Object locking need to persist the tags and set the headers (#6994)

* fix object locking read and write

No logic to include object lock metadata in HEAD/GET response headers
No logic to extract object lock metadata from PUT request headers

* add tests for object locking

* Update weed/s3api/s3api_object_handlers_put.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* refactor

* add unit tests

* sync versions

* Update s3_worm_integration_test.go

* fix legal hold values

* lint

* fix tests

* racing condition when enable versioning

* fix tests

* validate put object lock header

* allow check lock permissions for PUT

* default to OFF legal hold

* only set object lock headers for objects that are actually from object lock-enabled buckets

fix     --- FAIL: TestAddObjectLockHeadersToResponse/Handle_entry_with_no_object_lock_metadata (0.00s)

* address comments

* fix tests

* purge

* fix

* refactoring

* address comment

* address comment

* Update weed/s3api/s3api_object_handlers_put.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers_put.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update weed/s3api/s3api_object_handlers.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* avoid nil

* ensure locked objects cannot be overwritten

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

test/s3/retention/go.mod

@@ -1,31 +0,0 @@
-module github.com/seaweedfs/seaweedfs/test/s3/retention
-
-go 1.21
-
-require (
-	github.com/aws/aws-sdk-go-v2 v1.21.2
-	github.com/aws/aws-sdk-go-v2/config v1.18.45
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.43
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0
-	github.com/stretchr/testify v1.8.4
-)
-
-require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect
-	github.com/aws/smithy-go v1.15.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-)

test/s3/retention/go.sum

@@ -1,62 +0,0 @@
-github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=
-github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA=
-github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13 h1:OPLEkmhXf6xFPiz0bLeDArZIDx1NNS4oJyG4nv3Gct0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.13/go.mod h1:gpAbvyDGQFozTEmlTFO8XcQKHzubdq0LzRyJpG6MiXM=
-github.com/aws/aws-sdk-go-v2/config v1.18.45 h1:Aka9bI7n8ysuwPeFdm77nfbyHCAKQ3z9ghB3S/38zes=
-github.com/aws/aws-sdk-go-v2/config v1.18.45/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.4/go.mod h1:1PrKYwxTM+zjpw9Y41KFtoJCQrJ34Z47Y4VgVbfndjo=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 h1:wmGLw2i8ZTlHLw7a9ULGfQbuccw8uIiNr6sol5bFzc8=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6/go.mod h1:Q0Hq2X/NuL7z8b1Dww8rmOFl+jzusKEcyvkKspwdpyc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.14/go.mod h1:dDilntgHy9WnHXsh7dDtUPgHKEfTJIBUTHM8OWm0f/0=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.36/go.mod h1:lGnOkH9NJATw0XEPcAknFBj3zzNTEGRHtSw+CwC1YTg=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 h1:skaFGzv+3kA+v2BPKhuekeb1Hbb105+44r8ASC+q5SE=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38/go.mod h1:epIZoRSSbRIwLPJU5F+OldHhwZPBdpDeQkRdCeY3+00=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.4/go.mod h1:LhTyt8J04LL+9cIt7pYJ5lbS/U98ZmXovLOR/4LUsk8=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 h1:9ulSU5ClouoPIYhDQdg9tpl83d5Yb91PXTKK+17q+ow=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6/go.mod h1:lnc2taBsR9nTlz9meD+lhFZZ9EWY712QHrRflWpTcOA=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0 h1:wl5dxN1NONhTDQD9uaEvNsDRX29cBmGED/nl0jkWlt4=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.40.0/go.mod h1:rDGMZA7f4pbmTtPOk5v5UM2lmX6UAbRnMDJeDvnH7AM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k=
-github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ=
-github.com/aws/smithy-go v1.14.2/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8=
-github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

