CLDSRV-892: UploadPart store part checksum

leif-scality · leif-scality · commit d8d75da173bc · 2026-04-16T18:43:02.000+02:00
diff --git a/lib/api/objectPutPart.js b/lib/api/objectPutPart.js
@@ -21,6 +21,10 @@ const { BackendInfo } = models;
 const writeContinue = require('../utilities/writeContinue');
 const { parseObjectEncryptionHeaders } = require('./apiUtils/bucket/bucketEncryption');
 const validateChecksumHeaders = require('./apiUtils/object/validateChecksumHeaders');
+const {
+    getChecksumDataFromHeaders,
+    arsenalErrorFromChecksumError,
+} = require('./apiUtils/integrity/validateChecksums');
 const { validateQuotas } = require('./apiUtils/quotas/quotaUtils');
 const { setSSEHeaders } = require('./apiUtils/object/sseHeaders');
 const { storeServerAccessLogInfo } = require('../metadata/metadataUtils');
@@ -113,6 +117,8 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
     // `requestType` is the general 'objectPut'.
     const requestType = request.apiMethods || 'objectPutPart';
     let partChecksum;
+    let mpuChecksumAlgo;
+    let mpuChecksumIsDefault;
 
     return async.waterfall([
         // Get the destination bucket.
@@ -196,6 +202,9 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
                         return next(errors.AccessDenied, destinationBucket);
                     }
 
+                    mpuChecksumAlgo = res.checksumAlgorithm;
+                    mpuChecksumIsDefault = res.checksumIsDefault;
+
                     const objectLocationConstraint =
                         res.controllingLocationConstraint;
                     const sseAlgo = res['x-amz-server-side-encryption'];
@@ -316,8 +325,43 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
             };
             const backendInfo = new BackendInfo(config,
                 objectLocationConstraint);
+
+            const headerChecksum = getChecksumDataFromHeaders(request.headers);
+            if (headerChecksum && headerChecksum.error) {
+                return next(arsenalErrorFromChecksumError(headerChecksum), destinationBucket);
+            }
+
+            // If the MPU specifies a non-default checksum algo and the
+            // client sends a different algo, reject the request.
+            if (headerChecksum && mpuChecksumAlgo && !mpuChecksumIsDefault
+                && headerChecksum.algorithm !== mpuChecksumAlgo) {
+                return next(errors.InvalidRequest.customizeDescription(
+                    `Checksum algorithm '${headerChecksum.algorithm}' is not the same ` +
+                    `as the checksum algorithm '${mpuChecksumAlgo}' specified during ` +
+                    'CreateMultipartUpload.'
+                ), destinationBucket);
+            }
+
+            const primaryAlgo = mpuChecksumAlgo || 'crc64nvme';
+            let checksums;
+            if (headerChecksum && headerChecksum.algorithm === mpuChecksumAlgo) {
+                checksums = {
+                    primary: headerChecksum, // MPU and Header match only need to calculate one.
+                    secondary: null,
+                };
+            } else if (headerChecksum) {
+                checksums = {
+                    primary: { algorithm: primaryAlgo, isTrailer: false, expected: undefined },
+                    secondary: headerChecksum, // MPU and Header mismatch, need to verify the header checksum.
+                };
+            } else {
+                checksums = {
+                    primary: { algorithm: primaryAlgo, isTrailer: false, expected: undefined },
+                    secondary: null, // No Header checksum, we only calculate the MPU one.
