REVISIT THIS COMMIT

The code in this commit causes an error in the 'implicit deny iam policy with "Allow" bucket policy for User ARN' test for PutObject, giving an AccessDenied because the implicitDent is true. It seems worth re-evaluating the ACL expectations at this point.
add evaluateBucketPolicyWithIAM omissions
2023-09-25 11:40:17 +02:00 · 2023-09-21 11:41:30 +02:00 · 2023-09-19 11:00:34 +02:00 · 2023-09-18 18:38:27 +02:00 · 2023-09-18 18:38:27 +02:00 · 2023-09-18 18:38:27 +02:00
128 changed files with 2306 additions and 1503 deletions
--- a/constants.js
+++ b/constants.js
@ -153,6 +153,8 @@ const constants = {
        'objectDeleteTagging',
        'objectGetTagging',
        'objectPutTagging',
        'objectPutLegalHold',
        'objectPutRetention',
    ],
    // response header to be sent when there are invalid
    // user metadata in the object's metadata
--- a/lib/api/api.js
+++ b/lib/api/api.js
@ -107,6 +107,7 @@ const api = {
        // no need to check auth on website or cors preflight requests
        if (apiMethod === 'websiteGet' || apiMethod === 'websiteHead' ||
        apiMethod === 'corsPreflight') {
            request.actionImplicitDenies = false;
            return this[apiMethod](request, log, callback);
        }
@ -129,15 +130,25 @@ const api = {
        const requestContexts = prepareRequestContexts(apiMethod, request,
            sourceBucket, sourceObject, sourceVersionId);
        // Extract all the _apiMethods and store them in an array
        const apiMethods = requestContexts ? requestContexts.map(context => context._apiMethod) : [];
        // Attach the names to the current request
        // eslint-disable-next-line no-param-reassign
        request.apiMethods = apiMethods;
        function checkAuthResults(authResults) {
            let returnTagCount = true;
            const isImplicitDeny = {};
            let isOnlyImplicitDeny = true;
            if (apiMethod === 'objectGet') {
                // first item checks s3:GetObject(Version) action
-                if (!authResults[0].isAllowed) {
+                if (!authResults[0].isAllowed && !authResults[0].isImplicit) {
                    log.trace('get object authorization denial from Vault');
                    return errors.AccessDenied;
                }
                // TODO add support for returnTagCount in the bucket policy
                // checks
                isImplicitDeny[authResults[0].action] = authResults[0].isImplicit;
                // second item checks s3:GetObject(Version)Tagging action
                if (!authResults[1].isAllowed) {
                    log.trace('get tagging authorization denial ' +
@ -146,13 +157,25 @@ const api = {
                }
            } else {
                for (let i = 0; i < authResults.length; i++) {
-                    if (!authResults[i].isAllowed) {
+                    isImplicitDeny[authResults[i].action] = true;
                    if (!authResults[i].isAllowed && !authResults[i].isImplicit) {
                        // Any explicit deny rejects the current API call
                        log.trace('authorization denial from Vault');
                        return errors.AccessDenied;
                    } else if (authResults[i].isAllowed) {
                        // If the action is allowed, the result is not implicit
                        // Deny.
                        isImplicitDeny[authResults[i].action] = false;
                        isOnlyImplicitDeny = false;
                    }
                }
            }
-            return returnTagCount;
+            // These two APIs cannot use ACLs or Bucket Policies, hence, any
            // implicit deny from vault must be treated as an explicit deny.
            if ((apiMethod === 'bucketPut' || apiMethod === 'serviceGet') && isOnlyImplicitDeny) {
                return errors.AccessDenied;
            }
            return { returnTagCount, isImplicitDeny };
        }
        return async.waterfall([
@ -230,7 +253,16 @@ const api = {
                if (checkedResults instanceof Error) {
                    return callback(checkedResults);
                }
-                returnTagCount = checkedResults;
+                returnTagCount = checkedResults.returnTagCount;
                request.actionImplicitDenies = checkedResults.isImplicitDeny;
            } else {
                // create an object of keys apiMethods with all values to false:
                // for backward compatibility, all apiMethods are allowed by default
                // thus it is explicitly allowed, so implicit deny is false
                request.actionImplicitDenies = apiMethods.reduce((acc, curr) => {
                    acc[curr] = false;
                    return acc;
                }, {});
            }
            if (apiMethod === 'objectPut' || apiMethod === 'objectPutPart') {
                request._response = response;
--- a/lib/api/apiUtils/authorization/permissionChecks.js
+++ b/lib/api/apiUtils/authorization/permissionChecks.js
@ -1,29 +1,50 @@
 const { evaluators, actionMaps, RequestContext } = require('arsenal').policies;
 const constants = require('../../../../constants');
-const { allAuthedUsersId, bucketOwnerActions, logId, publicId,
+const {
-    assumedRoleArnResourceType, backbeatLifecycleSessionName } = constants;
+    allAuthedUsersId, bucketOwnerActions, logId, publicId,
    assumedRoleArnResourceType, backbeatLifecycleSessionName,
 } = constants;
 // whitelist buckets to allow public read on objects
-const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS ?
+const publicReadBuckets = process.env.ALLOW_PUBLIC_READ_BUCKETS
-    process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
+    ? process.env.ALLOW_PUBLIC_READ_BUCKETS.split(',') : [];
-function checkBucketAcls(bucket, requestType, canonicalID) {
+function checkBucketAcls(bucket, requestType, canonicalID, mainApiCall) {
    // Same logic applies on the Versioned APIs, so let's simplify it.
    const requestTypeParsed = requestType.endsWith('Version')
        ? requestType.slice(0, -7) : requestType;
    if (bucket.getOwner() === canonicalID) {
        return true;
    }
    // Backward compatibility
    const arrayOfAllowed = [
        'objectPutTagging',
        'objectPutLegalHold',
        'objectPutRetention',
    ];
    if (mainApiCall === 'objectGet') {
        if (requestTypeParsed === 'objectGetTagging') {
            return true;
        }
    }
    if (mainApiCall === 'objectPut') {
        if (arrayOfAllowed.includes(requestTypeParsed)) {
            return true;
        }
    }
    const bucketAcl = bucket.getAcl();
-    if (requestType === 'bucketGet' || requestType === 'bucketHead') {
+    if (requestTypeParsed === 'bucketGet' || requestTypeParsed === 'bucketHead') {
        if (bucketAcl.Canned === 'public-read'
            || bucketAcl.Canned === 'public-read-write'
            || (bucketAcl.Canned === 'authenticated-read'
                && canonicalID !== publicId)) {
            return true;
-        } else if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
+        } if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
            || bucketAcl.READ.indexOf(canonicalID) > -1) {
            return true;
-        } else if (bucketAcl.READ.indexOf(publicId) > -1
+        } if (bucketAcl.READ.indexOf(publicId) > -1
            || (bucketAcl.READ.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -32,13 +53,13 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
            return true;
        }
    }
-    if (requestType === 'bucketGetACL') {
+    if (requestTypeParsed === 'bucketGetACL') {
        if ((bucketAcl.Canned === 'log-delivery-write'
            && canonicalID === logId)
            || bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
            || bucketAcl.READ_ACP.indexOf(canonicalID) > -1) {
            return true;
-        } else if (bucketAcl.READ_ACP.indexOf(publicId) > -1
+        } if (bucketAcl.READ_ACP.indexOf(publicId) > -1
            || (bucketAcl.READ_ACP.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -48,11 +69,11 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
        }
    }
-    if (requestType === 'bucketPutACL') {
+    if (requestTypeParsed === 'bucketPutACL') {
        if (bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
            || bucketAcl.WRITE_ACP.indexOf(canonicalID) > -1) {
            return true;
-        } else if (bucketAcl.WRITE_ACP.indexOf(publicId) > -1
+        } if (bucketAcl.WRITE_ACP.indexOf(publicId) > -1
            || (bucketAcl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -62,16 +83,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
        }
    }
-    if (requestType === 'bucketDelete' && bucket.getOwner() === canonicalID) {
+    if (requestTypeParsed === 'objectDelete' || requestTypeParsed === 'objectPut') {
        return true;
    }
    if (requestType === 'objectDelete' || requestType === 'objectPut') {
        if (bucketAcl.Canned === 'public-read-write'
            || bucketAcl.FULL_CONTROL.indexOf(canonicalID) > -1
            || bucketAcl.WRITE.indexOf(canonicalID) > -1) {
            return true;
-        } else if (bucketAcl.WRITE.indexOf(publicId) > -1
+        } if (bucketAcl.WRITE.indexOf(publicId) > -1
            || (bucketAcl.WRITE.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (bucketAcl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -86,11 +103,12 @@ function checkBucketAcls(bucket, requestType, canonicalID) {
    // objectPutACL, objectGetACL, objectHead or objectGet, the bucket
    // authorization check should just return true so can move on to check
    // rights at the object level.
-    return (requestType === 'objectPutACL' || requestType === 'objectGetACL' ||
+    return (requestTypeParsed === 'objectPutACL' || requestTypeParsed === 'objectGetACL'
-        requestType === 'objectGet' || requestType === 'objectHead');
+    || requestTypeParsed === 'objectGet' || requestTypeParsed === 'objectHead');
 }
-function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
+function checkObjectAcls(bucket, objectMD, requestType, canonicalID, requesterIsNotUser,
    isUserUnauthenticated, mainApiCall) {
    const bucketOwner = bucket.getOwner();
    // acls don't distinguish between users and accounts, so both should be allowed
    if (bucketOwnerActions.includes(requestType)
@ -100,6 +118,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
    if (objectMD['owner-id'] === canonicalID) {
        return true;
    }
    // Backward compatibility
    if (mainApiCall === 'objectGet') {
        if ((isUserUnauthenticated || (requesterIsNotUser && bucketOwner === objectMD['owner-id']))
            && requestType === 'objectGetTagging') {
            return true;
        }
    }
    if (!objectMD.acl) {
        return false;
    }
@ -110,15 +137,15 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
            || (objectMD.acl.Canned === 'authenticated-read'
                && canonicalID !== publicId)) {
            return true;
-        } else if (objectMD.acl.Canned === 'bucket-owner-read'
+        } if (objectMD.acl.Canned === 'bucket-owner-read'
            && bucketOwner === canonicalID) {
            return true;
-        } else if ((objectMD.acl.Canned === 'bucket-owner-full-control'
+        } if ((objectMD.acl.Canned === 'bucket-owner-full-control'
            && bucketOwner === canonicalID)
            || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
            || objectMD.acl.READ.indexOf(canonicalID) > -1) {
            return true;
-        } else if (objectMD.acl.READ.indexOf(publicId) > -1
+        } if (objectMD.acl.READ.indexOf(publicId) > -1
            || (objectMD.acl.READ.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -140,7 +167,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
            || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
            || objectMD.acl.WRITE_ACP.indexOf(canonicalID) > -1) {
            return true;
-        } else if (objectMD.acl.WRITE_ACP.indexOf(publicId) > -1
+        } if (objectMD.acl.WRITE_ACP.indexOf(publicId) > -1
            || (objectMD.acl.WRITE_ACP.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -156,7 +183,7 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
            || objectMD.acl.FULL_CONTROL.indexOf(canonicalID) > -1
            || objectMD.acl.READ_ACP.indexOf(canonicalID) > -1) {
            return true;
-        } else if (objectMD.acl.READ_ACP.indexOf(publicId) > -1
+        } if (objectMD.acl.READ_ACP.indexOf(publicId) > -1
            || (objectMD.acl.READ_ACP.indexOf(allAuthedUsersId) > -1
                && canonicalID !== publicId)
            || (objectMD.acl.FULL_CONTROL.indexOf(allAuthedUsersId) > -1
@ -169,9 +196,9 @@ function checkObjectAcls(bucket, objectMD, requestType, canonicalID) {
    // allow public reads on buckets that are whitelisted for anonymous reads
    // TODO: remove this after bucket policies are implemented
    const bucketAcl = bucket.getAcl();
-    const allowPublicReads = publicReadBuckets.includes(bucket.getName()) &&
+    const allowPublicReads = publicReadBuckets.includes(bucket.getName())
-        bucketAcl.Canned === 'public-read' &&
+        && bucketAcl.Canned === 'public-read'
-        (requestType === 'objectGet' || requestType === 'objectHead');
+        && (requestType === 'objectGet' || requestType === 'objectHead');
    if (allowPublicReads) {
        return true;
    }
@ -246,9 +273,10 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
    let permission = 'defaultDeny';
    // if requester is user within bucket owner account, actions should be
    // allowed unless explicitly denied (assumes allowed by IAM policy)
-    if (bucketOwner === canonicalID) {
+    // Update: manual testing on the 18/9/2023 found this not to be the case
-        permission = 'allow';
+    // if (bucketOwner === canonicalID) {
-    }
+    //     permission = 'allow';
    // }
    let copiedStatement = JSON.parse(JSON.stringify(policy.Statement));
    while (copiedStatement.length > 0) {
        const s = copiedStatement[0];
@ -268,7 +296,26 @@ function checkBucketPolicy(policy, requestType, canonicalID, arn, bucketOwner, l
    return permission;
 }
-function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request) {
+function isBucketAuthorized(bucket, requestTypes, canonicalID, authInfo, actionImplicitDenies, log, request) {
    if (!Array.isArray(requestTypes)) {
        // eslint-disable-next-line no-param-reassign
        requestTypes = [requestTypes];
    }
    if (!actionImplicitDenies) {
        // eslint-disable-next-line no-param-reassign
        actionImplicitDenies = {};
    }
    // By default, all missing actions are defined as allowed from IAM, to be
    // backward compatible
    requestTypes.forEach(requestType => {
        if (actionImplicitDenies[requestType] === undefined) {
            // eslint-disable-next-line no-param-reassign
            actionImplicitDenies[requestType] = false;
        }
    });
    const mainApiCall = requestTypes[0];
    const results = {};
    requestTypes.forEach(_requestType => {
    // Check to see if user is authorized to perform a
    // particular action on bucket based on ACLs.
    // TODO: Add IAM checks
@ -280,63 +327,165 @@ function isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, req
        }
        // if the bucket owner is an account, users should not have default access
        if ((bucket.getOwner() === canonicalID) && requesterIsNotUser) {
-        return true;
+            results[_requestType] = actionImplicitDenies[_requestType] === false;
            return;
        }
-    const aclPermission = checkBucketAcls(bucket, requestType, canonicalID);
+        const aclPermission = checkBucketAcls(bucket, _requestType, canonicalID, mainApiCall);
        const bucketPolicy = bucket.getBucketPolicy();
        if (!bucketPolicy) {
-        return aclPermission;
+            results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
            return;
        }
-    const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType,
+        const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
            canonicalID, arn, bucket.getOwner(), log, request);
        if (bucketPolicyPermission === 'explicitDeny') {
-        return false;
+            results[_requestType] = false;
            return;
        }
-    return (aclPermission || (bucketPolicyPermission === 'allow'));
+        // If the bucket policy returns an allow, we accept the request, as the
        // IAM response here is either Allow or implicit deny.
        if (bucketPolicyPermission === 'allow') {
            results[_requestType] = true;
            return;
        }
        results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
    });
    // final result is true if all the results are true
    return Object.keys(results).every(key => results[key] === true);
 }
-function isObjAuthorized(bucket, objectMD, requestType, canonicalID, authInfo, log, request) {
+
 function isObjAuthorized(bucket, objectMD, requestTypes, canonicalID, authInfo, actionImplicitDenies, log, request) {
    if (!Array.isArray(requestTypes)) {
        // eslint-disable-next-line no-param-reassign
        requestTypes = [requestTypes];
    }
    // By default, all missing actions are defined as allowed from IAM, to be
    // backward compatible
    if (!actionImplicitDenies) {
        // eslint-disable-next-line no-param-reassign
        actionImplicitDenies = {};
    }
    requestTypes.forEach(requestType => {
        if (actionImplicitDenies[requestType] === undefined) {
            // eslint-disable-next-line no-param-reassign
            actionImplicitDenies[requestType] = false;
        }
    });
    const results = {};
    const mainApiCall = requestTypes[0];
    requestTypes.forEach(_requestType => {
        const parsedMethodName = _requestType.endsWith('Version')
            ? _requestType.slice(0, -7) : _requestType;
        const bucketOwner = bucket.getOwner();
        if (!objectMD) {
        // User is already authorized on the bucket for FULL_CONTROL or WRITE or
        // bucket has canned ACL public-read-write
-        if (requestType === 'objectPut' || requestType === 'objectDelete') {
+            // if (parsedMethodName === 'objectPut' || parsedMethodName === 'objectDelete') {
-            return true;
+            //     results[_requestType] = actionImplicitDenies[_requestType] === false;
-        }
+            //     return;
            // }
            // check bucket has read access
            // 'bucketGet' covers listObjects and listMultipartUploads, bucket read actions
-        return isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo, log, request);
+            results[_requestType] = isBucketAuthorized(bucket, 'bucketGet', canonicalID, authInfo,
                actionImplicitDenies, log, request);
            return;
        }
        let requesterIsNotUser = true;
        let arn = null;
        let isUserUnauthenticated = false;
        if (authInfo) {
            requesterIsNotUser = !authInfo.isRequesterAnIAMUser();
            arn = authInfo.getArn();
            isUserUnauthenticated = arn === undefined;
        }
        if (objectMD['owner-id'] === canonicalID && requesterIsNotUser) {
-        return true;
+            results[_requestType] = actionImplicitDenies[_requestType] === false;
            return;
        }
        // account is authorized if:
        // - requesttype is included in bucketOwnerActions and
        // - account is the bucket owner
        // - requester is account, not user
-    if (bucketOwnerActions.includes(requestType)
+        if (bucketOwnerActions.includes(parsedMethodName)
        && (bucketOwner === canonicalID)
        && requesterIsNotUser) {
-        return true;
+            results[_requestType] = actionImplicitDenies[_requestType] === false;
            return;
        }
-    const aclPermission = checkObjectAcls(bucket, objectMD, requestType,
+        const aclPermission = checkObjectAcls(bucket, objectMD, parsedMethodName,
-        canonicalID);
+            canonicalID, requesterIsNotUser, isUserUnauthenticated, mainApiCall);
        const bucketPolicy = bucket.getBucketPolicy();
        if (!bucketPolicy) {
-        return aclPermission;
+            results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
            return;
        }
-    const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, requestType,
+        const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
            canonicalID, arn, bucket.getOwner(), log, request);
        if (bucketPolicyPermission === 'explicitDeny') {
-        return false;
+            results[_requestType] = false;
            return;
        }
-    return (aclPermission || (bucketPolicyPermission === 'allow'));
+        // If the bucket policy returns an allow, we accept the request, as the
        // IAM response here is either Allow or implicit deny.
        if (bucketPolicyPermission === 'allow') {
            results[_requestType] = true;
            return;
        }
        results[_requestType] = actionImplicitDenies[_requestType] === false && aclPermission;
    });
    // final result is true if all the results are true
    return Object.keys(results).every(key => results[key] === true);
 }
 function evaluateBucketPolicyWithIAM(bucket, requestTypes, canonicalID, authInfo, actionImplicitDenies, log, request) {
    if (!Array.isArray(requestTypes)) {
        // eslint-disable-next-line no-param-reassign
        requestTypes = [requestTypes];
    }
    if (actionImplicitDenies === false) {
        // eslint-disable-next-line no-param-reassign
        actionImplicitDenies = {};
    }
    // By default, all missing actions are defined as allowed from IAM, to be
    // backward compatible
    requestTypes.forEach(requestType => {
        if (actionImplicitDenies[requestType] === undefined) {
            // eslint-disable-next-line no-param-reassign
            actionImplicitDenies[requestType] = false;
        }
    });
    const results = {};
    requestTypes.forEach(_requestType => {
        let arn = null;
        if (authInfo) {
            arn = authInfo.getArn();
        }
        const bucketPolicy = bucket.getBucketPolicy();
        if (!bucketPolicy) {
            results[_requestType] = actionImplicitDenies[_requestType] === false;
            return;
        }
        const bucketPolicyPermission = checkBucketPolicy(bucketPolicy, _requestType,
            canonicalID, arn, bucket.getOwner(), log, request);
        if (bucketPolicyPermission === 'explicitDeny') {
            results[_requestType] = false;
            return;
        }
        // If the bucket policy returns an allow, we accept the request, as the
        // IAM response here is either Allow or implicit deny.
        if (bucketPolicyPermission === 'allow') {
            results[_requestType] = true;
            return;
        }
        results[_requestType] = actionImplicitDenies[_requestType] === false;
    });
    // final result is true if all the results are true
    return Object.keys(results).every(key => results[key] === true);
 }
 function _checkResource(resource, bucketArn) {
@ -383,9 +532,9 @@ function isLifecycleSession(arn) {
    const resourceType = resourceNames[0];
    const sessionName = resourceNames[resourceNames.length - 1];
-    return (service === 'sts' &&
+    return (service === 'sts'
-        resourceType === assumedRoleArnResourceType &&
+        && resourceType === assumedRoleArnResourceType
-        sessionName === backbeatLifecycleSessionName);
+        && sessionName === backbeatLifecycleSessionName);
 }
 module.exports = {
@ -395,4 +544,5 @@ module.exports = {
    checkObjectAcls,
    validatePolicyResource,
    isLifecycleSession,
    evaluateBucketPolicyWithIAM,
 };
--- a/lib/api/apiUtils/bucket/bucketDeletion.js
+++ b/lib/api/apiUtils/bucket/bucketDeletion.js
@ -24,7 +24,7 @@ function _deleteMPUbucket(destinationBucketName, log, cb) {
    });
 }
-function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
+function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, request, log, cb) {
    async.mapLimit(mpus, 1, (mpu, next) => {
        const splitterChar = mpu.key.includes(oldSplitter) ?
