CLDSRV-898: handle checksums in CompleteMultipartUpload

[leif-scality]

• Calculate and compare the final object checksum with the one sent by the headers
• Check that all parts have the correct checksum and checksum type
• stores the final checksum when FULL_OBJECT (COMPOSITE are going to be stored by https://scality.atlassian.net/browse/S3C-10399)
• lint tests/unit/api/multipartUpload.js

[claude]

LGTM

Review by Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 92.35294% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.39%. Comparing base (580d648) to head (7b3785c).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
lib/api/completeMultipartUpload.js	90.59%	11 Missing ⚠️
lib/api/apiUtils/integrity/validateChecksums.js	96.22%	2 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
lib/api/apiUtils/integrity/validateChecksums.js	98.80% <96.22%> (-0.25%)	⬇️
lib/api/completeMultipartUpload.js	90.34% <90.59%> (+0.99%)	⬆️

... and 3 files with indirect coverage changes

@@                 Coverage Diff                 @@
##           development/9.4    #6170      +/-   ##
===================================================
+ Coverage            85.25%   85.39%   +0.13%     
===================================================
  Files                  208      208              
  Lines                13919    14065     +146     
===================================================
+ Hits                 11867    12011     +144     
- Misses                2052     2054       +2     

Flag	Coverage Δ
file-ft-tests	69.30% <62.94%> (+0.48%)	⬆️
kmip-ft-tests	27.88% <4.70%> (-0.25%)	⬇️
mongo-v0-ft-tests	70.50% <62.94%> (+0.52%)	⬆️
mongo-v1-ft-tests	70.46% <62.94%> (+0.39%)	⬆️
multiple-backend	36.28% <5.88%> (-0.33%)	⬇️
sur-tests	35.14% <5.88%> (-1.23%)	⬇️
sur-tests-inflights	38.00% <46.47%> (+0.65%)	⬆️
unit	72.23% <91.17%> (+0.21%)	⬆️
utapi-v2-tests	35.22% <46.47%> (+0.44%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bert-e]

Hello leif-scality,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-898 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.4.0

Please check the Fix Version/s of CLDSRV-898, or the target
branch of this pull request.

[claude]

LGTM

Well-designed separation of CompleteMPU's final-object checksum semantics from body-digest validation. The callNext double-callback guard in processParts is a good defensive pattern for the mixed callback/promise flow. Test coverage is thorough across all algorithm/type combinations, including edge cases for default MPUs, legacy MPUs, and soft-null vs InternalError distinction.

Review by Claude Code

[jonathan-gramain]

Suggested change

	const parts = jsonList.Part || [];
	for (let i = 0; i < parts.length; i++) {
	const part = parts[i];
	for (const part of (jsonList.Part || [])) {

[leif-scality]

done

[jonathan-gramain]

Suggested change

	`The ${algoLabel} you specified for part ${partNumber} ` + 'did not match what we received.',
	`The ${algoLabel} you specified for part ${partNumber} did not match what we received.`,

[leif-scality]

done

[jonathan-gramain]

There's already a test file multipartUpload.js, wouldn't it be better to add the tests there? Or if a refactor into multiple files is beneficial, maybe port some related tests from there to this new file to avoid scattering the complete MPU tests into multiple files.

[leif-scality]

moved the tests to multipartUpload.js. This also triggered the new prettier linter in the file, I added it as a separate commit

[jonathan-gramain]

Shouldn't this be in constants too?

[leif-scality]

The algorithms object contains the TAG of each algo already, this object is just for testing that the tag was not changed in the algorithms object

[jonathan-gramain]

Could you construct it from algorithms? If algorithm is supposed to be a constant and we are concerned that it may be accidentally changed, what about using Object.freeze on it?

[jonathan-gramain]

Is the double space intentional? Also not very fond of matching against such a long error message that may vary, but that's okay I think.

