transport.end();
+                       done(err);
+                   });
+               });
+
+            [true, false].forEach(doEmit => {
+                it('should report errors to outstanding requests.' +
+                   ` w:${pipelineDepth}, i:${iterations}, e:${doEmit}`,
+                   done => {
+                       const echoChannel = new EchoChannel;
+                       echoChannel.clog();
+                       const transport = new TransportTemplate(
+                           echoChannel,
+                           {
+                               pipelineDepth,
+                               tls: {
+                                   port: 5696,
+                               },
+                           });
+                       const request = Buffer.alloc(10).fill(6);
+                       /* Using a for loop here instead of anything
+                        * asynchronous, the callbacks get stuck in
+                        * the conversation queue and are unwind with
+                        * an error. It is the purpose of this test */
+                       for (let i = 0; i < iterations; ++i) {
+                           transport.send(
+                               logger, request,
+                               (err, conversation, response) => {
+                                   assert(err);
+                                   assert(!response);
+                               });
+                       }
+                       if (doEmit) {
+                           echoChannel.emit('error', new Error('awesome'));
+                       } else {
+                           transport.abortPipeline(echoChannel);
+                       }
+                       transport.end();
+                       done();
+                   });
+            });
+        });
+    });
+});

tests/unit/auth/v2/queryAuthCheck.js

@@ -1,4 +1,5 @@
 const assert = require('assert');
+const sinon = require('sinon');
 
 const queryAuthCheck =
     require('../../../../lib/auth/v2/queryAuthCheck').check;
@@ -26,3 +27,97 @@ describe('v2: queryAuthCheck', () => {
         }
     }));
 });
+
+describe('v2: queryAuthCheck', () => {
+    let clock;
+
+    beforeEach(() => {
+        clock = sinon.useFakeTimers();
+    });
+    afterEach(() => {
+        process.env.PRE_SIGN_URL_EXPIRY = 604800000;
+        clock.restore();
+    });
+    it('URL should not expire before 7 days with default expiry', () => {
+        const currentTime = Date.now() / 1000;
+        const expires = currentTime + 604799;  // in seconds
+        const mockRequest = {
+            method: 'GET',
+            url: 'mockurl',
+            query: {
+                Expires: expires,
+            },
+            headers: {
+                'Content-MD5': 'c',
+            },
+        };
+        const data = {
+            Expires: expires,
+            AWSAccessKeyId: 'keyId',
+            Signature: 'sign',
+        };
+        const res = queryAuthCheck(mockRequest, log, data);
+        assert.notStrictEqual(res.err.AccessDenied, true);
+        assert.notStrictEqual(res.err.RequestTimeTooSkewed, true);
+    });
+    it('URL should expire after 7 days with default expiry', () => {
+        clock.tick(604800000);  // take time 604800000ms (7 days) ahead
+        const currentTime = Date.now();
+        const request = { method: 'GET', query: { Expires: currentTime } };
+        const data = { Expires: currentTime };
+        const res = queryAuthCheck(request, log, data);
+        assert.notStrictEqual(res.err, null);
+        assert.notStrictEqual(res.err, undefined);
+        assert.strictEqual(res.err.AccessDenied, true);
+    });
+    it('URL should not expire before 7 days with custom expiry', () => {
+        process.env.PRE_SIGN_URL_EXPIRY = 31556952000; // in ms (1 year)
+        const currentTime = Date.now() / 1000;
+        const expires = currentTime + 604799;  // in seconds
+        const mockRequest = {
+            method: 'GET',
+            url: 'mockurl',
+            query: {
+                Expires: expires,
+            },
+            headers: {
+                'Content-MD5': 'c',
+            },
+        };
+        const data = {
+            Expires: expires,
+            AWSAccessKeyId: 'keyId',
+            Signature: 'sign',
+        };
+        const res = queryAuthCheck(mockRequest, log, data);
+        assert.notStrictEqual(res.err.AccessDenied, true);
+        assert.notStrictEqual(res.err.RequestTimeTooSkewed, true);
+    });
+    it('URL should still not expire after 7 days with custom expiry', () => {
+        clock.tick(604800000);  // take time 604800000ms (7 days) ahead
+        process.env.PRE_SIGN_URL_EXPIRY = 31556952000; // in ms (1 year)
+        const currentTime = Date.now() / 1000;
+        const request = { method: 'GET', query: { Expires: currentTime } };
+        const data = { Expires: currentTime };
+        const res = queryAuthCheck(request, log, data);
+        assert.notStrictEqual(res.err.AccessDenied, true);
+    });
+    it('should return RequestTimeTooSkewed with current time > expiry', () => {
+        clock.tick(123);
+        const expires = 0;
+        const request = { method: 'GET', query: { Expires: expires } };
+        const data = { Expires: expires };
+        const res = queryAuthCheck(request, log, data);
+        assert.notStrictEqual(res.err, null);
+        assert.notStrictEqual(res.err, undefined);
+        assert.strictEqual(res.err.RequestTimeTooSkewed, true);
+    });
+    it('should return MissingSecurityHeader with invalid expires param', () => {
+        const request = { method: 'GET', query: { Expires: 'a string' } };
+        const data = { Expires: 'a string' };
+        const res = queryAuthCheck(request, log, data);
+        assert.notStrictEqual(res.err, null);
+        assert.notStrictEqual(res.err, undefined);
+        assert.strictEqual(res.err.MissingSecurityHeader, true);
+    });
+});

tests/unit/kmip/ttlvCodec.js

@@ -0,0 +1,172 @@
+'use strict'; // eslint-disable-line strict
+/* eslint new-cap: "off" */
+
+const assert = require('assert');
+
+const TTLVCodec = require('../../../lib/network/kmip/codec/ttlv.js');
+const KMIP = require('../../../lib/network/kmip');
+const ttlvFixtures = require('../../utils/kmip/ttlvFixtures');
+const badTtlvFixtures = require('../../utils/kmip/badTtlvFixtures');
+const messageFixtures = require('../../utils/kmip/messageFixtures');
+const { logger } = require('../../utils/kmip/ersatz.js');
+
+function newKMIP() {
+    return new KMIP(TTLVCodec,
+                    class DummyTransport {},
+                    { kmip: {} }, () => {});
+}
+
+describe('KMIP TTLV Codec', () => {
+    it('should map, encode and decode an extension', done => {
+        const kmip = newKMIP();
+        kmip.mapExtension('Dummy Extension', 0x54a000);
+        const msg = KMIP.Message([
+            KMIP.TextString('Dummy Extension', 'beautiful'),
+        ]);
+        const encodedMsg = kmip._encodeMessage(msg);
+        const decodedMsg = kmip._decodeMessage(logger, encodedMsg);
+        assert.deepStrictEqual(msg, decodedMsg);
+        done();
+    });
+
+    ttlvFixtures.forEach((item, idx) => {
+        ['request', 'response'].forEach(fixture => {
+            it(`should decode the TTLV ${fixture} fixture[${idx}]`, done => {
+                const kmip = newKMIP();
+                const msg = kmip._decodeMessage(logger, item[fixture]);
+                if (!item.degenerated) {
+                    const encodedMsg = kmip._encodeMessage(msg);
+                    assert(encodedMsg.compare(item[fixture]) === 0);
+                }
+                done();
+            });
+        });
+    });
+
+    it('should validate supported operations', done => {
+        const kmip = newKMIP();
+        const msg = kmip._decodeMessage(logger, ttlvFixtures[1].response);
+
+        const supportedOperations =
+              msg.lookup('Response Message/Batch Item/' +
+                         'Response Payload/Operation');
+        const supportedObjectTypes =
+              msg.lookup('Response Message/Batch Item/' +
+                         'Response Payload/Object Type');
+        const protocolVersionMajor =
+              msg.lookup('Response Message/Response Header/' +
+                         'Protocol Version/Protocol Version Major');
+        const protocolVersionMinor =
+              msg.lookup('Response Message/Response Header/' +
+                         'Protocol Version/Protocol Version Minor');
+
+        assert(supportedOperations.includes('Encrypt'));
+        assert(supportedOperations.includes('Decrypt'));
+        assert(supportedOperations.includes('Create'));
+        assert(supportedOperations.includes('Destroy'));
+        assert(supportedOperations.includes('Query'));
+        assert(supportedObjectTypes.includes('Symmetric Key'));
+        assert(protocolVersionMajor[0] >= 2 ||
+               (protocolVersionMajor[0] === 1 &&
+                protocolVersionMinor[0] >= 2));
+        done();
+    });
+
+    it('should detect unsupported operations', done => {
+        const kmip = newKMIP();
+        const msg = kmip._decodeMessage(logger, ttlvFixtures[2].response);
+
+        const supportedOperations =
+              msg.lookup('Response Message/Batch Item/' +
+                         'Response Payload/Operation');
+
+        assert(!supportedOperations.includes('Encrypt'));
+        assert(!supportedOperations.includes('Decrypt'));
+        done();
+    });
+
+    it('should support non canonical search path', done => {
+        const kmip = newKMIP();
+        const msg = kmip._decodeMessage(logger, ttlvFixtures[1].response);
+
+        const supportedOperations =
+              msg.lookup('/Response Message/Batch Item/' +
+                         'Response Payload/Operation');
+        const supportedObjectTypes =
+              msg.lookup('Response Message/Batch Item/' +
+                         'Response Payload/Object Type/');
+        const protocolVersionMajor =
+              msg.lookup('Response Message//Response Header///' +
+                         'Protocol Version////Protocol Version Major');
+        const protocolVersionMinor =
+              msg.lookup('/Response Message////Response Header///' +
+                         'Protocol Version//Protocol Version Minor/');
+
+        assert(supportedOperations.includes('Encrypt'));
+        assert(supportedOperations.includes('Decrypt'));
+        assert(supportedOperations.includes('Create'));
+        assert(supportedOperations.includes('Destroy'));
+        assert(supportedOperations.includes('Query'));
+        assert(supportedObjectTypes.includes('Symmetric Key'));
+        assert(protocolVersionMajor[0] >= 2 ||
+               (protocolVersionMajor[0] === 1 &&
+                protocolVersionMinor[0] >= 2));
+        done();
+    });
+
+    it('should return nothing with an empty search path', done => {
+        const kmip = newKMIP();
+        const msg = kmip._decodeMessage(logger, ttlvFixtures[2].response);
+
+        const empty1 = msg.lookup('');
+        const empty2 = msg.lookup('////');
+        assert(empty1.length === 0);
+        assert(empty2.length === 0);
+        done();
+    });
+
+    it('should encode/decode a bit mask', done => {
+        const kmip = newKMIP();
+        const usageMask = ['Encrypt', 'Decrypt', 'Export'];
+        const decodedMask =
+              kmip.decodeMask('Cryptographic Usage Mask',
+                              kmip.encodeMask('Cryptographic Usage Mask',
+                                              usageMask));
+        assert.deepStrictEqual(usageMask.sort(), decodedMask.sort());
+        done();
+    });
+
+    it('should detect invalid bit name', done => {
+        const kmip = newKMIP();
+        const usageMask = ['Encrypt', 'Decrypt', 'Exprot'];
+        try {
+            kmip.encodeMask('Cryptographic Usage Mask', usageMask);
+            done(Error('Must not succeed'));
+        } catch (e) {
+            done();
+        }
+    });
+
+    messageFixtures.forEach((item, idx) => {
+        it(`should encode the KMIP message fixture[${idx}]`, done => {
+            const kmip = newKMIP();
+            const encodedMessage = kmip._encodeMessage(item);
+            const decodedMessage = kmip._decodeMessage(logger, encodedMessage);
+            assert.deepStrictEqual(item.content, decodedMessage.content);
+            done();
+        });
+    });
+
+    badTtlvFixtures.forEach((rawMessage, idx) => {
+        it(`should fail to parse invalid TTLV message fixture[${idx}]`,
+           done => {
+               const kmip = newKMIP();
+               try {
+                   kmip._decodeMessage(logger, rawMessage);
+                   done(Error('Must not succeed'));
+               } catch (e) {
+                   done();
+               }
+           });
+    });
+});

tests/unit/models/BucketInfo.js

@@ -115,8 +115,54 @@ const testLifecycleConfiguration = {
         },
     ],
 };
-// create a dummy bucket to test getters and setters
 
+const testBucketPolicy = {
+    Version: '2012-10-17',
+    Statement: [
+        {
+            Effect: 'Allow',
+            Principal: '*',
+            Resource: 'arn:aws:s3:::examplebucket',
+            Action: 's3:*',
+        },
+    ],
+};
+
+const testobjectLockEnabled = false;
+
+const testObjectLockConfiguration = {
+    rule: {
+        mode: 'GOVERNANCE',
+        days: 1,
+    },
+};
+
+const testNotificationConfiguration = {
+    queueConfig: [
+        {
+            events: ['s3:ObjectCreated:*'],
+            queueArn: 'arn:scality:bucketnotif:::target1',
+            filterRules: [
+                {
+                    name: 'prefix',
+                    value: 'logs/',
+                },
+                {
+                    name: 'suffix',
+                    value: '.log',
+                },
+            ],
+            id: 'test-queue-config-1',
+        },
+        {
+            events: ['s3:ObjectRemoved:Delete', 's3:ObjectCreated:Copy'],
+            queueArn: 'arn:scality:bucketnotif:::target2',
+            id: 'test-queue-config-2',
+        },
+    ],
+};
+
+// create a dummy bucket to test getters and setters
 Object.keys(acl).forEach(
     aclObj => describe(`different acl configurations : ${aclObj}`, () => {
         const dummyBucket = new BucketInfo(
@@ -132,7 +178,11 @@ Object.keys(acl).forEach(
             testWebsiteConfiguration,
             testCorsConfiguration,
             testReplicationConfiguration,
-            testLifecycleConfiguration);
+            testLifecycleConfiguration,
+            testBucketPolicy,
+            testobjectLockEnabled,
+            testObjectLockConfiguration,
+            testNotificationConfiguration);
 
         describe('serialize/deSerialize on BucketInfo class', () => {
             const serialized = dummyBucket.serialize();
@@ -158,6 +208,11 @@ Object.keys(acl).forEach(
                         dummyBucket._replicationConfiguration,
                     lifecycleConfiguration:
                         dummyBucket._lifecycleConfiguration,
+                    bucketPolicy: dummyBucket._bucketPolicy,
+                    objectLockEnabled: dummyBucket._objectLockEnabled,
+                    objectLockConfiguration:
+                        dummyBucket._objectLockConfiguration,
+                    notificationConfiguration: dummyBucket._notificationConfiguration,
                 };
                 assert.strictEqual(serialized, JSON.stringify(bucketInfos));
                 done();
@@ -174,15 +229,16 @@ Object.keys(acl).forEach(
         });
 
         describe('constructor', () => {
-            it('this should have the right BucketInfo types',
-               () => {
-                   assert.strictEqual(typeof dummyBucket.getName(), 'string');
-                   assert.strictEqual(typeof dummyBucket.getOwner(), 'string');
-                   assert.strictEqual(typeof dummyBucket.getOwnerDisplayName(),
-                                      'string');
-                   assert.strictEqual(typeof dummyBucket.getCreationDate(),
-                                      'string');
-               });
+            it('this should have the right BucketInfo types', () => {
+                assert.strictEqual(typeof dummyBucket.getName(), 'string');
+                assert.strictEqual(typeof dummyBucket.getOwner(), 'string');
+                assert.strictEqual(typeof dummyBucket.getOwnerDisplayName(),
+                                    'string');
+                assert.strictEqual(typeof dummyBucket.getCreationDate(),
+                                    'string');
+                assert.strictEqual(typeof dummyBucket.isObjectLockEnabled(),
+                                    'boolean');
+            });
             it('this should have the right acl\'s types', () => {
                 assert.strictEqual(typeof dummyBucket.getAcl(), 'object');
                 assert.strictEqual(
@@ -257,6 +313,22 @@ Object.keys(acl).forEach(
                 assert.deepStrictEqual(dummyBucket.getLifecycleConfiguration(),
                     testLifecycleConfiguration);
             });
+            it('getBucketPolicy should return policy', () => {
+                assert.deepStrictEqual(
+                    dummyBucket.getBucketPolicy(), testBucketPolicy);
+            });
+            it('object lock should be disabled by default', () => {
+                assert.deepStrictEqual(
+                    dummyBucket.isObjectLockEnabled(), false);
+            });
+            it('getObjectLockConfiguration should return configuration', () => {
+                assert.deepStrictEqual(dummyBucket.getObjectLockConfiguration(),
+                    testObjectLockConfiguration);
+            });
+            it('getNotificationConfiguration should return configuration', () => {
+                assert.deepStrictEqual(dummyBucket.getNotificationConfiguration(),
+                    testNotificationConfiguration);
+            });
         });
 
