CLDSRV-429: get apis updated for implicit deny

…denies

lib/api/api.js

@@ -114,6 +114,7 @@ const api = {
         // no need to check auth on website or cors preflight requests
         if (apiMethod === 'websiteGet' || apiMethod === 'websiteHead' ||
         apiMethod === 'corsPreflight') {
+            request.iamAuthzResults = false;
             return this[apiMethod](request, log, callback);
         }
 
@@ -136,15 +137,25 @@ const api = {
 
         const requestContexts = prepareRequestContexts(apiMethod, request,
             sourceBucket, sourceObject, sourceVersionId);
+        // Extract all the _apiMethods and store them in an array
+        const apiMethods = requestContexts ? requestContexts.map(context => context._apiMethod) : [];
+        // Attach the names to the current request
+        // eslint-disable-next-line no-param-reassign
+        request.apiMethods = apiMethods;
 
         function checkAuthResults(authResults) {
             let returnTagCount = true;
+            const isImplicitDeny = {};
+            let isOnlyImplicitDeny = true;
             if (apiMethod === 'objectGet') {
                 // first item checks s3:GetObject(Version) action
-                if (!authResults[0].isAllowed) {
+                if (!authResults[0].isAllowed && !authResults[0].isImplicit) {
                     log.trace('get object authorization denial from Vault');
                     return errors.AccessDenied;
                 }
+                // TODO add support for returnTagCount in the bucket policy
+                // checks
+                isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
                 // second item checks s3:GetObject(Version)Tagging action
                 if (!authResults[1].isAllowed) {
                     log.trace('get tagging authorization denial ' +
@@ -153,13 +164,25 @@ const api = {
                 }
             } else {
                 for (let i = 0; i < authResults.length; i++) {
-                    if (!authResults[i].isAllowed) {
+                    isImplicitDeny[authResults[i].action] = true;
+                    if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
+                        // Any explicit deny rejects the current API call
                         log.trace('authorization denial from Vault');
                         return errors.AccessDenied;
+                    } else if (authResults[i].isAllowed) {
+                        // If the action is allowed, the result is not implicit
+                        // Deny.
+                        isImplicitDeny[authResults[i].action] = false;
+                        isOnlyImplicitDeny = false;
                     }
                 }
             }
-            return returnTagCount;
+            // These two APIs cannot use ACLs or Bucket Policies, hence, any
+            // implicit deny from vault must be treated as an explicit deny.
+            if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
+                return errors.AccessDenied;
+            }
+            return { returnTagCount, isImplicitDeny };
         }
 
         return async.waterfall([
@@ -237,7 +260,14 @@ const api = {
                 if (checkedResults instanceof Error) {
                     return callback(checkedResults);
                 }
-                returnTagCount = checkedResults;
+                returnTagCount = checkedResults.returnTagCount;
+                request.iamAuthzResults = checkedResults.isImplicitDeny;
+            } else {
+                // create an object of keys apiMethods with all values to false
+                request.iamAuthzResults = apiMethods.reduce((acc, curr) => {
+                    acc[curr] = false;
+                    return acc;
+                }, {});
             }
             if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
                 request._response = response;

lib/api/apiUtils/authorization/permissionChecks.js

@@ -8,13 +8,32 @@ const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
 const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ?
     process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
 
-function checkBucketAcls(bucket, requestType, canonicalID) {
+function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
+    // Same logic applies on the Versioned APIs, so let's simplify it.
+    const requestTypeParsed = requestType.endsWith('Version') ?
+        requestType.slice(0, -7) : requestType;
     if (bucket.getOwner() === canonicalID) {
         return true;
     }
+    // Backward compatibility
+    const arrayOfAllowed = [
+        'objectPutTagging',
+        'objectPutLegalHold',
+        'objectPutRetention',
+    ];
+    if (mainApiCall === 'objectGet') {
+        if (requestTypeParsed === 'objectGetTagging') {
+            return true;
+        }
+    }
+    if (mainApiCall === 'objectPut') {
+        if (arrayOfAllowed.includes(requestTypeParsed)) {
+            return true;
+        }
+    }
 
     const bucketAcl = bucket.getAcl();
-    if (requestType === 'bucketGet' || requestType === 'bucketHead') {
+    if (requestTypeParsed === 'bucketGet' || requestTypeParsed === 'bucketHead') {
         if (bucketAcl.Canned === 'public-read'
             || bucketAcl.Canned === 'public-read-write'
             || (bucketAcl.Canned === 'authenticated-read'
@@ -32,7 +51,7 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
             return true;
         }
     }
-    if (requestType === 'bucketGetACL') {
+    if (requestTypeParsed === 'bucketGetACL') {
         if ((bucketAcl.Canned === 'log-delivery-write'
             && canonicalID === logId)
             || bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
@@ -48,7 +67,7 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
         }
     }
 
-    if (requestType === 'bucketPutACL') {
+    if (requestTypeParsed === 'bucketPutACL') {
         if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
             || bucketAcl.WRITE_ACP.indexOf(canonicalID) > -1) {
             return true;
@@ -62,11 +81,7 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
         }
     }
 
-    if (requestType === 'bucketDelete' && bucket.getOwner() === canonicalID) {
+    if (requestTypeParsed === 'objectDelete' || requestTypeParsed === 'objectPut') {
-        return true;
-    }
-
-    if (requestType === 'objectDelete' || requestType === 'objectPut') {
         if (bucketAcl.Canned === 'public-read-write'
             || bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
             || bucketAcl.WRITE.indexOf(canonicalID) > -1) {
@@ -86,11 +101,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
     // objectPutACL, objectGetACL, objectHead or objectGet, the bucket
     // authorization check should just return true so can move on to check
     // rights at the object level.
-    return (requestType === 'objectPutACL' || requestType === 'objectGetACL' ||
+    return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL' ||
-        requestType === 'objectGet' || requestType === 'objectHead');
+    requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
 }
 
-function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
+function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
+    isUserUnauthenticated, mainApiCall) {
     const bucketOwner = bucket.getOwner();
     // acls don't distinguish between users and accounts, so both should be allowed
     if (bucketOwnerActions.includes(requestType)
@@ -100,6 +116,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
     if (objectMD['owner-id'] === canonicalID) {
         return true;
     }
+
+    // Backward compatibility
+    if (mainApiCall === 'objectGet') {
+        if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
+            && requestType === 'objectGetTagging') {
+            return true;
+        }
+    }
+
     if (!objectMD.acl) {
         return false;
     }
@@ -268,7 +293,26 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
     return permission;
 }
 
-function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request) {
+function isBucketAuthorizedNew(bucket, requestTypes, canonicalID, authInfo, iamAuthzResults, log, request) {
+    if (!Array.isArray(requestTypes)) {
+        // eslint-disable-next-line no-param-reassign
+        requestTypes = [requestTypes];
+    }
+    if (iamAuthzResults === false) {
+        // eslint-disable-next-line no-param-reassign
+        iamAuthzResults = {};
+    }
+    // By default, all missing actions are defined as allowed from IAM, to be
+    // backward compatible
+    requestTypes.forEach(requestType => {
+        if (iamAuthzResults[requestType] === undefined) {
+            // eslint-disable-next-line no-param-reassign
+            iamAuthzResults[requestType] = false;
+        }
+    });
+    const mainApiCall = requestTypes[0];
+    const results = {};
+    requestTypes.forEach(_requestType => {
     // Check to see if user is authorized to perform a
     // particular action on bucket based on ACLs.
     // TODO: Add IAM checks
@@ -280,63 +324,178 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
     }
     // if the bucket owner is an account, users should not have default access
     if ((bucket.getOwner() === canonicalID) && requesterIsNotUser) {
-        return true;
+            results[_requestType] = iamAuthzResults[_requestType] === false;
+            return;
     }
-    const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
+        const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
     const bucketPolicy = bucket.getBucketPolicy();
     if (!bucketPolicy) {
-        return aclPermission;
+            results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
+            return;
     }
-    const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType,
+        const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
         canonicalID, arn, bucket.getOwner(), log, request);
     if (bucketPolicyPermission === 'explicitDeny') {
-        return false;
+            results[_requestType] = false;
+            return;
     }
-    return (aclPermission || (bucketPolicyPermission === 'allow'));
+        // If the bucket policy returns an allow, we accept the request, as the
+        // IAM response here is either Allow or implicit deny.
+        if (bucketPolicyPermission === 'allow') {
+            results[_requestType] = true;
+            return;
+}
+        results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
+    });
+
+    // final result is true if all the results are true
+    return Object.keys(results).every(key => results[key] === true);
 }
 
-function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log, request) {
+function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request) {
+    const iamAuthzResults = {};
+    const result = isBucketAuthorizedNew(bucket, [requestType], canonicalID, authInfo, iamAuthzResults, log, request);
+
+    return result;
+}
+
+function isObjAuthorizedNew(bucket, objectMD, requestTypes, canonicalID, authInfo, iamAuthzResults, log, request) {
+    if (!Array.isArray(requestTypes)) {
+        // eslint-disable-next-line no-param-reassign
+        requestTypes = [requestTypes];
+    }
+    // By default, all missing actions are defined as allowed from IAM, to be
+    // backward compatible
+    if (iamAuthzResults === false) {
+        // eslint-disable-next-line no-param-reassign
+        iamAuthzResults = {};
+    }
+    requestTypes.forEach(requestType => {
+        if (iamAuthzResults[requestType] === undefined) {
+            // eslint-disable-next-line no-param-reassign
+            iamAuthzResults[requestType] = false;
+        }
+    });
+    const results = {};
+    const mainApiCall = requestTypes[0];
+    requestTypes.forEach(_requestType => {
+        const parsedMethodName = _requestType.endsWith('Version') ?
+            _requestType.slice(0, -7) : _requestType;
     const bucketOwner = bucket.getOwner();
     if (!objectMD) {
         // User is already authorized on the bucket for FULL_CONTROL or WRITE or
         // bucket has canned ACL public-read-write
-        if (requestType === 'objectPut' || requestType === 'objectDelete') {
+            if (parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') {
-            return true;
+                results[_requestType] = iamAuthzResults[_requestType] === false;
+                return;
         }
         // check bucket has read access
         // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
-        return isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request);
+            results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, false, log, request);
+            return;
     }
     let requesterIsNotUser = true;
     let arn = null;
+        let isUserUnauthenticated = false;
     if (authInfo) {
         requesterIsNotUser = !authInfo.isRequesterAnIAMUser();
         arn = authInfo.getArn();
+            isUserUnauthenticated = arn === undefined;
     }
     if (objectMD['owner-id'] === canonicalID && requesterIsNotUser) {
-        return true;
+            results[_requestType] = iamAuthzResults[_requestType] === false;
+            return;
     }
     // account is authorized if:
     // - requesttype is included in bucketOwnerActions and
     // - account is the bucket owner
     // - requester is account, not user
-    if (bucketOwnerActions.includes(requestType)
+        if (bucketOwnerActions.includes(parsedMethodName)
         && (bucketOwner === canonicalID)
         && requesterIsNotUser) {
-        return true;
+            results[_requestType] = iamAuthzResults[_requestType] === false;
+            return;
         }
-    const aclPermission = checkObjectAcls(bucket, objectMD, requestType,
+        const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
-        canonicalID);
+            canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall);
         const bucketPolicy = bucket.getBucketPolicy();
         if (!bucketPolicy) {
-        return aclPermission;
+            results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
+            return;
         }
-    const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType,
+        const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
             canonicalID, arn, bucket.getOwner(), log, request);
         if (bucketPolicyPermission === 'explicitDeny') {
-        return false;
+            results[_requestType] = false;
+            return;
         }
-    return (aclPermission || (bucketPolicyPermission === 'allow'));
+        // If the bucket policy returns an allow, we accept the request, as the
+        // IAM response here is either Allow or implicit deny.
+        if (bucketPolicyPermission === 'allow') {
+            results[_requestType] = true;
+            return;
+        }
+        results[_requestType] = iamAuthzResults[_requestType] === false && aclPermission;
+    });
+
+    // final result is true if all the results are true
+    return Object.keys(results).every(key => results[key] === true);
+}
+
+function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log, request) {
+    const iamAuthzResults = {};
+    const result = isObjAuthorizedNew(bucket, objectMD,
+        [requestType], canonicalID, authInfo, iamAuthzResults, log, request);
+
+    return result;
+}
+
+function evaluateBucketPolicyWithIAM(bucket, requestTypes, canonicalID, authInfo, iamAuthzResults, log, request) {
+    if (!Array.isArray(requestTypes)) {
+        // eslint-disable-next-line no-param-reassign
+        requestTypes = [requestTypes];
+    }
+    if (iamAuthzResults === false) {
+        // eslint-disable-next-line no-param-reassign
+        iamAuthzResults = {};
+    }
+    // By default, all missing actions are defined as allowed from IAM, to be
+    // backward compatible
+    requestTypes.forEach(requestType => {
+        if (iamAuthzResults[requestType] === undefined) {
+            // eslint-disable-next-line no-param-reassign
+            iamAuthzResults[requestType] = false;
+        }
+    });
+
+    const results = {};
+    requestTypes.forEach(_requestType => {
+        let arn = null;
+        if (authInfo) {
+            arn = authInfo.getArn();
+    }
+    const bucketPolicy = bucket.getBucketPolicy();
+    if (!bucketPolicy) {
+            results[_requestType] = iamAuthzResults[_requestType] === false;
+            return;
+    }
+        const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
+        canonicalID, arn, bucket.getOwner(), log, request);
+    if (bucketPolicyPermission === 'explicitDeny') {
+            results[_requestType] = false;
+            return;
+    }
+        // If the bucket policy returns an allow, we accept the request, as the
+        // IAM response here is either Allow or implicit deny.
+        if (bucketPolicyPermission === 'allow') {
+            results[_requestType] = true;
+            return;
+        }
+        results[_requestType] = iamAuthzResults[_requestType] === false;
+    });
+
+    // final result is true if all the results are true
+    return Object.keys(results).every(key => results[key] === true);
 }
 
 function _checkResource(resource, bucketArn) {
@@ -395,4 +554,5 @@ module.exports = {
     checkObjectAcls,
     validatePolicyResource,
     isLifecycleSession,
+    evaluateBucketPolicyWithIAM,
 };

lib/api/bucketDeleteLifecycle.js

@@ -18,10 +18,10 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketDeleteLifecycle',
+        requestType: request.apiMethods || 'bucketDeleteLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGet.js

@@ -328,7 +328,7 @@ function bucketGet(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGet',
+        requestType: request.apiMethods || 'bucketGet',
         request,
     };
     const listParams = {
@@ -351,7 +351,7 @@ function bucketGet(authInfo, request, log, callback) {
         listParams.marker = params.marker;
     }
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

lib/api/bucketGetACL.js

@@ -44,7 +44,7 @@ function bucketGetACL(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetACL',
+        requestType: request.apiMethods || 'bucketGetACL',
         request,
     };
     const grantInfo = {
@@ -55,7 +55,7 @@ function bucketGetACL(authInfo, request, log, callback) {
         },
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

lib/api/bucketGetCors.js

@@ -39,7 +39,8 @@ function bucketGetCors(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
+            request.iamAuthzResults, log, request)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetCors',

lib/api/bucketGetEncryption.js

@@ -22,12 +22,12 @@ function bucketGetEncryption(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetEncryption',
+        requestType: request.apiMethods || 'bucketGetEncryption',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             // If sseInfo is present but the `mandatory` flag is not set

lib/api/bucketGetLifecycle.js

@@ -21,10 +21,10 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetLifecycle',
+        requestType: request.apiMethods || 'bucketGetLifecycle',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetLocation.js

@@ -41,7 +41,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
 
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
+            request.iamAuthzResults, log, request)) {
             log.debug('access denied for account on bucket', {
                 requestType,
                 method: 'bucketGetLocation',

lib/api/bucketGetNotification.js

@@ -37,11 +37,11 @@ function bucketGetNotification(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetNotification',
+        requestType: request.apiMethods || 'bucketGetNotification',
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetObjectLock.js

@@ -33,10 +33,10 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetObjectLock',
+        requestType: request.apiMethods || 'bucketGetObjectLock',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetPolicy.js

@@ -17,11 +17,11 @@ function bucketGetPolicy(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetPolicy',
+        requestType: request.apiMethods || 'bucketGetPolicy',
         request,
     };
 
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetReplication.js

@@ -21,10 +21,10 @@ function bucketGetReplication(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetReplication',
+        requestType: request.apiMethods || 'bucketGetReplication',
         request,
     };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
         if (err) {
             log.debug('error processing request', {

lib/api/bucketGetTagging.js

@@ -70,7 +70,7 @@ async function bucketGetTagging(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetTagging',
+        requestType: request.apiMethods || 'bucketGetTagging',
         request,
     };
 
@@ -78,7 +78,7 @@ async function bucketGetTagging(authInfo, request, log, callback) {
     let xml = null;
 
     try {
-        bucket = await metadataValidateBucketPromise(metadataValParams, log);
+        bucket = await metadataValidateBucketPromise(metadataValParams, request.iamAuthzResults, log);
         // eslint-disable-next-line no-unused-expressions
         await checkExpectedBucketOwnerPromise(headers, bucket, log);
         const tags = bucket.getTags();

lib/api/bucketGetVersioning.js

@@ -54,11 +54,11 @@ function bucketGetVersioning(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketGetVersioning',
+        requestType: request.apiMethods || 'bucketGetVersioning',
         request,
     };
 