[leif-scality]

AWS returns two spaces. For all the final API/XML errors I return exactly what AWS returns

 <Error><Code>InvalidPart</Code>
<Message>One or more of the specified parts could not be found.  The part may not have been uploaded, or the specified entity
  tag may not match the part's entity tag.</Message>
<UploadId>CTFNKyL2hI6n6irH0zbVWDzdPZ4n2ueJceRh1juCeuL2X5HOjrvCmXQMEqaoAatEWTEa3pWWxC7t9lOStMzjo0nJb4pv8Ct6oT
  Hv2n8mggVXRQ8RxiXyVyt3.3zpY98HVsZd.ozihhJ1HdUjLCkJtwJMQdNBd4fSdG9drS80vdg-</UploadId>
<PartNumber>1</PartNumber>
<ETag>0ebf9257a12e808d107b2ed1a826c122</ETag>
<RequestId>DAQAPVMCMSY4PDPV</RequestId>
<HostId>XS/2re3ieUQRTKdANLtZv14qyB2h3LjVHnmVrvjP0cj1PazPO16KkArQMtBLBy8S4mmLzQkuXZc=</HostId></Error>

[jonathan-gramain]

okay fair enough (my little voice tells me that AWS didn't care that much about the beauty of their error messages 🙂 )

[jonathan-gramain]

I believe no sane application would match an error by their exact error message to the dot, but I'm good with sticking to AWS to avoid ourselves asking the question. Personally I wouldn't care though 😛

[jonathan-gramain]

Also I believe the error messages are not enforced by the API contract, hence may change at any time on AWS side, which would make our effort useless in the end. Just my two cents and my last comment on this 😉

[jonathan-gramain]

If the list of supported headers is known and a short list of supported algorithms, it may be cleaner to directly extract each of the possible ones, or otherwise filter like [list-of-supported-headers].includes(h).

It would change the behavior (probably in a good way) if the client sends one or more unsupported checksums along with multiple valid ones, where we probably want to return AlgoNotSupported rather than MultipleChecksumTypes in priority in this case, but that's more a nitpick, either way should work.

[leif-scality]

AWS checks MultipleChecksumTypes before AlgoNotSupported, the current behavior is the same as AWS.

AWS also ignores only x-amz-checksum-type and x-amz-checksum-algorithm, they don't count them to the checksum count, and they also never trigger AlgoNotSupported. if we send x-amz-checksum-BAD on the other hand we get an AlgoNotSupported. If we send x-amz-checksum-BAD + x-amz-checksum-ZZZ we get MultipleChecksumTypes.

So the order is

1. check no MultipleChecksumTypes
2. check no AlgoNotSupported
3. check actual checksum value, BadDigest if mismatch

I added a commit to ignore x-amz-checksum-type and x-amz-checksum-algorithm in the other functions, I didn't know this behavior existed.

[jonathan-gramain]

Sounds good to me.

IMHO we don't necessarily have to mimic every AWS behavior when it comes to error handling in particular, as it takes time to reverse engineer those aspects with no clear benefit, and AWS implementation is not perfect and their choices can be debated too. Sure it became the de facto standard and we need to stick to its way of doing things to avoid breaking existing applications, but not necessarily in all its nitty gritty details and quirks.

[claude]

LGTM

The checksum handling for CompleteMultipartUpload is well-implemented: the split between md5-only body validation and final-object checksum assertion correctly matches AWS behavior. The callNext guard in processParts properly prevents double-callbacks in the mixed callback/promise flow. Per-part validation, final-object computation, and header assertion are thorough. Tests cover the full (algorithm, type) matrix including edge cases (default MPU, legacy MPU, missing parts).

Review by Claude Code

[claude]

• completeMultipartUpload.js:352 — When storedMetadata.checksumType is undefined (legacy MPU created before the checksum feature), the error message interpolates undefined into user-facing text: "The upload was created using the undefined checksum mode." Split the !mpuType guard into a separate branch with an appropriate message.
  
