feat: implementes unit tests for all the bucket action controllers.

2026-01-07 04:06:23 +00:00 · 2025-07-07 21:23:27 +04:00
parent 65cd44aadd
commit 866b07b98f
13 changed files with 2931 additions and 26 deletions
--- a/s3api/controllers/base_test.go
+++ b/s3api/controllers/base_test.go
@@ -0,0 +1,150 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"bytes"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"path"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+var (
+	defaultLocals map[utils.ContextKey]any = map[utils.ContextKey]any{
+		utils.ContextKeyIsRoot: true,
+		utils.ContextKeyParsedAcl: auth.ACL{
+			Owner: "root",
+		},
+		utils.ContextKeyAccount: auth.Account{
+			Access: "root",
+			Role:   auth.RoleAdmin,
+		},
+	}
+
+	accessDeniedLocals map[utils.ContextKey]any = map[utils.ContextKey]any{
+		utils.ContextKeyIsRoot: false,
+		utils.ContextKeyParsedAcl: auth.ACL{
+			Owner: "root",
+		},
+		utils.ContextKeyAccount: auth.Account{
+			Access: "user",
+			Role:   auth.RoleUser,
+		},
+	}
+)
+
+type testInput struct {
+	bucket       string
+	object       string
+	body         []byte
+	locals       map[utils.ContextKey]any
+	headers      map[string]string
+	queries      map[string]string
+	beRes        any
+	beErr        error
+	extraMockErr error
+}
+
+type testOutput struct {
+	response *Response
+	err      error
+}
+
+type ctxInputs struct {
+	bucket  string
+	object  string
+	body    []byte
+	locals  map[utils.ContextKey]any
+	headers map[string]string
+	queries map[string]string
+}
+
+func testController(t *testing.T, ctrl Controller, resp *Response, expectedErr error, input ctxInputs) {
+	app := fiber.New()
+
+	app.Post("/:bucket/*", func(ctx *fiber.Ctx) error {
+		// set the request body
+		ctx.Request().SetBody(input.body)
+		// set the request locals
+		if input.locals != nil {
+			for key, local := range input.locals {
+				key.Set(ctx, local)
+			}
+		}
+
+		// call the controller by passing the ctx
+		res, err := ctrl(ctx)
+		assert.Equal(t, resp, res)
+		if expectedErr != nil {
+			assert.Error(t, err)
+
+			switch expectedErr.(type) {
+			case s3err.APIError:
+				assert.EqualValues(t, expectedErr, err)
+			default:
+				assert.ErrorContains(t, err, expectedErr.Error())
+			}
+		} else {
+			assert.NoError(t, err)
+		}
+
+		return nil
+	})
+
+	req := buildRequest(input.bucket, input.object, input.body, input.headers, input.queries)
+
+	_, err := app.Test(req)
+	assert.NoError(t, err)
+}
+
+func buildRequest(bucket, object string, body []byte, headers, queries map[string]string) *http.Request {
+	if bucket == "" {
+		bucket = "bucket"
+	}
+	if object == "" {
+		object = "object"
+	}
+	uri := url.URL{
+		Path: "/" + path.Join(bucket, object),
+	}
+
+	// set the request query params
+	if queries != nil {
+		q := uri.Query()
+		for key, val := range queries {
+			q.Set(key, val)
+		}
+
+		uri.RawQuery = q.Encode()
+	}
+
+	// create a new request
+	req := httptest.NewRequest(http.MethodPost, uri.String(), bytes.NewReader(body))
+
+	// set the request headers
+	for key, val := range headers {
+		req.Header.Add(key, val)
+	}
+
+	return req
+}
--- a/s3api/controllers/bucket-delete_test.go
+++ b/s3api/controllers/bucket-delete_test.go
@@ -0,0 +1,411 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_DeleteBucketTagging(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrAclNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAclNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketTaggingFunc: func(_ context.Context, _ string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketOwnershipControls(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketOwnershipControlsFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketOwnershipControls,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketPolicy(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketPolicy,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucketCors(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAdminMethodNotSupported),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketCorsFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucketCors,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_DeleteBucket(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidDigest),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteBucketFunc: func(contextMoqParam context.Context, bucket string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteBucket,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-get_test.go
