feat: adds not implemented routes for bucket ecryption actions

Closes #1439

Adds `NotImplemented` routes for bucket encryption S3 actions:

- `PutBucketEncryption`
- `GetBucketEncryption`
- `DeleteBucketEncryption`

auth/bucket_policy_actions.go

@@ -60,9 +60,12 @@ const (
 	GetBucketOwnershipControlsAction       Action = "s3:GetBucketOwnershipControls"
 	PutBucketCorsAction                    Action = "s3:PutBucketCORS"
 	GetBucketCorsAction                    Action = "s3:GetBucketCORS"
-	PutAnalyticsConfiguration              Action = "s3:PutAnalyticsConfiguration"
-	GetAnalyticsConfiguration              Action = "s3:GetAnalyticsConfiguration"
-	AllActions                             Action = "s3:*"
+	PutAnalyticsConfigurationAction        Action = "s3:PutAnalyticsConfiguration"
+	GetAnalyticsConfigurationAction        Action = "s3:GetAnalyticsConfiguration"
+	PutEncryptionConfigurationAction       Action = "s3:PutEncryptionConfiguration"
+	GetEncryptionConfigurationAction       Action = "s3:GetEncryptionConfiguration"
+
+	AllActions Action = "s3:*"
 )
 
 var supportedActionList = map[Action]struct{}{

metrics/actions.go

@@ -79,6 +79,9 @@ var (
 	ActionGetBucketAnalyticsConfiguration    = "s3_GetBucketAnalyticsConfiguration"
 	ActionListBucketAnalyticsConfigurations  = "s3_ListBucketAnalyticsConfigurations"
 	ActionDeleteBucketAnalyticsConfiguration = "s3_DeleteBucketAnalyticsConfiguration"
+	ActionPutBucketEncryption                = "s3_PutBucketEncryption"
+	ActionGetBucketEncryption                = "s3_GetBucketEncryption"
+	ActionDeleteBucketEncryption             = "s3_DeleteBucketEcryption"
 
 	// Admin actions
 	ActionAdminCreateUser        = "admin_CreateUser"

s3api/router.go

@@ -202,7 +202,21 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 			metrics.ActionPutBucketAnalyticsConfiguration,
 			services,
 			middlewares.BucketObjectNameValidator(),
-			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfiguration, auth.PermissionWrite),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite),
+			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.VerifyMD5Body(),
+			middlewares.ParseAcl(be),
+		),
+	)
+	bucketRouter.Put("",
+		middlewares.MatchQueryArgs("encryption"),
+		controllers.ProcessHandlers(
+			ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented)),
+			metrics.ActionPutBucketEncryption,
+			services,
+			middlewares.BucketObjectNameValidator(),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite),
 			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 			middlewares.VerifyV4Signature(root, iam, region, debug),
 			middlewares.VerifyMD5Body(),
@@ -295,7 +309,21 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 			metrics.ActionDeleteBucketAnalyticsConfiguration,
 			services,
 			middlewares.BucketObjectNameValidator(),
-			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfiguration, auth.PermissionWrite),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite),
+			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.VerifyMD5Body(),
+			middlewares.ParseAcl(be),
+		),
+	)
+	bucketRouter.Delete("",
+		middlewares.MatchQueryArgs("encryption"),
+		controllers.ProcessHandlers(
+			ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented)),
+			metrics.ActionDeleteBucketEncryption,
+			services,
+			middlewares.BucketObjectNameValidator(),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite),
 			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 			middlewares.VerifyV4Signature(root, iam, region, debug),
 			middlewares.VerifyMD5Body(),
@@ -440,7 +468,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 			metrics.ActionGetBucketAnalyticsConfiguration,
 			services,
 			middlewares.BucketObjectNameValidator(),
-			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfiguration, auth.PermissionRead),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfigurationAction, auth.PermissionRead),
 			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 			middlewares.VerifyV4Signature(root, iam, region, debug),
 			middlewares.VerifyMD5Body(),
@@ -454,7 +482,21 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 			metrics.ActionListBucketAnalyticsConfigurations,
 			services,
 			middlewares.BucketObjectNameValidator(),
-			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfiguration, auth.PermissionRead),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfigurationAction, auth.PermissionRead),
+			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
+			middlewares.VerifyV4Signature(root, iam, region, debug),
+			middlewares.VerifyMD5Body(),
+			middlewares.ParseAcl(be),
+		),
+	)
+	bucketRouter.Get("",
+		middlewares.MatchQueryArgs("encryption"),
+		controllers.ProcessHandlers(
+			ctrl.HandleErrorRoute(s3err.GetAPIError(s3err.ErrNotImplemented)),
+			metrics.ActionGetBucketEncryption,
+			services,
+			middlewares.BucketObjectNameValidator(),
+			middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketEncryption, auth.GetEncryptionConfigurationAction, auth.PermissionRead),
 			middlewares.VerifyPresignedV4Signature(root, iam, region, debug),
 			middlewares.VerifyV4Signature(root, iam, region, debug),
 			middlewares.VerifyMD5Body(),

