localstack
diff --git a/‎localstack-core/localstack/aws/api/s3/__init__.py
Lines changed: 2 additions & 0 deletions b/‎localstack-core/localstack/aws/api/s3/__init__.py
Lines changed: 2 additions & 0 deletions
diff --git a/‎localstack-core/localstack/aws/spec-patches.json
Lines changed: 12 additions & 0 deletions b/‎localstack-core/localstack/aws/spec-patches.json
Lines changed: 12 additions & 0 deletions
diff --git a/‎localstack-core/localstack/services/s3/models.py
Lines changed: 10 additions & 8 deletions b/‎localstack-core/localstack/services/s3/models.py
Lines changed: 10 additions & 8 deletions
diff --git a/‎localstack-core/localstack/services/s3/provider.py
Lines changed: 55 additions & 23 deletions b/‎localstack-core/localstack/services/s3/provider.py
Lines changed: 55 additions & 23 deletions
@@ -3579,8 +3579,10 @@ class PostResponse(TypedDict, total=False):
     ETagHeader: Optional[ETag]
     ChecksumCRC32: Optional[ChecksumCRC32]
     ChecksumCRC32C: Optional[ChecksumCRC32C]
+    ChecksumCRC64NVME: Optional[ChecksumCRC64NVME]
     ChecksumSHA1: Optional[ChecksumSHA1]
     ChecksumSHA256: Optional[ChecksumSHA256]
+    ChecksumType: Optional[ChecksumType]
     ServerSideEncryption: Optional[ServerSideEncryption]
     VersionId: Optional[ObjectVersionId]
     SSECustomerAlgorithm: Optional[SSECustomerAlgorithm]
 
@@ -540,6 +540,12 @@
             "location": "header",
             "locationName": "x-amz-checksum-crc32c"
           },
+          "ChecksumCRC64NVME":{
+            "shape":"ChecksumCRC64NVME",
+            "documentation":"<p>This header can be used as a data integrity check to verify that the data received is the same data that was originally sent. This header specifies the Base64 encoded, 64-bit <code>CRC64NVME</code> checksum of the object. The <code>CRC64NVME</code> checksum is always a full object checksum. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html\">Checking object integrity in the Amazon S3 User Guide</a>.</p>",
+            "location":"header",
+            "locationName":"x-amz-checksum-crc64nvme"
+          },
           "ChecksumSHA1": {
             "shape": "ChecksumSHA1",
             "documentation": "<p>The base64-encoded, 160-bit SHA-1 digest of the object. This will only be present if it was uploaded with the object. With multipart uploads, this may not be a checksum value of the object. For more information about how checksums are calculated with multipart uploads, see <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html#large-object-checksums\"> Checking object integrity</a> in the <i>Amazon S3 User Guide</i>.</p>",
@@ -552,6 +558,12 @@
             "location": "header",
             "locationName": "x-amz-checksum-sha256"
           },
+          "ChecksumType":{
+            "shape":"ChecksumType",
+            "documentation":"<p>This header specifies the checksum type of the object, which determines how part-level checksums are combined to create an object-level checksum for multipart objects. You can use this header as a data integrity check to verify that the checksum type that is received is the same checksum that was specified. If the checksum type doesn’t match the checksum type that was specified for the object during the <code>CreateMultipartUpload</code> request, it’ll result in a <code>BadDigest</code> error. For more information, see Checking object integrity in the Amazon S3 User Guide. </p>",
+            "location":"header",
+            "locationName":"x-amz-checksum-type"
+          },
           "ServerSideEncryption": {
             "shape": "ServerSideEncryption",
             "documentation": "<p>If you specified server-side encryption either with an Amazon Web Services KMS key or Amazon S3-managed encryption key in your PUT request, the response includes this header. It confirms the encryption algorithm that Amazon S3 used to encrypt the object.</p>",
 