            oldSplitter : splitter;
@ -40,7 +40,7 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
                    byteLength: partSizeSum,
                });
                next(err);
-            });
+            }, request);
    }, cb);
 }
 /**
@ -49,11 +49,13 @@ function _deleteOngoingMPUs(authInfo, bucketName, bucketMD, mpus, log, cb) {
 * @param {object} bucketMD - bucket attributes/metadata
 * @param {string} bucketName - bucket in which objectMetadata is stored
 * @param {string} canonicalID - account canonicalID of requester
 * @param {object} request - request object given by router
 *                           including normalized headers
 * @param {object} log - Werelogs logger
 * @param {function} cb - callback from async.waterfall in bucketDelete
 * @return {undefined}
 */
-function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) {
+function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, request, log, cb) {
    log.trace('deleting bucket from metadata');
    assert.strictEqual(typeof bucketName, 'string');
    assert.strictEqual(typeof canonicalID, 'string');
@ -100,7 +102,7 @@ function deleteBucket(authInfo, bucketMD, bucketName, canonicalID, log, cb) {
                    }
                    if (objectsListRes.Contents.length) {
                        return _deleteOngoingMPUs(authInfo, bucketName,
-                            bucketMD, objectsListRes.Contents, log, err => {
+                            bucketMD, objectsListRes.Contents, request, log, err => {
                                if (err) {
                                    return next(err);
                                }
--- a/lib/api/apiUtils/object/abortMultipartUpload.js
+++ b/lib/api/apiUtils/object/abortMultipartUpload.js
@ -22,10 +22,11 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
    // but the requestType is the more general 'objectDelete'
    const metadataValParams = Object.assign({}, metadataValMPUparams);
    metadataValParams.requestType = 'objectPut';
    const authzIdentityResult = request ? request.actionImplicitDenies : true;
    async.waterfall([
        function checkDestBucketVal(next) {
-            metadataValidateBucketAndObj(metadataValParams, log,
+            metadataValidateBucketAndObj(metadataValParams, authzIdentityResult, log,
                (err, destinationBucket) => {
                    if (err) {
                        return next(err, destinationBucket);
@ -56,9 +57,15 @@ function abortMultipartUpload(authInfo, bucketName, objectKey, uploadId, log,
        function abortExternalMpu(mpuBucket, mpuOverviewObj, destBucket,
        next) {
            const location = mpuOverviewObj.controllingLocationConstraint;
            const originalIdentityImpDenies = request.actionImplicitDenies;
            // eslint-disable-next-line no-param-reassign
            // eslint-disable-next-line no-param-reassign
            delete request.actionImplicitDenies;
            return data.abortMPU(objectKey, uploadId, location, bucketName,
                request, destBucket, locationConstraintCheck, log,
            (err, skipDataDelete) => {
                // eslint-disable-next-line no-param-reassign
                request.actionImplicitDenies = originalIdentityImpDenies;
                if (err) {
                    return next(err, destBucket);
                }
--- a/lib/api/apiUtils/object/objectLockHelpers.js
+++ b/lib/api/apiUtils/object/objectLockHelpers.js
@ -3,6 +3,7 @@ const moment = require('moment');
 const { config } = require('../../../Config');
 const vault = require('../../../auth/vault');
 const { evaluateBucketPolicyWithIAM } = require('../authorization/permissionChecks');
 /**
 * Calculates retain until date for the locked object version
@ -302,7 +303,11 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
            if (err) {
                return cb(err);
            }
-            if (authorizationResults[0].isAllowed !== true) {
+
            // Deny immediately if there is any explicit deny
            const explicitDenyExists = authorizationResults.some(
                authzResult => authzResult.isAllowed === false && authzResult.isImplicit === false);
            if (explicitDenyExists) {
                log.trace('authorization check failed for user',
                    {
                        'method': 'checkUserPolicyGovernanceBypass',
@ -310,7 +315,25 @@ function checkUserGovernanceBypass(request, authInfo, bucketMD, objectKey, log,
                    });
                return cb(errors.AccessDenied);
            }
-            return cb(null);
+
            // Convert authorization results into an easier to handle format
            const iamAuthzResults = authorizationResults.reduce((acc, curr, idx) => {
                // eslint-disable-next-line no-param-reassign
                acc[requestContextParams[idx].apiMethod] = curr.isImplicit;
                return acc;
            }, {});
            // Evaluate against the bucket policies
            const areAllActionsAllowed = evaluateBucketPolicyWithIAM(
                bucketMD,
                Object.keys(iamAuthzResults),
                authInfo.getCanonicalID(),
                authInfo,
                iamAuthzResults,
                log,
                request);
            return cb(areAllActionsAllowed ? null : errors.AccessDenied);
        });
 }
--- a/lib/api/bucketDelete.js
+++ b/lib/api/bucketDelete.js
@ -31,7 +31,7 @@ function bucketDelete(authInfo, request, log, cb) {
        request,
    };
-    return metadataValidateBucket(metadataValParams, log,
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
        (err, bucketMD) => {
            const corsHeaders = collectCorsHeaders(request.headers.origin,
                request.method, bucketMD);
@ -43,7 +43,7 @@ function bucketDelete(authInfo, request, log, cb) {
            log.trace('passed checks',
                { method: 'metadataValidateBucket' });
            return deleteBucket(authInfo, bucketMD, bucketName,
-                authInfo.getCanonicalID(), log, err => {
+                authInfo.getCanonicalID(), request, log, err => {
                    if (err) {
                        return cb(err, corsHeaders);
                    }
--- a/lib/api/bucketDeleteCors.js
+++ b/lib/api/bucketDeleteCors.js
@ -33,7 +33,8 @@ function bucketDeleteCors(authInfo, request, log, callback) {
        }
        log.trace('found bucket in metadata');
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
            request.actionImplicitDenies, log, request)) {
            log.debug('access denied for user on bucket', {
                requestType,
                method: 'bucketDeleteCors',
--- a/lib/api/bucketDeleteEncryption.js
+++ b/lib/api/bucketDeleteEncryption.js
@ -26,7 +26,7 @@ function bucketDeleteEncryption(authInfo, request, log, callback) {
    };
    return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
        (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
        (bucket, next) => {
            const sseConfig = bucket.getServerSideEncryption();
--- a/lib/api/bucketDeleteLifecycle.js
+++ b/lib/api/bucketDeleteLifecycle.js
@ -20,7 +20,7 @@ function bucketDeleteLifecycle(authInfo, request, log, callback) {
        requestType: 'bucketDeleteLifecycle',
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketDeletePolicy.js
+++ b/lib/api/bucketDeletePolicy.js
@ -19,7 +19,7 @@ function bucketDeletePolicy(authInfo, request, log, callback) {
        requestType: 'bucketDeletePolicy',
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketDeleteReplication.js
+++ b/lib/api/bucketDeleteReplication.js
@ -20,7 +20,7 @@ function bucketDeleteReplication(authInfo, request, log, callback) {
        requestType: 'bucketDeleteReplication',
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketDeleteWebsite.js
+++ b/lib/api/bucketDeleteWebsite.js
@ -25,7 +25,8 @@ function bucketDeleteWebsite(authInfo, request, log, callback) {
        }
        log.trace('found bucket in metadata');
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
            request.actionImplicitDenies, log, request)) {
            log.debug('access denied for user on bucket', {
                requestType,
                method: 'bucketDeleteWebsite',
--- a/lib/api/bucketGet.js
+++ b/lib/api/bucketGet.js
@ -345,7 +345,7 @@ function bucketGet(authInfo, request, log, callback) {
        listParams.marker = params.marker;
    }
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
        if (err) {
--- a/lib/api/bucketGetACL.js
+++ b/lib/api/bucketGetACL.js
@ -54,7 +54,7 @@ function bucketGetACL(authInfo, request, log, callback) {
        },
    };
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
        if (err) {
--- a/lib/api/bucketGetCors.js
+++ b/lib/api/bucketGetCors.js
@ -34,7 +34,8 @@ function bucketGetCors(authInfo, request, log, callback) {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
            request.actionImplicitDenies, log, request)) {
            log.debug('access denied for user on bucket', {
                requestType,
                method: 'bucketGetCors',
--- a/lib/api/bucketGetEncryption.js
+++ b/lib/api/bucketGetEncryption.js
@ -27,7 +27,7 @@ function bucketGetEncryption(authInfo, request, log, callback) {
    };
    return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
        (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
        (bucket, next) => {
            // If sseInfo is present but the `mandatory` flag is not set
--- a/lib/api/bucketGetLifecycle.js
+++ b/lib/api/bucketGetLifecycle.js
@ -23,7 +23,7 @@ function bucketGetLifecycle(authInfo, request, log, callback) {
        requestType: 'bucketGetLifecycle',
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketGetLocation.js
+++ b/lib/api/bucketGetLocation.js
@ -36,7 +36,8 @@ function bucketGetLocation(authInfo, request, log, callback) {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
            request.actionImplicitDenies, log, request)) {
            log.debug('access denied for account on bucket', {
                requestType,
                method: 'bucketGetLocation',
--- a/lib/api/bucketGetNotification.js
+++ b/lib/api/bucketGetNotification.js
@ -41,7 +41,7 @@ function bucketGetNotification(authInfo, request, log, callback) {
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketGetObjectLock.js
+++ b/lib/api/bucketGetObjectLock.js
@ -36,7 +36,7 @@ function bucketGetObjectLock(authInfo, request, log, callback) {
        requestType: 'bucketGetObjectLock',
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketGetPolicy.js
+++ b/lib/api/bucketGetPolicy.js
@ -21,7 +21,7 @@ function bucketGetPolicy(authInfo, request, log, callback) {
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketGetReplication.js
+++ b/lib/api/bucketGetReplication.js
@ -23,7 +23,7 @@ function bucketGetReplication(authInfo, request, log, callback) {
        requestType: 'bucketGetReplication',
        request,
    };
-    return metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    return metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
        if (err) {
            log.debug('error processing request', {
--- a/lib/api/bucketGetVersioning.js
+++ b/lib/api/bucketGetVersioning.js
@ -57,7 +57,7 @@ function bucketGetVersioning(authInfo, request, log, callback) {
        request,
    };
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
        if (err) {
--- a/lib/api/bucketGetWebsite.js
+++ b/lib/api/bucketGetWebsite.js
@ -34,7 +34,8 @@ function bucketGetWebsite(authInfo, request, log, callback) {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
-        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+        if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo,
            request.actionImplicitDenies, log, request)) {
            log.debug('access denied for user on bucket', {
                requestType,
                method: 'bucketGetWebsite',
--- a/lib/api/bucketHead.js
+++ b/lib/api/bucketHead.js
@ -21,7 +21,7 @@ function bucketHead(authInfo, request, log, callback) {
        requestType: 'bucketHead',
        request,
    };
-    metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+    metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
        if (err) {
--- a/lib/api/bucketPutACL.js
+++ b/lib/api/bucketPutACL.js
@ -43,7 +43,7 @@ const { pushMetric } = require('../utapi/utilities');
 function bucketPutACL(authInfo, request, log, callback) {
    log.debug('processing request', { method: 'bucketPutACL' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
    const canonicalID = authInfo.getCanonicalID();
    const newCannedACL = request.headers['x-amz-acl'];
    const possibleCannedACL = [
@ -53,17 +53,6 @@ function bucketPutACL(authInfo, request, log, callback) {
        'authenticated-read',
        'log-delivery-write',
    ];
    if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
        log.trace('invalid canned acl argument', {
            acl: newCannedACL,
            method: 'bucketPutACL',
        });
        return callback(errors.InvalidArgument);
    }
    if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
        log.trace('invalid acl header');
        return callback(errors.InvalidArgument);
    }
    const possibleGroups = [constants.allAuthedUsersId,
        constants.publicId,
        constants.logId,
@ -71,7 +60,7 @@ function bucketPutACL(authInfo, request, log, callback) {
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutACL',
+        requestType: request.apiMethods || 'bucketPutACL',
        request,
    };
    const possibleGrants = ['FULL_CONTROL', 'WRITE',
@ -85,24 +74,19 @@ function bucketPutACL(authInfo, request, log, callback) {
        READ_ACP: [],
    };
-    const grantReadHeader =
+    const grantReadHeader = aclUtils.parseGrant(request.headers[
        aclUtils.parseGrant(request.headers[
        'x-amz-grant-read'], 'READ');
-    const grantWriteHeader =
+    const grantWriteHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
-        aclUtils.parseGrant(request.headers['x-amz-grant-write'], 'WRITE');
+    const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
    const grantReadACPHeader =
        aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
        'READ_ACP');
-    const grantWriteACPHeader =
+    const grantWriteACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
        aclUtils.parseGrant(request.headers['x-amz-grant-write-acp'],
        'WRITE_ACP');
-    const grantFullControlHeader =
+    const grantFullControlHeader = aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
        aclUtils.parseGrant(request.headers['x-amz-grant-full-control'],
        'FULL_CONTROL');
    return async.waterfall([
        function waterfall1(next) {
-            metadataValidateBucket(metadataValParams, log,
+            metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
                (err, bucket) => {
                    if (err) {
                        log.trace('request authorization failed', {
@ -111,6 +95,18 @@ function bucketPutACL(authInfo, request, log, callback) {
                        });
                        return next(err, bucket);
                    }
                    // if the API call is allowed, ensure that the parameters are valid
                    if (newCannedACL && possibleCannedACL.indexOf(newCannedACL) === -1) {
                        log.trace('invalid canned acl argument', {
                            acl: newCannedACL,
                            method: 'bucketPutACL',
                        });
                        return next(errors.InvalidArgument);
                    }
                    if (!aclUtils.checkGrantHeaderValidity(request.headers)) {
                        log.trace('invalid acl header');
                        return next(errors.InvalidArgument);
                    }
                    return next(null, bucket);
                });
        },
@ -193,13 +189,12 @@ function bucketPutACL(authInfo, request, log, callback) {
            } else {
                // If no canned ACL and no parsed xml, loop
                // through the access headers
-                const allGrantHeaders =
+                const allGrantHeaders = [].concat(grantReadHeader, grantWriteHeader,
                    [].concat(grantReadHeader, grantWriteHeader,
                    grantReadACPHeader, grantWriteACPHeader,
                    grantFullControlHeader);
-                usersIdentifiedByEmail = allGrantHeaders.filter(item =>
+                usersIdentifiedByEmail = allGrantHeaders.filter(item => item
-                    item && item.userIDType.toLowerCase() === 'emailaddress');
+                    && item.userIDType.toLowerCase() === 'emailaddress');
                usersIdentifiedByGroup = allGrantHeaders
                    .filter(itm => itm && itm.userIDType
@ -207,8 +202,10 @@ function bucketPutACL(authInfo, request, log, callback) {
                for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
                    const userGroup = usersIdentifiedByGroup[i].identifier;
                    if (possibleGroups.indexOf(userGroup) < 0) {
-                        log.trace('invalid user group', { userGroup,
+                        log.trace('invalid user group', {
-                            method: 'bucketPutACL' });
+                            userGroup,
                            method: 'bucketPutACL',
                        });
                        return next(errors.InvalidArgument, bucket);
                    }
                }
@ -241,8 +238,8 @@ function bucketPutACL(authInfo, request, log, callback) {
                return vault.getCanonicalIds(justEmails, log,
                    (err, results) => {
                        if (err) {
-                            log.trace('error looking up canonical ids', {
+                            log.trace('error looking up canonical ids',
-                                error: err, method: 'vault.getCanonicalIDs' });
+                                { error: err, method: 'vault.getCanonicalIDs' });
                            return next(err, bucket);
                        }
                        const reconstructedUsersIdentifiedByEmail = aclUtils
@ -251,7 +248,8 @@ function bucketPutACL(authInfo, request, log, callback) {
                        const allUsers = [].concat(
                            reconstructedUsersIdentifiedByEmail,
                            usersIdentifiedByID,
-                            usersIdentifiedByGroup);
+                            usersIdentifiedByGroup,
                        );
                        const revisedAddACLParams = aclUtils
                            .sortHeaderGrants(allUsers, addACLParams);
                        return next(null, bucket, revisedAddACLParams);
@ -259,9 +257,9 @@ function bucketPutACL(authInfo, request, log, callback) {
            }
            const allUsers = [].concat(
                usersIdentifiedByID,
-                usersIdentifiedByGroup);
+                usersIdentifiedByGroup,
-            const revisedAddACLParams =
+            );
-                aclUtils.sortHeaderGrants(allUsers, addACLParams);
+            const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
            return next(null, bucket, revisedAddACLParams);
        },
        function waterfall4(bucket, addACLParams, next) {
@ -272,12 +270,10 @@ function bucketPutACL(authInfo, request, log, callback) {
            if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) {
                log.trace('transient or deleted flag so cleaning up bucket');
                bucket.setFullAcl(addACLParams);
-                return cleanUpBucket(bucket, canonicalID, log, err =>
+                return cleanUpBucket(bucket, canonicalID, log, err => next(err, bucket));
                    next(err, bucket));
            }
            // If no bucket flags, just add acl's to bucket metadata
-            return acl.addACL(bucket, addACLParams, log, err =>
+            return acl.addACL(bucket, addACLParams, log, err => next(err, bucket));
                next(err, bucket));
        },
    ], (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
--- a/lib/api/bucketPutCors.js
+++ b/lib/api/bucketPutCors.js
@ -4,8 +4,7 @@ const { errors } = require('arsenal');
 const bucketShield = require('./apiUtils/bucket/bucketShield');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
-const { isBucketAuthorized } =
+const { isBucketAuthorized } = require('./apiUtils/authorization/permissionChecks');
    require('./apiUtils/authorization/permissionChecks');
 const metadata = require('../metadata/wrapper');
 const { parseCorsXml } = require('./apiUtils/bucket/bucketCors');
 const { pushMetric } = require('../utapi/utilities');
@ -22,7 +21,7 @@ const requestType = 'bucketPutCors';
 */
 function bucketPutCors(authInfo, request, log, callback) {
    log.debug('processing request', { method: 'bucketPutCors' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
    const canonicalID = authInfo.getCanonicalID();
    if (!request.post) {
@ -66,7 +65,8 @@ function bucketPutCors(authInfo, request, log, callback) {
            });
        },
        function validateBucketAuthorization(bucket, rules, corsHeaders, next) {
-            if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
                request.actionImplicitDenies, log, request)) {
                log.debug('access denied for account on bucket', {
                    requestType,
                });
@ -77,8 +77,7 @@ function bucketPutCors(authInfo, request, log, callback) {
        function updateBucketMetadata(bucket, rules, corsHeaders, next) {
            log.trace('updating bucket cors rules in metadata');
            bucket.setCors(rules);
-            metadata.updateBucket(bucketName, bucket, log, err =>
+            metadata.updateBucket(bucketName, bucket, log, err => next(err, corsHeaders));
                next(err, corsHeaders));
        },
    ], (err, corsHeaders) => {
        if (err) {
--- a/lib/api/bucketPutEncryption.js
+++ b/lib/api/bucketPutEncryption.js
@ -18,17 +18,17 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 */
 function bucketPutEncryption(authInfo, request, log, callback) {
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutEncryption',
+        requestType: request.apiMethods || 'bucketPutEncryption',
        request,
    };
    return async.waterfall([
-        next => metadataValidateBucket(metadataValParams, log, next),
+        next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, next),
        (bucket, next) => checkExpectedBucketOwner(request.headers, bucket, log, err => next(err, bucket)),
        (bucket, next) => {
            log.trace('parsing encryption config', { method: 'bucketPutEncryption' });
--- a/lib/api/bucketPutLifecycle.js
+++ b/lib/api/bucketPutLifecycle.js
@ -1,7 +1,6 @@
 const { waterfall } = require('async');
 const uuid = require('uuid/v4');
-const LifecycleConfiguration =
+const { LifecycleConfiguration } = require('arsenal').models;
    require('arsenal').models.LifecycleConfiguration;
 const parseXML = require('../utilities/parseXML');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@ -21,11 +20,11 @@ const { pushMetric } = require('../utapi/utilities');
 function bucketPutLifecycle(authInfo, request, log, callback) {
    log.debug('processing request', { method: 'bucketPutLifecycle' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutLifecycle',
+        requestType: request.apiMethods || 'bucketPutLifecycle',
        request,
    };
    return waterfall([
@ -42,7 +41,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
                return next(null, configObj);
            });
        },
-        (lcConfig, next) => metadataValidateBucket(metadataValParams, log,
+        (lcConfig, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket) => {
                if (err) {
                    return next(err, bucket);
@ -54,8 +53,7 @@ function bucketPutLifecycle(authInfo, request, log, callback) {
                bucket.setUid(uuid());
            }
            bucket.setLifecycleConfiguration(lcConfig);
-            metadata.updateBucket(bucket.getName(), bucket, log, err =>
+            metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
                next(err, bucket));
        },
    ], (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
--- a/lib/api/bucketPutNotification.js
+++ b/lib/api/bucketPutNotification.js
@ -19,11 +19,11 @@ const { pushMetric } = require('../utapi/utilities');
 function bucketPutNotification(authInfo, request, log, callback) {
    log.debug('processing request', { method: 'bucketPutNotification' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutNotification',
+        requestType: request.apiMethods || 'bucketPutNotification',
        request,
    };
@ -34,7 +34,7 @@ function bucketPutNotification(authInfo, request, log, callback) {
            const notifConfig = notificationConfig.error ? undefined : notificationConfig;
            process.nextTick(() => next(notificationConfig.error, notifConfig));
        },
-        (notifConfig, next) => metadataValidateBucket(metadataValParams, log,
+        (notifConfig, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket) => next(err, bucket, notifConfig)),
        (bucket, notifConfig, next) => {
            bucket.setNotificationConfiguration(notifConfig);
@ -45,8 +45,10 @@ function bucketPutNotification(authInfo, request, log, callback) {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
        if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutNotification' });
+                error: err,
                method: 'bucketPutNotification',
            });
            return callback(err, corsHeaders);
        }
        pushMetric('putBucketNotification', log, {
--- a/lib/api/bucketPutObjectLock.js
+++ b/lib/api/bucketPutObjectLock.js
@ -1,8 +1,8 @@
 const { waterfall } = require('async');
 const arsenal = require('arsenal');
-const errors = arsenal.errors;
+const { errors } = arsenal;
-const ObjectLockConfiguration = arsenal.models.ObjectLockConfiguration;
+const { ObjectLockConfiguration } = arsenal.models;
 const parseXML = require('../utilities/parseXML');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
@ -22,11 +22,11 @@ const { pushMetric } = require('../utapi/utilities');
 function bucketPutObjectLock(authInfo, request, log, callback) {
    log.debug('processing request', { method: 'bucketPutObjectLock' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutObjectLock',
+        requestType: request.apiMethods || 'bucketPutObjectLock',
        request,
    };
    return waterfall([
@ -36,12 +36,12 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
            // if there was an error getting object lock configuration,
            // returned configObj will contain 'error' key
            process.nextTick(() => {
-                const configObj = lockConfigClass.
