com.cloud.bridge.service.core.s3.S3Engine.java Source code

Java tutorial

Introduction

Here is the source code for com.cloud.bridge.service.core.s3.S3Engine.java

Source

/*
 * Copyright (C) 2011 Citrix Systems, Inc.  All rights reserved.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.cloud.bridge.service.core.s3;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.TimeZone;
import java.util.UUID;

import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.hibernate.LockMode;
import org.hibernate.Session;
import org.json.simple.parser.ParseException;

import com.cloud.bridge.io.S3FileSystemBucketAdapter;
import com.cloud.bridge.model.MHost;
import com.cloud.bridge.model.MHostMount;
import com.cloud.bridge.model.SAcl;
import com.cloud.bridge.model.SBucket;
import com.cloud.bridge.model.SHost;
import com.cloud.bridge.model.SMeta;
import com.cloud.bridge.model.SObject;
import com.cloud.bridge.model.SObjectItem;
import com.cloud.bridge.persist.PersistContext;
import com.cloud.bridge.persist.dao.BucketPolicyDao;
import com.cloud.bridge.persist.dao.MHostDao;
import com.cloud.bridge.persist.dao.MHostMountDao;
import com.cloud.bridge.persist.dao.MultipartLoadDao;
import com.cloud.bridge.persist.dao.SAclDao;
import com.cloud.bridge.persist.dao.SBucketDao;
import com.cloud.bridge.persist.dao.SHostDao;
import com.cloud.bridge.persist.dao.SMetaDao;
import com.cloud.bridge.persist.dao.SObjectDao;
import com.cloud.bridge.persist.dao.SObjectItemDao;
import com.cloud.bridge.service.S3Constants;
import com.cloud.bridge.service.UserContext;
import com.cloud.bridge.service.controller.s3.ServiceProvider;
import com.cloud.bridge.service.core.s3.S3BucketPolicy.PolicyAccess;
import com.cloud.bridge.service.core.s3.S3CopyObjectRequest.MetadataDirective;
import com.cloud.bridge.service.core.s3.S3PolicyAction.PolicyActions;
import com.cloud.bridge.service.core.s3.S3PolicyCondition.ConditionKeys;
import com.cloud.bridge.service.exception.HostNotMountedException;
import com.cloud.bridge.service.exception.InternalErrorException;
import com.cloud.bridge.service.exception.InvalidBucketName;
import com.cloud.bridge.service.exception.NoSuchObjectException;
import com.cloud.bridge.service.exception.ObjectAlreadyExistsException;
import com.cloud.bridge.service.exception.OutOfServiceException;
import com.cloud.bridge.service.exception.OutOfStorageException;
import com.cloud.bridge.service.exception.PermissionDeniedException;
import com.cloud.bridge.service.exception.UnsupportedException;
import com.cloud.bridge.util.DateHelper;
import com.cloud.bridge.util.PolicyParser;
import com.cloud.bridge.util.StringHelper;
import com.cloud.bridge.util.OrderedPair;
import com.cloud.bridge.util.Triple;

/**
 * @author Kelven Yang, John Zucker
 * The CRUD control actions to be invoked from S3BucketAction or S3ObjectAction.
 */
public class S3Engine {
    protected final static Logger logger = Logger.getLogger(S3Engine.class);

    private final int LOCK_ACQUIRING_TIMEOUT_SECONDS = 10; // ten seconds

    private final Map<Integer, S3BucketAdapter> bucketAdapters = new HashMap<Integer, S3BucketAdapter>();

    public S3Engine() {
        bucketAdapters.put(SHost.STORAGE_HOST_TYPE_LOCAL, new S3FileSystemBucketAdapter());
    }

    /**
     * Return a S3CopyObjectResponse which represents an object being copied from source
     * to destination bucket.    
     * Called from S3ObjectAction when copying an object.
     * This can be treated as first a GET followed by a PUT of the object the user wants to copy.
     */

    public S3CopyObjectResponse handleRequest(S3CopyObjectRequest request) {
        S3CopyObjectResponse response = new S3CopyObjectResponse();

        // [A] Get the object we want to copy
        S3GetObjectRequest getRequest = new S3GetObjectRequest();
        getRequest.setBucketName(request.getSourceBucketName());
        getRequest.setKey(request.getSourceKey());
        getRequest.setVersion(request.getVersion());
        getRequest.setConditions(request.getConditions());

        getRequest.setInlineData(true);
        getRequest.setReturnData(true);
        if (MetadataDirective.COPY == request.getDirective())
            getRequest.setReturnMetadata(true);
        else
            getRequest.setReturnMetadata(false);

        //-> before we do anything verify the permissions on a copy basis
        String destinationBucketName = request.getDestinationBucketName();
        String destinationKeyName = request.getDestinationKey();
        S3PolicyContext context = new S3PolicyContext(PolicyActions.PutObject, destinationBucketName);
        context.setKeyName(destinationKeyName);
        context.setEvalParam(ConditionKeys.MetaData, request.getDirective().toString());
        context.setEvalParam(ConditionKeys.CopySource,
                "/" + request.getSourceBucketName() + "/" + request.getSourceKey());
        if (PolicyAccess.DENY == verifyPolicy(context))
            throw new PermissionDeniedException("Access Denied - bucket policy DENY result");

        S3GetObjectResponse originalObject = handleRequest(getRequest);
        int resultCode = originalObject.getResultCode();
        if (200 != resultCode) {
            response.setResultCode(resultCode);
            response.setResultDescription(originalObject.getResultDescription());
            return response;
        }

        response.setCopyVersion(originalObject.getVersion());

        // [B] Put the object into the destination bucket
        S3PutObjectInlineRequest putRequest = new S3PutObjectInlineRequest();
        putRequest.setBucketName(request.getDestinationBucketName());
        putRequest.setKey(destinationKeyName);
        if (MetadataDirective.COPY == request.getDirective())
            putRequest.setMetaEntries(originalObject.getMetaEntries());
        else
            putRequest.setMetaEntries(request.getMetaEntries());
        putRequest.setAcl(request.getAcl()); // -> if via a SOAP call
        putRequest.setCannedAccess(request.getCannedAccess()); // -> if via a REST call 
        putRequest.setContentLength(originalObject.getContentLength());
        putRequest.setData(originalObject.getData());

        S3PutObjectInlineResponse putResp = handleRequest(putRequest);
        response.setResultCode(putResp.resultCode);
        response.setResultDescription(putResp.getResultDescription());
        response.setETag(putResp.getETag());
        response.setLastModified(putResp.getLastModified());
        response.setPutVersion(putResp.getVersion());
        return response;
    }

    public S3CreateBucketResponse handleRequest(S3CreateBucketRequest request) {
        S3CreateBucketResponse response = new S3CreateBucketResponse();
        String cannedAccessPolicy = request.getCannedAccess();
        String bucketName = request.getBucketName();
        response.setBucketName(bucketName);

        verifyBucketName(bucketName, false);

        S3PolicyContext context = new S3PolicyContext(PolicyActions.CreateBucket, bucketName);
        context.setEvalParam(ConditionKeys.Acl, cannedAccessPolicy);
        if (PolicyAccess.DENY == verifyPolicy(context))
            throw new PermissionDeniedException("Access Denied - bucket policy DENY result");

        if (PersistContext.acquireNamedLock("bucket.creation", LOCK_ACQUIRING_TIMEOUT_SECONDS)) {
            OrderedPair<SHost, String> shost_storagelocation_pair = null;
            boolean success = false;
            try {
                SBucketDao bucketDao = new SBucketDao();
                SAclDao aclDao = new SAclDao();

                if (bucketDao.getByName(request.getBucketName()) != null)
                    throw new ObjectAlreadyExistsException("Bucket already exists");

                shost_storagelocation_pair = allocBucketStorageHost(request.getBucketName(), null);

                SBucket sbucket = new SBucket();
                sbucket.setName(request.getBucketName());
                sbucket.setCreateTime(DateHelper.currentGMTTime());
                sbucket.setOwnerCanonicalId(UserContext.current().getCanonicalUserId());
                sbucket.setShost(shost_storagelocation_pair.getFirst());
                shost_storagelocation_pair.getFirst().getBuckets().add(sbucket);
                bucketDao.save(sbucket);

                S3AccessControlList acl = request.getAcl();

                if (null != cannedAccessPolicy)
                    setCannedAccessControls(cannedAccessPolicy, "SBucket", sbucket.getId(), sbucket);
                else if (null != acl)
                    aclDao.save("SBucket", sbucket.getId(), acl);
                else
                    setSingleAcl("SBucket", sbucket.getId(), SAcl.PERMISSION_FULL);

                // explicitly commit the transaction
                PersistContext.commitTransaction();
                success = true;
            } finally {
                if (!success && shost_storagelocation_pair != null) {
                    S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(
                            shost_storagelocation_pair.getFirst());
                    bucketAdapter.deleteContainer(shost_storagelocation_pair.getSecond(), request.getBucketName());
                }
                PersistContext.rollbackTransaction(false);
                PersistContext.releaseNamedLock("bucket.creation");
            }

