[#462] Implement PATCH for regular objects

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>

api/errors/errors.go

@@ -187,6 +187,9 @@ const (
 	ErrInvalidRequestLargeCopy
 	ErrInvalidStorageClass
 	VersionIDMarkerWithoutKeyMarker
+	ErrInvalidRangeLength
+	ErrRangeOutOfBounds
+	ErrMissingContentRange
 
 	ErrMalformedJSON
 	ErrInsecureClientRequest
@@ -1739,6 +1742,24 @@ var errorCodes = errorCodeMap{
 		Description:    "Part number must be an integer between 1 and 10000, inclusive",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrInvalidRangeLength: {
+		ErrCode:        ErrInvalidRangeLength,
+		Code:           "InvalidRange",
+		Description:    "Provided range length must be equal to content length",
+		HTTPStatusCode: http.StatusRequestedRangeNotSatisfiable,
+	},
+	ErrRangeOutOfBounds: {
+		ErrCode:        ErrRangeOutOfBounds,
+		Code:           "InvalidRange",
+		Description:    "Provided range is outside of object bounds",
+		HTTPStatusCode: http.StatusRequestedRangeNotSatisfiable,
+	},
+	ErrMissingContentRange: {
+		ErrCode:        ErrMissingContentRange,
+		Code:           "MissingContentRange",
+		Description:    "Content-Range header is mandatory for this type of request",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	// Add your error structure here.
 }
 

api/handler/get_test.go

@@ -228,6 +228,14 @@ func getObjectRange(t *testing.T, tc *handlerContext, bktName, objName string, s
 	return content
 }
 
+func getObjectVersion(tc *handlerContext, bktName, objName, version string) []byte {
+	w := getObjectBaseResponse(tc, bktName, objName, version)
+	assertStatus(tc.t, w, http.StatusOK)
+	content, err := io.ReadAll(w.Result().Body)
+	require.NoError(tc.t, err)
+	return content
+}
+
 func getObjectAssertS3Error(hc *handlerContext, bktName, objName, version string, code errors.ErrorCode) {
 	w := getObjectBaseResponse(hc, bktName, objName, version)
 	assertS3Error(hc.t, w, errors.GetAPIError(code))