         describe('setters on BucketInfo class', () => {
@@ -378,6 +450,61 @@ Object.keys(acl).forEach(
                 assert.deepStrictEqual(dummyBucket.getLifecycleConfiguration(),
                     newLifecycleConfig);
             });
+            it('setBucketPolicy should set bucket policy', () => {
+                const newBucketPolicy = {
+                    Version: '2012-10-17',
+                    Statement: [
+                        {
+                            Effect: 'Deny',
+                            Principal: '*',
+                            Resource: 'arn:aws:s3:::examplebucket',
+                            Action: 's3:*',
+                        },
+                    ],
+                };
+                dummyBucket.setBucketPolicy(newBucketPolicy);
+                assert.deepStrictEqual(
+                    dummyBucket.getBucketPolicy(), newBucketPolicy);
+            });
+            it('setObjectLockConfiguration should set object lock ' +
+                'configuration', () => {
+                const newObjectLockConfig = {
+                    rule: {
+                        mode: 'COMPLIANCE',
+                        years: 1,
+                    },
+                };
+                dummyBucket.setObjectLockConfiguration(newObjectLockConfig);
+                assert.deepStrictEqual(dummyBucket.getObjectLockConfiguration(),
+                    newObjectLockConfig);
+            });
+            [true, false].forEach(bool => {
+                it('setObjectLockEnabled should set object lock status', () => {
+                    dummyBucket.setObjectLockEnabled(bool);
+                    assert.deepStrictEqual(dummyBucket.isObjectLockEnabled(),
+                        bool);
+                });
+            });
+            it('setNotificationConfiguration should set notification configuration', () => {
+                const newNotifConfig = {
+                    queueConfig: [
+                        {
+                            events: ['s3:ObjectRemoved:*'],
+                            queueArn: 'arn:scality:bucketnotif:::target3',
+                            filterRules: [
+                                {
+                                    name: 'prefix',
+                                    value: 'configs/',
+                                },
+                            ],
+                            id: 'test-config-3',
+                        },
+                    ],
+                };
+                dummyBucket.setNotificationConfiguration(newNotifConfig);
+                assert.deepStrictEqual(
+                    dummyBucket.getNotificationConfiguration(), newNotifConfig);
+            });
         });
     })
 );

tests/unit/models/BucketPolicy.js

@@ -0,0 +1,105 @@
+const assert = require('assert');
+
+const BucketPolicy = require('../../../lib/models/BucketPolicy');
+
+const testBucketPolicy = {
+    Version: '2012-10-17',
+    Statement: [
+        {
+            Effect: 'Allow',
+            Principal: '*',
+            Resource: 'arn:aws:s3:::examplebucket',
+            Action: 's3:GetBucketLocation',
+        },
+    ],
+};
+const mismatchErr = 'Action does not apply to any resource(s) in statement';
+
+function createPolicy(key, value) {
+    const newPolicy = Object.assign({}, testBucketPolicy);
+    newPolicy.Statement[0][key] = value;
+    return newPolicy;
+}
+
+function checkErr(policy, err, message) {
+    assert.strictEqual(policy.error[err], true);
+    assert.strictEqual(policy.error.description, message);
+}
+
+describe('BucketPolicy class getBucketPolicy', () => {
+    beforeEach(() => {
+        testBucketPolicy.Statement[0].Resource = 'arn:aws:s3:::examplebucket';
+        testBucketPolicy.Statement[0].Action = 's3:GetBucketLocation';
+    });
+
+    it('should return MalformedPolicy error if request json is empty', done => {
+        const bucketPolicy = new BucketPolicy('').getBucketPolicy();
+        const errMessage = 'request json is empty or undefined';
+        checkErr(bucketPolicy, 'MalformedPolicy', errMessage);
+        done();
+    });
+
+    it('should return MalformedPolicy error if request action is for objects ' +
+    'but resource refers to bucket', done => {
+        const newPolicy = createPolicy('Action', 's3:GetObject');
+        const bucketPolicy = new BucketPolicy(JSON.stringify(newPolicy))
+            .getBucketPolicy();
+        checkErr(bucketPolicy, 'MalformedPolicy', mismatchErr);
+        done();
+    });
+
+    it('should return MalformedPolicy error if request action is for objects ' +
+    'but does\'t include \'Object\' and resource refers to bucket', done => {
+        const newPolicy = createPolicy('Action', 's3:AbortMultipartUpload');
+        const bucketPolicy = new BucketPolicy(JSON.stringify(newPolicy))
+            .getBucketPolicy();
+        checkErr(bucketPolicy, 'MalformedPolicy', mismatchErr);
+        done();
+    });
+
+    it('should return MalformedPolicy error if request action is for objects ' +
+    '(with wildcard) but resource refers to bucket', done => {
+        const newPolicy = createPolicy('Action', 's3:GetObject*');
+        const bucketPolicy = new BucketPolicy(JSON.stringify(newPolicy))
+            .getBucketPolicy();
+        checkErr(bucketPolicy, 'MalformedPolicy', mismatchErr);
+        done();
+    });
+
+    it('should return MalformedPolicy error if request resource refers to ' +
+    'object but action is for buckets', done => {
+        const newPolicy = createPolicy('Resource',
+            'arn:aws:s3:::examplebucket/*');
+        const bucketPolicy = new BucketPolicy(JSON.stringify(newPolicy))
+            .getBucketPolicy();
+        checkErr(bucketPolicy, 'MalformedPolicy', mismatchErr);
+        done();
+    });
+
+    it('should return MalformedPolicy error if request resource refers to ' +
+    'object but action is for buckets (with wildcard)', done => {
+        const newPolicy = createPolicy('Resource',
+            'arn:aws:s3:::examplebucket/*');
+        newPolicy.Statement[0].Action = 's3:GetBucket*';
+        const bucketPolicy = new BucketPolicy(JSON.stringify(newPolicy))
+            .getBucketPolicy();
+        checkErr(bucketPolicy, 'MalformedPolicy', mismatchErr);
+        done();
+    });
+
+    it('should successfully get a valid policy', done => {
+        const bucketPolicy = new BucketPolicy(JSON.stringify(testBucketPolicy))
+            .getBucketPolicy();
+        assert.deepStrictEqual(bucketPolicy, testBucketPolicy);
+        done();
+    });
+
+    it('should successfully get a valid policy with wildcard in action',
+    done => {
+        const newPolicy = createPolicy('Action', 's3:Get*');
+        const bucketPolicy = new BucketPolicy(JSON.stringify(newPolicy))
+            .getBucketPolicy();
+        assert.deepStrictEqual(bucketPolicy, newPolicy);
+        done();
+    });
+});

tests/unit/models/NotificationConfiguration.js

@@ -0,0 +1,214 @@
+const assert = require('assert');
+const { parseString } = require('xml2js');
+
+const NotificationConfiguration =
+    require('../../../lib/models/NotificationConfiguration.js');
+
+function checkError(parsedXml, err, errMessage, cb) {
+    const config = new NotificationConfiguration(parsedXml).
+        getValidatedNotificationConfiguration();
+    assert.strictEqual(config.error[err], true);
+    assert.strictEqual(config.error.description, errMessage);
+    cb();
+}
+
+function generateEvent(testParams) {
+    const event = [];
+    if (testParams.key === 'Event') {
+        if (Array.isArray(testParams.value)) {
+            testParams.value.forEach(v => {
+                event.push(`${event}<Event>${v}</Event>`);
+            });
+        } else {
+            event.push(`<Event>${testParams.value}</Event>`);
+        }
+    } else {
+        event.push('<Event>s3:ObjectCreated:*</Event>');
+    }
+    return event.join('');
+}
+
+function generateFilter(testParams) {
+    let filter = '';
+    if (testParams.key === 'Filter') {
+        filter = `<Filter>${testParams.value}</Filter>`;
+    }
+    if (testParams.key === 'S3Key') {
+        filter = `<Filter><S3Key>${testParams.value}</S3Key></Filter>`;
+    }
+    if (testParams.key === 'FilterRule') {
+        if (Array.isArray(testParams.value)) {
+            testParams.value.forEach(v => {
+                filter = `${filter}<Filter><S3Key><FilterRule>${v}` +
+                    '</FilterRule></S3Key></Filter>';
+            });
+        } else {
+            filter = `<Filter><S3Key><FilterRule>${testParams.value}` +
+                '</FilterRule></S3Key></Filter>';
+        }
+    }
+    return filter;
+}
+
+function generateXml(testParams) {
+    const id = testParams.key === 'Id' ? `<Id>${testParams.value}</Id>` : '<Id>queue-id</Id>';
+    const arn = testParams.key === 'QueueArn' ?
+        `<Queue>${testParams.value}</Queue>` :
+        '<Queue>arn:scality:bucketnotif:::target</Queue>';
+    const event = generateEvent(testParams);
+    const filter = generateFilter(testParams);
+    let queueConfig = `<QueueConfiguration>${id}${arn}${event}${filter}` +
+        '</QueueConfiguration>';
+    if (testParams.key === 'QueueConfiguration') {
+        if (testParams.value === 'double') {
+            queueConfig = `${queueConfig}${queueConfig}`;
+        } else {
+            queueConfig = testParams.value;
+        }
+    }
+    const notification = testParams.key === 'NotificationConfiguration' ? '' :
+        `<NotificationConfiguration>${queueConfig}</NotificationConfiguration>`;
+    return notification;
+}
+
+function generateParsedXml(testParams, cb) {
+    const xml = generateXml(testParams);
+    parseString(xml, (err, parsedXml) => {
+        assert.equal(err, null, 'Error parsing xml');
+        cb(parsedXml);
+    });
+}
+
+const failTests = [
+    {
+        name: 'fail with empty configuration',
+        params: { key: 'NotificationConfiguration' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml is undefined or empty',
+    },
+    {
+        name: 'fail with invalid id',
+        params: { key: 'Id', value: 'a'.repeat(256) },
+        error: 'InvalidArgument',
+        errorMessage: 'queue configuration ID is greater than 255 characters long',
+    },
+    {
+        name: 'fail with repeated id',
+        params: { key: 'QueueConfiguration', value: 'double' },
+        error: 'InvalidRequest',
+        errorMessage: 'queue configuration ID must be unique',
+    },
+    {
+        name: 'fail with empty QueueArn',
+        params: { key: 'QueueArn', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'each queue configuration must contain a queue arn',
+    },
+    {
+        name: 'fail with invalid QueueArn',
+        params: { key: 'QueueArn', value: 'arn:scality:bucketnotif:target' },
+        error: 'MalformedXML',
+        errorMessage: 'queue arn is invalid',
+    },
+    {
+        name: 'fail with invalid QueueArn partition',
+        params: { key: 'QueueArn', value: 'arn:aws:bucketnotif:::target' },
+        error: 'MalformedXML',
+        errorMessage: 'queue arn is invalid',
+    },
+    {
+        name: 'fail with empty event',
+        params: { key: 'Event', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'each queue configuration must contain an event',
+    },
+    {
+        name: 'fail with invalid event',
+        params: { key: 'Event', value: 's3:BucketCreated:Put' },
+        error: 'MalformedXML',
+        errorMessage: 'event array contains invalid or unsupported event',
+    },
+    {
+        name: 'fail with unsupported event',
+        params: { key: 'Event', value: 's3:Replication:OperationNotTracked' },
+        error: 'MalformedXML',
+        errorMessage: 'event array contains invalid or unsupported event',
+    },
+    {
+        name: 'fail with filter that does not contain S3Key',
+        params: { key: 'Filter', value: '<FilterRule><Name>Prefix</Name><Value>logs/</Value></FilterRule>' },
+        error: 'MalformedXML',
+        errorMessage: 'if included, queue configuration filter must contain S3Key',
+    },
+    {
+        name: 'fail with filter that does not contain a rule',
+        params: { key: 'S3Key', value: '<Name>Prefix</Name><Value>logs/</Value>' },
+        error: 'MalformedXML',
+        errorMessage: 'if included, queue configuration filter must contain a rule',
+    },
+    {
+        name: 'fail with filter rule that does not contain name and value',
+        params: { key: 'FilterRule', value: '<Value>noname</Value>' },
+        error: 'MalformedXML',
+        errorMessage: 'each included filter must contain a name and value',
+    },
+    {
+        name: 'fail with invalid name in filter rule',
+        params: { key: 'FilterRule', value: '<Name>Invalid</Name><Value>logs/</Value>' },
+        error: 'MalformedXML',
+        errorMessage: 'filter Name must be one of Prefix or Suffix',
+    },
+];
+
+const passTests = [
+    {
+        name: 'pass with empty QueueConfiguration',
+        params: { key: 'QueueConfiguration', value: '[]' },
+    },
+    {
+        name: 'pass with multiple events in one queue configuration',
+        params: {
+            key: 'Event', value: ['s3:ObjectCreated:Put', 's3:ObjectCreated:Copy'],
+        },
+    },
+    {
+        name: 'pass with multiple filter rules',
+        params: {
+            key: 'FilterRule',
+            value: ['<Name>Prefix</Name><Value>logs/</Value>', '<Name>Suffix</Name><Value>.pdf</Value>'] },
+    },
+    {
+        name: 'pass with no id',
+        params: { key: 'Id', value: '' },
+    },
+    {
+        name: 'pass with basic config', params: {},
+    },
+];
+
+describe('NotificationConfiguration class getValidatedNotificationConfiguration',
+() => {
+    it('should return MalformedXML error if request xml is empty', done => {
+        const errMessage = 'request xml is undefined or empty';
+        checkError('', 'MalformedXML', errMessage, done);
+    });
+
+    failTests.forEach(test => {
+        it(`should ${test.name}`, done => {
+            generateParsedXml(test.params, xml => {
+                checkError(xml, test.error, test.errorMessage, done);
+            });
+        });
+    });
+
+    passTests.forEach(test => {
+        it(`should ${test.name}`, done => {
+            generateParsedXml(test.params, xml => {
+                const config = new NotificationConfiguration(xml).
+                    getValidatedNotificationConfiguration();
+                assert.ifError(config.error);
+                done();
+            });
+        });
+    });
+});