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {

lib/api/bucketGetWebsite.js

@@ -39,7 +39,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
 
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
+            request.iamAuthzResults, log, request)) {
             log.debug('access denied for user on bucket', {
                 requestType,
                 method: 'bucketGetWebsite',

lib/api/bucketPutACL.js

@@ -44,7 +44,7 @@ const monitoring = require('../utilities/metrics');
 function bucketPutACL(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'bucketPutACL' });
 
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
     const canonicalID = authInfo.getCanonicalID();
     const newCannedACL = request.headers['x-amz-acl'];
     const possibleCannedACL = [
@@ -54,19 +54,6 @@ function bucketPutACL(authInfo, request, log, callback) {
         'authenticated-read',
         'log-delivery-write',
     ];
-    if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
-        log.trace('invalid canned acl argument', {
-            acl: newCannedACL,
-            method: 'bucketPutACL',
-        });
-        monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
-        return callback(errors.InvalidArgument);
-    }
-    if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
-        log.trace('invalid acl header');
-        monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
-        return callback(errors.InvalidArgument);
-    }
     const possibleGroups = [constants.allAuthedUsersId,
         constants.publicId,
         constants.logId,
@@ -74,7 +61,7 @@ function bucketPutACL(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutACL',
+        requestType: request.apiMethods || 'bucketPutACL',
         request,
     };
     const possibleGrants = ['FULL_CONTROL', 'WRITE',
@@ -88,24 +75,19 @@ function bucketPutACL(authInfo, request, log, callback) {
         READ_ACP: [],
     };
 
-    const grantReadHeader =
+    const grantReadHeader = aclUtils.parseGrant(request.headers[
-        aclUtils.parseGrant(request.headers[
         'x-amz-grant-read'], 'READ');
-    const grantWriteHeader =
+    const grantWriteHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
-        aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
+    const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
-    const grantReadACPHeader =
-        aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
         'READ_ACP');
-    const grantWriteACPHeader =
+    const grantWriteACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
-        aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
         'WRITE_ACP');
-    const grantFullControlHeader =
+    const grantFullControlHeader = aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
-        aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
         'FULL_CONTROL');
 
     return async.waterfall([
         function waterfall1(next) {
-            metadataValidateBucket(metadataValParams, log,
+            metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
                 (err, bucket) => {
                     if (err) {
                         log.trace('request authorization failed', {
@@ -114,6 +96,20 @@ function bucketPutACL(authInfo, request, log, callback) {
                         });
                         return next(err, bucket);
                     }
+                    // if the API call is allowed, ensure that the parameters are valid
+                    if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
+                        log.trace('invalid canned acl argument', {
+                            acl: newCannedACL,
+                            method: 'bucketPutACL',
+                        });
+                        monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
+                        return next(errors.InvalidArgument);
+                    }
+                    if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
+                        log.trace('invalid acl header');
+                        monitoring.promMetrics('PUT', bucketName, 400, 'bucketPutACL');
+                        return next(errors.InvalidArgument);
+                    }
                     return next(null, bucket);
                 });
         },
@@ -196,13 +192,12 @@ function bucketPutACL(authInfo, request, log, callback) {
             } else {
                 // If no canned ACL and no parsed xml, loop
                 // through the access headers
-                const allGrantHeaders =
+                const allGrantHeaders = [].concat(grantReadHeader, grantWriteHeader,
-                    [].concat(grantReadHeader, grantWriteHeader,
                     grantReadACPHeader, grantWriteACPHeader,
                     grantFullControlHeader);
 
-                usersIdentifiedByEmail = allGrantHeaders.filter(item =>
+                usersIdentifiedByEmail = allGrantHeaders.filter(item => item
-                    item && item.userIDType.toLowerCase() === 'emailaddress');
+                    && item.userIDType.toLowerCase() === 'emailaddress');
 
                 usersIdentifiedByGroup = allGrantHeaders
                     .filter(itm => itm && itm.userIDType
@@ -210,8 +205,10 @@ function bucketPutACL(authInfo, request, log, callback) {
                 for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
                     const userGroup = usersIdentifiedByGroup[i].identifier;
                     if (possibleGroups.indexOf(userGroup) < 0) {
-                        log.trace('invalid user group', { userGroup,
+                        log.trace('invalid user group', {
-                            method: 'bucketPutACL' });
+                            userGroup,
+                            method: 'bucketPutACL',
+                        });
                         return next(errors.InvalidArgument, bucket);
                     }
                 }
@@ -246,8 +243,8 @@ function bucketPutACL(authInfo, request, log, callback) {
                 return vault.getCanonicalIds(justEmails, log,
                     (err, results) => {
                         if (err) {
-                            log.trace('error looking up canonical ids', {
+                            log.trace('error looking up canonical ids',
-                                error: err, method: 'vault.getCanonicalIDs' });
+                                { error: err, method: 'vault.getCanonicalIDs' });
                             return next(err, bucket);
                         }
                         const reconstructedUsersIdentifiedByEmail = aclUtils
@@ -256,7 +253,8 @@ function bucketPutACL(authInfo, request, log, callback) {
                         const allUsers = [].concat(
                             reconstructedUsersIdentifiedByEmail,
                             usersIdentifiedByID,
-                            usersIdentifiedByGroup);
+                            usersIdentifiedByGroup,
+                        );
                         const revisedAddACLParams = aclUtils
                             .sortHeaderGrants(allUsers, addACLParams);
                         return next(null, bucket, revisedAddACLParams);
@@ -264,9 +262,9 @@ function bucketPutACL(authInfo, request, log, callback) {
             }
             const allUsers = [].concat(
                 usersIdentifiedByID,
-                usersIdentifiedByGroup);
+                usersIdentifiedByGroup,
-            const revisedAddACLParams =
+            );
-                aclUtils.sortHeaderGrants(allUsers, addACLParams);
+            const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
             return next(null, bucket, revisedAddACLParams);
         },
         function waterfall4(bucket, addACLParams, next) {
@@ -277,19 +275,19 @@ function bucketPutACL(authInfo, request, log, callback) {
             if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) {
                 log.trace('transient or deleted flag so cleaning up bucket');
                 bucket.setFullAcl(addACLParams);
-                return cleanUpBucket(bucket, canonicalID, log, err =>
+                return cleanUpBucket(bucket, canonicalID, log, err => next(err, bucket));
-                    next(err, bucket));
             }
             // If no bucket flags, just add acl's to bucket metadata
-            return acl.addACL(bucket, addACLParams, log, err =>
+            return acl.addACL(bucket, addACLParams, log, err => next(err, bucket));
-                next(err, bucket));
         },
     ], (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutACL' });
+                error: err,
+                method: 'bucketPutACL',
+            });
             monitoring.promMetrics('PUT', bucketName, err.code, 'bucketPutACL');
         } else {
             pushMetric('putBucketAcl', log, {

lib/api/bucketPutCors.js

@@ -4,8 +4,7 @@ const { errors } = require('arsenal');
 
 const bucketShield = require('./apiUtils/bucket/bucketShield');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
-const { isBucketAuthorized } =
+const { isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
-    require('./apiUtils/authorization/permissionChecks');
 const metadata = require('../metadata/wrapper');
 const { parseCorsXml } = require('./apiUtils/bucket/bucketCors');
 const { pushMetric } = require('../utapi/utilities');
@@ -23,7 +22,7 @@ const requestType = 'bucketPutCors';
  */
 function bucketPutCors(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'bucketPutCors' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
     const canonicalID = authInfo.getCanonicalID();
 
     if (!request.post) {
@@ -70,7 +69,8 @@ function bucketPutCors(authInfo, request, log, callback) {
             });
         },
         function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
-            if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
+                request.iamAuthzResults, log, request)) {
                 log.debug('access denied for account on bucket', {
                     requestType,
                 });
@@ -81,13 +81,14 @@ function bucketPutCors(authInfo, request, log, callback) {
         function updateBucketMetadata(bucket, rules, corsHeaders, next) {
             log.trace('updating bucket cors rules in metadata');
             bucket.setCors(rules);
-            metadata.updateBucket(bucketName, bucket, log, err =>
+            metadata.updateBucket(bucketName, bucket, log, err => next(err, corsHeaders));
-                next(err, corsHeaders));
         },
     ], (err, corsHeaders) => {
         if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutCors' });
+                error: err,
+                method: 'bucketPutCors',
+            });
             monitoring.promMetrics('PUT', bucketName, err.code,
                 'putBucketCors');
         }

lib/api/bucketPutEncryption.js

@@ -18,17 +18,17 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
  */
 
 function bucketPutEncryption(authInfo, request, log, callback) {
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
 
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutEncryption',
+        requestType: request.apiMethods || 'bucketPutEncryption',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, next),
         (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
         (bucket, next) => {
             log.trace('parsing encryption config', { method: 'bucketPutEncryption' });

lib/api/bucketPutLifecycle.js

@@ -1,7 +1,6 @@
 const { waterfall } = require('async');
 const uuid = require('uuid/v4');
-const LifecycleConfiguration =
+const { LifecycleConfiguration } = require('arsenal').models;
-    require('arsenal').models.LifecycleConfiguration;
 
 const parseXML = require('../utilities/parseXML');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@@ -22,11 +21,11 @@ const monitoring = require('../utilities/metrics');
 function bucketPutLifecycle(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'bucketPutLifecycle' });
 
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutLifecycle',
+        requestType: request.apiMethods || 'bucketPutLifecycle',
         request,
     };
     return waterfall([
@@ -43,7 +42,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
                 return next(null, configObj);
             });
         },
-        (lcConfig, next) => metadataValidateBucket(metadataValParams, log,
+        (lcConfig, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
             (err, bucket) => {
                 if (err) {
                     return next(err, bucket);
@@ -55,17 +54,19 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
                 bucket.setUid(uuid());
             }
             bucket.setLifecycleConfiguration(lcConfig);
-            metadata.updateBucket(bucket.getName(), bucket, log, err =>
+            metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
-                next(err, bucket));
         },
     ], (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutLifecycle' });
+                error: err,
+                method: 'bucketPutLifecycle',
+            });
             monitoring.promMetrics(
-                'PUT', bucketName, err.code, 'putBucketLifecycle');
+                'PUT', bucketName, err.code, 'putBucketLifecycle',
+            );
             return callback(err, corsHeaders);
         }
         pushMetric('putBucketLifecycle', log, {

lib/api/bucketPutNotification.js

@@ -19,11 +19,11 @@ const { pushMetric } = require('../utapi/utilities');
 function bucketPutNotification(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'bucketPutNotification' });
 
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutNotification',
+        requestType: request.apiMethods || 'bucketPutNotification',
         request,
     };
 
@@ -34,7 +34,7 @@ function bucketPutNotification(authInfo, request, log, callback) {
             const notifConfig = notificationConfig.error ? undefined : notificationConfig;
             process.nextTick(() => next(notificationConfig.error, notifConfig));
         },
-        (notifConfig, next) => metadataValidateBucket(metadataValParams, log,
+        (notifConfig, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
             (err, bucket) => next(err, bucket, notifConfig)),
         (bucket, notifConfig, next) => {
             bucket.setNotificationConfiguration(notifConfig);
@@ -45,8 +45,10 @@ function bucketPutNotification(authInfo, request, log, callback) {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutNotification' });
+                error: err,
+                method: 'bucketPutNotification',
+            });
             return callback(err, corsHeaders);
         }
         pushMetric('putBucketNotification', log, {

lib/api/bucketPutObjectLock.js

@@ -1,8 +1,8 @@
 const { waterfall } = require('async');
 const arsenal = require('arsenal');
 
-const errors = arsenal.errors;
+const { errors } = arsenal;
-const ObjectLockConfiguration = arsenal.models.ObjectLockConfiguration;
+const { ObjectLockConfiguration } = arsenal.models;
 
 const parseXML = require('../utilities/parseXML');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@@ -22,11 +22,11 @@ const { pushMetric } = require('../utapi/utilities');
 function bucketPutObjectLock(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'bucketPutObjectLock' });
 
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutObjectLock',
+        requestType: request.apiMethods || 'bucketPutObjectLock',
         request,
     };
     return waterfall([
@@ -36,12 +36,12 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
             // if there was an error getting object lock configuration,
             // returned configObj will contain 'error' key
             process.nextTick(() => {
-                const configObj = lockConfigClass.
+                const configObj = lockConfigClass
-                    getValidatedObjectLockConfiguration();
+                    .getValidatedObjectLockConfiguration();
                 return next(configObj.error || null, configObj);
             });
         },
-        (objectLockConfig, next) => metadataValidateBucket(metadataValParams,
+        (objectLockConfig, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults,
             log, (err, bucket) => {
                 if (err) {
                     return next(err, bucket);
@@ -53,23 +53,25 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
             process.nextTick(() => {
                 if (!isObjectLockEnabled) {
                     return next(errors.InvalidBucketState.customizeDescription(
-                        'Object Lock configuration cannot be enabled on ' +
+                        'Object Lock configuration cannot be enabled on '
-                        'existing buckets'), bucket);
+                        + 'existing buckets',
+                    ), bucket);
                 }
                 return next(null, bucket, objectLockConfig);
             });
         },
         (bucket, objectLockConfig, next) => {
             bucket.setObjectLockConfiguration(objectLockConfig);
-            metadata.updateBucket(bucket.getName(), bucket, log, err =>
+            metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
-                next(err, bucket));
         },
     ], (err, bucket) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutObjectLock' });
+                error: err,
+                method: 'bucketPutObjectLock',
+            });
             return callback(err, corsHeaders);
         }
         pushMetric('putBucketObjectLock', log, {

lib/api/bucketPutPolicy.js

@@ -17,8 +17,7 @@ const { BucketPolicy } = models;
 function _checkNotImplementedPolicy(policyString) {
     // bucket names and key names cannot include "", so including those
     // isolates not implemented keys
-    return policyString.includes('"Condition"')
+    return policyString.includes('"Service"')
-    || policyString.includes('"Service"')
     || policyString.includes('"Federated"');
 }
 
@@ -37,7 +36,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutPolicy',
+        requestType: request.apiMethods || 'bucketPutPolicy',
         request,
     };
 
@@ -70,7 +69,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
                 return next(null, bucketPolicy);
             });
         },
-        (bucketPolicy, next) => metadataValidateBucket(metadataValParams, log,
+        (bucketPolicy, next) => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
             (err, bucket) => {
                 if (err) {
                     return next(err, bucket);

lib/api/bucketPutReplication.js

@@ -28,7 +28,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutReplication',
+        requestType: request.apiMethods || 'bucketPutReplication',
         request,
     };
     return waterfall([
@@ -37,7 +37,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
         // Check bucket user privileges and ensure versioning is 'Enabled'.
         (config, next) =>
             // TODO: Validate that destination bucket exists and has versioning.
-            metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+            metadataValidateBucket(metadataValParams, request.iamAuthzResults, log, (err, bucket) => {
                 if (err) {
                     return next(err);
                 }

lib/api/bucketPutTagging.js

@@ -38,11 +38,11 @@ function bucketPutTagging(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutTagging',
+        requestType: request.apiMethods || 'bucketPutTagging',
     };
     let bucket = null;
     return waterfall([
-        next => metadataValidateBucket(metadataValParams, log,
+        next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
             (err, b) => {
                 bucket = b;
                 return next(err);

lib/api/bucketPutVersioning.js

@@ -88,13 +88,13 @@ function bucketPutVersioning(authInfo, request, log, callback) {
     const metadataValParams = {
         authInfo,
         bucketName,
-        requestType: 'bucketPutVersioning',
+        requestType: request.apiMethods || 'bucketPutVersioning',
         request,
     };
 
     return waterfall([
         next => _parseXML(request, log, next),
-        next => metadataValidateBucket(metadataValParams, log,
+        next => metadataValidateBucket(metadataValParams, request.iamAuthzResults, log,
             (err, bucket) => next(err, bucket)), // ignore extra null object,
         (bucket, next) => parseString(request.post, (err, result) => {
             // just for linting; there should not be any parsing error here

lib/api/bucketPutWebsite.js

@@ -49,7 +49,8 @@ function bucketPutWebsite(authInfo, request, log, callback) {
             });
         },
         function validateBucketAuthorization(bucket, config, next) {
-            if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
+                request.iamAuthzResults, log, request)) {
                 log.debug('access denied for user on bucket', {
                     requestType,
                     method: 'bucketPutWebsite',

lib/api/objectGet.js

@@ -46,11 +46,11 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
         objectKey,
         versionId,
         getDeleteMarker: true,
-        requestType: 'objectGet',
+        requestType: request.apiMethods || 'objectGet',
         request,
     };
 