+                };
+            }
             return dataStore(objectContext, cipherBundle, request,
-                size, streamingV4Params, backendInfo, log,
+                size, streamingV4Params, backendInfo, checksums, log,
                 (err, dataGetInfo, hexDigest, checksum) => {
                     if (err) {
                         return next(err, destinationBucket);
@@ -356,6 +400,15 @@ function objectPutPart(authInfo, request, streamingV4Params, log,
                 'content-length': size,
                 'owner-id': destinationBucket.getOwner(),
             };
+            if (partChecksum) {
+                if (partChecksum.storageChecksum) {
+                    omVal.checksumValue = partChecksum.storageChecksum.value;
+                    omVal.checksumAlgorithm = partChecksum.storageChecksum.algorithm;
+                } else {
+                    omVal.checksumValue = partChecksum.value;
+                    omVal.checksumAlgorithm = partChecksum.algorithm;
+                }
+            }
             const mdParams = { overheadField: constants.overheadField };
             return metadata.putObjectMD(mpuBucketName, partKey, omVal, mdParams, log,
                 err => {
diff --git a/tests/unit/api/objectPutPartChecksum.js b/tests/unit/api/objectPutPartChecksum.js
@@ -0,0 +1,275 @@
+const assert = require('assert');
+const async = require('async');
+const crypto = require('crypto');
+const { storage } = require('arsenal');
+const { parseString } = require('xml2js');
+
+const { bucketPut } = require('../../../lib/api/bucketPut');
+const initiateMultipartUpload = require('../../../lib/api/initiateMultipartUpload');
+const objectPutPart = require('../../../lib/api/objectPutPart');
+const constants = require('../../../constants');
+const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../helpers');
+const DummyRequest = require('../DummyRequest');
+
+const { metadata } = storage.metadata.inMemory.metadata;
+
+const log = new DummyRequestLogger();
+const canonicalID = 'accessKey1';
+const authInfo = makeAuthInfo(canonicalID);
+const namespace = 'default';
+const bucketName = 'checksum-test-bucket';
+const objectKey = 'testObject';
+const mpuBucket = `${constants.mpuBucketPrefix}${bucketName}`;
+const partBody = Buffer.from('I am a part body for checksum testing', 'utf8');
+
+const bucketPutRequest = {
+    bucketName,
+    namespace,
+    headers: { host: `${bucketName}.s3.amazonaws.com` },
+    url: '/',
+    actionImplicitDenies: false,
+};
+
+function makeInitiateRequest(extraHeaders = {}) {
+    return {
+        socket: { remoteAddress: '1.1.1.1' },
+        bucketName,
+        namespace,
+        objectKey,
+        headers: {
+            host: `${bucketName}.s3.amazonaws.com`,
+            ...extraHeaders,
+        },
+        url: `/${objectKey}?uploads`,
+        actionImplicitDenies: false,
+    };
+}
+
+function makePutPartRequest(uploadId, partNumber, body, extraHeaders = {}) {
+    const md5Hash = crypto.createHash('md5').update(body);
+    return new DummyRequest({
+        bucketName,
+        namespace,
+        objectKey,
+        headers: {
+            host: `${bucketName}.s3.amazonaws.com`,
+            ...extraHeaders,
+        },
+        url: `/${objectKey}?partNumber=${partNumber}&uploadId=${uploadId}`,
+        query: { partNumber, uploadId },
+        partHash: md5Hash.digest('hex'),
+        actionImplicitDenies: false,
+    }, body);
+}
+
+function initiateMPU(initiateHeaders, cb) {
+    async.waterfall([
+        next => bucketPut(authInfo, bucketPutRequest, log, next),
+        (corsHeaders, next) => {
+            const req = makeInitiateRequest(initiateHeaders);
+            initiateMultipartUpload(authInfo, req, log, next);
+        },
+        (result, corsHeaders, next) => parseString(result, next),
+    ], (err, json) => {
+        if (err) {return cb(err);}
+        return cb(null, json.InitiateMultipartUploadResult.UploadId[0]);
+    });
+}
+
+function getPartMetadata(uploadId) {
+    const mpuKeys = metadata.keyMaps.get(mpuBucket);
+    if (!mpuKeys) {return null;}
+    for (const [key, val] of mpuKeys) {
+        if (key.startsWith(uploadId) && !key.startsWith('overview')) {
+            return val;
+        }
+    }
+    return null;
+}
+
+describe('objectPutPart checksum validation', () => {
+    beforeEach(() => cleanup());
+
+    describe('algo match validation', () => {
+        it('should accept part with matching checksum algo', done => {
+            initiateMPU({ 'x-amz-checksum-algorithm': 'crc32' }, (err, uploadId) => {
+                assert.ifError(err);
+                const request = makePutPartRequest(uploadId, 1, partBody, {
+                    'x-amz-checksum-crc32': 'AAAAAA==',
+                });
+                objectPutPart(authInfo, request, undefined, log, err => {
+                    // BadDigest is expected since the checksum value won't
+                    // match the body, but NOT InvalidRequest — the algo is accepted.