tests/unit/models/ObjectLockConfiguration.js

@@ -0,0 +1,265 @@
+const assert = require('assert');
+const { parseString } = require('xml2js');
+
+const ObjectLockConfiguration =
+    require('../../../lib/models/ObjectLockConfiguration.js');
+
+function checkError(parsedXml, err, errMessage, cb) {
+    const config = new ObjectLockConfiguration(parsedXml).
+        getValidatedObjectLockConfiguration();
+    assert.strictEqual(config.error[err], true);
+    assert.strictEqual(config.error.description, errMessage);
+    cb();
+}
+
+function generateRule(testParams) {
+    if (testParams.key === 'Rule') {
+        return `<Rule>${testParams.value}</Rule>`;
+    }
+    if (testParams.key === 'DefaultRetention') {
+        return `<Rule><DefaultRetention>${testParams.value} ` +
+            '</DefaultRetention></Rule>';
+    }
+    const mode = testParams.key === 'Mode' ?
+        `<Mode>${testParams.value}</Mode>` : '<Mode>GOVERNANCE</Mode>';
+
+    let time = '<Days>1</Days>';
+    if (testParams.key === 'Days') {
+        time = `<Days>${testParams.value}</Days>`;
+    }
+    if (testParams.key === 'Years') {
+        time = `<Years>${testParams.value}</Years>`;
+    }
+    if (testParams.key === 'NoRule') {
+        return '';
+    }
+    return `<Rule><DefaultRetention>${mode}${time}</DefaultRetention></Rule>`;
+}
+
+function generateXml(testParams) {
+    const Enabled = testParams.key === 'ObjectLockEnabled' ?
+        `<ObjectLockEnabled>${testParams.value}</ObjectLockEnabled>` :
+        '<ObjectLockEnabled>Enabled</ObjectLockEnabled>';
+    const Rule = generateRule(testParams);
+    const ObjectLock = testParams.key === 'ObjectLockConfiguration' ? '' :
+        `<ObjectLockConfiguration>${Enabled}${Rule}` +
+        '</ObjectLockConfiguration>';
+    return ObjectLock;
+}
+
+function generateParsedXml(testParams, cb) {
+    const xml = generateXml(testParams);
+    parseString(xml, (err, parsedXml) => {
+        assert.equal(err, null, 'Error parsing xml');
+        cb(parsedXml);
+    });
+}
+
+const expectedXml = (daysOrYears, time, mode) =>
+    '<?xml version="1.0" encoding="UTF-8"?>' +
+    '<ObjectLockConfiguration ' +
+    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    '<ObjectLockEnabled>Enabled</ObjectLockEnabled>' +
+    '<Rule><DefaultRetention>' +
+    `<Mode>${mode}</Mode>` +
+    `<${daysOrYears}>${time}</${daysOrYears}>` +
+    '</DefaultRetention></Rule>' +
+    '</ObjectLockConfiguration>';
+
+const failTests = [
+    {
+        name: 'fail with empty configuration',
+        params: { key: 'ObjectLockConfiguration' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml is undefined or empty',
+    },
+    {
+        name: 'fail with empty ObjectLockEnabled',
+        params: { key: 'ObjectLockEnabled', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml does not include valid ObjectLockEnabled',
+    },
+    {
+        name: 'fail with invalid value for ObjectLockEnabled',
+        params: { key: 'ObjectLockEnabled', value: 'Disabled' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml does not include valid ObjectLockEnabled',
+    },
+    {
+        name: 'fail with empty rule',
+        params: { key: 'Rule', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'Rule request xml does not contain DefaultRetention',
+    },
+    {
+        name: 'fail with empty DefaultRetention',
+        params: { key: 'DefaultRetention', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'DefaultRetention request xml does not contain Mode or ' +
+            'retention period (Days or Years)',
+    },
+    {
+        name: 'fail with empty mode',
+        params: { key: 'Mode', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml does not contain Mode',
+    },
+    {
+        name: 'fail with invalid mode',
+        params: { key: 'Mode', value: 'COMPLOVERNANCE' },
+        error: 'MalformedXML',
+        errorMessage: 'Mode request xml must be one of "GOVERNANCE", ' +
+            '"COMPLIANCE"',
+    },
+    {
+        name: 'fail with lowercase mode',
+        params: { key: 'Mode', value: 'governance' },
+        error: 'MalformedXML',
+        errorMessage: 'Mode request xml must be one of "GOVERNANCE", ' +
+            '"COMPLIANCE"',
+    },
+    {
+        name: 'fail with empty retention period',
+        params: { key: 'Days', value: '' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml does not contain Days or Years',
+    },
+    {
+        name: 'fail with NaN retention period',
+        params: { key: 'Days', value: 'one' },
+        error: 'MalformedXML',
+        errorMessage: 'request xml does not contain valid retention period',
+    },
+    {
+        name: 'fail with retention period less than 1',
+        params: { key: 'Days', value: 0 },
+        error: 'InvalidArgument',
+        errorMessage: 'retention period must be a positive integer',
+    },
+    {
+        name: 'fail with Days retention period greater than 36500',
+        params: { key: 'Days', value: 36501 },
+        error: 'InvalidArgument',
+        errorMessage: 'retention period is too large',
+    },
+    {
+        name: 'fail with Years retention period great than 100',
+        params: { key: 'Years', value: 101 },
+        error: 'InvalidArgument',
+        errorMessage: 'retention period is too large',
+    },
+];
+
+const passTests = [
+    {
+        name: 'pass with GOVERNANCE retention mode and valid Days ' +
+            'retention period',
+        params: {},
+    },
+    {
+        name: 'pass with COMPLIANCE retention mode',
+        params: { key: 'Mode', value: 'COMPLIANCE' },
+    },
+    {
+        name: 'pass with valid Years retention period',
+        params: { key: 'Years', value: 1 },
+    },
+    {
+        name: 'pass without Rule',
+        params: { key: 'NoRule' },
+    },
+];
+
+const passTestsGetConfigXML = [
+    {
+        config: {
+            rule: {
+                mode: 'COMPLIANCE',
+                days: 90,
+            },
+        },
+        expectedXml: expectedXml('Days', 90, 'COMPLIANCE'),
+        description: 'with COMPLIANCE retention mode ' +
+            'and valid Days retention period',
+    },
+    {
+        config: {
+            rule: {
+                mode: 'GOVERNANCE',
+                days: 30,
+            },
+        },
+        expectedXml: expectedXml('Days', 30, 'GOVERNANCE'),
+        description: 'with GOVERNANCE retention mode ' +
+            'and valid Days retention period',
+    },
+    {
+        config: {
+            rule: {
+                mode: 'COMPLIANCE',
+                years: 1,
+            },
+        },
+        expectedXml: expectedXml('Years', 1, 'COMPLIANCE'),
+        description: 'with COMPLIANCE retention mode ' +
+            'and valid Years retention period',
+    },
+    {
+        config: {
+            rule: {
+                mode: 'GOVERNANCE',
+                years: 2,
+            },
+        },
+        expectedXml: expectedXml('Years', 2, 'GOVERNANCE'),
+        description: 'with GOVERNANCE retention mode ' +
+            'and valid Years retention period',
+    },
+    {
+        config: {},
+        expectedXml: '<?xml version="1.0" encoding="UTF-8"?>' +
+            '<ObjectLockConfiguration ' +
+            'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+            '<ObjectLockEnabled>Enabled</ObjectLockEnabled>' +
+            '</ObjectLockConfiguration>',
+        description: 'without rule if object lock ' +
+            'configuration has not been set',
+    },
+];
+
+describe('ObjectLockConfiguration class getValidatedObjectLockConfiguration',
+() => {
+    it('should return MalformedXML error if request xml is empty', done => {
+        const errMessage = 'request xml is undefined or empty';
+        checkError('', 'MalformedXML', errMessage, done);
+    });
+
+    failTests.forEach(test => {
+        it(`should ${test.name}`, done => {
+            generateParsedXml(test.params, xml => {
+                checkError(xml, test.error, test.errorMessage, done);
+            });
+        });
+    });
+
+    passTests.forEach(test => {
+        it(`should ${test.name}`, done => {
+            generateParsedXml(test.params, xml => {
+                const config = new ObjectLockConfiguration(xml).
+                    getValidatedObjectLockConfiguration();
+                assert.ifError(config.error);
+                done();
+            });
+        });
+    });
+});
+
+describe('ObjectLockConfiguration class getConfigXML', () => {
+    passTestsGetConfigXML.forEach(test => {
+        const { config, description, expectedXml } = test;
+        it(`should return correct XML ${description}`, () => {
+            const responseXml = ObjectLockConfiguration.getConfigXML(config);
+            assert.strictEqual(responseXml, expectedXml);
+        });
+    });
+});

tests/unit/models/object.js

@@ -2,6 +2,11 @@ const assert = require('assert');
 const ObjectMD = require('../../../lib/models/ObjectMD');
 const constants = require('../../../lib/constants');
 
+const retainDate = new Date();
+retainDate.setDate(retainDate.getDate() + 1);
+const laterDate = new Date();
+laterDate.setDate(laterDate.getDate() + 5);
+
 describe('ObjectMD class setters/getters', () => {
     let md = null;
 
@@ -99,6 +104,11 @@ describe('ObjectMD class setters/getters', () => {
             dataStoreVersionId: '',
         }],
         ['DataStoreName', null, ''],
+        ['LegalHold', null, false],
+        ['LegalHold', true],
+        ['RetentionMode', 'GOVERNANCE'],
+        ['RetentionDate', retainDate.toISOString()],
+        ['OriginOp', null, ''],
     ].forEach(test => {
         const property = test[0];
         const testValue = test[1];
@@ -192,6 +202,21 @@ describe('ObjectMD class setters/getters', () => {
         assert.strictEqual(
             md.getReplicationSiteDataStoreVersionId('zenko'), 'a');
     });
+
+    it('ObjectMD::set/getRetentionMode', () => {
+        md.setRetentionMode('COMPLIANCE');
+        assert.deepStrictEqual(md.getRetentionMode(), 'COMPLIANCE');
+    });
+
+    it('ObjectMD::set/getRetentionDate', () => {
+        md.setRetentionDate(laterDate.toISOString());
+        assert.deepStrictEqual(md.getRetentionDate(), laterDate.toISOString());
+    });
+
+    it('ObjectMD::set/getOriginOp', () => {
+        md.setOriginOp('Copy');
+        assert.deepStrictEqual(md.getOriginOp(), 'Copy');
+    });
 });
 
 describe('ObjectMD import from stored blob', () => {
@@ -313,7 +338,9 @@ describe('getAttributes static method', () => {
             'replicationInfo': true,
             'dataStoreName': true,
             'last-modified': true,
-            'md-model-version': true };
+            'md-model-version': true,
+            'originOp': true,
+        };
         assert.deepStrictEqual(attributes, expectedResult);
     });
 });

tests/unit/policy/test_policyValidator.js

@@ -4,8 +4,9 @@ const assert = require('assert');
 const policyValidator = require('../../../lib/policy/policyValidator');
 const errors = require('../../../lib/errors');
 const validateUserPolicy = policyValidator.validateUserPolicy;
+const validateResourcePolicy = policyValidator.validateResourcePolicy;
 const successRes = { error: null, valid: true };
-const samplePolicy = {
+const sampleUserPolicy = {
     Version: '2012-10-17',
     Statement: {
         Sid: 'FooBar1234',
@@ -15,6 +16,19 @@ const samplePolicy = {
         Condition: { NumericLessThanEquals: { 's3:max-keys': '10' } },
     },
 };
+const sampleResourcePolicy = {
+    Version: '2012-10-17',
+    Statement: [
+        {
+            Sid: 'ResourcePolicy1',
+            Effect: 'Allow',
+            Action: 's3:ListBucket',
+            Resource: 'arn:aws:s3:::example-bucket',
+            Condition: { StringLike: { 's3:prefix': 'foo' } },
+            Principal: '*',
+        },
+    ],
+};
 
 const errDict = {
     required: {
@@ -30,45 +44,84 @@ const errDict = {
         Resource: 'Policy statement must contain resources.',
     },
 };
-let policy;
 
-function failRes(errDescription) {
-    const error = Object.assign({}, errors.MalformedPolicyDocument);
+function failRes(policyType, errDescription) {
+    let error;
+    if (policyType === 'user') {
+        error = Object.assign({}, errors.MalformedPolicyDocument);
+    }
+    if (policyType === 'resource') {
+        error = Object.assign({}, errors.MalformedPolicy);
+    }
     error.description = errDescription || error.description;
     return { error, valid: false };
 }
 
-function check(input, expected) {
-    const result = validateUserPolicy(JSON.stringify(input));
+function check(input, expected, policyType) {
+    let result;
+    if (policyType === 'user') {
+        result = validateUserPolicy(JSON.stringify(input));
+    }
+    if (policyType === 'resource') {
+        result = validateResourcePolicy(JSON.stringify(input));
+    }
     assert.deepStrictEqual(result, expected);
 }
 
+let userPolicy;
+let resourcePolicy;
+const user = 'user';
+const resource = 'resource';
+
 beforeEach(() => {
-    policy = JSON.parse(JSON.stringify(samplePolicy));
+    userPolicy = JSON.parse(JSON.stringify(sampleUserPolicy));
+    resourcePolicy = JSON.parse(JSON.stringify(sampleResourcePolicy));
 });
 
 describe('Policies validation - Invalid JSON', () => {
-    it('should return error for invalid JSON', () => {
+    it('should return error for invalid user policy JSON', () => {
         const result = validateUserPolicy('{"Version":"2012-10-17",' +
         '"Statement":{"Effect":"Allow""Action":"s3:PutObject",' +
         '"Resource":"arn:aws:s3*"}}');
-        assert.deepStrictEqual(result, failRes());
+        assert.deepStrictEqual(result, failRes(user));
+    });
+    it('should return error for invaild resource policy JSON', () => {
+        const result = validateResourcePolicy('{"Version":"2012-10-17",' +
+        '"Statement":{"Effect":"Allow""Action":"s3:PutObject",' +
+        '"Resource":"arn:aws:s3*"}}');
+        assert.deepStrictEqual(result, failRes(resource));
     });
 });
 
 describe('Policies validation - Version', () => {
-    it('should validate with version date 2012-10-17', () => {
-        check(policy, successRes);
+    it('should validate user policy with version date 2012-10-17', () => {
+        check(userPolicy, successRes, user);
     });
 
-    it('should return error for other dates', () => {
-        policy.Version = '2012-11-17';
-        check(policy, failRes());
+    it('should validate resource policy with version date 2012-10-17', () => {
+        check(resourcePolicy, successRes, 'resource');
     });
 
-    it('should return error if Version field is missing', () => {
-        policy.Version = undefined;
-        check(policy, failRes(errDict.required.Version));
+    it('user policy should return error for other dates', () => {
+        userPolicy.Version = '2012-11-17';
+        check(userPolicy, failRes(user), user);
+    });
+
+    it('resource policy should return error for other dates', () => {
+        resourcePolicy.Version = '2012-11-17';
+        check(resourcePolicy, failRes(resource), resource);
+    });
+
+    it('should return error if Version field in user policy is missing', () => {
+        userPolicy.Version = undefined;
+        check(userPolicy, failRes(user, errDict.required.Version), user);
+    });
+
+    it('should return error if Version field in resource policy is missing',
+    () => {
+        resourcePolicy.Version = undefined;
+        check(resourcePolicy, failRes(resource, errDict.required.Version),
+            resource);
     });
 });
 
@@ -77,20 +130,24 @@ describe('Policies validation - Principal', () => {
         {
             name: 'an account id',
             value: { AWS: '111111111111' },
+            policyType: [user, resource],
         },
         {
             name: 'anonymous user AWS form',
             value: { AWS: '*' },
+            policyType: [user, resource],
         },
         {
             name: 'an account arn',
             value: { AWS: 'arn:aws:iam::111111111111:root' },
+            policyType: [user, resource],
         },
         {
             name: 'multiple account id',
             value: {
                 AWS: ['111111111111', '111111111112'],
             },
+            policyType: [user, resource],
         },
         {
             name: 'multiple account arn',
@@ -100,14 +157,17 @@ describe('Policies validation - Principal', () => {
                     'arn:aws:iam::111111111112:root',
                 ],
             },
+            policyType: [user, resource],
         },
         {
             name: 'anonymous user as string',
             value: '*',
+            policyType: [user, resource],
         },
         {
             name: 'user arn',
             value: { AWS: 'arn:aws:iam::111111111111:user/alex' },
+            policyType: [user, resource],
         },
         {
             name: 'multiple user arns',
@@ -117,12 +177,14 @@ describe('Policies validation - Principal', () => {
                     'arn:aws:iam::111111111111:user/thibault',
                 ],
             },
+            policyType: [user, resource],
         },
         {
             name: 'role arn',
             value: {
                 AWS: 'arn:aws:iam::111111111111:role/dev',
             },
+            policyType: [user, resource],
         },
         {
             name: 'multiple role arn',
@@ -132,6 +194,7 @@ describe('Policies validation - Principal', () => {
                     'arn:aws:iam::111111111111:role/prod',
                 ],
             },
+            policyType: [user, resource],
         },
         {
             name: 'saml provider',
@@ -139,57 +202,84 @@ describe('Policies validation - Principal', () => {
                 Federated:
                     'arn:aws:iam::111111111111:saml-provider/mysamlprovider',
             },
+            policyType: [user],
         },
         {
             name: 'with backbeat service',
             value: { Service: 'backbeat' },
+            policyType: [user, resource],
+        },
+        {
+            name: 'with canonical user id',
+            value: { CanonicalUser:
+                '1examplecanonicalid12345678909876' +
+                '54321qwerty12345asdfg67890z1x2c' },
+            policyType: [resource],
         },
     ].forEach(test => {
-        it(`should allow principal field with ${test.name}`, () => {
-            policy.Statement.Principal = test.value;
-            delete policy.Statement.Resource;
-            check(policy, successRes);
-        });
+        if (test.policyType.includes(user)) {
+            it(`should allow user policy principal field with ${test.name}`,
+            () => {
+                userPolicy.Statement.Principal = test.value;
+                delete userPolicy.Statement.Resource;
+                check(userPolicy, successRes, user);
+            });
 
-        it(`shoud allow notPrincipal field with ${test.name}`, () => {
-            policy.Statement.NotPrincipal = test.value;
-            delete policy.Statement.Resource;
-            check(policy, successRes);
-        });
+            it(`should allow user policy notPrincipal field with ${test.name}`,
+            () => {
+                userPolicy.Statement.NotPrincipal = test.value;
+                delete userPolicy.Statement.Resource;
+                check(userPolicy, successRes, user);
+            });
+        }
+        if (test.policyType.includes(resource)) {
+            it(`should allow resource policy principal field with ${test.name}`,
+            () => {
+                resourcePolicy.Statement[0].Principal = test.value;
+                check(resourcePolicy, successRes, resource);
+            });
+        }
     });
 