-    return metadataValidateBucketAndObj(mdValParams, log,
+    return metadataValidateBucketAndObj(mdValParams, request.iamAuthzResults, log,
     (err, bucket, objMD) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);

lib/api/objectGetACL.js

@@ -61,7 +61,7 @@ function objectGetACL(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId,
-        requestType: 'objectGetACL',
+        requestType: request.apiMethods || 'objectGetACL',
         request,
     };
     const grantInfo = {
@@ -74,7 +74,7 @@ function objectGetACL(authInfo, request, log, callback) {
 
     return async.waterfall([
         function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(metadataValParams, log,
+            return metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
                 (err, bucket, objectMD) => {
                     if (err) {
                         log.trace('request authorization failed',

lib/api/objectGetLegalHold.js

@@ -40,12 +40,12 @@ function objectGetLegalHold(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId,
-        requestType: 'objectGetLegalHold',
+        requestType: request.apiMethods || 'objectGetLegalHold',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

lib/api/objectGetRetention.js

@@ -40,12 +40,12 @@ function objectGetRetention(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId: reqVersionId,
-        requestType: 'objectGetRetention',
+        requestType: request.apiMethods || 'objectGetRetention',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

lib/api/objectGetTagging.js

@@ -41,12 +41,11 @@ function objectGetTagging(authInfo, request, log, callback) {
         bucketName,
         objectKey,
         versionId: reqVersionId,
-        requestType: 'objectGetTagging',
+        requestType: request.apiMethods || 'objectGetTagging',
         request,
     };
-
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
           (err, bucket, objectMD) => {
               if (err) {
                   log.trace('request authorization failed',

lib/api/objectPut.js

@@ -16,6 +16,7 @@ const { config } = require('../Config');
 const { setExpirationHeaders } = require('./apiUtils/object/expirationHeaders');
 const monitoring = require('../utilities/metrics');
 const writeContinue = require('../utilities/writeContinue');
+
 const versionIdUtils = versioning.VersionID;
 
 /**
@@ -59,7 +60,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
     }
     const invalidSSEError = errors.InvalidArgument.customizeDescription(
         'The encryption method specified is not supported');
-    const requestType = 'objectPut';
+    const requestType = request.apiMethods || 'objectPut';
     const valParams = { authInfo, bucketName, objectKey, requestType, request };
     const canonicalID = authInfo.getCanonicalID();
 
@@ -70,8 +71,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
     }
 
     log.trace('owner canonicalID to send to data', { canonicalID });
-
+    return metadataValidateBucketAndObj(valParams, request.iamAuthzResults, log,
-    return metadataValidateBucketAndObj(valParams, log,
         (err, bucket, objMD) => {
             const responseHeaders = collectCorsHeaders(headers.origin,
                 method, bucket);
@@ -168,8 +168,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
                 const isVersionedObj = vcfg && vcfg.Status === 'Enabled';
                 if (isVersionedObj) {
                     if (storingResult && storingResult.versionId) {
-                    responseHeaders['x-amz-version-id'] =
+                        responseHeaders['x-amz-version-id'] = versionIdUtils.encode(storingResult.versionId,
-                        versionIdUtils.encode(storingResult.versionId,
                             config.versionIdEncodingType);
                     }
                 }

lib/api/objectPutACL.js

@@ -7,8 +7,7 @@ const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const constants = require('../../constants');
 const vault = require('../auth/vault');
-const { decodeVersionId, getVersionIdResHeader }
+const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
-    = require('./apiUtils/object/versioning');
 const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const monitoring = require('../utilities/metrics');
 const { config } = require('../Config');
@@ -45,8 +44,8 @@ const { config } = require('../Config');
  */
 function objectPutACL(authInfo, request, log, cb) {
     log.debug('processing request', { method: 'objectPutACL' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
-    const objectKey = request.objectKey;
+    const { objectKey } = request;
     const newCannedACL = request.headers['x-amz-acl'];
     const possibleCannedACL = [
         'private',
@@ -88,7 +87,7 @@ function objectPutACL(authInfo, request, log, cb) {
         objectKey,
         versionId: reqVersionId,
         getDeleteMarker: true,
-        requestType: 'objectPutACL',
+        requestType: request.apiMethods || 'objectPutACL',
     };
 
     const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];
@@ -100,26 +99,26 @@ function objectPutACL(authInfo, request, log, cb) {
         READ_ACP: [],
     };
 
-    const grantReadHeader =
+    const grantReadHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
-        aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
+    const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
-    const grantReadACPHeader =
-        aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
         'READ_ACP');
     const grantWriteACPHeader = aclUtils.parseGrant(
-        request.headers['x-amz-grant-write-acp'], 'WRITE_ACP');
+        request.headers['x-amz-grant-write-acp'], 'WRITE_ACP',
+    );
     const grantFullControlHeader = aclUtils.parseGrant(
-        request.headers['x-amz-grant-full-control'], 'FULL_CONTROL');
+        request.headers['x-amz-grant-full-control'], 'FULL_CONTROL',
+    );
 
     return async.waterfall([
         function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(metadataValParams, log,
+            return metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
                 (err, bucket, objectMD) => {
                     if (err) {
                         return next(err);
                     }
                     if (!objectMD) {
-                        const err = reqVersionId ? errors.NoSuchVersion :
+                        const err = reqVersionId ? errors.NoSuchVersion
-                            errors.NoSuchKey;
+                            : errors.NoSuchKey;
                         return next(err, bucket);
                     }
                     if (objectMD.isDeleteMarker) {
@@ -222,22 +221,24 @@ function objectPutACL(authInfo, request, log, cb) {
             } else {
                 // If no canned ACL and no parsed xml, loop
                 // through the access headers
-                const allGrantHeaders =
+                const allGrantHeaders = [].concat(grantReadHeader,
-                    [].concat(grantReadHeader,
                     grantReadACPHeader, grantWriteACPHeader,
                     grantFullControlHeader);
 
-                usersIdentifiedByEmail = allGrantHeaders.filter(item =>
+                usersIdentifiedByEmail = allGrantHeaders.filter(item => item
-                    item && item.userIDType.toLowerCase() === 'emailaddress');
+                    && item.userIDType.toLowerCase() === 'emailaddress');
                 usersIdentifiedByGroup = allGrantHeaders
                     .filter(itm => itm && itm.userIDType
                         .toLowerCase() === 'uri');
-                for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
+                for (let i = 0; i < usersIdentifiedByGroup.length; i += 1) {
                     if (possibleGroups.indexOf(
-                            usersIdentifiedByGroup[i].identifier) < 0) {
+                        usersIdentifiedByGroup[i].identifier,
+                    ) < 0) {
                         log.trace('invalid user group',
-                            { userGroup: usersIdentifiedByGroup[i]
+                            {
-                                 .identifier });
+                                userGroup: usersIdentifiedByGroup[i]
+                                    .identifier,
+                            });
                         return next(errors.InvalidArgument, bucket);
                     }
                 }
@@ -265,18 +266,20 @@ function objectPutACL(authInfo, request, log, cb) {
                         const allUsers = [].concat(
                             reconstructedUsersIdentifiedByEmail,
                             usersIdentifiedByID,
-                            usersIdentifiedByGroup);
+                            usersIdentifiedByGroup,
+                        );
                         const revisedAddACLParams = aclUtils
                             .sortHeaderGrants(allUsers, addACLParams);
                         return next(null, bucket, objectMD,
                             revisedAddACLParams);
-                    });
+                    },
+                );
             }
             const allUsers = [].concat(
                 usersIdentifiedByID,
-                usersIdentifiedByGroup);
+                usersIdentifiedByGroup,
-            const revisedAddACLParams =
+            );
-                aclUtils.sortHeaderGrants(allUsers, addACLParams);
+            const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
             return next(null, bucket, objectMD, revisedAddACLParams);
         },
         function addAclsToObjMD(bucket, objectMD, ACLParams, next) {
@@ -300,13 +303,13 @@ function objectPutACL(authInfo, request, log, cb) {
                 method: 'objectPutACL',
             });
             monitoring.promMetrics(
-                'PUT', bucketName, err.code, 'putObjectAcl');
+                'PUT', bucketName, err.code, 'putObjectAcl',
+            );
             return cb(err, resHeaders);
         }
 
         const verCfg = bucket.getVersioningConfiguration();
-        resHeaders['x-amz-version-id'] =
+        resHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
-            getVersionIdResHeader(verCfg, objectMD);
 
         log.trace('processed request successfully in object put acl api');
         pushMetric('putObjectAcl', log, {

lib/api/objectPutCopyPart.js

@@ -1,12 +1,12 @@
 const async = require('async');
 const { errors, versioning, s3middleware } = require('arsenal');
+
 const validateHeaders = s3middleware.validateConditionalHeaders;
 
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const constants = require('../../constants');
 const { data } = require('../data/wrapper');
-const locationConstraintCheck =
+const locationConstraintCheck = require('./apiUtils/object/locationConstraintCheck');
-    require('./apiUtils/object/locationConstraintCheck');
 const metadata = require('../metadata/wrapper');
 const { pushMetric } = require('../utapi/utilities');
 const logger = require('../utilities/logger');
@@ -62,8 +62,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
     // Note that keys in the query object retain their case, so
     // request.query.uploadId must be called with that exact
     // capitalization
-    const uploadId = request.query.uploadId;
+    const { uploadId } = request.query;
-
     const valPutParams = {
         authInfo,
         bucketName: destBucketName,
@@ -93,26 +92,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
 
     return async.waterfall([
         function checkDestAuth(next) {
-            return metadataValidateBucketAndObj(valPutParams, log,
+            return metadataValidateBucketAndObj(valPutParams, request.iamAuthzResults, log,
                 (err, destBucketMD) => {
                     if (err) {
-                        log.debug('error validating authorization for ' +
+                        log.debug('error validating authorization for '
-                        'destination bucket',
+                        + 'destination bucket',
                         { error: err });
                         return next(err, destBucketMD);
                     }
                     const flag = destBucketMD.hasDeletedFlag()
                         || destBucketMD.hasTransientFlag();
                     if (flag) {
-                        log.trace('deleted flag or transient flag ' +
+                        log.trace('deleted flag or transient flag '
-                        'on destination bucket', { flag });
+                        + 'on destination bucket', { flag });
                         return next(errors.NoSuchBucket);
                     }
                     return next(null, destBucketMD);
                 });
         },
         function checkSourceAuthorization(destBucketMD, next) {
-            return metadataValidateBucketAndObj(valGetParams, log,
+            return metadataValidateBucketAndObj(valGetParams, request.iamAuthzResults, log,
                 (err, sourceBucketMD, sourceObjMD) => {
                     if (err) {
                         log.debug('error validating get part of request',
@@ -121,28 +120,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                     }
                     if (!sourceObjMD) {
                         log.debug('no source object', { sourceObject });
-                        const err = reqVersionId ? errors.NoSuchVersion :
+                        const err = reqVersionId ? errors.NoSuchVersion
-                            errors.NoSuchKey;
+                            : errors.NoSuchKey;
                         return next(err, destBucketMD);
                     }
-                    let sourceLocationConstraintName =
+                    let sourceLocationConstraintName = sourceObjMD.dataStoreName;
-                        sourceObjMD.dataStoreName;
                     // for backwards compatibility before storing dataStoreName
                     // TODO: handle in objectMD class
-                    if (!sourceLocationConstraintName &&
+                    if (!sourceLocationConstraintName
-                        sourceObjMD.location[0] &&
+                        && sourceObjMD.location[0]
-                        sourceObjMD.location[0].dataStoreName) {
+                        && sourceObjMD.location[0].dataStoreName) {
-                        sourceLocationConstraintName =
+                        sourceLocationConstraintName = sourceObjMD.location[0].dataStoreName;
-                            sourceObjMD.location[0].dataStoreName;
                     }
                     if (sourceObjMD.isDeleteMarker) {
                         log.debug('delete marker on source object',
                             { sourceObject });
                         if (reqVersionId) {
                             const err = errors.InvalidRequest
-                            .customizeDescription('The source of a copy ' +
+                                .customizeDescription('The source of a copy '
-                            'request may not specifically refer to a delete' +
+                            + 'request may not specifically refer to a delete'
-                            'marker by version id.');
+                            + 'marker by version id.');
                             return next(err, destBucketMD);
                         }
                         // if user specifies a key in a versioned source bucket
@@ -150,8 +147,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                         // delete marker, return NoSuchKey
                         return next(errors.NoSuchKey, destBucketMD);
                     }
-                    const headerValResult =
+                    const headerValResult = validateHeaders(request.headers,
-                        validateHeaders(request.headers,
                         sourceObjMD['last-modified'],
                         sourceObjMD['content-md5']);
                     if (headerValResult.error) {
@@ -166,15 +162,15 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                     // If specific version requested, include copy source
                     // version id in response. Include in request by default
                     // if versioning is enabled or suspended.
-                    if (sourceBucketMD.getVersioningConfiguration() ||
+                    if (sourceBucketMD.getVersioningConfiguration()
-                    reqVersionId) {
+                    || reqVersionId) {
                         if (sourceObjMD.isNull || !sourceObjMD.versionId) {
                             sourceVerId = 'null';
                         } else {
-                            sourceVerId =
+                            sourceVerId = versionIdUtils.encode(
-                                versionIdUtils.encode(
                                 sourceObjMD.versionId,
-                                    config.versionIdEncodingType);
+                                config.versionIdEncodingType,
+                            );
                         }
                     }
                     return next(null, copyLocator.dataLocator, destBucketMD,
@@ -199,7 +195,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                         });
                         return next(err);
                     }
-                    let splitter = constants.splitter;
+                    let { splitter } = constants;
                     if (mpuBucket.getMdBucketModelVersion() < 2) {
                         splitter = constants.oldSplitter;
                     }
@@ -213,8 +209,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
         function getMpuOverviewObject(dataLocator, destBucketMD,
             copyObjectSize, sourceVerId, splitter,
             sourceLocationConstraintName, next) {
-            const mpuOverviewKey =
+            const mpuOverviewKey = `overview${splitter}${destObjectKey}${splitter}${uploadId}`;
-                `overview${splitter}${destObjectKey}${splitter}${uploadId}`;
             return metadata.getObjectMD(mpuBucketName, mpuOverviewKey,
                 null, log, (err, res) => {
                     if (err) {
@@ -222,22 +217,21 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                         if (err.NoSuchKey) {
                             return next(errors.NoSuchUpload);
                         }
-                            log.error('error getting overview object from ' +
+                        log.error('error getting overview object from '
-                                'mpu bucket', {
+                                + 'mpu bucket', {
                             error: err,
-                                    method: 'objectPutCopyPart::' +
+                            method: 'objectPutCopyPart::'
-                                        'metadata.getObjectMD',
+                                        + 'metadata.getObjectMD',
                         });
                         return next(err);
                     }
                     const initiatorID = res.initiator.ID;
-                        const requesterID = authInfo.isRequesterAnIAMUser() ?
+                    const requesterID = authInfo.isRequesterAnIAMUser()
-                            authInfo.getArn() : authInfo.getCanonicalID();
+                        ? authInfo.getArn() : authInfo.getCanonicalID();
                     if (initiatorID !== requesterID) {
                         return next(errors.AccessDenied);
                     }
-                        const destObjLocationConstraint =
+                    const destObjLocationConstraint = res.controllingLocationConstraint;
-                            res.controllingLocationConstraint;
                     return next(null, dataLocator, destBucketMD,
                         destObjLocationConstraint, copyObjectSize,
                         sourceVerId, sourceLocationConstraintName, splitter);
@@ -253,6 +247,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
             splitter,
             next,
         ) {
+            const originalIdentityAuthzResults = request.iamAuthzResults;
+            // eslint-disable-next-line no-param-reassign
+            delete request.iamAuthzResults;
             data.uploadPartCopy(
                 request,
                 log,
@@ -263,6 +260,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                 dataStoreContext,
                 locationConstraintCheck,
                 (error, eTag, lastModified, serverSideEncryption, locations) => {
+                    // eslint-disable-next-line no-param-reassign
+                    request.iamAuthzResults = originalIdentityAuthzResults;
                     if (error) {
                         if (error.message === 'skip') {
                             return next(skipError, destBucketMD, eTag,
@@ -274,13 +273,13 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                     return next(null, destBucketMD, locations, eTag,
                         copyObjectSize, sourceVerId, serverSideEncryption,
                         lastModified, splitter);
-                });
+                },
+            );
         },
         function getExistingPartInfo(destBucketMD, locations, totalHash,
             copyObjectSize, sourceVerId, serverSideEncryption, lastModified,
             splitter, next) {
-            const partKey =
+            const partKey = `${uploadId}${constants.splitter}${paddedPartNumber}`;
-                `${uploadId}${constants.splitter}${paddedPartNumber}`;
             metadata.getObjectMD(mpuBucketName, partKey, {}, log,
                 (err, result) => {
                     // If there is nothing being overwritten just move on
@@ -298,8 +297,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                         // Pull locations to clean up any potential orphans
                         // in data if object put is an overwrite of
                         // already existing object with same key and part number
-                        oldLocations = Array.isArray(oldLocations) ?
+                        oldLocations = Array.isArray(oldLocations)
-                            oldLocations : [oldLocations];
+                            ? oldLocations : [oldLocations];
                     }
                     return next(null, destBucketMD, locations, totalHash,
                         prevObjectSize, copyObjectSize, sourceVerId,
@@ -374,7 +373,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
             // data locations) has been stored
             if (oldLocationsToDelete) {
                 const delLog = logger.newRequestLoggerFromSerializedUids(
-                    log.getSerializedUids());
+                    log.getSerializedUids(),
+                );
                 return data.batchDelete(oldLocationsToDelete, request.method, null,
                     delLog, err => {
                         if (err) {
@@ -415,11 +415,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
 