  Review by Claude Code

[claude]

LGTM — solid implementation with thorough test coverage.

One minor nit:
- Orphaned JSDoc in validateChecksums.js:332-337: the validateChecksumsNoChunking JSDoc now sits above the new validateContentMd5 function instead of its intended target.

Review by Claude Code

[claude]

• require('../../../lib/services') inside an it() callback at tests/unit/api/multipartUpload.js:4119. The project testing conventions require require()/import at the top of the file, never inside describe or function bodies. Move it alongside the other top-level imports.
  - Add const services = require('../../../lib/services'); at the top of the file and reference it from the test.
  
  Review by Claude Code

[claude]

LGTM

The checksum validation logic is well-structured: moving CompleteMPU out of checksumedMethods into md5OnlyMethods correctly distinguishes body-digest headers from final-object-checksum headers. The callNext double-callback guard in the Promise-to-callback bridge is appropriate defensive coding. Test coverage is thorough across all algorithm/type combinations, edge cases (default vs explicit MPU, legacy MPU, missing parts), and the new x-amz-checksum-type header validation.

Review by Claude Code

[claude]

callNext is not defined anywhere in this file — this will throw a ReferenceError at runtime when computeFinalChecksum returns an error for an explicit (non-default) MPU. Should be next.

— Claude Code

[leif-scality]

fixed

[claude]

• lib/api/completeMultipartUpload.js:623: callNext is not defined — will throw ReferenceError at runtime when computeFinalChecksum returns an error on an explicit (non-default) MPU. Should be next.
  - Replace callNext(error, destBucket) with next(error, destBucket)
  
  Review by Claude Code

[claude]

LGTM

Review by Claude Code

[BourgoisMickael]

This diff is too big, it could be in another PR by itself

[BourgoisMickael]

This pattern reoccurs multiple times in this file, you can make a function for that

[BourgoisMickael]

Suggested change

	'should return CRC64NVME/FULL_OBJECT on CompleteMPU response ' + 'when CreateMPU sent no checksum headers',
	'should return CRC64NVME/FULL_OBJECT on CompleteMPU response when CreateMPU sent no checksum headers',

[BourgoisMickael]

You can use assert.rejects

            await assert.rejects(promise, err => {
                assert.strictEqual(
                    err.name,
                    'InvalidPart',
                    `expected InvalidPart, got ${err.name}: ${err.message}`,
                );
               });

[leif-scality]

I forced push from the wrong branch, reverted the changes

[BourgoisMickael]

debug logs should probably not be tested

[leif-scality]

I will remove the log tests

[claude]

LGTM — well-structured feature with thorough test coverage across all algorithm/type combinations, error paths, and edge cases. Two minor nits posted inline:

- continueProcessParts(null) at two call sites passes an argument the function ignores — should be continueProcessParts()

Review by Claude Code

[BourgoisMickael]

In some tests above you use assert.ifError(result) and here assert.strictEqual(result, null), you should stick to only 1 pattern and be consistent everywhere

[BourgoisMickael]

It would be better to have a full mocked logger like it's done in some other test files, to avoid breakin if we change from debug to another level

[leif-scality]

I will remove the log tests

[jonathan-gramain]

Deconstruction could be slightly more readable

Suggested change

	const algorithm = storedMetadata.checksumAlgorithm;
	const type = storedMetadata.checksumType;
	const { checksumAlgorithm: algorithm, checksumType: type } = storedMetadata;

[jonathan-gramain]

Shouldn't this function be another step in the waterfall?

[jonathan-gramain]

Is there a benefit in catching those errors since we already have a catch-all below

[jonathan-gramain]

I think a lot of the unit tests could be turned into a declarative matrix for readability.

[jonathan-gramain]

It seems to me the test code is riddled with this type of local helpers, maybe we should consider a common layer of helpers for MPU construction?

[jonathan-gramain]

Extra newline and concatenation doesn't look necessary.