        } else {
            throw new OutOfServiceException("Unable to acquire synchronization lock");
        }

        return response;
    }

    /**
     * Return a S3Response which represents the effect of an object being deleted from its bucket.    
     * Called from S3BucketAction when deleting an object.
     */

    public S3Response handleRequest(S3DeleteBucketRequest request) {
        S3Response response = new S3Response();
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);

        if (sbucket != null) {
            S3PolicyContext context = new S3PolicyContext(PolicyActions.DeleteBucket, bucketName);
            switch (verifyPolicy(context)) {
            case ALLOW:
                // The bucket policy can give users permission to delete a bucket whereas ACLs cannot
                break;

            case DENY:
                throw new PermissionDeniedException("Access Denied - bucket policy DENY result");

            case DEFAULT_DENY:
            default:
                // Irrespective of what the ACLs say, only the owner can delete a bucket
                String client = UserContext.current().getCanonicalUserId();
                if (!client.equals(sbucket.getOwnerCanonicalId())) {
                    throw new PermissionDeniedException("Access Denied - only the owner can delete a bucket");
                }
                break;
            }

            // Delete the file from its storage location
            OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(sbucket);
            S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());
            bucketAdapter.deleteContainer(host_storagelocation_pair.getSecond(), request.getBucketName());

            // Cascade-deleting can delete related SObject/SObjectItem objects, but not SAcl, SMeta and policy objects.
            // To delete SMeta & SAcl objects: 
            // (1)Get all the objects in the bucket, 
            // (2)then all the items in each object, 
            // (3) then all meta & acl data for each item
            Set<SObject> objectsInBucket = sbucket.getObjectsInBucket();
            Iterator<SObject> it = objectsInBucket.iterator();
            while (it.hasNext()) {
                SObject oneObject = (SObject) it.next();
                Set<SObjectItem> itemsInObject = oneObject.getItems();
                Iterator<SObjectItem> is = itemsInObject.iterator();
                while (is.hasNext()) {
                    SObjectItem oneItem = (SObjectItem) is.next();
                    deleteMetaData(oneItem.getId());
                    deleteObjectAcls("SObjectItem", oneItem.getId());
                }
            }

            // Delete all the policy state associated with the bucket
            try {
                ServiceProvider.getInstance().deleteBucketPolicy(bucketName);
                BucketPolicyDao policyDao = new BucketPolicyDao();
                policyDao.deletePolicy(bucketName);
            } catch (Exception e) {
                logger.error("When deleting a bucket we must try to delete its policy: ", e);
            }

            deleteBucketAcls(sbucket.getId());
            bucketDao.delete(sbucket);
            response.setResultCode(204);
            response.setResultDescription("OK");
        } else {
            response.setResultCode(404);
            response.setResultDescription("Bucket does not exist");
        }
        return response;
    }

    /**
     * Return a S3ListBucketResponse which represents a list of up to 1000 objects contained ins  the bucket.    
     * Called from S3BucketAction for GETting objects and for GETting object versions.
     */

    public S3ListBucketResponse listBucketContents(S3ListBucketRequest request, boolean includeVersions) {
        S3ListBucketResponse response = new S3ListBucketResponse();
        String bucketName = request.getBucketName();
        String prefix = request.getPrefix();
        if (prefix == null)
            prefix = StringHelper.EMPTY_STRING;
        String marker = request.getMarker();
        if (marker == null)
            marker = StringHelper.EMPTY_STRING;

        String delimiter = request.getDelimiter();
        int maxKeys = request.getMaxKeys();
        if (maxKeys <= 0)
            maxKeys = 1000;

        SBucketDao bucketDao = new SBucketDao();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null)
            throw new NoSuchObjectException("Bucket " + bucketName + " does not exist");

        PolicyActions action = (includeVersions ? PolicyActions.ListBucketVersions : PolicyActions.ListBucket);
        S3PolicyContext context = new S3PolicyContext(action, bucketName);
        context.setEvalParam(ConditionKeys.MaxKeys, new String("" + maxKeys));
        context.setEvalParam(ConditionKeys.Prefix, prefix);
        context.setEvalParam(ConditionKeys.Delimiter, delimiter);
        verifyAccess(context, "SBucket", sbucket.getId(), SAcl.PERMISSION_READ);

        // Wen execting the query, request one more item so that we know how to set isTruncated flag 
        SObjectDao sobjectDao = new SObjectDao();
        List<SObject> l = null;

        if (includeVersions)
            l = sobjectDao.listAllBucketObjects(sbucket, prefix, marker, maxKeys + 1);
        else
            l = sobjectDao.listBucketObjects(sbucket, prefix, marker, maxKeys + 1);

        response.setBucketName(bucketName);
        response.setMarker(marker);
        response.setMaxKeys(maxKeys);
        response.setPrefix(prefix);
        response.setDelimiter(delimiter);
        response.setTruncated(l.size() > maxKeys);
        if (l.size() > maxKeys) {
            response.setNextMarker(l.get(l.size() - 1).getNameKey());
        }

        // If needed - SOAP response does not support versioning
        response.setContents(composeListBucketContentEntries(l, prefix, delimiter, maxKeys, includeVersions,
                request.getVersionIdMarker()));
        response.setCommonPrefixes(composeListBucketPrefixEntries(l, prefix, delimiter, maxKeys));
        return response;
    }

    /**
     * Return a S3ListAllMyBucketResponse which represents a list of all buckets owned by the requester.    
     * Called from S3BucketAction for GETting all buckets.
     * To check on bucket policies defined we have to (look for and) evaluate the policy on each
     * bucket the user owns.
     */
    public S3ListAllMyBucketsResponse handleRequest(S3ListAllMyBucketsRequest request) {
        S3ListAllMyBucketsResponse response = new S3ListAllMyBucketsResponse();
        SBucketDao bucketDao = new SBucketDao();

        // "...you can only list buckets for which you are the owner."
        List<SBucket> buckets = bucketDao.listBuckets(UserContext.current().getCanonicalUserId());
        S3CanonicalUser owner = new S3CanonicalUser();
        owner.setID(UserContext.current().getCanonicalUserId());
        owner.setDisplayName("");
        response.setOwner(owner);

        if (buckets != null) {
            S3ListAllMyBucketsEntry[] entries = new S3ListAllMyBucketsEntry[buckets.size()];
            int i = 0;
            for (SBucket bucket : buckets) {
                String bucketName = bucket.getName();
                S3PolicyContext context = new S3PolicyContext(PolicyActions.ListAllMyBuckets, bucketName);
                verifyAccess(context, "SBucket", bucket.getId(), SAcl.PERMISSION_PASS);

                entries[i] = new S3ListAllMyBucketsEntry();
                entries[i].setName(bucketName);
                entries[i].setCreationDate(DateHelper.toCalendar(bucket.getCreateTime()));
                i++;
            }
            response.setBuckets(entries);
        }
        return response;
    }

    /**
     * Return an S3Response representing the result of PUTTING the ACL of a given bucket.
     * Called from S3BucketAction to PUT its ACL.
     */

    public S3Response handleRequest(S3SetBucketAccessControlPolicyRequest request) {
        S3Response response = new S3Response();
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null) {
            response.setResultCode(404);
            response.setResultDescription("Bucket does not exist");
            return response;
        }

        S3PolicyContext context = new S3PolicyContext(PolicyActions.PutBucketAcl, bucketName);
        verifyAccess(context, "SBucket", sbucket.getId(), SAcl.PERMISSION_WRITE_ACL);

        SAclDao aclDao = new SAclDao();
        aclDao.save("SBucket", sbucket.getId(), request.getAcl());

        response.setResultCode(200);
        response.setResultDescription("OK");
        return response;
    }

    /**
     * Return a S3AccessControlPolicy representing the ACL of a given bucket.
     * Called from S3BucketAction to GET its ACL.
     */

    public S3AccessControlPolicy handleRequest(S3GetBucketAccessControlPolicyRequest request) {
        S3AccessControlPolicy policy = new S3AccessControlPolicy();
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null)
            throw new NoSuchObjectException("Bucket " + bucketName + " does not exist");

        S3CanonicalUser owner = new S3CanonicalUser();
        owner.setID(sbucket.getOwnerCanonicalId());
        owner.setDisplayName("");
        policy.setOwner(owner);

        S3PolicyContext context = new S3PolicyContext(PolicyActions.GetBucketAcl, bucketName);
        verifyAccess(context, "SBucket", sbucket.getId(), SAcl.PERMISSION_READ_ACL);

        SAclDao aclDao = new SAclDao();
        List<SAcl> grants = aclDao.listGrants("SBucket", sbucket.getId());
        policy.setGrants(S3Grant.toGrants(grants));
        return policy;
    }

    /**
     * This method should be called if a multipart upload is aborted OR has completed successfully and
     * the individual parts have to be cleaned up.
     * Called from S3ObjectAction when executing at completion or when aborting multipart upload.
     * @param bucketName
     * @param uploadId
     * @param verifyPermission - If false then do not check the user's permission to clean up the state
     */
    public int freeUploadParts(String bucketName, int uploadId, boolean verifyPermission) {
        // -> we need to look up the final bucket to figure out which mount point to use to save the part in
        SBucketDao bucketDao = new SBucketDao();
        SBucket bucket = bucketDao.getByName(bucketName);
        if (bucket == null) {
            logger.error("initiateMultipartUpload failed since " + bucketName + " does not exist");
            return 404;
        }

        OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(bucket);
        S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());

        try {
            MultipartLoadDao uploadDao = new MultipartLoadDao();
            OrderedPair<String, String> exists = uploadDao.multipartExits(uploadId);
            if (null == exists) {
                logger.error(
                        "initiateMultipartUpload failed since multipart upload" + uploadId + " does not exist");
                return 404;
            }

            // -> the multipart initiator or bucket owner can do this action by default
            if (verifyPermission) {
                String initiator = uploadDao.getInitiator(uploadId);
                if (null == initiator || !initiator.equals(UserContext.current().getAccessKey())) {
                    // -> write permission on a bucket allows a PutObject / DeleteObject action on any object in the bucket
                    S3PolicyContext context = new S3PolicyContext(PolicyActions.AbortMultipartUpload, bucketName);
                    context.setKeyName(exists.getSecond());
                    verifyAccess(context, "SBucket", bucket.getId(), SAcl.PERMISSION_WRITE);
                }
            }

            // -> first get a list of all the uploaded files and delete one by one
            S3MultipartPart[] parts = uploadDao.getParts(uploadId, 10000, 0);
            for (int i = 0; i < parts.length; i++) {
                bucketAdapter.deleteObject(host_storagelocation_pair.getSecond(),
                        ServiceProvider.getInstance().getMultipartDir(), parts[i].getPath());
            }

            uploadDao.deleteUpload(uploadId);
            return 204;

        } catch (PermissionDeniedException e) {
            logger.error("freeUploadParts failed due to [" + e.getMessage() + "]", e);
            throw e;
        } catch (Exception e) {
            logger.error("freeUploadParts failed due to [" + e.getMessage() + "]", e);
            return 500;
        }
    }

    /**
     * The initiator must have permission to write to the bucket in question in order to initiate
     * a multipart upload.  Also check to make sure the special folder used to store parts of 
     * a multipart exists for this bucket.
     * Called from S3ObjectAction during many stages of multipart upload.
     */
    public S3PutObjectInlineResponse initiateMultipartUpload(S3PutObjectInlineRequest request) {
        S3PutObjectInlineResponse response = new S3PutObjectInlineResponse();
        String bucketName = request.getBucketName();
        String nameKey = request.getKey();

        // -> does the bucket exist and can we write to it?
        SBucketDao bucketDao = new SBucketDao();
        SBucket bucket = bucketDao.getByName(bucketName);
        if (bucket == null) {
            logger.error("initiateMultipartUpload failed since " + bucketName + " does not exist");
            response.setResultCode(404);
        }

        S3PolicyContext context = new S3PolicyContext(PolicyActions.PutObject, bucketName);
        context.setKeyName(nameKey);
        context.setEvalParam(ConditionKeys.Acl, request.getCannedAccess());
        verifyAccess(context, "SBucket", bucket.getId(), SAcl.PERMISSION_WRITE);

        createUploadFolder(bucketName);

        try {
            MultipartLoadDao uploadDao = new MultipartLoadDao();
            int uploadId = uploadDao.initiateUpload(UserContext.current().getAccessKey(), bucketName, nameKey,
                    request.getCannedAccess(), request.getMetaEntries());
            response.setUploadId(uploadId);
            response.setResultCode(200);

        } catch (Exception e) {
            logger.error("initiateMultipartUpload exception: ", e);
            response.setResultCode(500);
        }

        return response;
    }

    /**
     * Save the object fragment in a special (i.e., hidden) directory inside the same mount point as 
     * the bucket location that the final object will be stored in.
     * Called from S3ObjectAction during many stages of multipart upload.
     * @param request
     * @param uploadId
     * @param partNumber
     * @return S3PutObjectInlineResponse
     */
    public S3PutObjectInlineResponse saveUploadPart(S3PutObjectInlineRequest request, int uploadId,
            int partNumber) {
        S3PutObjectInlineResponse response = new S3PutObjectInlineResponse();
        String bucketName = request.getBucketName();

        // -> we need to look up the final bucket to figure out which mount point to use to save the part in
        SBucketDao bucketDao = new SBucketDao();
        SBucket bucket = bucketDao.getByName(bucketName);
        if (bucket == null) {
            logger.error("saveUploadedPart failed since " + bucketName + " does not exist");
            response.setResultCode(404);
        }
        S3PolicyContext context = new S3PolicyContext(PolicyActions.PutObject, bucketName);
        context.setKeyName(request.getKey());
        verifyAccess(context, "SBucket", bucket.getId(), SAcl.PERMISSION_WRITE);

        OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(bucket);
        S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());
        String itemFileName = new String(uploadId + "-" + partNumber);
        InputStream is = null;

        try {
            is = request.getDataInputStream();
            String md5Checksum = bucketAdapter.saveObject(is, host_storagelocation_pair.getSecond(),
                    ServiceProvider.getInstance().getMultipartDir(), itemFileName);
            response.setETag(md5Checksum);

            MultipartLoadDao uploadDao = new MultipartLoadDao();
            uploadDao.savePart(uploadId, partNumber, md5Checksum, itemFileName, (int) request.getContentLength());
            response.setResultCode(200);

        } catch (IOException e) {
            logger.error("UploadPart failed due to " + e.getMessage(), e);
            response.setResultCode(500);
        } catch (OutOfStorageException e) {
            logger.error("UploadPart failed due to " + e.getMessage(), e);
            response.setResultCode(500);
        } catch (Exception e) {
            logger.error("UploadPart failed due to " + e.getMessage(), e);
            response.setResultCode(500);
        } finally {
            if (is != null) {
                try {
                    is.close();
                } catch (IOException e) {
                    logger.error("UploadPart unable to close stream from data handler.", e);
                }
            }
        }

        return response;
    }

    /**
     * Create the real object represented by all the parts of the multipart upload.       
     * Called from S3ObjectAction at completion of multipart upload.
     * @param httpResp - Servlet response handle to return the headers of the response (including version header) 
     * @param request - Normal parameters needed to create a new object (including metadata)
     * @param parts - List of files that make up the multipart
     * @param outputStream - Response output stream
     * N.B. - This method can be long-lasting 
     * We are required to keep the connection alive by returning whitespace characters back periodically.
     */

    public S3PutObjectInlineResponse concatentateMultipartUploads(HttpServletResponse httpResp,
            S3PutObjectInlineRequest request, S3MultipartPart[] parts, OutputStream outputStream)
            throws IOException {
        // [A] Set up and initial error checking
        S3PutObjectInlineResponse response = new S3PutObjectInlineResponse();
        String bucketName = request.getBucketName();
        String key = request.getKey();
        S3MetaDataEntry[] meta = request.getMetaEntries();

        SBucketDao bucketDao = new SBucketDao();
        SBucket bucket = bucketDao.getByName(bucketName);
        if (bucket == null) {
            logger.error("completeMultipartUpload( failed since " + bucketName + " does not exist");
            response.setResultCode(404);
        }

        // [B] Now we need to create the final re-assembled object
        //  -> the allocObjectItem checks for the bucket policy PutObject permissions
        OrderedPair<SObject, SObjectItem> object_objectitem_pair = allocObjectItem(bucket, key, meta, null,
                request.getCannedAccess());
        OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(bucket);

        S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());
        String itemFileName = object_objectitem_pair.getSecond().getStoredPath();

        // -> Amazon defines that we must return a 200 response immediately to the client, but
        // -> we don't know the version header until we hit here
        httpResp.setStatus(200);
        httpResp.setContentType("text/xml; charset=UTF-8");
        String version = object_objectitem_pair.getSecond().getVersion();
        if (null != version)
            httpResp.addHeader("x-amz-version-id", version);
        httpResp.flushBuffer();

        // [C] Re-assemble the object from its uploaded file parts
        try {
            // explicit transaction control to avoid holding transaction during long file concatenation process
            PersistContext.commitTransaction();

            OrderedPair<String, Long> result = bucketAdapter.concatentateObjects(
                    host_storagelocation_pair.getSecond(), bucket.getName(), itemFileName,
                    ServiceProvider.getInstance().getMultipartDir(), parts, outputStream);
            response.setETag(result.getFirst());
            response.setLastModified(
                    DateHelper.toCalendar(object_objectitem_pair.getSecond().getLastModifiedTime()));

            SObjectItemDao itemDao = new SObjectItemDao();
            SObjectItem item = itemDao.get(object_objectitem_pair.getSecond().getId());
            item.setMd5(result.getFirst());
            item.setStoredSize(result.getSecond().longValue());
            response.setResultCode(200);

            PersistContext.getSession().save(item);
        } catch (Exception e) {
            logger.error("completeMultipartUpload failed due to " + e.getMessage(), e);
        }
        return response;
    }