test/s3/retention/object_lock_reproduce_test.go

@@ -25,7 +25,7 @@ func TestReproduceObjectLockIssue(t *testing.T) {
 
 	createResp, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
 		Bucket:                     aws.String(bucketName),
-		ObjectLockEnabledForBucket: true, // This sets the x-amz-bucket-object-lock-enabled header
+		ObjectLockEnabledForBucket: aws.Bool(true), // This sets the x-amz-bucket-object-lock-enabled header
 	})
 
 	if err != nil {

test/s3/retention/object_lock_validation_test.go

@@ -26,7 +26,7 @@ func TestObjectLockValidation(t *testing.T) {
 	t.Log("\n1. Creating bucket with x-amz-bucket-object-lock-enabled: true")
 	_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
 		Bucket:                     aws.String(bucketName),
-		ObjectLockEnabledForBucket: true, // This sends x-amz-bucket-object-lock-enabled: true
+		ObjectLockEnabledForBucket: aws.Bool(true), // This sends x-amz-bucket-object-lock-enabled: true
 	})
 	require.NoError(t, err, "Bucket creation should succeed")
 	defer client.DeleteBucket(context.TODO(), &s3.DeleteBucketInput{Bucket: aws.String(bucketName)})

test/s3/retention/s3_bucket_object_lock_test.go

@@ -32,7 +32,7 @@ func TestBucketCreationWithObjectLockEnabled(t *testing.T) {
 		// This simulates what S3 clients do when testing Object Lock support
 		createResp, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
 			Bucket:                     aws.String(bucketName),
-			ObjectLockEnabledForBucket: true, // This should set x-amz-bucket-object-lock-enabled header
+			ObjectLockEnabledForBucket: aws.Bool(true), // This should set x-amz-bucket-object-lock-enabled header
 		})
 		require.NoError(t, err)
 		require.NotNil(t, createResp)
@@ -122,7 +122,7 @@ func TestS3ObjectLockWorkflow(t *testing.T) {
 	t.Run("ClientCreatesBucket", func(t *testing.T) {
 		_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
 			Bucket:                     aws.String(bucketName),
-			ObjectLockEnabledForBucket: true,
+			ObjectLockEnabledForBucket: aws.Bool(true),
 		})
 		require.NoError(t, err)
 	})