     [
         {
             name: 'wrong format account id',
             value: { AWS: '11111111111z' },
+            policyType: [user, resource],
         },
         {
             name: 'empty string',
             value: '',
+            policyType: [user, resource],
         },
         {
             name: 'anonymous user federated form',
             value: { federated: '*' },
+            policyType: [user, resource],
         },
         {
-            name: 'wildcard in ressource',
+            name: 'wildcard in resource',
             value: { AWS: 'arn:aws:iam::111111111111:user/*' },
+            policyType: [user, resource],
         },
         {
             name: 'a malformed account arn',
             value: { AWS: 'arn:aws:iam::111111111111:' },
+            policyType: [user, resource],
         },
         {
             name: 'multiple malformed account id',
             value: {
                 AWS: ['1111111111z1', '1111z1111112'],
             },
+            policyType: [user, resource],
         },
         {
             name: 'multiple anonymous',
             value: {
                 AWS: ['*', '*'],
             },
+            policyType: [user, resource],
         },
         {
             name: 'multiple malformed account arn',
@@ -199,18 +289,22 @@ describe('Policies validation - Principal', () => {
                     'arn:aws:iam::111111111112:',
                 ],
             },
+            policyType: [user, resource],
         },
         {
             name: 'account id as a string',
             value: '111111111111',
+            policyType: [user, resource],
         },
         {
             name: 'account arn as a string',
             value: 'arn:aws:iam::111111111111:root',
+            policyType: [user, resource],
         },
         {
             name: 'user arn as a string',
             value: 'arn:aws:iam::111111111111:user/alex',
+            policyType: [user, resource],
         },
         {
             name: 'multiple malformed user arns',
@@ -220,12 +314,14 @@ describe('Policies validation - Principal', () => {
                     'arn:aws:iam::111111111111:user/',
                 ],
             },
+            policyType: [user, resource],
         },
         {
             name: 'malformed role arn',
             value: {
                 AWS: 'arn:aws:iam::111111111111:role/',
             },
+            policyType: [user, resource],
         },
         {
             name: 'multiple malformed role arn',
@@ -235,36 +331,84 @@ describe('Policies validation - Principal', () => {
                     'arn:aws:iam::11111111z111:role/prod',
                 ],
             },
+            policyType: [user, resource],
         },
         {
             name: 'saml provider as a string',
             value: 'arn:aws:iam::111111111111:saml-provider/mysamlprovider',
+            policyType: [user],
         },
         {
             name: 'with other service than backbeat',
             value: { Service: 'non-existent-service' },
+            policyType: [user, resource],
+        },
+        {
+            name: 'invalid canonical user',
+            value: { CanonicalUser:
+                '12345invalid-canonical-id$$$//098' +
+                '7654321poiu1q2w3e4r5t6y7u8i9o0p' },
+            policyType: [resource],
         },
     ].forEach(test => {
-        it(`should fail with ${test.name}`, () => {
-            policy.Statement.Principal = test.value;
-            delete policy.Statement.Resource;
-            check(policy, failRes());
-        });
+        if (test.policyType.includes(user)) {
+            it(`user policy should fail with ${test.name}`, () => {
+                userPolicy.Statement.Principal = test.value;
+                delete userPolicy.Statement.Resource;
+                check(userPolicy, failRes(user), user);
+            });
+        }
+        if (test.policyType.includes(resource)) {
+            it(`resource policy should fail with ${test.name}`, () => {
+                resourcePolicy.Statement[0].Principal = test.value;
+                check(resourcePolicy, failRes(resource), resource);
+            });
+        }
     });
 
     it('should not allow Resource field', () => {
-        policy.Statement.Principal = '*';
-        check(policy, failRes());
+        userPolicy.Statement.Principal = '*';
+        check(userPolicy, failRes(user), user);
     });
 });
 
 describe('Policies validation - Statement', () => {
-    it('should succeed for a valid object', () => {
-        check(policy, successRes);
+    [
+        {
+            name: 'should return error for undefined',
+            value: undefined,
+        },
+        {
+            name: 'should return an error for an empty list',
+            value: [],
+        },
+        {
+            name: 'should return an error for an empty object',
+            value: {},
+            errMessage: errDict.required.Action,
+        },
+    ].forEach(test => {
+        it(`user policy ${test.name}`, () => {
+            userPolicy.Statement = test.value;
+            check(userPolicy, failRes(user, test.errMessage), user);
+        });
+
+        it(`resource policy ${test.name}`, () => {
+            resourcePolicy.Statement = test.value;
+            check(resourcePolicy, failRes(resource, test.errMessage), resource);
+        });
     });
 
-    it('should succeed for a valid array', () => {
-        policy.Statement = [
+    it('user policy should succeed for a valid object', () => {
+        check(userPolicy, successRes, user);
+    });
+
+    it('resource policy should succeed for a valid object', () => {
+        check(resourcePolicy, successRes, resource);
+    });
+
+    it('user policy should succeed for a valid object', () => {
+        userPolicy.Statement = [
             {
                 Effect: 'Allow',
                 Action: 's3:PutObject',
@@ -276,255 +420,373 @@ describe('Policies validation - Statement', () => {
                 Resource: 'arn:aws:s3:::my_bucket/uploads/widgetco/*',
             },
         ];
-        check(policy, successRes);
+        check(userPolicy, successRes, user);
     });
 
-    it('should return an error for undefined', () => {
-        policy.Statement = undefined;
-        check(policy, failRes());
+    it('resource policy should succeed for a valid object', () => {
+        resourcePolicy.Statement = [
+            {
+                Effect: 'Allow',
+                Action: 's3:PutObject',
+                Resource: 'arn:aws:s3:::my_bucket/uploads/widgetco/*',
+                Principal: '*',
+            },
+            {
+                Effect: 'Deny',
+                Action: 's3:DeleteObject',
+                Resource: 'arn:aws:s3:::my_bucket/uploads/widgetco/*',
+                Principal: '*',
+            },
+        ];
+        check(resourcePolicy, successRes, resource);
     });
 
-    it('should return an error for an empty list', () => {
-        policy.Statement = [];
-        check(policy, failRes());
-    });
+    [
+        {
+            name: 'should return error for missing a required field - Action',
+            toDelete: ['Action'],
+            expected: 'fail',
+            errMessage: errDict.required.Action,
+        },
+        {
+            name: 'should return error for missing a required field - Effect',
+            toDelete: ['Effect'],
+            expected: 'fail',
+        },
+        {
+            name: 'should return error for missing required field - Resource',
+            toDelete: ['Resource'],
+            expected: 'fail',
+        },
+        {
+            name: 'should return error for missing multiple required fields',
+            toDelete: ['Effect', 'Resource'],
+            expected: 'fail',
+        },
+        {
+            name: 'should succeed w optional fields missing - Sid, Condition',
+            toDelete: ['Sid', 'Condition'],
+            expected: successRes,
+        },
+    ].forEach(test => {
+        it(`user policy ${test.name}`, () => {
+            test.toDelete.forEach(p => delete userPolicy.Statement[p]);
+            if (test.expected === 'fail') {
+                check(userPolicy, failRes(user, test.errMessage), user);
+            } else {
+                check(userPolicy, test.expected, user);
+            }
+        });
 
-    it('should return an error for an empty object', () => {
-        policy.Statement = {};
-        check(policy, failRes(errDict.required.Action));
-    });
-
-    it('should return an error for missing a required field - Action', () => {
-        delete policy.Statement.Action;
-        check(policy, failRes(errDict.required.Action));
-    });
-
-    it('should return an error for missing a required field - Effect', () => {
-        delete policy.Statement.Effect;
-        check(policy, failRes());
-    });
-
-    it('should return an error for missing a required field - Resource', () => {
-        delete policy.Statement.Resource;
-        check(policy, failRes());
-    });
-
-    it('should return an error for missing multiple required fields', () => {
-        delete policy.Statement.Effect;
-        delete policy.Statement.Resource;
-        check(policy, failRes());
-    });
-
-    it('should succeed with optional fields missing - Sid, Condition', () => {
-        delete policy.Statement.Sid;
-        delete policy.Statement.Condition;
-        check(policy, successRes);
+        it(`resource policy ${test.name}`, () => {
+            test.toDelete.forEach(p => delete resourcePolicy.Statement[0][p]);
+            if (test.expected === 'fail') {
+                check(resourcePolicy, failRes(resource, test.errMessage),
+                    resource);
+            } else {
+                check(resourcePolicy, test.expected, resource);
+            }
+        });
     });
 });
 
 describe('Policies validation - Statement::Sid_block', () => {
-    it('should succeed if Sid is any alphanumeric string', () => {
-        check(policy, successRes);
+    it('user policy should succeed if Sid is any alphanumeric string', () => {
+        check(userPolicy, successRes, user);
     });
 
-    it('should fail if Sid is not a valid format', () => {
-        policy.Statement.Sid = 'foo bar()';
-        check(policy, failRes());
+    it('resource policy should succeed if Sid is any alphanumeric string',
+    () => {
+        check(resourcePolicy, successRes, resource);
     });
 
-    it('should fail if Sid is not a string', () => {
-        policy.Statement.Sid = 1234;
-        check(policy, failRes());
+    it('user policy should fail if Sid is not a valid format', () => {
+        userPolicy.Statement.Sid = 'foo bar()';
+        check(userPolicy, failRes(user), user);
+    });
+
+    it('resource policy should fail if Sid is not a valid format', () => {
+        resourcePolicy.Statement[0].Sid = 'foo bar()';
+        check(resourcePolicy, failRes(resource), resource);
+    });
+
+    it('user policy should fail if Sid is not a string', () => {
+        userPolicy.Statement.Sid = 1234;
+        check(userPolicy, failRes(user), user);
+    });
+
+    it('resource policy should fail if Sid is not a string', () => {
+        resourcePolicy.Statement[0].Sid = 1234;
+        check(resourcePolicy, failRes(resource), resource);
     });
 });
 
 describe('Policies validation - Statement::Effect_block', () => {
-    it('should succeed for Allow', () => {
-        check(policy, successRes);
+    it('user policy should succeed for Allow', () => {
+        check(userPolicy, successRes, user);
     });
 
-    it('should succeed for Deny', () => {
-        policy.Statement.Effect = 'Deny';
-        check(policy, successRes);
+    it('resource policy should succeed for Allow', () => {
+        check(resourcePolicy, successRes, resource);
     });
 
-    it('should fail for strings other than Allow/Deny', () => {
-        policy.Statement.Effect = 'Reject';
-        check(policy, failRes());
+    it('user policy should succeed for Deny', () => {
+        userPolicy.Statement.Effect = 'Deny';
+        check(userPolicy, successRes, user);
     });
 
-    it('should fail if Effect is not a string', () => {
-        policy.Statement.Effect = 1;
-        check(policy, failRes());
+    it('resource policy should succeed for Deny', () => {
+        resourcePolicy.Statement[0].Effect = 'Deny';
+        check(resourcePolicy, successRes, resource);
+    });
+
+    it('user policy should fail for strings other than Allow/Deny', () => {
+        userPolicy.Statement.Effect = 'Reject';
+        check(userPolicy, failRes(user), user);
+    });
+
+    it('resource policy should fail for strings other than Allow/Deny', () => {
+        resourcePolicy.Statement[0].Effect = 'Reject';
+        check(resourcePolicy, failRes(resource), resource);
+    });
+
+    it('user policy should fail if Effect is not a string', () => {
+        userPolicy.Statement.Effect = 1;
+        check(userPolicy, failRes(user), user);
+    });
+
+    it('resource policy should fail if Effect is not a string', () => {
+        resourcePolicy.Statement[0].Effect = 1;
+        check(resourcePolicy, failRes(resource), resource);
     });
 });
 
-describe('Policies validation - Statement::Action_block/' +
+const actionTests = [
+    {
+        name: 'should succeed for foo:bar',
+        value: 'foo:bar',
+        expected: successRes,
+    },
+    {
+        name: 'should succeed for foo:*',
+        value: 'foo:*',
+        expected: successRes,
+    },
+    {
+        name: 'should succeed for *',
+        value: '*',
+        expected: successRes,
+    },
+    {
+        name: 'should fail for **',
+        value: '**',
+        expected: 'fail',
+        errMessage: errDict.pattern.Action,
+    },
+    {
+        name: 'should fail for foobar',
+        value: 'foobar',
+        expected: 'fail',
+        errMessage: errDict.pattern.Action,
+    },
+];
+
+describe('User policies validation - Statement::Action_block/' +
     'Statement::NotAction_block', () => {
     beforeEach(() => {
-        policy.Statement.Action = undefined;
-        policy.Statement.NotAction = undefined;
+        userPolicy.Statement.Action = undefined;
+        userPolicy.Statement.NotAction = undefined;
     });
 
-    it('should succeed for foo:bar', () => {
-        policy.Statement.Action = 'foo:bar';
-        check(policy, successRes);
+    actionTests.forEach(test => {
+        it(`${test.name}`, () => {
+            userPolicy.Statement.Action = test.value;
+            if (test.expected === 'fail') {
+                check(userPolicy, failRes(user, test.errMessage), user);
+            } else {
+                check(userPolicy, test.expected, user);
+            }
 
-        policy.Statement.Action = undefined;
-        policy.Statement.NotAction = 'foo:bar';
-        check(policy, successRes);
-    });
-
-    it('should succeed for foo:*', () => {
-        policy.Statement.Action = 'foo:*';
-        check(policy, successRes);
-
-        policy.Statement.Action = undefined;
-        policy.Statement.NotAction = 'foo:*';
-        check(policy, successRes);
-    });
-
-    it('should succeed for *', () => {
-        policy.Statement.Action = '*';
-        check(policy, successRes);
-
-        policy.Statement.Action = undefined;
-        policy.Statement.NotAction = '*';
-        check(policy, successRes);
-    });
-
-    it('should fail for **', () => {
-        policy.Statement.Action = '**';
-        check(policy, failRes(errDict.pattern.Action));
-
-        policy.Statement.Action = undefined;
-        policy.Statement.NotAction = '**';
-        check(policy, failRes(errDict.pattern.Action));
-    });
-
-    it('should fail for foobar', () => {
-        policy.Statement.Action = 'foobar';
-        check(policy, failRes(errDict.pattern.Action));
-
-        policy.Statement.Action = undefined;
-        policy.Statement.NotAction = 'foobar';
-        check(policy, failRes(errDict.pattern.Action));
+            userPolicy.Statement.Action = undefined;
+            userPolicy.Statement.NotAction = test.value;
+            if (test.expected === 'fail') {
+                check(userPolicy, failRes(user, test.errMessage), user);
+            } else {
+                check(userPolicy, test.expected, user);
+            }
+        });
     });
 });
 
-describe('Policies validation - Statement::Resource_block' +
+describe('Resource policies validation - Statement::Action_block', () => {
+    actionTests.forEach(test => {
+        it(`${test.name}`, () => {
+            resourcePolicy.Statement[0].Action = test.value;
+            if (test.expected === 'fail') {
+                check(resourcePolicy, failRes(resource, test.errMessage),
+                    resource);
+            } else {
+                check(resourcePolicy, test.expected, resource);
+            }
+        });
+    });
+});
+
+const resourceTests = [
+    {
+        name: 'should succeed for arn:aws::s3:::*',
+        value: 'arn:aws:s3:::*',
+        expected: successRes,
+    },
+    {
+        name: 'should succeed for arn:aws:s3:::test/home/${aws:username}',
+        value: 'arn:aws:s3:::test/home/${aws:username}',
+        expected: successRes,
+    },
+    {
+        name: 'should succeed for arn:aws:ec2:us-west-1:1234567890:vol/*',
+        value: 'arn:aws:ec2:us-west-1:1234567890:vol/*',
+        expected: successRes,
+    },
+    {
+        name: 'should succeed for *',
+        value: '*',
+        expected: successRes,
+    },
+    {
+        name: 'should fail for arn:aws:ec2:us-west-1:vol/* - missing region',
+        value: 'arn:aws:ec2:us-west-1:vol/*',
+        expected: 'fail',
+        errMessage: errDict.pattern.Resource,
+    },
+    {
+        name: 'should fail for arn:aws:ec2:us-west-1:123456789:v/${} - ${}',
+        value: 'arn:aws:ec2:us-west-1:123456789:v/${}',
+        expected: 'fail',
+        errMessage: errDict.pattern.Resource,
+    },
+    {
+        name: 'should fail for ec2:us-west-1:qwerty:vol/* - missing arn:aws:',
+        value: 'ec2:us-west-1:123456789012:vol/*',
+        expected: 'fail',
+        errMessage: errDict.pattern.Resource,
+    },
+];
+
+describe('User policies validation - Statement::Resource_block' +
     'Statement::NotResource_block', () => {
     beforeEach(() => {
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = undefined;
+        userPolicy.Statement.Resource = undefined;
+        userPolicy.Statement.NotResource = undefined;
     });
 
-    it('should succeed for arn:aws:s3:::*', () => {
-        policy.Statement.Resource = 'arn:aws:s3:::*';
-        check(policy, successRes);
+    resourceTests.forEach(test => {
+        it(`${test.name}`, () => {
+            userPolicy.Statement.Resource = test.value;
+            if (test.expected === 'fail') {
+                check(userPolicy, failRes(user, test.errMessage), user);
+            } else {
+                check(userPolicy, test.expected, user);
+            }
 