api/handler/patch.go

@@ -0,0 +1,186 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
+	"go.uber.org/zap"
+)
+
+const maxPatchSize = 5 * 1024 * 1024 * 1024 // 5GB
+
+func (h *handler) PatchObjectHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	reqInfo := middleware.GetReqInfo(ctx)
+
+	if _, ok := r.Header[api.ContentRange]; !ok {
+		h.logAndSendError(w, "missing Content-Range", reqInfo, errors.GetAPIError(errors.ErrMissingContentRange))
+		return
+	}
+
+	if _, ok := r.Header[api.ContentLength]; !ok {
+		h.logAndSendError(w, "missing Content-Length", reqInfo, errors.GetAPIError(errors.ErrMissingContentLength))
+		return
+	}
+
+	conditional, err := parsePatchConditionalHeaders(r.Header)
+	if err != nil {
+		h.logAndSendError(w, "could not parse conditional headers", reqInfo, err)
+		return
+	}
+
+	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
+	if err != nil {
+		h.logAndSendError(w, "could not get bucket info", reqInfo, err)
+		return
+	}
+
+	settings, err := h.obj.GetBucketSettings(ctx, bktInfo)
+	if err != nil {
+		h.logAndSendError(w, "could not get bucket settings", reqInfo, err)
+		return
+	}
+
+	srcObjPrm := &layer.HeadObjectParams{
+		Object:    reqInfo.ObjectName,
+		BktInfo:   bktInfo,
+		VersionID: reqInfo.URL.Query().Get(api.QueryVersionID),
+	}
+
+	extendedSrcObjInfo, err := h.obj.GetExtendedObjectInfo(ctx, srcObjPrm)
+	if err != nil {
+		h.logAndSendError(w, "could not find object", reqInfo, err)
+		return
+	}
+	srcObjInfo := extendedSrcObjInfo.ObjectInfo
+
+	if err = checkPreconditions(srcObjInfo, conditional, h.cfg.MD5Enabled()); err != nil {
+		h.logAndSendError(w, "precondition failed", reqInfo, err)
+		return
+	}
+
+	srcSize, err := layer.GetObjectSize(srcObjInfo)
+	if err != nil {
+		h.logAndSendError(w, "failed to get source object size", reqInfo, err)
+		return
+	}
+
+	byteRange, err := parsePatchByteRange(r.Header.Get(api.ContentRange), srcSize)
+	if err != nil {
+		h.logAndSendError(w, "could not parse byte range", reqInfo, errors.GetAPIError(errors.ErrInvalidRange), zap.Error(err))
+		return
+	}
+
+	if maxPatchSize < byteRange.End-byteRange.Start+1 {
+		h.logAndSendError(w, "byte range length is longer than allowed", reqInfo, errors.GetAPIError(errors.ErrInvalidRange), zap.Error(err))
+		return
+	}
+
+	if uint64(r.ContentLength) != (byteRange.End - byteRange.Start + 1) {
+		h.logAndSendError(w, "content-length must be equal to byte range length", reqInfo, errors.GetAPIError(errors.ErrInvalidRangeLength))
+		return
+	}
+
+	if byteRange.Start > srcSize {
+		h.logAndSendError(w, "start byte is greater than object size", reqInfo, errors.GetAPIError(errors.ErrRangeOutOfBounds))
+		return
+	}
+
+	params := &layer.PatchObjectParams{
+		Object:            srcObjInfo,
+		BktInfo:           bktInfo,
+		NewBytes:          r.Body,
+		Range:             byteRange,
+		VersioningEnabled: settings.VersioningEnabled(),
+	}
+
+	extendedObjInfo, err := h.obj.PatchObject(ctx, params)
+	if err != nil {
+		if isErrObjectLocked(err) {
+			h.logAndSendError(w, "object is locked", reqInfo, errors.GetAPIError(errors.ErrAccessDenied))
+		} else {
+			h.logAndSendError(w, "could not patch object", reqInfo, err)
+		}
+		return
+	}
+
+	w.Header().Set(api.AmzVersionID, extendedObjInfo.ObjectInfo.VersionID())
+	w.Header().Set(api.ETag, data.Quote(extendedObjInfo.ObjectInfo.ETag(h.cfg.MD5Enabled())))
+
+	resp := PatchObjectResult{
+		Object: PatchObject{
+			LastModified: extendedObjInfo.ObjectInfo.Created.UTC().Format(time.RFC3339),
+			ETag:         data.Quote(extendedObjInfo.ObjectInfo.ETag(h.cfg.MD5Enabled())),
+		},
+	}
+
+	if err = middleware.EncodeToResponse(w, resp); err != nil {
+		h.logAndSendError(w, "could not encode PatchObjectResult to response", reqInfo, err)
+		return
+	}
+}
+
+func parsePatchConditionalHeaders(headers http.Header) (*conditionalArgs, error) {
+	var err error
+	args := &conditionalArgs{
+		IfMatch: data.UnQuote(headers.Get(api.IfMatch)),
+	}
+
+	if args.IfUnmodifiedSince, err = parseHTTPTime(headers.Get(api.IfUnmodifiedSince)); err != nil {
+		return nil, err
+	}
+
+	return args, nil
+}
+
+func parsePatchByteRange(rangeStr string, objSize uint64) (*layer.RangeParams, error) {
+	const prefix = "bytes "
+
+	if rangeStr == "" {
+		return nil, fmt.Errorf("empty range")
+	}
+
+	if !strings.HasPrefix(rangeStr, prefix) {
+		return nil, fmt.Errorf("unknown unit in range header")
+	}
+
+	rangeStr, _, found := strings.Cut(strings.TrimPrefix(rangeStr, prefix), "/") // value after / is ignored
+	if !found {
+		return nil, fmt.Errorf("invalid range: %s", rangeStr)
+	}
+
+	startStr, endStr, found := strings.Cut(rangeStr, "-")
+	if !found {
+		return nil, fmt.Errorf("invalid range: %s", rangeStr)
+	}
+
+	start, err := strconv.ParseUint(startStr, 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid start byte: %s", startStr)
+	}
+
+	end := objSize - 1
+	if len(endStr) > 0 {
+		end, err = strconv.ParseUint(endStr, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("invalid end byte: %s", endStr)
+		}
+	}
+
+	if start > end {
+		return nil, fmt.Errorf("start byte is greater than end byte")
+	}
+
+	return &layer.RangeParams{
+		Start: start,
+		End:   end,
+	}, nil
+}

