use super::*;
impl BucketWarden {
pub fn console_api_legal_hold(
&mut self,
access_key_id: &str,
bucket: &str,
key: &str,
version_id: Option<&str>,
) -> Result<ConsoleApiObjectGovernanceSummary, RuntimeError> {
self.console_api_object_governance_summary(access_key_id, bucket, key, version_id)
}
pub fn console_api_put_legal_hold(
&mut self,
access_key_id: &str,
bucket: &str,
key: &str,
version_id: Option<&str>,
enabled: bool,
reason: String,
) -> Result<ConsoleApiObjectGovernanceSummary, RuntimeError> {
let principal = self.console_api_principal(access_key_id)?;
self.require_operator_action(
&principal,
OperatorAction::ManageSecurity,
bucket,
"ui:PutLegalHold",
)?;
self.require_object_lock_enabled(bucket)?;
let resource = object_resource(bucket, key);
let version = if let Some(version_id) = version_id {
self.version_by_id_mut(bucket, key, version_id)?
} else {
self.current_version_mut(bucket, key)?
};
if version.delete_marker {
return Err(RuntimeError::NoSuchKey(resource));
}
version.lock.set_legal_hold(enabled);
let updated_version_id = version.version_id.clone();
self.audit.append(
&principal,
if enabled {
"ui:ApplyLegalHold"
} else {
"ui:LiftLegalHold"
},
&object_resource(bucket, key),
AuditOutcome::Allowed,
Some(format!("version={updated_version_id},reason={reason}")),
);
self.emit_notification_event(
"s3:ObjectLock:LegalHoldUpdated",
bucket,
key,
&updated_version_id,
);
self.object_governance_summary(bucket, key, Some(&updated_version_id))
}
}