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = 'arn:aws:s3:::*';
-        check(policy, successRes);
-    });
-
-    it('should succeed for arn:aws:s3:::test/home/${aws:username}', () => {
-        policy.Statement.Resource = 'arn:aws:s3:::test/home/${aws:username}';
-        check(policy, successRes);
-
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = 'arn:aws:s3:::test/home/${aws:username}';
-        check(policy, successRes);
-    });
-
-    it('should succeed for arn:aws:ec2:us-west-1:1234567890:vol/*', () => {
-        policy.Statement.Resource = 'arn:aws:ec2:us-west-1:1234567890:vol/*';
-        check(policy, successRes);
-
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = 'arn:aws:ec2:us-west-1:1234567890:vol/*';
-        check(policy, successRes);
-    });
-
-    it('should succeed for *', () => {
-        policy.Statement.Resource = '*';
-        check(policy, successRes);
-
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = '*';
-        check(policy, successRes);
-    });
-
-    it('should fail for arn:aws:ec2:us-west-1:vol/* - missing region', () => {
-        policy.Statement.Resource = 'arn:aws:ec2:1234567890:vol/*';
-        check(policy, failRes(errDict.pattern.Resource));
-
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = 'arn:aws:ec2:1234567890:vol/*';
-        check(policy, failRes(errDict.pattern.Resource));
-    });
-
-    it('should fail for arn:aws:ec2:us-west-1:123456789:v/${} - ${}', () => {
-        policy.Statement.Resource = 'arn:aws:ec2:us-west-1:123456789:v/${}';
-        check(policy, failRes(errDict.pattern.Resource));
-
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = 'arn:aws:ec2:us-west-1:123456789:v/${}';
-        check(policy, failRes(errDict.pattern.Resource));
-    });
-
-    it('should fail for ec2:us-west-1:qwerty:vol/* - missing arn:aws:', () => {
-        policy.Statement.Resource = 'ec2:us-west-1:123456789012:vol/*';
-        check(policy, failRes(errDict.pattern.Resource));
-
-        policy.Statement.Resource = undefined;
-        policy.Statement.NotResource = 'ec2:us-west-1:123456789012:vol/*';
-        check(policy, failRes(errDict.pattern.Resource));
+            userPolicy.Statement.Resource = undefined;
+            userPolicy.Statement.NotResource = test.value;
+            if (test.expected === 'fail') {
+                check(userPolicy, failRes(user, test.errMessage), user);
+            } else {
+                check(userPolicy, test.expected, user);
+            }
+        });
     });
 
     it('should fail for empty list of resources', () => {
-        policy.Statement.Resource = [];
-        check(policy, failRes(errDict.minItems.Resource));
+        userPolicy.Statement.Resource = [];
+        check(userPolicy, failRes(user, errDict.minItems.Resource), user);
+    });
+});
+
+describe('Resource policies validation - Statement::Resource_block', () => {
+    resourceTests.forEach(test => {
+        it(`${test.name}`, () => {
+            resourcePolicy.Statement[0].Resource = test.value;
+            if (test.expected === 'fail') {
+                check(resourcePolicy, failRes(resource, test.errMessage),
+                    resource);
+            } else {
+                check(resourcePolicy, test.expected, resource);
+            }
+        });
+    });
+
+    it('should fail for empty list of resources', () => {
+        resourcePolicy.Statement[0].Resource = [];
+        check(resourcePolicy, failRes(resource, errDict.minItems.Resource),
+            resource);
     });
 });
 
 describe('Policies validation - Statement::Condition_block', () => {
-    it('should succeed for single Condition', () => {
-        check(policy, successRes);
+    it('user policy should succeed for single Condition', () => {
+        check(userPolicy, successRes, user);
     });
 
-    it('should succeed for multiple Conditions', () => {
-        policy.Statement.Condition = {
-            StringNotLike: { 's3:prefix': ['Development/*'] },
-            Null: { 's3:prefix': false },
-        };
-        check(policy, successRes);
+    it('resource policy should succeed for single Condition', () => {
+        check(resourcePolicy, successRes, resource);
     });
 
-    it('should fail when Condition is not an Object', () => {
-        policy.Statement.Condition = 'NumericLessThanEquals';
-        check(policy, failRes());
-    });
+    [
+        {
+            name: 'should succeed for multiple Conditions',
+            value: {
+                StringNotLike: { 's3:prefix': ['Development/*'] },
+                Null: { 's3:prefix': false },
+            },
+            expected: successRes,
+        },
+        {
+            name: 'should fail when Condition is not an Object',
+            value: 'NumericLessThanEquals',
+            expected: 'fail',
+        },
+        {
+            name: 'should fail for an invalid Condition',
+            value: {
+                SomethingLike: { 's3:prefix': ['Development/*'] },
+            },
+            expected: 'fail',
+        },
+        {
+            name: 'should fail when one of the multiple conditions is invalid',
+            value: {
+                Null: { 's3:prefix': false },
+                SomethingLike: { 's3:prefix': ['Development/*'] },
+            },
+            expected: 'fail',
+        },
+        {
+            name: 'should fail when invalid property is assigned',
+            value: {
+                SomethingLike: { 's3:prefix': ['Development/*'] },
+            },
+            expected: 'fail',
+        },
+    ].forEach(test => {
+        it(`user policy ${test.name}`, () => {
+            userPolicy.Statement.Condition = test.value;
+            if (test.expected === 'fail') {
+                check(userPolicy, failRes(user), user);
+            } else {
+                check(userPolicy, test.expected, user);
+            }
+        });
 
-    it('should fail for an invalid Condition', () => {
-        policy.Statement.Condition = {
-            SomethingLike: { 's3:prefix': ['Development/*'] },
-        };
-        check(policy, failRes());
-    });
-
-    it('should fail when one of the multiple conditions is invalid', () => {
-        policy.Statement.Condition = {
-            Null: { 's3:prefix': false },
-            SomethingLike: { 's3:prefix': ['Development/*'] },
-        };
-        check(policy, failRes());
-    });
-
-    it('should fail when invalid property is assigned', () => {
-        policy.Condition = {
-            SomethingLike: { 's3:prefix': ['Development/*'] },
-        };
-        check(policy, failRes());
+        it(`resource policy ${test.name}`, () => {
+            resourcePolicy.Statement[0].Condition = test.value;
+            if (test.expected === 'fail') {
+                check(resourcePolicy, failRes(resource), resource);
+            } else {
+                check(resourcePolicy, test.expected, resource);
+            }
+        });
     });
 });

tests/unit/policyEvaluator.js

@@ -1161,6 +1161,85 @@ describe('policyEvaluator', () => {
                 };
                 check(requestContext, rcModifiers, policy, 'Neutral');
             });
+
+            it('should allow with StringEquals operator and ExistingObjectTag ' +
+            'key if meet condition', () => {
+                policy.Statement.Condition = {
+                    StringEquals: { 's3:ExistingObjectTag/tagKey': 'tagValue' },
+                };
+                const rcModifiers = {
+                    _existingObjTag: 'tagKey=tagValue',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Allow');
+            });
+
+            it('should allow StringEquals operator and RequestObjectTag ' +
+            'key if meet condition', () => {
+                policy.Statement.Condition = {
+                    StringEquals: { 's3:RequestObjectTagKey/tagKey': 'tagValue' },
+                };
+                const rcModifiers = {
+                    _requestObjTags: 'tagKey=tagValue',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Allow');
+            });
+
+            it('should allow with ForAnyValue prefix if meet condition', () => {
+                policy.Statement.Condition = {
+                    'ForAnyValue:StringLike': { 's3:RequestObjectTagKeys': ['tagOne', 'tagTwo'] },
+                };
+                const rcModifiers = {
+                    _requestObjTags: 'tagOne=keyOne&tagThree=keyThree',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Allow');
+            });
+
+            it('should allow with ForAllValues prefix if meet condition', () => {
+                policy.Statement.Condition = {
+                    'ForAllValues:StringLike': { 's3:RequestObjectTagKeys': ['tagOne', 'tagTwo'] },
+                };
+                const rcModifiers = {
+                    _requestObjTags: 'tagOne=keyOne&tagTwo=keyTwo',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Allow');
+            });
+
+            it('should not allow with ForAnyValue prefix if do not meet condition', () => {
+                policy.Statement.Condition = {
+                    'ForAnyValue:StringLike': { 's3:RequestObjectTagKeys': ['tagOne', 'tagTwo'] },
+                };
+                const rcModifiers = {
+                    _requestObjTags: 'tagThree=keyThree&tagFour=keyFour',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Neutral');
+            });
+
+            it('should not allow with ForAllValues prefix if do not meet condition', () => {
+                policy.Statement.Condition = {
+                    'ForAllValues:StringLike': { 's3:RequestObjectTagKeys': ['tagOne', 'tagTwo'] },
+                };
+                const rcModifiers = {
+                    _requestObjTags: 'tagThree=keyThree&tagFour=keyFour',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Neutral');
+            });
+
+            it('should be neutral with StringEquals if condition key does not exist', () => {
+                policy.Statement.Condition = {
+                    StringEquals: { 's3:Foobar/tagKey': 'tagValue' },
+                };
+                const rcModifiers = {
+                    _requestObjTags: 'tagKey=tagValue',
+                    _needTagEval: true,
+                };
+                check(requestContext, rcModifiers, policy, 'Neutral');
+            });
         });
     });
 

tests/unit/s3middleware/objectLegalHold.js

@@ -0,0 +1,92 @@
+const assert = require('assert');
+const { convertToXml, parseLegalHoldXml } =
+    require('../../../lib/s3middleware/objectLegalHold');
+const DummyRequestLogger = require('../helpers').DummyRequestLogger;
+
+const log = new DummyRequestLogger();
+
+const failTests = [
+    {
+        description: 'should fail with empty status',
+        params: { status: '' },
+        error: 'MalformedXML',
+        errMessage: 'request xml does not contain Status',
+    },
+    {
+        description: 'should fail with invalid status "on"',
+        params: { status: 'on' },
+        error: 'MalformedXML',
+        errMessage: 'Status request xml must be one of "ON", "OFF"',
+    },
+    {
+        description: 'should fail with invalid status "On"',
+        params: { status: 'On' },
+        error: 'MalformedXML',
+        errMessage: 'Status request xml must be one of "ON", "OFF"',
+    },
+    {
+        description: 'should fail with invalid status "off"',
+        params: { status: 'off' },
+        error: 'MalformedXML',
+        errMessage: 'Status request xml must be one of "ON", "OFF"',
+    },
+    {
+        description: 'should fail with invalid status "Off"',
+        params: { status: 'Off' },
+        error: 'MalformedXML',
+        errMessage: 'Status request xml must be one of "ON", "OFF"',
+    },
+];
+
+const generateXml = status =>
+    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' +
+    `<LegalHold><Status>${status}</Status></LegalHold>`;
+
+describe('object legal hold helpers: parseLegalHoldXml', () => {
+    failTests.forEach(test => {
+        it(test.description, done => {
+            const status = test.params.status;
+            parseLegalHoldXml(generateXml(status), log, err => {
+                assert(err[test.error]);
+                assert.strictEqual(err.description, test.errMessage);
+                done();
+            });
+        });
+    });
+
+    it('should pass with legal hold status "ON"', done => {
+        parseLegalHoldXml(generateXml('ON'), log, (err, result) => {
+            assert.ifError(err);
+            assert.strictEqual(result, true);
+            done();
+        });
+    });
+
+    it('should pass with legal hold status "OFF"', done => {
+        parseLegalHoldXml(generateXml('OFF'), log, (err, result) => {
+            assert.ifError(err);
+            assert.strictEqual(result, false);
+            done();
+        });
+    });
+});
+
+describe('object legal hold helpers: convertToXml', () => {
+    it('should return correct xml when legal hold status "ON"', () => {
+        const xml = convertToXml(true);
+        const expextedXml = generateXml('ON');
+        assert.strictEqual(xml, expextedXml);
+    });
+
+    it('should return correct xml when legal hold status "OFF"', () => {
+        const xml = convertToXml(false);
+        const expextedXml = generateXml('OFF');
+        assert.strictEqual(xml, expextedXml);
+    });
+
+    it('should return empty string when legal hold not set', () => {
+        const xml = convertToXml(undefined);
+        const expextedXml = '';
+        assert.strictEqual(xml, expextedXml);
+    });
+});

tests/unit/s3middleware/objectRetention.js

@@ -0,0 +1,127 @@
+const assert = require('assert');
+const {
+    parseRetentionXml,
+    convertToXml,
+} = require('../../../lib/s3middleware/objectRetention');
+const DummyRequestLogger = require('../helpers').DummyRequestLogger;
+
+const log = new DummyRequestLogger();
+
+const date = new Date();
+date.setDate(date.getDate() + 1);
+const failDate = new Date('05/01/2020');
+const passDate = new Date();
+passDate.setDate(passDate.getDate() + 2);
+
+
+function buildXml(key, value) {
+    const mode = key === 'Mode' ?
+        `<Mode>${value}</Mode>` :
+        '<Mode>GOVERNANCE</Mode>';
+    const retainDate = key === 'RetainDate' ?
+        `<RetainUntilDate>${value}</RetainUntilDate>` :
+        `<RetainUntilDate>${date}</RetainUntilDate>`;
+    const retention = key === 'Retention' ?
+        `<Retention>${value}</Retention>` :
+        `<Retention>${mode}${retainDate}</Retention>`;
+    return retention;
+}
+
+const expectedRetention = {
+    mode: 'GOVERNANCE',
+    date: passDate.toISOString(),
+};
+
+const expectedXml =
+    '<Retention xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    '<Mode>GOVERNANCE</Mode>' +
+    `<RetainUntilDate>${passDate.toISOString()}</RetainUntilDate>` +
+    '</Retention>';
+
+const failTests = [
+    {
+        name: 'should fail with empty retention',
+        params: { key: 'Retention', value: '' },
+        error: 'MalformedXML',
+        errMessage: 'request xml does not contain Retention',
+    },
+    {
+        name: 'should fail with empty mode',
+        params: { key: 'Mode', value: '' },
+        error: 'MalformedXML',
+        errMessage: 'request xml does not contain Mode',
+    },
+    {
+        name: 'should fail with empty retain until date',
+        params: { key: 'RetainDate', value: '' },
+        error: 'MalformedXML',
+        errMessage: 'request xml does not contain RetainUntilDate',
+    },
+    {
+        name: 'should fail with invalid mode',
+        params: { key: 'Mode', value: 'GOVERPLIANCE' },
+        error: 'MalformedXML',
+        errMessage: 'Mode request xml must be one of "GOVERNANCE", ' +
+            '"COMPLIANCE"',
+    },
+    {
+        name: 'should fail with retain until date in UTC format',
+        params: { key: 'RetainDate', value: `${date.toUTCString()}` },
+        error: 'InvalidRequest',
+        errMessage: 'RetainUntilDate timestamp must be ISO-8601 format',
+    },
+    {
+        name: 'should fail with retain until date in GMT format',
+        params: { key: 'RetainDate', value: `${date.toString()}` },
+        error: 'InvalidRequest',
+        errMessage: 'RetainUntilDate timestamp must be ISO-8601 format',
+    },
+    {
+        name: 'should fail with retain until date in past',
+        params: { key: 'RetainDate', value: failDate.toISOString() },
+        error: 'InvalidRequest',
+        errMessage: 'RetainUntilDate must be in the future',
+    },
+];
+
+describe('object Retention validation', () => {
+    failTests.forEach(t => {
+        it(t.name, done => {
+            parseRetentionXml(buildXml(t.params.key, t.params.value), log,
+            err => {
+                assert(err[t.error]);
+                assert.strictEqual(err.description, t.errMessage);
+                done();
+            });
+        });
+    });
+
+    it('should pass with valid retention', done => {
+        parseRetentionXml(buildXml('RetainDate', passDate.toISOString()), log,
+        (err, result) => {
+            assert.ifError(err);
+            assert.deepStrictEqual(result, expectedRetention);
+            done();
+        });
+    });
+});
+
+describe('object Retention xml', () => {
+    it('should return empty string if no retention date', done => {
+        const xml = convertToXml('GOVERNANCE', '');
+        assert.equal(xml, '');
+        done();
+    });
+
+    it('should return empty string if no retention mode', done => {
+        const xml = convertToXml('', passDate.toISOString());
+        assert.equal(xml, '');
+        done();
+    });
+
+    it('should return xml string', done => {
+        const xml = convertToXml('GOVERNANCE', passDate.toISOString());
+        assert.strictEqual(xml, expectedXml);
+        done();
+    });
+});