api/handler/patch_test.go

@@ -0,0 +1,292 @@
+package handler
+
+import (
+	"bytes"
+	"crypto/md5"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/xml"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
+	s3errors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPatch(t *testing.T) {
+	tc := prepareHandlerContext(t)
+	tc.config.md5Enabled = true
+
+	bktName, objName := "bucket-for-patch", "object-for-patch"
+	createTestBucket(tc, bktName)
+
+	content := []byte("old object content")
+	md5Hash := md5.New()
+	md5Hash.Write(content)
+	etag := data.Quote(hex.EncodeToString(md5Hash.Sum(nil)))
+
+	w, r := prepareTestPayloadRequest(tc, bktName, objName, bytes.NewReader(content))
+	created := time.Now()
+	tc.Handler().PutObjectHandler(w, r)
+	require.Equal(t, etag, w.Header().Get(api.ETag))
+
+	patchPayload := []byte("new")
+	sha256Hash := sha256.New()
+	sha256Hash.Write(patchPayload)
+	sha256Hash.Write(content[len(patchPayload):])
+	hash := hex.EncodeToString(sha256Hash.Sum(nil))
+
+	for _, tt := range []struct {
+		name    string
+		rng     string
+		headers map[string]string
+		code    s3errors.ErrorCode
+	}{
+		{
+			name: "success",
+			rng:  "bytes 0-2/*",
+			headers: map[string]string{
+				api.IfUnmodifiedSince: created.Format(http.TimeFormat),
+				api.IfMatch:           etag,
+			},
+		},
+		{
+			name: "invalid range syntax",
+			rng:  "bytes 0-2",
+			code: s3errors.ErrInvalidRange,
+		},
+		{
+			name: "invalid range length",
+			rng:  "bytes 0-5/*",
+			code: s3errors.ErrInvalidRangeLength,
+		},
+		{
+			name: "invalid range start",
+			rng:  "bytes 20-22/*",
+			code: s3errors.ErrRangeOutOfBounds,
+		},
+		{
+			name: "range is too long",
+			rng:  "bytes 0-5368709120/*",
+			code: s3errors.ErrInvalidRange,
+		},
+		{
+			name: "If-Unmodified-Since precondition are not satisfied",
+			rng:  "bytes 0-2/*",
+			headers: map[string]string{
+				api.IfUnmodifiedSince: created.Add(-24 * time.Hour).Format(http.TimeFormat),
+			},
+			code: s3errors.ErrPreconditionFailed,
+		},
+		{
+			name: "If-Match precondition are not satisfied",
+			rng:  "bytes 0-2/*",
+			headers: map[string]string{
+				api.IfMatch: "etag",
+			},
+			code: s3errors.ErrPreconditionFailed,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.code == 0 {
+				res := patchObject(t, tc, bktName, objName, tt.rng, patchPayload, tt.headers)
+				require.Equal(t, data.Quote(hash), res.Object.ETag)
+			} else {
+				patchObjectErr(t, tc, bktName, objName, tt.rng, patchPayload, tt.headers, tt.code)
+			}
+		})
+	}
+}
+
+func TestPatchWithVersion(t *testing.T) {
+	hc := prepareHandlerContextWithMinCache(t)
+	bktName, objName := "bucket", "obj"
+	createVersionedBucket(hc, bktName)
+	objHeader := putObjectContent(hc, bktName, objName, "content")
+
+	putObjectContent(hc, bktName, objName, "some content")
+
+	patchObjectVersion(t, hc, bktName, objName, objHeader.Get(api.AmzVersionID), "bytes 7-14/*", []byte(" updated"))
+
+	res := listObjectsVersions(hc, bktName, "", "", "", "", 3)
+	require.False(t, res.IsTruncated)
+	require.Len(t, res.Version, 3)
+
+	for _, version := range res.Version {
+		content := getObjectVersion(hc, bktName, objName, version.VersionID)
+		if version.IsLatest {
+			require.Equal(t, []byte("content updated"), content)
+			continue
+		}
+		if version.VersionID == objHeader.Get(api.AmzVersionID) {
+			require.Equal(t, []byte("content"), content)
+			continue
+		}
+		require.Equal(t, []byte("some content"), content)
+	}
+}
+
+func TestPatchEncryptedObject(t *testing.T) {
+	tc := prepareHandlerContext(t)
+	bktName, objName := "bucket-for-patch-encrypted", "object-for-patch-encrypted"
+	createTestBucket(tc, bktName)
+
+	w, r := prepareTestPayloadRequest(tc, bktName, objName, strings.NewReader("object content"))
+	setEncryptHeaders(r)
+	tc.Handler().PutObjectHandler(w, r)
+	assertStatus(t, w, http.StatusOK)