+                const configObj = lockConfigClass
-                    getValidatedObjectLockConfiguration();
+                    .getValidatedObjectLockConfiguration();
                return next(configObj.error || null, configObj);
            });
        },
-        (objectLockConfig, next) => metadataValidateBucket(metadataValParams,
+        (objectLockConfig, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies,
            log, (err, bucket) => {
                if (err) {
                    return next(err, bucket);
@ -53,23 +53,25 @@ function bucketPutObjectLock(authInfo, request, log, callback) {
            process.nextTick(() => {
                if (!isObjectLockEnabled) {
                    return next(errors.InvalidBucketState.customizeDescription(
-                        'Object Lock configuration cannot be enabled on ' +
+                        'Object Lock configuration cannot be enabled on '
-                        'existing buckets'), bucket);
+                        + 'existing buckets',
                    ), bucket);
                }
                return next(null, bucket, objectLockConfig);
            });
        },
        (bucket, objectLockConfig, next) => {
            bucket.setObjectLockConfiguration(objectLockConfig);
-            metadata.updateBucket(bucket.getName(), bucket, log, err =>
+            metadata.updateBucket(bucket.getName(), bucket, log, err => next(err, bucket));
                next(err, bucket));
        },
    ], (err, bucket) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
        if (err) {
-            log.trace('error processing request', { error: err,
+            log.trace('error processing request', {
-                method: 'bucketPutObjectLock' });
+                error: err,
                method: 'bucketPutObjectLock',
            });
            return callback(err, corsHeaders);
        }
        pushMetric('putBucketObjectLock', log, {
--- a/lib/api/bucketPutPolicy.js
+++ b/lib/api/bucketPutPolicy.js
@ -17,8 +17,7 @@ const { BucketPolicy } = models;
 function _checkNotImplementedPolicy(policyString) {
    // bucket names and key names cannot include "", so including those
    // isolates not implemented keys
-    return policyString.includes('"Condition"')
+    return policyString.includes('"Service"')
    || policyString.includes('"Service"')
    || policyString.includes('"Federated"');
 }
@ -37,7 +36,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutPolicy',
+        requestType: request.apiMethods || 'bucketPutPolicy',
        request,
    };
@ -70,7 +69,7 @@ function bucketPutPolicy(authInfo, request, log, callback) {
                return next(null, bucketPolicy);
            });
        },
-        (bucketPolicy, next) => metadataValidateBucket(metadataValParams, log,
+        (bucketPolicy, next) => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket) => {
                if (err) {
                    return next(err, bucket);
--- a/lib/api/bucketPutReplication.js
+++ b/lib/api/bucketPutReplication.js
@ -27,7 +27,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutReplication',
+        requestType: request.apiMethods || 'bucketPutReplication',
        request,
    };
    return waterfall([
@ -36,7 +36,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
        // Check bucket user privileges and ensure versioning is 'Enabled'.
        (config, next) =>
            // TODO: Validate that destination bucket exists and has versioning.
-            metadataValidateBucket(metadataValParams, log, (err, bucket) => {
+            metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
                if (err) {
                    return next(err);
                }
--- a/lib/api/bucketPutVersioning.js
+++ b/lib/api/bucketPutVersioning.js
@ -87,13 +87,13 @@ function bucketPutVersioning(authInfo, request, log, callback) {
    const metadataValParams = {
        authInfo,
        bucketName,
-        requestType: 'bucketPutVersioning',
+        requestType: request.apiMethods || 'bucketPutVersioning',
        request,
    };
    return waterfall([
        next => _parseXML(request, log, next),
-        next => metadataValidateBucket(metadataValParams, log,
+        next => metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket) => next(err, bucket)), // ignore extra null object,
        (bucket, next) => parseString(request.post, (err, result) => {
            // just for linting; there should not be any parsing error here
--- a/lib/api/bucketPutWebsite.js
+++ b/lib/api/bucketPutWebsite.js
@ -46,7 +46,8 @@ function bucketPutWebsite(authInfo, request, log, callback) {
            });
        },
        function validateBucketAuthorization(bucket, config, next) {
-            if (!isBucketAuthorized(bucket, requestType, canonicalID, authInfo, log, request)) {
+            if (!isBucketAuthorized(bucket, request.apiMethods || requestType, canonicalID, authInfo,
                request.actionImplicitDenies, log, request)) {
                log.debug('access denied for user on bucket', {
                    requestType,
                    method: 'bucketPutWebsite',
--- a/lib/api/completeMultipartUpload.js
+++ b/lib/api/completeMultipartUpload.js
@ -120,7 +120,7 @@ function completeMultipartUpload(authInfo, request, log, callback) {
                // at the destinationBucket level are same as objectPut
                requestType: 'objectPut',
            };
-            metadataValidateBucketAndObj(metadataValParams, log, next);
+            metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log, next);
        },
        function validateMultipart(destBucket, objMD, next) {
            if (objMD) {
@ -190,9 +190,14 @@ function completeMultipartUpload(authInfo, request, log, callback) {
            const mdInfo = { storedParts, mpuOverviewKey, splitter };
            const mpuInfo =
                { objectKey, uploadId, jsonList, bucketName, destBucket };
            const originalIdentityImpDenies = request.actionImplicitDenies;
            // eslint-disable-next-line no-param-reassign
            delete request.actionImplicitDenies;
            return data.completeMPU(request, mpuInfo, mdInfo, location,
            null, null, null, locationConstraintCheck, log,
            (err, completeObjData) => {
                // eslint-disable-next-line no-param-reassign
                request.actionImplicitDenies = originalIdentityImpDenies;
                if (err) {
                    return next(err, destBucket);
                }
--- a/lib/api/initiateMultipartUpload.js
+++ b/lib/api/initiateMultipartUpload.js
@ -253,7 +253,7 @@ function initiateMultipartUpload(authInfo, request, log, callback) {
    }
    async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
            (error, destinationBucket) => {
                const corsHeaders = collectCorsHeaders(request.headers.origin,
                    request.method, destinationBucket);
--- a/lib/api/listMultipartUploads.js
+++ b/lib/api/listMultipartUploads.js
@ -104,7 +104,7 @@ function listMultipartUploads(authInfo, request, log, callback) {
        function waterfall1(next) {
            // Check final destination bucket for authorization rather
            // than multipart upload bucket
-            metadataValidateBucket(metadataValParams, log,
+            metadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
                (err, bucket) => next(err, bucket));
        },
        function getMPUBucket(bucket, next) {
--- a/lib/api/listParts.js
+++ b/lib/api/listParts.js
@ -112,7 +112,7 @@ function listParts(authInfo, request, log, callback) {
    async.waterfall([
        function checkDestBucketVal(next) {
-            metadataValidateBucketAndObj(metadataValParams, log,
+            metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
                (err, destinationBucket) => {
                    if (err) {
                        return next(err, destinationBucket, null);
@ -150,8 +150,13 @@ function listParts(authInfo, request, log, callback) {
                mpuOverviewObj,
                destBucket,
            };
            const originalIdentityImpDenies = request.actionImplicitDenies;
            // eslint-disable-next-line no-param-reassign
            delete request.actionImplicitDenies;
            return data.listParts(mpuInfo, request, locationConstraintCheck,
            log, (err, backendPartList) => {
                // eslint-disable-next-line no-param-reassign
                request.actionImplicitDenies = originalIdentityImpDenies;
                if (err) {
                    return next(err, destBucket);
                }
--- a/lib/api/multiObjectDelete.js
+++ b/lib/api/multiObjectDelete.js
@ -11,7 +11,7 @@ const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const metadata = require('../metadata/wrapper');
 const services = require('../services');
 const vault = require('../auth/vault');
-const { isBucketAuthorized } =
+const { isBucketAuthorized, evaluateBucketPolicyWithIAM } =
    require('./apiUtils/authorization/permissionChecks');
 const { preprocessingVersioningDelete }
    = require('./apiUtils/object/versioning');
@ -385,15 +385,37 @@ function multiObjectDelete(authInfo, request, log, callback) {
                    return next(null, quietSetting, objects);
                });
        },
-        function checkPolicies(quietSetting, objects, next) {
+        function checkBucketMetadata(quietSetting, objects, next) {
            const errorResults = [];
            return metadata.getBucket(bucketName, log, (err, bucketMD) => {
                if (err) {
                    log.trace('error retrieving bucket metadata', { error: err });
                    return next(err);
                }
                if (bucketShield(bucketMD, 'objectDelete')) {
                    return next(errors.NoSuchBucket);
                }
                if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo,
                    request.actionImplicitDenies, authInfo)) {
                    log.trace("access denied due to bucket acl's");
                    objects.forEach(entry => {
                        errorResults.push({
                            entry,
                            error: errors.AccessDenied,
                        });
                    });
                    return next(null, quietSetting, errorResults, [], bucketMD);
                }
                return next(null, quietSetting, errorResults, objects, bucketMD);
            });
        },
        function checkPolicies(quietSetting, errorResults, objects, bucketMD, next) {
            // track keys that are still on track to be deleted
            const inPlay = [];
-            const errorResults = [];
+
            // if request from account, no need to check policies
            // all objects are inPlay so send array of object keys
            // as inPlay argument
            if (!authInfo.isRequesterAnIAMUser()) {
-                return next(null, quietSetting, errorResults, objects);
+                return next(null, quietSetting, errorResults, objects, bucketMD);
            }
            // TODO: once arsenal's extractParams is separated from doAuth
@ -429,7 +451,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
            };
            return vault.checkPolicies(requestContextParams, authInfo.getArn(),
                log, (err, authorizationResults) => {
                    // there were no policies so received a blanket AccessDenied
                    if (err && err.is.AccessDenied) {
                        objects.forEach(entry => {
                            errorResults.push({
@ -437,7 +458,7 @@ function multiObjectDelete(authInfo, request, log, callback) {
                                error: errors.AccessDenied });
                        });
                        // send empty array for inPlay
-                        return next(null, quietSetting, errorResults, []);
+                        return next(null, quietSetting, errorResults, [], bucketMD);
                    }
                    if (err) {
                        log.trace('error checking policies', {
@ -455,6 +476,16 @@ function multiObjectDelete(authInfo, request, log, callback) {
                        });
                        return next(errors.InternalError);
                    }
                    // Convert authorization results into an easier to handle format
                    const iamAuthzResults = authorizationResults.reduce((acc, curr, idx) => {
                        const apiMethod = requestContextParams[idx].apiMethod;
                        // eslint-disable-next-line no-param-reassign
                        acc[apiMethod] = curr.isImplicit;
                        return acc;
                    }, {});
                    for (let i = 0; i < authorizationResults.length; i++) {
                        const result = authorizationResults[i];
                        // result is { isAllowed: true,
@ -470,7 +501,27 @@ function multiObjectDelete(authInfo, request, log, callback) {
                            key: result.arn.slice(slashIndex + 1),
                            versionId: result.versionId,
                        };
-                        if (result.isAllowed) {
+
                        // Deny immediately if there is an explicit deny
                        if (!result.isImplicit && !result.isAllowed) {
                            errorResults.push({
                                entry,
                                error: errors.AccessDenied,
                            });
                            continue;
                        }
                        // Evaluate against the bucket policies
                        const areAllActionsAllowed = evaluateBucketPolicyWithIAM(
                            bucketMD,
                            Object.keys(iamAuthzResults),
                            canonicalID,
                            authInfo,
                            iamAuthzResults,
                            log,
                            request);
                        if (areAllActionsAllowed) {
                            inPlay.push(entry);
                        } else {
                            errorResults.push({
@ -479,47 +530,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
                            });
                        }
                    }
                    return next(null, quietSetting, errorResults, inPlay);
                });
        },
        function checkBucketMetadata(quietSetting, errorResults, inPlay, next) {
            // if no objects in play, no need to check ACLs / get metadata,
            // just move on if there is no Origin header
            if (inPlay.length === 0 && !request.headers.origin) {
                return next(null, quietSetting, errorResults, inPlay,
                    undefined);
            }
            return metadata.getBucket(bucketName, log, (err, bucketMD) => {
                if (err) {
                    log.trace('error retrieving bucket metadata',
                        { error: err });
                    return next(err);
                }
                // check whether bucket has transient or deleted flag
                if (bucketShield(bucketMD, 'objectDelete')) {
                    return next(errors.NoSuchBucket);
                }
                // if no objects in play, no need to check ACLs
                if (inPlay.length === 0) {
                    return next(null, quietSetting, errorResults, inPlay,
                        bucketMD);
                }
                if (!isBucketAuthorized(bucketMD, 'objectDelete', canonicalID, authInfo, log, request)) {
                    log.trace("access denied due to bucket acl's");
                    // if access denied at the bucket level, no access for
                    // any of the objects so all results will be error results
                    inPlay.forEach(entry => {
                        errorResults.push({
                            entry,
                            error: errors.AccessDenied,
                        });
                    });
                    // by sending an empty array as the inPlay array
                    // async.forEachLimit below will not actually
                    // make any calls to metadata or data but will continue on
                    // to the next step to build xml
                    return next(null, quietSetting, errorResults, [], bucketMD);
                }
                    return next(null, quietSetting, errorResults, inPlay, bucketMD);
                });
        },
--- a/lib/api/objectCopy.js
+++ b/lib/api/objectCopy.js
@ -245,7 +245,7 @@ function objectCopy(authInfo, request, sourceBucket,
    }
    return async.waterfall([
        function checkDestAuth(next) {
-            return metadataValidateBucketAndObj(valPutParams, log,
+            return metadataValidateBucketAndObj(valPutParams, request.actionImplicitDenies, log,
                (err, destBucketMD, destObjMD) => {
                    if (err) {
                        log.debug('error validating put part of request',
@ -263,7 +263,7 @@ function objectCopy(authInfo, request, sourceBucket,
                });
        },
        function checkSourceAuthorization(destBucketMD, destObjMD, next) {
-            return metadataValidateBucketAndObj(valGetParams, log,
+            return metadataValidateBucketAndObj(valGetParams, request.actionImplicitDenies, log,
                (err, sourceBucketMD, sourceObjMD) => {
                    if (err) {
                        log.debug('error validating get part of request',
@ -408,10 +408,15 @@ function objectCopy(authInfo, request, sourceBucket,
                return next(null, storeMetadataParams, dataLocator, destObjMD,
                    serverSideEncryption, destBucketMD);
            }
            const originalIdentityImpDenies = request.actionImplicitDenies;
            // eslint-disable-next-line no-param-reassign
            delete request.actionImplicitDenies;
            return data.copyObject(request, sourceLocationConstraintName,
              storeMetadataParams, dataLocator, dataStoreContext,
              backendInfoDest, sourceBucketMD, destBucketMD, serverSideEncryption, log,
            (err, results) => {
                // eslint-disable-next-line no-param-reassign
                request.actionImplicitDenies = originalIdentityImpDenies;
                if (err) {
                    return next(err, destBucketMD);
                }
--- a/lib/api/objectDelete.js
+++ b/lib/api/objectDelete.js
@ -56,7 +56,7 @@ function objectDelete(authInfo, request, log, cb) {
    const canonicalID = authInfo.getCanonicalID();
    return async.waterfall([
        function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(valParams, log,
+            return metadataValidateBucketAndObj(valParams, request.actionImplicitDenies, log,
                (err, bucketMD, objMD) => {
                if (err) {
                    return next(err, bucketMD);
--- a/lib/api/objectDeleteTagging.js
+++ b/lib/api/objectDeleteTagging.js
@ -46,7 +46,7 @@ function objectDeleteTagging(authInfo, request, log, callback) {
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
          (err, bucket, objectMD) => {
              if (err) {
                  log.trace('request authorization failed',
--- a/lib/api/objectGet.js
+++ b/lib/api/objectGet.js
@ -48,7 +48,7 @@ function objectGet(authInfo, request, returnTagCount, log, callback) {
        request,
    };
-    return metadataValidateBucketAndObj(mdValParams, log,
+    return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
    (err, bucket, objMD) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, bucket);
--- a/lib/api/objectGetACL.js
+++ b/lib/api/objectGetACL.js
@ -71,7 +71,7 @@ function objectGetACL(authInfo, request, log, callback) {
    return async.waterfall([
        function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(metadataValParams, log,
+            return metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
                (err, bucket, objectMD) => {
                    if (err) {
                        log.trace('request authorization failed',
--- a/lib/api/objectGetLegalHold.js
+++ b/lib/api/objectGetLegalHold.js
@ -43,7 +43,7 @@ function objectGetLegalHold(authInfo, request, log, callback) {
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket, objectMD) => {
                if (err) {
                    log.trace('request authorization failed',
--- a/lib/api/objectGetRetention.js
+++ b/lib/api/objectGetRetention.js
@ -43,7 +43,7 @@ function objectGetRetention(authInfo, request, log, callback) {
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket, objectMD) => {
                if (err) {
                    log.trace('request authorization failed',
--- a/lib/api/objectGetTagging.js
+++ b/lib/api/objectGetTagging.js
@ -43,7 +43,7 @@ function objectGetTagging(authInfo, request, log, callback) {
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
          (err, bucket, objectMD) => {
              if (err) {
                  log.trace('request authorization failed',
--- a/lib/api/objectHead.js
+++ b/lib/api/objectHead.js
@ -48,7 +48,7 @@ function objectHead(authInfo, request, log, callback) {
        request,
    };
-    return metadataValidateBucketAndObj(mdValParams, log,
+    return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log,
        (err, bucket, objMD) => {
            const corsHeaders = collectCorsHeaders(request.headers.origin,
                request.method, bucket);
--- a/lib/api/objectPut.js
+++ b/lib/api/objectPut.js
@ -57,7 +57,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
    }
    const invalidSSEError = errors.InvalidArgument.customizeDescription(
        'The encryption method specified is not supported');
-    const requestType = 'objectPut';
+    const requestType = request.apiMethods || 'objectPut';
    const valParams = { authInfo, bucketName, objectKey, requestType, request };
    const canonicalID = authInfo.getCanonicalID();
@ -68,8 +68,7 @@ function objectPut(authInfo, request, streamingV4Params, log, callback) {
    }
    log.trace('owner canonicalID to send to data', { canonicalID });
-
+    return metadataValidateBucketAndObj(valParams, request.actionImplicitDenies, log,
    return metadataValidateBucketAndObj(valParams, log,
    (err, bucket, objMD) => {
        const responseHeaders = collectCorsHeaders(headers.origin,
            method, bucket);
--- a/lib/api/objectPutACL.js
+++ b/lib/api/objectPutACL.js
@ -7,8 +7,7 @@ const { pushMetric } = require('../utapi/utilities');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const constants = require('../../constants');
 const vault = require('../auth/vault');
-const { decodeVersionId, getVersionIdResHeader }
+const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
    = require('./apiUtils/object/versioning');
 const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 /*
@ -43,8 +42,8 @@ const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 */
 function objectPutACL(authInfo, request, log, cb) {
    log.debug('processing request', { method: 'objectPutACL' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
-    const objectKey = request.objectKey;
+    const { objectKey } = request;
    const newCannedACL = request.headers['x-amz-acl'];
    const possibleCannedACL = [
        'private',
@ -82,8 +81,8 @@ function objectPutACL(authInfo, request, log, cb) {
        authInfo,
        bucketName,
        objectKey,
        requestType: 'objectPutACL',
        versionId: reqVersionId,
        requestType: request.apiMethods || 'objectPutACL',
    };
    const possibleGrants = ['FULL_CONTROL', 'WRITE_ACP', 'READ', 'READ_ACP'];
@ -95,26 +94,26 @@ function objectPutACL(authInfo, request, log, cb) {
        READ_ACP: [],
    };
-    const grantReadHeader =
+    const grantReadHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
-        aclUtils.parseGrant(request.headers['x-amz-grant-read'], 'READ');
+    const grantReadACPHeader = aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
    const grantReadACPHeader =
        aclUtils.parseGrant(request.headers['x-amz-grant-read-acp'],
        'READ_ACP');
    const grantWriteACPHeader = aclUtils.parseGrant(
-        request.headers['x-amz-grant-write-acp'], 'WRITE_ACP');
+        request.headers['x-amz-grant-write-acp'], 'WRITE_ACP',
    );
    const grantFullControlHeader = aclUtils.parseGrant(
-        request.headers['x-amz-grant-full-control'], 'FULL_CONTROL');
+        request.headers['x-amz-grant-full-control'], 'FULL_CONTROL',
    );
    return async.waterfall([
        function validateBucketAndObj(next) {
-            return metadataValidateBucketAndObj(metadataValParams, log,
+            return metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
                (err, bucket, objectMD) => {
                    if (err) {
                        return next(err);
                    }
                    if (!objectMD) {
-                        const err = reqVersionId ? errors.NoSuchVersion :
+                        const err = reqVersionId ? errors.NoSuchVersion
-                            errors.NoSuchKey;
+                            : errors.NoSuchKey;
                        return next(err, bucket);
                    }
                    if (objectMD.isDeleteMarker) {
@ -216,22 +215,24 @@ function objectPutACL(authInfo, request, log, cb) {
            } else {
                // If no canned ACL and no parsed xml, loop
                // through the access headers
-                const allGrantHeaders =
+                const allGrantHeaders = [].concat(grantReadHeader,
                    [].concat(grantReadHeader,
                    grantReadACPHeader, grantWriteACPHeader,
                    grantFullControlHeader);
-                usersIdentifiedByEmail = allGrantHeaders.filter(item =>
+                usersIdentifiedByEmail = allGrantHeaders.filter(item => item
-                    item && item.userIDType.toLowerCase() === 'emailaddress');
+                    && item.userIDType.toLowerCase() === 'emailaddress');
                usersIdentifiedByGroup = allGrantHeaders
                    .filter(itm => itm && itm.userIDType
                        .toLowerCase() === 'uri');
-                for (let i = 0; i < usersIdentifiedByGroup.length; i++) {
