Adding wrangler commands for R2 bucket lock rule configuration (#7977)

* Adding wrangler commands for R2 bucket lock rule configuration

* R2-2612: addressing feedback and adding tests

* R2-2612: updating lock date/days to retention date/days and explicitly making retention required instead of indefinite being implied

Author: jkoe-cf

.changeset/blue-foxes-notice.md

@@ -0,0 +1,5 @@
+---
+"wrangler": minor
+---
+
+Added wrangler r2 commands for bucket lock configuration

.changeset/weak-chairs-tap.md

@@ -0,0 +1,5 @@
+---
+"wrangler": patch
+---
+
+fixing the format of the R2 lifecycle rule date input to be parsed as string instead of number

packages/wrangler/src/__tests__/r2.test.ts

@@ -115,6 +115,13 @@ import {
 	r2BucketLifecycleRemoveCommand,
 	r2BucketLifecycleSetCommand,
 } from "./r2/lifecycle";
+import {
+	r2BucketLockAddCommand,
+	r2BucketLockListCommand,
+	r2BucketLockNamespace,
+	r2BucketLockRemoveCommand,
+	r2BucketLockSetCommand,
+} from "./r2/lock";
 import {
 	r2BucketNotificationCreateCommand,
 	r2BucketNotificationDeleteCommand,
@@ -713,6 +720,26 @@ export function createCLIParser(argv: string[]) {
 			command: "wrangler r2 bucket cors set",
 			definition: r2BucketCORSSetCommand,
 		},
+		{
+			command: "wrangler r2 bucket lock",
+			definition: r2BucketLockNamespace,
+		},
+		{
+			command: "wrangler r2 bucket lock list",
+			definition: r2BucketLockListCommand,
+		},
+		{
+			command: "wrangler r2 bucket lock add",
+			definition: r2BucketLockAddCommand,
+		},
+		{
+			command: "wrangler r2 bucket lock remove",
+			definition: r2BucketLockRemoveCommand,
+		},
+		{
+			command: "wrangler r2 bucket lock set",
+			definition: r2BucketLockSetCommand,
+		},
 	]);
 	registry.registerNamespace("r2");
 

packages/wrangler/src/index.ts

@@ -1067,6 +1067,99 @@ export async function putLifecycleRules(
 	});
 }
 
+// bucket lock rules
+
+export interface BucketLockRule {
+	id: string;
+	enabled: boolean;
+	prefix?: string;
+	condition: BucketLockRuleCondition;
+}
+
+export interface BucketLockRuleCondition {
+	type: "Age" | "Date" | "Indefinite";
+	maxAgeSeconds?: number;
+	date?: string;
+}
+
+export function tableFromBucketLockRulesResponse(rules: BucketLockRule[]): {
+	id: string;
+	enabled: string;
+	prefix: string;
+	condition: string;
+}[] {
+	const rows = [];
+	for (const rule of rules) {
+		const conditionString = formatLockCondition(rule.condition);
+		rows.push({
+			id: rule.id,
+			enabled: rule.enabled ? "Yes" : "No",
+			prefix: rule.prefix || "(all prefixes)",
+			condition: conditionString,
+		});
+	}
+	return rows;
+}
+
+function formatLockCondition(condition: BucketLockRuleCondition): string {
+	if (condition.type === "Age" && typeof condition.maxAgeSeconds === "number") {
+		const days = condition.maxAgeSeconds / 86400; // Convert seconds to days
+		if (days == 1) {
+			return `after ${days} day`;
+		} else {
+			return `after ${days} days`;
+		}
+	} else if (condition.type === "Date" && condition.date) {
+		const date = new Date(condition.date);
+		const displayDate = date.toISOString().split("T")[0];
+		return `on ${displayDate}`;
+	}
+
+	return `indefinitely`;
+}
+
+export async function getBucketLockRules(
+	accountId: string,
+	bucket: string,
+	jurisdiction?: string
+): Promise<BucketLockRule[]> {
+	const headers: HeadersInit = {};
+	if (jurisdiction) {
+		headers["cf-r2-jurisdiction"] = jurisdiction;
+	}
+
+	const result = await fetchResult<{ rules: BucketLockRule[] }>(
+		`/accounts/${accountId}/r2/buckets/${bucket}/lock`,
+		{
+			method: "GET",
+			headers,
+		}
+	);
+	return result.rules;
+}
+
+export async function putBucketLockRules(
+	accountId: string,
+	bucket: string,
+	rules: BucketLockRule[],
+	jurisdiction?: string
+): Promise<void> {
+	const headers: HeadersInit = {
+		"Content-Type": "application/json",
+	};
+	if (jurisdiction) {
+		headers["cf-r2-jurisdiction"] = jurisdiction;
+	}
+
+	await fetchResult(`/accounts/${accountId}/r2/buckets/${bucket}/lock`, {
+		method: "PUT",
+		headers,
+		body: JSON.stringify({ rules: rules }),
+	});
+}
+
+// bucket lock rules
+
 export function formatActionDescription(action: string): string {
 	switch (action) {
 		case "expire":