+
+	patchObjectErr(t, tc, bktName, objName, "bytes 2-4/*", []byte("new"), nil, s3errors.ErrInternalError)
+}
+
+func TestPatchMissingHeaders(t *testing.T) {
+	tc := prepareHandlerContext(t)
+	bktName, objName := "bucket-for-patch-missing-headers", "object-for-patch-missing-headers"
+	createTestBucket(tc, bktName)
+
+	w, r := prepareTestPayloadRequest(tc, bktName, objName, strings.NewReader("object content"))
+	setEncryptHeaders(r)
+	tc.Handler().PutObjectHandler(w, r)
+	assertStatus(t, w, http.StatusOK)
+
+	w = httptest.NewRecorder()
+	r = httptest.NewRequest(http.MethodPatch, defaultURL, strings.NewReader("new"))
+	tc.Handler().PatchObjectHandler(w, r)
+	assertS3Error(t, w, s3errors.GetAPIError(s3errors.ErrMissingContentRange))
+
+	w = httptest.NewRecorder()
+	r = httptest.NewRequest(http.MethodPatch, defaultURL, strings.NewReader("new"))
+	r.Header.Set(api.ContentRange, "bytes 0-2/*")
+	tc.Handler().PatchObjectHandler(w, r)
+	assertS3Error(t, w, s3errors.GetAPIError(s3errors.ErrMissingContentLength))
+}
+
+func TestParsePatchByteRange(t *testing.T) {
+	for _, tt := range []struct {
+		rng      string
+		size     uint64
+		expected *layer.RangeParams
+		err      bool
+	}{
+		{
+			rng: "bytes 2-7/*",
+			expected: &layer.RangeParams{
+				Start: 2,
+				End:   7,
+			},
+		},
+		{
+			rng: "bytes 2-7/3",
+			expected: &layer.RangeParams{
+				Start: 2,
+				End:   7,
+			},
+		},
+		{
+			rng:  "bytes 2-/*",
+			size: 9,
+			expected: &layer.RangeParams{
+				Start: 2,
+				End:   8,
+			},
+		},
+		{
+			rng:  "bytes 2-/3",
+			size: 9,
+			expected: &layer.RangeParams{
+				Start: 2,
+				End:   8,
+			},
+		},
+		{
+			rng: "",
+			err: true,
+		},
+		{
+			rng: "2-7/*",
+			err: true,
+		},
+		{
+			rng: "bytes 7-2/*",
+			err: true,
+		},
+		{
+			rng: "bytes 2-7",
+			err: true,
+		},
+		{
+			rng: "bytes 2/*",
+			err: true,
+		},
+		{
+			rng: "bytes a-7/*",
+			err: true,
+		},
+		{
+			rng: "bytes 2-a/*",
+			err: true,
+		},
+	} {
+		t.Run(fmt.Sprintf("case: %s", tt.rng), func(t *testing.T) {
+			rng, err := parsePatchByteRange(tt.rng, tt.size)
+			if tt.err {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, tt.expected.Start, rng.Start)
+				require.Equal(t, tt.expected.End, rng.End)
+			}
+		})
+	}
+}
+
+func patchObject(t *testing.T, tc *handlerContext, bktName, objName, rng string, payload []byte, headers map[string]string) *PatchObjectResult {
+	w := patchObjectBase(tc, bktName, objName, "", rng, payload, headers)
+	assertStatus(t, w, http.StatusOK)
+
+	result := &PatchObjectResult{}
+	err := xml.NewDecoder(w.Result().Body).Decode(result)
+	require.NoError(t, err)
+	return result
+}
+
+func patchObjectVersion(t *testing.T, tc *handlerContext, bktName, objName, version, rng string, payload []byte) *PatchObjectResult {
+	w := patchObjectBase(tc, bktName, objName, version, rng, payload, nil)
+	assertStatus(t, w, http.StatusOK)
+
+	result := &PatchObjectResult{}
+	err := xml.NewDecoder(w.Result().Body).Decode(result)
+	require.NoError(t, err)
+	return result
+}
+
+func patchObjectErr(t *testing.T, tc *handlerContext, bktName, objName, rng string, payload []byte, headers map[string]string, code s3errors.ErrorCode) {
+	w := patchObjectBase(tc, bktName, objName, "", rng, payload, headers)
+	assertS3Error(t, w, s3errors.GetAPIError(code))
+}
+
+func patchObjectBase(tc *handlerContext, bktName, objName, version, rng string, payload []byte, headers map[string]string) *httptest.ResponseRecorder {
+	query := make(url.Values)
+	if len(version) > 0 {
+		query.Add(api.QueryVersionID, version)
+	}
+
+	w, r := prepareTestRequestWithQuery(tc, bktName, objName, query, payload)
+	r.Header.Set(api.ContentRange, rng)
+	r.Header.Set(api.ContentLength, strconv.Itoa(len(payload)))
+	for k, v := range headers {
+		r.Header.Set(k, v)
+	}
+
+	tc.Handler().PatchObjectHandler(w, r)
+	return w
+}