+                    if (err) {
+                        assert.notStrictEqual(err.message, 'InvalidRequest');
+                    }
+                    done();
+                });
+            });
+        });
+
+        it('should reject part with mismatching checksum algo', done => {
+            initiateMPU({ 'x-amz-checksum-algorithm': 'sha256' }, (err, uploadId) => {
+                assert.ifError(err);
+                const request = makePutPartRequest(uploadId, 1, partBody, {
+                    'x-amz-checksum-crc32': 'AAAAAA==',
+                });
+                objectPutPart(authInfo, request, undefined, log, err => {
+                    assert(err, 'Expected an error');
+                    assert.strictEqual(err.message, 'InvalidRequest');
+                    done();
+                });
+            });
+        });
+
+        it('should accept part with no checksum on non-default MPU', done => {
+            initiateMPU({ 'x-amz-checksum-algorithm': 'sha256' }, (err, uploadId) => {
+                assert.ifError(err);
+                // No checksum header sent
+                const request = makePutPartRequest(uploadId, 1, partBody);
+                objectPutPart(authInfo, request, undefined, log, err => {
+                    assert.ifError(err);
+                    done();
+                });
+            });
+        });
+
+        it('should accept any checksum algo on default (no algo specified) MPU', done => {
+            initiateMPU({}, (err, uploadId) => {
+                assert.ifError(err);
+                // Send sha256 checksum even though MPU is default crc64nvme
+                const request = makePutPartRequest(uploadId, 1, partBody, {
+                    'x-amz-checksum-sha256': 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
+                });
+                objectPutPart(authInfo, request, undefined, log, err => {
+                    // BadDigest (wrong value) is fine; InvalidRequest (wrong algo) is not
+                    if (err) {
+                        assert.notStrictEqual(err.message, 'InvalidRequest');
+                    }
+                    done();
+                });
+            });
+        });
+    });
+
+    describe('checksum stored in part metadata', () => {
+        it('should store checksumValue and checksumAlgorithm in part metadata', done => {
+            initiateMPU({}, (err, uploadId) => {
+                assert.ifError(err);
+                const request = makePutPartRequest(uploadId, 1, partBody);
+                objectPutPart(authInfo, request, undefined, log, err => {
+                    assert.ifError(err);
+                    const partMD = getPartMetadata(uploadId);
+                    assert(partMD, 'Part metadata should exist');
+                    assert(partMD.checksumValue, 'checksumValue should be stored');
+                    assert.strictEqual(partMD.checksumAlgorithm, 'crc64nvme');
+                    done();
+                });
+            });
+        });
+
+        it('should store the MPU algo checksum when client sends matching algo', done => {
+            initiateMPU({ 'x-amz-checksum-algorithm': 'crc64nvme' }, (err, uploadId) => {
+                assert.ifError(err);
+                const request = makePutPartRequest(uploadId, 1, partBody);
+                objectPutPart(authInfo, request, undefined, log, err => {
+                    assert.ifError(err);
+                    const partMD = getPartMetadata(uploadId);
+                    assert(partMD);
+                    assert.strictEqual(partMD.checksumAlgorithm, 'crc64nvme');
+                    assert(partMD.checksumValue);
+                    done();
+                });
+            });
+        });
+    });
+
+    describe('dual-checksum', () => {
+        it('should store crc64nvme when default MPU and client sends different algo', done => {
+            initiateMPU({}, (err, uploadId) => {
+                assert.ifError(err);
+                // Compute correct crc32 for partBody so validation passes
+                const { algorithms } = require('../../../lib/api/apiUtils/integrity/validateChecksums');
+                const crc32Hash = algorithms.crc32.createHash();
+                crc32Hash.update(partBody);
+                const crc64Hash = algorithms.crc64nvme.createHash();
+                crc64Hash.update(partBody);
+                Promise.all([