+                for (let i = 0; i < usersIdentifiedByGroup.length; i += 1) {
                    if (possibleGroups.indexOf(
-                            usersIdentifiedByGroup[i].identifier) < 0) {
+                        usersIdentifiedByGroup[i].identifier,
                    ) < 0) {
                        log.trace('invalid user group',
-                            { userGroup: usersIdentifiedByGroup[i]
+                            {
-                                 .identifier });
+                                userGroup: usersIdentifiedByGroup[i]
                                    .identifier,
                            });
                        return next(errors.InvalidArgument, bucket);
                    }
                }
@ -259,18 +260,20 @@ function objectPutACL(authInfo, request, log, cb) {
                        const allUsers = [].concat(
                            reconstructedUsersIdentifiedByEmail,
                            usersIdentifiedByID,
-                            usersIdentifiedByGroup);
+                            usersIdentifiedByGroup,
                        );
                        const revisedAddACLParams = aclUtils
                            .sortHeaderGrants(allUsers, addACLParams);
                        return next(null, bucket, objectMD,
                            revisedAddACLParams);
-                    });
+                    },
                );
            }
            const allUsers = [].concat(
                usersIdentifiedByID,
-                usersIdentifiedByGroup);
+                usersIdentifiedByGroup,
-            const revisedAddACLParams =
+            );
-                aclUtils.sortHeaderGrants(allUsers, addACLParams);
+            const revisedAddACLParams = aclUtils.sortHeaderGrants(allUsers, addACLParams);
            return next(null, bucket, objectMD, revisedAddACLParams);
        },
        function addAclsToObjMD(bucket, objectMD, ACLParams, next) {
@ -292,8 +295,7 @@ function objectPutACL(authInfo, request, log, cb) {
        }
        const verCfg = bucket.getVersioningConfiguration();
-        resHeaders['x-amz-version-id'] =
+        resHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
            getVersionIdResHeader(verCfg, objectMD);
        log.trace('processed request successfully in object put acl api');
        pushMetric('putObjectAcl', log, {
--- a/lib/api/objectPutCopyPart.js
+++ b/lib/api/objectPutCopyPart.js
@ -1,12 +1,12 @@
 const async = require('async');
 const { errors, versioning, s3middleware } = require('arsenal');
 const validateHeaders = s3middleware.validateConditionalHeaders;
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const constants = require('../../constants');
 const { data } = require('../data/wrapper');
-const locationConstraintCheck =
+const locationConstraintCheck = require('./apiUtils/object/locationConstraintCheck');
    require('./apiUtils/object/locationConstraintCheck');
 const metadata = require('../metadata/wrapper');
 const { pushMetric } = require('../utapi/utilities');
 const logger = require('../utilities/logger');
@ -58,8 +58,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
    // Note that keys in the query object retain their case, so
    // request.query.uploadId must be called with that exact
    // capitalization
-    const uploadId = request.query.uploadId;
+    const { uploadId } = request.query;
    const valPutParams = {
        authInfo,
        bucketName: destBucketName,
@ -89,26 +88,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
    return async.waterfall([
        function checkDestAuth(next) {
-            return metadataValidateBucketAndObj(valPutParams, log,
+            return metadataValidateBucketAndObj(valPutParams, request.actionImplicitDenies, log,
                (err, destBucketMD) => {
                    if (err) {
-                        log.debug('error validating authorization for ' +
+                        log.debug('error validating authorization for '
-                        'destination bucket',
+                            + 'destination bucket',
                            { error: err });
                        return next(err, destBucketMD);
                    }
                    const flag = destBucketMD.hasDeletedFlag()
                        || destBucketMD.hasTransientFlag();
                    if (flag) {
-                        log.trace('deleted flag or transient flag ' +
+                        log.trace('deleted flag or transient flag '
-                        'on destination bucket', { flag });
+                            + 'on destination bucket', { flag });
                        return next(errors.NoSuchBucket);
                    }
                    return next(null, destBucketMD);
                });
        },
        function checkSourceAuthorization(destBucketMD, next) {
-            return metadataValidateBucketAndObj(valGetParams, log,
+            return metadataValidateBucketAndObj(valGetParams, request.actionImplicitDenies, log,
                (err, sourceBucketMD, sourceObjMD) => {
                    if (err) {
                        log.debug('error validating get part of request',
@ -117,28 +116,26 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                    }
                    if (!sourceObjMD) {
                        log.debug('no source object', { sourceObject });
-                        const err = reqVersionId ? errors.NoSuchVersion :
+                        const err = reqVersionId ? errors.NoSuchVersion
-                            errors.NoSuchKey;
+                            : errors.NoSuchKey;
                        return next(err, destBucketMD);
                    }
-                    let sourceLocationConstraintName =
+                    let sourceLocationConstraintName = sourceObjMD.dataStoreName;
                        sourceObjMD.dataStoreName;
                    // for backwards compatibility before storing dataStoreName
                    // TODO: handle in objectMD class
-                    if (!sourceLocationConstraintName &&
+                    if (!sourceLocationConstraintName
-                        sourceObjMD.location[0] &&
+                        && sourceObjMD.location[0]
-                        sourceObjMD.location[0].dataStoreName) {
+                        && sourceObjMD.location[0].dataStoreName) {
-                        sourceLocationConstraintName =
+                        sourceLocationConstraintName = sourceObjMD.location[0].dataStoreName;
                            sourceObjMD.location[0].dataStoreName;
                    }
                    if (sourceObjMD.isDeleteMarker) {
                        log.debug('delete marker on source object',
                            { sourceObject });
                        if (reqVersionId) {
                            const err = errors.InvalidRequest
-                            .customizeDescription('The source of a copy ' +
+                                .customizeDescription('The source of a copy '
-                            'request may not specifically refer to a delete' +
+                                    + 'request may not specifically refer to a delete'
-                            'marker by version id.');
+                                    + 'marker by version id.');
                            return next(err, destBucketMD);
                        }
                        // if user specifies a key in a versioned source bucket
@ -146,8 +143,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                        // delete marker, return NoSuchKey
                        return next(errors.NoSuchKey, destBucketMD);
                    }
-                    const headerValResult =
+                    const headerValResult = validateHeaders(request.headers,
                        validateHeaders(request.headers,
                        sourceObjMD['last-modified'],
                        sourceObjMD['content-md5']);
                    if (headerValResult.error) {
@ -162,15 +158,15 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                    // If specific version requested, include copy source
                    // version id in response. Include in request by default
                    // if versioning is enabled or suspended.
-                    if (sourceBucketMD.getVersioningConfiguration() ||
+                    if (sourceBucketMD.getVersioningConfiguration()
-                    reqVersionId) {
+                        || reqVersionId) {
                        if (sourceObjMD.isNull || !sourceObjMD.versionId) {
                            sourceVerId = 'null';
                        } else {
-                            sourceVerId =
+                            sourceVerId = versionIdUtils.encode(
                                versionIdUtils.encode(
                                sourceObjMD.versionId,
-                                    config.versionIdEncodingType);
+                                config.versionIdEncodingType,
                            );
                        }
                    }
                    return next(null, copyLocator.dataLocator, destBucketMD,
@ -195,7 +191,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                        });
                        return next(err);
                    }
-                    let splitter = constants.splitter;
+                    let { splitter } = constants;
                    if (mpuBucket.getMdBucketModelVersion() < 2) {
                        splitter = constants.oldSplitter;
                    }
@ -209,8 +205,7 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
        function getMpuOverviewObject(dataLocator, destBucketMD,
            copyObjectSize, sourceVerId, splitter,
            sourceLocationConstraintName, next) {
-            const mpuOverviewKey =
+            const mpuOverviewKey = `overview${splitter}${destObjectKey}${splitter}${uploadId}`;
                `overview${splitter}${destObjectKey}${splitter}${uploadId}`;
            return metadata.getObjectMD(mpuBucketName, mpuOverviewKey,
                null, log, (err, res) => {
                    if (err) {
@ -218,22 +213,21 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                        if (err.NoSuchKey) {
                            return next(errors.NoSuchUpload);
                        }
-                            log.error('error getting overview object from ' +
+                        log.error('error getting overview object from '
-                                'mpu bucket', {
+                            + 'mpu bucket', {
                                error: err,
-                                    method: 'objectPutCopyPart::' +
+                                method: 'objectPutCopyPart::'
-                                        'metadata.getObjectMD',
+                                + 'metadata.getObjectMD',
                            });
                        return next(err);
                    }
                    const initiatorID = res.initiator.ID;
-                        const requesterID = authInfo.isRequesterAnIAMUser() ?
+                    const requesterID = authInfo.isRequesterAnIAMUser()
-                            authInfo.getArn() : authInfo.getCanonicalID();
+                        ? authInfo.getArn() : authInfo.getCanonicalID();
                    if (initiatorID !== requesterID) {
                        return next(errors.AccessDenied);
                    }
-                        const destObjLocationConstraint =
+                    const destObjLocationConstraint = res.controllingLocationConstraint;
                            res.controllingLocationConstraint;
                    return next(null, dataLocator, destBucketMD,
                        destObjLocationConstraint, copyObjectSize,
                        sourceVerId, sourceLocationConstraintName, splitter);
@ -249,6 +243,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
            splitter,
            next,
        ) {
            const originalIdentityImpDenies = request.actionImplicitDenies;
            // eslint-disable-next-line no-param-reassign
            delete request.actionImplicitDenies;
            data.uploadPartCopy(
                request,
                log,
@ -259,6 +256,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                dataStoreContext,
                locationConstraintCheck,
                (error, eTag, lastModified, serverSideEncryption, locations) => {
                    // eslint-disable-next-line no-param-reassign
                    request.actionImplicitDenies = originalIdentityImpDenies;
                    if (error) {
                        if (error.message === 'skip') {
                            return next(skipError, destBucketMD, eTag,
@ -270,13 +269,13 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                    return next(null, destBucketMD, locations, eTag,
                        copyObjectSize, sourceVerId, serverSideEncryption,
                        lastModified, splitter);
-                });
+                },
            );
        },
        function getExistingPartInfo(destBucketMD, locations, totalHash,
            copyObjectSize, sourceVerId, serverSideEncryption, lastModified,
            splitter, next) {
-            const partKey =
+            const partKey = `${uploadId}${constants.splitter}${paddedPartNumber}`;
                `${uploadId}${constants.splitter}${paddedPartNumber}`;
            metadata.getObjectMD(mpuBucketName, partKey, {}, log,
                (err, result) => {
                    // If there is nothing being overwritten just move on
@ -294,8 +293,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
                        // Pull locations to clean up any potential orphans
                        // in data if object put is an overwrite of
                        // already existing object with same key and part number
-                        oldLocations = Array.isArray(oldLocations) ?
+                        oldLocations = Array.isArray(oldLocations)
-                            oldLocations : [oldLocations];
+                            ? oldLocations : [oldLocations];
                    }
                    return next(null, destBucketMD, locations, totalHash,
                        prevObjectSize, copyObjectSize, sourceVerId,
@ -370,7 +369,8 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
            // data locations) has been stored
            if (oldLocationsToDelete) {
                const delLog = logger.newRequestLoggerFromSerializedUids(
-                    log.getSerializedUids());
+                    log.getSerializedUids(),
                );
                return data.batchDelete(oldLocationsToDelete, request.method, null,
                    delLog, err => {
                        if (err) {
@ -409,11 +409,9 @@ function objectPutCopyPart(authInfo, request, sourceBucket,
        const additionalHeaders = corsHeaders || {};
        if (serverSideEncryption) {
-            additionalHeaders['x-amz-server-side-encryption'] =
+            additionalHeaders['x-amz-server-side-encryption'] = serverSideEncryption.algorithm;
                serverSideEncryption.algorithm;
            if (serverSideEncryption.algorithm === 'aws:kms') {
-                additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id']
+                additionalHeaders['x-amz-server-side-encryption-aws-kms-key-id'] = serverSideEncryption.masterKeyId;
                    = serverSideEncryption.masterKeyId;
            }
        }
        additionalHeaders['x-amz-copy-source-version-id'] = sourceVerId;
--- a/lib/api/objectPutLegalHold.js
+++ b/lib/api/objectPutLegalHold.js
@ -40,13 +40,13 @@ function objectPutLegalHold(authInfo, request, log, callback) {
        authInfo,
        bucketName,
        objectKey,
        requestType: 'objectPutLegalHold',
        versionId,
        requestType: request.apiMethods || 'objectPutLegalHold',
        request,
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
        (err, bucket, objectMD) => {
            if (err) {
                log.trace('request authorization failed',
--- a/lib/api/objectPutPart.js
+++ b/lib/api/objectPutPart.js
@ -87,6 +87,7 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
    const uploadId = request.query.uploadId;
    const mpuBucketName = `${constants.mpuBucketPrefix}${bucketName}`;
    const objectKey = request.objectKey;
    const originalIdentityImpDenies = request.actionImplicitDenies;
    return async.waterfall([
        // Get the destination bucket.
@ -109,7 +110,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
            // For validating the request at the destinationBucket level the
            // `requestType` is the general 'objectPut'.
            const requestType = 'objectPut';
-            if (!isBucketAuthorized(destinationBucket, requestType, canonicalID, authInfo, log, request)) {
+            if (!isBucketAuthorized(destinationBucket, request.apiMethods || requestType, canonicalID, authInfo,
                request.actionImplicitDenies, log, request)) {
                log.debug('access denied for user on bucket', { requestType });
                return next(errors.AccessDenied, destinationBucket);
            }
@ -196,6 +198,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
                partNumber,
                bucketName,
            };
            // eslint-disable-next-line no-param-reassign
            delete request.actionImplicitDenies;
            writeContinue(request, request._response);
            return data.putPart(request, mpuInfo, streamingV4Params,
                objectLocationConstraint, locationConstraintCheck, log,
@ -378,6 +382,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
    ], (err, destinationBucket, hexDigest, prevObjectSize) => {
        const corsHeaders = collectCorsHeaders(request.headers.origin,
            request.method, destinationBucket);
        // eslint-disable-next-line no-param-reassign
        request.actionImplicitDenies = originalIdentityImpDenies;
        if (err) {
            if (err === skipError) {
                return cb(null, hexDigest, corsHeaders);
--- a/lib/api/objectPutRetention.js
+++ b/lib/api/objectPutRetention.js
@ -41,13 +41,28 @@ function objectPutRetention(authInfo, request, log, callback) {
        authInfo,
        bucketName,
        objectKey,
        requestType: 'objectPutRetention',
        versionId: reqVersionId,
        requestType: request.apiMethods || 'objectPutRetention',
        request,
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => {
            log.trace('parsing retention information');
            parseRetentionXml(request.post, log,
                (err, retentionInfo) => {
                    if (err) {
                        log.trace('error parsing retention information',
                            { error: err });
                        return next(err);
                    }
                    const remainingDays = Math.ceil(
                        (new Date(retentionInfo.date) - Date.now()) / (1000 * 3600 * 24));
                    metadataValParams.request.objectLockRetentionDays = remainingDays;
                    return next(null, retentionInfo);
                });
        },
        (retentionInfo, next) => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
            (err, bucket, objectMD) => {
                if (err) {
                    log.trace('request authorization failed',
@ -64,6 +79,8 @@ function objectPutRetention(authInfo, request, log, callback) {
                if (objectMD.isDeleteMarker) {
                    log.trace('version is a delete marker',
                        { method: 'objectPutRetention' });
                    // FIXME we should return a `x-amz-delete-marker: true` header,
                    // see S3C-7592
                    return next(errors.MethodNotAllowed, bucket);
                }
                if (!bucket.isObjectLockEnabled()) {
@ -73,13 +90,8 @@ function objectPutRetention(authInfo, request, log, callback) {
                        'Bucket is missing Object Lock Configuration'
                    ), bucket);
                }
-            return next(null, bucket, objectMD);
+                return next(null, bucket, retentionInfo, objectMD);
            }),
        (bucket, objectMD, next) => {
            log.trace('parsing retention information');
            parseRetentionXml(request.post, log,
                (err, retentionInfo) => next(err, bucket, retentionInfo, objectMD));
        },
        (bucket, retentionInfo, objectMD, next) => {
            const hasGovernanceBypass = hasGovernanceBypassHeader(request.headers);
            if (hasGovernanceBypass && authInfo.isRequesterAnIAMUser()) {
--- a/lib/api/objectPutTagging.js
+++ b/lib/api/objectPutTagging.js
@ -1,8 +1,7 @@
 const async = require('async');
 const { errors, s3middleware } = require('arsenal');
-const { decodeVersionId, getVersionIdResHeader } =
+const { decodeVersionId, getVersionIdResHeader } = require('./apiUtils/object/versioning');
  require('./apiUtils/object/versioning');
 const { metadataValidateBucketAndObj } = require('../metadata/metadataUtils');
 const { pushMetric } = require('../utapi/utilities');
@ -10,6 +9,7 @@ const getReplicationInfo = require('./apiUtils/object/getReplicationInfo');
 const collectCorsHeaders = require('../utilities/collectCorsHeaders');
 const metadata = require('../metadata/wrapper');
 const { data } = require('../data/wrapper');
 const { parseTagXml } = s3middleware.tagging;
 const REPLICATION_ACTION = 'PUT_TAGGING';
@ -24,8 +24,8 @@ const REPLICATION_ACTION = 'PUT_TAGGING';
 function objectPutTagging(authInfo, request, log, callback) {
    log.debug('processing request', { method: 'objectPutTagging' });
-    const bucketName = request.bucketName;
+    const { bucketName } = request;
-    const objectKey = request.objectKey;
+    const { objectKey } = request;
    const decodedVidResult = decodeVersionId(request.query);
    if (decodedVidResult instanceof Error) {
@ -41,13 +41,13 @@ function objectPutTagging(authInfo, request, log, callback) {
        authInfo,
        bucketName,
        objectKey,
        requestType: 'objectPutTagging',
        versionId: reqVersionId,
        requestType: request.apiMethods || 'objectPutTagging',
        request,
    };
    return async.waterfall([
-        next => metadataValidateBucketAndObj(metadataValParams, log,
+        next => metadataValidateBucketAndObj(metadataValParams, request.actionImplicitDenies, log,
          (err, bucket, objectMD) => {
              if (err) {
                  log.trace('request authorization failed',
@ -70,8 +70,7 @@ function objectPutTagging(authInfo, request, log, callback) {
          }),
        (bucket, objectMD, next) => {
            log.trace('parsing tag(s)');
-            parseTagXml(request.post, log, (err, tags) =>
+            parseTagXml(request.post, log, (err, tags) => next(err, bucket, tags, objectMD));
              next(err, bucket, tags, objectMD));
        },
        (bucket, tags, objectMD, next) => {
            // eslint-disable-next-line no-param-reassign
@ -88,12 +87,10 @@ function objectPutTagging(authInfo, request, log, callback) {
            // eslint-disable-next-line no-param-reassign
            objectMD.originOp = 's3:ObjectTagging:Put';
            metadata.putObjectMD(bucket.getName(), objectKey, objectMD, params,
-            log, err =>
+                log, err => next(err, bucket, objectMD));
                next(err, bucket, objectMD));
        },
        (bucket, objectMD, next) =>
        // if external backend handles tagging
-            data.objectTagging('Put', objectKey, bucket, objectMD,
+        (bucket, objectMD, next) => data.objectTagging('Put', objectKey, bucket, objectMD,
            log, err => next(err, bucket, objectMD)),
    ], (err, bucket, objectMD) => {
        const additionalResHeaders = collectCorsHeaders(request.headers.origin,
@ -110,8 +107,7 @@ function objectPutTagging(authInfo, request, log, callback) {
                location: objectMD ? objectMD.dataStoreName : undefined,
            });
            const verCfg = bucket.getVersioningConfiguration();
-            additionalResHeaders['x-amz-version-id'] =
+            additionalResHeaders['x-amz-version-id'] = getVersionIdResHeader(verCfg, objectMD);
                getVersionIdResHeader(verCfg, objectMD);
        }
        return callback(err, additionalResHeaders);
    });
--- a/lib/api/websiteGet.js
+++ b/lib/api/websiteGet.js
@ -21,12 +21,13 @@ const { pushMetric } = require('../utapi/utilities');
 * @param {string} objectKey - object key from request (or as translated in
 * websiteGet)
 * @param {object} corsHeaders - CORS-related response headers
 * @param {object} request - normalized request object
 * @param {object} log - Werelogs instance
 * @param {function} callback - callback to function in route
 * @return {undefined}
 */
 function _errorActions(err, errorDocument, routingRules,
-    bucket, objectKey, corsHeaders, log, callback) {
+    bucket, objectKey, corsHeaders, request, log, callback) {
    const bucketName = bucket.getName();
    const errRoutingRule = findRoutingRule(routingRules,
        objectKey, err.code);
@ -47,7 +48,7 @@ function _errorActions(err, errorDocument, routingRules,
                // return the default error message if the object is private
                // rather than sending a stored error file
                if (!isObjAuthorized(bucket, errObjMD, 'objectGet',
-                    constants.publicId, null, log)) {
+                    constants.publicId, null, request.actionImplicitDenies, log)) {
                    log.trace('errorObj not authorized', { error: err });
                    return callback(err, true, null, corsHeaders);
                }
@ -144,7 +145,7 @@ function websiteGet(request, log, callback) {
                    { error: err });
                    let returnErr = err;
                    const bucketAuthorized = isBucketAuthorized(bucket,
-                      'bucketGet', constants.publicId, null, log, request);
+                      'bucketGet', constants.publicId, null, request.actionImplicitDenies, log, request);
                    // if index object does not exist and bucket is private AWS
                    // returns 403 - AccessDenied error.