+++ b/s3api/controllers/bucket-get_test.go
--- a/s3api/controllers/bucket-head_test.go
+++ b/s3api/controllers/bucket-head_test.go
@@ -0,0 +1,136 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+)
+
+func TestS3ApiController_HeadBucket(t *testing.T) {
+	region := "us-east-1"
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: false,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "user",
+						Role:   auth.RoleUser,
+					},
+					utils.ContextKeyRegion: region,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: true,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "root",
+						Role:   auth.RoleAdmin,
+					},
+					utils.ContextKeyRegion: region,
+				},
+				beErr: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidAccessKeyID),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyIsRoot: true,
+					utils.ContextKeyParsedAcl: auth.ACL{
+						Owner: "root",
+					},
+					utils.ContextKeyAccount: auth.Account{
+						Access: "root",
+						Role:   auth.RoleAdmin,
+					},
+					utils.ContextKeyRegion: region,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Headers: map[string]*string{
+						"X-Amz-Access-Point-Alias": utils.GetStringPtr("false"),
+						"X-Amz-Bucket-Region":      utils.GetStringPtr(region),
+					},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				HeadBucketFunc: func(contextMoqParam context.Context, headBucketInput *s3.HeadBucketInput) (*s3.HeadBucketOutput, error) {
+					return &s3.HeadBucketOutput{}, tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.HeadBucket,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-list.go
+++ b/s3api/controllers/bucket-list.go
@@ -29,7 +29,6 @@ func (c S3ApiController) ListBuckets(ctx *fiber.Ctx) (*Response, error) {
 	cToken := ctx.Query("continuation-token")
 	prefix := ctx.Query("prefix")
 	maxBucketsStr := ctx.Query("max-buckets")
-
 	acct := utils.ContextKeyAccount.Get(ctx).(auth.Account)

 	var maxBuckets int32 = 10000
--- a/s3api/controllers/bucket-list_test.go
+++ b/s3api/controllers/bucket-list_test.go
@@ -0,0 +1,112 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_ListBuckets(t *testing.T) {
+	validRes := s3response.ListAllMyBucketsResult{
+		Owner: s3response.CanonicalUser{
+			ID: "root",
+		},
+		Buckets: s3response.ListAllMyBucketsList{
+			Bucket: []s3response.ListAllMyBucketsEntry{
+				{Name: "test"},
+			},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "invalid max buckets",
+			input: testInput{
+				locals: defaultLocals,
+				queries: map[string]string{
+					"max-buckets": "-1",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidMaxBuckets),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					Data:     validRes,
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				beRes:  validRes,
+				queries: map[string]string{
+					"max-buckets": "3",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					Data:     validRes,
+					MetaOpts: &MetaOptions{},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				ListBucketsFunc: func(contextMoqParam context.Context, listBucketsInput s3response.ListBucketsInput) (s3response.ListAllMyBucketsResult, error) {
+					return tt.input.beRes.(s3response.ListAllMyBucketsResult), tt.input.beErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.ListBuckets,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					queries: tt.input.queries,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-post.go
+++ b/s3api/controllers/bucket-post.go
@@ -37,19 +37,7 @@ func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) (*Response, error) {
 	parsedAcl := utils.ContextKeyParsedAcl.Get(ctx).(auth.ACL)
 	IsBucketPublic := utils.ContextKeyPublicBucket.IsSet(ctx)

-	var dObj s3response.DeleteObjects
-
-	err := xml.Unmarshal(ctx.Body(), &dObj)
-	if err != nil {
-		debuglogger.Logf("error unmarshalling delete objects: %v", err)
-		return &Response{
-			MetaOpts: &MetaOptions{
-				BucketOwner: parsedAcl.Owner,
-			},
-		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
-	}
-
-	err = auth.VerifyAccess(ctx.Context(), c.be,
+	err := auth.VerifyAccess(ctx.Context(), c.be,
 		auth.AccessOptions{
 			Readonly:       c.readonly,
 			Acl:            parsedAcl,
@@ -68,6 +56,17 @@ func (c S3ApiController) DeleteObjects(ctx *fiber.Ctx) (*Response, error) {
 		}, err
 	}

+	var dObj s3response.DeleteObjects
+	err = xml.Unmarshal(ctx.Body(), &dObj)
+	if err != nil {
