codeperl
diff --git a/‎localstack/services/s3/provider.py
Lines changed: 77 additions & 0 deletions b/‎localstack/services/s3/provider.py
Lines changed: 77 additions & 0 deletions
diff --git a/‎tests/integration/s3/test_s3.py
Lines changed: 101 additions & 0 deletions b/‎tests/integration/s3/test_s3.py
Lines changed: 101 additions & 0 deletions
diff --git a/‎tests/integration/s3/test_s3.snapshot.json
Lines changed: 39 additions & 0 deletions b/‎tests/integration/s3/test_s3.snapshot.json
Lines changed: 39 additions & 0 deletions
@@ -66,6 +66,7 @@
     GetObjectAttributesRequest,
     GetObjectOutput,
     GetObjectRequest,
+    GetObjectRetentionOutput,
     GetObjectTaggingOutput,
     GetObjectTaggingRequest,
     HeadObjectOutput,
@@ -102,6 +103,7 @@
     NotificationConfiguration,
     ObjectIdentifier,
     ObjectKey,
+    ObjectLockRetention,
     ObjectLockToken,
     ObjectVersionId,
     OutputSerialization,
@@ -116,6 +118,7 @@
     PutObjectAclRequest,
     PutObjectOutput,
     PutObjectRequest,
+    PutObjectRetentionOutput,
     PutObjectTaggingOutput,
     PutObjectTaggingRequest,
     ReplicationConfiguration,
@@ -176,6 +179,7 @@
 from localstack.utils.collections import get_safe
 from localstack.utils.patch import patch
 from localstack.utils.strings import short_uid
+from localstack.utils.time import parse_timestamp
 from localstack.utils.urls import localstack_host
 
 LOG = logging.getLogger(__name__)
@@ -1104,6 +1108,62 @@ def get_bucket_acl(
 
         return response
 
+    def get_object_retention(
+        self,
+        context: RequestContext,
+        bucket: BucketName,
+        key: ObjectKey,
+        version_id: ObjectVersionId = None,
+        request_payer: RequestPayer = None,
+        expected_bucket_owner: AccountId = None,
+    ) -> GetObjectRetentionOutput:
+        moto_backend = get_moto_s3_backend(context)
+        key = get_key_from_moto_bucket(
+            get_bucket_from_moto(moto_backend, bucket=bucket), key=key, version_id=version_id
+        )
+        if not key.lock_mode and not key.lock_until:
+            raise InvalidRequest("Bucket is missing Object Lock Configuration")
+        return GetObjectRetentionOutput(
+            Retention=ObjectLockRetention(
+                Mode=key.lock_mode,
+                RetainUntilDate=parse_timestamp(key.lock_until),
+            )
+        )
+
+    @handler("PutObjectRetention")
+    def put_object_retention(
+        self,
+        context: RequestContext,
+        bucket: BucketName,
+        key: ObjectKey,
+        retention: ObjectLockRetention = None,
+        request_payer: RequestPayer = None,
+        version_id: ObjectVersionId = None,
+        bypass_governance_retention: BypassGovernanceRetention = None,
+        content_md5: ContentMD5 = None,
+        checksum_algorithm: ChecksumAlgorithm = None,
+        expected_bucket_owner: AccountId = None,
+    ) -> PutObjectRetentionOutput:
+        moto_backend = get_moto_s3_backend(context)
+        moto_bucket = get_bucket_from_moto(moto_backend, bucket=bucket)
+
+        try:
+            moto_key = get_key_from_moto_bucket(moto_bucket, key=key, version_id=version_id)
+        except NoSuchKey:
+            moto_key = None
+
+        if not moto_key and version_id:
+            raise InvalidArgument("Invalid version id specified")
+        if not moto_bucket.object_lock_enabled:
+            raise InvalidRequest("Bucket is missing Object Lock Configuration")
+        if not moto_key and not version_id:
+            raise NoSuchKey("The specified key does not exist.", Key=key)
+
+        moto_key.lock_mode = retention.get("Mode")
+        retention_date = retention.get("RetainUntilDate")
+        retention_date = retention_date.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+        moto_key.lock_until = retention_date
+
     @handler("PutBucketAcl", expand=False)
     def put_bucket_acl(
         self,
@@ -2177,6 +2237,23 @@ def bucket_get_permission(fn, self, *args, **kwargs):
 
         return fn(self, *args, **kwargs)
 
+    def key_is_locked(self):
+        """
+        Apply a patch to check if a key is locked
+        """
+        if self.lock_legal_status == "ON":
+            return True
+
+        if self.lock_mode in ["GOVERNANCE", "COMPLIANCE"]:
+            now = datetime.datetime.utcnow()
+            until = parse_timestamp(self.lock_until)
+            if until > now:
+                return True
+
+        return False
+
+    setattr(moto_s3_models.FakeKey, "is_locked", property(key_is_locked))
+
 
 def register_custom_handlers():
     serve_custom_service_request_handlers.append(s3_cors_request_handler)
 
@@ -4864,6 +4864,107 @@ def test_s3_get_object_headers(self, aws_client, s3_create_bucket, snapshot):
             aws_client.s3.get_object(Bucket=bucket, Key=key, IfMatch="etag")
         snapshot.match("if_match_err_1", e.value.response["Error"])
 
