Implement version/object level WORM operations (Legal hold & Immutability Policy) (#300)

* Implement Legal hold & Immutability Policy

* Add immutability policy options to relevant blob functions

* Fix tests, add on create tests

* Fix tests after merge

* Set environment variables

* Only scan for immutability if the container could have it

* Extend testing, close response bodies.

* Increase stack history size

* Larger history size

* Back to 7

* Only use SRP to cleanup immutability containers

* Handle containers not existing

* Add list testing

* Add immutability SAS and tests

* Disable race testing for now

* Added Generated Code | Service Version 2020-10-02 (#315)

* Added Generated Code | Service Version 2020-10-02

* Minor Edit

* TestListBlobsIncludeDeletedWithVersion

Co-authored-by: Mohit Sharma <[email protected]>

Author: adreed-msft

.gitignore

@@ -292,3 +292,5 @@ __pycache__/
 
 vendor/
 *.env
+
+*.bin

azblob/access_conditions.go

@@ -13,18 +13,18 @@ type ModifiedAccessConditions struct {
 }
 
 // pointers is for internal infrastructure. It returns the fields as pointers.
-func (ac ModifiedAccessConditions) pointers() (ims *time.Time, ius *time.Time, ime *ETag, inme *ETag) {
+func (ac ModifiedAccessConditions) pointers() (ims *time.Time, ius *time.Time, ime *string, inme *string) {
 	if !ac.IfModifiedSince.IsZero() {
 		ims = &ac.IfModifiedSince
 	}
 	if !ac.IfUnmodifiedSince.IsZero() {
 		ius = &ac.IfUnmodifiedSince
 	}
 	if ac.IfMatch != ETagNone {
-		ime = &ac.IfMatch
+		ime = (*string)(&ac.IfMatch)
 	}
 	if ac.IfNoneMatch != ETagNone {
-		inme = &ac.IfNoneMatch
+		inme = (*string)(&ac.IfNoneMatch)
 	}
 	return
 }