api/handler/response.go

@@ -195,6 +195,15 @@ type PostResponse struct {
 	ETag   string `xml:"Etag"`
 }
 
+type PatchObjectResult struct {
+	Object PatchObject `xml:"Object"`
+}
+
+type PatchObject struct {
+	LastModified string `xml:"LastModified"`
+	ETag         string `xml:"ETag"`
+}
+
 // MarshalXML -- StringMap marshals into XML.
 func (s StringMap) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
 	tokens := []xml.Token{start}

api/layer/frostfs.go

@@ -200,6 +200,27 @@ type PrmObjectSearch struct {
 	FilePrefix string
 }
 
+// PrmObjectPatch groups parameters of FrostFS.PatchObject operation.
+type PrmObjectPatch struct {
+	// Authentication parameters.
+	PrmAuth
+
+	// Container of the patched object.
+	Container cid.ID
+
+	// Identifier of the patched object.
+	Object oid.ID
+
+	// Object patch payload encapsulated in io.Reader primitive.
+	Payload io.Reader
+
+	// Object range to patch.
+	Range *RangeParams
+
+	// Size of original object payload.
+	ObjectSize uint64
+}
+
 var (
 	// ErrAccessDenied is returned from FrostFS in case of access violation.
 	ErrAccessDenied = errors.New("access denied")
@@ -294,6 +315,15 @@ type FrostFS interface {
 	// prevented the objects from being selected.
 	SearchObjects(context.Context, PrmObjectSearch) ([]oid.ID, error)
 
+	// PatchObject performs object patch in the FrostFS container.
+	// It returns the ID of the patched object.
+	//
+	// It returns ErrAccessDenied on selection access violation.
+	//
+	// It returns exactly one non-nil value. It returns any error encountered which
+	// prevented the objects from being patched.
+	PatchObject(context.Context, PrmObjectPatch) (oid.ID, error)
+
 	// TimeToEpoch computes current epoch and the epoch that corresponds to the provided now and future time.
 	// Note:
 	// * future time must be after the now

api/layer/frostfs_mock.go

@@ -21,6 +21,7 @@ import (
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/netmap"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object"
 	oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
+	oidtest "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id/test"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/session"
 	"git.frostfs.info/TrueCloudLab/frostfs-sdk-go/user"
 	"github.com/nspcc-dev/neo-go/pkg/crypto/keys"
@@ -415,6 +416,42 @@ func (t *TestFrostFS) NetworkInfo(context.Context) (netmap.NetworkInfo, error) {
 	return ni, nil
 }
 
