adding header handling in routeVeam + unit tests

This commit updates the validation logic for query parameters
in the Veeam route handler, ensuring better compatibility
with AWS SDK clients and stricter enforcement of supported actions.
The main changes include introducing case-insensitive query key handling,
explicit support for AWS SDK auxiliary parameters,
and improved error handling for unsupported or mismatched actions.
Unit tests have been added to verify these behaviors throughout.
Issue: CLDSRV-806

Author: benzekrimaha

lib/routes/routeVeeam.js

@@ -29,6 +29,13 @@ const apiToAction = {
     LIST: 'ListObjects',
 };
 
+const allowedSdkQueryKeys = new Set([
+    'x-id',
+    'x-amz-user-agent',
+    'x-amz-sdk-invocation-id',
+    'x-amz-sdk-request',
+]);
+
 const routeMap = {
     GET: getVeeamFile,
     PUT: putVeeamFile,
@@ -67,8 +74,33 @@ function checkBucketAndKey(bucketName, objectKey, requestQueryParams, method, lo
         // Download relies on GETs calls with auth in query parameters, that can be
         // checked if 'X-Amz-Credential' is included.
         // Deletion requires that the tags of the object are returned.
-        if (requestQueryParams && Object.keys(requestQueryParams).length > 0
-            && !(method === 'GET' && (requestQueryParams['X-Amz-Credential'] || ('tagging' in requestQueryParams)))) {
+        const originalQuery = requestQueryParams || {};
+        const normalizedQueryKeys = new Map(
+            Object.keys(originalQuery).map(key => [key.toLowerCase(), key])
+        );
+        const isPresignedGet = method === 'GET'
+            && (normalizedQueryKeys.has('x-amz-credential')
+                || normalizedQueryKeys.has('tagging'));
+
+        if (!isPresignedGet && normalizedQueryKeys.size > 0) {
+            const unsupportedKeys = Array.from(normalizedQueryKeys.keys())
+                .filter(lowerKey => {
+                    if (allowedSdkQueryKeys.has(lowerKey)) {
+                        return false;
+                    }
+                    if (lowerKey.startsWith('x-amz-sdk-')) {
+                        return false;
+                    }
+                    return true;
+                });
+            if (unsupportedKeys.length > 0) {
+                return errorInstances.InvalidRequest
+                    .customizeDescription('The Veeam SOSAPI folder does not support this action.');
+            }
+        }
+        const xIdOriginalKey = normalizedQueryKeys.get('x-id');
+        const xIdValue = xIdOriginalKey ? originalQuery[xIdOriginalKey] : undefined;
+        if (xIdValue && xIdValue !== apiToAction[method]) {
             return errorInstances.InvalidRequest
                 .customizeDescription('The Veeam SOSAPI folder does not support this action.');
         }

tests/unit/internal/routeVeeam.js

@@ -77,6 +77,44 @@ describe('RouteVeeam: checkBucketAndKey', () => {
             assert.strictEqual(routeVeeam.checkBucketAndKey(...test), undefined);
         });
     });
+
+    it('should allow AWS SDK x-id=PutObject query on PUT for system.xml', () => {
+        const err = routeVeeam.checkBucketAndKey(
+            'test',
+            '.system-d26a9498-cb7c-4a87-a44a-8ae204f5ba6c/system.xml',
+            { 'x-id': 'PutObject' },
+            'PUT',
+            log,
+        );
+        assert.strictEqual(err, undefined);
+    });
+
+    it('should allow AWS SDK auxiliary x-amz-sdk-* query params on PUT for system.xml', () => {
+        const err = routeVeeam.checkBucketAndKey(
+            'test',
+            '.system-d26a9498-cb7c-4a87-a44a-8ae204f5ba6c/system.xml',
+            {
+                'x-id': 'PutObject',
+                'x-amz-sdk-request': 'attempt=1',
+                'x-amz-sdk-invocation-id': 'abc-123',
+                'x-amz-user-agent': 'aws-sdk-js-v3',
+            },
+            'PUT',
+            log,
+        );
+        assert.strictEqual(err, undefined);
+    });
+
+    it('should reject mismatched x-id value on PUT for system.xml', () => {
+        const err = routeVeeam.checkBucketAndKey(
+            'test',
+            '.system-d26a9498-cb7c-4a87-a44a-8ae204f5ba6c/system.xml',
+            { 'x-id': 'GetObject' },
+            'PUT',
+            log,
+        );
+        assert.strictEqual(err.is.InvalidRequest, true);
+    });
 });
 
 describe('RouteVeeam: checkBucketAndKey', () => {