tests/utils/kmip/LoopbackServerChannel.js

@@ -0,0 +1,372 @@
+'use strict'; // eslint-disable-line strict
+/* eslint new-cap: "off" */
+/* eslint dot-notation: "off" */
+
+const assert = require('assert');
+const crypto = require('crypto');
+const uuidv4 = require('uuid/v4');
+
+const {
+    EchoChannel,
+    logger,
+} = require('./ersatz.js');
+
+const expectedObjectType = 'Symmetric Key';
+const expectedAlgorithm = 'AES';
+const expectedLength = 256;
+const expectedBlockCipherMode = 'CBC';
+const expectedPaddingMethod = 'PKCS5';
+const expectedIV = Buffer.alloc(16).fill(0);
+const versionMajor = 1;
+const versionMinor = 4;
+const vendorIdentification = 'Scality Loopback KMIP Server';
+const serverExtensions = [
+    {
+        name: 'Security Level',
+        tag: 0x541976,
+        type: 7,
+        value: 'Gangsta Grade',
+    },
+    {
+        name: 'Prefered Algorithm',
+        tag: 0x542008,
+        type: 7,
+        value: 'Kevin Bacon',
+    },
+    {
+        name: 'Yo Dawg',
+        tag: 0x542011,
+        type: 7,
+        value: 'I heard you like kmip, so I put a server in your client ' +
+            'so you can do both ends of the conversation while you are ' +
+            'talking about server side encryption',
+    },
+];
+
+
+class DummyServerTransport {
+    registerHandshakeFunction() {
+        throw new Error('DummyServerTransport::registerHandshakeFunction: ' +
+                        'Client side operations not implemented');
+    }
+    send() {
+        throw new Error('DummyServerTransport::send: ' +
+                        'Client side operations not implemented');
+    }
+}
+
+
+class LoopbackServerChannel extends EchoChannel {
+    constructor(KMIPClass, Codec, options) {
+        super();
+        this.options = options || {
+            kmip: {
+                codec: {},
+                transport: {},
+            },
+        };
+        this.KMIP = KMIPClass;
+        this.kmip = new KMIPClass(Codec, DummyServerTransport,
+                                  this.options);
+        serverExtensions.forEach(extension => {
+            this.kmip.mapExtension(extension.name, extension.tag);
+        });
+        this.managedKeys = {};
+    }
+
+    write(data) {
+        const request = this.kmip._decodeMessage(logger, data);
+        const requestOperation = request.lookup(
+            'Request Message/Batch Item/Operation')[0];
+        this.routeRequest(
+            requestOperation, request, (err, responsePayload) => {
+                const uniqueBatchItemID = request.lookup(
+                    'Request Message/Batch Item/Unique Batch Item ID')[0];
+                const requestProtocolVersionMinor = request.lookup(
+                    'Request Message/Request Header/Protocol Version/' +
+                        'Protocol Version Minor')[0];
+                const requestProtocolVersionMajor = request.lookup(
+                    'Request Message/Request Header/Protocol Version/' +
+                        'Protocol Version Major')[0];
+
+                let result;
+                if (err) {
+                    logger.error('Request processing failed', { error: err });
+                    result = err;
+                } else {
+                    result = [
+                        this.KMIP.Enumeration('Result Status', 'Success'),
+                        this.KMIP.Structure('Response Payload',
+                                            responsePayload),
+                    ];
+                }
+
+                const response = this.KMIP.Message([
+                    this.KMIP.Structure('Response Message', [
+                        this.KMIP.Structure('Response Header', [
+                            this.KMIP.Structure('Protocol Version', [
+                                this.KMIP.Integer('Protocol Version Major',
+                                                  requestProtocolVersionMajor),
+                                this.KMIP.Integer('Protocol Version Minor',
+                                                  requestProtocolVersionMinor),
+                            ]),
+                            this.KMIP.DateTime('Time Stamp', new Date),
+                            this.KMIP.Integer('Batch Count', 1),
+                        ]),
+                        this.KMIP.Structure('Batch Item', [
+                            this.KMIP.Enumeration('Operation',
+                                                  requestOperation),
+                            this.KMIP.ByteString('Unique Batch Item ID',
+                                                 uniqueBatchItemID),
+                            ...result,
+                        ]),
+                    ]),
+                ]);
+                super.write(this.kmip._encodeMessage(response));
+            });
+        return this;
+    }
+
+    errorResponse(reason, message) {
+        return [
+            this.KMIP.Enumeration('Result Status', 'Operation Failed'),
+            this.KMIP.Enumeration('Result Reason', reason),
+            this.KMIP.Enumeration('Result Message', message),
+        ];
+    }
+
+    routeRequest(operation, request, cb) {
+        switch (operation) {
+        case 'Query': return this.routeQuery(request, cb);
+        case 'Discover Versions':
+            return this.routeDiscoverVersions(request, cb);
+        case 'Create': return this.routeCreate(request, cb);
+        case 'Activate': return this.routeActivate(request, cb);
+        case 'Encrypt': return this.routeEncrypt(request, cb);
+        case 'Decrypt': return this.routeDecrypt(request, cb);
+        case 'Revoke': return this.routeRevoke(request, cb);
+        case 'Destroy': return this.routeDestroy(request, cb);
+        default: return cb(new Error(`Unknown Operation: ${operation}`));
+        }
+    }
+
+    routeQuery(request, cb) {
+        const queryFunctions = request.lookup(
+            'Request Message/Batch Item/Request Payload/Query Function');
+        const response = [];
+        if (queryFunctions.includes('Query Operations')) {
+            response.push(
+                this.KMIP.Enumeration('Operation', 'Query'),
+                this.KMIP.Enumeration('Operation', 'Discover Versions'),
+                this.KMIP.Enumeration('Operation', 'Create'),
+                this.KMIP.Enumeration('Operation', 'Activate'),
+                this.KMIP.Enumeration('Operation', 'Encrypt'),
+                this.KMIP.Enumeration('Operation', 'Decrypt'),
+                this.KMIP.Enumeration('Operation', 'Revoke'),
+                this.KMIP.Enumeration('Operation', 'Destroy'));
+        }
+        if (queryFunctions.includes('Query Objects')) {
+            response.push(
+                this.KMIP.Enumeration('Object Type', 'Symmetric Key'));
+        }
+        if (queryFunctions.includes('Query Server Information')) {
+            response.push(
+                this.KMIP.TextString('Vendor Identification',
+                                     vendorIdentification),
+                this.KMIP.Structure('Server Information',
+                                    serverExtensions.map(extension =>
+                                                         this.KMIP.TextString(
+                                                             extension.name,
+                                                             extension.value)
+                                                        )));
+        }
+        if (queryFunctions.includes('Query Extension Map')) {
+            serverExtensions.forEach(extension => {
+                response.push(
+                    this.KMIP.Structure('Extension Information', [
+                        this.KMIP.TextString('Extension Name', extension.name),
+                        this.KMIP.Integer('Extension Tag', extension.tag),
+                        /* 7 is KMIP TextString, not really used anyway in
+                         * this implenetation, it could be anything
+                         * without changing the behavior of the client code. */
+                        this.KMIP.Integer('Extension Type', 7),
+                    ]));
+            });
+        }
+        return cb(null, response);
+    }
+
+    routeDiscoverVersions(request, cb) {
+        const response = [
+            this.KMIP.Structure('Protocol Version', [
+                this.KMIP.Integer('Protocol Version Major', versionMajor),
+                this.KMIP.Integer('Protocol Version Minor', versionMinor),
+            ]),
+        ];
+        return cb(null, response);
+    }
+
+    routeCreate(request, cb) {
+        let cryptographicAlgorithm;
+        let cryptographicLength;
+        let cryptographicUsageMask;
+        let activationDate;
+        const attributes = request.lookup(
+            'Request Message/Batch Item/Request Payload/Template-Attribute')[0];
+        attributes.forEach(item => {
+            const attribute = item['Attribute'];
+            const attributeValue = attribute.value[1]['Attribute Value'];
+            const diversion = attributeValue.diversion;
+            const value = attributeValue.value;
+            switch (diversion) {
+            case 'Cryptographic Algorithm':
+                assert(!cryptographicAlgorithm);
+                cryptographicAlgorithm = value;
+                break;
+            case 'Cryptographic Length':
+                assert(!cryptographicLength);
+                cryptographicLength = value;
+                break;
+            case 'Cryptographic Usage Mask':
+                assert(!cryptographicUsageMask);
+                cryptographicUsageMask = value;
+                break;
+            case 'Activation Date':
+                assert(!activationDate);
+                activationDate = value;
+                break;
+            default:
+            }
+        });
+        const decodedUsageMask =
+              this.kmip.decodeMask('Cryptographic Usage Mask',
+                                   cryptographicUsageMask);
+        assert(cryptographicAlgorithm === expectedAlgorithm);
+        assert(cryptographicLength === expectedLength);
+        assert(decodedUsageMask.includes('Encrypt'));
+        assert(decodedUsageMask.includes('Decrypt'));
+        const key = Buffer.from(crypto.randomBytes(cryptographicLength / 8));
+        const keyIdentifier = uuidv4();
+        this.managedKeys[keyIdentifier] = {
+            key,
+            activationDate,
+        };
+        const response = [
+            this.KMIP.Enumeration('Object Type', expectedObjectType),
+            this.KMIP.TextString('Unique Identifier', keyIdentifier),
+        ];
+        return cb(null, response);
+    }
+
+    routeActivate(request, cb) {
+        const keyIdentifier = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Unique Identifier') || [undefined])[0];
+        this.managedKeys[keyIdentifier].activationDate =
+            new Date;
+        const response = [
+            this.KMIP.TextString('Unique Identifier', keyIdentifier),
+        ];
+        return cb(null, response);
+    }
+
+    _getIvCounterNonce(request) {
+        /* Having / in the path is not a good idea for the server side.
+         * Because of this, Message::lookup() cannot be directly used to
+         * extract the IV, hence this function */
+        const requestPayload = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload')
+                || [undefined])[0];
+        let ivCounterNonce;
+        requestPayload.forEach(attr => {
+            const ivCounterNonceAttr = attr['IV/Counter/Nonce'];
+            if (ivCounterNonceAttr) {
+                ivCounterNonce = ivCounterNonceAttr.value;
+            }
+        });
+        return ivCounterNonce;
+    }
+
+    _transform(cipherFunc, request, cb) {
+        const keyIdentifier = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Unique Identifier') || [undefined])[0];
+        const blockCipherMode = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Cryptographic Parameters/Block Cipher Mode')
+                || [undefined])[0];
+        const paddingMethod = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Cryptographic Parameters/Padding Method')
+                || [undefined])[0];
+        const cryptographicAlgorithm = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Cryptographic Parameters/Cryptographic Algorithm')
+                || [undefined])[0];
+        const ivCounterNonce = this._getIvCounterNonce(request);
+        const data = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Data')
+                || [undefined])[0];
+        assert(blockCipherMode === expectedBlockCipherMode);
+        assert(paddingMethod === expectedPaddingMethod);
+        assert(cryptographicAlgorithm === expectedAlgorithm);
+        assert(expectedIV.compare(ivCounterNonce) === 0);
+        const keySpec = this.managedKeys[keyIdentifier];
+        const now = new Date;
+        assert(keySpec.activationDate && keySpec.activationDate <= now);
+        const cipher = cipherFunc('aes-256-cbc', keySpec.key, ivCounterNonce);
+        let cipheredData = cipher.update(data);
+        const final = cipher.final();
+        if (final.length !== 0) {
+            cipheredData = Buffer.concat([cipheredData, final]);
+        }
+        const response = [
+            this.KMIP.TextString('Unique Identifier', keyIdentifier),
+            this.KMIP.ByteString('Data', cipheredData),
+        ];
+        return cb(null, response);
+    }
+
+    routeEncrypt(request, cb) {
+        return this._transform(crypto.createCipheriv, request, cb);
+    }
+
+    routeDecrypt(request, cb) {
+        return this._transform(crypto.createDecipheriv, request, cb);
+    }
+
+    routeRevoke(request, cb) {
+        const keyIdentifier = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Unique Identifier') || [undefined])[0];
+        this.managedKeys[keyIdentifier].activationDate = null;
+        const response = [
+            this.KMIP.TextString('Unique Identifier', keyIdentifier),
+        ];
+        return cb(null, response);
+    }
+
+    routeDestroy(request, cb) {
+        const keyIdentifier = (
+            request.lookup(
+                'Request Message/Batch Item/Request Payload/' +
+                    'Unique Identifier') || [undefined])[0];
+        assert(!this.managedKeys[keyIdentifier].activationDate);
+        this.managedKeys[keyIdentifier] = null;
+        const response = [
+            this.KMIP.TextString('Unique Identifier', keyIdentifier),
+        ];
+        return cb(null, response);
+    }
+}
+
+module.exports = LoopbackServerChannel;

tests/utils/kmip/badTtlvFixtures.js

@@ -0,0 +1,127 @@
+'use strict'; // eslint-disable-line strict
+
+module.exports = [
+
+    /* Invalid type */
+
+    Buffer.from('2100000000000000', 'hex'),
+    Buffer.from('2100000b00000000', 'hex'),
+
+    /* Structure */
+    // too short
+    Buffer.from('42', 'hex'),
+    Buffer.from('4200', 'hex'),
+    Buffer.from('420078', 'hex'),
+    Buffer.from('42007801', 'hex'),
+    Buffer.from('4200780100', 'hex'),
+    Buffer.from('420078010000', 'hex'),
+    Buffer.from('4200780100000001', 'hex'),
+    Buffer.from('420078010000000100', 'hex'),
+    Buffer.from('4200780100000008', 'hex'),
+    Buffer.from('420078010000000800', 'hex'),
+    Buffer.from('42007801000000080000', 'hex'),
+    Buffer.from('4200780100000008000000', 'hex'),
+    Buffer.from('420078010000000800000000', 'hex'),
+    Buffer.from('4200780100000010', 'hex'),
+
+    /* Integer */
+    // too short
+    Buffer.from('4200780200000004', 'hex'),
+    Buffer.from('420078020000000400', 'hex'),
+    Buffer.from('42007802000000040000', 'hex'),
+    Buffer.from('4200780200000004000000', 'hex'),
+    // invalid length for the type
+    Buffer.from('42007802000000080000000000000000', 'hex'),
+    Buffer.from('42007802000000020000000000000000', 'hex'),
+    Buffer.from('42007802000000000000000000000000', 'hex'),
+
+    /* Long Integer */
+    // too short
+    Buffer.from('4200780300000008', 'hex'),
+    Buffer.from('420078030000000810', 'hex'),
+    Buffer.from('42007803000000081000', 'hex'),
+    Buffer.from('4200780300000008100000', 'hex'),
+    Buffer.from('420078030000000810000000', 'hex'),
+    Buffer.from('42007803000000081000000000', 'hex'),
+    Buffer.from('4200780300000008100000000000', 'hex'),
+    Buffer.from('420078030000000810000000000000', 'hex'),
+    // 53bit overflow
+    Buffer.from('42007803000000081000000000000000', 'hex'),
+    Buffer.from('4200780300000008ffffffffffffffff', 'hex'),
+    // invalid length for the type
+    Buffer.from('420078030000000400000001', 'hex'),
+    Buffer.from('42007803000000100000000000000000100000000000000000', 'hex'),
+
+    /* Big Integer */
+    // too short
+    Buffer.from('4200780400000001', 'hex'),
+    Buffer.from('420078040000000200', 'hex'),
+
+    /* Enumeration */
+    // too short
+    Buffer.from('4200740500000004', 'hex'),
+    Buffer.from('4200740500000004000000', 'hex'),
+    // invalid length for the type
+    Buffer.from('42007405000000020000', 'hex'),
+    Buffer.from('4200740500000006000000000000', 'hex'),
+    // non existing tag and enum value with invalid length
+    Buffer.from('45007405000000020000', 'hex'),
+    Buffer.from('4500740500000006000000000000', 'hex'),
+
+    /* Boolean */
+    // too short
+    Buffer.from('4200740600000008', 'hex'),
+    Buffer.from('420074060000000800', 'hex'),
+    Buffer.from('42007406000000080000', 'hex'),
+    Buffer.from('4200740600000008000000', 'hex'),
+    Buffer.from('420074060000000800000000', 'hex'),
+    Buffer.from('42007406000000080000000000', 'hex'),
+    Buffer.from('4200740600000008000000000000', 'hex'),
+    // invalid length
+    Buffer.from('420074060000000400000000', 'hex'),
+    Buffer.from('420074060000001000000000000000000000000000000000', 'hex'),
+
+    /* TextString */
+    // too short
+    Buffer.from('4200740700000008', 'hex'),
+    Buffer.from('420074070000000800', 'hex'),
+    Buffer.from('42007407000000080000', 'hex'),
+    Buffer.from('4200740700000008000000', 'hex'),
+    Buffer.from('420074070000000800000000', 'hex'),
+    Buffer.from('42007407000000080000000000', 'hex'),
+    Buffer.from('4200740700000008000000000000', 'hex'),
+
+    /* ByteString */
+    // too short
+    Buffer.from('4200740800000008', 'hex'),
+    Buffer.from('420074080000000800', 'hex'),
+    Buffer.from('42007408000000080000', 'hex'),
+    Buffer.from('4200740800000008000000', 'hex'),
+    Buffer.from('420074080000000800000000', 'hex'),
+    Buffer.from('42007408000000080000000000', 'hex'),
+    Buffer.from('4200740800000008000000000000', 'hex'),
+
+    /* Date-Time */
+    // too short
+    Buffer.from('4200740900000008', 'hex'),
+    Buffer.from('420074090000000800', 'hex'),
+    Buffer.from('42007409000000080000', 'hex'),
+    Buffer.from('4200740900000008000000', 'hex'),
+    Buffer.from('420074090000000800000000', 'hex'),
+    Buffer.from('42007409000000080000000000', 'hex'),
+    Buffer.from('4200740900000008000000000000', 'hex'),
+    // invalid length
+    Buffer.from('420074090000000400000000', 'hex'),
+    Buffer.from('420074090000001000000000000000000000000000000000', 'hex'),
+
+    /* Interval */
+    // too short
+    Buffer.from('4200780a00000004', 'hex'),
+    Buffer.from('4200780a0000000400', 'hex'),
+    Buffer.from('4200780a000000040000', 'hex'),
+    Buffer.from('4200780a00000004000000', 'hex'),
+    // invalid length for the type
+    Buffer.from('4200780a000000080000000000000000', 'hex'),
+    Buffer.from('4200780a000000020000000000000000', 'hex'),
+    Buffer.from('4200780a000000000000000000000000', 'hex'),
+];