packages/wrangler/src/r2/helpers.ts

@@ -97,7 +97,7 @@ export const r2BucketLifecycleAddCommand = createCommand({
 		},
 		"expire-date": {
 			describe: "Date after which objects expire (YYYY-MM-DD)",
-			type: "number",
+			type: "string",
 			requiresArg: true,
 		},
 		"ia-transition-days": {

packages/wrangler/src/r2/lifecycle.ts

@@ -0,0 +1,374 @@
+import { createCommand, createNamespace } from "../core/create-command";
+import { confirm, prompt } from "../dialogs";
+import { UserError } from "../errors";
+import { isNonInteractiveOrCI } from "../is-interactive";
+import { logger } from "../logger";
+import { ParseError, readFileSync } from "../parse";
+import { requireAuth } from "../user";
+import formatLabelledValues from "../utils/render-labelled-values";
+import {
+	getBucketLockRules,
+	isValidDate,
+	putBucketLockRules,
+	tableFromBucketLockRulesResponse,
+} from "./helpers";
+import type { BucketLockRule } from "./helpers";
+
+export const r2BucketLockNamespace = createNamespace({
+	metadata: {
+		description: "Manage lock rules for an R2 bucket",
+		status: "stable",
+		owner: "Product: R2",
+	},
+});
+
+export const r2BucketLockListCommand = createCommand({
+	metadata: {
+		description: "List lock rules for an R2 bucket",
+		status: "stable",
+		owner: "Product: R2",
+	},
+	positionalArgs: ["bucket"],
+	args: {
+		bucket: {
+			describe: "The name of the R2 bucket to list lock rules for",
+			type: "string",
+			demandOption: true,
+		},
+		jurisdiction: {
+			describe: "The jurisdiction where the bucket exists",
+			alias: "J",
+			requiresArg: true,
+			type: "string",
+		},
+	},
+	async handler(args, { config }) {
+		const accountId = await requireAuth(config);
+
+		const { bucket, jurisdiction } = args;
+
+		logger.log(`Listing lock rules for bucket '${bucket}'...`);
+
+		const rules = await getBucketLockRules(accountId, bucket, jurisdiction);
+
+		if (rules.length === 0) {
+			logger.log(`There are no lock rules for bucket '${bucket}'.`);
+		} else {
+			const tableOutput = tableFromBucketLockRulesResponse(rules);
+			logger.log(tableOutput.map((x) => formatLabelledValues(x)).join("\n\n"));
+		}
+	},
+});
+
+export const r2BucketLockAddCommand = createCommand({
+	metadata: {
+		description: "Add a lock rule to an R2 bucket",
+		status: "stable",
+		owner: "Product: R2",
+	},
+	positionalArgs: ["bucket", "id", "prefix"],
+	args: {
+		bucket: {
+			describe: "The name of the R2 bucket to add a bucket lock rule to",
+			type: "string",
+			demandOption: true,
+		},
+		id: {
+			describe: "A unique identifier for the bucket lock rule",
+			type: "string",
+			requiresArg: true,
+		},
+		prefix: {
+			describe:
+				'Prefix condition for the bucket lock rule (set to "" for all prefixes)',
+			type: "string",
+			requiresArg: true,
+		},
+		"retention-days": {
+			describe: "Number of days which objects will be retained for",
+			type: "number",
+			conflicts: ["retention-date", "retention-indefinite"],
+		},
+		"retention-date": {
+			describe: "Date after which objects will be retained until (YYYY-MM-DD)",
+			type: "string",
+			conflicts: ["retention-days", "retention-indefinite"],
+		},
+		"retention-indefinite": {
+			describe: "Retain objects indefinitely",
+			type: "boolean",
+			conflicts: ["retention-date", "retention-days"],
+		},
+		jurisdiction: {
+			describe: "The jurisdiction where the bucket exists",
+			alias: "J",
+			requiresArg: true,
+			type: "string",
+		},
+		force: {
+			describe: "Skip confirmation",
+			type: "boolean",