    /**
     * Return a S3PutObjectInlineResponse which represents an object being created into a bucket      
     * Called from S3ObjectAction when PUTting or POTing an object.
     */

    public S3PutObjectInlineResponse handleRequest(S3PutObjectInlineRequest request) {
        S3PutObjectInlineResponse response = new S3PutObjectInlineResponse();
        String bucketName = request.getBucketName();
        String key = request.getKey();
        long contentLength = request.getContentLength();
        S3MetaDataEntry[] meta = request.getMetaEntries();
        S3AccessControlList acl = request.getAcl();

        SBucketDao bucketDao = new SBucketDao();
        SBucket bucket = bucketDao.getByName(bucketName);
        if (bucket == null)
            throw new NoSuchObjectException("Bucket " + bucketName + " does not exist");

        // Is the caller allowed to write the object?
        // The allocObjectItem checks for the bucket policy PutObject permissions
        OrderedPair<SObject, SObjectItem> object_objectitem_pair = allocObjectItem(bucket, key, meta, acl,
                request.getCannedAccess());
        OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(bucket);

        S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());
        String itemFileName = object_objectitem_pair.getSecond().getStoredPath();
        InputStream is = null;

        try {
            // explicit transaction control to avoid holding transaction during file-copy process
            PersistContext.commitTransaction();

            is = request.getDataInputStream();
            String md5Checksum = bucketAdapter.saveObject(is, host_storagelocation_pair.getSecond(),
                    bucket.getName(), itemFileName);
            response.setETag(md5Checksum);
            response.setLastModified(
                    DateHelper.toCalendar(object_objectitem_pair.getSecond().getLastModifiedTime()));
            response.setVersion(object_objectitem_pair.getSecond().getVersion());

            SObjectItemDao itemDao = new SObjectItemDao();
            SObjectItem item = itemDao.get(object_objectitem_pair.getSecond().getId());
            item.setMd5(md5Checksum);
            item.setStoredSize(contentLength);
            PersistContext.getSession().save(item);

        } catch (IOException e) {
            logger.error("PutObjectInline failed due to " + e.getMessage(), e);
        } catch (OutOfStorageException e) {
            logger.error("PutObjectInline failed due to " + e.getMessage(), e);
        } finally {
            if (is != null) {
                try {
                    is.close();
                } catch (IOException e) {
                    logger.error("PutObjectInline unable to close stream from data handler.", e);
                }
            }
        }

        return response;
    }

    /**
     * Return a S3PutObjectResponse which represents an object being created into a bucket      
     * Called from S3RestServlet when processing a DIME request.
     */

    public S3PutObjectResponse handleRequest(S3PutObjectRequest request) {
        S3PutObjectResponse response = new S3PutObjectResponse();
        String bucketName = request.getBucketName();
        String key = request.getKey();
        long contentLength = request.getContentLength();
        S3MetaDataEntry[] meta = request.getMetaEntries();
        S3AccessControlList acl = request.getAcl();

        SBucketDao bucketDao = new SBucketDao();
        SBucket bucket = bucketDao.getByName(bucketName);
        if (bucket == null)
            throw new NoSuchObjectException("Bucket " + bucketName + " does not exist");

        // Is the caller allowed to write the object?   
        // The allocObjectItem checks for the bucket policy PutObject permissions
        OrderedPair<SObject, SObjectItem> object_objectitem_pair = allocObjectItem(bucket, key, meta, acl, null);
        OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(bucket);

        S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());
        String itemFileName = object_objectitem_pair.getSecond().getStoredPath();
        InputStream is = null;
        try {
            // explicit transaction control to avoid holding transaction during file-copy process
            PersistContext.commitTransaction();

            is = request.getInputStream();
            String md5Checksum = bucketAdapter.saveObject(is, host_storagelocation_pair.getSecond(),
                    bucket.getName(), itemFileName);
            response.setETag(md5Checksum);
            response.setLastModified(
                    DateHelper.toCalendar(object_objectitem_pair.getSecond().getLastModifiedTime()));

            SObjectItemDao itemDao = new SObjectItemDao();
            SObjectItem item = itemDao.get(object_objectitem_pair.getSecond().getId());
            item.setMd5(md5Checksum);
            item.setStoredSize(contentLength);
            PersistContext.getSession().save(item);

        } catch (OutOfStorageException e) {
            logger.error("PutObject failed due to " + e.getMessage(), e);
        } finally {
            if (is != null) {
                try {
                    is.close();
                } catch (IOException e) {
                    logger.error("Unable to close stream from data handler.", e);
                }
            }
        }

        return response;
    }

    /**
     * The ACL of an object is set at the object version level. By default, PUT sets the ACL of the latest 
     * version of an object. To set the ACL of a different version, using the versionId subresource. 
     * Called from S3ObjectAction to PUT an object's ACL.
     */

    public S3Response handleRequest(S3SetObjectAccessControlPolicyRequest request) {
        S3PolicyContext context = null;

        // [A] First find the object in the bucket
        S3Response response = new S3Response();
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null) {
            response.setResultCode(404);
            response.setResultDescription("Bucket " + bucketName + "does not exist");
            return response;
        }

        SObjectDao sobjectDao = new SObjectDao();
        String nameKey = request.getKey();
        SObject sobject = sobjectDao.getByNameKey(sbucket, nameKey);
        if (sobject == null) {
            response.setResultCode(404);
            response.setResultDescription(
                    "Object " + request.getKey() + " in bucket " + bucketName + " does not exist");
            return response;
        }

        String deletionMark = sobject.getDeletionMark();
        if (null != deletionMark) {
            response.setResultCode(404);
            response.setResultDescription("Object " + request.getKey() + " has been deleted (1)");
            return response;
        }

        // [B] Versioning allow the client to ask for a specific version not just the latest
        SObjectItem item = null;
        int versioningStatus = sbucket.getVersioningStatus();
        String wantVersion = request.getVersion();
        if (SBucket.VERSIONING_ENABLED == versioningStatus && null != wantVersion)
            item = sobject.getVersion(wantVersion);
        else
            item = sobject.getLatestVersion((SBucket.VERSIONING_ENABLED != versioningStatus));

        if (item == null) {
            response.setResultCode(404);
            response.setResultDescription("Object " + request.getKey() + " has been deleted (2)");
            return response;
        }

        if (SBucket.VERSIONING_ENABLED == versioningStatus) {
            context = new S3PolicyContext(PolicyActions.PutObjectAclVersion, bucketName);
            context.setEvalParam(ConditionKeys.VersionId, wantVersion);
            response.setVersion(item.getVersion());
        } else
            context = new S3PolicyContext(PolicyActions.PutObjectAcl, bucketName);
        context.setKeyName(nameKey);
        verifyAccess(context, "SObjectItem", item.getId(), SAcl.PERMISSION_WRITE_ACL);

        // -> the acl always goes on the instance of the object
        SAclDao aclDao = new SAclDao();
        aclDao.save("SObjectItem", item.getId(), request.getAcl());

        response.setResultCode(200);
        response.setResultDescription("OK");
        return response;
    }

    /**
     * By default, GET returns ACL information about the latest version of an object. To return ACL 
     * information about a different version, use the versionId subresource
     * Called from S3ObjectAction to get an object's ACL.
     */

    public S3AccessControlPolicy handleRequest(S3GetObjectAccessControlPolicyRequest request) {
        S3PolicyContext context = null;

        // [A] Does the object exist that holds the ACL we are looking for?
        S3AccessControlPolicy policy = new S3AccessControlPolicy();
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null)
            throw new NoSuchObjectException("Bucket " + bucketName + " does not exist");

        SObjectDao sobjectDao = new SObjectDao();
        String nameKey = request.getKey();
        SObject sobject = sobjectDao.getByNameKey(sbucket, nameKey);
        if (sobject == null)
            throw new NoSuchObjectException("Object " + request.getKey() + " does not exist");

        String deletionMark = sobject.getDeletionMark();
        if (null != deletionMark) {
            policy.setResultCode(404);
            policy.setResultDescription("Object " + request.getKey() + " has been deleted (1)");
            return policy;
        }

        // [B] Versioning allow the client to ask for a specific version not just the latest
        SObjectItem item = null;
        int versioningStatus = sbucket.getVersioningStatus();
        String wantVersion = request.getVersion();
        if (SBucket.VERSIONING_ENABLED == versioningStatus && null != wantVersion)
            item = sobject.getVersion(wantVersion);
        else
            item = sobject.getLatestVersion((SBucket.VERSIONING_ENABLED != versioningStatus));

        if (item == null) {
            policy.setResultCode(404);
            policy.setResultDescription("Object " + request.getKey() + " has been deleted (2)");
            return policy;
        }

        if (SBucket.VERSIONING_ENABLED == versioningStatus) {
            context = new S3PolicyContext(PolicyActions.GetObjectVersionAcl, bucketName);
            context.setEvalParam(ConditionKeys.VersionId, wantVersion);
            policy.setVersion(item.getVersion());
        } else
            context = new S3PolicyContext(PolicyActions.GetObjectAcl, bucketName);
        context.setKeyName(nameKey);
        verifyAccess(context, "SObjectItem", item.getId(), SAcl.PERMISSION_READ_ACL);

        // [C] ACLs are ALWAYS on an instance of the object
        S3CanonicalUser owner = new S3CanonicalUser();
        owner.setID(sobject.getOwnerCanonicalId());
        owner.setDisplayName("");
        policy.setOwner(owner);
        policy.setResultCode(200);

