Added ExpectedBucketOwner parameter to Write-S3Object and Copy-S3Object

sankettangade · sankettangade · commit db23e577a8f0 · 2025-02-10T17:50:22.000-08:00
diff --git a/modules/AWSPowerShell/Cmdlets/S3/Advanced/Copy-S3Object-Cmdlet.cs b/modules/AWSPowerShell/Cmdlets/S3/Advanced/Copy-S3Object-Cmdlet.cs
@@ -236,6 +236,18 @@ public class CopyS3ObjectCmdlet : AmazonS3ClientCmdlet, IExecutor
         public SwitchParameter PublicReadWrite { get; set; }
         #endregion
 
+        #region Parameter ExpectedBucketOwner
+        /// <summary>
+        /// <para>
+        /// <para>The account ID of the expected bucket owner. If the account ID that you provide does
+        /// not match the actual owner of the bucket, the request fails with the HTTP status code
+        /// <code>403 Forbidden</code> (access denied).</para>
+        /// </para>
+        /// </summary>
+        [Parameter(ValueFromPipelineByPropertyName = true, ParameterSetName = CopyS3ObjectToS3Object)]
+        public System.String ExpectedBucketOwner { get; set; }
+        #endregion
+
         #region Parameter StorageClass
 
         // NOTE: This parameter does not use the marker attribute for automated validate set
@@ -636,6 +648,8 @@ protected override void ProcessRecord()
                     break;
             }
 
+            if (this.ExpectedBucketOwner != null)
+                context.ExpectedBucketOwner = this.ExpectedBucketOwner;
             if (ParameterWasBound("UtcModifiedSinceDate"))
                 context.UtcModifiedSinceDate = this.UtcModifiedSinceDate;
             if (ParameterWasBound("UtcUnmodifiedSinceDate"))
@@ -731,7 +745,6 @@ private GetObjectMetadataResponse GetSourceObjectData(CmdletContext cmdletContex
             {
                 request.RequestPayer = cmdletContext.RequestPayer;
             }
-
             base.UserAgentAddition = AmazonS3Helper.GetCleanKeyUserAgentAdditionString(objectKey, request.Key);
 
             var response = CallAWSServiceOperation(sourceRegionClient, request);
@@ -853,6 +866,8 @@ private object CopyS3ObjectToS3(ExecutorContext context)
             {
                 request.RequestPayer = cmdletContext.RequestPayer;
             }
+            if (cmdletContext.ExpectedBucketOwner !=  null)
+                request.ExpectedBucketOwner = cmdletContext.ExpectedBucketOwner;
 
             AmazonS3Helper.SetMetadataAndHeaders(request, cmdletContext.Metadata, cmdletContext.Headers);
 
@@ -951,6 +966,8 @@ private object MultipartCopyS3ObjectToS3(ExecutorContext context, long objectSiz
                 {
                     completeRequest.RequestPayer = cmdletContext.RequestPayer;
                 }
+                if (cmdletContext.ExpectedBucketOwner != null)
+                    initiateRequest.ExpectedBucketOwner = cmdletContext.ExpectedBucketOwner; 
 
                 CallAWSServiceOperation(Client, completeRequest);
                 uploadId = null;
@@ -1320,6 +1337,7 @@ internal class CmdletContext : ExecutorContext
             public S3MetadataDirective? MetadataDirective { get; set; }
             public S3CannedACL CannedACL { get; set; }
             public String SourceVersionId { get; set; }
+            public String ExpectedBucketOwner {get; set; }
             public S3StorageClass StorageClass { get; set; }
             public ServerSideEncryptionMethod ServerSideEncryptionMethod { get; set; }
             public string ServerSideEncryptionKeyManagementServiceKeyId { get; set; }
diff --git a/modules/AWSPowerShell/Cmdlets/S3/Advanced/Write-S3Object-Cmdlet.cs b/modules/AWSPowerShell/Cmdlets/S3/Advanced/Write-S3Object-Cmdlet.cs
@@ -246,6 +246,18 @@ public class WriteS3ObjectCmdlet : AmazonS3ClientCmdlet, IExecutor
 