+			alias: "y",
+			default: false,
+		},
+	},
+	async handler(
+		{
+			bucket,
+			retentionDays,
+			retentionDate,
+			retentionIndefinite,
+			jurisdiction,
+			force,
+			id,
+			prefix,
+		},
+		{ config }
+	) {
+		const accountId = await requireAuth(config);
+
+		const rules = await getBucketLockRules(accountId, bucket, jurisdiction);
+
+		if (!id && !isNonInteractiveOrCI() && !force) {
+			id = await prompt("Enter a unique identifier for the lock rule");
+		}
+
+		if (!id) {
+			throw new UserError("Must specify a rule ID.", {
+				telemetryMessage: true,
+			});
+		}
+
+		const newRule: BucketLockRule = {
+			id: id,
+			enabled: true,
+			condition: { type: "Indefinite" },
+		};
+		if (prefix === undefined && !force) {
+			prefix = await prompt(
+				'Enter a prefix for the bucket lock rule (set to "" for all prefixes)',
+				{ defaultValue: "" }
+			);
+			if (prefix === "") {
+				const confirmedAdd = await confirm(
+					`Are you sure you want to add lock rule '${id}' to bucket '${bucket}' without a prefix? ` +
+						`The lock rule will apply to all objects in your bucket.`,
+					{ defaultValue: false }
+				);
+				if (!confirmedAdd) {
+					logger.log("Add cancelled.");
+					return;
+				}
+			}
+		}
+
+		if (prefix) {
+			newRule.prefix = prefix;
+		}
+
+		if (
+			retentionDays === undefined &&
+			retentionDate === undefined &&
+			retentionIndefinite === undefined &&
+			!force
+		) {
+			retentionIndefinite = await confirm(
+				`Are you sure you want to add lock rule '${id}' to bucket '${bucket}' without retention? ` +
+					`The lock rule will apply to all matching objects indefinitely.`,
+				{ defaultValue: false }
+			);
+			if (retentionIndefinite !== true) {
+				logger.log("Add cancelled.");
+				return;
+			}
+		}
+
+		if (retentionDays !== undefined) {
+			if (!isNaN(retentionDays)) {
+				if (retentionDays > 0) {
+					const conditionDaysValue = Number(retentionDays) * 86400; // Convert days to seconds
+					newRule.condition = {
+						type: "Age",
+						maxAgeSeconds: conditionDaysValue,
+					};
+				} else {
+					throw new UserError(
+						`Days must be a positive number: ${retentionDays}`,
+						{
+							telemetryMessage: "Retention days not a positive number.",
+						}
+					);
+				}
+			} else {
+				throw new UserError(`Days must be a number.`, {
+					telemetryMessage: "Retention days not a positive number.",
+				});
+			}
+		} else if (retentionDate !== undefined) {
+			if (isValidDate(retentionDate)) {
+				const date = new Date(`${retentionDate}T00:00:00.000Z`);
+				const conditionDateValue = date.toISOString();
+				newRule.condition = {
+					type: "Date",
+					date: conditionDateValue,
+				};
+			} else {
+				throw new UserError(
+					`Date must be a valid date in the YYYY-MM-DD format: ${String(retentionDate)}`,
+					{
+						telemetryMessage:
+							"Retention date not a valid date in the YYYY-MM-DD format.",
+					}
+				);
+			}
+		} else if (
+			retentionIndefinite !== undefined &&
+			retentionIndefinite === true
+		) {
+			newRule.condition = {
+				type: "Indefinite",
+			};
+		} else {
+			throw new UserError(`Retention must be specified.`, {
+				telemetryMessage: "Lock retention not specified.",
+			});
+		}
+		rules.push(newRule);
+		logger.log(`Adding lock rule '${id}' to bucket '${bucket}'...`);
+		await putBucketLockRules(accountId, bucket, rules, jurisdiction);
+		logger.log(`✨ Added lock rule '${id}' to bucket '${bucket}'.`);
+	},
+});
+
+export const r2BucketLockRemoveCommand = createCommand({