                    if (err.is.NoSuchKey && !bucketAuthorized) {
@ -152,16 +153,16 @@ function websiteGet(request, log, callback) {
                    }
                    return _errorActions(returnErr,
                      websiteConfig.getErrorDocument(), routingRules,
-                      bucket, reqObjectKey, corsHeaders, log,
+                      bucket, reqObjectKey, corsHeaders, request, log,
                      callback);
                }
                if (!isObjAuthorized(bucket, objMD, 'objectGet',
-                    constants.publicId, null, log, request)) {
+                    constants.publicId, null, request.actionImplicitDenies, log, request)) {
                    const err = errors.AccessDenied;
                    log.trace('request not authorized', { error: err });
                    return _errorActions(err, websiteConfig.getErrorDocument(),
                        routingRules, bucket,
-                        reqObjectKey, corsHeaders, log, callback);
+                        reqObjectKey, corsHeaders, request, log, callback);
                }
                const headerValResult = validateHeaders(request.headers,
@ -171,7 +172,7 @@ function websiteGet(request, log, callback) {
                    log.trace('header validation error', { error: err });
                    return _errorActions(err, websiteConfig.getErrorDocument(),
                        routingRules, bucket, reqObjectKey,
-                        corsHeaders, log, callback);
+                        corsHeaders, request, log, callback);
                }
                // check if object to serve has website redirect header
                // Note: AWS prioritizes website configuration rules over
--- a/lib/api/websiteHead.js
+++ b/lib/api/websiteHead.js
@ -104,7 +104,7 @@ function websiteHead(request, log, callback) {
                    { error: err });
                    let returnErr = err;
                    const bucketAuthorized = isBucketAuthorized(bucket,
-                      'bucketGet', constants.publicId, null, log, request);
+                      'bucketGet', constants.publicId, null, request.actionImplicitDenies, log, request);
                    // if index object does not exist and bucket is private AWS
                    // returns 403 - AccessDenied error.
                    if (err.is.NoSuchKey && !bucketAuthorized) {
@ -114,7 +114,7 @@ function websiteHead(request, log, callback) {
                        reqObjectKey, corsHeaders, log, callback);
                }
                if (!isObjAuthorized(bucket, objMD, 'objectGet',
-                    constants.publicId, null, log, request)) {
+                    constants.publicId, null, request.actionImplicitDenies, log, request)) {
                    const err = errors.AccessDenied;
                    log.trace('request not authorized', { error: err });
                    return _errorActions(err, routingRules, reqObjectKey,
--- a/lib/metadata/metadataUtils.js
+++ b/lib/metadata/metadataUtils.js
@ -42,7 +42,6 @@ function getNullVersion(objMD, bucketName, objectKey, log, cb) {
 * NOTE: If the value of `versionId` param is 'null', this function returns the
 * master version objMD. The null version object md must be retrieved in a
 * separate step using the master object md: see getNullVersion().
 * @param {string} requestType - type of request
 * @param {string} bucketName - name of bucket
 * @param {string} objectKey - name of object key
 * @param {string} [versionId] - version of object to retrieve
@ -50,7 +49,7 @@ function getNullVersion(objMD, bucketName, objectKey, log, cb) {
 * @param {function} cb - callback
 * @return {undefined} - and call callback with err, bucket md and object md
 */
-function metadataGetBucketAndObject(requestType, bucketName, objectKey,
+function metadataGetBucketAndObject(bucketName, objectKey,
    versionId, log, cb) {
    const options = {
        // if attempting to get 'null' version, must retrieve null version id
@ -73,13 +72,6 @@ function metadataGetBucketAndObject(requestType, bucketName, objectKey,
                });
                return cb(errors.NoSuchBucket);
            }
            if (bucketShield(bucket, requestType)) {
                log.debug('bucket is shielded from request', {
                    requestType,
                    method: 'metadataGetBucketAndObject',
                });
                return cb(errors.NoSuchBucket);
            }
            log.trace('found bucket in metadata');
            return cb(null, bucket, obj);
        });
@ -118,6 +110,35 @@ function metadataGetObject(bucketName, objectKey, versionId, log, cb) {
        });
 }
 function validateBucket(bucket, params, actionImplicitDenies, log) {
    const { authInfo, preciseRequestType, request } = params;
    let requestType = params.requestType;
    if (bucketShield(bucket, requestType)) {
        log.debug('bucket is shielded from request', {
            requestType,
            method: 'validateBucket',
        });
        return errors.NoSuchBucket;
    }
    // if requester is not bucket owner, bucket policy actions should be denied with
    // MethodNotAllowed error
    const onlyOwnerAllowed = ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'];
    const canonicalID = authInfo.getCanonicalID();
    if (!Array.isArray(requestType)) {
        requestType = [requestType];
    }
    if (bucket.getOwner() !== canonicalID && requestType.some(type => onlyOwnerAllowed.includes(type))) {
        return errors.MethodNotAllowed;
    }
    if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
                            authInfo, actionImplicitDenies, log, request)) {
        log.debug('access denied for user on bucket', { requestType });
        return errors.AccessDenied;
    }
    return null;
 }
 /** metadataValidateBucketAndObj - retrieve bucket and object md from metadata
 * and check if user is authorized to access them.
 * @param {object} params - function parameters
@ -127,41 +148,45 @@ function metadataGetObject(bucketName, objectKey, versionId, log, cb) {
 * @param {string} [params.versionId] - version id if getting specific version
 * @param {string} params.requestType - type of request
 * @param {object} params.request - http request object
 * @param {boolean} actionImplicitDenies - identity authorization results
 * @param {RequestLogger} log - request logger
 * @param {function} callback - callback
 * @return {undefined} - and call callback with params err, bucket md
 */
-function metadataValidateBucketAndObj(params, log, callback) {
+function metadataValidateBucketAndObj(params, actionImplicitDenies, log, callback) {
-    const { authInfo, bucketName, objectKey, versionId, requestType, preciseRequestType, request } = params;
+    const { authInfo, bucketName, objectKey, versionId, request } = params;
-    const canonicalID = authInfo.getCanonicalID();
+    let requestType = params.requestType;
-    async.waterfall([
+    if (!Array.isArray(requestType)) {
-        function getBucketAndObjectMD(next) {
+        requestType = [requestType];
            return metadataGetBucketAndObject(requestType, bucketName,
                objectKey, versionId, log, next);
        },
        function checkBucketAuth(bucket, objMD, next) {
            // if requester is not bucket owner, bucket policy actions should be denied with
            // MethodNotAllowed error
            const onlyOwnerAllowed = ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'];
            if (bucket.getOwner() !== canonicalID && onlyOwnerAllowed.includes(requestType)) {
                return next(errors.MethodNotAllowed, bucket);
    }
-            if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID,
+    async.waterfall([
-            authInfo, log, request)) {
+        next => metadataGetBucketAndObject(bucketName,
-                log.debug('access denied for user on bucket', { requestType });
+                objectKey, versionId, log, (err, bucket, objMD) => {
-                return next(errors.AccessDenied, bucket);
+                    if (err) {
                        // if some implicit actionImplicitDenies, return AccessDenied
                        // before leaking any state information
                        if (actionImplicitDenies && Object.values(actionImplicitDenies).some(v => v === true)) {
                            return next(errors.AccessDenied);
                        }
                        return next(err);
                    }
                    return next(null, bucket, objMD);
-        },
+                }),
-        function handleNullVersionGet(bucket, objMD, next) {
+        (bucket, objMD, next) => {
            const validationError = validateBucket(bucket, params, actionImplicitDenies, log);
            if (validationError) {
                return next(validationError, bucket);
            }
            if (objMD && versionId === 'null') {
                return getNullVersion(objMD, bucketName, objectKey, log,
                    (err, nullVer) => next(err, bucket, nullVer));
            }
            return next(null, bucket, objMD);
        },
-        function checkObjectAuth(bucket, objMD, next) {
+        (bucket, objMD, next) => {
-            if (!isObjAuthorized(bucket, objMD, requestType, canonicalID, authInfo, log, request)) {
+            const canonicalID = authInfo.getCanonicalID();
            if (!isObjAuthorized(bucket, objMD, requestType, canonicalID, authInfo, actionImplicitDenies,
                log, request)) {
                log.debug('access denied for user on object', { requestType });
                return next(errors.AccessDenied, bucket);
            }
@ -209,34 +234,25 @@ function metadataGetBucket(requestType, bucketName, log, cb) {
 * @param {string} params.bucketName - name of bucket
 * @param {string} params.requestType - type of request
 * @param {string} params.request - http request object
 * @param {boolean} actionImplicitDenies - identity authorization results
 * @param {RequestLogger} log - request logger
 * @param {function} callback - callback
 * @return {undefined} - and call callback with params err, bucket md
 */
-function metadataValidateBucket(params, log, callback) {
+function metadataValidateBucket(params, actionImplicitDenies, log, callback) {
-    const { authInfo, bucketName, requestType, preciseRequestType, request } = params;
+    const { bucketName, requestType } = params;
    const canonicalID = authInfo.getCanonicalID();
    return metadataGetBucket(requestType, bucketName, log, (err, bucket) => {
        if (err) {
            return callback(err);
        }
-        // if requester is not bucket owner, bucket policy actions should be denied with
+        const validationError = validateBucket(bucket, params, actionImplicitDenies, log);
-        // MethodNotAllowed error
+        return callback(validationError, bucket);
        const onlyOwnerAllowed = ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'];
        if (bucket.getOwner() !== canonicalID && onlyOwnerAllowed.includes(requestType)) {
            return callback(errors.MethodNotAllowed, bucket);
        }
        // still return bucket for cors headers
        if (!isBucketAuthorized(bucket, (preciseRequestType || requestType), canonicalID, authInfo, log, request)) {
            log.debug('access denied for user on bucket', { requestType });
            return callback(errors.AccessDenied, bucket);
        }
        return callback(null, bucket);
    });
 }
 module.exports = {
    metadataGetObject,
    validateBucket,
    metadataValidateBucketAndObj,
    metadataValidateBucket,
 };
--- a/lib/routes/routeBackbeat.js
+++ b/lib/routes/routeBackbeat.js
@ -1149,6 +1149,8 @@ function routeBackbeat(clientIP, request, response, log) {
    // Attach the apiMethod method to the request, so it can used by monitoring in the server
    // eslint-disable-next-line no-param-reassign
    request.apiMethod = 'routeBackbeat';
    // eslint-disable-next-line no-param-reassign
    request.actionImplicitDenies = false;
    log.debug('routing request', {
        method: 'routeBackbeat',
@ -1273,7 +1275,7 @@ function routeBackbeat(clientIP, request, response, log) {
                requestType: 'ReplicateObject',
                request,
            };
-            return metadataValidateBucketAndObj(mdValParams, log, next);
+            return metadataValidateBucketAndObj(mdValParams, request.actionImplicitDenies, log, next);
        },
        (bucketInfo, objMd, next) => {
            if (useMultipleBackend) {
--- a/package.json
+++ b/package.json
@ -20,7 +20,7 @@
  "homepage": "https://github.com/scality/S3#readme",
  "dependencies": {
    "@hapi/joi": "^17.1.0",
-    "arsenal": "git+https://github.com/scality/arsenal#7.10.47",
+    "arsenal": "git+https://github.com/scality/arsenal#1d74f512c86ca34ee7e662acdc213f18c86326b0",
    "async": "~2.5.0",
    "aws-sdk": "2.905.0",
    "azure-storage": "^2.1.0",
--- a/tests/functional/kmip/serverside_encryption.js
+++ b/tests/functional/kmip/serverside_encryption.js
@ -175,7 +175,6 @@ describe('KMIP backed server-side encryption', () => {
            done();
        });
    });
    it('should allow creating mpu with SSE header ' +
        'in encrypted bucket', done => {
        async.waterfall([
--- a/tests/functional/s3cmd/MPtmpfile
+++ b/tests/functional/s3cmd/MPtmpfile
--- a/tests/multipleBackend/multipartUpload.js
+++ b/tests/multipleBackend/multipartUpload.js
@ -54,6 +54,7 @@ const bucketPutRequest = {
    url: '/',
    post: '',
    parsedHost: 'localhost',
    actionImplicitDenies: false,
 };
 const awsETag = 'be747eb4b75517bf6b3cf7c5fbb62f3a';
@ -73,6 +74,7 @@ const completeBody = '<CompleteMultipartUpload>' +
 const basicParams = {
    bucketName,
    namespace,
    actionImplicitDenies: false,
 };
 function getObjectGetRequest(objectKey) {
@ -270,6 +272,7 @@ function mpuSetup(location, key, cb) {
            'x-amz-meta-scal-location-constraint': location },
        url: `/${key}?uploads`,
        parsedHost: 'localhost',
        actionImplicitDenies: false,
    };
    initiateMultipartUpload(authInfo, initiateRequest, log,
    (err, result) => {
@ -317,7 +320,6 @@ function abortMultipleMpus(backendsInfo, callback) {
        callback();
    });
 }
 describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
    this.timeout(60000);
@ -342,6 +344,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
                'x-amz-meta-scal-location-constraint': `${awsLocation}` },
            url: `/${objectKey}?uploads`,
            parsedHost: 'localhost',
            actionImplicitDenies: false,
        };
        initiateMultipartUpload(authInfo, initiateRequest, log,
@ -365,6 +368,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
                `${awsLocationMismatch}` },
            url: `/${objectKey}?uploads`,
            parsedHost: 'localhost',
            actionImplicitDenies: false,
        };
        initiateMultipartUpload(authInfo, initiateRequest, log,
@ -389,6 +393,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
            },
            url: `/${objectKey}?uploads`,
            parsedHost: 'localhost',
            actionImplicitDenies: false,
        };
        initiateMultipartUpload(authInfo, initiateRequest, log,
@ -612,6 +617,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
                        'x-amz-meta-scal-location-constraint': awsLocation },
                    url: `/${objectKey}?uploads`,
                    parsedHost: 'localhost',
                    actionImplicitDenies: false,
                };
                initiateMultipartUpload(authInfo, initiateRequest, log,
                err => {
@ -712,6 +718,7 @@ describe('Multipart Upload API with AWS Backend', function mpuTestSuite() {
                headers: { host: '/' },
                url: `/${bucketName}?uploads`,
                query: {},
                actionImplicitDenies: false,
            };
            listMultipartUploads(authInfo, listMpuParams, log,
            (err, mpuListXml) => {
--- a/tests/multipleBackend/objectCopy.js
+++ b/tests/multipleBackend/objectCopy.js
@ -71,7 +71,6 @@ function copySetup(params, cb) {
            callback),
    ], err => cb(err));
 }
 describe('ObjectCopy API with multiple backends', () => {
    before(() => {
        cleanup();
--- a/tests/multipleBackend/objectPutCopyPart.js
+++ b/tests/multipleBackend/objectPutCopyPart.js
@ -3,21 +3,19 @@ const async = require('async');
 const { parseString } = require('xml2js');
 const AWS = require('aws-sdk');
-const { cleanup, DummyRequestLogger, makeAuthInfo }
+const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
-    = require('../unit/helpers');
+const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
 const { ds } = require('arsenal').storage.data.inMemory.datastore;
 const { bucketPut } = require('../../lib/api/bucketPut');
-const initiateMultipartUpload
+const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
    = require('../../lib/api/initiateMultipartUpload');
 const objectPut = require('../../lib/api/objectPut');
 const objectPutCopyPart = require('../../lib/api/objectPutCopyPart');
 const DummyRequest = require('../unit/DummyRequest');
 const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
 const constants = require('../../constants');
 const s3 = new AWS.S3();
-const splitter = constants.splitter;
+const { splitter } = constants;
 const log = new DummyRequestLogger();
 const canonicalID = 'accessKey1';
 const authInfo = makeAuthInfo(canonicalID);
@ -59,11 +57,11 @@ function copyPutPart(bucketLoc, mpuLoc, srcObjLoc, requestHost, cb,
    errorPutCopyPart) {
    const keys = getSourceAndDestKeys();
    const { sourceObjName, destObjName } = keys;
-    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' +
+    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
-        '<CreateBucketConfiguration ' +
+        + '<CreateBucketConfiguration '
-        'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+        + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-        `<LocationConstraint>${bucketLoc}</LocationConstraint>` +
+        + `<LocationConstraint>${bucketLoc}</LocationConstraint>`
-        '</CreateBucketConfiguration>' : '';
+        + '</CreateBucketConfiguration>' : '';
    const bucketPutReq = new DummyRequest({
        bucketName,
        namespace,
@ -80,10 +78,13 @@ errorPutCopyPart) {
        objectKey: destObjName,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: `/${destObjName}?uploads`,
        actionImplicitDenies: false,
    };
    if (mpuLoc) {
-        initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
+        initiateReq.headers = {
-            'x-amz-meta-scal-location-constraint': `${mpuLoc}` };
+            'host': `${bucketName}.s3.amazonaws.com`,
            'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
        };
    }
    if (requestHost) {
        initiateReq.parsedHost = requestHost;
@ -94,10 +95,13 @@ errorPutCopyPart) {
        objectKey: sourceObjName,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: '/',
        actionImplicitDenies: false,
    };
    if (srcObjLoc) {
-        sourceObjPutParams.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
+        sourceObjPutParams.headers = {
-            'x-amz-meta-scal-location-constraint': `${srcObjLoc}` };
+            'host': `${bucketName}.s3.amazonaws.com`,
            'x-amz-meta-scal-location-constraint': `${srcObjLoc}`,
        };
    }
    const sourceObjPutReq = new DummyRequest(sourceObjPutParams, body);
    if (requestHost) {
@ -112,8 +116,7 @@ errorPutCopyPart) {
            });
        },
        next => {
-            objectPut(authInfo, sourceObjPutReq, undefined, log, err =>
+            objectPut(authInfo, sourceObjPutReq, undefined, log, err => next(err));
                next(err));
        },
        next => {
            initiateMultipartUpload(authInfo, initiateReq, log, next);
@ -130,8 +133,8 @@ errorPutCopyPart) {
        // Need to build request in here since do not have
        // uploadId until here
        assert.ifError(err, 'Error putting source object or initiate MPU');
-        const testUploadId = json.InitiateMultipartUploadResult.