@@ -310,7 +310,7 @@ def __init__(
         self.etag = etag
         self.size = size
         self.expires = expires
-        self.checksum_algorithm = checksum_algorithm
+        self.checksum_algorithm = checksum_algorithm or ChecksumAlgorithm.CRC64NVME
         self.checksum_value = checksum_value
         self.checksum_type = checksum_type
         self.encryption = encryption
@@ -429,6 +429,7 @@ class S3Multipart:
     upload_id: MultipartUploadId
     checksum_value: Optional[str]
     checksum_type: Optional[ChecksumType]
+    checksum_algorithm: ChecksumAlgorithm
     initiated: datetime
     precondition: bool
 
@@ -463,6 +464,7 @@ def __init__(
         self.tagging = tagging
         self.checksum_value = None
         self.checksum_type = checksum_type
+        self.checksum_algorithm = checksum_algorithm
         self.precondition = precondition
         self.object = S3Object(
             key=key,
@@ -490,13 +492,13 @@ def complete_multipart(
     ):
         last_part_index = len(parts) - 1
         object_etag = hashlib.md5(usedforsecurity=False)
-        has_checksum = self.object.checksum_algorithm is not None
+        has_checksum = self.checksum_algorithm is not None
         checksum_hash = None
         if has_checksum:
-            if self.object.checksum_type == ChecksumType.COMPOSITE:
-                checksum_hash = get_s3_checksum(self.object.checksum_algorithm)
+            if self.checksum_type == ChecksumType.COMPOSITE:
+                checksum_hash = get_s3_checksum(self.checksum_algorithm)
             else:
-                checksum_hash = CombinedCrcHash(self.object.checksum_algorithm)
+                checksum_hash = CombinedCrcHash(self.checksum_algorithm)
 
         pos = 0
         parts_map = {}
@@ -520,7 +522,7 @@ def complete_multipart(
                 )
 
             if has_checksum:
-                checksum_key = f"Checksum{self.object.checksum_algorithm.upper()}"
+                checksum_key = f"Checksum{self.checksum_algorithm.upper()}"
                 if not (part_checksum := part.get(checksum_key)):
                     if self.checksum_type == ChecksumType.COMPOSITE:
                         # weird case, they still try to validate a different checksum type than the multipart
@@ -532,7 +534,7 @@ def complete_multipart(
                                 )
 
                         raise InvalidRequest(
-                            f"The upload was created using a {self.object.checksum_algorithm.lower()} checksum. "
+                            f"The upload was created using a {self.checksum_algorithm.lower()} checksum. "
                             f"The complete request must include the checksum for each part. "
                             f"It was missing for part {part_number} in the request."
                         )
@@ -584,7 +586,7 @@ def complete_multipart(
                 checksum_value = f"{checksum_value}-{len(parts)}"
 
             elif self.checksum_type == ChecksumType.FULL_OBJECT:
-                if validation_checksum != checksum_value:
+                if validation_checksum and validation_checksum != checksum_value:
                     raise BadDigest(
                         f"The {self.object.checksum_algorithm.lower()} you specified did not match the calculated checksum."
                     )
 
@@ -786,7 +786,9 @@ def put_object(
             s3_stored_object.write(body)
 
             if s3_object.checksum_algorithm:
-                if not validate_checksum_value(s3_object.checksum_value, checksum_algorithm):
+                if not s3_object.checksum_value:
+                    s3_object.checksum_value = s3_stored_object.checksum
+                elif not validate_checksum_value(s3_object.checksum_value, checksum_algorithm):
                     self._storage_backend.remove(bucket_name, s3_object)
                     raise InvalidRequest(
                         f"Value for x-amz-checksum-{s3_object.checksum_algorithm.lower()} header is invalid."
@@ -1066,6 +1068,9 @@ def head_object(
         if checksum_algorithm := s3_object.checksum_algorithm:
             if (request.get("ChecksumMode") or "").upper() == "ENABLED":
                 response[f"Checksum{checksum_algorithm.upper()}"] = s3_object.checksum_value
+                response["ChecksumType"] = getattr(
+                    s3_object, "checksum_type", ChecksumType.FULL_OBJECT
+                )
 