+	metadata: {
+		description: "Remove a bucket lock rule from an R2 bucket",
+		status: "stable",
+		owner: "Product: R2",
+	},
+	positionalArgs: ["bucket"],
+	args: {
+		bucket: {
+			describe: "The name of the R2 bucket to remove a bucket lock rule from",
+			type: "string",
+			demandOption: true,
+		},
+		id: {
+			describe: "The unique identifier of the bucket lock rule to remove",
+			type: "string",
+			demandOption: true,
+			requiresArg: true,
+		},
+		jurisdiction: {
+			describe: "The jurisdiction where the bucket exists",
+			alias: "J",
+			requiresArg: true,
+			type: "string",
+		},
+	},
+	async handler(args, { config }) {
+		const accountId = await requireAuth(config);
+
+		const { bucket, id, jurisdiction } = args;
+
+		const lockPolicies = await getBucketLockRules(
+			accountId,
+			bucket,
+			jurisdiction
+		);
+
+		const index = lockPolicies.findIndex((policy) => policy.id === id);
+
+		if (index === -1) {
+			throw new UserError(
+				`Lock rule with ID '${id}' not found in configuration for '${bucket}'.`,
+				{
+					telemetryMessage:
+						"Lock rule with ID not found in configuration for bucket.",
+				}
+			);
+		}
+
+		lockPolicies.splice(index, 1);
+
+		logger.log(`Removing lock rule '${id}' from bucket '${bucket}'...`);
+		await putBucketLockRules(accountId, bucket, lockPolicies, jurisdiction);
+		logger.log(`Lock rule '${id}' removed from bucket '${bucket}'.`);
+	},
+});
+
+export const r2BucketLockSetCommand = createCommand({
+	metadata: {
+		description: "Set the lock configuration for an R2 bucket from a JSON file",
+		status: "stable",
+		owner: "Product: R2",
+	},
+	positionalArgs: ["bucket"],
+	args: {
+		bucket: {
+			describe: "The name of the R2 bucket to set lock configuration for",
+			type: "string",
+			demandOption: true,
+		},
+		file: {
+			describe: "Path to the JSON file containing lock configuration",
+			type: "string",
+			demandOption: true,
+			requiresArg: true,
+		},
+		jurisdiction: {
+			describe: "The jurisdiction where the bucket exists",
+			alias: "J",
+			requiresArg: true,
+			type: "string",
+		},
+		force: {
+			describe: "Skip confirmation",
+			type: "boolean",
+			alias: "y",
+			default: false,
+		},
+	},
+	async handler(args, { config }) {
+		const accountId = await requireAuth(config);
+
+		const { bucket, file, jurisdiction, force } = args;
+		let lockRule: { rules: BucketLockRule[] };
+		try {
+			lockRule = JSON.parse(readFileSync(file));
+		} catch (e) {
+			if (e instanceof Error) {
+				throw new ParseError({
+					text: `Failed to read or parse the lock configuration config file: '${e.message}'`,
+					telemetryMessage:
+						"Failed to read or parse the lock configuration config file.",
+				});
+			} else {
+				throw e;
+			}
+		}
+
+		if (!lockRule.rules || !Array.isArray(lockRule.rules)) {
+			throw new UserError(
+				"The lock configuration file must contain a 'rules' array.",
+				{ telemetryMessage: true }
+			);
+		}
+
+		if (!force) {
+			const confirmedRemoval = await confirm(
+				`Are you sure you want to overwrite all existing lock rules for bucket '${bucket}'?`,
+				{ defaultValue: true }
+			);
+			if (!confirmedRemoval) {
+				logger.log("Set cancelled.");
+				return;
+			}
+		}
+		logger.log(
+			`Setting lock configuration (${lockRule.rules.length} rules) for bucket '${bucket}'...`
+		);
+		await putBucketLockRules(accountId, bucket, lockRule.rules, jurisdiction);
+		logger.log(`✨ Set lock configuration for bucket '${bucket}'.`);
+	},
+});