test/s3/retention/s3_object_lock_headers_test.go

@@ -0,0 +1,307 @@
+package retention
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestPutObjectWithLockHeaders tests that object lock headers in PUT requests
+// are properly stored and returned in HEAD responses
+func TestPutObjectWithLockHeaders(t *testing.T) {
+	client := getS3Client(t)
+	bucketName := getNewBucketName()
+
+	// Create bucket with object lock enabled and versioning
+	createBucketWithObjectLock(t, client, bucketName)
+	defer deleteBucket(t, client, bucketName)
+
+	key := "test-object-lock-headers"
+	content := "test content with object lock headers"
+	retainUntilDate := time.Now().Add(24 * time.Hour)
+
+	// Test 1: PUT with COMPLIANCE mode and retention date
+	t.Run("PUT with COMPLIANCE mode", func(t *testing.T) {
+		testKey := key + "-compliance"
+
+		// PUT object with lock headers
+		putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
+			"COMPLIANCE", retainUntilDate, "")
+		require.NotNil(t, putResp.VersionId)
+
+		// HEAD object and verify lock headers are returned
+		headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
+			Bucket: aws.String(bucketName),
+			Key:    aws.String(testKey),
+		})
+		require.NoError(t, err)
+
+		// Verify object lock metadata is present in response
+		assert.Equal(t, types.ObjectLockModeCompliance, headResp.ObjectLockMode)
+		assert.NotNil(t, headResp.ObjectLockRetainUntilDate)
+		assert.WithinDuration(t, retainUntilDate, *headResp.ObjectLockRetainUntilDate, 5*time.Second)
+	})
+
+	// Test 2: PUT with GOVERNANCE mode and retention date
+	t.Run("PUT with GOVERNANCE mode", func(t *testing.T) {
+		testKey := key + "-governance"
+
+		putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
+			"GOVERNANCE", retainUntilDate, "")
+		require.NotNil(t, putResp.VersionId)
+
+		headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
+			Bucket: aws.String(bucketName),
+			Key:    aws.String(testKey),
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, types.ObjectLockModeGovernance, headResp.ObjectLockMode)
+		assert.NotNil(t, headResp.ObjectLockRetainUntilDate)
+		assert.WithinDuration(t, retainUntilDate, *headResp.ObjectLockRetainUntilDate, 5*time.Second)
+	})
+
+	// Test 3: PUT with legal hold
+	t.Run("PUT with legal hold", func(t *testing.T) {
+		testKey := key + "-legal-hold"
+
+		putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
+			"", time.Time{}, "ON")
+		require.NotNil(t, putResp.VersionId)
+
+		headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
+			Bucket: aws.String(bucketName),
+			Key:    aws.String(testKey),
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, types.ObjectLockLegalHoldStatusOn, headResp.ObjectLockLegalHoldStatus)
+	})
+
+	// Test 4: PUT with both retention and legal hold
+	t.Run("PUT with both retention and legal hold", func(t *testing.T) {
+		testKey := key + "-both"
+
+		putResp := putObjectWithLockHeaders(t, client, bucketName, testKey, content,
+			"GOVERNANCE", retainUntilDate, "ON")
+		require.NotNil(t, putResp.VersionId)
+
+		headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
+			Bucket: aws.String(bucketName),
+			Key:    aws.String(testKey),
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, types.ObjectLockModeGovernance, headResp.ObjectLockMode)
+		assert.NotNil(t, headResp.ObjectLockRetainUntilDate)
+		assert.Equal(t, types.ObjectLockLegalHoldStatusOn, headResp.ObjectLockLegalHoldStatus)
+	})
+}
+
+// TestGetObjectWithLockHeaders verifies that GET requests also return object lock metadata
+func TestGetObjectWithLockHeaders(t *testing.T) {
+	client := getS3Client(t)
+	bucketName := getNewBucketName()
+
+	createBucketWithObjectLock(t, client, bucketName)
+	defer deleteBucket(t, client, bucketName)
+
+	key := "test-get-object-lock"
+	content := "test content for GET with lock headers"
+	retainUntilDate := time.Now().Add(24 * time.Hour)
+
+	// PUT object with lock headers
+	putResp := putObjectWithLockHeaders(t, client, bucketName, key, content,
+		"COMPLIANCE", retainUntilDate, "ON")
+	require.NotNil(t, putResp.VersionId)
+
+	// GET object and verify lock headers are returned
+	getResp, err := client.GetObject(context.TODO(), &s3.GetObjectInput{
+		Bucket: aws.String(bucketName),
+		Key:    aws.String(key),
+	})
+	require.NoError(t, err)
+	defer getResp.Body.Close()
+
+	// Verify object lock metadata is present in GET response
+	assert.Equal(t, types.ObjectLockModeCompliance, getResp.ObjectLockMode)
+	assert.NotNil(t, getResp.ObjectLockRetainUntilDate)
+	assert.WithinDuration(t, retainUntilDate, *getResp.ObjectLockRetainUntilDate, 5*time.Second)
+	assert.Equal(t, types.ObjectLockLegalHoldStatusOn, getResp.ObjectLockLegalHoldStatus)
+}
+
+// TestVersionedObjectLockHeaders tests object lock headers work with versioned objects
+func TestVersionedObjectLockHeaders(t *testing.T) {
+	client := getS3Client(t)
+	bucketName := getNewBucketName()
+
+	createBucketWithObjectLock(t, client, bucketName)
+	defer deleteBucket(t, client, bucketName)
+
+	key := "test-versioned-lock"
+	content1 := "version 1 content"
+	content2 := "version 2 content"
+	retainUntilDate1 := time.Now().Add(12 * time.Hour)
+	retainUntilDate2 := time.Now().Add(24 * time.Hour)
+
+	// PUT first version with GOVERNANCE mode
+	putResp1 := putObjectWithLockHeaders(t, client, bucketName, key, content1,
+		"GOVERNANCE", retainUntilDate1, "")