        SAclDao aclDao = new SAclDao();
        List<SAcl> grants = aclDao.listGrants("SObjectItem", item.getId());
        policy.setGrants(S3Grant.toGrants(grants));
        return policy;
    }

    /**
     * Handle requests for GET object and HEAD "get object extended"
     * Called from S3ObjectAction for GET and HEAD of an object.
     */

    public S3GetObjectResponse handleRequest(S3GetObjectRequest request) {
        S3GetObjectResponse response = new S3GetObjectResponse();
        S3PolicyContext context = null;
        boolean ifRange = false;
        long bytesStart = request.getByteRangeStart();
        long bytesEnd = request.getByteRangeEnd();
        int resultCode = 200;

        // [A] Verify that the bucket and the object exist
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null) {
            response.setResultCode(404);
            response.setResultDescription("Bucket " + request.getBucketName() + " does not exist");
            return response;
        }

        SObjectDao objectDao = new SObjectDao();
        String nameKey = request.getKey();
        SObject sobject = objectDao.getByNameKey(sbucket, nameKey);
        if (sobject == null) {
            response.setResultCode(404);
            response.setResultDescription(
                    "Object " + request.getKey() + " does not exist in bucket " + request.getBucketName());
            return response;
        }

        String deletionMark = sobject.getDeletionMark();
        if (null != deletionMark) {
            response.setDeleteMarker(deletionMark);
            response.setResultCode(404);
            response.setResultDescription("Object " + request.getKey() + " has been deleted (1)");
            return response;
        }

        // [B] Versioning allow the client to ask for a specific version not just the latest
        SObjectItem item = null;
        int versioningStatus = sbucket.getVersioningStatus();
        String wantVersion = request.getVersion();
        if (SBucket.VERSIONING_ENABLED == versioningStatus && null != wantVersion)
            item = sobject.getVersion(wantVersion);
        else
            item = sobject.getLatestVersion((SBucket.VERSIONING_ENABLED != versioningStatus));

        if (item == null) {
            response.setResultCode(404);
            response.setResultDescription("Object " + request.getKey() + " has been deleted (2)");
            return response;
        }

        if (SBucket.VERSIONING_ENABLED == versioningStatus) {
            context = new S3PolicyContext(PolicyActions.GetObjectVersion, bucketName);
            context.setEvalParam(ConditionKeys.VersionId, wantVersion);
        } else
            context = new S3PolicyContext(PolicyActions.GetObject, bucketName);
        context.setKeyName(nameKey);
        verifyAccess(context, "SObjectItem", item.getId(), SAcl.PERMISSION_READ);

        // [C] Handle all the IFModifiedSince ... conditions, and access privileges
        // -> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.27 (HTTP If-Range header)
        if (request.isReturnCompleteObjectOnConditionFailure() && (0 <= bytesStart && 0 <= bytesEnd))
            ifRange = true;

        resultCode = conditionPassed(request.getConditions(), item.getLastModifiedTime(), item.getMd5(), ifRange);
        if (-1 == resultCode) {
            // -> If-Range implementation, we have to return the entire object
            resultCode = 200;
            bytesStart = -1;
            bytesEnd = -1;
        } else if (200 != resultCode) {
            response.setResultCode(resultCode);
            response.setResultDescription("Precondition Failed");
            return response;
        }

        // [D] Return the contents of the object inline   
        // -> extract the meta data that corresponds the specific versioned item 
        SMetaDao metaDao = new SMetaDao();
        List<SMeta> itemMetaData = metaDao.getByTarget("SObjectItem", item.getId());
        if (null != itemMetaData) {
            int i = 0;
            S3MetaDataEntry[] metaEntries = new S3MetaDataEntry[itemMetaData.size()];
            ListIterator<SMeta> it = itemMetaData.listIterator();
            while (it.hasNext()) {
                SMeta oneTag = (SMeta) it.next();
                S3MetaDataEntry oneEntry = new S3MetaDataEntry();
                oneEntry.setName(oneTag.getName());
                oneEntry.setValue(oneTag.getValue());
                metaEntries[i++] = oneEntry;
            }
            response.setMetaEntries(metaEntries);
        }

        //  -> support a single byte range
        if (0 <= bytesStart && 0 <= bytesEnd) {
            response.setContentLength(bytesEnd - bytesStart);
            resultCode = 206;
        } else
            response.setContentLength(item.getStoredSize());

        if (request.isReturnData()) {
            response.setETag(item.getMd5());
            response.setLastModified(DateHelper.toCalendar(item.getLastModifiedTime()));
            response.setVersion(item.getVersion());
            if (request.isInlineData()) {
                OrderedPair<SHost, String> tupleSHostInfo = getBucketStorageHost(sbucket);
                S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(tupleSHostInfo.getFirst());

                if (0 <= bytesStart && 0 <= bytesEnd)
                    response.setData(bucketAdapter.loadObjectRange(tupleSHostInfo.getSecond(),
                            request.getBucketName(), item.getStoredPath(), bytesStart, bytesEnd));
                else
                    response.setData(bucketAdapter.loadObject(tupleSHostInfo.getSecond(), request.getBucketName(),
                            item.getStoredPath()));
            }
        }

        response.setResultCode(resultCode);
        response.setResultDescription("OK");
        return response;
    }

    /**
     * Handle object deletion requests, both versioning and non-versioning requirements.
     * Called from S3ObjectAction for deletion.
     */
    public S3Response handleRequest(S3DeleteObjectRequest request) {
        // Verify that the bucket and object exist
        S3Response response = new S3Response();
        SBucketDao bucketDao = new SBucketDao();
        String bucketName = request.getBucketName();
        SBucket sbucket = bucketDao.getByName(bucketName);
        if (sbucket == null) {
            response.setResultCode(404);
            response.setResultDescription("<Code>Bucket dosen't exists</Code><Message>Bucket " + bucketName
                    + " does not exist</Message>");
            return response;
        }

        SObjectDao objectDao = new SObjectDao();
        String nameKey = request.getKey();
        SObject sobject = objectDao.getByNameKey(sbucket, nameKey);
        if (sobject == null) {
            response.setResultCode(404);
            response.setResultDescription("<Code>Not Found</Code><Message>No object with key " + nameKey
                    + " exists in bucket " + bucketName + "</Message>");
            return response;
        }

        // Discover whether versioning is enabled.  If so versioning requires the setting of a deletion marker.
        String storedPath = null;
        SObjectItem item = null;
        int versioningStatus = sbucket.getVersioningStatus();
        if (SBucket.VERSIONING_ENABLED == versioningStatus) {
            String wantVersion = request.getVersion();
            S3PolicyContext context = new S3PolicyContext(PolicyActions.DeleteObjectVersion, bucketName);
            context.setKeyName(nameKey);
            context.setEvalParam(ConditionKeys.VersionId, wantVersion);
            verifyAccess(context, "SBucket", sbucket.getId(), SAcl.PERMISSION_WRITE);

            if (null == wantVersion) {
                // If versioning is on and no versionId is given then we just write a deletion marker
                sobject.setDeletionMark(UUID.randomUUID().toString());
                objectDao.update(sobject);
                response.setResultDescription("<DeleteMarker>true</DeleteMarker><DeleteMarkerVersionId>"
                        + sobject.getDeletionMark() + "</DeleteMarkerVersionId>");
            } else {
                // Otherwise remove the deletion marker if this has been set
                String deletionMarker = sobject.getDeletionMark();
                if (null != deletionMarker && wantVersion.equalsIgnoreCase(deletionMarker)) {
                    sobject.setDeletionMark(null);
                    objectDao.update(sobject);
                    response.setResultDescription("<VersionId>" + wantVersion + "</VersionId>");
                    response.setResultDescription("<DeleteMarker>true</DeleteMarker><DeleteMarkerVersionId>"
                            + sobject.getDeletionMark() + "</DeleteMarkerVersionId>");
                    response.setResultCode(204);
                    return response;
                }

                // If versioning is on and the versionId is given (non-null) then delete the object matching that version
                if (null == (item = sobject.getVersion(wantVersion))) {
                    response.setResultCode(404);
                    return response;
                } else {
                    // Providing versionId is non-null, then just delete the one item that matches the versionId from the database
                    storedPath = item.getStoredPath();
                    sobject.deleteItem(item.getId());
                    objectDao.update(sobject);
                    response.setResultDescription("<VersionId>" + wantVersion + "</VersionId>");
                }
            }
        } else { // If versioning is off then we do delete the null object
            S3PolicyContext context = new S3PolicyContext(PolicyActions.DeleteObject, bucketName);
            context.setKeyName(nameKey);
            verifyAccess(context, "SBucket", sbucket.getId(), SAcl.PERMISSION_WRITE);

            if (null == (item = sobject.getLatestVersion(true))) {
                response.setResultCode(404);
                response.setResultDescription("<Code>AccessDenied</Code><Message>Access Denied</Message>");
                return response;
            } else {
                // If there is no item with a null version then we are done
                if (null == item.getVersion()) {
                    // Otherwiswe remove the entire object 
                    // Cascade-deleting can delete related SObject/SObjectItem objects, but not SAcl and SMeta objects.
                    storedPath = item.getStoredPath();
                    deleteMetaData(item.getId());
                    deleteObjectAcls("SObjectItem", item.getId());
                    objectDao.delete(sobject);
                }
            }
        }