+        const testUploadId = json.InitiateMultipartUploadResult
-            UploadId[0];
+            .UploadId[0];
        const copyPartParams = {
            bucketName,
            namespace,
@ -205,8 +208,8 @@ function testSuite() {
                    s3.listParts(awsReq, (err, partList) => {
                        assertPartList(partList, uploadId);
                        s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                            assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                            done();
                        });
                    });
@ -247,16 +250,16 @@ function testSuite() {
                s3.listParts(awsReq, (err, partList) => {
                    assertPartList(partList, uploadId);
                    s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                        assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                        done();
                    });
                });
            });
        });
-    it('should copy part an object on AWS location that has bucketMatch ' +
+        it('should copy part an object on AWS location that has bucketMatch '
-    'equals false to a mpu with a different AWS location', done => {
+    + 'equals false to a mpu with a different AWS location', done => {
            copyPutPart(null, awsLocation, awsLocationMismatch, 'localhost',
                (keys, uploadId) => {
                    assert.deepStrictEqual(ds, []);
@ -264,16 +267,16 @@ function testSuite() {
                    s3.listParts(awsReq, (err, partList) => {
                        assertPartList(partList, uploadId);
                        s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                            assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                            done();
                        });
                    });
                });
        });
-    it('should copy part an object on AWS to a mpu with a different ' +
+        it('should copy part an object on AWS to a mpu with a different '
-    'AWS location that has bucketMatch equals false', done => {
+    + 'AWS location that has bucketMatch equals false', done => {
            copyPutPart(null, awsLocationMismatch, awsLocation, 'localhost',
                (keys, uploadId) => {
                    assert.deepStrictEqual(ds, []);
@ -282,16 +285,16 @@ function testSuite() {
                    s3.listParts(awsReq, (err, partList) => {
                        assertPartList(partList, uploadId);
                        s3.abortMultipartUpload(awsReq, err => {
-                    assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+                            assert.equal(err, null, `Error aborting MPU: ${err}. `
-                    `You must abort MPU with upload ID ${uploadId} manually.`);
+                    + `You must abort MPU with upload ID ${uploadId} manually.`);
                            done();
                        });
                    });
                });
        });
-    it('should return error 403 AccessDenied copying part to a ' +
+        it('should return error 403 AccessDenied copying part to a '
-    'different AWS location without object READ access',
+    + 'different AWS location without object READ access',
        done => {
            const errorPutCopyPart = { code: 'AccessDenied', statusCode: 403 };
            copyPutPart(null, awsLocation, awsLocation2, 'localhost', done,
--- a/tests/multipleBackend/objectPutPart.js
+++ b/tests/multipleBackend/objectPutPart.js
@ -3,20 +3,17 @@ const async = require('async');
 const crypto = require('crypto');
 const { parseString } = require('xml2js');
 const AWS = require('aws-sdk');
 const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
 const { config } = require('../../lib/Config');
-const { cleanup, DummyRequestLogger, makeAuthInfo }
+const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../unit/helpers');
    = require('../unit/helpers');
 const { ds } = require('arsenal').storage.data.inMemory.datastore;
 const { bucketPut } = require('../../lib/api/bucketPut');
-const initiateMultipartUpload
+const initiateMultipartUpload = require('../../lib/api/initiateMultipartUpload');
    = require('../../lib/api/initiateMultipartUpload');
 const objectPutPart = require('../../lib/api/objectPutPart');
 const DummyRequest = require('../unit/DummyRequest');
 const { metadata } = require('arsenal').storage.metadata.inMemory.metadata;
 const mdWrapper = require('../../lib/metadata/wrapper');
 const constants = require('../../constants');
-const { getRealAwsConfig } =
+const { getRealAwsConfig } = require('../functional/aws-node-sdk/test/support/awsConfig');
    require('../functional/aws-node-sdk/test/support/awsConfig');
 const memLocation = 'scality-internal-mem';
 const fileLocation = 'scality-internal-file';
@ -25,7 +22,7 @@ const awsLocationMismatch = 'awsbackendmismatch';
 const awsConfig = getRealAwsConfig(awsLocation);
 const s3 = new AWS.S3(awsConfig);
-const splitter = constants.splitter;
+const { splitter } = constants;
 const log = new DummyRequestLogger();
 const canonicalID = 'accessKey1';
 const authInfo = makeAuthInfo(canonicalID);
@ -49,11 +46,11 @@ function _getOverviewKey(objectKey, uploadId) {
 function putPart(bucketLoc, mpuLoc, requestHost, cb,
    errorDescription) {
    const objectName = `objectName-${Date.now()}`;
-    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>' +
+    const post = bucketLoc ? '<?xml version="1.0" encoding="UTF-8"?>'
-        '<CreateBucketConfiguration ' +
+        + '<CreateBucketConfiguration '
-        'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
+        + 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
-        `<LocationConstraint>${bucketLoc}</LocationConstraint>` +
+        + `<LocationConstraint>${bucketLoc}</LocationConstraint>`
-        '</CreateBucketConfiguration>' : '';
+        + '</CreateBucketConfiguration>' : '';
    const bucketPutReq = {
        bucketName,
        namespace,
@ -70,10 +67,13 @@ errorDescription) {
        objectKey: objectName,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: `/${objectName}?uploads`,
        actionImplicitDenies: false,
    };
    if (mpuLoc) {
-        initiateReq.headers = { 'host': `${bucketName}.s3.amazonaws.com`,
+        initiateReq.headers = {
-            'x-amz-meta-scal-location-constraint': `${mpuLoc}` };
+            'host': `${bucketName}.s3.amazonaws.com`,
            'x-amz-meta-scal-location-constraint': `${mpuLoc}`,
        };
    }
    if (requestHost) {
        initiateReq.parsedHost = requestHost;
@ -123,9 +123,9 @@ errorDescription) {
        const partReq = new DummyRequest(partReqParams, body1);
        return objectPutPart(authInfo, partReq, undefined, log, err => {
            assert.strictEqual(err, null);
-            if (bucketLoc !== awsLocation && mpuLoc !== awsLocation &&
+            if (bucketLoc !== awsLocation && mpuLoc !== awsLocation
-            bucketLoc !== awsLocationMismatch &&
+            && bucketLoc !== awsLocationMismatch
-            mpuLoc !== awsLocationMismatch) {
+            && mpuLoc !== awsLocationMismatch) {
                const keysInMPUkeyMap = [];
                metadata.keyMaps.get(mpuBucket).forEach((val, key) => {
                    keysInMPUkeyMap.push(key);
@ -148,8 +148,8 @@ errorDescription) {
 }
 function listAndAbort(uploadId, calculatedHash2, objectName, done) {
-    const awsBucket = config.locationConstraints[awsLocation].
+    const awsBucket = config.locationConstraints[awsLocation]
-        details.bucketName;
+        .details.bucketName;
    const params = {
        Bucket: awsBucket,
        Key: objectName,
@ -162,13 +162,12 @@ function listAndAbort(uploadId, calculatedHash2, objectName, done) {
            assert.strictEqual(`"${calculatedHash2}"`, data.Parts[0].ETag);
        }
        s3.abortMultipartUpload(params, err => {
-            assert.equal(err, null, `Error aborting MPU: ${err}. ` +
+            assert.equal(err, null, `Error aborting MPU: ${err}. `
-            `You must abort MPU with upload ID ${uploadId} manually.`);
+            + `You must abort MPU with upload ID ${uploadId} manually.`);
            done();
        });
    });
 }
 describeSkipIfE2E('objectPutPart API with multiple backends',
    function testSuite() {
        this.timeout(5000);
@ -211,8 +210,10 @@ function testSuite() {
                            bucketName,
                            namespace,
                            objectKey: objectName,
-                headers: { 'host': `${bucketName}.s3.amazonaws.com`,
+                            headers: {
-                    'x-amz-meta-scal-location-constraint': awsLocation },
+                                'host': `${bucketName}.s3.amazonaws.com`,
                                'x-amz-meta-scal-location-constraint': awsLocation,
                            },
                            url: `/${objectName}?partNumber=1&uploadId=${uploadId}`,
                            query: {
                                partNumber: '1', uploadId,
@ -226,8 +227,8 @@ function testSuite() {
                    });
            });
-    it('should upload part based on mpu location even if part ' +
+        it('should upload part based on mpu location even if part '
-        'location constraint is specified ', done => {
+        + 'location constraint is specified ', done => {
            putPart(fileLocation, memLocation, 'localhost', () => {
                assert.deepStrictEqual(ds[1].value, body1);
                done();
@ -256,8 +257,8 @@ function testSuite() {
                });
        });
-    it('should put a part to AWS based on bucket location with bucketMatch ' +
+        it('should put a part to AWS based on bucket location with bucketMatch '
-    'set to true', done => {
+    + 'set to true', done => {
            putPart(null, awsLocation, 'localhost',
                (objectName, uploadId) => {
                    assert.deepStrictEqual(ds, []);
@ -265,8 +266,8 @@ function testSuite() {
                });
        });
-    it('should put a part to AWS based on bucket location with bucketMatch ' +
+        it('should put a part to AWS based on bucket location with bucketMatch '
-    'set to false', done => {
+    + 'set to false', done => {
            putPart(null, awsLocationMismatch, 'localhost',
                (objectName, uploadId) => {
                    assert.deepStrictEqual(ds, []);
--- a/tests/unit/DummyRequest.js
+++ b/tests/unit/DummyRequest.js
@ -16,7 +16,7 @@ class DummyRequest extends http.IncomingMessage {
                this.parsedContentLength = 0;
            }
        }
-
+        this.actionImplicitDenies = false;
        if (Array.isArray(msg)) {
            msg.forEach(part => {
                this.push(part);
--- a/tests/unit/api/apiUtils/tagConditionKeys.js
+++ b/tests/unit/api/apiUtils/tagConditionKeys.js
@ -24,6 +24,7 @@ const bucketPutReq = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const taggingUtil = new TaggingConfigTester();
--- a/tests/unit/api/bucketACLauth.js
+++ b/tests/unit/api/bucketACLauth.js
@ -106,7 +106,7 @@ describe('bucket authorization for bucketGet, bucketHead, ' +
            }
            bucket.setCannedAcl(value.canned);
            const results = requestTypes.map(type =>
-                isBucketAuthorized(bucket, type, value.id, value.auth, log));
+                isBucketAuthorized(bucket, type, value.id, value.auth, false, log));
            assert.deepStrictEqual(results, value.response);
            done();
        });
@ -128,13 +128,13 @@ describe('bucket authorization for bucketGetACL', () => {
    it('should allow access to bucket owner', () => {
        const result = isBucketAuthorized(bucket, 'bucketGetACL',
-            ownerCanonicalId, authInfo);
+            ownerCanonicalId, authInfo, false);
        assert.strictEqual(result, true);
    });
    it('should allow access to user in bucket owner account', () => {
        const result = isBucketAuthorized(bucket, 'bucketGetACL',
-            ownerCanonicalId, userAuthInfo);
+            ownerCanonicalId, userAuthInfo, false);
        assert.strictEqual(result, true);
    });
@ -157,7 +157,7 @@ describe('bucket authorization for bucketGetACL', () => {
    orders.forEach(value => {
        it(`should allow access to ${value.it}`, done => {
            const noAuthResult = isBucketAuthorized(bucket, 'bucketGetACL',
-                                                    value.id);
+                                                    value.id, null, false);
            assert.strictEqual(noAuthResult, false);
            if (value.aclParam) {
                bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]);
@ -165,7 +165,7 @@ describe('bucket authorization for bucketGetACL', () => {
                bucket.setCannedAcl(value.canned);
            }
            const authorizedResult = isBucketAuthorized(bucket, 'bucketGetACL',
-                value.id, value.auth);
+                value.id, value.auth, false);
            assert.strictEqual(authorizedResult, true);
            done();
        });
@ -187,13 +187,13 @@ describe('bucket authorization for bucketPutACL', () => {
    it('should allow access to bucket owner', () => {
        const result = isBucketAuthorized(bucket, 'bucketPutACL',
-            ownerCanonicalId, authInfo);
+            ownerCanonicalId, authInfo, false);
        assert.strictEqual(result, true);
    });
    it('should allow access to user in bucket owner account', () => {
        const result = isBucketAuthorized(bucket, 'bucketPutACL',
-            ownerCanonicalId, userAuthInfo);
+            ownerCanonicalId, userAuthInfo, false);
        assert.strictEqual(result, true);
    });
@ -202,11 +202,11 @@ describe('bucket authorization for bucketPutACL', () => {
        it('should allow access to account if ' +
           `account was granted ${value} right`, done => {
            const noAuthResult = isBucketAuthorized(bucket, 'bucketPutACL',
-                accountToVet, altAcctAuthInfo);
+                accountToVet, altAcctAuthInfo, false);
            assert.strictEqual(noAuthResult, false);
            bucket.setSpecificAcl(accountToVet, value);
            const authorizedResult = isBucketAuthorized(bucket, 'bucketPutACL',
-                accountToVet, altAcctAuthInfo);
+                accountToVet, altAcctAuthInfo, false);
            assert.strictEqual(authorizedResult, true);
            done();
        });
@ -228,13 +228,13 @@ describe('bucket authorization for bucketOwnerAction', () => {
    it('should allow access to bucket owner', () => {
        const result = isBucketAuthorized(bucket, 'bucketDeleteCors',
-            ownerCanonicalId, authInfo);
+            ownerCanonicalId, authInfo, false);
        assert.strictEqual(result, true);
    });
    it('should allow access to user in bucket owner account', () => {
        const result = isBucketAuthorized(bucket, 'bucketDeleteCors',
-            ownerCanonicalId, userAuthInfo);
+            ownerCanonicalId, userAuthInfo, false);
        assert.strictEqual(result, true);
    });
@ -256,7 +256,7 @@ describe('bucket authorization for bucketOwnerAction', () => {
            }
            bucket.setCannedAcl(value.canned);
            const result = isBucketAuthorized(bucket, 'bucketDeleteCors',
-                value.id, value.auth);
+                value.id, value.auth, false);
            assert.strictEqual(result, false);
            done();
        });
@ -278,13 +278,13 @@ describe('bucket authorization for bucketDelete', () => {
    it('should allow access to bucket owner', () => {
        const result = isBucketAuthorized(bucket, 'bucketDelete',
-            ownerCanonicalId, authInfo);
+            ownerCanonicalId, authInfo, false);
        assert.strictEqual(result, true);
    });
    it('should allow access to user in bucket owner account', () => {
        const result = isBucketAuthorized(bucket, 'bucketDelete',
-            ownerCanonicalId, userAuthInfo);
+            ownerCanonicalId, userAuthInfo, false);
        assert.strictEqual(result, true);
    });
@ -305,7 +305,7 @@ describe('bucket authorization for bucketDelete', () => {
                bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]);
            }
            bucket.setCannedAcl(value.canned);
-            const result = isBucketAuthorized(bucket, 'bucketDelete', value.id, value.auth);
+            const result = isBucketAuthorized(bucket, 'bucketDelete', value.id, value.auth, false);
            assert.strictEqual(result, false);
            done();
        });
@ -329,13 +329,13 @@ describe('bucket authorization for objectDelete and objectPut', () => {
    it('should allow access to bucket owner', () => {
        const results = requestTypes.map(type =>
-            isBucketAuthorized(bucket, type, ownerCanonicalId, authInfo));
+            isBucketAuthorized(bucket, type, ownerCanonicalId, authInfo, false));
        assert.deepStrictEqual(results, [true, true]);
    });
    it('should allow access to user in bucket owner account', () => {
        const results = requestTypes.map(type =>
-            isBucketAuthorized(bucket, type, ownerCanonicalId, userAuthInfo));
+            isBucketAuthorized(bucket, type, ownerCanonicalId, userAuthInfo, false));
        assert.deepStrictEqual(results, [true, true]);
    });
@ -360,13 +360,13 @@ describe('bucket authorization for objectDelete and objectPut', () => {
        it(`should allow access to ${value.it}`, done => {
            bucket.setCannedAcl(value.canned);
            const noAuthResults = requestTypes.map(type =>
-                isBucketAuthorized(bucket, type, value.id, value.auth));
+                isBucketAuthorized(bucket, type, value.id, value.auth, false));
            assert.deepStrictEqual(noAuthResults, value.response);
            if (value.aclParam) {
                bucket.setSpecificAcl(value.aclParam[1], value.aclParam[0]);
            }
            const authResults = requestTypes.map(type =>
-                isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo));
+                isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo, false));
            assert.deepStrictEqual(authResults, [true, true]);
            done();
        });
@ -378,10 +378,10 @@ describe('bucket authorization for objectPutACL and objectGetACL', () => {
        'are done at object level', done => {
        const requestTypes = ['objectPutACL', 'objectGetACL'];
        const results = requestTypes.map(type =>
-            isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo));
+            isBucketAuthorized(bucket, type, accountToVet, altAcctAuthInfo, false));
        assert.deepStrictEqual(results, [true, true]);
        const publicUserResults = requestTypes.map(type =>
-            isBucketAuthorized(bucket, type, constants.publicId));
+            isBucketAuthorized(bucket, type, constants.publicId, null, false));
        assert.deepStrictEqual(publicUserResults, [true, true]);
        done();
    });
--- a/tests/unit/api/bucketDelete.js
+++ b/tests/unit/api/bucketDelete.js
@ -77,7 +77,6 @@ function createMPU(testRequest, initiateRequest, deleteOverviewMPUObj, cb) {
        });
    });
 }
 describe('bucketDelete API', () => {
    beforeEach(() => {
        cleanup();
@ -88,6 +87,7 @@ describe('bucketDelete API', () => {
        namespace,
        headers: {},
        url: `/${bucketName}`,
        actionImplicitDenies: false,
    };
    const initiateRequest = {
@ -96,6 +96,7 @@ describe('bucketDelete API', () => {
        objectKey: objectName,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: `/${objectName}?uploads`,
        actionImplicitDenies: false,
    };
    it('should return an error if the bucket is not empty', done => {
--- a/tests/unit/api/bucketDeleteCors.js
+++ b/tests/unit/api/bucketDeleteCors.js
@ -19,12 +19,12 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const testBucketPutCorsRequest =
    corsUtil.createBucketCorsRequest('PUT', bucketName);
 const testBucketDeleteCorsRequest =
    corsUtil.createBucketCorsRequest('DELETE', bucketName);
 describe('deleteBucketCors API', () => {
    beforeEach(done => {
        cleanup();
--- a/tests/unit/api/bucketDeleteEncryption.js
+++ b/tests/unit/api/bucketDeleteEncryption.js
@ -13,8 +13,8 @@ const bucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 describe('bucketDeleteEncryption API', () => {
    before(() => cleanup());
--- a/tests/unit/api/bucketDeleteLifecycle.js
+++ b/tests/unit/api/bucketDeleteLifecycle.js
@ -19,6 +19,7 @@ function _makeRequest(includeXml) {
        bucketName,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: '/',
        actionImplicitDenies: false,
    };
    if (includeXml) {
        request.post = '<LifecycleConfiguration ' +
@ -30,7 +31,6 @@ function _makeRequest(includeXml) {
    }
    return request;
 }
 describe('deleteBucketLifecycle API', () => {
    before(() => cleanup());
    beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done));
--- a/tests/unit/api/bucketDeletePolicy.js
+++ b/tests/unit/api/bucketDeletePolicy.js
@ -19,6 +19,7 @@ function _makeRequest(includePolicy) {
        bucketName,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: '/',
        actionImplicitDenies: false,
    };
    if (includePolicy) {
        const examplePolicy = {
@ -36,7 +37,6 @@ function _makeRequest(includePolicy) {
    }
    return request;
 }
 describe('deleteBucketPolicy API', () => {
    before(() => cleanup());
    beforeEach(done => bucketPut(authInfo, _makeRequest(), log, done));
--- a/tests/unit/api/bucketDeleteWebsite.js
+++ b/tests/unit/api/bucketDeleteWebsite.js
@ -20,6 +20,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const testBucketDeleteWebsiteRequest = {
    bucketName,
@ -28,10 +29,10 @@ const testBucketDeleteWebsiteRequest = {
    },
    url: '/?website',
    query: { website: '' },
    actionImplicitDenies: false,
 };
 const testBucketPutWebsiteRequest = Object.assign({ post: config.getXml() },
    testBucketDeleteWebsiteRequest);
 describe('deleteBucketWebsite API', () => {
    beforeEach(done => {
        cleanup();
--- a/tests/unit/api/bucketGet.js
+++ b/tests/unit/api/bucketGet.js
@ -63,6 +63,7 @@ const baseGetRequest = {
    bucketName,
    namespace,
    headers: { host: '/' },
    actionImplicitDenies: false,
 };
 const baseUrl = `/${bucketName}`;
@ -173,7 +174,6 @@ const tests = [
        },
    },
 ];
 describe('bucketGet API', () => {
    beforeEach(() => {
        cleanup();
--- a/tests/unit/api/bucketGetACL.js
+++ b/tests/unit/api/bucketGetACL.js
@ -14,7 +14,6 @@ const authInfo = makeAuthInfo(accessKey);
 const canonicalID = authInfo.getCanonicalID();
 const namespace = 'default';
 const bucketName = 'bucketname';
 describe('bucketGetACL API', () => {
    beforeEach(() => {
        cleanup();
@ -25,6 +24,7 @@ describe('bucketGetACL API', () => {
        namespace,
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: '/',
        actionImplicitDenies: false,
    };
    const testGetACLRequest = {
        bucketName,
@ -32,6 +32,7 @@ describe('bucketGetACL API', () => {
        headers: { host: `${bucketName}.s3.amazonaws.com` },
        url: '/?acl',
        query: { acl: '' },
        actionImplicitDenies: false,
    };
    it('should get a canned private ACL', done => {
@ -44,6 +45,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -76,6 +78,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -119,6 +122,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -156,6 +160,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -194,6 +199,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -248,6 +254,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        const canonicalIDforSample1 =
            '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
@ -338,6 +345,7 @@ describe('bucketGetACL API', () => {
                },
                url: '/?acl',