+	require.NotNil(t, putResp1.VersionId)
+
+	// PUT second version with COMPLIANCE mode
+	putResp2 := putObjectWithLockHeaders(t, client, bucketName, key, content2,
+		"COMPLIANCE", retainUntilDate2, "ON")
+	require.NotNil(t, putResp2.VersionId)
+	require.NotEqual(t, *putResp1.VersionId, *putResp2.VersionId)
+
+	// HEAD latest version (version 2)
+	headResp, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
+		Bucket: aws.String(bucketName),
+		Key:    aws.String(key),
+	})
+	require.NoError(t, err)
+	assert.Equal(t, types.ObjectLockModeCompliance, headResp.ObjectLockMode)
+	assert.Equal(t, types.ObjectLockLegalHoldStatusOn, headResp.ObjectLockLegalHoldStatus)
+
+	// HEAD specific version 1
+	headResp1, err := client.HeadObject(context.TODO(), &s3.HeadObjectInput{
+		Bucket:    aws.String(bucketName),
+		Key:       aws.String(key),
+		VersionId: putResp1.VersionId,
+	})
+	require.NoError(t, err)
+	assert.Equal(t, types.ObjectLockModeGovernance, headResp1.ObjectLockMode)
+	assert.NotEqual(t, types.ObjectLockLegalHoldStatusOn, headResp1.ObjectLockLegalHoldStatus)
+}
+
+// TestObjectLockHeadersErrorCases tests various error scenarios
+func TestObjectLockHeadersErrorCases(t *testing.T) {
+	client := getS3Client(t)
+	bucketName := getNewBucketName()
+
+	createBucketWithObjectLock(t, client, bucketName)
+	defer deleteBucket(t, client, bucketName)
+
+	key := "test-error-cases"
+	content := "test content for error cases"
+
+	// Test 1: Invalid retention mode should be rejected
+	t.Run("Invalid retention mode", func(t *testing.T) {
+		_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
+			Bucket:                    aws.String(bucketName),
+			Key:                       aws.String(key + "-invalid-mode"),
+			Body:                      strings.NewReader(content),
+			ObjectLockMode:            "INVALID_MODE", // Invalid mode
+			ObjectLockRetainUntilDate: aws.Time(time.Now().Add(24 * time.Hour)),
+		})
+		require.Error(t, err)
+	})
+
+	// Test 2: Retention date in the past should be rejected
+	t.Run("Past retention date", func(t *testing.T) {
+		_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
+			Bucket:                    aws.String(bucketName),
+			Key:                       aws.String(key + "-past-date"),
+			Body:                      strings.NewReader(content),
+			ObjectLockMode:            "GOVERNANCE",
+			ObjectLockRetainUntilDate: aws.Time(time.Now().Add(-24 * time.Hour)), // Past date
+		})
+		require.Error(t, err)
+	})
+
+	// Test 3: Mode without date should be rejected
+	t.Run("Mode without retention date", func(t *testing.T) {
+		_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
+			Bucket:         aws.String(bucketName),
+			Key:            aws.String(key + "-no-date"),
+			Body:           strings.NewReader(content),
+			ObjectLockMode: "GOVERNANCE",
+			// Missing ObjectLockRetainUntilDate
+		})
+		require.Error(t, err)
+	})
+}
+
+// TestObjectLockHeadersNonVersionedBucket tests that object lock fails on non-versioned buckets
+func TestObjectLockHeadersNonVersionedBucket(t *testing.T) {
+	client := getS3Client(t)
+	bucketName := getNewBucketName()
+
+	// Create regular bucket without object lock/versioning
+	createBucket(t, client, bucketName)
+	defer deleteBucket(t, client, bucketName)
+
+	key := "test-non-versioned"
+	content := "test content"
+	retainUntilDate := time.Now().Add(24 * time.Hour)
+
+	// Attempting to PUT with object lock headers should fail
+	_, err := client.PutObject(context.TODO(), &s3.PutObjectInput{
+		Bucket:                    aws.String(bucketName),
+		Key:                       aws.String(key),
+		Body:                      strings.NewReader(content),
+		ObjectLockMode:            "GOVERNANCE",
+		ObjectLockRetainUntilDate: aws.Time(retainUntilDate),
+	})
+	require.Error(t, err)
+}
+
+// Helper Functions
+
+// putObjectWithLockHeaders puts an object with object lock headers
+func putObjectWithLockHeaders(t *testing.T, client *s3.Client, bucketName, key, content string,
+	mode string, retainUntilDate time.Time, legalHold string) *s3.PutObjectOutput {
+
+	input := &s3.PutObjectInput{
+		Bucket: aws.String(bucketName),
+		Key:    aws.String(key),
+		Body:   strings.NewReader(content),
+	}
+
+	// Add retention mode and date if specified
+	if mode != "" {
+		switch mode {
+		case "COMPLIANCE":
+			input.ObjectLockMode = types.ObjectLockModeCompliance
+		case "GOVERNANCE":
+			input.ObjectLockMode = types.ObjectLockModeGovernance
+		}
+		if !retainUntilDate.IsZero() {
+			input.ObjectLockRetainUntilDate = aws.Time(retainUntilDate)
+		}
+	}
+
+	// Add legal hold if specified
+	if legalHold != "" {
+		switch legalHold {
+		case "ON":
+			input.ObjectLockLegalHoldStatus = types.ObjectLockLegalHoldStatusOn
+		case "OFF":
+			input.ObjectLockLegalHoldStatus = types.ObjectLockLegalHoldStatusOff
+		}
+	}
+
+	resp, err := client.PutObject(context.TODO(), input)
+	require.NoError(t, err)
+	return resp
+}
+
+// createBucketWithObjectLock creates a bucket with object lock enabled
+func createBucketWithObjectLock(t *testing.T, client *s3.Client, bucketName string) {
+	_, err := client.CreateBucket(context.TODO(), &s3.CreateBucketInput{
+		Bucket:                     aws.String(bucketName),
+		ObjectLockEnabledForBucket: aws.Bool(true),
+	})
+	require.NoError(t, err)
+
+	// Enable versioning (required for object lock)
+	enableVersioning(t, client, bucketName)
+}