         const additionalHeaders = corsHeaders || {};
         if (serverSideEncryption) {
-            additionalHeaders['x-amz-server-side-encryption'] =
+            additionalHeaders['x-amz-server-side-encryption'] = serverSideEncryption.algorithm;
-                serverSideEncryption.algorithm;
             if (serverSideEncryption.algorithm === 'aws:kms') {
-                additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id']
+                additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id'] = serverSideEncryption.masterKeyId;
-                    = serverSideEncryption.masterKeyId;
             }
         }
         additionalHeaders['x-amz-copy-source-version-id'] = sourceVerId;
@@ -433,7 +431,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
             location: destBucketMD.getLocationConstraint(),
         });
         monitoring.promMetrics(
-            'PUT', destBucketName, '200', 'putObjectCopyPart');
+            'PUT', destBucketName, '200', 'putObjectCopyPart',
+        );
         return callback(null, xml, additionalHeaders);
     });
 }

lib/api/objectPutLegalHold.js

@@ -43,12 +43,12 @@ function objectPutLegalHold(authInfo, request, log, callback) {
         objectKey,
         versionId,
         getDeleteMarker: true,
-        requestType: 'objectPutLegalHold',
+        requestType: request.apiMethods || 'objectPutLegalHold',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',

lib/api/objectPutPart.js

@@ -94,6 +94,7 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
     const uploadId = request.query.uploadId;
     const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
     const objectKey = request.objectKey;
+    const originalIdentityAuthzResults = request.iamAuthzResults;
 
     return async.waterfall([
         // Get the destination bucket.
@@ -116,7 +117,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
             // For validating the request at the destinationBucket level the
             // `requestType` is the general 'objectPut'.
             const requestType = 'objectPut';
-            if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo, log, request)) {
+            if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
+                request.iamAuthzResults, log, request)) {
                 log.debug('access denied for user on bucket', { requestType });
                 return next(errors.AccessDenied, destinationBucket);
             }
@@ -203,6 +205,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
                 partNumber,
                 bucketName,
             };
+            // eslint-disable-next-line no-param-reassign
+            delete request.iamAuthzResults;
             writeContinue(request, request._response);
             return data.putPart(request, mpuInfo, streamingV4Params,
                 objectLocationConstraint, locationConstraintCheck, log,
@@ -385,6 +389,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
     ], (err, destinationBucket, hexDigest, prevObjectSize) => {
         const corsHeaders = collectCorsHeaders(request.headers.origin,
             request.method, destinationBucket);
+        // eslint-disable-next-line no-param-reassign
+        request.iamAuthzResults = originalIdentityAuthzResults;
         if (err) {
             if (err === skipError) {
                 return cb(null, hexDigest, corsHeaders);

lib/api/objectPutRetention.js

@@ -44,12 +44,27 @@ function objectPutRetention(authInfo, request, log, callback) {
         objectKey,
         versionId: reqVersionId,
         getDeleteMarker: true,
-        requestType: 'objectPutRetention',
+        requestType: request.apiMethods || 'objectPutRetention',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => {
+            log.trace('parsing retention information');
+            parseRetentionXml(request.post, log,
+                (err, retentionInfo) => {
+                    if (err) {
+                        log.trace('error parsing retention information',
+                            { error: err });
+                        return next(err);
+                    }
+                    const remainingDays = Math.ceil(
+                        (new Date(retentionInfo.date) - Date.now()) / (1000 * 3600 * 24));
+                    metadataValParams.request.objectLockRetentionDays = remainingDays;
+                    return next(null, retentionInfo);
+                });
+        },
+        (retentionInfo, next) => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',
@@ -77,13 +92,8 @@ function objectPutRetention(authInfo, request, log, callback) {
                         'Bucket is missing Object Lock Configuration'
                     ), bucket);
                 }
-            return next(null, bucket, objectMD);
+                return next(null, bucket, retentionInfo, objectMD);
             }),
-        (bucket, objectMD, next) => {
-            log.trace('parsing retention information');
-            parseRetentionXml(request.post, log,
-                (err, retentionInfo) => next(err, bucket, retentionInfo, objectMD));
-        },
         (bucket, retentionInfo, objectMD, next) => {
             const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers);
             if (hasGovernanceBypass && authInfo.isRequesterAnIAMUser()) {

lib/api/objectPutTagging.js

@@ -1,8 +1,7 @@
 const async = require('async');
 const { errors, s3middleware } = require('arsenal');
 
-const { decodeVersionId, getVersionIdResHeader } =
+const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
-  require('./apiUtils/object/versioning');
 
 const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
@@ -11,8 +10,10 @@ const getReplicationInfo = require('./apiUtils/object/getReplicationInfo');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const metadata = require('../metadata/wrapper');
 const { data } = require('../data/wrapper');
+
 const { parseTagXml } = s3middleware.tagging;
 const { config } = require('../Config');
+
 const REPLICATION_ACTION = 'PUT_TAGGING';
 
 /**
@@ -26,8 +27,8 @@ const REPLICATION_ACTION = 'PUT_TAGGING';
 function objectPutTagging(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'objectPutTagging' });
 
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
-    const objectKey = request.objectKey;
+    const { objectKey } = request;
 
     const decodedVidResult = decodeVersionId(request.query);
     if (decodedVidResult instanceof Error) {
@@ -45,12 +46,12 @@ function objectPutTagging(authInfo, request, log, callback) {
         objectKey,
         versionId: reqVersionId,
         getDeleteMarker: true,
-        requestType: 'objectPutTagging',
+        requestType: request.apiMethods || 'objectPutTagging',
         request,
     };
 
     return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.iamAuthzResults, log,
             (err, bucket, objectMD) => {
                 if (err) {
                     log.trace('request authorization failed',
@@ -58,8 +59,8 @@ function objectPutTagging(authInfo, request, log, callback) {
                     return next(err);
                 }
                 if (!objectMD) {
-                  const err = reqVersionId ? errors.NoSuchVersion :
+                    const err = reqVersionId ? errors.NoSuchVersion
-                      errors.NoSuchKey;
+                        : errors.NoSuchKey;
                     log.trace('error no object metadata found',
                         { method: 'objectPutTagging', error: err });
                     return next(err, bucket);
@@ -75,8 +76,7 @@ function objectPutTagging(authInfo, request, log, callback) {
             }),
         (bucket, objectMD, next) => {
             log.trace('parsing tag(s)');
-            parseTagXml(request.post, log, (err, tags) =>
+            parseTagXml(request.post, log, (err, tags) => next(err, bucket, tags, objectMD));
-              next(err, bucket, tags, objectMD));
         },
         (bucket, tags, objectMD, next) => {
             // eslint-disable-next-line no-param-reassign
@@ -98,19 +98,19 @@ function objectPutTagging(authInfo, request, log, callback) {
             // eslint-disable-next-line no-param-reassign
             objectMD.originOp = 's3:ObjectTagging:Put';
             metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params,
-            log, err =>
+                log, err => next(err, bucket, objectMD));
-                next(err, bucket, objectMD));
         },
-        (bucket, objectMD, next) =>
         // if external backend handles tagging
-            data.objectTagging('Put', objectKey, bucket, objectMD,
+        (bucket, objectMD, next) => data.objectTagging('Put', objectKey, bucket, objectMD,
             log, err => next(err, bucket, objectMD)),
     ], (err, bucket, objectMD) => {
         const additionalResHeaders = collectCorsHeaders(request.headers.origin,
             request.method, bucket);
         if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'objectPutTagging' });
+                error: err,
+                method: 'objectPutTagging',
+            });
             monitoring.promMetrics('PUT', bucketName, err.code,
                 'putObjectTagging');
         } else {
@@ -122,10 +122,10 @@ function objectPutTagging(authInfo, request, log, callback) {
                 location: objectMD ? objectMD.dataStoreName : undefined,
             });
             monitoring.promMetrics(
-                'PUT', bucketName, '200', 'putObjectTagging');
+                'PUT', bucketName, '200', 'putObjectTagging',
+            );
             const verCfg = bucket.getVersioningConfiguration();
-            additionalResHeaders['x-amz-version-id'] =
+            additionalResHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
-                getVersionIdResHeader(verCfg, objectMD);
         }
         return callback(err, additionalResHeaders);
     });

lib/api/websiteGet.js

@@ -22,12 +22,13 @@ const monitoring = require('../utilities/metrics');
  * @param {string} objectKey - object key from request (or as translated in
  * websiteGet)
  * @param {object} corsHeaders - CORS-related response headers
+ * @param {object} request - normalized request object
  * @param {object} log - Werelogs instance
  * @param {function} callback - callback to function in route
  * @return {undefined}
  */
 function _errorActions(err, errorDocument, routingRules,
-    bucket, objectKey, corsHeaders, log, callback) {
+    bucket, objectKey, corsHeaders, request, log, callback) {
     const bucketName = bucket.getName();
     const errRoutingRule = findRoutingRule(routingRules,
         objectKey, err.code);
@@ -51,8 +52,8 @@ function _errorActions(err, errorDocument, routingRules,
                 }
                 // return the default error message if the object is private
                 // rather than sending a stored error file
-                if (!isObjAuthorized(bucket, errObjMD, 'objectGet',
+                if (!isObjAuthorized(bucket, errObjMD, request.apiMethods || 'objectGet',
-                    constants.publicId, null, log)) {
+                    constants.publicId, null, request.iamAuthzResults, log)) {
                     log.trace('errorObj not authorized', { error: err });
                     monitoring.promMetrics(
                         'GET', bucketName, err.code, 'getObject');
@@ -162,8 +163,8 @@ function websiteGet(request, log, callback) {
                     monitoring.promMetrics(
                         'GET', bucketName, err.code, 'getObject');
                     let returnErr = err;
-                    const bucketAuthorized = isBucketAuthorized(bucket,
+                    const bucketAuthorized = isBucketAuthorized(bucket, request.apiMethods || 'bucketGet',
-                      'bucketGet', constants.publicId, null, log, request);
+                        constants.publicId, null, request.iamAuthzResults, log, request);
                     // if index object does not exist and bucket is private AWS
                     // returns 403 - AccessDenied error.
                     if (err.is.NoSuchKey && !bucketAuthorized) {
@@ -171,16 +172,16 @@ function websiteGet(request, log, callback) {
                     }
                     return _errorActions(returnErr,
                       websiteConfig.getErrorDocument(), routingRules,
-                      bucket, reqObjectKey, corsHeaders, log,
+                      bucket, reqObjectKey, corsHeaders, request, log,
                       callback);
                 }
-                if (!isObjAuthorized(bucket, objMD, 'objectGet',
+                if (!isObjAuthorized(bucket, objMD, request.apiMethods || 'objectGet',
-                    constants.publicId, null, log, request)) {
+                    constants.publicId, null, request.iamAuthzResults, log, request)) {
                     const err = errors.AccessDenied;
                     log.trace('request not authorized', { error: err });
                     return _errorActions(err, websiteConfig.getErrorDocument(),
                         routingRules, bucket,
-                        reqObjectKey, corsHeaders, log, callback);
+                        reqObjectKey, corsHeaders, request, log, callback);
                 }
 
                 const headerValResult = validateHeaders(request.headers,
@@ -190,7 +191,7 @@ function websiteGet(request, log, callback) {
                     log.trace('header validation error', { error: err });
                     return _errorActions(err, websiteConfig.getErrorDocument(),
                         routingRules, bucket, reqObjectKey,
-                        corsHeaders, log, callback);
+                        corsHeaders, request, log, callback);
                 }
                 // check if object to serve has website redirect header
                 // Note: AWS prioritizes website configuration rules over

tests/multipleBackend/objectPutCopyPart.js

@@ -3,21 +3,19 @@ const async = require('async');
 const { parseString } = require('xml2js');
 const AWS = require('aws-sdk');
 
-const { cleanup, DummyRequestLogger, makeAuthInfo }
+const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
-    = require('../unit/helpers');
+const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
 const { ds } = require('arsenal').storage.data.inMemory.datastore;
 const { bucketPut } = require('../../lib/api/bucketPut');
-const initiateMultipartUpload
+const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
-    = require('../../lib/api/initiateMultipartUpload');
 const objectPut = require('../../lib/api/objectPut');
 const objectPutCopyPart = require('../../lib/api/objectPutCopyPart');
 const DummyRequest = require('../unit/DummyRequest');
-const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
 const constants = require('../../constants');
 
 const s3 = new AWS.S3();
 
-const splitter = constants.splitter;
+const { splitter } = constants;
 const log = new DummyRequestLogger();
 const canonicalID = 'accessKey1';
 const authInfo = makeAuthInfo(canonicalID);
@@ -56,14 +54,14 @@ function getAwsParamsBucketMismatch(destObjName, uploadId) {
 }
 
 function copyPutPart(bucketLoc, mpuLoc, srcObjLoc, requestHost, cb,
-errorPutCopyPart) {
+    errorPutCopyPart) {
     const keys = getSourceAndDestKeys();
     const { sourceObjName, destObjName } = keys;
-    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' +
+    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
-        '<CreateBucketConfiguration ' +
+        + '<CreateBucketConfiguration '
-        'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+        + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-        `<LocationConstraint>${bucketLoc}</LocationConstraint>` +
+        + `<LocationConstraint>${bucketLoc}</LocationConstraint>`
-        '</CreateBucketConfiguration>' : '';
+        + '</CreateBucketConfiguration>' : '';
     const bucketPutReq = new DummyRequest({
         bucketName,
         namespace,
@@ -80,10 +78,13 @@ errorPutCopyPart) {
         objectKey: destObjName,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: `/${destObjName}?uploads`,
+        iamAuthzResults: false,
     };
     if (mpuLoc) {
-        initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
+        initiateReq.headers = {
-            'x-amz-meta-scal-location-constraint': `${mpuLoc}` };
+            'host': `${bucketName}.s3.amazonaws.com`,
+            'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
+        };
     }
     if (requestHost) {
         initiateReq.parsedHost = requestHost;
@@ -94,10 +95,13 @@ errorPutCopyPart) {
         objectKey: sourceObjName,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/',
+        iamAuthzResults: false,
     };
     if (srcObjLoc) {
-        sourceObjPutParams.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
+        sourceObjPutParams.headers = {
-            'x-amz-meta-scal-location-constraint': `${srcObjLoc}` };
+            'host': `${bucketName}.s3.amazonaws.com`,
+            'x-amz-meta-scal-location-constraint': `${srcObjLoc}`,
+        };
     }
     const sourceObjPutReq = new DummyRequest(sourceObjPutParams, body);
     if (requestHost) {
@@ -112,8 +116,7 @@ errorPutCopyPart) {
             });
         },
         next => {
-            objectPut(authInfo, sourceObjPutReq, undefined, log, err =>
+            objectPut(authInfo, sourceObjPutReq, undefined, log, err => next(err));
-                next(err));
         },
         next => {
             initiateMultipartUpload(authInfo, initiateReq, log, next);
@@ -130,8 +133,8 @@ errorPutCopyPart) {
         // Need to build request in here since do not have
         // uploadId until here
         assert.ifError(err, 'Error putting source object or initiate MPU');
-        const testUploadId = json.InitiateMultipartUploadResult.
+        const testUploadId = json.InitiateMultipartUploadResult
-            UploadId[0];
+            .UploadId[0];
         const copyPartParams = {
             bucketName,
             namespace,
@@ -172,7 +175,7 @@ function assertPartList(partList, uploadId) {
 }
 
 describeSkipIfE2E('ObjectCopyPutPart API with multiple backends',
-function testSuite() {
+    function testSuite() {
         this.timeout(60000);
 
         beforeEach(() => {
@@ -205,8 +208,8 @@ function testSuite() {
                     s3.listParts(awsReq, (err, partList) => {
                         assertPartList(partList, uploadId);
                         s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                            assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                             done();
                         });
                     });
@@ -247,16 +250,16 @@ function testSuite() {
                 s3.listParts(awsReq, (err, partList) => {
                     assertPartList(partList, uploadId);
                     s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                        assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                         done();
                     });
                 });
             });
         });
 
-    it('should copy part an object on AWS location that has bucketMatch ' +
+        it('should copy part an object on AWS location that has bucketMatch '
-    'equals false to a mpu with a different AWS location', done => {
+    + 'equals false to a mpu with a different AWS location', done => {
             copyPutPart(null, awsLocation, awsLocationMismatch, 'localhost',
                 (keys, uploadId) => {
                     assert.deepStrictEqual(ds, []);
@@ -264,16 +267,16 @@ function testSuite() {
                     s3.listParts(awsReq, (err, partList) => {
                         assertPartList(partList, uploadId);
                         s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                            assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                             done();
                         });
                     });
                 });
         });
 