tests/utils/kmip/ersatz.js

@@ -0,0 +1,125 @@
+'use strict'; // eslint-disable-line
+/* eslint new-cap: "off" */
+
+
+const logger = {
+    info: () => {},
+    debug: () => {},
+    warn: () => {},
+    error: () => {},
+};
+
+/* Fake tls AND socket objects, duck type */
+class EchoChannel {
+    constructor() {
+        this.clogged = false;
+        this.eventHandler = {};
+        this.deferedSignal = {};
+    }
+
+    /* tls object members substitutes */
+
+    connect(port, options, cb) {
+        process.nextTick(cb);
+        return this;
+    }
+
+    on(event, cb) {
+        this.eventHandler[event] = cb;
+        if (this.deferedSignal[event] &&
+            this.deferedSignal[event].length > 0) {
+            this.deferedSignal[event].forEach(this.eventHandler[event]);
+            this.deferedSignal[event] = undefined;
+        }
+        return this;
+    }
+
+    /* socket object members substitutes */
+
+    cork() {
+        return this;
+    }
+
+    uncork() {
+        return this;
+    }
+
+    write(data) {
+        if (!this.clogged) {
+            return this.emit('data', data);
+        }
+        return this;
+    }
+
+    end() {
+        return this.emit('end');
+    }
+
+    /* Instrumentation member functions */
+
+    emit(event, data) {
+        if (this.eventHandler[event]) {
+            this.eventHandler[event](data);
+        } else {
+            if (!this.deferedSignal[event]) {
+                this.deferedSignal[event] = [];
+            }
+            this.deferedSignal[event].push(data);
+        }
+        return this;
+    }
+
+    clog() {
+        this.clogged = true;
+        return this;
+    }
+
+}
+
+class MirrorChannel extends EchoChannel {
+    constructor(KMIPClass, Codec) {
+        super();
+        this.codec = new Codec({});
+        this.KMIP = KMIPClass;
+    }
+    write(data) {
+        const request = this.codec.decode(logger, data);
+        const uniqueBatchItemID = request.lookup(
+            'Request Message/Batch Item/Unique Batch Item ID')[0];
+        const requestPayload = request.lookup(
+            'Request Message/Batch Item/Request Payload')[0];
+        const requestProtocolVersionMinor = request.lookup(
+            'Request Message/Request Header/Protocol Version/' +
+                'Protocol Version Minor')[0];
+        const requestProtocolVersionMajor = request.lookup(
+            'Request Message/Request Header/Protocol Version/' +
+                'Protocol Version Major')[0];
+        const requestOperation = request.lookup(
+            'Request Message/Batch Item/Operation')[0];
+        const response = this.KMIP.Message([
+            this.KMIP.Structure('Response Message', [
+                this.KMIP.Structure('Response Header', [
+                    this.KMIP.Structure('Protocol Version', [
+                        this.KMIP.Integer('Protocol Version Major',
+                                          requestProtocolVersionMajor),
+                        this.KMIP.Integer('Protocol Version Minor',
+                                          requestProtocolVersionMinor),
+                    ]),
+                    this.KMIP.DateTime('Time Stamp', new Date),
+                    this.KMIP.Integer('Batch Count', 1),
+                ]),
+                this.KMIP.Structure('Batch Item', [
+                    this.KMIP.Enumeration('Operation', requestOperation),
+                    this.KMIP.ByteString('Unique Batch Item ID',
+                                         uniqueBatchItemID),
+                    this.KMIP.Enumeration('Result Status', 'Success'),
+                    this.KMIP.Structure('Response Payload', requestPayload),
+                ]),
+            ]),
+        ]);
+        super.write(this.codec.encode(response));
+        return this;
+    }
+}
+
+module.exports = { logger, EchoChannel, MirrorChannel };

tests/utils/kmip/lowlevelFixtures.js

@@ -0,0 +1,82 @@
+'use strict'; // eslint-disable-line strict
+/* eslint new-cap: "off" */
+
+const KMIP = require('../../../lib/network/kmip');
+
+module.exports = [
+    {
+        operation: 'Query',
+        payload: () => [
+            KMIP.Enumeration('Query Function', 'Query Operations'),
+            KMIP.Enumeration('Query Function', 'Query Objects'),
+        ],
+    },
+    {
+        operation: 'Query',
+        payload: () => [
+            KMIP.Enumeration('Query Function', 'Query Operations'),
+            KMIP.Enumeration('Query Function', 'Query Objects'),
+            KMIP.Enumeration('Query Function',
+                             'Query Server Information'),
+            KMIP.Enumeration('Query Function', 'Query Profiles'),
+            KMIP.Enumeration('Query Function', 'Query Capabilities'),
+            KMIP.Enumeration('Query Function',
+                             'Query Application Namespaces'),
+            KMIP.Enumeration('Query Function', 'Query Extension List'),
+            KMIP.Enumeration('Query Function', 'Query Extension Map'),
+            KMIP.Enumeration('Query Function',
+                             'Query Attestation Types'),
+            KMIP.Enumeration('Query Function', 'Query RNGs'),
+            KMIP.Enumeration('Query Function', 'Query Validations'),
+            KMIP.Enumeration('Query Function',
+                             'Query Client Registration Methods'),
+        ],
+    },
+    {
+        operation: 'Discover Versions',
+        payload: () => [
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 2),
+                KMIP.Integer('Protocol Version Minor', 0),
+            ]),
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 1),
+                KMIP.Integer('Protocol Version Minor', 4),
+            ]),
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 1),
+                KMIP.Integer('Protocol Version Minor', 3),
+            ]),
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 1),
+                KMIP.Integer('Protocol Version Minor', 2),
+            ]),
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 1),
+                KMIP.Integer('Protocol Version Minor', 1),
+            ]),
+            KMIP.Structure('Protocol Version', [
+                KMIP.Integer('Protocol Version Major', 1),
+                KMIP.Integer('Protocol Version Minor', 0),
+            ]),
+        ],
+    },
+    {
+        operation: 'Create',
+        payload: kmip => [
+            KMIP.Enumeration('Object Type', 'Symmetric Key'),
+            KMIP.Structure('Template-Attribute', [
+                KMIP.Attribute('TextString', 'x-Name', 's3-thekey'),
+                KMIP.Attribute('Enumeration', 'Cryptographic Algorithm',
+                               'AES'),
+                KMIP.Attribute('Integer', 'Cryptographic Length', 256),
+                KMIP.Attribute('Integer', 'Cryptographic Usage Mask',
+                               kmip.encodeMask(
+                                   'Cryptographic Usage Mask',
+                                   ['Encrypt', 'Decrypt'])),
+                KMIP.Attribute('Date-Time', 'Activation Date',
+                               new Date),
+            ]),
+        ],
+    },
+];

tests/utils/kmip/messageFixtures.js

@@ -0,0 +1,120 @@
+'use strict'; // eslint-disable-line strict
+/* eslint new-cap: "off" */
+
+const TTLVCodec = require('../../../lib/network/kmip/codec/ttlv.js');
+const KMIP = require('../../../lib/network/kmip');
+
+const kmip = new KMIP(TTLVCodec,
+                      class DummyTransport {},
+                      { kmip: {} }, () => {});
+
+module.exports = [
+    KMIP.Message([
+        KMIP.Structure('Request Message', [
+            KMIP.Structure('Request Header', [
+                KMIP.Structure('Protocol Version', [
+                    KMIP.Integer('Protocol Version Major', 1),
+                    KMIP.Integer('Protocol Version Minor', 3),
+                ]),
+                KMIP.Integer('Maximum Response Size', 256),
+                KMIP.Integer('Batch Count', 1),
+            ]),
+            KMIP.Structure('Batch Item', [
+                KMIP.Enumeration('Operation', 'Query'),
+                KMIP.Structure('Request Payload', [
+                    KMIP.Enumeration('Query Function', 'Query Operations'),
+                    KMIP.Enumeration('Query Function', 'Query Objects'),
+                ]),
+            ]),
+        ]),
+    ]),
+    KMIP.Message([
+        KMIP.Structure('Request Message', [
+            KMIP.Structure('Request Header', [
+                KMIP.Structure('Protocol Version', [
+                    KMIP.Integer('Protocol Version Major', 1),
+                    KMIP.Integer('Protocol Version Minor', 2),
+                ]),
+                KMIP.Integer('Maximum Response Size', 2048),
+                KMIP.Boolean('Asynchronous Indicator', false),
+                KMIP.Integer('Batch Count', 3),
+                KMIP.ByteString('Asynchronous Correlation Value',
+                                Buffer.from('Arrggg...', 'utf8')),
+            ]),
+            KMIP.Structure('Batch Item', [
+                KMIP.Enumeration('Operation', 'Query'),
+                KMIP.ByteString('Unique Batch Item ID',
+                                Buffer.from('foo', 'utf8')),
+                KMIP.Structure('Request Payload', [
+                    KMIP.Enumeration('Query Function', 'Query Operations'),
+                    KMIP.Enumeration('Query Function', 'Query Objects'),
+                    KMIP.Enumeration('Query Function',
+                                     'Query Server Information'),
+                    KMIP.Enumeration('Query Function', 'Query Profiles'),
+                    KMIP.Enumeration('Query Function', 'Query Capabilities'),
+                    KMIP.Enumeration('Query Function',
+                                     'Query Application Namespaces'),
+                    KMIP.Enumeration('Query Function', 'Query Extension List'),
+                    KMIP.Enumeration('Query Function', 'Query Extension Map'),
+                    KMIP.Enumeration('Query Function',
+                                     'Query Attestation Types'),
+                    KMIP.Enumeration('Query Function', 'Query RNGs'),
+                    KMIP.Enumeration('Query Function', 'Query Validations'),
+                    KMIP.Enumeration('Query Function',
+                                     'Query Client Registration Methods'),
+                ]),
+            ]),
+            KMIP.Structure('Batch Item', [
+                KMIP.Enumeration('Operation', 'Discover Versions'),
+                KMIP.ByteString('Unique Batch Item ID',
+                                Buffer.from('bar', 'utf8')),
+                KMIP.Structure('Request Payload', [
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major', 2),
+                        KMIP.Integer('Protocol Version Minor', 0),
+                    ]),
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major', 1),
+                        KMIP.Integer('Protocol Version Minor', 4),
+                    ]),
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major', 1),
+                        KMIP.Integer('Protocol Version Minor', 3),
+                    ]),
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major', 1),
+                        KMIP.Integer('Protocol Version Minor', 2),
+                    ]),
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major', 1),
+                        KMIP.Integer('Protocol Version Minor', 1),
+                    ]),
+                    KMIP.Structure('Protocol Version', [
+                        KMIP.Integer('Protocol Version Major', 1),
+                        KMIP.Integer('Protocol Version Minor', 0),
+                    ]),
+                ]),
+            ]),
+            KMIP.Structure('Batch Item', [
+                KMIP.Enumeration('Operation', 'Create'),
+                KMIP.ByteString('Unique Batch Item ID',
+                                Buffer.from('baz', 'utf8')),
+                KMIP.Structure('Request Payload', [
+                    KMIP.Enumeration('Object Type', 'Symmetric Key'),
+                    KMIP.Structure('Template-Attribute', [
+                        KMIP.Attribute('TextString', 'x-Name', 's3-thekey'),
+                        KMIP.Attribute('Enumeration', 'Cryptographic Algorithm',
+                                       'AES'),
+                        KMIP.Attribute('Integer', 'Cryptographic Length', 256),
+                        KMIP.Attribute('Integer', 'Cryptographic Usage Mask',
+                                       kmip.encodeMask(
+                                           'Cryptographic Usage Mask',
+                                           ['Encrypt', 'Decrypt'])),
+                        KMIP.Attribute('Date-Time', 'Activation Date',
+                                       new Date),
+                    ]),
+                ]),
+            ]),
+        ]),
+    ]),
+];

tests/utils/kmip/ttlvFixtures.js

@@ -0,0 +1,247 @@
+'use strict'; // eslint-disable-line strict
+
+module.exports = [
+    {
+        request: Buffer.from('42007801000000904200770100000048' +
+                             '420069010000002042006a0200000004' +
+                             '000000010000000042006b0200000004' +
+                             '00000003000000004200500200000004' +
+                             '000001000000000042000d0200000004' +
+                             '000000010000000042000f0100000038' +
+                             '42005c05000000040000001800000000' +
+                             '42007901000000204200740500000004' +
+                             '00000001000000004200740500000004' +
+                             '0000000200000000', 'hex'),
+        response: Buffer.from('42007b01000000a042007a0100000048' +
+                              '420069010000002042006a0200000004' +
+                              '000000010000000042006b0200000004' +
+                              '00000003000000004200920900000008' +
+                              '00000000568a5be242000d0200000004' +
+                              '000000010000000042000f0100000048' +
+                              '42005c05000000040000001800000000' +
+                              '42007f05000000040000000100000000' +
+                              '42007e05000000040000000200000000' +
+                              '42007d0700000009544f4f5f4c415247' +
+                              '4500000000000000', 'hex'),
+    },
+    {
+        request: Buffer.from('42007801000000904200770100000048' +
+                             '420069010000002042006a0200000004' +
+                             '000000010000000042006b0200000004' +
+                             '00000003000000004200500200000004' +
+                             '000008000000000042000d0200000004' +
+                             '000000010000000042000f0100000038' +
+                             '42005c05000000040000001800000000' +
+                             '42007901000000204200740500000004' +
+                             '00000001000000004200740500000004' +
+                             '0000000200000000', 'hex'),
+        response: Buffer.from('42007b010000038042007a0100000048' +
+                              '420069010000002042006a0200000004' +
+                              '000000010000000042006b0200000004' +
+                              '00000003000000004200920900000008' +
+                              '00000000568a5be242000d0200000004' +
+                              '000000010000000042000f0100000328' +
+                              '42005c05000000040000001800000000' +
+                              '42007f05000000040000000000000000' +
+                              '42007c010000030042005c0500000004' +
+                              '000000180000000042005c0500000004' +
+                              '000000080000000042005c0500000004' +
+                              '000000140000000042005c0500000004' +
+                              '0000000a0000000042005c0500000004' +
+                              '000000010000000042005c0500000004' +
+                              '000000030000000042005c0500000004' +
+                              '0000000b0000000042005c0500000004' +
+                              '0000000c0000000042005c0500000004' +
+                              '0000000d0000000042005c0500000004' +
+                              '0000000e0000000042005c0500000004' +
+                              '0000000f0000000042005c0500000004' +
+                              '000000120000000042005c0500000004' +
+                              '000000130000000042005c0500000004' +
+                              '0000001a0000000042005c0500000004' +
+                              '000000190000000042005c0500000004' +
+                              '000000090000000042005c0500000004' +
+                              '000000110000000042005c0500000004' +
+                              '000000020000000042005c0500000004' +
+                              '000000040000000042005c0500000004' +
+                              '000000150000000042005c0500000004' +
+                              '000000160000000042005c0500000004' +
+                              '000000100000000042005c0500000004' +
+                              '0000001d0000000042005c0500000004' +
+                              '000000060000000042005c0500000004' +
+                              '000000070000000042005c0500000004' +
+                              '0000001e0000000042005c0500000004' +
+                              '0000001b0000000042005c0500000004' +
+                              '0000001c0000000042005c0500000004' +
+                              '000000250000000042005c0500000004' +
+                              '000000260000000042005c0500000004' +
+                              '0000001f0000000042005c0500000004' +
+                              '000000200000000042005c0500000004' +
+                              '000000210000000042005c0500000004' +
+                              '000000220000000042005c0500000004' +
+                              '000000230000000042005c0500000004' +
+                              '000000240000000042005c0500000004' +
+                              '000000270000000042005c0500000004' +
+                              '000000280000000042005c0500000004' +
+                              '00000029000000004200570500000004' +
+                              '00000001000000004200570500000004' +
+                              '00000002000000004200570500000004' +
+                              '00000007000000004200570500000004' +
+                              '00000003000000004200570500000004' +
+                              '00000004000000004200570500000004' +
+                              '00000006000000004200570500000004' +
+                              '00000008000000004200570500000004' +
+                              '00000005000000004200570500000004' +
+                              '0000000900000000', 'hex'),
+    },
+    {
+        request: Buffer.from('42007801000000d04200770100000048' +
+                             '420069010000002042006a0200000004' +
+                             '000000010000000042006b0200000004' +
+                             '00000003000000004200500200000004' +
+                             '000008000000000042000d0200000004' +
+                             '000000020000000042000f0100000048' +
+                             '4200930800000003666f6f0000000000' +
+                             '42005c05000000040000001800000000' +
+                             '42007901000000204200740500000004' +
+                             '00000001000000004200740500000004' +
+                             '000000020000000042000f0100000028' +
+                             '42005c05000000040000001800000000' +
+                             '42007901000000104200740500000004' +
+                             '0000000300000000', 'hex'),
+        response: Buffer.from('42007b010000028042007a0100000048' +
+                              '420069010000002042006a0200000004' +
+                              '000000010000000042006b0200000004' +
+                              '00000003000000004200920900000008' +
+                              '000000005c2d3df242000d0200000004' +
+                              '000000020000000042000f0100000188' +
+                              '42005c05000000040000001800000000' +
+                              '4200930800000003666f6f0000000000' +
+                              '42007f05000000040000000000000000' +
+                              '42007c010000015042005c0500000004' +
+                              '000000010000000042005c0500000004' +
+                              '000000020000000042005c0500000004' +
+                              '000000030000000042005c0500000004' +
+                              '000000080000000042005c0500000004' +
+                              '0000000a0000000042005c0500000004' +
+                              '0000000b0000000042005c0500000004' +
+                              '0000000c0000000042005c0500000004' +
+                              '0000000d0000000042005c0500000004' +
+                              '0000000e0000000042005c0500000004' +
+                              '0000000f0000000042005c0500000004' +
+                              '000000120000000042005c0500000004' +
+                              '000000130000000042005c0500000004' +
+                              '000000140000000042005c0500000004' +
+                              '000000180000000042005c0500000004' +
+                              '0000001e000000004200570500000004' +
+                              '00000001000000004200570500000004' +
+                              '00000002000000004200570500000004' +
+                              '00000003000000004200570500000004' +
+                              '00000004000000004200570500000004' +
+                              '00000006000000004200570500000004' +
+                              '000000070000000042000f0100000098' +
+                              '42005c05000000040000001800000000' +
+                              '42009308000000036261720000000000' +
+                              '42007f05000000040000000000000000' +
+                              '42007c010000006042009d070000000c' +
+                              '4b4b4b4b4b4b4b4b4b4b4b4b00000000' +
+                              '4200880100000040420088070000000d' +
+                              '4b4b4b4b4b4b4b4b4b4b4b4b4b000000' +
+                              '420088070000000c4b4b4b4b4b4b4b4b' +
+                              '4b4b4b4b000000004200880700000005' +
+                              '4b4b4b4b4b000000', 'hex'),
+    },
+    {
+        request: Buffer.from('', 'hex'),
+        response: Buffer.from('', 'hex'),
+    },
+    {
+        request: Buffer.from('4200780100000000', 'hex'),
+        response: Buffer.from('4200780100000000', 'hex'),
+    },
+    {
+        /* Valid message with unknown tag */
+        request: Buffer.from('56000002000000040000000100000000', 'hex'),
+        response: Buffer.from('56000006000000080000000000000001', 'hex'),
+        degenerated: true,
+    },
+    {
+        /* Valid message with unknown enum */
+        /* on a non-enumeration tag */
+        request: Buffer.from('42007805000000040000000100000000', 'hex'),
+        /* on an enumeration tag */
+        response: Buffer.from('42007405000000040000000000000000', 'hex'),
+        degenerated: true,
+    },
+    {
+        /* padding is missing at the end of the message */
+        request: Buffer.from('42000f080000000400000001', 'hex'),
+        response: Buffer.from('42000f0a0000000400000001', 'hex'),
+        degenerated: true,
+    },
+    {
+        request: Buffer.from('42000f08000000040000000100000000', 'hex'),
+        response: Buffer.from('42000f0a000000040000000100000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        /* chained message, shouldn't happen but validate the structure loop */
+        request: Buffer.from('42000f08000000040000000100000000' +
+                             '42000f08000000040000000100000000' +
+                             '42000f08000000040000000100000000' +
+                             '42000f08000000040000000100000000'
+                             , 'hex'),
+        response: Buffer.from('42000f0a000000040000000100000000' +
+                              '42000f0a000000040000000100000000' +
+                              '42000f0a000000040000000100000000' +
+                              '42000f0a000000040000000100000000'
+                              , 'hex'),
+        degenerated: false,
+    },
+    {
+        /* zero-length payload */
+        request: Buffer.from('4200780400000000', 'hex'),
+        response: Buffer.from('4200780400000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        /* no padding */
+        request: Buffer.from('420078040000000100', 'hex'),
+        response: Buffer.from('420078040000000100', 'hex'),
+        degenerated: true,
+    },
+    {
+        request: Buffer.from('42007406000000080000000000000001', 'hex'),
+        response: Buffer.from('42007406000000080000000000000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        request: Buffer.from('42007406000000081111111111111111', 'hex'),
+        response: Buffer.from('42007406000000080101010101010101', 'hex'),
+        degenerated: true,
+    },
+    {
+        request: Buffer.from('4200740700000000', 'hex'),
+        response: Buffer.from('42007407000000010100000000000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        request: Buffer.from('42007407000000010000000000000000', 'hex'),
+        response: Buffer.from('42007407000000020100000000000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        request: Buffer.from('4200740800000000', 'hex'),
+        response: Buffer.from('42007408000000010100000000000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        request: Buffer.from('42007408000000010000000000000000', 'hex'),
+        response: Buffer.from('42007408000000020100000000000000', 'hex'),
+        degenerated: false,
+    },
+    {
+        request: Buffer.from('42007409000000080000000000000001', 'hex'),
+        response: Buffer.from('42007409000000080000000000000000', 'hex'),
+        degenerated: false,
+    },
+];