test/s3/retention/s3_retention_test.go

@@ -160,10 +160,10 @@ func deleteAllObjectVersions(t *testing.T, client *s3.Client, bucketName string)
 		if len(objectsToDelete) > 0 {
 			_, err := client.DeleteObjects(context.TODO(), &s3.DeleteObjectsInput{
 				Bucket:                    aws.String(bucketName),
-				BypassGovernanceRetention: true,
+				BypassGovernanceRetention: aws.Bool(true),
 				Delete: &types.Delete{
 					Objects: objectsToDelete,
-					Quiet:   true,
+					Quiet:   aws.Bool(true),
 				},
 			})
 			if err != nil {
@@ -174,7 +174,7 @@ func deleteAllObjectVersions(t *testing.T, client *s3.Client, bucketName string)
 						Bucket:                    aws.String(bucketName),
 						Key:                       obj.Key,
 						VersionId:                 obj.VersionId,
-						BypassGovernanceRetention: true,
+						BypassGovernanceRetention: aws.Bool(true),
 					})
 					if delErr != nil {
 						t.Logf("Warning: failed to delete object %s@%s: %v", *obj.Key, *obj.VersionId, delErr)
@@ -277,7 +277,7 @@ func TestBasicRetentionWorkflow(t *testing.T) {
 	_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
 		Bucket:                    aws.String(bucketName),
 		Key:                       aws.String(key),
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 	})
 	require.NoError(t, err)
 }
@@ -322,7 +322,7 @@ func TestRetentionModeCompliance(t *testing.T) {
 	_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
 		Bucket:                    aws.String(bucketName),
 		Key:                       aws.String(key),
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 	})
 	require.Error(t, err)
 