-    it('should copy part an object on AWS to a mpu with a different ' +
+        it('should copy part an object on AWS to a mpu with a different '
-    'AWS location that has bucketMatch equals false', done => {
+    + 'AWS location that has bucketMatch equals false', done => {
             copyPutPart(null, awsLocationMismatch, awsLocation, 'localhost',
                 (keys, uploadId) => {
                     assert.deepStrictEqual(ds, []);
@@ -282,16 +285,16 @@ function testSuite() {
                     s3.listParts(awsReq, (err, partList) => {
                         assertPartList(partList, uploadId);
                         s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                            assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                             done();
                         });
                     });
                 });
         });
 
-    it('should return error 403 AccessDenied copying part to a ' +
+        it('should return error 403 AccessDenied copying part to a '
-    'different AWS location without object READ access',
+    + 'different AWS location without object READ access',
         done => {
             const errorPutCopyPart = { code: 'AccessDenied', statusCode: 403 };
             copyPutPart(null, awsLocation, awsLocation2, 'localhost', done,
@@ -305,4 +308,4 @@ function testSuite() {
                 done();
             });
         });
-});
+    });

tests/multipleBackend/objectPutPart.js

@@ -3,20 +3,17 @@ const async = require('async');
 const crypto = require('crypto');
 const { parseString } = require('xml2js');
 const AWS = require('aws-sdk');
+const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
 const { config } = require('../../lib/Config');
-const { cleanup, DummyRequestLogger, makeAuthInfo }
+const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
-    = require('../unit/helpers');
 const { ds } = require('arsenal').storage.data.inMemory.datastore;
 const { bucketPut } = require('../../lib/api/bucketPut');
-const initiateMultipartUpload
+const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
-    = require('../../lib/api/initiateMultipartUpload');
 const objectPutPart = require('../../lib/api/objectPutPart');
 const DummyRequest = require('../unit/DummyRequest');
-const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
 const mdWrapper = require('../../lib/metadata/wrapper');
 const constants = require('../../constants');
-const { getRealAwsConfig } =
+const { getRealAwsConfig } = require('../functional/aws-node-sdk/test/support/awsConfig');
-    require('../functional/aws-node-sdk/test/support/awsConfig');
 
 const memLocation = 'scality-internal-mem';
 const fileLocation = 'scality-internal-file';
@@ -25,7 +22,7 @@ const awsLocationMismatch = 'awsbackendmismatch';
 const awsConfig = getRealAwsConfig(awsLocation);
 const s3 = new AWS.S3(awsConfig);
 
-const splitter = constants.splitter;
+const { splitter } = constants;
 const log = new DummyRequestLogger();
 const canonicalID = 'accessKey1';
 const authInfo = makeAuthInfo(canonicalID);
@@ -47,13 +44,13 @@ function _getOverviewKey(objectKey, uploadId) {
 }
 
 function putPart(bucketLoc, mpuLoc, requestHost, cb,
-errorDescription) {
+    errorDescription) {
     const objectName = `objectName-${Date.now()}`;
-    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' +
+    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
-        '<CreateBucketConfiguration ' +
+        + '<CreateBucketConfiguration '
-        'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+        + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-        `<LocationConstraint>${bucketLoc}</LocationConstraint>` +
+        + `<LocationConstraint>${bucketLoc}</LocationConstraint>`
-        '</CreateBucketConfiguration>' : '';
+        + '</CreateBucketConfiguration>' : '';
     const bucketPutReq = {
         bucketName,
         namespace,
@@ -70,10 +67,13 @@ errorDescription) {
         objectKey: objectName,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: `/${objectName}?uploads`,
+        iamAuthzResults: false,
     };
     if (mpuLoc) {
-        initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
+        initiateReq.headers = {
-            'x-amz-meta-scal-location-constraint': `${mpuLoc}` };
+            'host': `${bucketName}.s3.amazonaws.com`,
+            'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
+        };
     }
     if (requestHost) {
         initiateReq.parsedHost = requestHost;
@@ -123,9 +123,9 @@ errorDescription) {
         const partReq = new DummyRequest(partReqParams, body1);
         return objectPutPart(authInfo, partReq, undefined, log, err => {
             assert.strictEqual(err, null);
-            if (bucketLoc !== awsLocation && mpuLoc !== awsLocation &&
+            if (bucketLoc !== awsLocation && mpuLoc !== awsLocation
-            bucketLoc !== awsLocationMismatch &&
+            && bucketLoc !== awsLocationMismatch
-            mpuLoc !== awsLocationMismatch) {
+            && mpuLoc !== awsLocationMismatch) {
                 const keysInMPUkeyMap = [];
                 metadata.keyMaps.get(mpuBucket).forEach((val, key) => {
                     keysInMPUkeyMap.push(key);
@@ -148,8 +148,8 @@ errorDescription) {
 }
 
 function listAndAbort(uploadId, calculatedHash2, objectName, done) {
-    const awsBucket = config.locationConstraints[awsLocation].
+    const awsBucket = config.locationConstraints[awsLocation]
-        details.bucketName;
+        .details.bucketName;
     const params = {
         Bucket: awsBucket,
         Key: objectName,
@@ -162,15 +162,15 @@ function listAndAbort(uploadId, calculatedHash2, objectName, done) {
             assert.strictEqual(`"${calculatedHash2}"`, data.Parts[0].ETag);
         }
         s3.abortMultipartUpload(params, err => {
-            assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+            assert.equal(err, null, `Error aborting MPU: ${err}. `
-            `You must abort MPU with upload ID ${uploadId} manually.`);
+            + `You must abort MPU with upload ID ${uploadId} manually.`);
             done();
         });
     });
 }
 
 describeSkipIfE2E('objectPutPart API with multiple backends',
-function testSuite() {
+    function testSuite() {
         this.timeout(5000);
 
         beforeEach(() => {
@@ -211,8 +211,10 @@ function testSuite() {
                             bucketName,
                             namespace,
                             objectKey: objectName,
-                headers: { 'host': `${bucketName}.s3.amazonaws.com`,
+                            headers: {
-                    'x-amz-meta-scal-location-constraint': awsLocation },
+                                'host': `${bucketName}.s3.amazonaws.com`,
+                                'x-amz-meta-scal-location-constraint': awsLocation,
+                            },
                             url: `/${objectName}?partNumber=1&uploadId=${uploadId}`,
                             query: {
                                 partNumber: '1', uploadId,
@@ -226,8 +228,8 @@ function testSuite() {
                     });
             });
 
-    it('should upload part based on mpu location even if part ' +
+        it('should upload part based on mpu location even if part '
-        'location constraint is specified ', done => {
+        + 'location constraint is specified ', done => {
             putPart(fileLocation, memLocation, 'localhost', () => {
                 assert.deepStrictEqual(ds[1].value, body1);
                 done();
@@ -256,8 +258,8 @@ function testSuite() {
                 });
         });
 
-    it('should put a part to AWS based on bucket location with bucketMatch ' +
+        it('should put a part to AWS based on bucket location with bucketMatch '
-    'set to true', done => {
+    + 'set to true', done => {
             putPart(null, awsLocation, 'localhost',
                 (objectName, uploadId) => {
                     assert.deepStrictEqual(ds, []);
@@ -265,8 +267,8 @@ function testSuite() {
                 });
         });
 
-    it('should put a part to AWS based on bucket location with bucketMatch ' +
+        it('should put a part to AWS based on bucket location with bucketMatch '
-    'set to false', done => {
+    + 'set to false', done => {
             putPart(null, awsLocationMismatch, 'localhost',
                 (objectName, uploadId) => {
                     assert.deepStrictEqual(ds, []);
@@ -325,4 +327,4 @@ function testSuite() {
                             });
                     });
             });
-});
+    });

tests/unit/api/bucketGet.js

@@ -63,6 +63,7 @@ const baseGetRequest = {
     bucketName,
     namespace,
     headers: { host: '/' },
+    iamAuthzResults: false,
 };
 const baseUrl = `/${bucketName}`;
 

tests/unit/api/bucketGetACL.js

@@ -25,6 +25,7 @@ describe('bucketGetACL API', () => {
         namespace,
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/',
+        iamAuthzResults: false,
     };
     const testGetACLRequest = {
         bucketName,
@@ -32,6 +33,7 @@ describe('bucketGetACL API', () => {
         headers: { host: `${bucketName}.s3.amazonaws.com` },
         url: '/?acl',
         query: { acl: '' },
+        iamAuthzResults: false,
     };
 
     it('should get a canned private ACL', done => {
@@ -44,6 +46,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         async.waterfall([
@@ -76,6 +79,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         async.waterfall([
@@ -119,6 +123,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         async.waterfall([
@@ -156,6 +161,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         async.waterfall([
@@ -194,6 +200,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         async.waterfall([
@@ -248,6 +255,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         const canonicalIDforSample1 =
             '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
@@ -338,6 +346,7 @@ describe('bucketGetACL API', () => {
                 },
                 url: '/?acl',
                 query: { acl: '' },
+                iamAuthzResults: false,
             };
 
             async.waterfall([
@@ -377,6 +386,7 @@ describe('bucketGetACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         async.waterfall([

tests/unit/api/bucketGetCors.js

@@ -16,6 +16,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 function _makeCorsRequest(xml) {
@@ -26,6 +27,7 @@ function _makeCorsRequest(xml) {
         },
         url: '/?cors',
         query: { cors: '' },
+        iamAuthzResults: false,
     };
 
     if (xml) {

tests/unit/api/bucketGetLifecycle.js

@@ -17,6 +17,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 describe('getBucketLifecycle API', () => {

tests/unit/api/bucketGetLocation.js

@@ -16,6 +16,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const testGetLocationRequest = {
@@ -25,6 +26,7 @@ const testGetLocationRequest = {
     },
     url: '/?location',
     query: { location: '' },
+    iamAuthzResults: false,
 };
 
 const locationConstraints = config.locationConstraints;

tests/unit/api/bucketGetNotification.js

@@ -15,6 +15,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 function getNotificationRequest(bucketName, xml) {
@@ -23,6 +24,7 @@ function getNotificationRequest(bucketName, xml) {
         headers: {
             host: `${bucketName}.s3.amazonaws.com`,
         },
+        iamAuthzResults: false,
     };
     if (xml) {
         request.post = xml;

tests/unit/api/bucketGetObjectLock.js

@@ -14,6 +14,7 @@ const bucketPutReq = {
         host: `${bucketName}.s3.amazonaws.com`,
     },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const testBucketPutReqWithObjLock = {
@@ -23,6 +24,7 @@ const testBucketPutReqWithObjLock = {
         'x-amz-bucket-object-lock-enabled': 'True',
     },
     url: '/',
+    iamAuthzResults: false,
 };
 
 function getObjectLockConfigRequest(bucketName, xml) {
@@ -33,6 +35,7 @@ function getObjectLockConfigRequest(bucketName, xml) {
             'x-amz-bucket-object-lock-enabled': 'true',
         },
         url: '/?object-lock',
+        iamAuthzResults: false,
     };
     if (xml) {
         request.post = xml;

tests/unit/api/bucketGetPolicy.js

@@ -16,6 +16,7 @@ const testBasicRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const expectedBucketPolicy = {
@@ -34,6 +35,7 @@ const testPutPolicyRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: JSON.stringify(expectedBucketPolicy),
+    iamAuthzResults: false,
 };
 
 describe('getBucketPolicy API', () => {

tests/unit/api/bucketGetWebsite.js

@@ -15,6 +15,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 function _makeWebsiteRequest(xml) {
@@ -25,6 +26,7 @@ function _makeWebsiteRequest(xml) {
         },
         url: '/?website',
         query: { website: '' },
+        iamAuthzResults: false,
     };
 
     if (xml) {

tests/unit/api/bucketPutACL.js

@@ -18,11 +18,10 @@ const testBucketPutRequest = {
     namespace,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
-const canonicalIDforSample1 =
+const canonicalIDforSample1 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
-    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
+const canonicalIDforSample2 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
-const canonicalIDforSample2 =
-    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
 
 const invalidIds = {
     'too short': 'id="invalid_id"',
@@ -42,11 +41,10 @@ describe('putBucketACL API', () => {
     afterEach(() => cleanup());
 
     it('should parse a grantheader', () => {
-        const grantRead =
+        const grantRead = `uri=${constants.logId}, `
-            `uri=${constants.logId}, ` +
+            + 'emailAddress="test@testing.com", '
-            'emailAddress="test@testing.com", ' +
+            + 'emailAddress="test2@testly.com", '
-            'emailAddress="test2@testly.com", ' +
+            + 'id="sdfsdfsfwwiieohefs"';
-            'id="sdfsdfsfwwiieohefs"';
         const grantReadHeader = aclUtils.parseGrant(grantRead, 'read');
         const firstIdentifier = grantReadHeader[0].identifier;
         assert.strictEqual(firstIdentifier, constants.logId);
@@ -58,7 +56,7 @@ describe('putBucketACL API', () => {
         assert.strictEqual(fourthIdentifier, 'sdfsdfsfwwiieohefs');
         const fourthType = grantReadHeader[3].userIDType;
         assert.strictEqual(fourthType, 'id');
-        const grantType = grantReadHeader[3].grantType;
+        const { grantType } = grantReadHeader[3];
         assert.strictEqual(grantType, 'read');
     });
 
@@ -72,6 +70,7 @@ describe('putBucketACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -90,6 +89,7 @@ describe('putBucketACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         bucketPutACL(authInfo, testACLRequest, log, err => {
             assert.strictEqual(err, undefined);
@@ -111,6 +111,7 @@ describe('putBucketACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         const testACLRequest2 = {
             bucketName,
@@ -121,6 +122,7 @@ describe('putBucketACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         bucketPutACL(authInfo, testACLRequest, log, err => {
             assert.strictEqual(err, undefined);
@@ -138,8 +140,8 @@ describe('putBucketACL API', () => {
         });
     });
 
-    it('should set a canned private ACL ' +
+    it('should set a canned private ACL '
-        'followed by a log-delivery-write ACL', done => {
+        + 'followed by a log-delivery-write ACL', done => {
         const testACLRequest = {
             bucketName,
             namespace,
@@ -149,6 +151,7 @@ describe('putBucketACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         const testACLRequest2 = {
             bucketName,
@@ -159,6 +162,7 @@ describe('putBucketACL API', () => {
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -184,19 +188,20 @@ describe('putBucketACL API', () => {
             headers: {
                 'host': `${bucketName}.s3.amazonaws.com`,
                 'x-amz-grant-full-control':
-                    'emailaddress="sampleaccount1@sampling.com"' +
+                    'emailaddress="sampleaccount1@sampling.com"'
-                    ',emailaddress="sampleaccount2@sampling.com"',
+                    + ',emailaddress="sampleaccount2@sampling.com"',
                 'x-amz-grant-read': `uri=${constants.logId}`,
                 'x-amz-grant-write': `uri=${constants.publicId}`,
                 'x-amz-grant-read-acp':
-                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                    'f8f8d5218e7cd47ef2be',
+                    + 'f8f8d5218e7cd47ef2be',
                 'x-amz-grant-write-acp':
-                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                    'f8f8d5218e7cd47ef2bf',
+                    + 'f8f8d5218e7cd47ef2bf',
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         bucketPutACL(authInfo, testACLRequest, log, err => {
             assert.strictEqual(err, undefined);
@@ -223,21 +228,22 @@ describe('putBucketACL API', () => {
                 headers: {
                     'host': `${bucketName}.s3.amazonaws.com`,
                     'x-amz-grant-full-control':
-                        'emailaddress="sampleaccount1@sampling.com"' +
+                        'emailaddress="sampleaccount1@sampling.com"'
-                        ',emailaddress="sampleaccount2@sampling.com"',
+                        + ',emailaddress="sampleaccount2@sampling.com"',
                     'x-amz-grant-read':
                         'emailaddress="sampleaccount1@sampling.com"',
                     'x-amz-grant-write':
                         'emailaddress="sampleaccount1@sampling.com"',
                     'x-amz-grant-read-acp':
-                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                        'f8f8d5218e7cd47ef2be',
+                        + 'f8f8d5218e7cd47ef2be',
                     'x-amz-grant-write-acp':
-                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                        'f8f8d5218e7cd47ef2bf',
+                        + 'f8f8d5218e7cd47ef2bf',
                 },
                 url: '/?acl',
                 query: { acl: '' },
+                iamAuthzResults: false,
             };
             bucketPutACL(authInfo, testACLRequest, log, err => {
                 assert.strictEqual(err, undefined);
@@ -260,8 +266,8 @@ describe('putBucketACL API', () => {
         });
 
     Object.keys(invalidIds).forEach(idType => {
-        it('should return an error if grantee canonical ID provided in ACL ' +
+        it('should return an error if grantee canonical ID provided in ACL '
-        `request invalid because ${idType}`, done => {
+        + `request invalid because ${idType}`, done => {
             const testACLRequest = {
                 bucketName,
                 namespace,
@@ -271,6 +277,7 @@ describe('putBucketACL API', () => {
                 },
                 url: '/?acl',
                 query: { acl: '' },
+                iamAuthzResults: false,
             };
             return bucketPutACL(authInfo, testACLRequest, log, err => {
                 assert.deepStrictEqual(err, errors.InvalidArgument);
@@ -279,19 +286,20 @@ describe('putBucketACL API', () => {
         });
     });
 