        // Delete the file holding the object
        if (null != storedPath) {
            OrderedPair<SHost, String> host_storagelocation_pair = getBucketStorageHost(sbucket);
            S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(host_storagelocation_pair.getFirst());
            bucketAdapter.deleteObject(host_storagelocation_pair.getSecond(), bucketName, storedPath);
        }

        response.setResultCode(204);
        return response;
    }

    private void deleteMetaData(long itemId) {
        SMetaDao metaDao = new SMetaDao();
        List<SMeta> itemMetaData = metaDao.getByTarget("SObjectItem", itemId);
        if (null != itemMetaData) {
            ListIterator<SMeta> it = itemMetaData.listIterator();
            while (it.hasNext()) {
                SMeta oneTag = (SMeta) it.next();
                metaDao.delete(oneTag);
            }
        }
    }

    private void deleteObjectAcls(String target, long itemId) {
        SAclDao aclDao = new SAclDao();
        List<SAcl> itemAclData = aclDao.listGrants(target, itemId);
        if (null != itemAclData) {
            ListIterator<SAcl> it = itemAclData.listIterator();
            while (it.hasNext()) {
                SAcl oneTag = (SAcl) it.next();
                aclDao.delete(oneTag);
            }
        }
    }

    private void deleteBucketAcls(long bucketId) {
        SAclDao aclDao = new SAclDao();
        List<SAcl> bucketAclData = aclDao.listGrants("SBucket", bucketId);
        if (null != bucketAclData) {
            ListIterator<SAcl> it = bucketAclData.listIterator();
            while (it.hasNext()) {
                SAcl oneTag = (SAcl) it.next();
                aclDao.delete(oneTag);
            }
        }
    }

    private S3ListBucketPrefixEntry[] composeListBucketPrefixEntries(List<SObject> l, String prefix,
            String delimiter, int maxKeys) {
        List<S3ListBucketPrefixEntry> entries = new ArrayList<S3ListBucketPrefixEntry>();
        int count = 0;

        for (SObject sobject : l) {
            if (delimiter != null && !delimiter.isEmpty()) {
                String subName = StringHelper.substringInBetween(sobject.getNameKey(), prefix, delimiter);
                if (subName != null) {
                    S3ListBucketPrefixEntry entry = new S3ListBucketPrefixEntry();
                    if (prefix != null && prefix.length() > 0)
                        entry.setPrefix(prefix + delimiter + subName);
                    else
                        entry.setPrefix(subName);
                }
            }
            count++;
            if (count >= maxKeys)
                break;
        }

        if (entries.size() > 0)
            return entries.toArray(new S3ListBucketPrefixEntry[0]);
        return null;
    }

    /**
     * The 'versionIdMarker' parameter only makes sense if enableVersion is true.   
     * versionIdMarker is the starting point to return information back.  So for example if an
     * object has versions 1,2,3,4,5 and the versionIdMarker is '3', then 3,4,5 will be returned
     * by this function.   If the versionIdMarker is null then all versions are returned.
     * 
     * TODO - how does the versionIdMarker work when there is a deletion marker in the object?
     */
    private S3ListBucketObjectEntry[] composeListBucketContentEntries(List<SObject> l, String prefix,
            String delimiter, int maxKeys, boolean enableVersion, String versionIdMarker) {
        List<S3ListBucketObjectEntry> entries = new ArrayList<S3ListBucketObjectEntry>();
        SObjectItem latest = null;
        boolean hitIdMarker = false;
        int count = 0;

        for (SObject sobject : l) {
            if (delimiter != null && !delimiter.isEmpty()) {
                if (StringHelper.substringInBetween(sobject.getNameKey(), prefix, delimiter) != null)
                    continue;
            }

            if (enableVersion) {
                hitIdMarker = (null == versionIdMarker ? true : false);

                // This supports GET REST calls with /?versions
                String deletionMarker = sobject.getDeletionMark();
                if (null != deletionMarker) {
                    // TODO we should also save the timestamp when something is deleted
                    S3ListBucketObjectEntry entry = new S3ListBucketObjectEntry();
                    entry.setKey(sobject.getNameKey());
                    entry.setVersion(deletionMarker);
                    entry.setIsLatest(true);
                    entry.setIsDeletionMarker(true);
                    entry.setLastModified(Calendar.getInstance(TimeZone.getTimeZone("GMT")));
                    entry.setOwnerCanonicalId(sobject.getOwnerCanonicalId());
                    entry.setOwnerDisplayName("");
                    entries.add(entry);
                    latest = null;
                } else
                    latest = sobject.getLatestVersion(false);

                Iterator<SObjectItem> it = sobject.getItems().iterator();
                while (it.hasNext()) {
                    SObjectItem item = (SObjectItem) it.next();

                    if (!hitIdMarker) {
                        if (item.getVersion().equalsIgnoreCase(versionIdMarker)) {
                            hitIdMarker = true;
                            entries.add(toListEntry(sobject, item, latest));
                        }
                    } else
                        entries.add(toListEntry(sobject, item, latest));
                }
            } else { // -> if there are multiple versions of an object then just return its last version
                Iterator<SObjectItem> it = sobject.getItems().iterator();
                SObjectItem lastestItem = null;
                int maxVersion = 0;
                int version = 0;
                while (it.hasNext()) {
                    SObjectItem item = (SObjectItem) it.next();
                    String versionStr = item.getVersion();

                    if (null != versionStr)
                        version = Integer.parseInt(item.getVersion());
                    else
                        lastestItem = item;

                    // -> if the bucket has versions turned on
                    if (version > maxVersion) {
                        maxVersion = version;
                        lastestItem = item;
                    }
                }
                if (lastestItem != null) {
                    entries.add(toListEntry(sobject, lastestItem, null));
                }
            }

            count++;
            if (count >= maxKeys)
                break;
        }

        if (entries.size() > 0)
            return entries.toArray(new S3ListBucketObjectEntry[0]);
        else
            return null;
    }

    private static S3ListBucketObjectEntry toListEntry(SObject sobject, SObjectItem item, SObjectItem latest) {
        S3ListBucketObjectEntry entry = new S3ListBucketObjectEntry();
        entry.setKey(sobject.getNameKey());
        entry.setVersion(item.getVersion());
        entry.setETag("\"" + item.getMd5() + "\"");
        entry.setSize(item.getStoredSize());
        entry.setStorageClass("STANDARD");
        entry.setLastModified(DateHelper.toCalendar(item.getLastModifiedTime()));
        entry.setOwnerCanonicalId(sobject.getOwnerCanonicalId());
        entry.setOwnerDisplayName("");

        if (null != latest && item == latest)
            entry.setIsLatest(true);
        return entry;
    }

    private OrderedPair<SHost, String> getBucketStorageHost(SBucket bucket) {
        MHostMountDao mountDao = new MHostMountDao();

        SHost shost = bucket.getShost();
        if (shost.getHostType() == SHost.STORAGE_HOST_TYPE_LOCAL) {
            return new OrderedPair<SHost, String>(shost, shost.getExportRoot());
        }

        MHostMount mount = mountDao.getHostMount(ServiceProvider.getInstance().getManagementHostId(),
                shost.getId());
        if (mount != null) {
            return new OrderedPair<SHost, String>(shost, mount.getMountPath());
        }

        // need to redirect request to other node
        throw new HostNotMountedException("Storage host " + shost.getHost() + " is not locally mounted");
    }

    /**
     * Locate the folder to hold upload parts at the same mount point as the upload's final bucket
     * location.   Create the upload folder dynamically.
     * 
     * @param bucketName
     */
    private void createUploadFolder(String bucketName) {
        if (PersistContext.acquireNamedLock("bucket.creation", LOCK_ACQUIRING_TIMEOUT_SECONDS)) {
            try {
                allocBucketStorageHost(bucketName, ServiceProvider.getInstance().getMultipartDir());
            } finally {
                PersistContext.releaseNamedLock("bucket.creation");
            }
        }
    }

    /**
     * The overrideName is used to create a hidden storage bucket (folder) in the same location
     * as the given bucketName.   This can be used to create a folder for parts of a multipart
     * upload for the associated bucket.
     * 
     * @param bucketName
     * @param overrideName
     * @return
     */
    private OrderedPair<SHost, String> allocBucketStorageHost(String bucketName, String overrideName) {
        MHostDao mhostDao = new MHostDao();
        SHostDao shostDao = new SHostDao();

        MHost mhost = mhostDao.get(ServiceProvider.getInstance().getManagementHostId());
        if (mhost == null)
            throw new OutOfServiceException("Temporarily out of service");

        if (mhost.getMounts().size() > 0) {
            Random random = new Random();
            MHostMount[] mounts = (MHostMount[]) mhost.getMounts().toArray();
            MHostMount mount = mounts[random.nextInt(mounts.length)];
            S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(mount.getShost());
            bucketAdapter.createContainer(mount.getMountPath(), (null != overrideName ? overrideName : bucketName));
            return new OrderedPair<SHost, String>(mount.getShost(), mount.getMountPath());
        }