+func (t *TestFrostFS) PatchObject(ctx context.Context, prm PrmObjectPatch) (oid.ID, error) {
+	obj, err := t.retrieveObject(ctx, prm.Container, prm.Object)
+	if err != nil {
+		return oid.ID{}, err
+	}
+
+	newObj := *obj
+
+	patchBytes, err := io.ReadAll(prm.Payload)
+	if err != nil {
+		return oid.ID{}, err
+	}
+
+	var newPayload []byte
+	if prm.Range.Start > 0 {
+		newPayload = append(newPayload, obj.Payload()[:prm.Range.Start]...)
+	}
+	newPayload = append(newPayload, patchBytes...)
+	if prm.Range.End < obj.PayloadSize()-1 {
+		newPayload = append(newPayload, obj.Payload()[prm.Range.End+1:]...)
+	}
+	newObj.SetPayload(newPayload)
+	newObj.SetPayloadSize(uint64(len(newPayload)))
+
+	var hash checksum.Checksum
+	checksum.Calculate(&hash, checksum.SHA256, newPayload)
+	newObj.SetPayloadChecksum(hash)
+
+	newID := oidtest.ID()
+	newObj.SetID(newID)
+
+	t.objects[newAddress(prm.Container, newID).EncodeToString()] = &newObj
+
+	return newID, nil
+}
+
 func (t *TestFrostFS) checkAccess(cnrID cid.ID, owner user.ID) bool {
 	cnr, ok := t.containers[cnrID.EncodeToString()]
 	if !ok {

api/layer/layer.go

@@ -160,6 +160,7 @@ type (
 		DstEncryption encryption.Params
 		CopiesNumbers []uint32
 	}
+
 	// CreateBucketParams stores bucket create request parameters.
 	CreateBucketParams struct {
 		Name                     string

api/layer/patch.go

@@ -0,0 +1,78 @@
+package layer
+
+import (
+	"context"
+	"encoding/hex"
+	"fmt"
+	"io"
+
+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
+)
+
+type PatchObjectParams struct {
+	Object            *data.ObjectInfo
+	BktInfo           *data.BucketInfo
+	NewBytes          io.Reader
+	Range             *RangeParams
+	VersioningEnabled bool
+}
+
+func (n *Layer) PatchObject(ctx context.Context, p *PatchObjectParams) (*data.ExtendedObjectInfo, error) {
+	if p.Object.Headers[AttributeDecryptedSize] != "" {
+		return nil, fmt.Errorf("patch encrypted object")
+	}
+
+	if p.Object.Headers[MultipartObjectSize] != "" {
+		// TODO: support multipart object patch
+		return nil, fmt.Errorf("patch multipart object")
+	}
+
+	prmPatch := PrmObjectPatch{
+		Container:  p.BktInfo.CID,
+		Object:     p.Object.ID,
+		Payload:    p.NewBytes,
+		Range:      p.Range,
+		ObjectSize: p.Object.Size,
+	}
+	n.prepareAuthParameters(ctx, &prmPatch.PrmAuth, p.BktInfo.Owner)
+
+	objID, err := n.frostFS.PatchObject(ctx, prmPatch)
+	if err != nil {
+		return nil, fmt.Errorf("patch object: %w", err)
+	}
+
+	obj, err := n.objectHead(ctx, p.BktInfo, objID)
+	if err != nil {
+		return nil, fmt.Errorf("head object: %w", err)
+	}
+
+	payloadChecksum, _ := obj.PayloadChecksum()
+	hashSum := hex.EncodeToString(payloadChecksum.Value())
+	newVersion := &data.NodeVersion{
+		BaseNodeVersion: data.BaseNodeVersion{
+			OID:      objID,
+			ETag:     hashSum,
+			FilePath: p.Object.Name,
+			Size:     obj.PayloadSize(),
+			Created:  &p.Object.Created,
+			Owner:    &n.gateOwner,
+			// TODO: Add creation epoch
+		},
+		IsUnversioned: !p.VersioningEnabled,
+		IsCombined:    p.Object.Headers[MultipartObjectSize] != "",
+	}
+
+	if newVersion.ID, err = n.treeService.AddVersion(ctx, p.BktInfo, newVersion); err != nil {
+		return nil, fmt.Errorf("couldn't add new verion to tree service: %w", err)
+	}
+
+	p.Object.ID = objID
+	p.Object.Size = obj.PayloadSize()
+	p.Object.MD5Sum = ""
+	p.Object.HashSum = hashSum
+
+	return &data.ExtendedObjectInfo{
+		ObjectInfo:  p.Object,
+		NodeVersion: newVersion,
+	}, nil
+}

