From ee1ca235d94f9ed272878943ae6991ddaf60763b Mon Sep 17 00:00:00 2001
From: Casey Bodley <cbodley@redhat.com>
Date: Thu, 23 Apr 2026 12:39:56 -0400
Subject: [PATCH] s3: add test_head_object_404_with_policy_prefix()

Fixes: https://tracker.ceph.com/issues/74398

Signed-off-by: Casey Bodley <cbodley@redhat.com>
---
 s3tests/functional/test_s3.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/s3tests/functional/test_s3.py b/s3tests/functional/test_s3.py
index 91680271..b6d39c08 100644
--- a/s3tests/functional/test_s3.py
+++ b/s3tests/functional/test_s3.py
@@ -19800,6 +19800,34 @@ def test_bucket_create_delete_bucket_ownership():
 
     client.delete_bucket_ownership_controls(Bucket=bucket)
 
+def test_head_object_404_with_policy_prefix():
+    client = get_client()
+    bucket = get_new_bucket(client)
+
+    policy = json.dumps({
+        "Version": "2012-10-17",
+        "Statement": [{
+            "Effect": "Allow",
+            "Principal": {"AWS": "*"},
+            "Action": "s3:ListBucket",
+            "Resource": f"arn:aws:s3:::{bucket}",
+            "Condition": {
+                "StringLike": {
+                    "s3:prefix": "public/*"
+                }
+            }
+        }]
+    })
+    client.put_bucket_policy(Bucket=bucket, Policy=policy)
+
+    alt_client = get_alt_client()
+    # expect 404 NoSuchKey for names that match the s3:prefix
+    e = assert_raises(ClientError, alt_client.head_object, Bucket=bucket, Key='public/object')
+    assert 404 == _get_status(e.response)
+    # expect 403 Forbidden for names that don't match
+    e = assert_raises(ClientError, alt_client.head_object, Bucket=bucket, Key='private/object')
+    assert 403 == _get_status(e.response)
+
 #########################
 # COPY ENCRYPTION TESTS #
 #########################
-- 
2.47.3