         #endregion
 
+        #region Parameter ExpectedBucketOwner
+        /// <summary>
+        /// <para>
+        /// <para>The account ID of the expected bucket owner. If the account ID that you provide does
+        /// not match the actual owner of the bucket, the request fails with the HTTP status code
+        /// <code>403 Forbidden</code> (access denied).</para>
+        /// </para>
+        /// </summary>
+        [Parameter(ValueFromPipelineByPropertyName = true, ParameterSetName = ParamSet_FromContent)]
+        public System.String ExpectedBucketOwner { get; set; }
+        #endregion
+
         #region Shared Params
 
         #region Parameter ContentType 
@@ -566,6 +578,9 @@ protected override void ProcessRecord()
             else if (this.PublicReadWrite.IsPresent)
                 context.CannedACL = S3CannedACL.PublicReadWrite;
 
+            if (this.ExpectedBucketOwner != null)
+                context.ExpectedBucketOwner = this.ExpectedBucketOwner;
+
             context.ContentType = this.ContentType;
 
             if (ParameterWasBound("StorageClass"))
@@ -699,6 +714,9 @@ CmdletOutput UploadTextToS3(ExecutorContext context)
                 request.ChecksumAlgorithm = cmdletContext.ChecksumAlgorithm;
             if (!string.IsNullOrEmpty(cmdletContext.IfNoneMatch))
                 request.IfNoneMatch = cmdletContext.IfNoneMatch;
+            if (cmdletContext.ExpectedBucketOwner != null)
+                request.ExpectedBucketOwner = cmdletContext.ExpectedBucketOwner;
+            
 
 #pragma warning disable CS0618 // A class member was marked with the Obsolete attribute
             request.CalculateContentMD5Header = cmdletContext.CalculateContentMD5Header;
@@ -886,6 +904,7 @@ private CmdletOutput UploadFolderToS3(ExecutorContext context)
             {
                 request.RequestPayer = cmdletContext.RequestPayer;
             }
+            
 
             AmazonS3Helper.SetExtraRequestFields(request, cmdletContext);
 
@@ -964,6 +983,7 @@ internal class CmdletContext : ExecutorContext
             public String ChecksumValue { get; set; }
             public long? MpuObjectSize { get; set; }
 
+            public string ExpectedBucketOwner { get; set;}
             public Hashtable Metadata { get; set; }
             public Hashtable Headers { get; set; }
 
diff --git a/tests/S3/S3.Tests.ps1 b/tests/S3/S3.Tests.ps1
@@ -66,6 +66,11 @@ Describe -Tag "Smoke" "S3" {
                 Write-S3Object -BucketName $script:bucketName -Key foo.txt -Content "this is a test" -ServerSideEncryption Naan
             } | Should -Throw
         }
+
+        It "Can verify bucket ownership during write operations" {
+            $accountId = (Get-S3Bucket -BucketName $script:bucketName).Owner.ID
+            Write-S3Object -BucketName $script:bucketName -Key "ownership-test.txt" -ExpectedBucketOwner $accountId -Content "testing bucket ownership verification"
+        }
     }
 
     Context "Reading" {
@@ -197,6 +202,15 @@ Describe -Tag "Smoke" "S3" {
             ($tagCollection[0].Key) | Should -Be "testtag"
             ($tagCollection[0].Value) | Should -Be "testvalue"
         }
+        It "Can copy with ExpectedBucketOwner parameter" {
+            $accountId = (Get-S3Bucket -BucketName $script:bucketName).Owner.ID
+            Copy-S3Object -BucketName $eastBucketName -Key key -DestinationBucket $westBucketName -DestinationKey "key-copy-owner" -Region us-east-1 -ExpectedBucketOwner $accountId
+            Read-S3Object -BucketName $westBucketName -Key "key-copy-owner" -File "temp\owner-copy.txt"
+            (Get-Content "temp\owner-copy.txt") | Should -Be $content
+
+            $incorrectAccountId = "000000000000"
+            { Copy-S3Object -BucketName $eastBucketName -Key key -DestinationBucket $westBucketName -DestinationKey "key-copy-owner-fail" -Region us-east-1 -ExpectedBucketOwner $incorrectAccountId } | Should -Throw 
+        }
     }
 
     Context "Checksums" {