         if s3_object.parts and request.get("PartNumber"):
             response["PartsCount"] = len(s3_object.parts)
@@ -1091,6 +1096,7 @@ def head_object(
 
         if range_data:
             response["ContentLength"] = range_data.content_length
+            response["ContentRange"] = range_data.content_range
             response["StatusCode"] = 206
 
         add_encryption_to_response(response, s3_object=s3_object)
@@ -1470,6 +1476,7 @@ def copy_object(
         acl = get_access_control_policy_for_new_resource_request(
             request, owner=dest_s3_bucket.owner
         )
+        checksum_algorithm = request.get("ChecksumAlgorithm")
 
         s3_object = S3Object(
             key=dest_key,
@@ -1479,7 +1486,7 @@ def copy_object(
             expires=request.get("Expires"),
             user_metadata=user_metadata,
             system_metadata=system_metadata,
-            checksum_algorithm=request.get("ChecksumAlgorithm") or src_s3_object.checksum_algorithm,
+            checksum_algorithm=checksum_algorithm or src_s3_object.checksum_algorithm,
             encryption=encryption_parameters.encryption,
             kms_key_id=encryption_parameters.kms_key_id,
             bucket_key_enabled=request.get(
@@ -2175,6 +2182,10 @@ def create_multipart_upload(
             owner=s3_bucket.owner,
             precondition=object_exists_for_precondition_write(s3_bucket, key),
         )
+        # it seems if there is SSE-C on the multipart, AWS S3 will override the default Checksum behavior (but not on
+        # PutObject)
+        if sse_c_key_md5:
+            s3_multipart.object.checksum_algorithm = None
 
         s3_bucket.multiparts[s3_multipart.id] = s3_multipart
 
@@ -2286,7 +2297,10 @@ def upload_part(
             decoded_content_length = int(headers.get("x-amz-decoded-content-length", 0))
             body = AwsChunkedDecoder(body, decoded_content_length, s3_part)
 
-        if s3_part.checksum_algorithm != s3_multipart.object.checksum_algorithm:
+        if (
+            s3_multipart.checksum_algorithm
+            and s3_part.checksum_algorithm != s3_multipart.checksum_algorithm
+        ):
             error_req_checksum = checksum_algorithm.lower() if checksum_algorithm else "null"
             error_mp_checksum = (
                 s3_multipart.object.checksum_algorithm.lower()
@@ -2525,7 +2539,7 @@ def complete_multipart_upload(
                 UploadId=upload_id,
             )
 
-        mpu_checksum_algorithm = s3_multipart.object.checksum_algorithm
+        mpu_checksum_algorithm = s3_multipart.checksum_algorithm
         mpu_checksum_type = getattr(s3_multipart, "checksum_type", None)
 
         if checksum_type and checksum_type != mpu_checksum_type:
@@ -2555,24 +2569,36 @@ def complete_multipart_upload(
             s3_multipart.complete_multipart(
                 parts, mpu_size=mpu_object_size, validation_checksum=checksum_value
             )
+            if mpu_checksum_algorithm and (
+                (
+                    checksum_value
+                    and mpu_checksum_type == ChecksumType.FULL_OBJECT
+                    and not checksum_type
+                )
+                or any(
+                    checksum_value
+                    for checksum_type, checksum_value in checksum_map.items()
+                    if checksum_type != checksum_algorithm
+                )
+            ):
+                # this is not ideal, but this validation comes last... after the validation of individual parts
+                s3_multipart.object.parts.clear()
+                raise BadDigest(
+                    f"The {mpu_checksum_algorithm.lower()} you specified did not match the calculated checksum."
+                )
         else:
             s3_multipart.complete_multipart(parts)
 