-    it('should return an error if invalid email ' +
+    it('should return an error if invalid email '
-        'provided in ACL header request', done => {
+        + 'provided in ACL header request', done => {
         const testACLRequest = {
             bucketName,
             namespace,
             headers: {
                 'host': `${bucketName}.s3.amazonaws.com`,
                 'x-amz-grant-full-control':
-                    'emailaddress="sampleaccount1@sampling.com"' +
+                    'emailaddress="sampleaccount1@sampling.com"'
-                    ',emailaddress="nonexistentEmail@sampling.com"',
+                    + ',emailaddress="nonexistentEmail@sampling.com"',
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -305,52 +313,53 @@ describe('putBucketACL API', () => {
             bucketName,
             namespace,
             headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbaced' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                        '<DisplayName>OwnerDisplayName</DisplayName>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>FULL_CONTROL</Permission>' +
+                      + '<Permission>FULL_CONTROL</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="Group">' +
+                      + '<Grantee xsi:type="Group">'
-                        `<URI>${constants.publicId}</URI>` +
+                        + `<URI>${constants.publicId}</URI>`
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>READ</Permission>' +
+                      + '<Permission>READ</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="Group">' +
+                      + '<Grantee xsi:type="Group">'
-                        `<URI>${constants.logId}</URI>` +
+                        + `<URI>${constants.logId}</URI>`
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE</Permission>' +
+                      + '<Permission>WRITE</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>sampleaccount1@sampling.com' +
+                        + '<EmailAddress>sampleaccount1@sampling.com'
-                        '</EmailAddress>' +
+                        + '</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbacedfd' +
+                        + '<ID>79a59df900b949e55d96a1e698fbacedfd'
-                        '6e09d98eacf8f8d5218e7cd47ef2bf</ID>' +
+                        + '6e09d98eacf8f8d5218e7cd47ef2bf</ID>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>READ_ACP</Permission>' +
+                      + '<Permission>READ_ACP</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -375,17 +384,18 @@ describe('putBucketACL API', () => {
             bucketName,
             namespace,
             headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList></AccessControlList>' +
+                  + '<AccessControlList></AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -408,16 +418,17 @@ describe('putBucketACL API', () => {
                 bucketName,
                 namespace,
                 headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+                post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
                 url: '/?acl',
                 query: { acl: '' },
+                iamAuthzResults: false,
             };
 
             bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -431,36 +442,37 @@ describe('putBucketACL API', () => {
             bucketName,
             namespace,
             headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbaced' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                        '<DisplayName>OwnerDisplayName</DisplayName>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>FULL_CONTROL</Permission>' +
+                      + '<Permission>FULL_CONTROL</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbaced' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                        '<DisplayName>OwnerDisplayName</DisplayName>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>READ</Permission>' +
+                      + '<Permission>READ</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -469,30 +481,31 @@ describe('putBucketACL API', () => {
         });
     });
 
-    it('should return an error if invalid grantee user ID ' +
+    it('should return an error if invalid grantee user ID '
-    'provided in ACL request body', done => {
+    + 'provided in ACL request body', done => {
         const testACLRequest = {
             bucketName,
             namespace,
             headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                  '<Grant>' +
+                  + '<Grant>'
-                    '<Grantee xsi:type="CanonicalUser">' +
+                    + '<Grantee xsi:type="CanonicalUser">'
-                      '<ID>invalid_id</ID>' +
+                      + '<ID>invalid_id</ID>'
-                    '</Grantee>' +
+                    + '</Grantee>'
-                    '<Permission>READ_ACP</Permission>' +
+                    + '<Permission>READ_ACP</Permission>'
-                  '</Grant>' +
+                  + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         return bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -501,30 +514,31 @@ describe('putBucketACL API', () => {
         });
     });
 
-    it('should return an error if invalid email ' +
+    it('should return an error if invalid email '
-    'address provided in ACLs set out in request body', done => {
+    + 'address provided in ACLs set out in request body', done => {
         const testACLRequest = {
             bucketName,
             namespace,
             headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         bucketPutACL(authInfo, testACLRequest, log, err => {
             assert.deepStrictEqual(err, errors.UnresolvableGrantByEmailAddress);
@@ -542,24 +556,25 @@ describe('putBucketACL API', () => {
             * "Grant" which is part of the s3 xml scheme for ACLs
             * so an error should be returned
             */
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<PowerGrant>' +
+                    + '<PowerGrant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</PowerGrant>' +
+                    + '</PowerGrant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -579,32 +594,33 @@ describe('putBucketACL API', () => {
             * "Grant" which is part of the s3 xml scheme for ACLs
             * so an error should be returned
             */
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbaced' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                        '<DisplayName>OwnerDisplayName</DisplayName>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>FULL_CONTROL</Permission>' +
+                      + '<Permission>FULL_CONTROL</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<PowerGrant>' +
+                    + '<PowerGrant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</PowerGrant>' +
+                    + '</PowerGrant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -622,24 +638,25 @@ describe('putBucketACL API', () => {
             // so an error should be returned
             post: {
                 '<AccessControlPolicy xmlns':
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '<Owner>' +
+                  + '<Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '<Grantee>' +
+                      + '<Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '<Grant>' +
+                    + '<Grant>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                '<AccessControlPolicy>',
+                + '<AccessControlPolicy>',
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -648,32 +665,33 @@ describe('putBucketACL API', () => {
         });
     });
 
-    it('should return an error if invalid group ' +
+    it('should return an error if invalid group '
-    'uri provided in ACLs set out in request body', done => {
+    + 'uri provided in ACLs set out in request body', done => {
         const testACLRequest = {
             bucketName,
             namespace,
             headers: { host: `${bucketName}.s3.amazonaws.com` },
             // URI in grant below is not valid group URI for s3
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                  '<Grant>' +
+                  + '<Grant>'
-                    '<Grantee xsi:type="Group">' +
+                    + '<Grantee xsi:type="Group">'
-                      '<URI>http://acs.amazonaws.com/groups/' +
+                      + '<URI>http://acs.amazonaws.com/groups/'
-                      'global/NOTAVALIDGROUP</URI>' +
+                      + 'global/NOTAVALIDGROUP</URI>'
-                    '</Grantee>' +
+                    + '</Grantee>'
-                    '<Permission>READ</Permission>' +
+                    + '<Permission>READ</Permission>'
-                  '</Grant>' +
+                  + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {
@@ -682,19 +700,20 @@ describe('putBucketACL API', () => {
         });
     });
 
-    it('should return an error if invalid group uri' +
+    it('should return an error if invalid group uri'
-        'provided in ACL header request', done => {
+        + 'provided in ACL header request', done => {
         const testACLRequest = {
             bucketName,
             namespace,
             headers: {
                 'host': `${bucketName}.s3.amazonaws.com`,
                 'x-amz-grant-full-control':
-                    'uri="http://acs.amazonaws.com/groups/' +
+                    'uri="http://acs.amazonaws.com/groups/'
-                    'global/NOTAVALIDGROUP"',
+                    + 'global/NOTAVALIDGROUP"',
             },
             url: '/?acl',
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPutACL(authInfo, testACLRequest, log, err => {

tests/unit/api/bucketPutCors.js

@@ -3,13 +3,13 @@ const { errors } = require('arsenal');
 
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const bucketPutCors = require('../../../lib/api/bucketPutCors');
-const { _validator, parseCorsXml }
+const { _validator, parseCorsXml } = require('../../../lib/api/apiUtils/bucket/bucketCors');
-    = require('../../../lib/api/apiUtils/bucket/bucketCors');
+const {
-const { cleanup,
+    cleanup,
     DummyRequestLogger,
     makeAuthInfo,
-    CorsConfigTester }
+    CorsConfigTester,
-    = require('../helpers');
+} = require('../helpers');
 const metadata = require('../../../lib/metadata/wrapper');
 
 const log = new DummyRequestLogger();
@@ -19,6 +19,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 function _testPutBucketCors(authInfo, request, log, errCode, cb) {
@@ -30,13 +31,13 @@ function _testPutBucketCors(authInfo, request, log, errCode, cb) {
 }
 
 function _generateSampleXml(value) {
-    const xml = '<CORSConfiguration>' +
+    const xml = '<CORSConfiguration>'
-    '<CORSRule>' +
+    + '<CORSRule>'
-    '<AllowedMethod>PUT</AllowedMethod>' +
+    + '<AllowedMethod>PUT</AllowedMethod>'
-    '<AllowedOrigin>www.example.com</AllowedOrigin>' +
+    + '<AllowedOrigin>www.example.com</AllowedOrigin>'
-    `${value}` +
+    + `${value}`
-    '</CORSRule>' +
+    + '</CORSRule>'
-    '</CORSConfiguration>';
+    + '</CORSConfiguration>';
 
     return xml;
 }
@@ -125,8 +126,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
 
         it('should return MalformedXML if more than one ID per rule', done => {
             const testValue = 'testid';
-            const xml = _generateSampleXml(`<ID>${testValue}</ID>` +
+            const xml = _generateSampleXml(`<ID>${testValue}</ID>`
-            `<ID>${testValue}</ID>`);
+            + `<ID>${testValue}</ID>`);
             parseCorsXml(xml, log, err => {
                 assert(err, 'Expected error but found none');
                 assert.deepStrictEqual(err, errors.MalformedXML);
@@ -157,8 +158,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
     describe('validateMaxAgeSeconds ', () => {
         it('should validate successfully for valid value', done => {
             const testValue = 60;
-            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` +
+            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
-                '</MaxAgeSeconds>');
+                + '</MaxAgeSeconds>');
             parseCorsXml(xml, log, (err, result) => {
                 assert.strictEqual(err, null, `Found unexpected err ${err}`);
                 assert.strictEqual(typeof result[0].maxAgeSeconds, 'number');
@@ -167,12 +168,13 @@ describe('PUT bucket cors :: helper validation functions ', () => {
             });
         });
 
-        it('should return MalformedXML if more than one MaxAgeSeconds ' +
+        it('should return MalformedXML if more than one MaxAgeSeconds '
-        'per rule', done => {
+        + 'per rule', done => {
             const testValue = '60';
             const xml = _generateSampleXml(
-                `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>` +
+                `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`
-                `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`);
+                + `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`,
+            );
             parseCorsXml(xml, log, err => {
                 assert(err, 'Expected error but found none');
                 assert.deepStrictEqual(err, errors.MalformedXML);
@@ -182,8 +184,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
 
         it('should validate & return undefined if empty value', done => {
             const testValue = '';
-            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` +
+            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
-                '</MaxAgeSeconds>');
+                + '</MaxAgeSeconds>');
             parseCorsXml(xml, log, (err, result) => {
                 assert.strictEqual(err, null, `Found unexpected err ${err}`);
                 assert.strictEqual(result[0].MaxAgeSeconds, undefined);

tests/unit/api/bucketPutEncryption.js

@@ -14,6 +14,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 describe('bucketPutEncryption API', () => {
@@ -32,7 +33,8 @@ describe('bucketPutEncryption API', () => {
 
         it('should reject a config with no Rule', done => {
             bucketPutEncryption(authInfo, templateRequest(bucketName,
-            { post: `<?xml version="1.0" encoding="UTF-8"?>
+                {
+                    post: `<?xml version="1.0" encoding="UTF-8"?>
                 <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
                 </ServerSideEncryptionConfiguration>`,
                 }), log, err => {
@@ -43,7 +45,8 @@ describe('bucketPutEncryption API', () => {
 
         it('should reject a config with no ApplyServerSideEncryptionByDefault section', done => {
             bucketPutEncryption(authInfo, templateRequest(bucketName,
-            { post: `<?xml version="1.0" encoding="UTF-8"?>
+                {
+                    post: `<?xml version="1.0" encoding="UTF-8"?>
                 <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
                 <Rule></Rule>
                 </ServerSideEncryptionConfiguration>`,
@@ -155,8 +158,8 @@ describe('bucketPutEncryption API', () => {
             });
         });
 
-        it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, ' +
+        it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, '
-            'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
+            + 'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
         done => {
             const post = templateSSEConfig({ algorithm: 'AES256' });
             bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
@@ -177,8 +180,7 @@ describe('bucketPutEncryption API', () => {
                                 });
                                 done();
                             });
-                            }
+                        });
-                        );
                 });
             });
         });

tests/unit/api/bucketPutLifecycle.js

@@ -17,6 +17,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const expectedLifecycleConfig = {

tests/unit/api/bucketPutNotification.js

@@ -15,6 +15,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const expectedNotifConfig = {
@@ -52,6 +53,7 @@ function getNotifRequest(empty) {
             host: `${bucketName}.s3.amazonaws.com`,
         },
         post: notifXml,
+        iamAuthzResults: false,
     };
     return putNotifConfigRequest;
 }

tests/unit/api/bucketPutObjectLock.js

@@ -15,6 +15,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const objectLockXml = '<ObjectLockConfiguration ' +
@@ -30,6 +31,7 @@ const putObjLockRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectLockXml,
+    iamAuthzResults: false,
 };
 
 const expectedObjectLockConfig = {

tests/unit/api/bucketPutPolicy.js

@@ -15,6 +15,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 let expectedBucketPolicy = {};
@@ -25,6 +26,7 @@ function getPolicyRequest(policy) {
             host: `${bucketName}.s3.amazonaws.com`,
         },
         post: JSON.stringify(policy),
+        iamAuthzResults: false,
     };
 }
 
@@ -76,7 +78,7 @@ describe('putBucketPolicy API', () => {
         });
     });
 
-    it('should return error if policy contains conditions', done => {
+    it.skip('should return error if policy contains conditions', done => {
         expectedBucketPolicy.Statement[0].Condition =
             { StringEquals: { 's3:x-amz-acl': ['public-read'] } };
         bucketPutPolicy(authInfo, getPolicyRequest(expectedBucketPolicy), log,

tests/unit/api/bucketPutWebsite.js

@@ -19,6 +19,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 function _getPutWebsiteRequest(xml) {
@@ -29,6 +30,7 @@ function _getPutWebsiteRequest(xml) {
         },
         url: '/?website',
         query: { website: '' },
+        iamAuthzResults: false,
     };
     request.post = xml;
     return request;

tests/unit/api/objectGet.js

@@ -47,6 +47,7 @@ describe('objectGet API', () => {
         namespace,
         headers: {},
         url: `/${bucketName}`,
+        iamAuthzResults: false,
     };
     const userMetadataKey = 'x-amz-meta-test';
     const userMetadataValue = 'some metadata';
@@ -56,6 +57,7 @@ describe('objectGet API', () => {
         objectKey: objectName,
         headers: {},
         url: `/${bucketName}/${objectName}`,
+        iamAuthzResults: false,
     };
 
     it('should get the object metadata', done => {
@@ -84,6 +86,7 @@ describe('objectGet API', () => {
             'x-amz-bucket-object-lock-enabled': 'true',
         },
         url: `/${bucketName}`,
+        iamAuthzResults: false,
     };
 
     const createPutDummyRetention = (date, mode) => new DummyRequest({
@@ -245,6 +248,7 @@ describe('objectGet API', () => {
                 objectKey: objectName,
                 headers: { host: `${bucketName}.s3.amazonaws.com` },
                 url: `/${objectName}?uploads`,
+                iamAuthzResults: false,
             };
             async.waterfall([
                 next => bucketPut(authInfo, testPutBucketRequest, log, next),
@@ -321,6 +325,7 @@ describe('objectGet API', () => {
                         headers: { host: `${bucketName}.s3.amazonaws.com` },
                         query: { uploadId: testUploadId },
                         post: completeBody,
+                        iamAuthzResults: false,
                     };
                     completeMultipartUpload(authInfo, completeRequest,
                                             log, err => {

tests/unit/api/objectGetACL.js

@@ -36,6 +36,7 @@ describe('objectGetACL API', () => {
             'x-amz-acl': 'public-read-write',
         },
         url: '/',
+        iamAuthzResults: false,
     };
     const testGetACLRequest = {
         bucketName,
@@ -44,6 +45,7 @@ describe('objectGetACL API', () => {
         objectKey: objectName,
         url: `/${bucketName}/${objectName}?acl`,
         query: { acl: '' },
+        iamAuthzResults: false,
     };
 
     it('should get a canned private ACL', done => {

tests/unit/api/objectGetLegalHold.js

@@ -18,6 +18,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const putObjectRequest = new DummyRequest({
@@ -37,12 +38,14 @@ const putObjectLegalHoldRequest = status => ({
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectLegalHoldXml(status),
+    iamAuthzResults: false,
 });
 
 const getObjectLegalHoldRequest = {
     bucketName,
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
+    iamAuthzResults: false,
 };
 
 describe('getObjectLegalHold API', () => {

tests/unit/api/objectGetRetention.js

@@ -21,6 +21,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const putObjectRequest = new DummyRequest({
@@ -42,12 +43,14 @@ const putObjRetRequest = {
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectRetentionXml,
+    iamAuthzResults: false,
 };
 
 const getObjRetRequest = {
     bucketName,
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
+    iamAuthzResults: false,
 };
 
 describe('getObjectRetention API', () => {

tests/unit/api/objectGetTagging.js

@@ -21,6 +21,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const testPutObjectRequest = new DummyRequest({

tests/unit/api/objectPut.js

@@ -4,14 +4,16 @@ const moment = require('moment');
 const { errors, s3middleware } = require('arsenal');
 const sinon = require('sinon');
 