azblob/blob.json

@@ -2127,7 +2127,7 @@
                 "type": "integer",
                 "description": "The number of committed blocks present in the blob. This header is returned only for append blobs."
               },
-	      "x-ms-server-encrypted": {
+              "x-ms-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
                 "description": "The value of this header is set to true if the blob data and application metadata are completely encrypted using the specified algorithm. Otherwise, the value is set to false (when the blob is unencrypted, or if only parts of the blob/application metadata are encrypted)."
@@ -2323,7 +2323,7 @@
                 "type": "integer",
                 "description": "The number of committed blocks present in the blob. This header is returned only for append blobs."
               },
-	      "x-ms-server-encrypted": {
+              "x-ms-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
                 "description": "The value of this header is set to true if the blob data and application metadata are completely encrypted using the specified algorithm. Otherwise, the value is set to false (when the blob is unencrypted, or if only parts of the blob/application metadata are encrypted)."
@@ -2581,7 +2581,7 @@
                 "type": "integer",
                 "description": "The number of committed blocks present in the blob. This header is returned only for append blobs."
               },
-	      "x-ms-server-encrypted": {
+              "x-ms-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
                 "description": "The value of this header is set to true if the blob data and application metadata are completely encrypted using the specified algorithm. Otherwise, the value is set to false (when the blob is unencrypted, or if only parts of the blob/application metadata are encrypted)."
@@ -2796,12 +2796,12 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
-	      "x-ms-request-server-encrypted": {
-		"x-ms-client-name": "IsServerEncrypted",
-		"type": "boolean",
-		"description": "The value of this header is set to true if the contents of the request are successfully encrypted using the specified algorithm, and false otherwise."
-	      }
+              },
+              "x-ms-request-server-encrypted": {
+                "x-ms-client-name": "IsServerEncrypted",
+                "type": "boolean",
+                "description": "The value of this header is set to true if the contents of the request are successfully encrypted using the specified algorithm, and false otherwise."
+              }
             }
           },
           "default": {
@@ -2930,7 +2930,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -3067,7 +3067,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -3351,7 +3351,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -4602,7 +4602,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -4665,7 +4665,7 @@
           {
             "$ref": "#/parameters/LeaseIdOptional"
           },
-           {
+          {
             "$ref": "#/parameters/SourceIfModifiedSince"
           },
           {
@@ -4682,7 +4682,7 @@
           },
           {
             "$ref": "#/parameters/ClientRequestId"
-    	    }
+          }
         ],
         "responses": {
           "201": {
@@ -4707,7 +4707,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	            },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -4836,7 +4836,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -5050,7 +5050,7 @@
                 "type": "string",
                 "format": "date-time-rfc1123",
                 "description": "UTC date/time value generated by the service that indicates the time at which the response was initiated"
-	      },
+              },
               "x-ms-request-server-encrypted": {
                 "x-ms-client-name": "IsServerEncrypted",
                 "type": "boolean",
@@ -7541,7 +7541,6 @@
       "x-ms-parameter-location": "method",
       "description": "The container name."
     },
-
     "ContentLength": {
       "name": "Content-Length",
       "in": "header",
@@ -7905,15 +7904,15 @@
       "type": "string",
       "x-ms-parameter-location": "method",
       "description": "Bytes of source data in the specified range."
-      },
-      "SourceRangeRequiredPutPageFromUrl": {
-        "name": "x-ms-source-range",
-        "x-ms-client-name": "sourceRange",
-        "in": "header",
-        "required": true,
-        "type": "string",
-        "x-ms-parameter-location": "method",
-        "description": "Bytes of source data in the specified range. The length of this range should match the ContentLength header and x-ms-range/Range destination range header."
+    },
+    "SourceRangeRequiredPutPageFromUrl": {
+      "name": "x-ms-source-range",
+      "x-ms-client-name": "sourceRange",
+      "in": "header",
+      "required": true,
+      "type": "string",
+      "x-ms-parameter-location": "method",
+      "description": "Bytes of source data in the specified range. The length of this range should match the ContentLength header and x-ms-range/Range destination range header."
     },
     "SourceIfMatch": {
       "name": "x-ms-source-if-match",
@@ -7967,15 +7966,15 @@
       },
       "description": "Specify this header value to operate only on a blob if it has not been modified since the specified date/time."
     },
-      "SourceLeaseId": {
-        "name": "x-ms-source-lease-id",
-        "x-ms-client-name": "sourceLeaseId",
-        "in": "header",
-        "required": false,
-        "type": "string",
-        "x-ms-parameter-location": "method",
-        "description": "A lease ID for the source path. If specified, the source path must have an active lease and the leaase ID must match."
-      },
+    "SourceLeaseId": {
+      "name": "x-ms-source-lease-id",
+      "x-ms-client-name": "sourceLeaseId",
+      "in": "header",
+      "required": false,
+      "type": "string",
+      "x-ms-parameter-location": "method",
+      "description": "A lease ID for the source path. If specified, the source path must have an active lease and the leaase ID must match."
+    },
     "SourceUrl": {
       "name": "x-ms-copy-source",
       "x-ms-client-name": "sourceUrl",
@@ -8004,6 +8003,6 @@
       "minimum": 0,
       "x-ms-parameter-location": "method",
       "description": "The timeout parameter is expressed in seconds. For more information, see <a href=\"https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/setting-timeouts-for-blob-service-operations\">Setting Timeouts for Blob Service Operations.</a>"
-      }
+    }
   }
 }

azblob/chunkwriting.go

@@ -18,7 +18,7 @@ import (
 // This allows us to provide a local implementation that fakes the server for hermetic testing.
 type blockWriter interface {
 	StageBlock(context.Context, string, io.ReadSeeker, LeaseAccessConditions, []byte, ClientProvidedKeyOptions) (*BlockBlobStageBlockResponse, error)
-	CommitBlockList(context.Context, []string, BlobHTTPHeaders, Metadata, BlobAccessConditions, AccessTierType, BlobTagsMap, ClientProvidedKeyOptions) (*BlockBlobCommitBlockListResponse, error)
+	CommitBlockList(context.Context, []string, BlobHTTPHeaders, Metadata, BlobAccessConditions, AccessTierType, BlobTagsMap, ClientProvidedKeyOptions, ImmutabilityPolicyOptions) (*BlockBlobCommitBlockListResponse, error)
 }
 