-        if (
-            mpu_checksum_algorithm
-            and not checksum_type
-            and mpu_checksum_type == ChecksumType.FULL_OBJECT
-        ):
-            # this is not ideal, but this validation comes last... after the validation of individual parts
-            s3_multipart.object.parts.clear()
-            raise BadDigest(
-                f"The {mpu_checksum_algorithm.lower()} you specified did not match the calculated checksum."
-            )
-
         stored_multipart = self._storage_backend.get_multipart(bucket, s3_multipart)
         stored_multipart.complete_multipart(
             [s3_multipart.parts.get(part_number) for part_number in parts_numbers]
         )
+        if not s3_multipart.checksum_algorithm and s3_multipart.object.checksum_algorithm:
+            with self._storage_backend.open(
+                bucket, s3_multipart.object, mode="r"
+            ) as s3_stored_object:
+                s3_multipart.object.checksum_value = s3_stored_object.checksum
+                s3_multipart.object.checksum_type = ChecksumType.FULL_OBJECT
 
         s3_object = s3_multipart.object
 
@@ -2599,9 +2625,11 @@ def complete_multipart_upload(
         if s3_object.version_id:
             response["VersionId"] = s3_object.version_id
 
-        if s3_object.checksum_algorithm:
+        # it seems AWS is not returning checksum related fields if the object has KMS encryption ¯\_(ツ)_/¯
+        # but it still generates them, and they can be retrieved with regular GetObject and such operations
+        if s3_object.checksum_algorithm and not s3_object.kms_key_id:
             response[f"Checksum{s3_object.checksum_algorithm.upper()}"] = s3_object.checksum_value
-            response["ChecksumType"] = mpu_checksum_type
+            response["ChecksumType"] = s3_object.checksum_type
 
         if s3_object.expiration:
             response["Expiration"] = s3_object.expiration  # TODO: properly parse the datetime
@@ -2691,7 +2719,7 @@ def list_parts(
                 PartNumber=part_number,
                 Size=part.size,
             )
-            if s3_multipart.object.checksum_algorithm:
+            if s3_multipart.checksum_algorithm:
                 part_item[f"Checksum{part.checksum_algorithm.upper()}"] = part.checksum_value
 
             parts.append(part_item)
@@ -2720,7 +2748,7 @@ def list_parts(
 
         if part_number_marker:
             response["PartNumberMarker"] = part_number_marker
-        if s3_multipart.object.checksum_algorithm:
+        if s3_multipart.checksum_algorithm:
             response["ChecksumAlgorithm"] = s3_multipart.object.checksum_algorithm
             response["ChecksumType"] = getattr(s3_multipart, "checksum_type", None)
 
@@ -2820,8 +2848,8 @@ def list_multipart_uploads(
                     Owner=multipart.initiator,  # TODO: check the difference
                     Initiator=multipart.initiator,
                 )
-                if multipart.object.checksum_algorithm:
-                    multipart_upload["ChecksumAlgorithm"] = multipart.object.checksum_algorithm
+                if multipart.checksum_algorithm:
+                    multipart_upload["ChecksumAlgorithm"] = multipart.checksum_algorithm
                     multipart_upload["ChecksumType"] = getattr(multipart, "checksum_type", None)
 
                 uploads.append(multipart_upload)
@@ -4288,7 +4316,10 @@ def post_object(
         with self._storage_backend.open(bucket, s3_object, mode="w") as s3_stored_object:
             s3_stored_object.write(stream)
 
-            if checksum_algorithm and s3_object.checksum_value != s3_stored_object.checksum:
+            if not s3_object.checksum_value:
+                s3_object.checksum_value = s3_stored_object.checksum
+
+            elif checksum_algorithm and s3_object.checksum_value != s3_stored_object.checksum:
                 self._storage_backend.remove(bucket, s3_object)
                 raise InvalidRequest(
                     f"Value for x-amz-checksum-{checksum_algorithm.lower()} header is invalid."
@@ -4334,7 +4365,8 @@ def post_object(
             response["VersionId"] = s3_object.version_id
 
         if s3_object.checksum_algorithm:
-            response[f"Checksum{checksum_algorithm.upper()}"] = s3_object.checksum_value
+            response[f"Checksum{s3_object.checksum_algorithm.upper()}"] = s3_object.checksum_value
+            response["ChecksumType"] = ChecksumType.FULL_OBJECT
 
         if s3_bucket.lifecycle_rules:
             if expiration_header := self._get_expiration_header(