                query: { acl: '' },
                actionImplicitDenies: false,
            };
            async.waterfall([
@ -377,6 +385,7 @@ describe('bucketGetACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        async.waterfall([
--- a/tests/unit/api/bucketGetCors.js
+++ b/tests/unit/api/bucketGetCors.js
@ -16,6 +16,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 function _makeCorsRequest(xml) {
@ -26,6 +27,7 @@ function _makeCorsRequest(xml) {
        },
        url: '/?cors',
        query: { cors: '' },
        actionImplicitDenies: false,
    };
    if (xml) {
@ -55,7 +57,6 @@ function _comparePutGetXml(sampleXml, done) {
        });
    });
 }
 describe('getBucketCors API', () => {
    beforeEach(done => {
        cleanup();
--- a/tests/unit/api/bucketGetLifecycle.js
+++ b/tests/unit/api/bucketGetLifecycle.js
@ -17,8 +17,8 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 describe('getBucketLifecycle API', () => {
    before(() => cleanup());
    beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done));
--- a/tests/unit/api/bucketGetLocation.js
+++ b/tests/unit/api/bucketGetLocation.js
@ -16,6 +16,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const testGetLocationRequest = {
@ -25,6 +26,7 @@ const testGetLocationRequest = {
    },
    url: '/?location',
    query: { location: '' },
    actionImplicitDenies: false,
 };
 const locationConstraints = config.locationConstraints;
@ -37,7 +39,6 @@ function getBucketRequestObject(location) {
        '</CreateBucketConfiguration>' : undefined;
    return Object.assign({ post }, testBucketPutRequest);
 }
 describe('getBucketLocation API', () => {
    Object.keys(locationConstraints).forEach(location => {
        if (location === 'us-east-1') {
--- a/tests/unit/api/bucketGetNotification.js
+++ b/tests/unit/api/bucketGetNotification.js
@ -15,6 +15,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 function getNotificationRequest(bucketName, xml) {
@ -23,6 +24,7 @@ function getNotificationRequest(bucketName, xml) {
        headers: {
            host: `${bucketName}.s3.amazonaws.com`,
        },
        actionImplicitDenies: false,
    };
    if (xml) {
        request.post = xml;
@ -52,7 +54,6 @@ function getNotificationXml() {
        '</NotificationConfiguration>';
 }
 describe('getBucketNotification API', () => {
    before(cleanup);
    beforeEach(done => bucketPut(authInfo, testBucketPutRequest, log, done));
--- a/tests/unit/api/bucketGetObjectLock.js
+++ b/tests/unit/api/bucketGetObjectLock.js
@ -14,6 +14,7 @@ const bucketPutReq = {
        host: `${bucketName}.s3.amazonaws.com`,
    },
    url: '/',
    actionImplicitDenies: false,
 };
 const testBucketPutReqWithObjLock = {
@ -23,6 +24,7 @@ const testBucketPutReqWithObjLock = {
        'x-amz-bucket-object-lock-enabled': 'True',
    },
    url: '/',
    actionImplicitDenies: false,
 };
 function getObjectLockConfigRequest(bucketName, xml) {
@ -33,6 +35,7 @@ function getObjectLockConfigRequest(bucketName, xml) {
            'x-amz-bucket-object-lock-enabled': 'true',
        },
        url: '/?object-lock',
        actionImplicitDenies: false,
    };
    if (xml) {
        request.post = xml;
@ -65,7 +68,6 @@ function getObjectLockXml(mode, type, time) {
    xmlStr += xml.objLockConfigClose;
    return xmlStr;
 }
 describe('bucketGetObjectLock API', () => {
    before(done => bucketPut(authInfo, bucketPutReq, log, done));
    after(cleanup);
@ -79,7 +81,6 @@ describe('bucketGetObjectLock API', () => {
        });
    });
 });
 describe('bucketGetObjectLock API', () => {
    before(cleanup);
    beforeEach(done => bucketPut(authInfo, testBucketPutReqWithObjLock, log, done));
--- a/tests/unit/api/bucketGetPolicy.js
+++ b/tests/unit/api/bucketGetPolicy.js
@ -16,6 +16,7 @@ const testBasicRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const expectedBucketPolicy = {
@ -34,8 +35,8 @@ const testPutPolicyRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    post: JSON.stringify(expectedBucketPolicy),
    actionImplicitDenies: false,
 };
 describe('getBucketPolicy API', () => {
    before(() => cleanup());
    beforeEach(done => bucketPut(authInfo, testBasicRequest, log, done));
--- a/tests/unit/api/bucketGetReplication.js
+++ b/tests/unit/api/bucketGetReplication.js
@ -53,7 +53,6 @@ function getReplicationConfig() {
        ],
    };
 }
 describe("'getReplicationConfigurationXML' function", () => {
    it('should return XML from the bucket replication configuration', done =>
        getAndCheckXML(getReplicationConfig(), done));
--- a/tests/unit/api/bucketGetWebsite.js
+++ b/tests/unit/api/bucketGetWebsite.js
@ -15,6 +15,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 function _makeWebsiteRequest(xml) {
@ -25,6 +26,7 @@ function _makeWebsiteRequest(xml) {
        },
        url: '/?website',
        query: { website: '' },
        actionImplicitDenies: false,
    };
    if (xml) {
@ -53,7 +55,6 @@ function _comparePutGetXml(sampleXml, done) {
        });
    });
 }
 describe('getBucketWebsite API', () => {
    beforeEach(done => {
        cleanup();
--- a/tests/unit/api/bucketHead.js
+++ b/tests/unit/api/bucketHead.js
@ -14,6 +14,7 @@ const testRequest = {
    namespace,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 describe('bucketHead API', () => {
    beforeEach(() => {
--- a/tests/unit/api/bucketPolicyAuth.js
+++ b/tests/unit/api/bucketPolicyAuth.js
@ -244,7 +244,7 @@ describe('bucket policy authorization', () => {
    describe('isBucketAuthorized with no policy set', () => {
        it('should allow access to bucket owner', done => {
            const allowed = isBucketAuthorized(bucket, 'bucketPut',
-                bucketOwnerCanonicalId, null, log);
+                bucketOwnerCanonicalId, null, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -252,7 +252,7 @@ describe('bucket policy authorization', () => {
        it('should deny access to non-bucket owner',
        done => {
            const allowed = isBucketAuthorized(bucket, 'bucketPut',
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, false);
            done();
        });
@ -268,7 +268,7 @@ describe('bucket policy authorization', () => {
        it('should allow access to non-bucket owner if principal is set to "*"',
        done => {
            const allowed = isBucketAuthorized(bucket, bucAction,
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -276,7 +276,7 @@ describe('bucket policy authorization', () => {
        it('should allow access to public user if principal is set to "*"',
        done => {
            const allowed = isBucketAuthorized(bucket, bucAction,
-                constants.publicId, null, log);
+                constants.publicId, null, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -287,7 +287,7 @@ describe('bucket policy authorization', () => {
                newPolicy.Statement[0][t.keyToChange] = t.bucketValue;
                bucket.setBucketPolicy(newPolicy);
                const allowed = isBucketAuthorized(bucket, bucAction,
-                    t.bucketId, t.bucketAuthInfo, log);
+                    t.bucketId, t.bucketAuthInfo, false, log);
                assert.equal(allowed, t.expected);
                done();
            });
@ -304,7 +304,7 @@ describe('bucket policy authorization', () => {
            };
            bucket.setBucketPolicy(newPolicy);
            const allowed = isBucketAuthorized(bucket, bucAction,
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, false);
            done();
        });
@ -312,7 +312,7 @@ describe('bucket policy authorization', () => {
        it('should deny access to non-bucket owner with an unsupported action type',
        done => {
            const allowed = isBucketAuthorized(bucket, 'unsupportedAction',
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, false);
            done();
        });
@ -325,7 +325,7 @@ describe('bucket policy authorization', () => {
        it('should allow access to object owner', done => {
            const allowed = isObjAuthorized(bucket, object, objAction,
-                objectOwnerCanonicalId, null, log);
+                objectOwnerCanonicalId, null, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -333,7 +333,7 @@ describe('bucket policy authorization', () => {
        it('should deny access to non-object owner',
        done => {
            const allowed = isObjAuthorized(bucket, object, objAction,
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, false);
            done();
        });
@ -352,7 +352,7 @@ describe('bucket policy authorization', () => {
        it('should allow access to non-object owner if principal is set to "*"',
        done => {
            const allowed = isObjAuthorized(bucket, object, objAction,
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -360,7 +360,7 @@ describe('bucket policy authorization', () => {
        it('should allow access to public user if principal is set to "*"',
        done => {
            const allowed = isObjAuthorized(bucket, object, objAction,
-                constants.publicId, null, log);
+                constants.publicId, null, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -371,7 +371,7 @@ describe('bucket policy authorization', () => {
                newPolicy.Statement[0][t.keyToChange] = t.objectValue;
                bucket.setBucketPolicy(newPolicy);
                const allowed = isObjAuthorized(bucket, object, objAction,
-                    t.objectId, t.objectAuthInfo, log);
+                    t.objectId, t.objectAuthInfo, false, log);
                assert.equal(allowed, t.expected);
                done();
            });
@ -383,7 +383,7 @@ describe('bucket policy authorization', () => {
            newPolicy.Statement[0].Action = ['s3:GetObject'];
            bucket.setBucketPolicy(newPolicy);
            const allowed = isObjAuthorized(bucket, object, 'objectHead',
-                                            altAcctCanonicalId, altAcctAuthInfo, log);
+                                            altAcctCanonicalId, altAcctAuthInfo, false, log);
            assert.equal(allowed, true);
            done();
        });
@ -393,7 +393,7 @@ describe('bucket policy authorization', () => {
            newPolicy.Statement[0].Action = ['s3:PutObject'];
            bucket.setBucketPolicy(newPolicy);
            const allowed = isObjAuthorized(bucket, object, 'objectHead',
-                                            altAcctCanonicalId, altAcctAuthInfo, log);
+                                            altAcctCanonicalId, altAcctAuthInfo, false, log);
            assert.equal(allowed, false);
            done();
        });
@ -408,7 +408,7 @@ describe('bucket policy authorization', () => {
            };
            bucket.setBucketPolicy(newPolicy);
            const allowed = isObjAuthorized(bucket, object, objAction,
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, false);
            done();
        });
@ -416,7 +416,7 @@ describe('bucket policy authorization', () => {
        it('should deny access to non-object owner with an unsupported action type',
        done => {
            const allowed = isObjAuthorized(bucket, object, 'unsupportedAction',
-                altAcctCanonicalId, null, log);
+                altAcctCanonicalId, null, false, log);
            assert.equal(allowed, false);
            done();
        });
--- a/tests/unit/api/bucketPutACL.js
+++ b/tests/unit/api/bucketPutACL.js
@ -18,11 +18,10 @@ const testBucketPutRequest = {
    namespace,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
-const canonicalIDforSample1 =
+const canonicalIDforSample1 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
-    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be';
+const canonicalIDforSample2 = '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
 const canonicalIDforSample2 =
    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2bf';
 const invalidIds = {
    'too short': 'id="invalid_id"',
@ -42,11 +41,10 @@ describe('putBucketACL API', () => {
    afterEach(() => cleanup());
    it('should parse a grantheader', () => {
-        const grantRead =
+        const grantRead = `uri=${constants.logId}, `
-            `uri=${constants.logId}, ` +
+            + 'emailAddress="test@testing.com", '
-            'emailAddress="test@testing.com", ' +
+            + 'emailAddress="test2@testly.com", '
-            'emailAddress="test2@testly.com", ' +
+            + 'id="sdfsdfsfwwiieohefs"';
            'id="sdfsdfsfwwiieohefs"';
        const grantReadHeader = aclUtils.parseGrant(grantRead, 'read');
        const firstIdentifier = grantReadHeader[0].identifier;
        assert.strictEqual(firstIdentifier, constants.logId);
@ -58,7 +56,7 @@ describe('putBucketACL API', () => {
        assert.strictEqual(fourthIdentifier, 'sdfsdfsfwwiieohefs');
        const fourthType = grantReadHeader[3].userIDType;
        assert.strictEqual(fourthType, 'id');
-        const grantType = grantReadHeader[3].grantType;
+        const { grantType } = grantReadHeader[3];
        assert.strictEqual(grantType, 'read');
    });
@ -72,6 +70,7 @@ describe('putBucketACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -90,6 +89,7 @@ describe('putBucketACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
            assert.strictEqual(err, undefined);
@ -111,6 +111,7 @@ describe('putBucketACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        const testACLRequest2 = {
            bucketName,
@ -121,6 +122,7 @@ describe('putBucketACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
            assert.strictEqual(err, undefined);
@ -138,8 +140,8 @@ describe('putBucketACL API', () => {
        });
    });
-    it('should set a canned private ACL ' +
+    it('should set a canned private ACL '
-        'followed by a log-delivery-write ACL', done => {
+        + 'followed by a log-delivery-write ACL', done => {
        const testACLRequest = {
            bucketName,
            namespace,
@ -149,6 +151,7 @@ describe('putBucketACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        const testACLRequest2 = {
            bucketName,
@ -159,6 +162,7 @@ describe('putBucketACL API', () => {
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -184,19 +188,20 @@ describe('putBucketACL API', () => {
            headers: {
                'host': `${bucketName}.s3.amazonaws.com`,
                'x-amz-grant-full-control':
-                    'emailaddress="sampleaccount1@sampling.com"' +
+                    'emailaddress="sampleaccount1@sampling.com"'
-                    ',emailaddress="sampleaccount2@sampling.com"',
+                    + ',emailaddress="sampleaccount2@sampling.com"',
                'x-amz-grant-read': `uri=${constants.logId}`,
                'x-amz-grant-write': `uri=${constants.publicId}`,
                'x-amz-grant-read-acp':
-                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                    'f8f8d5218e7cd47ef2be',
+                    + 'f8f8d5218e7cd47ef2be',
                'x-amz-grant-write-acp':
-                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                    'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                    'f8f8d5218e7cd47ef2bf',
+                    + 'f8f8d5218e7cd47ef2bf',
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
            assert.strictEqual(err, undefined);
@ -223,21 +228,22 @@ describe('putBucketACL API', () => {
                headers: {
                    'host': `${bucketName}.s3.amazonaws.com`,
                    'x-amz-grant-full-control':
-                        'emailaddress="sampleaccount1@sampling.com"' +
+                        'emailaddress="sampleaccount1@sampling.com"'
-                        ',emailaddress="sampleaccount2@sampling.com"',
+                        + ',emailaddress="sampleaccount2@sampling.com"',
                    'x-amz-grant-read':
                        'emailaddress="sampleaccount1@sampling.com"',
                    'x-amz-grant-write':
                        'emailaddress="sampleaccount1@sampling.com"',
                    'x-amz-grant-read-acp':
-                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                        'f8f8d5218e7cd47ef2be',
+                        + 'f8f8d5218e7cd47ef2be',
                    'x-amz-grant-write-acp':
-                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac' +
+                        'id=79a59df900b949e55d96a1e698fbacedfd6e09d98eac'
-                        'f8f8d5218e7cd47ef2bf',
+                        + 'f8f8d5218e7cd47ef2bf',
                },
                url: '/?acl',
                query: { acl: '' },
                actionImplicitDenies: false,
            };
            bucketPutACL(authInfo, testACLRequest, log, err => {
                assert.strictEqual(err, undefined);
@ -260,8 +266,8 @@ describe('putBucketACL API', () => {
        });
    Object.keys(invalidIds).forEach(idType => {
-        it('should return an error if grantee canonical ID provided in ACL ' +
+        it('should return an error if grantee canonical ID provided in ACL '
-        `request invalid because ${idType}`, done => {
+        + `request invalid because ${idType}`, done => {
            const testACLRequest = {
                bucketName,
                namespace,
@ -271,6 +277,7 @@ describe('putBucketACL API', () => {
                },
                url: '/?acl',
                query: { acl: '' },
                actionImplicitDenies: false,
            };
            return bucketPutACL(authInfo, testACLRequest, log, err => {
                assert.deepStrictEqual(err, errors.InvalidArgument);
@ -279,19 +286,20 @@ describe('putBucketACL API', () => {
        });
    });
-    it('should return an error if invalid email ' +
+    it('should return an error if invalid email '
-        'provided in ACL header request', done => {
+        + 'provided in ACL header request', done => {
        const testACLRequest = {
            bucketName,
            namespace,
            headers: {
                'host': `${bucketName}.s3.amazonaws.com`,
                'x-amz-grant-full-control':
-                    'emailaddress="sampleaccount1@sampling.com"' +
+                    'emailaddress="sampleaccount1@sampling.com"'
-                    ',emailaddress="nonexistentEmail@sampling.com"',
+                    + ',emailaddress="nonexistentEmail@sampling.com"',
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -305,52 +313,53 @@ describe('putBucketACL API', () => {
            bucketName,
            namespace,
            headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbaced' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                        '<DisplayName>OwnerDisplayName</DisplayName>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>FULL_CONTROL</Permission>' +
+                      + '<Permission>FULL_CONTROL</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="Group">' +
+                      + '<Grantee xsi:type="Group">'
-                        `<URI>${constants.publicId}</URI>` +
+                        + `<URI>${constants.publicId}</URI>`
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>READ</Permission>' +
+                      + '<Permission>READ</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="Group">' +
+                      + '<Grantee xsi:type="Group">'
-                        `<URI>${constants.logId}</URI>` +
+                        + `<URI>${constants.logId}</URI>`
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE</Permission>' +
+                      + '<Permission>WRITE</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>sampleaccount1@sampling.com' +
+                        + '<EmailAddress>sampleaccount1@sampling.com'
-                        '</EmailAddress>' +
+                        + '</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbacedfd' +
+                        + '<ID>79a59df900b949e55d96a1e698fbacedfd'
-                        '6e09d98eacf8f8d5218e7cd47ef2bf</ID>' +
+                        + '6e09d98eacf8f8d5218e7cd47ef2bf</ID>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>READ_ACP</Permission>' +
+                      + '<Permission>READ_ACP</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -375,17 +384,18 @@ describe('putBucketACL API', () => {
            bucketName,
            namespace,
            headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList></AccessControlList>' +
+                  + '<AccessControlList></AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -408,16 +418,17 @@ describe('putBucketACL API', () => {
                bucketName,
                namespace,
                headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+                post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
                url: '/?acl',
                query: { acl: '' },
                actionImplicitDenies: false,
            };
            bucketPutACL(authInfo, testACLRequest, log, err => {
@ -438,29 +449,10 @@ describe('putBucketACL API', () => {
                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
                    '<DisplayName>OwnerDisplayName</DisplayName>' +
                  '</Owner>' +
                  '<AccessControlList>' +
                    '<Grant>' +
                      '<Grantee xsi:type="CanonicalUser">' +
                        '<ID>79a59df900b949e55d96a1e698fbaced' +
                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
                        '<DisplayName>OwnerDisplayName</DisplayName>' +
                      '</Grantee>' +
                      '<Permission>FULL_CONTROL</Permission>' +
                    '</Grant>' +
                  '</AccessControlList>' +
                  '<AccessControlList>' +
                    '<Grant>' +
                      '<Grantee xsi:type="CanonicalUser">' +
                        '<ID>79a59df900b949e55d96a1e698fbaced' +
                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
                        '<DisplayName>OwnerDisplayName</DisplayName>' +
                      '</Grantee>' +
                      '<Permission>READ</Permission>' +
                    '</Grant>' +
                  '</AccessControlList>' +
                '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
            bucketPutACL(authInfo, testACLRequest, log, err => {
@ -469,30 +461,75 @@ describe('putBucketACL API', () => {
            });
        });
-    it('should return an error if invalid grantee user ID ' +
+    it('should return an error if multiple AccessControlList section', done => {
    'provided in ACL request body', done => {
        const testACLRequest = {
            bucketName,
            namespace,
            headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                  '<Grant>' +
+                    + '<Grant>'
-                    '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                      '<ID>invalid_id</ID>' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    '</Grantee>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<Permission>READ_ACP</Permission>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Grant>' +
+                      + '</Grantee>'
-                  '</AccessControlList>' +
+                      + '<Permission>FULL_CONTROL</Permission>'
-                '</AccessControlPolicy>',
+                    + '</Grant>'
                  + '</AccessControlList>'
                  + '<AccessControlList>'
                    + '<Grant>'
                      + '<Grantee xsi:type="CanonicalUser">'
                        + '<ID>79a59df900b949e55d96a1e698fbaced'
                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
                        + '<DisplayName>OwnerDisplayName</DisplayName>'
                      + '</Grantee>'
                      + '<Permission>READ</Permission>'
                    + '</Grant>'