tests/integration/group-tests.go

@@ -584,10 +584,15 @@ func TestGetObjectLegalHold(s *S3Conf) {
 }
 
 func TestNotImplementedActions(s *S3Conf) {
+	// bucket analytics actions
 	PutBucketAnalyticsConfiguration_not_implemented(s)
 	GetBucketAnalyticsConfiguration_not_implemented(s)
 	ListBucketAnalyticsConfiguration_not_implemented(s)
 	DeleteBucketAnalyticsConfiguration_not_implemented(s)
+	// bucket encryption actions
+	PutBucketEncryption_not_implemented(s)
+	GetBucketEncryption_not_implemented(s)
+	DeleteBucketEncryption_not_implemented(s)
 }
 
 func TestWORMProtection(s *S3Conf) {
@@ -1299,6 +1304,9 @@ func GetIntTests() IntTests {
 		"GetBucketAnalyticsConfiguration_not_implemented":                         GetBucketAnalyticsConfiguration_not_implemented,
 		"ListBucketAnalyticsConfiguration_not_implemented":                        ListBucketAnalyticsConfiguration_not_implemented,
 		"DeleteBucketAnalyticsConfiguration_not_implemented":                      DeleteBucketAnalyticsConfiguration_not_implemented,
+		"PutBucketEncryption_not_implemented":                                     PutBucketEncryption_not_implemented,
+		"GetBucketEncryption_not_implemented":                                     GetBucketEncryption_not_implemented,
+		"DeleteBucketEncryption_not_implemented":                                  DeleteBucketEncryption_not_implemented,
 		"WORMProtection_bucket_object_lock_configuration_compliance_mode":         WORMProtection_bucket_object_lock_configuration_compliance_mode,
 		"WORMProtection_bucket_object_lock_configuration_governance_mode":         WORMProtection_bucket_object_lock_configuration_governance_mode,
 		"WORMProtection_bucket_object_lock_governance_bypass_delete":              WORMProtection_bucket_object_lock_governance_bypass_delete,

tests/integration/tests.go

@@ -14667,6 +14667,57 @@ func DeleteBucketAnalyticsConfiguration_not_implemented(s *S3Conf) error {
 	})
 }
 
+func PutBucketEncryption_not_implemented(s *S3Conf) error {
+	testName := "PutBucketEncryption_not_implemented"
+	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
+		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
+		_, err := s3client.PutBucketEncryption(ctx,
+			&s3.PutBucketEncryptionInput{
+				Bucket: &bucket,
+				ServerSideEncryptionConfiguration: &types.ServerSideEncryptionConfiguration{
+					Rules: []types.ServerSideEncryptionRule{
+						{
+							ApplyServerSideEncryptionByDefault: &types.ServerSideEncryptionByDefault{
+								SSEAlgorithm: types.ServerSideEncryptionAes256,
+							},
+						},
+					},
+				},
+			})
+		cancel()
+
+		return checkApiErr(err, s3err.GetAPIError(s3err.ErrNotImplemented))
+	})
+}
+
+func GetBucketEncryption_not_implemented(s *S3Conf) error {
+	testName := "GetBucketEncryption_not_implemented"
+	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
+		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
+		_, err := s3client.GetBucketEncryption(ctx,
+			&s3.GetBucketEncryptionInput{
+				Bucket: &bucket,
+			})
+		cancel()
+
+		return checkApiErr(err, s3err.GetAPIError(s3err.ErrNotImplemented))
+	})
+}
+
+func DeleteBucketEncryption_not_implemented(s *S3Conf) error {
+	testName := "DeleteBucketEncryption_not_implemented"
+	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
+		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
+		_, err := s3client.DeleteBucketEncryption(ctx,
+			&s3.DeleteBucketEncryptionInput{
+				Bucket: &bucket,
+			})
+		cancel()
+
+		return checkApiErr(err, s3err.GetAPIError(s3err.ErrNotImplemented))
+	})
+}
+
 func WORMProtection_bucket_object_lock_configuration_compliance_mode(s *S3Conf) error {
 	testName := "WORMProtection_bucket_object_lock_configuration_compliance_mode"
 	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {