Merge pull request #353 from Backblaze/object_lock

Object lock bucket upgrade

Author: ppolewicz

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 * Logging performance summary of parallel download threads
 * Add `max_download_streams_per_file` parameter to B2Api class and underlying structures
+* Add `is_file_lock_enabled` parameter to `Bucket.update()` and related methods
 
 ### Fixed
 * Replace `ReplicationScanResult.source_has_sse_c_enabled` with `source_encryption_mode`

b2sdk/_v3/exception.py

@@ -26,17 +26,18 @@
 from b2sdk.exception import BadJson
 from b2sdk.exception import BadRequest
 from b2sdk.exception import BadUploadUrl
-from b2sdk.exception import BucketIdNotFound
 from b2sdk.exception import BrokenPipe
+from b2sdk.exception import BucketIdNotFound
 from b2sdk.exception import BucketNotAllowed
-from b2sdk.exception import CapabilityNotAllowed
 from b2sdk.exception import CapExceeded
+from b2sdk.exception import CapabilityNotAllowed
 from b2sdk.exception import ChecksumMismatch
 from b2sdk.exception import ClockSkew
 from b2sdk.exception import Conflict
 from b2sdk.exception import ConnectionReset
 from b2sdk.exception import CopyArgumentsMismatch
 from b2sdk.exception import DestFileNewer
+from b2sdk.exception import DisablingFileLockNotSupported
 from b2sdk.exception import DuplicateBucketName
 from b2sdk.exception import FileAlreadyHidden
 from b2sdk.exception import FileNameNotAllowed
@@ -54,11 +55,14 @@
 from b2sdk.exception import PartSha1Mismatch
 from b2sdk.exception import RestrictedBucket
 from b2sdk.exception import RetentionWriteError
+from b2sdk.exception import SSECKeyError
+from b2sdk.exception import SSECKeyIdMismatchInCopy
 from b2sdk.exception import ServiceError
+from b2sdk.exception import SourceReplicationConflict
 from b2sdk.exception import StorageCapExceeded
 from b2sdk.exception import TooManyRequests
-from b2sdk.exception import TransientErrorMixin
 from b2sdk.exception import TransactionCapExceeded
+from b2sdk.exception import TransientErrorMixin
 from b2sdk.exception import TruncatedOutput
 from b2sdk.exception import Unauthorized
 from b2sdk.exception import UnexpectedCloudBehaviour
@@ -67,8 +71,6 @@
 from b2sdk.exception import UnrecognizedBucketType
 from b2sdk.exception import UnsatisfiableRange
 from b2sdk.exception import UnusableFileName
-from b2sdk.exception import SSECKeyIdMismatchInCopy
-from b2sdk.exception import SSECKeyError
 from b2sdk.exception import WrongEncryptionModeForBucketDefault
 from b2sdk.exception import interpret_b2_error
 from b2sdk.sync.exception import IncompleteSync
@@ -100,15 +102,16 @@
     'BrokenPipe',
     'BucketIdNotFound',
     'BucketNotAllowed',
-    'CapabilityNotAllowed',
     'CapExceeded',
+    'CapabilityNotAllowed',
     'ChecksumMismatch',
     'ClockSkew',
     'Conflict',
     'ConnectionReset',
     'CopyArgumentsMismatch',
     'CorruptAccountInfo',
     'DestFileNewer',
+    'DisablingFileLockNotSupported',
     'DuplicateBucketName',
     'EmptyDirectory',
     'EnvironmentEncodingError',
@@ -133,19 +136,20 @@
     'RestrictedBucket',
     'RetentionWriteError',
     'ServiceError',
+    'SourceReplicationConflict',
     'StorageCapExceeded',
     'TooManyRequests',
     'TransactionCapExceeded',
     'TransientErrorMixin',
     'TruncatedOutput',
+    'UnableToCreateDirectory',
     'Unauthorized',
     'UnexpectedCloudBehaviour',
     'UnknownError',
     'UnknownHost',
     'UnrecognizedBucketType',
-    'UnableToCreateDirectory',
-    'UnsupportedFilename',
     'UnsatisfiableRange',
+    'UnsupportedFilename',
     'UnusableFileName',
     'interpret_b2_error',
     'check_invalid_argument',

b2sdk/bucket.py

@@ -150,6 +150,7 @@ def update(
         default_server_side_encryption: Optional[EncryptionSetting] = None,
         default_retention: Optional[BucketRetentionSetting] = None,
         replication: Optional[ReplicationConfiguration] = None,
+        is_file_lock_enabled: Optional[bool] = None,
     ) -> 'Bucket':
         """
         Update various bucket parameters.
@@ -161,7 +162,8 @@ def update(
         :param if_revision_is: revision number, update the info **only if** *revision* equals to *if_revision_is*
         :param default_server_side_encryption: default server side encryption settings (``None`` if unknown)
         :param default_retention: bucket default retention setting
-        :param replication: replication rules for the bucket;
+        :param replication: replication rules for the bucket
+        :param bool is_file_lock_enabled: specifies whether bucket should get File Lock-enabled
         """
         account_id = self.api.account_info.get_account_id()
         return self.api.BUCKET_FACTORY_CLASS.from_api_bucket_dict(
@@ -177,6 +179,7 @@ def update(
                 default_server_side_encryption=default_server_side_encryption,
                 default_retention=default_retention,
                 replication=replication,
+                is_file_lock_enabled=is_file_lock_enabled,
             )
         )
 

b2sdk/exception.py

@@ -12,6 +12,7 @@
 
 import logging
 import re
+import warnings
 from typing import Any, Dict, Optional
 
 from .utils import camelcase_to_underscore, trace_call
@@ -517,6 +518,21 @@ class CopyArgumentsMismatch(InvalidUserInput):
     pass
 
 
+class DisablingFileLockNotSupported(B2Error):
+    def __str__(self):
+        return "Disabling file lock is not supported"
+
+
+class SourceReplicationConflict(B2Error):
+    def __str__(self):
+        return "Operation not supported for buckets with source replication"
+
+
+class EnablingFileLockOnRestrictedBucket(B2Error):
+    def __str__(self):
+        return "Turning on file lock for a restricted bucket is not allowed"
+
+
 @trace_call(logger)
 def interpret_b2_error(
     status: int,
@@ -555,21 +571,41 @@ def interpret_b2_error(
         return PartSha1Mismatch(post_params.get('fileId'))
     elif status == 400 and code == "bad_bucket_id":
         return BucketIdNotFound(post_params.get('bucketId'))
-    elif status == 400 and code in ('bad_request', 'auth_token_limit', 'source_too_large'):
-        # it's "bad_request" on 2022-03-29, but will become 'auth_token_limit' in 2022-04  # TODO: cleanup after 2022-05-01
+    elif status == 400 and code == "auth_token_limit":
         matcher = UPLOAD_TOKEN_USED_CONCURRENTLY_ERROR_MESSAGE_RE.match(message)
-        if matcher is not None:
-            token = matcher.group('token')
-            return UploadTokenUsedConcurrently(token)
-
-        # it's "bad_request" on 2022-03-29, but will become 'source_too_large' in 2022-04  # TODO: cleanup after 2022-05-01
+        assert matcher is not None, f"unexpected error message: {message}"
+        token = matcher.group('token')
+        return UploadTokenUsedConcurrently(token)
+    elif status == 400 and code == "source_too_large":
         matcher = COPY_SOURCE_TOO_BIG_ERROR_MESSAGE_RE.match(message)
-        if matcher is not None:
-            size = int(matcher.group('size'))
-            return CopySourceTooBig(message, code, size)
+        assert matcher is not None, f"unexpected error message: {message}"
+        size = int(matcher.group('size'))
+        return CopySourceTooBig(message, code, size)
+    elif status == 400 and code == 'file_lock_conflict':
+        return DisablingFileLockNotSupported()
+    elif status == 400 and code == 'source_replication_conflict':
+        return SourceReplicationConflict()
+    elif status == 400 and code == 'restricted_bucket_conflict':
+        return EnablingFileLockOnRestrictedBucket()
+    elif status == 400 and code == 'bad_request':
+
+        # it's "bad_request" on 2022-09-14, but will become 'disabling_file_lock_not_allowed'  # TODO: cleanup after 2022-09-22
+        if message == 'fileLockEnabled value of false is not allowed when bucket is already file lock enabled.':
+            return DisablingFileLockNotSupported()
+
+        # it's "bad_request" on 2022-09-14, but will become 'source_replication_conflict'  # TODO: cleanup after 2022-09-22
+        if message == 'Turning on file lock for an existing bucket having source replication configuration is not allowed.':
+            return SourceReplicationConflict()
+
+        # it's "bad_request" on 2022-09-14, but will become 'restricted_bucket_conflict'  # TODO: cleanup after 2022-09-22
+        if message == 'Turning on file lock for a restricted bucket is not allowed.':
+            return EnablingFileLockOnRestrictedBucket()
 
         return BadRequest(message, code)
     elif status == 400:
+        warnings.warn(
+            f"bad request exception with an unknown `code`. message={message}, code={code}"
+        )
         return BadRequest(message, code)
     elif status == 401 and code in ("bad_auth_token", "expired_auth_token"):
         return InvalidAuthToken(message, code)

b2sdk/raw_api.py

@@ -288,6 +288,7 @@ def update_bucket(
         default_server_side_encryption: Optional[EncryptionSetting] = None,
         default_retention: Optional[BucketRetentionSetting] = None,
         replication: Optional[ReplicationConfiguration] = None,
+        is_file_lock_enabled: Optional[bool] = None,
     ):
         pass
 
@@ -740,6 +741,7 @@ def update_bucket(
         default_server_side_encryption: Optional[EncryptionSetting] = None,
         default_retention: Optional[BucketRetentionSetting] = None,
         replication: Optional[ReplicationConfiguration] = None,
+        is_file_lock_enabled: Optional[bool] = None,
     ):
         kwargs = {}
         if if_revision_is is not None:
@@ -761,6 +763,8 @@ def update_bucket(
             kwargs['defaultRetention'] = default_retention.serialize_to_json_for_request()
         if replication is not None:
             kwargs['replicationConfiguration'] = replication.serialize_to_json_for_request()
+        if is_file_lock_enabled is not None:
+            kwargs['fileLockEnabled'] = is_file_lock_enabled
 
         assert kwargs
 

b2sdk/raw_simulator.py

@@ -33,6 +33,7 @@
     ChecksumMismatch,
     Conflict,
     CopySourceTooBig,
+    DisablingFileLockNotSupported,
     DuplicateBucketName,
     FileNotPresent,
     FileSha1Mismatch,
@@ -42,6 +43,7 @@
     NonExistentBucket,
     PartSha1Mismatch,
     SSECKeyError,
+    SourceReplicationConflict,
     Unauthorized,
     UnsatisfiableRange,
 )
@@ -946,10 +948,23 @@ def _update_bucket(
         default_server_side_encryption: Optional[EncryptionSetting] = None,
         default_retention: Optional[BucketRetentionSetting] = None,
         replication: Optional[ReplicationConfiguration] = None,
+        is_file_lock_enabled: Optional[bool] = None,
     ):
         if if_revision_is is not None and self.revision != if_revision_is:
             raise Conflict()
 
+        if is_file_lock_enabled is not None:
+            if self.is_file_lock_enabled and not is_file_lock_enabled:
+                raise DisablingFileLockNotSupported()
+
+            if (
+                not self.is_file_lock_enabled and is_file_lock_enabled and self.replication and
+                self.replication.is_source
+            ):
+                raise SourceReplicationConflict()
+
+            self.is_file_lock_enabled = is_file_lock_enabled
+
         if bucket_type is not None:
             self.bucket_type = bucket_type
         if bucket_info is not None:
@@ -962,8 +977,10 @@ def _update_bucket(
             self.default_server_side_encryption = default_server_side_encryption
         if default_retention:
             self.default_retention = default_retention
+        if replication is not None:
+            self.replication = replication
+
         self.revision += 1
-        self.replication = replication
         return self.bucket_dict(self.api.current_token)
 
