feat(Storage): Enable full object checksum validation for resumable uploads#15395
feat(Storage): Enable full object checksum validation for resumable uploads#15395mahendra-google wants to merge 1 commit into
Conversation
Summary of ChangesHello @mahendra-google, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces robust data integrity checks for resumable uploads by integrating CRC32C checksum validation. This enhancement ensures that multi-chunk transfers to Google Cloud Storage are verified end-to-end, preventing data corruption. The changes also update the client's error handling to align with the server's response to checksum mismatches. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request enables full object checksum validation for resumable uploads by introducing a Crc32cHashInterceptor. This interceptor calculates the CRC32C hash of the upload stream and attaches it to the final chunk of a resumable upload, ensuring end-to-end data integrity. The implementation is solid, with proper handling of the interceptor's lifecycle. The integration tests have been correctly updated to reflect the new server-side validation behavior, where the server now rejects corrupted uploads with a BadRequest status. Additionally, LengthOnlyStream has been updated to be a more compliant Stream implementation. My review includes a couple of suggestions to optimize performance by avoiding string allocations in the new parsing logic.
f443772 to
d4e4802
Compare
|
Can you use UploadStreamInterceptor which already calculates the hash and use it here instead of recomputing the hash on final chunk? |
|
8086e46 to
a371f67
Compare
99c6617 to
54d1d1c
Compare
| { | ||
| _hashingStream = ContentStream as HashingStream; | ||
| _interceptor = new Crc32cHashInterceptor(this, _hashingStream, _service); | ||
| _service?.HttpClient?.MessageHandler?.AddExecuteInterceptor(_interceptor); |
There was a problem hiding this comment.
The same service may be used in parallel for many different requests, including for many different uploads. You'll have interceptors that will be applied to all requests???
Even when you check the URI, assuming that check is enough in all cases, you are adding latency to all requests.
What am I missing?
There was a problem hiding this comment.
You make a very fair point regarding the service-wide scope of the interceptor.
While I have included logic to remove the interceptor upon upload completion or failure (to prevent long-term memory leaks on line 94 of the CustomMediaUpload class), I recognize that during high-concurrency periods, the interceptor chain could grow. This would indeed force every request—even those unrelated to this upload—to perform the URI check.
I initially assumed the latency of a reference comparison would be negligible, but I see how this architectural choice could be suboptimal for shared service instances. Since I want to ensure this implementation aligns with our performance standards, I am very open to your suggestions.
There was a problem hiding this comment.
Updated the URI comparison to include a reference equality check (ReferenceEquals) before performing a value-based .Equals(). This introduces an fail fast at the CPU register level by comparing memory addresses rather than performing a character-by-character string or component validation.This bypasses the URI equality check, significantly reducing CPU cycles and latency for the majority of requests where the object references do not match.
There was a problem hiding this comment.
My recommendation here is that you add an event on the base upload type that triggers on the last request only. This would be in Google.Apis. (Note that this is different to the initial proposal in Google.Apis which meant changing upload logic for all Discovery based libraries).
There was a problem hiding this comment.
@amanda-tarafa Recommended approach is being implemented. I will be raising separate PRs for both Google.Apis and storage library soon.
There was a problem hiding this comment.
Thanks. Because that is a change in the core libraries the .NET Cloud SDK team will need to review thorughly. A 1-2 pages design document describing the proposed change, before the PR is sent for review, should help expediting things.
361aff2 to
e4ee73a
Compare
| { | ||
| _hashingStream = ContentStream as HashingStream; | ||
| _interceptor = new Crc32cHashInterceptor(this, _hashingStream, _service); | ||
| _service?.HttpClient?.MessageHandler?.AddExecuteInterceptor(_interceptor); |
There was a problem hiding this comment.
My recommendation here is that you add an event on the base upload type that triggers on the last request only. This would be in Google.Apis. (Note that this is different to the initial proposal in Google.Apis which meant changing upload logic for all Discovery based libraries).
| GaxPreconditions.CheckEnumValue(validationMode, nameof(UploadObjectOptions.UploadValidationMode)); | ||
| switch (validationMode) | ||
| { | ||
| case UploadValidationMode.DeleteAndThrow: |
There was a problem hiding this comment.
Does this implementation respects both DeleteAndThrow and ThrowOnly? I don't see where the service would know the difference, so this would be another breaking change, that warrants a new major version bump.
There was a problem hiding this comment.
I appreciate you flagging that—ensuring we maintain backward compatibility is definitely a priority.
The implementation does respect both DeleteAndThrow and ThrowOnly. In the CustomMediaUpload class, I am passing the UploadObjectOptions instance directly into the constructor. The logic is scoped so that we only calculate the hash if the UploadValidationMode is set to something other than None. This allows the service to distinguish between the modes effectively without altering the existing contract.
There was a problem hiding this comment.
The hash is indeed only calculated if the value is set to other than None, that is correct.
The implementation does not respect the difference between DeleteAndThrow and ThrowOnly. These values are not being passed to the service, and they are not being enforced client side either as far as I can see.
ThrowOnly: Throws an exception if the hashes do not match, but the object remains in storage.DeleteAndThrow: Throws an exception if the hashes do not match and removes the object from storage.
There was a problem hiding this comment.
You are completely right, and thank you for pointing that out. The legacy DeleteAndThrow and ThrowOnly behaviors weren't being properly enforced .
To address this comprehensively and lean into a more robust architecture, I have refactored the implementation to leverage server-side validation instead of relying on client-side cleanup.
Here is a summary of the changes made in this update:
Introduced UploadValidationMode.RejectAndThrow: This leverages server-side validation, ensuring that invalid uploads are rejected automatically before the object is ever created.
Updated Default Upload Validation Mode & Tests: UploadObjectOptions now uses this new mode as the default behavior and UploadObjectTest has been updated to reflect this.
Deprecated Legacy Modes: We have deprecated ThrowOnly and DeleteAndThrow. Because server-side validation prevents the object from being created in the first place . By switching to server-side rejection, the object is blocked at the front door.
- It satisfies
DeleteAndThrowbecause the final state of the bucket is perfectly clean—no invalid object exists. - It satisfies (and improves upon)
ThrowOnlybecause it alerts the user via an exception, but removes the dangerous side effect of leaving a corrupted file behind.
There was a problem hiding this comment.
It satisfies (and improves upon) ThrowOnly because it alerts the user via an exception, but removes the dangerous side effect of leaving a corrupted file behind.
This is a breaking change. Deprecation is a signal that the behavior will stop working on the next major version. But while an element is deprecated, its behavior must be enforced. And it's not a dangerous side effect, it's a behavior explicitly requested by user when they specify ThrowOnly.
|
When you are ready to merge, please use squash and merge so we don't get the 16 iteration commits on the repo history. As an alternative, rebase the PR on top of main into a single commit before merging. |
02df9af to
23c8b2e
Compare
23c8b2e to
1367263
Compare
|
Regarding |
This PR enables full object checksum validation (specifically CRC32C) for JSON-based resumable uploads, ensuring end-to-end data integrity for multi-chunk transfers. Please see b/461996128