yarn.lock

@@ -39,20 +39,42 @@
   dependencies:
     "@hapi/hoek" "8.x.x"
 
-"@sinonjs/commons@^1.7.0":
-  version "1.8.0"
-  resolved "https://registry.yarnpkg.com/@sinonjs/commons/-/commons-1.8.0.tgz#c8d68821a854c555bba172f3b06959a0039b236d"
-  integrity sha512-wEj54PfsZ5jGSwMX68G8ZXFawcSglQSXqCftWX3ec8MDUzQdHgcKvw97awHbY0efQEL5iKUOAmmVtoYgmrSG4Q==
+"@sinonjs/commons@^1", "@sinonjs/commons@^1.6.0", "@sinonjs/commons@^1.7.0", "@sinonjs/commons@^1.7.2":
+  version "1.7.2"
+  resolved "https://registry.yarnpkg.com/@sinonjs/commons/-/commons-1.7.2.tgz#505f55c74e0272b43f6c52d81946bed7058fc0e2"
+  integrity sha512-+DUO6pnp3udV/v2VfUWgaY5BIE1IfT7lLfeDzPVeMT1XKkaAp9LgSI9x5RtrFQoZ9Oi0PgXQQHPaoKu7dCjVxw==
   dependencies:
     type-detect "4.0.8"
 
-"@sinonjs/fake-timers@^6.0.1":
+"@sinonjs/fake-timers@^6.0.0", "@sinonjs/fake-timers@^6.0.1":
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/@sinonjs/fake-timers/-/fake-timers-6.0.1.tgz#293674fccb3262ac782c7aadfdeca86b10c75c40"
   integrity sha512-MZPUxrmFubI36XS1DI3qmI0YdN1gks62JtFZvxR67ljjSNCeK6U08Zx4msEWOXuofgqUt6zPHSi1H9fbjR/NRA==
   dependencies:
     "@sinonjs/commons" "^1.7.0"
 
+"@sinonjs/formatio@^5.0.1":
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/@sinonjs/formatio/-/formatio-5.0.1.tgz#f13e713cb3313b1ab965901b01b0828ea6b77089"
+  integrity sha512-KaiQ5pBf1MpS09MuA0kp6KBQt2JUOQycqVG1NZXvzeaXe5LGFqAKueIS0bw4w0P9r7KuBSVdUk5QjXsUdu2CxQ==
+  dependencies:
+    "@sinonjs/commons" "^1"
+    "@sinonjs/samsam" "^5.0.2"
+
+"@sinonjs/samsam@^5.0.2", "@sinonjs/samsam@^5.0.3":
+  version "5.0.3"
+  resolved "https://registry.yarnpkg.com/@sinonjs/samsam/-/samsam-5.0.3.tgz#86f21bdb3d52480faf0892a480c9906aa5a52938"
+  integrity sha512-QucHkc2uMJ0pFGjJUDP3F9dq5dx8QIaqISl9QgwLOh6P9yv877uONPGXh/OH/0zmM3tW1JjuJltAZV2l7zU+uQ==
+  dependencies:
+    "@sinonjs/commons" "^1.6.0"
+    lodash.get "^4.4.2"
+    type-detect "^4.0.8"
+
+"@sinonjs/text-encoding@^0.7.1":
+  version "0.7.1"
+  resolved "https://registry.yarnpkg.com/@sinonjs/text-encoding/-/text-encoding-0.7.1.tgz#8da5c6530915653f3a1f38fd5f101d8c3f8079c5"
+  integrity sha512-+iTbntw2IZPb/anVDbypzfQa+ay64MW0Zo8aJ8gZPWMMK6/OubMVb6lUPMagqjOPnmtauXnFCACVl3O7ogjeqQ==
+
 JSONStream@^1.0.0:
   version "1.3.5"
   resolved "https://registry.yarnpkg.com/JSONStream/-/JSONStream-1.3.5.tgz#3208c1f08d3a4d99261ab64f92302bc15e111ca0"
@@ -468,6 +490,11 @@ diff@1.4.0:
   resolved "https://registry.yarnpkg.com/diff/-/diff-1.4.0.tgz#7f28d2eb9ee7b15a97efd89ce63dcfdaa3ccbabf"
   integrity sha1-fyjS657nsVqX79ic5j3P2qPMur8=
 
+diff@^4.0.2:
+  version "4.0.2"
+  resolved "https://registry.yarnpkg.com/diff/-/diff-4.0.2.tgz#60f3aecb89d5fae520c11aa19efc2bb982aade7d"
+  integrity sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==
+
 diskusage@^1.1.1:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/diskusage/-/diskusage-1.1.3.tgz#680d7dbf1b679168a195c9240eb3552cbd2c067b"
@@ -822,7 +849,7 @@ glob@3.2.11:
     inherits "2"
     minimatch "0.3"
 
-glob@^7.0.3, glob@^7.1.2, glob@^7.1.3:
+glob@^7.0.3, glob@^7.1.2:
   version "7.1.6"
   resolved "https://registry.yarnpkg.com/glob/-/glob-7.1.6.tgz#141f33b81a7c2492e125594307480c46679278a6"
   integrity sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==
@@ -834,6 +861,18 @@ glob@^7.0.3, glob@^7.1.2, glob@^7.1.3:
     once "^1.3.0"
     path-is-absolute "^1.0.0"
 
+glob@^7.1.3:
+  version "7.1.4"
+  resolved "https://registry.yarnpkg.com/glob/-/glob-7.1.4.tgz#aa608a2f6c577ad357e1ae5a5c26d9a8d1969255"
+  integrity sha512-hkLPepehmnKk41pUGm3sYxoFs/umurYfYJCerbXEyFIWcAzvpipAgVkBqqT9RBKMGjnq6kMuyYwha6csxbiM1A==
+  dependencies:
+    fs.realpath "^1.0.0"
+    inflight "^1.0.4"
+    inherits "2"
+    minimatch "^3.0.4"
+    once "^1.3.0"
+    path-is-absolute "^1.0.0"
+
 globals@^9.2.0:
   version "9.18.0"
   resolved "https://registry.yarnpkg.com/globals/-/globals-9.18.0.tgz#aa3896b3e69b487f17e31ed2143d69a8e30c2d8a"
@@ -868,6 +907,11 @@ has-cors@1.1.0:
   resolved "https://registry.yarnpkg.com/has-cors/-/has-cors-1.1.0.tgz#5e474793f7ea9843d1bb99c23eef49ff126fff39"
   integrity sha1-XkdHk/fqmEPRu5nCPu9J/xJv/zk=
 
+has-flag@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-4.0.0.tgz#944771fd9c81c81265c4d6941860da06bb59479b"
+  integrity sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==
+
 humanize-ms@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/humanize-ms/-/humanize-ms-1.2.1.tgz#c46e3159a293f6b896da29316d8b6fe8bb79bbed"
@@ -1056,6 +1100,11 @@ jsonpointer@^4.0.0:
   resolved "https://registry.yarnpkg.com/jsonpointer/-/jsonpointer-4.0.1.tgz#4fd92cb34e0e9db3c89c8622ecf51f9b978c6cb9"
   integrity sha1-T9kss04OnbPInIYi7PUfm5eMbLk=
 
+just-extend@^4.0.2:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/just-extend/-/just-extend-4.1.0.tgz#7278a4027d889601640ee0ce0e5a00b992467da4"
+  integrity sha512-ApcjaOdVTJ7y4r08xI5wIqpvwS48Q0PBG4DJROcEkH1f8MdAiNFyFxz3xoL0LWAVwjrwPYZdVHHxhRHcx/uGLA==
+
 keypress@0.1.x:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/keypress/-/keypress-0.1.0.tgz#4a3188d4291b66b4f65edb99f806aa9ae293592a"
@@ -1199,6 +1248,11 @@ lodash.flatten@^4.4.0:
   resolved "https://registry.yarnpkg.com/lodash.flatten/-/lodash.flatten-4.4.0.tgz#f31c22225a9632d2bbf8e4addbef240aa765a61f"
   integrity sha1-8xwiIlqWMtK7+OSt2+8kCqdlph8=
 
+lodash.get@^4.4.2:
+  version "4.4.2"
+  resolved "https://registry.yarnpkg.com/lodash.get/-/lodash.get-4.4.2.tgz#2d177f652fa31e939b4438d5341499dfa3825e99"
+  integrity sha1-LRd/ZS+jHpObRDjVNBSZ36OCXpk=
+
 lodash.union@^4.6.0:
   version "4.6.0"
   resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
@@ -1374,6 +1428,17 @@ next-tick@~1.0.0:
   resolved "https://registry.yarnpkg.com/next-tick/-/next-tick-1.0.0.tgz#ca86d1fe8828169b0120208e3dc8424b9db8342c"
   integrity sha1-yobR/ogoFpsBICCOPchCS524NCw=
 
+nise@^4.0.1:
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/nise/-/nise-4.0.3.tgz#9f79ff02fa002ed5ffbc538ad58518fa011dc913"
+  integrity sha512-EGlhjm7/4KvmmE6B/UFsKh7eHykRl9VH+au8dduHLCyWUO/hr7+N+WtTvDUwc9zHuM1IaIJs/0lQ6Ag1jDkQSg==
+  dependencies:
+    "@sinonjs/commons" "^1.7.0"
+    "@sinonjs/fake-timers" "^6.0.0"
+    "@sinonjs/text-encoding" "^0.7.1"
+    just-extend "^4.0.2"
+    path-to-regexp "^1.7.0"
+
 node-forge@^0.7.1:
   version "0.7.6"
   resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-0.7.6.tgz#fdf3b418aee1f94f0ef642cd63486c77ca9724ac"
@@ -1457,6 +1522,13 @@ path-is-inside@^1.0.1:
   resolved "https://registry.yarnpkg.com/path-is-inside/-/path-is-inside-1.0.2.tgz#365417dede44430d1c11af61027facf074bdfc53"
   integrity sha1-NlQX3t5EQw0cEa9hAn+s8HS9/FM=
 
+path-to-regexp@^1.7.0:
+  version "1.8.0"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-1.8.0.tgz#887b3ba9d84393e87a0a0b9f4cb756198b53548a"
+  integrity sha512-n43JRhlUKUAlibEJhPeir1ncUID16QnEjNpwzNdO3Lm4ywrBpBZ5oLD0I6br9evr1Y9JTqwRtAh7JLoOzAQdVA==
+  dependencies:
+    isarray "0.0.1"
+
 pluralize@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-1.2.1.tgz#d1a21483fd22bb41e58a12fa3421823140897c45"
@@ -1685,6 +1757,19 @@ simple-glob@^0.2:
     lodash.flatten "^4.4.0"
     lodash.union "^4.6.0"
 
+sinon@^9.0.2:
+  version "9.0.2"
+  resolved "https://registry.yarnpkg.com/sinon/-/sinon-9.0.2.tgz#b9017e24633f4b1c98dfb6e784a5f0509f5fd85d"
+  integrity sha512-0uF8Q/QHkizNUmbK3LRFqx5cpTttEVXudywY9Uwzy8bTfZUhljZ7ARzSxnRHWYWtVTeh4Cw+tTb3iU21FQVO9A==
+  dependencies:
+    "@sinonjs/commons" "^1.7.2"
+    "@sinonjs/fake-timers" "^6.0.1"
+    "@sinonjs/formatio" "^5.0.1"
+    "@sinonjs/samsam" "^5.0.3"
+    diff "^4.0.2"
+    nise "^4.0.1"
+    supports-color "^7.1.0"
+
 slice-ansi@0.0.4:
   version "0.0.4"
   resolved "https://registry.yarnpkg.com/slice-ansi/-/slice-ansi-0.0.4.tgz#edbf8903f66f7ce2f8eafd6ceed65e264c831b35"
@@ -1828,6 +1913,13 @@ supports-color@^2.0.0:
   resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-2.0.0.tgz#535d045ce6b6363fa40117084629995e9df324c7"
   integrity sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=
 
+supports-color@^7.1.0:
+  version "7.1.0"
+  resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-7.1.0.tgz#68e32591df73e25ad1c4b49108a2ec507962bfd1"
+  integrity sha512-oRSIpR8pxT1Wr2FquTNnGet79b3BWljqOuoW/h4oBhxJ/HUbX5nX6JSruTkvXDCFMwDPvsaTTbvMLKZWSy0R5g==
+  dependencies:
+    has-flag "^4.0.0"
+
 table@^3.7.8:
   version "3.8.3"
   resolved "https://registry.yarnpkg.com/table/-/table-3.8.3.tgz#2bbc542f0fda9861a755d3947fefd8b3f513855f"
@@ -1881,7 +1973,7 @@ type-check@~0.3.2:
   dependencies:
     prelude-ls "~1.1.2"
 
-type-detect@4.0.8:
+type-detect@4.0.8, type-detect@^4.0.8:
   version "4.0.8"
   resolved "https://registry.yarnpkg.com/type-detect/-/type-detect-4.0.8.tgz#7646fb5f18871cfbb7749e69bd39a6388eb7450c"
   integrity sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==