        // To make things simple, only allow one local mounted storage root TODO - Change in the future
        String localStorageRoot = ServiceProvider.getInstance().getStartupProperties().getProperty("storage.root");
        if (localStorageRoot != null) {
            SHost localSHost = shostDao.getLocalStorageHost(mhost.getId(), localStorageRoot);
            if (localSHost == null)
                throw new InternalErrorException("storage.root is configured but not initialized");

            S3BucketAdapter bucketAdapter = getStorageHostBucketAdapter(localSHost);
            bucketAdapter.createContainer(localSHost.getExportRoot(),
                    (null != overrideName ? overrideName : bucketName));
            return new OrderedPair<SHost, String>(localSHost, localStorageRoot);
        }

        throw new OutOfStorageException("No storage host is available");
    }

    public S3BucketAdapter getStorageHostBucketAdapter(SHost shost) {
        S3BucketAdapter adapter = bucketAdapters.get(shost.getHostType());
        if (adapter == null)
            throw new InternalErrorException(
                    "Bucket adapter is not installed for host type: " + shost.getHostType());

        return adapter;
    }

    /**
     * If acl is set then the cannedAccessPolicy parameter should be null and is ignored.   
     * The cannedAccessPolicy parameter is for REST Put requests only where a simple set of ACLs can be
     * created with a single header value.  Note that we do not currently support "anonymous" un-authenticated 
     * access in our implementation.
     * 
     * @throws IOException 
     */
    @SuppressWarnings("deprecation")
    public OrderedPair<SObject, SObjectItem> allocObjectItem(SBucket bucket, String nameKey, S3MetaDataEntry[] meta,
            S3AccessControlList acl, String cannedAccessPolicy) {
        SObjectDao objectDao = new SObjectDao();
        SObjectItemDao objectItemDao = new SObjectItemDao();
        SMetaDao metaDao = new SMetaDao();
        SAclDao aclDao = new SAclDao();
        SObjectItem item = null;
        int versionSeq = 1;
        int versioningStatus = bucket.getVersioningStatus();

        Session session = PersistContext.getSession();

        // [A] To write into a bucket the user must have write permission to that bucket
        S3PolicyContext context = new S3PolicyContext(PolicyActions.PutObject, bucket.getName());
        context.setKeyName(nameKey);
        context.setEvalParam(ConditionKeys.Acl, cannedAccessPolicy);

        verifyAccess(context, "SBucket", bucket.getId(), SAcl.PERMISSION_WRITE); // TODO - check this validates plain POSTs

        // [B] If versioning is off them we over write a null object item
        SObject object = objectDao.getByNameKey(bucket, nameKey);
        if (object != null) {
            // -> if versioning is on create new object items
            if (SBucket.VERSIONING_ENABLED == versioningStatus) {
                session.lock(object, LockMode.UPGRADE);
                versionSeq = object.getNextSequence();
                object.setNextSequence(versionSeq + 1);
                session.save(object);

                item = new SObjectItem();
                item.setTheObject(object);
                object.getItems().add(item);
                item.setVersion(String.valueOf(versionSeq));
                Date ts = DateHelper.currentGMTTime();
                item.setCreateTime(ts);
                item.setLastAccessTime(ts);
                item.setLastModifiedTime(ts);
                session.save(item);
            } else { // -> find an object item with a null version, can be null
                     //    if bucket started out with versioning enabled and was then suspended
                item = objectItemDao.getByObjectIdNullVersion(object.getId());
                if (item == null) {
                    item = new SObjectItem();
                    item.setTheObject(object);
                    object.getItems().add(item);
                    Date ts = DateHelper.currentGMTTime();
                    item.setCreateTime(ts);
                    item.setLastAccessTime(ts);
                    item.setLastModifiedTime(ts);
                    session.save(item);
                }
            }
        } else { // -> there is no object nor an object item
            object = new SObject();
            object.setBucket(bucket);
            object.setNameKey(nameKey);
            object.setNextSequence(2);
            object.setCreateTime(DateHelper.currentGMTTime());
            object.setOwnerCanonicalId(UserContext.current().getCanonicalUserId());
            session.save(object);

            item = new SObjectItem();
            item.setTheObject(object);
            object.getItems().add(item);
            if (SBucket.VERSIONING_ENABLED == versioningStatus)
                item.setVersion(String.valueOf(versionSeq));
            Date ts = DateHelper.currentGMTTime();
            item.setCreateTime(ts);
            item.setLastAccessTime(ts);
            item.setLastModifiedTime(ts);
            session.save(item);
        }

        // [C] We will use the item DB id as the file name, MD5/contentLength will be stored later
        String suffix = null;
        int dotPos = nameKey.lastIndexOf('.');
        if (dotPos >= 0)
            suffix = nameKey.substring(dotPos);
        if (suffix != null)
            item.setStoredPath(String.valueOf(item.getId()) + suffix);
        else
            item.setStoredPath(String.valueOf(item.getId()));

        metaDao.save("SObjectItem", item.getId(), meta);

        // [D] Are we setting an ACL along with the object
        //  -> the ACL is ALWAYS set on a particular instance of the object (i.e., a version)
        if (null != cannedAccessPolicy) {
            setCannedAccessControls(cannedAccessPolicy, "SObjectItem", item.getId(), bucket);
        } else if (null == acl || 0 == acl.size()) {
            // -> this is termed the "private" or default ACL, "Owner gets FULL_CONTROL"
            setSingleAcl("SObjectItem", item.getId(), SAcl.PERMISSION_FULL);
        } else if (null != acl) {
            aclDao.save("SObjectItem", item.getId(), acl);
        }

        session.update(item);
        return new OrderedPair<SObject, SObjectItem>(object, item);
    }

    /**
     * Access controls that are specified via the "x-amz-acl:" headers in REST requests.
     * Note that canned policies can be set when the object's contents are set
     */
    public void setCannedAccessControls(String cannedAccessPolicy, String target, long objectId, SBucket bucket) {
        // Find the permission and symbol for the principal corresponding to the requested cannedAccessPolicy   
        Triple<Integer, Integer, String> permission_permission_symbol_triple = SAcl
                .getCannedAccessControls(cannedAccessPolicy, target, bucket.getOwnerCanonicalId());
        if (null == permission_permission_symbol_triple.getThird())
            setSingleAcl(target, objectId, permission_permission_symbol_triple.getFirst());
        else {
            setDefaultAcls(target, objectId, permission_permission_symbol_triple.getFirst(), // permission according to ownership of object
                    permission_permission_symbol_triple.getSecond(), // permission according to ownership of bucket
                    permission_permission_symbol_triple.getThird()); // "symbol" to indicate principal or otherwise name of owner

        }
    }

    private void setSingleAcl(String target, long targetId, int permission) {
        SAclDao aclDao = new SAclDao();
        S3AccessControlList defaultAcl = new S3AccessControlList();

        // -> if an annoymous request, then do not rewrite the ACL
        String userId = UserContext.current().getCanonicalUserId();
        if (0 < userId.length()) {
            S3Grant defaultGrant = new S3Grant();
            defaultGrant.setGrantee(SAcl.GRANTEE_USER);
            defaultGrant.setCanonicalUserID(userId);
            defaultGrant.setPermission(permission);
            defaultAcl.addGrant(defaultGrant);
            aclDao.save(target, targetId, defaultAcl);
        }
    }

    /**
     * The Cloud Stack API Access key is used for for the Canonical User Id everywhere (buckets and objects).   
     * 
     * @param owner - this can be the Cloud Access Key for a bucket owner or one of the
     *                following special symbols:
     *                (a) '*' - any principal authenticated user (i.e., any user with a registered Cloud Access Key)
     *                (b) 'A' - any anonymous principal (i.e., S3 request without an Authorization header)
     */
    private void setDefaultAcls(String target, long objectId, int permission1, int permission2, String owner) {
        SAclDao aclDao = new SAclDao();
        S3AccessControlList defaultAcl = new S3AccessControlList();

        // -> object owner
        S3Grant defaultGrant = new S3Grant();
        defaultGrant.setGrantee(SAcl.GRANTEE_USER);
        defaultGrant.setCanonicalUserID(UserContext.current().getCanonicalUserId());
        defaultGrant.setPermission(permission1);
        defaultAcl.addGrant(defaultGrant);

        // -> bucket owner 
        defaultGrant = new S3Grant();
        defaultGrant.setGrantee(SAcl.GRANTEE_USER);
        defaultGrant.setCanonicalUserID(owner);
        defaultGrant.setPermission(permission2);
        defaultAcl.addGrant(defaultGrant);
        aclDao.save(target, objectId, defaultAcl);
    }

    public static PolicyAccess verifyPolicy(S3PolicyContext context) {
        S3BucketPolicy policy = null;