+const { ds } = require('arsenal').storage.data.inMemory.datastore;
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const bucketPutObjectLock = require('../../../lib/api/bucketPutObjectLock');
 const bucketPutACL = require('../../../lib/api/bucketPutACL');
 const bucketPutVersioning = require('../../../lib/api/bucketPutVersioning');
+
 const { parseTagFromQuery } = s3middleware.tagging;
-const { cleanup, DummyRequestLogger, makeAuthInfo, versioningTestUtils }
+const {
-    = require('../helpers');
+    cleanup, DummyRequestLogger, makeAuthInfo, versioningTestUtils,
-const { ds } = require('arsenal').storage.data.inMemory.datastore;
+} = require('../helpers');
 const metadata = require('../metadataswitch');
 const objectPut = require('../../../lib/api/objectPut');
 const { objectLockTestUtils } = require('../helpers');
@@ -19,7 +21,7 @@ const DummyRequest = require('../DummyRequest');
 const mpuUtils = require('../utils/mpuUtils');
 const { lastModifiedHeader } = require('../../../constants');
 
-const any = sinon.match.any;
+const { any } = sinon.match;
 
 const log = new DummyRequestLogger();
 const canonicalID = 'accessKey1';
@@ -49,10 +51,8 @@ const originalputObjectMD = metadata.putObjectMD;
 const objectName = 'objectName';
 
 let testPutObjectRequest;
-const enableVersioningRequest =
+const enableVersioningRequest = versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Enabled');
-    versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Enabled');
+const suspendVersioningRequest = versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Suspended');
-const suspendVersioningRequest =
-    versioningTestUtils.createBucketPutVersioningReq(bucketName, 'Suspended');
 
 function testAuth(bucketOwner, authUser, bucketPutReq, log, cb) {
     bucketPut(bucketOwner, bucketPutReq, log, () => {
@@ -74,8 +74,10 @@ describe('parseTagFromQuery', () => {
     const allowedChar = '+- =._:/';
     const tests = [
         { tagging: 'key1=value1', result: { key1: 'value1' } },
-        { tagging: `key1=${encodeURIComponent(allowedChar)}`,
+        {
-            result: { key1: allowedChar } },
+            tagging: `key1=${encodeURIComponent(allowedChar)}`,
+            result: { key1: allowedChar },
+        },
         { tagging: 'key1=value1=value2', error: invalidArgument },
         { tagging: '=value1', error: invalidArgument },
         { tagging: 'key1%=value1', error: invalidArgument },
@@ -143,16 +145,14 @@ describe('objectPut API', () => {
     it('should put object if user has FULL_CONTROL grant on bucket', done => {
         const bucketOwner = makeAuthInfo('accessKey2');
         const authUser = makeAuthInfo('accessKey3');
-        testPutBucketRequest.headers['x-amz-grant-full-control'] =
+        testPutBucketRequest.headers['x-amz-grant-full-control'] = `id=${authUser.getCanonicalID()}`;
-            `id=${authUser.getCanonicalID()}`;
         testAuth(bucketOwner, authUser, testPutBucketRequest, log, done);
     });
 
     it('should put object if user has WRITE grant on bucket', done => {
         const bucketOwner = makeAuthInfo('accessKey2');
         const authUser = makeAuthInfo('accessKey3');
-        testPutBucketRequest.headers['x-amz-grant-write'] =
+        testPutBucketRequest.headers['x-amz-grant-write'] = `id=${authUser.getCanonicalID()}`;
-            `id=${authUser.getCanonicalID()}`;
 
         testAuth(bucketOwner, authUser, testPutBucketRequest, log, done);
     });
@@ -240,8 +240,8 @@ describe('objectPut API', () => {
     ];
     testObjectLockConfigs.forEach(config => {
         const { testMode, type, val } = config;
-        it('should put an object with default retention if object does not ' +
+        it('should put an object with default retention if object does not '
-            'have retention configuration but bucket has', done => {
+            + 'have retention configuration but bucket has', done => {
             const testPutObjectRequest = new DummyRequest({
                 bucketName,
                 namespace,
@@ -255,6 +255,7 @@ describe('objectPut API', () => {
                 bucketName,
                 headers: { host: `${bucketName}.s3.amazonaws.com` },
                 post: objectLockTestUtils.generateXml(testMode, val, type),
+                iamAuthzResults: false,
             };
 
             bucketPut(authInfo, testPutBucketRequestLock, log, () => {
@@ -268,10 +269,8 @@ describe('objectPut API', () => {
                                     const mode = md.retentionMode;
                                     const retainDate = md.retentionDate;
                                     const date = moment();
-                                    const days
+                                    const days = type === 'Days' ? val : val * 365;
-                                        = type === 'Days' ? val : val * 365;
+                                    const expectedDate = date.add(days, 'days');
-                                    const expectedDate
-                                        = date.add(days, 'days');
                                     assert.ifError(err);
                                     assert.strictEqual(mode, testMode);
                                     assert.strictEqual(formatTime(retainDate),
@@ -534,8 +533,8 @@ describe('objectPut API', () => {
         });
     });
 
-    it('should not put object with retention configuration if object lock ' +
+    it('should not put object with retention configuration if object lock '
-        'is not enabled on the bucket', done => {
+        + 'is not enabled on the bucket', done => {
         const testPutObjectRequest = new DummyRequest({
             bucketName,
             namespace,
@@ -552,15 +551,14 @@ describe('objectPut API', () => {
             objectPut(authInfo, testPutObjectRequest, undefined, log, err => {
                 assert.deepStrictEqual(err, errors.InvalidRequest
                     .customizeDescription(
-                        'Bucket is missing ObjectLockConfiguration'));
+                        'Bucket is missing ObjectLockConfiguration',
+                    ));
                 done();
             });
         });
     });
     it('should forward a 400 back to client on metadata 408 response', () => {
-        metadata.putObjectMD =
+        metadata.putObjectMD = (bucketName, objName, objVal, params, log, cb) => cb({ httpCode: 408 });
-            (bucketName, objName, objVal, params, log, cb) =>
-                cb({ httpCode: 408 });
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
             objectPut(authInfo, testPutObjectRequest, undefined, log,
@@ -571,9 +569,7 @@ describe('objectPut API', () => {
     });
 
     it('should forward a 502 to the client for 4xx != 408', () => {
-        metadata.putObjectMD =
+        metadata.putObjectMD = (bucketName, objName, objVal, params, log, cb) => cb({ httpCode: 412 });
-            (bucketName, objName, objVal, params, log, cb) =>
-                cb({ httpCode: 412 });
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
             objectPut(authInfo, testPutObjectRequest, undefined, log,
@@ -589,13 +585,12 @@ describe('objectPut API with versioning', () => {
         cleanup();
     });
 
-    const objData = ['foo0', 'foo1', 'foo2'].map(str =>
+    const objData = ['foo0', 'foo1', 'foo2'].map(str => Buffer.from(str, 'utf8'));
-        Buffer.from(str, 'utf8'));
     const testPutObjectRequests = objData.map(data => versioningTestUtils
         .createPutObjectRequest(bucketName, objectName, data));
 
-    it('should delete latest version when creating new null version ' +
+    it('should delete latest version when creating new null version '
-    'if latest version is null version', done => {
+    + 'if latest version is null version', done => {
         async.series([
             callback => bucketPut(authInfo, testPutBucketRequest, log,
                 callback),
@@ -633,8 +628,7 @@ describe('objectPut API with versioning', () => {
     });
 
     describe('when null version is not the latest version', () => {
-        const objData = ['foo0', 'foo1', 'foo2'].map(str =>
+        const objData = ['foo0', 'foo1', 'foo2'].map(str => Buffer.from(str, 'utf8'));
-            Buffer.from(str, 'utf8'));
         const testPutObjectRequests = objData.map(data => versioningTestUtils
             .createPutObjectRequest(bucketName, objectName, data));
         beforeEach(done => {
@@ -677,8 +671,8 @@ describe('objectPut API with versioning', () => {
             });
     });
 
-    it('should return BadDigest error and not leave orphans in data when ' +
+    it('should return BadDigest error and not leave orphans in data when '
-    'contentMD5 and completedHash do not match', done => {
+    + 'contentMD5 and completedHash do not match', done => {
         const testPutObjectRequest = new DummyRequest({
             bucketName,
             namespace,

tests/unit/api/objectPutACL.js

@@ -3,11 +3,12 @@ const { errors } = require('arsenal');
 
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const constants = require('../../../constants');
-const { cleanup,
+const {
+    cleanup,
     DummyRequestLogger,
     makeAuthInfo,
-    AccessControlPolicy }
+    AccessControlPolicy,
-    = require('../helpers');
+} = require('../helpers');
 const metadata = require('../metadataswitch');
 const objectPut = require('../../../lib/api/objectPut');
 const objectPutACL = require('../../../lib/api/objectPutACL');
@@ -17,8 +18,8 @@ const log = new DummyRequestLogger();
 const canonicalID = 'accessKey1';
 const authInfo = makeAuthInfo(canonicalID);
 const ownerID = authInfo.getCanonicalID();
-const anotherID = '79a59df900b949e55d96a1e698fba' +
+const anotherID = '79a59df900b949e55d96a1e698fba'
-    'cedfd6e09d98eacf8f8d5218e7cd47ef2bf';
+    + 'cedfd6e09d98eacf8f8d5218e7cd47ef2bf';
 const defaultAcpParams = {
     ownerID,
     ownerDisplayName: 'OwnerDisplayName',
@@ -56,6 +57,7 @@ describe('putObjectACL API', () => {
             headers: { 'x-amz-acl': 'invalid-option' },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -79,6 +81,7 @@ describe('putObjectACL API', () => {
             headers: { 'x-amz-acl': 'public-read-write' },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -108,6 +111,7 @@ describe('putObjectACL API', () => {
             headers: { 'x-amz-acl': 'public-read' },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         const testObjACLRequest2 = {
@@ -117,6 +121,7 @@ describe('putObjectACL API', () => {
             headers: { 'x-amz-acl': 'authenticated-read' },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -154,14 +159,15 @@ describe('putObjectACL API', () => {
             objectKey: objectName,
             headers: {
                 'x-amz-grant-full-control':
-                    'emailaddress="sampleaccount1@sampling.com"' +
+                    'emailaddress="sampleaccount1@sampling.com"'
-                    ',emailaddress="sampleaccount2@sampling.com"',
+                    + ',emailaddress="sampleaccount2@sampling.com"',
                 'x-amz-grant-read': `uri=${constants.logId}`,
                 'x-amz-grant-read-acp': `id=${ownerID}`,
                 'x-amz-grant-write-acp': `id=${anotherID}`,
             },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
         bucketPut(authInfo, testPutBucketRequest, log, () => {
             objectPut(authInfo, testPutObjectRequest, undefined, log,
@@ -191,19 +197,20 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should return an error if invalid email ' +
+    it('should return an error if invalid email '
-        'provided in ACL header request', done => {
+        + 'provided in ACL header request', done => {
         const testObjACLRequest = {
             bucketName,
             namespace,
             objectKey: objectName,
             headers: {
                 'x-amz-grant-full-control':
-                    'emailaddress="sampleaccount1@sampling.com"' +
+                    'emailaddress="sampleaccount1@sampling.com"'
-                    ',emailaddress="nonexistentemail@sampling.com"',
+                    + ',emailaddress="nonexistentemail@sampling.com"',
             },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -234,6 +241,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(acp.getXml(), 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -260,8 +268,8 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should return an error if wrong owner ID ' +
+    it('should return an error if wrong owner ID '
-    'provided in ACLs set out in request body', done => {
+    + 'provided in ACLs set out in request body', done => {
         const acp = new AccessControlPolicy({ ownerID: anotherID });
         const testObjACLRequest = {
             bucketName,
@@ -271,6 +279,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(acp.getXml(), 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -285,8 +294,8 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should ignore if WRITE ACL permission is ' +
+    it('should ignore if WRITE ACL permission is '
-        'provided in request body', done => {
+        + 'provided in request body', done => {
         const acp = new AccessControlPolicy(defaultAcpParams);
         acp.addGrantee('CanonicalUser', ownerID, 'FULL_CONTROL',
             'OwnerDisplayName');
@@ -299,6 +308,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(acp.getXml(), 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -325,8 +335,8 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should return an error if invalid email ' +
+    it('should return an error if invalid email '
-    'address provided in ACLs set out in request body', done => {
+    + 'address provided in ACLs set out in request body', done => {
         const acp = new AccessControlPolicy(defaultAcpParams);
         acp.addGrantee('AmazonCustomerByEmail', 'xyz@amazon.com', 'WRITE_ACP');
         const testObjACLRequest = {
@@ -337,6 +347,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(acp.getXml(), 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
 
@@ -352,8 +363,8 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should return an error if xml provided does not match s3 ' +
+    it('should return an error if xml provided does not match s3 '
-    'scheme for setting ACLs', done => {
+    + 'scheme for setting ACLs', done => {
         const acp = new AccessControlPolicy(defaultAcpParams);
         acp.addGrantee('AmazonCustomerByEmail', 'xyz@amazon.com', 'WRITE_ACP');
         const originalXml = acp.getXml();
@@ -366,6 +377,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(modifiedXml, 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -394,6 +406,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(modifiedXml, 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
 
@@ -409,11 +422,11 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should return an error if invalid group ' +
+    it('should return an error if invalid group '
-    'uri provided in ACLs set out in request body', done => {
+    + 'uri provided in ACLs set out in request body', done => {
         const acp = new AccessControlPolicy(defaultAcpParams);
-        acp.addGrantee('Group', 'http://acs.amazonaws.com/groups/' +
+        acp.addGrantee('Group', 'http://acs.amazonaws.com/groups/'
-        'global/NOTAVALIDGROUP', 'WRITE_ACP');
+        + 'global/NOTAVALIDGROUP', 'WRITE_ACP');
         const testObjACLRequest = {
             bucketName,
             namespace,
@@ -422,6 +435,7 @@ describe('putObjectACL API', () => {
             url: `/${bucketName}/${objectName}?acl`,
             post: [Buffer.from(acp.getXml(), 'utf8')],
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {
@@ -436,8 +450,8 @@ describe('putObjectACL API', () => {
         });
     });
 
-    it('should return an error if invalid group uri ' +
+    it('should return an error if invalid group uri '
-        'provided in ACL header request', done => {
+        + 'provided in ACL header request', done => {
         const testObjACLRequest = {
             bucketName,
             namespace,
@@ -445,11 +459,12 @@ describe('putObjectACL API', () => {
             headers: {
                 'host': 's3.amazonaws.com',
                 'x-amz-grant-full-control':
-                    'uri="http://acs.amazonaws.com/groups/' +
+                    'uri="http://acs.amazonaws.com/groups/'
-                    'global/NOTAVALIDGROUP"',
+                    + 'global/NOTAVALIDGROUP"',
             },
             url: `/${bucketName}/${objectName}?acl`,
             query: { acl: '' },
+            iamAuthzResults: false,
         };
 
         bucketPut(authInfo, testPutBucketRequest, log, () => {

tests/unit/api/objectPutLegalHold.js

@@ -19,6 +19,7 @@ const putBucketRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const putObjectRequest = new DummyRequest({
@@ -29,16 +30,17 @@ const putObjectRequest = new DummyRequest({
     url: `/${bucketName}/${objectName}`,
 }, postBody);
 
-const objectLegalHoldXml = status => '<LegalHold ' +
+const objectLegalHoldXml = status => '<LegalHold '
-    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-    `<Status>${status}</Status>` +
+    + `<Status>${status}</Status>`
-    '</LegalHold>';
+    + '</LegalHold>';
 
 const putLegalHoldReq = status => ({
     bucketName,
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectLegalHoldXml(status),
+    iamAuthzResults: false,
 });
 
 describe('putObjectLegalHold API', () => {

tests/unit/api/objectPutRetention.js

@@ -23,6 +23,7 @@ const bucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const putObjectRequest = new DummyRequest({
@@ -33,41 +34,42 @@ const putObjectRequest = new DummyRequest({
     url: `/${bucketName}/${objectName}`,
 }, postBody);
 
-const objectRetentionXmlGovernance = '<Retention ' +
+const objectRetentionXmlGovernance = '<Retention '
-    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-    '<Mode>GOVERNANCE</Mode>' +
+    + '<Mode>GOVERNANCE</Mode>'
-    `<RetainUntilDate>${expectedDate}</RetainUntilDate>` +
+    + `<RetainUntilDate>${expectedDate}</RetainUntilDate>`
-    '</Retention>';
+    + '</Retention>';
 
-const objectRetentionXmlCompliance = '<Retention ' +
+const objectRetentionXmlCompliance = '<Retention '
-    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-    '<Mode>COMPLIANCE</Mode>' +
+    + '<Mode>COMPLIANCE</Mode>'
-    `<RetainUntilDate>${expectedDate}</RetainUntilDate>` +
+    + `<RetainUntilDate>${expectedDate}</RetainUntilDate>`
-    '</Retention>';
+    + '</Retention>';
 