 // copyFromReader copies a source io.Reader to blob storage using concurrent uploads.
@@ -183,7 +183,7 @@ func (c *copier) close() error {
 	}
 
 	var err error
-	c.result, err = c.to.CommitBlockList(c.ctx, c.id.issued(), c.o.BlobHTTPHeaders, c.o.Metadata, c.o.AccessConditions, c.o.BlobAccessTier, c.o.BlobTagsMap, c.o.ClientProvidedKeyOptions)
+	c.result, err = c.to.CommitBlockList(c.ctx, c.id.issued(), c.o.BlobHTTPHeaders, c.o.Metadata, c.o.AccessConditions, c.o.BlobAccessTier, c.o.BlobTagsMap, c.o.ClientProvidedKeyOptions, c.o.ImmutabilityPolicyOptions)
 	return err
 }
 
@@ -206,7 +206,7 @@ func newID() *id {
 func (id *id) next() string {
 	defer atomic.AddUint32(&id.num, 1)
 
-	binary.BigEndian.PutUint32((id.u[len(guuid.UUID{}):]), atomic.LoadUint32(&id.num))
+	binary.BigEndian.PutUint32(id.u[len(guuid.UUID{}):], atomic.LoadUint32(&id.num))
 	str := base64.StdEncoding.EncodeToString(id.u[:])
 	id.all = append(id.all, str)
 

azblob/chunkwriting_test.go

@@ -60,7 +60,7 @@ func (f *fakeBlockWriter) StageBlock(ctx context.Context, blockID string, r io.R
 	return &BlockBlobStageBlockResponse{}, nil
 }
 
-func (f *fakeBlockWriter) CommitBlockList(ctx context.Context, blockIDs []string, headers BlobHTTPHeaders, meta Metadata, access BlobAccessConditions, tier AccessTierType, blobTagsMap BlobTagsMap, options ClientProvidedKeyOptions) (*BlockBlobCommitBlockListResponse, error) {
+func (f *fakeBlockWriter) CommitBlockList(ctx context.Context, blockIDs []string, headers BlobHTTPHeaders, meta Metadata, access BlobAccessConditions, tier AccessTierType, blobTagsMap BlobTagsMap, options ClientProvidedKeyOptions, immutability ImmutabilityPolicyOptions) (*BlockBlobCommitBlockListResponse, error) {
 	dst, err := os.OpenFile(filepath.Join(f.path, finalFileName), os.O_CREATE+os.O_WRONLY, 0600)
 	if err != nil {
 		return nil, err

azblob/highlevel.go

@@ -1,19 +1,17 @@
 package azblob
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
-
-	"bytes"
 	"os"
 	"sync"
 	"time"
 
-	"errors"
-
 	"github.com/Azure/azure-pipeline-go/pipeline"
 )
 
@@ -65,6 +63,10 @@ type UploadToBlockBlobOptions struct {
 	// ClientProvidedKeyOptions indicates the client provided key by name and/or by value to encrypt/decrypt data.
 	ClientProvidedKeyOptions ClientProvidedKeyOptions
 
+	// ImmutabilityPolicyOptions indicates a immutability policy or legal hold to be placed upon finishing upload.
+	// A container with object-level immutability enabled is required.
+	ImmutabilityPolicyOptions ImmutabilityPolicyOptions
+
 	// Parallelism indicates the maximum number of blocks to upload in parallel (0=default)
 	Parallelism uint16
 }
@@ -95,7 +97,7 @@ func uploadReaderAtToBlockBlob(ctx context.Context, reader io.ReaderAt, readerSi
 		if o.Progress != nil {
 			body = pipeline.NewRequestBodyProgress(body, o.Progress)
 		}
-		return blockBlobURL.Upload(ctx, body, o.BlobHTTPHeaders, o.Metadata, o.AccessConditions, o.BlobAccessTier, o.BlobTagsMap, o.ClientProvidedKeyOptions)
+		return blockBlobURL.Upload(ctx, body, o.BlobHTTPHeaders, o.Metadata, o.AccessConditions, o.BlobAccessTier, o.BlobTagsMap, o.ClientProvidedKeyOptions, o.ImmutabilityPolicyOptions)
 	}
 