@@ -420,7 +420,7 @@ func TestObjectLockConfiguration(t *testing.T) {
 			Rule: &types.ObjectLockRule{
 				DefaultRetention: &types.DefaultRetention{
 					Mode: types.ObjectLockRetentionModeGovernance,
-					Days: 30,
+					Days: aws.Int32(30),
 				},
 			},
 		},
@@ -513,7 +513,7 @@ func TestRetentionWithVersions(t *testing.T) {
 		Bucket:                    aws.String(bucketName),
 		Key:                       aws.String(key),
 		VersionId:                 putResp1.VersionId,
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 	})
 	require.NoError(t, err)
 }
@@ -562,7 +562,7 @@ func TestRetentionAndLegalHoldCombination(t *testing.T) {
 	_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
 		Bucket:                    aws.String(bucketName),
 		Key:                       aws.String(key),
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 	})
 	require.Error(t, err)
 
@@ -580,7 +580,7 @@ func TestRetentionAndLegalHoldCombination(t *testing.T) {
 	_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
 		Bucket:                    aws.String(bucketName),
 		Key:                       aws.String(key),
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 	})
 	require.NoError(t, err)
 }

test/s3/retention/s3_worm_integration_test.go

@@ -53,7 +53,7 @@ func TestWORMRetentionIntegration(t *testing.T) {
 	_, err = client.DeleteObject(context.TODO(), &s3.DeleteObjectInput{
 		Bucket:                    aws.String(bucketName),
 		Key:                       aws.String(key),
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 	})
 	require.NoError(t, err)
 }
@@ -190,7 +190,7 @@ func TestRetentionBulkOperations(t *testing.T) {
 		Bucket: aws.String(bucketName),
 		Delete: &types.Delete{
 			Objects: objectsToDelete,
-			Quiet:   false,
+			Quiet:   aws.Bool(false),
 		},
 	})
 
@@ -209,10 +209,10 @@ func TestRetentionBulkOperations(t *testing.T) {
 	// Try bulk delete with bypass - should succeed
 	_, err = client.DeleteObjects(context.TODO(), &s3.DeleteObjectsInput{
 		Bucket:                    aws.String(bucketName),
-		BypassGovernanceRetention: true,
+		BypassGovernanceRetention: aws.Bool(true),
 		Delete: &types.Delete{
 			Objects: objectsToDelete,
-			Quiet:   false,
+			Quiet:   aws.Bool(false),
 		},
 	})
 	if err != nil {
@@ -246,7 +246,7 @@ func TestRetentionWithMultipartUpload(t *testing.T) {
 	uploadResp, err := client.UploadPart(context.TODO(), &s3.UploadPartInput{
 		Bucket:     aws.String(bucketName),
 		Key:        aws.String(key),
-		PartNumber: 1,
+		PartNumber: aws.Int32(1),
 		UploadId:   uploadId,
 		Body:       strings.NewReader(partContent),
 	})
@@ -261,7 +261,7 @@ func TestRetentionWithMultipartUpload(t *testing.T) {
 			Parts: []types.CompletedPart{
 				{
 					ETag:       uploadResp.ETag,
-					PartNumber: 1,
+					PartNumber: aws.Int32(1),
 				},
 			},
 		},
@@ -415,7 +415,7 @@ func TestRetentionBucketDefaults(t *testing.T) {
 			Rule: &types.ObjectLockRule{
 				DefaultRetention: &types.DefaultRetention{
 					Mode: types.ObjectLockRetentionModeGovernance,
-					Days: 1, // 1 day default
+					Days: aws.Int32(1), // 1 day default
 				},
 			},
 		},