+		debuglogger.Logf("error unmarshalling delete objects: %v", err)
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrInvalidRequest)
+	}
+
 	err = auth.CheckObjectAccess(ctx.Context(), bucket, acct.Access, dObj.Objects, bypass, IsBucketPublic, c.be)
 	if err != nil {
 		return &Response{
--- a/s3api/controllers/bucket-post_test.go
+++ b/s3api/controllers/bucket-post_test.go
@@ -0,0 +1,165 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/xml"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3event"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_DeleteObjects(t *testing.T) {
+	validBody, err := xml.Marshal(s3response.DeleteObjects{
+		Objects: []types.ObjectIdentifier{
+			{Key: utils.GetStringPtr("obj")},
+		},
+	})
+	assert.NoError(t, err)
+
+	validRes := s3response.DeleteResult{
+		Deleted: []types.DeletedObject{
+			{Key: utils.GetStringPtr("key")},
+		},
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "check object access returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrObjectLocked),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals:       defaultLocals,
+				beRes:        s3response.DeleteResult{},
+				beErr:        s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				body:         validBody,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: s3response.DeleteResult{},
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRemovedDeleteObjects,
+						ObjectCount: 1,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals:       defaultLocals,
+				body:         validBody,
+				beRes:        validRes,
+				extraMockErr: s3err.GetAPIError(s3err.ErrObjectLockConfigurationNotFound),
+			},
+			output: testOutput{
+				response: &Response{
+					Data: validRes,
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						EventName:   s3event.EventObjectRemovedDeleteObjects,
+						ObjectCount: 1,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				DeleteObjectsFunc: func(contextMoqParam context.Context, deleteObjectsInput *s3.DeleteObjectsInput) (s3response.DeleteResult, error) {
+					return tt.input.beRes.(s3response.DeleteResult), tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+				GetObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, tt.input.extraMockErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.DeleteObjects,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
--- a/s3api/controllers/bucket-put_test.go
+++ b/s3api/controllers/bucket-put_test.go
@@ -0,0 +1,813 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package controllers
+
+import (
+	"context"
+	"encoding/xml"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/versity/versitygw/auth"
+	"github.com/versity/versitygw/s3api/utils"
+	"github.com/versity/versitygw/s3err"
+	"github.com/versity/versitygw/s3response"
+)
+
+func TestS3ApiController_PutBucketTagging(t *testing.T) {
+	validTaggingBody, err := xml.Marshal(s3response.TaggingInput{
+		TagSet: s3response.TagSet{
+			Tags: []s3response.Tag{
+				{
+					Key:   "key",
+					Value: "val",
+				},
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "backend returns error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+				body:   validTaggingBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "successful response",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validTaggingBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+						Status:      http.StatusNoContent,
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				PutBucketTaggingFunc: func(contextMoqParam context.Context, bucket string, tags map[string]string) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(
+				t,
+				ctrl.PutBucketTagging,
+				tt.output.response,
+				tt.output.err,
+				ctxInputs{
+					locals: tt.input.locals,
+					body:   tt.input.body,
+				})
+		})
+	}
+}
+
+func TestS3ApiController_PutBucketOwnershipControls(t *testing.T) {
+	validOwnershipBody, err := xml.Marshal(
+		s3response.OwnershipControls{
+			Rules: []types.OwnershipControlsRule{
+				{ObjectOwnership: types.ObjectOwnershipBucketOwnerEnforced},
+			},
+		})
+	assert.NoError(t, err)
+
+	invalidRuleCountBody, err := xml.Marshal(
+		s3response.OwnershipControls{
+			Rules: []types.OwnershipControlsRule{
+				{ObjectOwnership: types.ObjectOwnershipBucketOwnerEnforced},
+				{ObjectOwnership: types.ObjectOwnershipBucketOwnerPreferred},
+			},
+		},
+	)
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "invalid rules count",
+			input: testInput{
+				locals: defaultLocals,