api/middleware/constants.go

@@ -74,6 +74,7 @@ const (
 	AbortMultipartUploadOperation    = "AbortMultipartUpload"
 	DeleteObjectTaggingOperation     = "DeleteObjectTagging"
 	DeleteObjectOperation            = "DeleteObject"
+	PatchObjectOperation             = "PatchObject"
 )
 
 const (

api/middleware/policy.go

@@ -329,6 +329,8 @@ func determineObjectOperation(r *http.Request) string {
 	switch r.Method {
 	case http.MethodOptions:
 		return OptionsObjectOperation
+	case http.MethodPatch:
+		return PatchObjectOperation
 	case http.MethodHead:
 		return HeadObjectOperation
 	case http.MethodGet:

api/router.go

@@ -87,6 +87,7 @@ type (
 		AbortMultipartUploadHandler(http.ResponseWriter, *http.Request)
 		ListPartsHandler(w http.ResponseWriter, r *http.Request)
 		ListMultipartUploadsHandler(http.ResponseWriter, *http.Request)
+		PatchObjectHandler(http.ResponseWriter, *http.Request)
 
 		ResolveBucket(ctx context.Context, bucket string) (*data.BucketInfo, error)
 		ResolveCID(ctx context.Context, bucket string) (cid.ID, error)
@@ -403,6 +404,8 @@ func objectRouter(h Handler) chi.Router {
 
 	objRouter.Head("/*", named(s3middleware.HeadObjectOperation, h.HeadObjectHandler))
 
+	objRouter.Patch("/*", named(s3middleware.PatchObjectOperation, h.PatchObjectHandler))
+
 	// GET method handlers
 	objRouter.Group(func(r chi.Router) {
 		r.Method(http.MethodGet, "/*", NewHandlerFilter().

api/router_mock_test.go

@@ -561,6 +561,10 @@ func (h *handlerMock) ListMultipartUploadsHandler(w http.ResponseWriter, r *http
 	h.writeResponse(w, res)
 }
 
+func (h *handlerMock) PatchObjectHandler(http.ResponseWriter, *http.Request) {
+	panic("implement me")
+}
+
 func (h *handlerMock) ResolveBucket(ctx context.Context, name string) (*data.BucketInfo, error) {
 	reqInfo := middleware.GetReqInfo(ctx)
 	bktInfo, ok := h.buckets[reqInfo.Namespace+name]

internal/frostfs/frostfs.go

@@ -403,6 +403,38 @@ func (x *FrostFS) NetworkInfo(ctx context.Context) (netmap.NetworkInfo, error) {
 	return ni, nil
 }
 
+func (x *FrostFS) PatchObject(ctx context.Context, prm layer.PrmObjectPatch) (oid.ID, error) {
+	var addr oid.Address
+	addr.SetContainer(prm.Container)
+	addr.SetObject(prm.Object)
+
+	var prmPatch pool.PrmObjectPatch
+	prmPatch.SetAddress(addr)
+
+	var rng object.Range
+	rng.SetOffset(prm.Range.Start)
+	rng.SetLength(prm.Range.End - prm.Range.Start + 1)
+	if prm.Range.End >= prm.ObjectSize {
+		rng.SetLength(prm.ObjectSize - prm.Range.Start)
+	}
+
+	prmPatch.SetRange(&rng)
+	prmPatch.SetPayloadReader(prm.Payload)
+
+	if prm.BearerToken != nil {
+		prmPatch.UseBearer(*prm.BearerToken)
+	} else {
+		prmPatch.UseKey(prm.PrivateKey)
+	}
+
+	res, err := x.pool.PatchObject(ctx, prmPatch)
+	if err != nil {
+		return oid.ID{}, handleObjectError("patch object via connection pool", err)
+	}
+
+	return res.ObjectID, nil
+}
+
 // ResolverFrostFS represents virtual connection to the FrostFS network.
 // It implements resolver.FrostFS.
 type ResolverFrostFS struct {