 	var numBlocks = uint16(((readerSize - 1) / o.BlockSize) + 1)
@@ -139,7 +141,7 @@ func uploadReaderAtToBlockBlob(ctx context.Context, reader io.ReaderAt, readerSi
 		return nil, err
 	}
 	// All put blocks were successful, call Put Block List to finalize the blob
-	return blockBlobURL.CommitBlockList(ctx, blockIDList, o.BlobHTTPHeaders, o.Metadata, o.AccessConditions, o.BlobAccessTier, o.BlobTagsMap, o.ClientProvidedKeyOptions)
+	return blockBlobURL.CommitBlockList(ctx, blockIDList, o.BlobHTTPHeaders, o.Metadata, o.AccessConditions, o.BlobAccessTier, o.BlobTagsMap, o.ClientProvidedKeyOptions, o.ImmutabilityPolicyOptions)
 }
 
 // UploadBufferToBlockBlob uploads a buffer in blocks to a block blob.
@@ -507,13 +509,14 @@ type UploadStreamToBlockBlobOptions struct {
 	// BufferSize sizes the buffer used to read data from source. If < 1 MiB, defaults to 1 MiB.
 	BufferSize int
 	// MaxBuffers defines the number of simultaneous uploads will be performed to upload the file.
-	MaxBuffers               int
-	BlobHTTPHeaders          BlobHTTPHeaders
-	Metadata                 Metadata
-	AccessConditions         BlobAccessConditions
-	BlobAccessTier           AccessTierType
-	BlobTagsMap              BlobTagsMap
-	ClientProvidedKeyOptions ClientProvidedKeyOptions
+	MaxBuffers                int
+	BlobHTTPHeaders           BlobHTTPHeaders
+	Metadata                  Metadata
+	AccessConditions          BlobAccessConditions
+	BlobAccessTier            AccessTierType
+	BlobTagsMap               BlobTagsMap
+	ClientProvidedKeyOptions  ClientProvidedKeyOptions
+	ImmutabilityPolicyOptions ImmutabilityPolicyOptions
 }
 
 func (u *UploadStreamToBlockBlobOptions) defaults() error {

azblob/request_common.go

@@ -1,5 +1,9 @@
 package azblob
 
+import (
+	"time"
+)
+
 // ClientProvidedKeyOptions contains headers which may be be specified from service version 2019-02-02
 // or higher to encrypts the data on the service-side with the given key. Use of customer-provided keys
 // must be done over HTTPS. As the encryption key itself is provided in the request, a secure connection
@@ -31,3 +35,22 @@ func NewClientProvidedKeyOptions(ek *string, eksha256 *string, es *string) (cpk
 	cpk.EncryptionKey, cpk.EncryptionKeySha256, cpk.EncryptionAlgorithm, cpk.EncryptionScope = ek, eksha256, EncryptionAlgorithmAES256, es
 	return cpk
 }
+
+type ImmutabilityPolicyOptions struct {
+	// A container with object-level immutability enabled is required for any options.
+	// Both ImmutabilityPolicy options must be filled to set an immutability policy.
+	ImmutabilityPolicyUntilDate *time.Time
+	ImmutabilityPolicyMode      BlobImmutabilityPolicyModeType
+
+	LegalHold *bool
+}
+
+func NewImmutabilityPolicyOptions(untilDate *time.Time, policyMode BlobImmutabilityPolicyModeType, legalHold *bool) ImmutabilityPolicyOptions {
+	opt := ImmutabilityPolicyOptions{}
+	opt.ImmutabilityPolicyUntilDate, opt.ImmutabilityPolicyMode, opt.LegalHold = untilDate, policyMode, legalHold
+	return opt
+}
+
+func (pol *ImmutabilityPolicyOptions) pointers() (*time.Time, BlobImmutabilityPolicyModeType, *bool) {
+	return pol.ImmutabilityPolicyUntilDate, pol.ImmutabilityPolicyMode, pol.LegalHold
+}