+				body:   invalidRuleCountBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "backend error",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validOwnershipBody,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "success",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validOwnershipBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				PutBucketOwnershipControlsFunc: func(contextMoqParam context.Context, bucket string, ownership types.ObjectOwnership) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(t, ctrl.PutBucketOwnershipControls, tt.output.response, tt.output.err, ctxInputs{
+				locals: tt.input.locals,
+				body:   tt.input.body,
+			})
+		})
+	}
+}
+
+func TestS3ApiController_PutBucketVersioning(t *testing.T) {
+	validVersioningBody, err := xml.Marshal(
+		types.VersioningConfiguration{
+			Status: types.BucketVersioningStatusEnabled,
+		},
+	)
+	assert.NoError(t, err)
+
+	invalidVersioningStatusBody, err := xml.Marshal(
+		types.VersioningConfiguration{
+			Status: types.BucketVersioningStatus("invalid_status"),
+		},
+	)
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidRequest),
+			},
+		},
+		{
+			name: "invalid rules count",
+			input: testInput{
+				locals: defaultLocals,
+				body:   invalidVersioningStatusBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "backend error",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validVersioningBody,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "success",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validVersioningBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				PutBucketVersioningFunc: func(contextMoqParam context.Context, bucket string, status types.BucketVersioningStatus) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(t, ctrl.PutBucketVersioning, tt.output.response, tt.output.err, ctxInputs{
+				locals: tt.input.locals,
+				body:   tt.input.body,
+			})
+		})
+	}
+}
+
+func TestS3ApiController_PutObjectLockConfiguration(t *testing.T) {
+	validLockBody, err := xml.Marshal(
+		types.ObjectLockConfiguration{
+			ObjectLockEnabled: types.ObjectLockEnabledEnabled,
+		},
+	)
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid request body",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrMalformedXML),
+			},
+		},
+		{
+			name: "backend error",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validLockBody,
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "success",
+			input: testInput{
+				locals: defaultLocals,
+				body:   validLockBody,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				PutObjectLockConfigurationFunc: func(contextMoqParam context.Context, bucket string, config []byte) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(t, ctrl.PutObjectLockConfiguration, tt.output.response, tt.output.err, ctxInputs{
+				locals: tt.input.locals,
+				body:   tt.input.body,
+			})
+		})
+	}
+}
+
+func TestS3ApiController_PutBucketCors(t *testing.T) {
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "backend error",
+			input: testInput{
+				locals: defaultLocals,
+				beErr:  s3err.GetAPIError(s3err.ErrNotImplemented),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrNotImplemented),
+			},
+		},
+		{
+			name: "success",
+			input: testInput{
+				locals: defaultLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				PutBucketCorsFunc: func(contextMoqParam context.Context, bytes []byte) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(t, ctrl.PutBucketCors, tt.output.response, tt.output.err, ctxInputs{
+				locals: tt.input.locals,
+			})
+		})
+	}
+}
+
+func TestS3ApiController_PutBucketPolicy(t *testing.T) {
+	validPolicyDocument :=
+		`{
+			"Version": "2012-10-17",
+			"Statement": [
+				{
+				"Sid": "PublicReadGetObject",
+				"Effect": "Allow",
+				"Principal": "*",
+				"Action": "s3:GetObject",
+				"Resource": "arn:aws:s3:::bucket/*"
+				}
+			]
+		}`
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "verify access fails",
+			input: testInput{
+				locals: accessDeniedLocals,
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid policy document",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte("invalid_body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.APIError{
+					Code:           "MalformedPolicy",
+					Description:    "Policies must be valid JSON and the first byte must be '{'",
+					HTTPStatusCode: http.StatusBadRequest,
+				},
+			},
+		},
+		{
+			name: "backend error",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte(validPolicyDocument),
+				beErr:  s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: "root"},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "success",
+			input: testInput{
+				locals: defaultLocals,
+				body:   []byte(validPolicyDocument),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				PutBucketPolicyFunc: func(contextMoqParam context.Context, bucket string, policy []byte) error {
+					return tt.input.beErr
+				},
+				GetBucketPolicyFunc: func(contextMoqParam context.Context, bucket string) ([]byte, error) {
+					return nil, s3err.GetAPIError(s3err.ErrAccessDenied)
+				},
+			}
+
+			ctrl := S3ApiController{
+				be: be,
+			}
+
+			testController(t, ctrl.PutBucketPolicy, tt.output.response, tt.output.err, ctxInputs{
+				locals: tt.input.locals,
+				body:   tt.input.body,
+			})
+		})
+	}
+}
+
+func TestS3ApiController_CreateBucket(t *testing.T) {
+	adminAcc := auth.Account{
+		Access: "root",
+		Role:   auth.RoleAdmin,
+	}
+	userAcc := auth.Account{
+		Access: "user",
+		Role:   auth.RoleUser,
+	}
+
+	tests := []struct {
+		name   string
+		input  testInput
+		output testOutput
+	}{
+		{
+			name: "access denied",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: userAcc,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrAccessDenied),
+			},
+		},
+		{
+			name: "invalid bucket name",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+				bucket: "invalid_bucket_name",
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidBucketName),
+			},
+		},
+		{
+			name: "invalid ownership",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+				headers: map[string]string{
+					"X-Amz-Object-Ownership": "invalid_ownership",
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{},
+				},
+				err: s3err.APIError{
+					Code:           "InvalidArgument",
+					Description:    "Invalid x-amz-object-ownership header: invalid_ownership",
+					HTTPStatusCode: http.StatusBadRequest,
+				},
+			},
+		},
+		{
+			name: "invalid ownership + acl",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+				headers: map[string]string{
+					"X-Amz-Object-Ownership": string(types.ObjectOwnershipBucketOwnerEnforced),
+					"X-Amz-Acl":              string(types.BucketCannedACLPublicRead),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: adminAcc.Access},
+				},
+				err: s3err.GetAPIError(s3err.ErrInvalidBucketAclWithObjectOwnership),
+			},
+		},
+		{
+			name: "both grants and canned acl",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+				headers: map[string]string{
+					"X-Amz-Acl":              string(types.BucketCannedACLPublicRead),
+					"X-Amz-Grant-Read":       userAcc.Access,
+					"X-Amz-Object-Ownership": string(types.ObjectOwnershipBucketOwnerPreferred),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: adminAcc.Access},
+				},
+				err: s3err.GetAPIError(s3err.ErrBothCannedAndHeaderGrants),
+			},
+		},
+		{
+			name: "fail to update the acl",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+				headers: map[string]string{
+					"X-Amz-Grant-Read":       userAcc.Access,
+					"X-Amz-Object-Ownership": string(types.ObjectOwnershipBucketOwnerPreferred),
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: adminAcc.Access},
+				},
+				err: fmt.Errorf("accounts does not exist: %s", userAcc.Access),
+			},
+		},
+		{
+			name: "backend error",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+				beErr: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{BucketOwner: adminAcc.Access},
+				},
+				err: s3err.GetAPIError(s3err.ErrNoSuchBucket),
+			},
+		},
+		{
+			name: "success",
+			input: testInput{
+				locals: map[utils.ContextKey]any{
+					utils.ContextKeyAccount: adminAcc,
+				},
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: adminAcc.Access,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			be := &BackendMock{
+				CreateBucketFunc: func(contextMoqParam context.Context, createBucketInput *s3.CreateBucketInput, defaultACL []byte) error {
+					return tt.input.beErr
+				},
+			}
+
+			ctrl := S3ApiController{
+				be:  be,
+				iam: auth.NewIAMServiceSingle(adminAcc),
+			}
+
+			testController(t, ctrl.CreateBucket, tt.output.response, tt.output.err,
+				ctxInputs{
+					locals:  tt.input.locals,
+					body:    tt.input.body,
+					bucket:  tt.input.bucket,
+					headers: tt.input.headers,
+				})
+		})
+	}
+}
+
+// TODO: add a test for PutBucketAcl