                  + '</AccessControlList>'
                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            iamAuthzResults: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
            assert.deepStrictEqual(err, errors.MalformedACLError);
            done();
        });
    });
    it('should return an error if invalid grantee user ID '
    + 'provided in ACL request body', done => {
        const testACLRequest = {
            bucketName,
            namespace,
            headers: { host: `${bucketName}.s3.amazonaws.com` },
            post: '<AccessControlPolicy xmlns='
                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
                  + '<Owner>'
                    + '<ID>79a59df900b949e55d96a1e698fbaced'
                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
                    + '<DisplayName>OwnerDisplayName</DisplayName>'
                  + '</Owner>'
                  + '<AccessControlList>'
                  + '<Grant>'
                    + '<Grantee xsi:type="CanonicalUser">'
                      + '<ID>invalid_id</ID>'
                    + '</Grantee>'
                    + '<Permission>READ_ACP</Permission>'
                  + '</Grant>'
                  + '</AccessControlList>'
                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        return bucketPutACL(authInfo, testACLRequest, log, err => {
@ -501,30 +538,31 @@ describe('putBucketACL API', () => {
        });
    });
-    it('should return an error if invalid email ' +
+    it('should return an error if invalid email '
-    'address provided in ACLs set out in request body', done => {
+    + 'address provided in ACLs set out in request body', done => {
        const testACLRequest = {
            bucketName,
            namespace,
            headers: { host: `${bucketName}.s3.amazonaws.com` },
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
            assert.deepStrictEqual(err, errors.UnresolvableGrantByEmailAddress);
@ -542,24 +580,25 @@ describe('putBucketACL API', () => {
            * "Grant" which is part of the s3 xml scheme for ACLs
            * so an error should be returned
            */
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<PowerGrant>' +
+                    + '<PowerGrant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</PowerGrant>' +
+                    + '</PowerGrant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -579,32 +618,33 @@ describe('putBucketACL API', () => {
            * "Grant" which is part of the s3 xml scheme for ACLs
            * so an error should be returned
            */
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="CanonicalUser">' +
+                      + '<Grantee xsi:type="CanonicalUser">'
-                        '<ID>79a59df900b949e55d96a1e698fbaced' +
+                        + '<ID>79a59df900b949e55d96a1e698fbaced'
-                        'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                        + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                        '<DisplayName>OwnerDisplayName</DisplayName>' +
+                        + '<DisplayName>OwnerDisplayName</DisplayName>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>FULL_CONTROL</Permission>' +
+                      + '<Permission>FULL_CONTROL</Permission>'
-                    '</Grant>' +
+                    + '</Grant>'
-                    '<PowerGrant>' +
+                    + '<PowerGrant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '</Grantee>' +
+                      + '</Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '</PowerGrant>' +
+                    + '</PowerGrant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -622,24 +662,25 @@ describe('putBucketACL API', () => {
            // so an error should be returned
            post: {
                '<AccessControlPolicy xmlns':
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '<Owner>' +
+                  + '<Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                    '<Grant>' +
+                    + '<Grant>'
-                      '<Grantee xsi:type="AmazonCustomerByEmail">' +
+                      + '<Grantee xsi:type="AmazonCustomerByEmail">'
-                        '<EmailAddress>xyz@amazon.com</EmailAddress>' +
+                        + '<EmailAddress>xyz@amazon.com</EmailAddress>'
-                      '<Grantee>' +
+                      + '<Grantee>'
-                      '<Permission>WRITE_ACP</Permission>' +
+                      + '<Permission>WRITE_ACP</Permission>'
-                    '<Grant>' +
+                    + '<Grant>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                '<AccessControlPolicy>',
+                + '<AccessControlPolicy>',
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -648,32 +689,33 @@ describe('putBucketACL API', () => {
        });
    });
-    it('should return an error if invalid group ' +
+    it('should return an error if invalid group '
-    'uri provided in ACLs set out in request body', done => {
+    + 'uri provided in ACLs set out in request body', done => {
        const testACLRequest = {
            bucketName,
            namespace,
            headers: { host: `${bucketName}.s3.amazonaws.com` },
            // URI in grant below is not valid group URI for s3
-            post: '<AccessControlPolicy xmlns=' +
+            post: '<AccessControlPolicy xmlns='
-                    '"http://s3.amazonaws.com/doc/2006-03-01/">' +
+                    + '"http://s3.amazonaws.com/doc/2006-03-01/">'
-                  '<Owner>' +
+                  + '<Owner>'
-                    '<ID>79a59df900b949e55d96a1e698fbaced' +
+                    + '<ID>79a59df900b949e55d96a1e698fbaced'
-                    'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>' +
+                    + 'fd6e09d98eacf8f8d5218e7cd47ef2be</ID>'
-                    '<DisplayName>OwnerDisplayName</DisplayName>' +
+                    + '<DisplayName>OwnerDisplayName</DisplayName>'
-                  '</Owner>' +
+                  + '</Owner>'
-                  '<AccessControlList>' +
+                  + '<AccessControlList>'
-                  '<Grant>' +
+                  + '<Grant>'
-                    '<Grantee xsi:type="Group">' +
+                    + '<Grantee xsi:type="Group">'
-                      '<URI>http://acs.amazonaws.com/groups/' +
+                      + '<URI>http://acs.amazonaws.com/groups/'
-                      'global/NOTAVALIDGROUP</URI>' +
+                      + 'global/NOTAVALIDGROUP</URI>'
-                    '</Grantee>' +
+                    + '</Grantee>'
-                    '<Permission>READ</Permission>' +
+                    + '<Permission>READ</Permission>'
-                  '</Grant>' +
+                  + '</Grant>'
-                  '</AccessControlList>' +
+                  + '</AccessControlList>'
-                '</AccessControlPolicy>',
+                + '</AccessControlPolicy>',
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
@ -682,19 +724,20 @@ describe('putBucketACL API', () => {
        });
    });
-    it('should return an error if invalid group uri' +
+    it('should return an error if invalid group uri'
-        'provided in ACL header request', done => {
+        + 'provided in ACL header request', done => {
        const testACLRequest = {
            bucketName,
            namespace,
            headers: {
                'host': `${bucketName}.s3.amazonaws.com`,
                'x-amz-grant-full-control':
-                    'uri="http://acs.amazonaws.com/groups/' +
+                    'uri="http://acs.amazonaws.com/groups/'
-                    'global/NOTAVALIDGROUP"',
+                    + 'global/NOTAVALIDGROUP"',
            },
            url: '/?acl',
            query: { acl: '' },
            actionImplicitDenies: false,
        };
        bucketPutACL(authInfo, testACLRequest, log, err => {
--- a/tests/unit/api/bucketPutCors.js
+++ b/tests/unit/api/bucketPutCors.js
@ -3,13 +3,13 @@ const { errors } = require('arsenal');
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const bucketPutCors = require('../../../lib/api/bucketPutCors');
-const { _validator, parseCorsXml }
+const { _validator, parseCorsXml } = require('../../../lib/api/apiUtils/bucket/bucketCors');
-    = require('../../../lib/api/apiUtils/bucket/bucketCors');
+const {
-const { cleanup,
+    cleanup,
    DummyRequestLogger,
    makeAuthInfo,
-    CorsConfigTester }
+    CorsConfigTester,
-    = require('../helpers');
+} = require('../helpers');
 const metadata = require('../../../lib/metadata/wrapper');
 const log = new DummyRequestLogger();
@ -19,6 +19,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 function _testPutBucketCors(authInfo, request, log, errCode, cb) {
@ -30,13 +31,13 @@ function _testPutBucketCors(authInfo, request, log, errCode, cb) {
 }
 function _generateSampleXml(value) {
-    const xml = '<CORSConfiguration>' +
+    const xml = '<CORSConfiguration>'
-    '<CORSRule>' +
+    + '<CORSRule>'
-    '<AllowedMethod>PUT</AllowedMethod>' +
+    + '<AllowedMethod>PUT</AllowedMethod>'
-    '<AllowedOrigin>www.example.com</AllowedOrigin>' +
+    + '<AllowedOrigin>www.example.com</AllowedOrigin>'
-    `${value}` +
+    + `${value}`
-    '</CORSRule>' +
+    + '</CORSRule>'
-    '</CORSConfiguration>';
+    + '</CORSConfiguration>';
    return xml;
 }
@ -125,8 +126,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
        it('should return MalformedXML if more than one ID per rule', done => {
            const testValue = 'testid';
-            const xml = _generateSampleXml(`<ID>${testValue}</ID>` +
+            const xml = _generateSampleXml(`<ID>${testValue}</ID>`
-            `<ID>${testValue}</ID>`);
+            + `<ID>${testValue}</ID>`);
            parseCorsXml(xml, log, err => {
                assert(err, 'Expected error but found none');
                assert.deepStrictEqual(err, errors.MalformedXML);
@ -157,8 +158,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
    describe('validateMaxAgeSeconds ', () => {
        it('should validate successfully for valid value', done => {
            const testValue = 60;
-            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` +
+            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
-                '</MaxAgeSeconds>');
+                + '</MaxAgeSeconds>');
            parseCorsXml(xml, log, (err, result) => {
                assert.strictEqual(err, null, `Found unexpected err ${err}`);
                assert.strictEqual(typeof result[0].maxAgeSeconds, 'number');
@ -167,12 +168,13 @@ describe('PUT bucket cors :: helper validation functions ', () => {
            });
        });
-        it('should return MalformedXML if more than one MaxAgeSeconds ' +
+        it('should return MalformedXML if more than one MaxAgeSeconds '
-        'per rule', done => {
+        + 'per rule', done => {
            const testValue = '60';
            const xml = _generateSampleXml(
-                `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>` +
+                `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`
-                `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`);
+                + `<MaxAgeSeconds>${testValue}</MaxAgeSeconds>`,
            );
            parseCorsXml(xml, log, err => {
                assert(err, 'Expected error but found none');
                assert.deepStrictEqual(err, errors.MalformedXML);
@ -182,8 +184,8 @@ describe('PUT bucket cors :: helper validation functions ', () => {
        it('should validate & return undefined if empty value', done => {
            const testValue = '';
-            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}` +
+            const xml = _generateSampleXml(`<MaxAgeSeconds>${testValue}`
-                '</MaxAgeSeconds>');
+                + '</MaxAgeSeconds>');
            parseCorsXml(xml, log, (err, result) => {
                assert.strictEqual(err, null, `Found unexpected err ${err}`);
                assert.strictEqual(result[0].MaxAgeSeconds, undefined);
--- a/tests/unit/api/bucketPutEncryption.js
+++ b/tests/unit/api/bucketPutEncryption.js
@ -14,6 +14,7 @@ const bucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 describe('bucketPutEncryption API', () => {
@ -32,7 +33,8 @@ describe('bucketPutEncryption API', () => {
        it('should reject a config with no Rule', done => {
            bucketPutEncryption(authInfo, templateRequest(bucketName,
-            { post: `<?xml version="1.0" encoding="UTF-8"?>
+                {
                    post: `<?xml version="1.0" encoding="UTF-8"?>
                <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
                </ServerSideEncryptionConfiguration>`,
                }), log, err => {
@ -43,7 +45,8 @@ describe('bucketPutEncryption API', () => {
        it('should reject a config with no ApplyServerSideEncryptionByDefault section', done => {
            bucketPutEncryption(authInfo, templateRequest(bucketName,
-            { post: `<?xml version="1.0" encoding="UTF-8"?>
+                {
                    post: `<?xml version="1.0" encoding="UTF-8"?>
                <ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
                <Rule></Rule>
                </ServerSideEncryptionConfiguration>`,
@ -155,8 +158,8 @@ describe('bucketPutEncryption API', () => {
            });
        });
-        it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, ' +
+        it('should update SSEAlgorithm if existing SSEAlgorithm is AES256, '
-            'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
+            + 'new SSEAlgorithm is aws:kms and no KMSMasterKeyID is provided',
        done => {
            const post = templateSSEConfig({ algorithm: 'AES256' });
            bucketPutEncryption(authInfo, templateRequest(bucketName, { post }), log, err => {
@ -177,8 +180,7 @@ describe('bucketPutEncryption API', () => {
                                });
                                done();
                            });
-                            }
+                        });
                        );
                });
            });
        });
--- a/tests/unit/api/bucketPutLifecycle.js
+++ b/tests/unit/api/bucketPutLifecycle.js
@ -17,6 +17,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const expectedLifecycleConfig = {
--- a/tests/unit/api/bucketPutNotification.js
+++ b/tests/unit/api/bucketPutNotification.js
@ -15,6 +15,7 @@ const bucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const expectedNotifConfig = {
@ -52,6 +53,7 @@ function getNotifRequest(empty) {
            host: `${bucketName}.s3.amazonaws.com`,
        },
        post: notifXml,
        actionImplicitDenies: false,
    };
    return putNotifConfigRequest;
 }
--- a/tests/unit/api/bucketPutObjectLock.js
+++ b/tests/unit/api/bucketPutObjectLock.js
@ -15,6 +15,7 @@ const bucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 const objectLockXml = '<ObjectLockConfiguration ' +
@ -30,6 +31,7 @@ const putObjLockRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    post: objectLockXml,
    actionImplicitDenies: false,
 };
 const expectedObjectLockConfig = {
--- a/tests/unit/api/bucketPutPolicy.js
+++ b/tests/unit/api/bucketPutPolicy.js
@ -15,6 +15,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 let expectedBucketPolicy = {};
@ -25,6 +26,7 @@ function getPolicyRequest(policy) {
            host: `${bucketName}.s3.amazonaws.com`,
        },
        post: JSON.stringify(policy),
        actionImplicitDenies: false,
    };
 }
@ -76,7 +78,7 @@ describe('putBucketPolicy API', () => {
        });
    });
-    it('should return error if policy contains conditions', done => {
+    it.skip('should return error if policy contains conditions', done => {
        expectedBucketPolicy.Statement[0].Condition =
            { StringEquals: { 's3:x-amz-acl': ['public-read'] } };
        bucketPutPolicy(authInfo, getPolicyRequest(expectedBucketPolicy), log,
--- a/tests/unit/api/bucketPutWebsite.js
+++ b/tests/unit/api/bucketPutWebsite.js
@ -19,6 +19,7 @@ const testBucketPutRequest = {
    bucketName,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 };
 function _getPutWebsiteRequest(xml) {
@ -29,6 +30,7 @@ function _getPutWebsiteRequest(xml) {
        },
        url: '/?website',
        query: { website: '' },
        actionImplicitDenies: false,
    };
    request.post = xml;
    return request;
--- a/tests/unit/api/deleteMarker.js
+++ b/tests/unit/api/deleteMarker.js
@ -28,6 +28,7 @@ const testPutBucketRequest = new DummyRequest({
    namespace,
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    url: '/',
    actionImplicitDenies: false,
 });
 const testDeleteRequest = new DummyRequest({
    bucketName,
@ -35,6 +36,7 @@ const testDeleteRequest = new DummyRequest({
    objectKey: objectName,
    headers: {},
    url: `/${bucketName}/${objectName}`,
    actionImplicitDenies: false,
 });
 function _createBucketPutVersioningReq(status) {
@ -45,6 +47,7 @@ function _createBucketPutVersioningReq(status) {
        },
        url: '/?versioning',
        query: { versioning: '' },
        actionImplicitDenies: false,
    };
    const xml = '<VersioningConfiguration ' +
    'xmlns="http://s3.amazonaws.com/doc/2006-03-01/">' +
@ -62,6 +65,7 @@ function _createMultiObjectDeleteRequest(numObjects) {
        },
        url: '/?delete',
        query: { delete: '' },
        actionImplicitDenies: false,
    };
    const xml = [];
    xml.push('<?xml version="1.0" encoding="UTF-8"?>');
--- a/tests/unit/api/deletedFlagBucket.js
+++ b/tests/unit/api/deletedFlagBucket.js
@ -58,11 +58,13 @@ const baseTestRequest = {
    post: '',
    headers: { host: `${bucketName}.s3.amazonaws.com` },
    query: {},
    actionImplicitDenies: false,
 };
 const serviceGetRequest = {
    parsedHost: 's3.amazonaws.com',
    headers: { host: 's3.amazonaws.com' },
    url: '/',
    actionImplicitDenies: false,
 };
 const userBucketOwner = 'admin';
@ -103,7 +105,6 @@ function confirmDeleted(done) {
    });
 }
 describe('deleted flag bucket handling', () => {
    beforeEach(done => {
        cleanup();
--- a/tests/unit/api/listMultipartUploads.js
+++ b/tests/unit/api/listMultipartUploads.js
@ -32,6 +32,7 @@ describe('listMultipartUploads API', () => {
        namespace,
        headers: {},
        url: `/${bucketName}`,
        actionImplicitDenies: false,
    };
    const testInitiateMPURequest1 = {
        bucketName,
@ -39,6 +40,7 @@ describe('listMultipartUploads API', () => {
        objectKey: objectName1,
        headers: {},
        url: `/${bucketName}/${objectName1}?uploads`,
        actionImplicitDenies: false,
    };
    const testInitiateMPURequest2 = {
        bucketName,
@ -46,6 +48,7 @@ describe('listMultipartUploads API', () => {
        objectKey: objectName2,
        headers: {},
        url: `/${bucketName}/${objectName2}?uploads`,
        actionImplicitDenies: false,
    };
    const testInitiateMPURequest3 = {
        bucketName,
@ -53,6 +56,7 @@ describe('listMultipartUploads API', () => {
        objectKey: objectName3,
        headers: {},
        url: `/${bucketName}/${objectName3}?uploads`,
        actionImplicitDenies: false,
    };
    it('should return the name of the common prefix ' +
@ -65,6 +69,7 @@ describe('listMultipartUploads API', () => {
            headers: { host: '/' },
            url: `/${bucketName}?uploads&delimiter=/&prefix=sub`,
            query: { delimiter, prefix },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -94,6 +99,7 @@ describe('listMultipartUploads API', () => {
            headers: { host: '/' },
            url: `/${bucketName}?uploads`,
            query: {},
            actionImplicitDenies: false,
        };
@ -127,6 +133,7 @@ describe('listMultipartUploads API', () => {
            headers: { host: '/' },
            url: `/${bucketName}?uploads`,
            query: { 'max-uploads': '1' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -163,6 +170,7 @@ describe('listMultipartUploads API', () => {
            headers: { host: '/' },
            url: `/${bucketName}?uploads`,
            query: { 'encoding-type': 'url' },
            actionImplicitDenies: false,
        };
        async.waterfall([
@ -195,6 +203,7 @@ describe('listMultipartUploads API', () => {
            headers: { host: '/' },
            url: `/${bucketName}?uploads`,
            query: { 'key-marker': objectName1 },
            actionImplicitDenies: false,
        };
        async.waterfall([
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Will Toozs	f817122415	REVISIT THIS COMMIT The code in this commit causes an error in the 'implicit deny iam policy with "Allow" bucket policy for User ARN' test for PutObject, giving an AccessDenied because the implicitDent is true. It seems worth re-evaluating the ACL expectations at this point.	2023-09-25 11:40:17 +02:00
Will Toozs	3773bcf61c	add evaluateBucketPolicyWithIAM omissions	2023-09-21 11:41:30 +02:00
Will Toozs	c82ce08fdb	permission fix: no allow on user from account by default	2023-09-19 11:00:34 +02:00
Will Toozs	9bf9130ca9	change variable name	2023-09-18 18:38:27 +02:00
Will Toozs	b4a986ec3a	fixup: remove skips	2023-09-18 18:38:27 +02:00
Will Toozs	8725888bbd	fixup: remove skips	2023-09-18 18:38:27 +02:00
Will Toozs	111ecf875b	CLDSRV-431: updatye other API impDeny test logic	2023-09-18 18:38:27 +02:00
Will Toozs	15ddc02c25	CLDSRV-431: implment other API impDeny logic	2023-09-18 18:38:26 +02:00
Will Toozs	482e6576b1	variable name change	2023-09-18 18:34:16 +02:00
Will Toozs	5f3fa488d5	fixup: skips	2023-09-18 18:34:16 +02:00
Will Toozs	e035d5550b	fixup: skips	2023-09-18 18:34:15 +02:00
Will Toozs	b119898ed1	CLDSRV-429: update get apis tests with impDenylogic	2023-09-18 18:34:15 +02:00
Will Toozs	e9d5c17707	CLDSRV-429: update get apis with impDeny logic	2023-09-18 18:34:15 +02:00
Will Toozs	a7ce187499	update variable name	2023-09-18 18:31:12 +02:00
Will Toozs	6f7b2d6638	fixup: skips	2023-09-18 18:31:12 +02:00
Will Toozs	f10cacb033	CLDSRV-430: update delete API tests for impDeny logic	2023-09-18 18:31:11 +02:00
Will Toozs	9bf18d806a	CLDSRV-430: add delete API implicit deny logic	2023-09-18 18:31:11 +02:00
Will Toozs	dfa80a41ed	update variable name	2023-09-18 18:28:35 +02:00
Will Toozs	9f753af13a	lint	2023-09-18 18:28:35 +02:00
Will Toozs	c214bb8ee1	lint	2023-09-18 18:28:34 +02:00
Will Toozs	3fcd479639	test skips	2023-09-18 18:28:34 +02:00
Will Toozs	1bb2f11f6c	lint	2023-09-18 18:28:34 +02:00
Will Toozs	bfe9d34547	skip irrelevant apis	2023-09-18 18:28:33 +02:00
Will Toozs	cc8f8a7213	api updates	2023-09-18 18:28:29 +02:00
Will Toozs	f53a8ea8c7	linting	2023-09-18 18:25:10 +02:00
Will Toozs	1d55be193a	fixup: missing constants change	2023-09-18 18:25:09 +02:00
Will Toozs	00ba0d9377	CLDSRV-428: put apis updated for implicit deny	2023-09-18 18:25:09 +02:00
Will Toozs	fe6578b276	change variable name	2023-09-18 18:24:09 +02:00
Will Toozs	da526b5092	fixup: retrocompatibility changes	2023-09-18 18:24:09 +02:00
Will Toozs	159906dc74	fixup: retrocompatibility changes	2023-09-18 18:24:09 +02:00
Will Toozs	3ff2b5e9ed	fixup: retrocompatibility changes	2023-09-18 18:24:08 +02:00
Will Toozs	f69f72363b	fixup: retrocompatibility changes	2023-09-18 18:24:08 +02:00
Will Toozs	7f9562bfda	fixup: lint	2023-09-18 18:24:08 +02:00
Will Toozs	c01898f1a0	CLDSRV-427: update bucket/object perm checks to account for implicit … …denies	2023-09-18 18:24:08 +02:00
Will Toozs	0f64e7c337	CLDSRV-426: add tests for ACL permission check updates	2023-09-18 18:23:45 +02:00
Will Toozs	de334d16e9	CLDSRV-426: update ACL permission checks for implicitDeny logic	2023-09-18 18:23:44 +02:00
Will Toozs	e99bb1e1cc	change variable names for clarity	2023-09-15 17:52:03 +02:00
Will Toozs	cd6320c432	edit: update arsenal package	2023-09-12 11:14:45 +02:00
Will Toozs	3bc66f8cea	CLDSRV-424: api call updated with implicit deny logic	2023-09-11 18:05:21 +02:00