     def upload_file(
@@ -1716,8 +1733,9 @@ def update_bucket(
         default_server_side_encryption: Optional[EncryptionSetting] = None,
         default_retention: Optional[BucketRetentionSetting] = None,
         replication: Optional[ReplicationConfiguration] = None,
+        is_file_lock_enabled: Optional[bool] = None,
     ):
-        assert bucket_type or bucket_info or cors_rules or lifecycle_rules or default_server_side_encryption or replication
+        assert bucket_type or bucket_info or cors_rules or lifecycle_rules or default_server_side_encryption or replication or is_file_lock_enabled is not None
         bucket = self._get_bucket_by_id(bucket_id)
         self._assert_account_auth(api_url, account_auth_token, bucket.account_id, 'writeBuckets')
         return bucket._update_bucket(
@@ -1729,6 +1747,7 @@ def update_bucket(
             default_server_side_encryption=default_server_side_encryption,
             default_retention=default_retention,
             replication=replication,
+            is_file_lock_enabled=is_file_lock_enabled,
         )
 
     @classmethod

b2sdk/session.py

@@ -320,6 +320,7 @@ def update_bucket(
         default_server_side_encryption: Optional[EncryptionSetting] = None,
         default_retention: Optional[BucketRetentionSetting] = None,
         replication: Optional[ReplicationConfiguration] = None,
+        is_file_lock_enabled: Optional[bool] = None,
     ):
         return self._wrap_default_token(
             self.raw_api.update_bucket,
@@ -333,6 +334,7 @@ def update_bucket(
             default_server_side_encryption=default_server_side_encryption,
             default_retention=default_retention,
             replication=replication,
+            is_file_lock_enabled=is_file_lock_enabled,
         )
 
     def upload_file(

b2sdk/v1/bucket.py

@@ -209,6 +209,7 @@ def update(
         if_revision_is: Optional[int] = None,
         default_server_side_encryption: Optional[v2.EncryptionSetting] = None,
         default_retention: Optional[v2.BucketRetentionSetting] = None,
+        is_file_lock_enabled: Optional[bool] = None,
         **kwargs
     ):
         """
@@ -221,6 +222,7 @@ def update(
         :param if_revision_is: revision number, update the info **only if** *revision* equals to *if_revision_is*
         :param default_server_side_encryption: default server side encryption settings (``None`` if unknown)
         :param default_retention: bucket default retention setting
+        :param bool is_file_lock_enabled: specifies whether bucket should get File Lock-enabled
         """
         # allow common tests to execute without hitting attributeerror
 
@@ -240,6 +242,7 @@ def update(
             if_revision_is=if_revision_is,
             default_server_side_encryption=default_server_side_encryption,
             default_retention=default_retention,
+            is_file_lock_enabled=is_file_lock_enabled,
         )
 
     def ls(

test/integration/test_raw_api.py

@@ -19,6 +19,7 @@
 
 from b2sdk.b2http import B2Http
 from b2sdk.encryption.setting import EncryptionAlgorithm, EncryptionMode, EncryptionSetting
+from b2sdk.exception import DisablingFileLockNotSupported
 from b2sdk.replication.setting import ReplicationConfiguration, ReplicationRule
 from b2sdk.replication.types import ReplicationStatus
 from b2sdk.file_lock import BucketRetentionSetting, NO_RETENTION_FILE_SETTING, RetentionMode, RetentionPeriod
@@ -519,9 +520,24 @@ def raw_api_test_helper(raw_api, should_cleanup_old_buckets):
         default_retention=BucketRetentionSetting(
             mode=RetentionMode.GOVERNANCE, period=RetentionPeriod(days=1)
         ),
+        is_file_lock_enabled=True,
     )
     assert first_bucket_revision < updated_bucket['revision']
 
+    # NOTE: this update_bucket call is only here to be able to find out the error code returned by
+    # the server if an attempt is made to disable file lock.  It has to be done here since the CLI
+    # by design does not allow disabling file lock at all (i.e. there is no --fileLockEnabled=false
+    # option or anything equivalent to that).
+    with pytest.raises(DisablingFileLockNotSupported):
+        raw_api.update_bucket(
+            api_url,
+            account_auth_token,
+            account_id,
+            bucket_id,
+            'allPrivate',
+            is_file_lock_enabled=False,
+        )
+
     # Clean up this test.
     _clean_and_delete_bucket(raw_api, api_url, account_auth_token, account_id, bucket_id)