        // Ordinarily a REST request will pass in an S3PolicyContext for a given bucket by this stage.  The HttpServletRequest object
        // should be held in the UserContext ready for extraction of the S3BucketPolicy.
        // If there is an error in obtaining the request object or in loading the policy then log the failure and return a S3PolicyContext
        // which indicates DEFAULT_DENY.  Where there is no failure, the policy returned should be specific to the Canonical User ID of the requester.

        try {
            // -> in SOAP the HttpServletRequest object is hidden and not passed around
            if (null != context) {
                context.setHttp(UserContext.current().getHttp());
                policy = loadPolicy(context);
            }

            if (null != policy)
                return policy.eval(context, UserContext.current().getCanonicalUserId());
            else
                return PolicyAccess.DEFAULT_DENY;
        } catch (Exception e) {
            logger.error("verifyAccess - loadPolicy failed, bucket: " + context.getBucketName() + " policy ignored",
                    e);
            return PolicyAccess.DEFAULT_DENY;
        }
    }

    /**
     * To determine access to a bucket or an object in a bucket evaluate first a define
     * bucket policy and then any defined ACLs.
     * 
     * @param context - all data needed for bucket policies
     * @param target - used for ACL evaluation, object identifier
     * @param targetId - used for ACL evaluation
     * @param requestedPermission - ACL type access requested
     * 
     * @throws ParseException, SQLException, ClassNotFoundException, IllegalAccessException, InstantiationException 
     */
    public static void verifyAccess(S3PolicyContext context, String target, long targetId,
            int requestedPermission) {
        switch (verifyPolicy(context)) {
        case ALLOW: // overrides ACLs (?)
            return;

        case DENY:
            throw new PermissionDeniedException("Access Denied - bucket policy DENY result");

        case DEFAULT_DENY:
        default:
            accessAllowed(target, targetId, requestedPermission);
            break;
        }
    }

    /**
     * This method verifies that the accessing client has the requested
     * permission on the object/bucket/Acl represented by the tuple: <target, targetId>
     * 
     * For cases where an ACL is meant for any authenticated user we place a "*" for the
     * Canonical User Id.  N.B. - "*" is not a legal Cloud (Bridge) Access key.   
     * 
     * For cases where an ACL is meant for any anonymous user (or 'AllUsers') we place a "A" for the 
     * Canonical User Id.  N.B. - "A" is not a legal Cloud (Bridge) Access key. 
     */
    public static void accessAllowed(String target, long targetId, int requestedPermission) {
        if (SAcl.PERMISSION_PASS == requestedPermission)
            return;

        SAclDao aclDao = new SAclDao();

        // If an annoymous request, then canonicalUserId is an empty string
        String userId = UserContext.current().getCanonicalUserId();
        if (0 == userId.length()) {
            // Is an anonymous principal ACL set for this <target, targetId>?
            if (hasPermission(aclDao.listGrants(target, targetId, "A"), requestedPermission))
                return;
        } else {
            if (hasPermission(aclDao.listGrants(target, targetId, userId), requestedPermission))
                return;
            // Or alternatively is there is any principal authenticated ACL set for this <target, targetId>?
            if (hasPermission(aclDao.listGrants(target, targetId, "*"), requestedPermission))
                return;
        }
        // No privileges implies that no access is allowed   in the case of an anonymous user
        throw new PermissionDeniedException("Access Denied - ACLs do not give user the required permission");
    }

    /**
     * This method assumes that the bucket has been tested to make sure it exists before
     * it is called.
     * 
     * @param context 
     * @return S3BucketPolicy
     * @throws SQLException, ClassNotFoundException, IllegalAccessException, InstantiationException, ParseException 
     */
    public static S3BucketPolicy loadPolicy(S3PolicyContext context) throws InstantiationException,
            IllegalAccessException, ClassNotFoundException, SQLException, ParseException {
        OrderedPair<S3BucketPolicy, Integer> result = ServiceProvider.getInstance()
                .getBucketPolicy(context.getBucketName());
        S3BucketPolicy policy = result.getFirst();
        if (null == policy) {
            // -> do we have to load it from the database (any other value means there is no policy)?
            if (-1 == result.getSecond().intValue()) {
                BucketPolicyDao policyDao = new BucketPolicyDao();
                String policyInJson = policyDao.getPolicy(context.getBucketName());
                // -> place in cache that no policy exists in the database
                if (null == policyInJson) {
                    ServiceProvider.getInstance().setBucketPolicy(context.getBucketName(), null);
                    return null;
                }

                PolicyParser parser = new PolicyParser();
                policy = parser.parse(policyInJson, context.getBucketName());
                if (null != policy)
                    ServiceProvider.getInstance().setBucketPolicy(context.getBucketName(), policy);
            }
        }
        return policy;
    }

    public static void verifyBucketName(String bucketName, boolean useDNSGuidelines) throws InvalidBucketName {
        // [A] To comply with Amazon S3 basic requirements, bucket names must meet the following conditions
        // -> must be between 3 and 255 characters long
        int size = bucketName.length();
        if (3 > size || size > 255)
            throw new InvalidBucketName(bucketName + " is not between 3 and 255 characters long");

        // -> must start with a number or letter
        if (!Character.isLetterOrDigit(bucketName.charAt(0)))
            throw new InvalidBucketName(bucketName + " does not start with a number or letter");

        // -> can contain lowercase letters, numbers, periods (.), underscores (_), and dashes (-)
        // -> the bucket name can also contain uppercase letters but it is not recommended
        for (int i = 0; i < bucketName.length(); i++) {
            char next = bucketName.charAt(i);
            if (Character.isLetter(next))
                continue;
            else if (Character.isDigit(next))
                continue;
            else if ('.' == next)
                continue;
            else if ('_' == next)
                continue;
            else if ('-' == next)
                continue;
            else
                throw new InvalidBucketName(bucketName + " contains the invalid character: " + next);
        }

        // -> must not be formatted as an IP address (e.g., 192.168.5.4)
        String[] parts = bucketName.split("\\.");
        if (4 == parts.length) {
            try {
                int first = Integer.parseInt(parts[0]);
                int second = Integer.parseInt(parts[1]);
                int third = Integer.parseInt(parts[2]);
                int fourth = Integer.parseInt(parts[3]);
                throw new InvalidBucketName(bucketName + " is formatted as an IP address");
            } catch (NumberFormatException e) {
                throw new InvalidBucketName(bucketName);
            }
        }

        // [B] To conform with DNS requirements, Amazon recommends following these additional guidelines when creating buckets
        // -> bucket names should be between 3 and 63 characters long
        if (useDNSGuidelines) {
            // -> bucket names should be between 3 and 63 characters long
            if (3 > size || size > 63)
                throw new InvalidBucketName(
                        "DNS requiremens, bucket name: " + bucketName + " is not between 3 and 63 characters long");

            // -> bucket names should not contain underscores (_)
            int pos = bucketName.indexOf('_');
            if (-1 != pos)
                throw new InvalidBucketName(
                        "DNS requiremens, bucket name: " + bucketName + " should not contain underscores");

            // -> bucket names should not end with a dash
            if (bucketName.endsWith("-"))
                throw new InvalidBucketName(
                        "DNS requiremens, bucket name: " + bucketName + " should not end with a dash");

            // -> bucket names cannot contain two, adjacent periods
            pos = bucketName.indexOf("..");
            if (-1 != pos)
                throw new InvalidBucketName(
                        "DNS requiremens, bucket name: " + bucketName + " should not contain \"..\"");

            // -> bucket names cannot contain dashes next to periods (e.g., "my-.bucket.com" and "my.-bucket" are invalid)
            if (-1 != bucketName.indexOf("-.") || -1 != bucketName.indexOf(".-"))
                throw new InvalidBucketName(
                        "DNS requiremens, bucket name: " + bucketName + " should not contain \".-\" or \"-.\"");
        }
    }

    private static boolean hasPermission(List<SAcl> privileges, int requestedPermission) {
        ListIterator<SAcl> it = privileges.listIterator();
        while (it.hasNext()) {
            // True providing the requested permission is contained in one or the granted rights for this user.  False otherwise.
            SAcl rights = (SAcl) it.next();
            int permission = rights.getPermission();
            if (requestedPermission == (permission & requestedPermission))
                return true;
        }
        return false;
    }

    /**
     * ifRange is true and ifUnmodifiedSince or IfMatch fails then we return the entire object (indicated by
     * returning a -1 as the function result.
     * 
     * @param ifCond - conditional get defined by these tests
     * @param lastModified - value used on ifModifiedSince or ifUnmodifiedSince
     * @param ETag - value used on ifMatch and ifNoneMatch
     * @param ifRange - using an if-Range HTTP functionality 
     * @return -1 means return the entire object with an HTTP 200 (not a subrange)
     */
    private int conditionPassed(S3ConditionalHeaders ifCond, Date lastModified, String ETag, boolean ifRange) {
        if (null == ifCond)
            return 200;

        if (0 > ifCond.ifModifiedSince(lastModified))
            return 304;

        if (0 > ifCond.ifUnmodifiedSince(lastModified))
            return (ifRange ? -1 : 412);

        if (0 > ifCond.ifMatchEtag(ETag))
            return (ifRange ? -1 : 412);

        if (0 > ifCond.ifNoneMatchEtag(ETag))
            return 412;

        return 200;
    }
}