+                    algorithms.crc32.digestFromHash(crc32Hash),
+                    algorithms.crc64nvme.digestFromHash(crc64Hash),
+                ]).then(([crc32Digest, crc64Digest]) => {
+                    const request = makePutPartRequest(uploadId, 1, partBody, {
+                        'x-amz-checksum-crc32': crc32Digest,
+                    });
+                    objectPutPart(authInfo, request, undefined, log, (err, hexDigest, corsHeaders) => {
+                        assert.ifError(err);
+                        // Response header should be the client's algo (crc32)
+                        assert.strictEqual(corsHeaders['x-amz-checksum-crc32'], crc32Digest);
+                        // Stored metadata should be crc64nvme with correct value
+                        const partMD = getPartMetadata(uploadId);
+                        assert(partMD);
+                        assert.strictEqual(partMD.checksumAlgorithm, 'crc64nvme');
+                        assert.strictEqual(partMD.checksumValue, crc64Digest);
+                        done();
+                    });
+                });
+            });
+        });
+
+        it('should handle dual-checksum with trailer (STREAMING-UNSIGNED-PAYLOAD-TRAILER)', done => {
+            initiateMPU({}, (err, uploadId) => {
+                assert.ifError(err);
+                const { algorithms } = require('../../../lib/api/apiUtils/integrity/validateChecksums');
+                const hash = algorithms.sha256.createHash();
+                hash.update(partBody);
+                const crc64Hash = algorithms.crc64nvme.createHash();
+                crc64Hash.update(partBody);
+                Promise.all([
+                    algorithms.sha256.digestFromHash(hash),
+                    algorithms.crc64nvme.digestFromHash(crc64Hash),
+                ]).then(([sha256Digest, crc64Digest]) => {
+                    // Build chunked body with trailing checksum
+                    const hexLen = partBody.length.toString(16);
+                    const chunkedBody = `${hexLen}\r\n${partBody.toString()}\r\n` +
+                        `0\r\nx-amz-checksum-sha256:${sha256Digest}\r\n`;
+                    const request = makePutPartRequest(uploadId, 1, Buffer.from(chunkedBody), {
+                        'x-amz-content-sha256': 'STREAMING-UNSIGNED-PAYLOAD-TRAILER',
+                        'x-amz-trailer': 'x-amz-checksum-sha256',
+                    });
+                    request.parsedContentLength = partBody.length;
+                    objectPutPart(authInfo, request, undefined, log, (err, hexDigest, corsHeaders) => {
+                        assert.ifError(err);
+                        // Response should echo the client's sha256
+                        assert.strictEqual(corsHeaders['x-amz-checksum-sha256'], sha256Digest);
+                        // Stored metadata should be crc64nvme with correct value
+                        const partMD = getPartMetadata(uploadId);
+                        assert(partMD);
+                        assert.strictEqual(partMD.checksumAlgorithm, 'crc64nvme');
+                        assert.strictEqual(partMD.checksumValue, crc64Digest);
+                        done();
+                    });
+                });
+            });
+        });
+
+        it('should return client-facing checksum in response header for dual-checksum', done => {
+            initiateMPU({}, (err, uploadId) => {
+                assert.ifError(err);
+                const { algorithms } = require('../../../lib/api/apiUtils/integrity/validateChecksums');
+                const hash = algorithms.sha256.createHash();
+                hash.update(partBody);
+                Promise.resolve(algorithms.sha256.digestFromHash(hash)).then(digest => {
+                    const request = makePutPartRequest(uploadId, 1, partBody, {
+                        'x-amz-checksum-sha256': digest,
+                    });
+                    objectPutPart(authInfo, request, undefined, log, (err, hexDigest, corsHeaders) => {
+                        assert.ifError(err);
+                        assert.strictEqual(corsHeaders['x-amz-checksum-sha256'], digest);
+                        assert.strictEqual(corsHeaders['x-amz-checksum-crc64nvme'], undefined);
+                        done();
+                    });
+                });
+            });
+        });
+    });
+});