+    @pytest.mark.aws_validated
+    def test_s3_object_hold(self, aws_client, s3_create_bucket, snapshot):
+        bucket_name_with_lock = f"bucket-with-lock-{short_uid()}"
+        bucket_name_without_lock = f"bucket-without-lock-{short_uid()}"
+        key_1 = "test1.txt"
+        key_2 = "test2.txt"
+
+        s3_create_bucket(Bucket=bucket_name_with_lock, ObjectLockEnabledForBucket=True)
+        aws_client.s3.put_object(Bucket=bucket_name_with_lock, Key=key_1, Body="test")
+        key_1_version_id = aws_client.s3.get_object(Bucket=bucket_name_with_lock, Key=key_1)[
+            "VersionId"
+        ]
+        key_2_version_id = aws_client.s3.put_object(Bucket=bucket_name_with_lock, Key=key_2)[
+            "VersionId"
+        ]
+
+        s3_create_bucket(Bucket=bucket_name_without_lock, ObjectLockEnabledForBucket=False)
+        aws_client.s3.put_object(Bucket=bucket_name_without_lock, Key=key_1, Body="test")
+
+        # non-existing bucket
+        with pytest.raises(ClientError) as exc:
+            aws_client.s3.put_object_retention(
+                Bucket="non-existing-bucket",
+                Key=key_1,
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+            )
+        snapshot.match("put_object_retention_1", exc.value.response["Error"])
+
+        # non-existing key
+        with pytest.raises(ClientError) as exc:
+            aws_client.s3.put_object_retention(
+                Bucket=bucket_name_with_lock,
+                Key="non-existing-key",
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+            )
+        snapshot.match("put_object_retention_2", exc.value.response["Error"])
+
+        # no lock on bucket
+        with pytest.raises(ClientError) as exc:
+            aws_client.s3.get_object_retention(Bucket=bucket_name_without_lock, Key=key_1)
+        snapshot.match("get_object_retention_1", exc.value.response["Error"])
+
+        response = aws_client.s3.put_object_retention(
+            Bucket=bucket_name_with_lock,
+            Key=key_1,
+            Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+        )
+        snapshot.match("put_object_retention_4", response["ResponseMetadata"]["HTTPStatusCode"])
+
+        response = aws_client.s3.get_object_retention(Bucket=bucket_name_with_lock, Key=key_1)
+        snapshot.match("get_object_retention_2", response)
+
+        # delete object with lock without bypass
+        with pytest.raises(ClientError) as exc:
+            aws_client.s3.delete_object(
+                Bucket=bucket_name_with_lock, Key=key_1, VersionId=key_1_version_id
+            )
+        snapshot.match("delete_object_1", exc.value.response["Error"])
+
+        # delete object with lock with bypass
+        response = aws_client.s3.delete_object(
+            Bucket=bucket_name_with_lock,
+            Key=key_1,
+            VersionId=key_1_version_id,
+            BypassGovernanceRetention=True,
+        )
+        snapshot.match("delete_object_2", response["ResponseMetadata"]["HTTPStatusCode"])
+
+        # add object retention to key_2 with 5 seconds retention
+        aws_client.s3.put_object_retention(
+            Bucket=bucket_name_with_lock,
+            Key=key_2,
+            Retention={
+                "Mode": "GOVERNANCE",
+                "RetainUntilDate": datetime.datetime.utcnow() + datetime.timedelta(seconds=5),
+            },
+        )
+
+        # delete object with lock without bypass before 5 seconds
+        with pytest.raises(ClientError):
+            aws_client.s3.delete_object(
+                Bucket=bucket_name_with_lock, Key=key_2, VersionId=key_2_version_id
+            )
+
+        # delete object with lock without bypass after 5 seconds
+        time.sleep(6)
+        aws_client.s3.delete_object(
+            Bucket=bucket_name_with_lock,
+            Key=key_2,
+            VersionId=key_2_version_id,
+        )
+
+        # put object retention on bucket without lock configured
+        with pytest.raises(ClientError) as exc:
+            aws_client.s3.put_object_retention(
+                Bucket=bucket_name_without_lock,
+                Key=key_1,
+                Retention={"Mode": "GOVERNANCE", "RetainUntilDate": datetime.datetime(2030, 1, 1)},
+            )
+        snapshot.match("put_object_retention_5", exc.value.response["Error"])
+
     @pytest.mark.aws_validated
     def test_put_bucket_logging(self, aws_client, s3_create_bucket, snapshot):
         snapshot.add_transformer(
 
@@ -8595,5 +8595,44 @@
         }
       }
     }
+  },
+  "tests/integration/s3/test_s3.py::TestS3::test_s3_object_hold": {
+    "recorded-date": "08-07-2023, 00:52:18",
+    "recorded-content": {
+      "put_object_retention_1": {
+        "BucketName": "non-existing-bucket",
+        "Code": "NoSuchBucket",
+        "Message": "The specified bucket does not exist"
+      },
+      "put_object_retention_2": {
+        "Code": "NoSuchKey",
+        "Key": "non-existing-key",
+        "Message": "The specified key does not exist."
+      },
+      "get_object_retention_1": {
+        "Code": "InvalidRequest",
+        "Message": "Bucket is missing Object Lock Configuration"
+      },
+      "put_object_retention_4": 200,
+      "get_object_retention_2": {
+        "Retention": {
+          "Mode": "GOVERNANCE",
+          "RetainUntilDate": "datetime"
+        },
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
+      "delete_object_1": {
+        "Code": "AccessDenied",
+        "Message": "Access Denied"
+      },
+      "delete_object_2": 204,
+      "put_object_retention_5": {
+        "Code": "InvalidRequest",
+        "Message": "Bucket is missing Object Lock Configuration"
+      }
+    }
   }
 }