-const objectRetentionXmlGovernanceLonger = '<Retention ' +
+const objectRetentionXmlGovernanceLonger = '<Retention '
-    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-    '<Mode>GOVERNANCE</Mode>' +
+    + '<Mode>GOVERNANCE</Mode>'
-    `<RetainUntilDate>${moment().add(5, 'days').toISOString()}</RetainUntilDate>` +
+    + `<RetainUntilDate>${moment().add(5, 'days').toISOString()}</RetainUntilDate>`
-    '</Retention>';
+    + '</Retention>';
 
-const objectRetentionXmlGovernanceShorter = '<Retention ' +
+const objectRetentionXmlGovernanceShorter = '<Retention '
-    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-    '<Mode>GOVERNANCE</Mode>' +
+    + '<Mode>GOVERNANCE</Mode>'
-    `<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>` +
+    + `<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>`
-    '</Retention>';
+    + '</Retention>';
 
-const objectRetentionXmlComplianceShorter = '<Retention ' +
+const objectRetentionXmlComplianceShorter = '<Retention '
-    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+    + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-    '<Mode>COMPLIANCE</Mode>' +
+    + '<Mode>COMPLIANCE</Mode>'
-    `<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>` +
+    + `<RetainUntilDate>${moment().add(1, 'days').toISOString()}</RetainUntilDate>`
-    '</Retention>';
+    + '</Retention>';
 
 const putObjRetRequestGovernance = {
     bucketName,
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectRetentionXmlGovernance,
+    iamAuthzResults: false,
 };
 
 const putObjRetRequestGovernanceWithHeader = {
@@ -78,6 +80,7 @@ const putObjRetRequestGovernanceWithHeader = {
         'x-amz-bypass-governance-retention': 'true',
     },
     post: objectRetentionXmlGovernance,
+    iamAuthzResults: false,
 };
 
 const putObjRetRequestCompliance = {
@@ -85,6 +88,7 @@ const putObjRetRequestCompliance = {
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectRetentionXmlCompliance,
+    iamAuthzResults: false,
 };
 
 const putObjRetRequestComplianceShorter = {
@@ -92,6 +96,7 @@ const putObjRetRequestComplianceShorter = {
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectRetentionXmlComplianceShorter,
+    iamAuthzResults: false,
 };
 
 const putObjRetRequestGovernanceLonger = {
@@ -99,6 +104,7 @@ const putObjRetRequestGovernanceLonger = {
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectRetentionXmlGovernanceLonger,
+    iamAuthzResults: false,
 };
 
 const putObjRetRequestGovernanceShorter = {
@@ -106,6 +112,7 @@ const putObjRetRequestGovernanceShorter = {
     objectKey: objectName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     post: objectRetentionXmlGovernanceShorter,
+    iamAuthzResults: false,
 };
 
 describe('putObjectRetention API', () => {

tests/unit/api/objectPutTagging.js

@@ -3,16 +3,15 @@ const assert = require('assert');
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const objectPut = require('../../../lib/api/objectPut');
 const objectPutTagging = require('../../../lib/api/objectPutTagging');
-const { _validator, parseTagXml }
+const { _validator, parseTagXml } = require('arsenal').s3middleware.tagging;
-    = require('arsenal').s3middleware.tagging;
+const {
-const { cleanup,
+    cleanup,
     DummyRequestLogger,
     makeAuthInfo,
-    TaggingConfigTester }
+    TaggingConfigTester,
-    = require('../helpers');
+} = require('../helpers');
 const metadata = require('../../../lib/metadata/wrapper');
-const { taggingTests }
+const { taggingTests } = require('../../functional/aws-node-sdk/lib/utility/tagging.js');
-    = require('../../functional/aws-node-sdk/lib/utility/tagging.js');
 const DummyRequest = require('../DummyRequest');
 
 const log = new DummyRequestLogger();
@@ -25,6 +24,7 @@ const testBucketPutRequest = {
     bucketName,
     headers: { host: `${bucketName}.s3.amazonaws.com` },
     url: '/',
+    iamAuthzResults: false,
 };
 
 const testPutObjectRequest = new DummyRequest({
@@ -42,14 +42,14 @@ function _checkError(err, code, errorName) {
 }
 
 function _generateSampleXml(key, value) {
-    const xml = '<Tagging>' +
+    const xml = '<Tagging>'
-      '<TagSet>' +
+      + '<TagSet>'
-         '<Tag>' +
+         + '<Tag>'
-           `<Key>${key}</Key>` +
+           + `<Key>${key}</Key>`
-           `<Value>${value}</Value>` +
+           + `<Value>${value}</Value>`
-         '</Tag>' +
+         + '</Tag>'
-      '</TagSet>' +
+      + '</TagSet>'
-    '</Tagging>';
+    + '</Tagging>';
 
     return xml;
 }
@@ -101,12 +101,18 @@ describe('PUT object tagging :: helper validation functions ', () => {
                     { tagTest: { Key: ['foo'] }, isValid: false },
                     { tagTest: { Value: ['bar'] }, isValid: false },
                     { tagTest: { Keys: ['foo'], Value: ['bar'] }, isValid: false },
-                { tagTest: { Key: ['foo', 'boo'], Value: ['bar'] },
+                    {
-                    isValid: false },
+                        tagTest: { Key: ['foo', 'boo'], Value: ['bar'] },
-                { tagTest: { Key: ['foo'], Value: ['bar', 'boo'] },
+                        isValid: false,
-                    isValid: false },
+                    },
-                { tagTest: { Key: ['foo', 'boo'], Value: ['bar', 'boo'] },
+                    {
-                    isValid: false },
+                        tagTest: { Key: ['foo'], Value: ['bar', 'boo'] },
+                        isValid: false,
+                    },
+                    {
+                        tagTest: { Key: ['foo', 'boo'], Value: ['bar', 'boo'] },
+                        isValid: false,
+                    },
                     { tagTest: { Key: ['foo'], Values: ['bar'] }, isValid: false },
                     { tagTest: { Keys: ['foo'], Values: ['bar'] }, isValid: false },
                 ];
@@ -124,26 +130,66 @@ describe('PUT object tagging :: helper validation functions ', () => {
             });
 
         describe('validateXMLStructure ', () => {
-            it('should return expected true if tag is valid false/undefined ' +
+            it('should return expected true if tag is valid false/undefined '
-            'if not', done => {
+            + 'if not', done => {
                 const tags = [
-                    { tagging: { Tagging: { TagSet: [{ Tag: [] }] } }, isValid:
+                    {
-                    true },
+                        tagging: { Tagging: { TagSet: [{ Tag: [] }] } },
+                        isValid:
+                    true,
+                    },
                     { tagging: { Tagging: { TagSet: [''] } }, isValid: true },
                     { tagging: { Tagging: { TagSet: [] } }, isValid: false },
                     { tagging: { Tagging: { TagSet: [{}] } }, isValid: false },
-                    { tagging: { Tagging: { Tagset: [{ Tag: [] }] } }, isValid:
+                    {
-                    false },
+                        tagging: { Tagging: { Tagset: [{ Tag: [] }] } },
-                    { tagging: { Tagging: { Tagset: [{ Tag: [] }] },
+                        isValid:
-                        ExtraTagging: 'extratagging' }, isValid: false },
+                    false,
-                    { tagging: { Tagging: { Tagset: [{ Tag: [] }], ExtraTagset:
+                    },
-                    'extratagset' } }, isValid: false },
+                    {
-                    { tagging: { Tagging: { Tagset: [{ Tag: [] }], ExtraTagset:
+                        tagging: {
-                    'extratagset' } }, isValid: false },
+                            Tagging: { Tagset: [{ Tag: [] }] },
-                    { tagging: { Tagging: { Tagset: [{ Tag: [], ExtraTag:
+                            ExtraTagging: 'extratagging',
-                    'extratag' }] } }, isValid: false },
+                        },
-                    { tagging: { Tagging: { Tagset: [{ Tag: {} }] } }, isValid:
+                        isValid: false,
-                    false },
+                    },
+                    {
+                        tagging: {
+                            Tagging: {
+                                Tagset: [{ Tag: [] }],
+                                ExtraTagset:
+                    'extratagset',
+                            },
+                        },
+                        isValid: false,
+                    },
+                    {
+                        tagging: {
+                            Tagging: {
+                                Tagset: [{ Tag: [] }],
+                                ExtraTagset:
+                    'extratagset',
+                            },
+                        },
+                        isValid: false,
+                    },
+                    {
+                        tagging: {
+                            Tagging: {
+                                Tagset: [{
+                                    Tag: [],
+                                    ExtraTag:
+                    'extratag',
+                                }],
+                            },
+                        },
+                        isValid: false,
+                    },
+                    {
+                        tagging: { Tagging: { Tagset: [{ Tag: {} }] } },
+                        isValid:
+                    false,
+                    },
                 ];
 
                 for (let i = 0; i < tags.length; i++) {
@@ -172,8 +218,8 @@ describe('PUT object tagging :: helper validation functions ', () => {
 
         taggingTests.forEach(taggingTest => {
             it(taggingTest.it, done => {
-                const key = taggingTest.tag.key;
+                const { key } = taggingTest.tag;
-                const value = taggingTest.tag.value;
+                const { value } = taggingTest.tag;
                 const xml = _generateSampleXml(key, value);
                 parseTagXml(xml, log, (err, result) => {
                     if (taggingTest.error) {

tests/unit/api/serviceGet.js

@@ -24,6 +24,7 @@ describe('serviceGet API', () => {
         parsedHost: 's3.amazonaws.com',
         headers: { host: 's3.amazonaws.com' },
         url: '/',
+        iamAuthzResults: false,
     };
 
     it('should return the list of buckets owned by the user', done => {

tests/unit/auth/permissionChecks.js

@@ -0,0 +1,236 @@
+const assert = require('assert');
+const { checkBucketAcls, checkObjectAcls } = require('../../../lib/api/apiUtils/authorization/permissionChecks');
+const constants = require('../../../constants');
+
+const { bucketOwnerActions } = constants;
+
+describe('checkBucketAcls', () => {
+    const mockBucket = {
+        getOwner: () => 'ownerId',
+        getAcl: () => ({
+            Canned: '',
+            FULL_CONTROL: [],
+            READ: [],
+            READ_ACP: [],
+            WRITE: [],
+            WRITE_ACP: [],
+        }),
+    };
+
+    const testScenarios = [
+        {
+            description: 'should return true if bucket owner matches canonicalID',
+            input: {
+                bucketAcl: {}, requestType: 'anyType', canonicalID: 'ownerId', mainApiCall: 'anyApiCall',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for objectGetTagging when mainApiCall is objectGet',
+            input: {
+                bucketAcl: {}, requestType: 'objectGetTagging', canonicalID: 'anyId', mainApiCall: 'objectGet',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for objectPutTagging when mainApiCall is objectPut',
+            input: {
+                bucketAcl: {}, requestType: 'objectPutTagging', canonicalID: 'anyId', mainApiCall: 'objectPut',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for objectPutLegalHold when mainApiCall is objectPut',
+            input: {
+                bucketAcl: {}, requestType: 'objectPutLegalHold', canonicalID: 'anyId', mainApiCall: 'objectPut',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for objectPutRetention when mainApiCall is objectPut',
+            input: {
+                bucketAcl: {}, requestType: 'objectPutRetention', canonicalID: 'anyId', mainApiCall: 'objectPut',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for bucketGet if canned acl is public-read-write',
+            input: {
+                bucketAcl: { Canned: 'public-read-write' },
+                requestType: 'bucketGet',
+                canonicalID: 'anyId',
+                mainApiCall: 'anyApiCall',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for bucketGet if canned acl is authenticated-read and id is not publicId',
+            input: {
+                bucketAcl: { Canned: 'authenticated-read' },
+                requestType: 'bucketGet',
+                canonicalID: 'anyIdNotPublic',
+                mainApiCall: 'anyApiCall',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for bucketGet if canonicalID has FULL_CONTROL access',
+            input: {
+                bucketAcl: { FULL_CONTROL: ['anyId'], READ: [] },
+                requestType: 'bucketGet',
+                canonicalID: 'anyId',
+                mainApiCall: 'anyApiCall',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for bucketGetACL if canonicalID has FULL_CONTROL',
+            input: {
+                bucketAcl: { FULL_CONTROL: ['anyId'], READ_ACP: [] },
+                requestType: 'bucketGetACL',
+                canonicalID: 'anyId',
+                mainApiCall: 'anyApiCall',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for objectDelete if bucketAcl.Canned is public-read-write',
+            input: {
+                bucketAcl: { Canned: 'public-read-write' },
+                requestType: 'objectDelete',
+                canonicalID: 'anyId',
+                mainApiCall: 'anyApiCall',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return true for requestType ending with "Version"',
+            input: {
+                bucketAcl: {},
+                requestType: 'objectGetVersion',
+                canonicalID: 'anyId',
+                mainApiCall: 'objectGet',
+            },
+            expected: true,
+        },
+        {
+            description: 'should return false for unmatched scenarios',
+            input: {
+                bucketAcl: {},
+                requestType: 'unmatchedRequest',
+                canonicalID: 'anyId',
+                mainApiCall: 'anyApiCall',
+            },
+            expected: false,
+        },
+    ];
+
+    testScenarios.forEach(scenario => {
+        it(scenario.description, () => {
+            // Mock the bucket based on the test scenario's input
+            mockBucket.getAcl = () => scenario.input.bucketAcl;
+
+            const result = checkBucketAcls(mockBucket,
+                scenario.input.requestType, scenario.input.canonicalID, scenario.input.mainApiCall);
+            assert.strictEqual(result, scenario.expected);
+        });
+    });
+});
+
+describe('checkObjectAcls', () => {
+    const mockBucket = {
+        getOwner: () => 'bucketOwnerId',
+        getName: () => 'bucketName',
+        getAcl: () => ({ Canned: '' }),
+    };
+    const mockObjectMD = {
+        'owner-id': 'objectOwnerId',
+        'acl': {
+            Canned: '',
+            FULL_CONTROL: [],
+            READ: [],
+            READ_ACP: [],
+            WRITE: [],
+            WRITE_ACP: [],
+        },
+    };
+
+    it('should return true if request type is in bucketOwnerActions and bucket owner matches canonicalID', () => {
+        assert.strictEqual(checkObjectAcls(mockBucket, mockObjectMD, bucketOwnerActions[0],
+            'bucketOwnerId', false, false, 'anyApiCall'), true);
+    });
+
+    it('should return true if objectMD owner matches canonicalID', () => {
+        assert.strictEqual(checkObjectAcls(mockBucket, mockObjectMD, 'anyType',
+            'objectOwnerId', false, false, 'anyApiCall'), true);
+    });
+
+    it('should return true for objectGetTagging when mainApiCall is objectGet and conditions met', () => {
+        assert.strictEqual(checkObjectAcls(mockBucket, mockObjectMD, 'objectGetTagging',
+            'anyIdNotPublic', true, true, 'objectGet'), true);
+    });
+
+    it('should return false if no acl provided in objectMD', () => {
+        const objMDWithoutAcl = Object.assign({}, mockObjectMD);
+        delete objMDWithoutAcl.acl;
+        assert.strictEqual(checkObjectAcls(mockBucket, objMDWithoutAcl, 'anyType',
+            'anyId', false, false, 'anyApiCall'), false);
+    });
+
+    const tests = [
+        {
+            acl: 'public-read', reqType: 'objectGet', id: 'anyIdNotPublic', expected: true,
+        },
+        {
+            acl: 'public-read-write', reqType: 'objectGet', id: 'anyIdNotPublic', expected: true,
+        },
+        {
+            acl: 'authenticated-read', reqType: 'objectGet', id: 'anyIdNotPublic', expected: true,
+        },
+        {
+            acl: 'bucket-owner-read', reqType: 'objectGet', id: 'bucketOwnerId', expected: true,
+        },
+        {
+            acl: 'bucket-owner-full-control', reqType: 'objectGet', id: 'bucketOwnerId', expected: true,
+        },
+        {
+            aclList: ['someId', 'anyIdNotPublic'],
+            aclField: 'FULL_CONTROL',
+            reqType: 'objectGet',
+            id: 'anyIdNotPublic',
+            expected: true,
+        },
+        {
+            aclList: ['someId', 'anyIdNotPublic'],
+            aclField: 'READ',
+            reqType: 'objectGet',
+            id: 'anyIdNotPublic',
+            expected: true,
+        },
+        { reqType: 'objectPut', id: 'anyId', expected: true },
+        { reqType: 'objectDelete', id: 'anyId', expected: true },
+        {
+            aclList: ['anyId'], aclField: 'FULL_CONTROL', reqType: 'objectPutACL', id: 'anyId', expected: true,
+        },
+        {
+            acl: '', reqType: 'objectGet', id: 'randomId', expected: false,
+        },
+    ];
+
+    tests.forEach(test => {
+        it(`should return ${test.expected} for ${test.reqType} with ACL as ${test.acl
+            || (`${test.aclField}:${JSON.stringify(test.aclList)}`)}`, () => {
+            if (test.acl) {
+                mockObjectMD.acl.Canned = test.acl;
+            } else if (test.aclList && test.aclField) {
+                mockObjectMD.acl[test.aclField] = test.aclList;
+            }
+
+            assert.strictEqual(
+                checkObjectAcls(mockBucket, mockObjectMD, test.reqType, test.id, false, false, 'anyApiCall'),
+                test.expected,
+            );
+        });
+    });
+});
+