bug: S3 put object returns different code for invalid checksum from actual S3 API #12187

@zongsizhang

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

We verify the putObject permission on a bucket by running the following put action:

try:
    # By providing an invalid checksum, we can test if the user has the necessary permissions to put an object into the bucket
    # without actually modifying the contents of the bucket
    local_s3_client.put_object(
        Bucket=bucket_name,
        Key=f"{path}{id_generator()}",
        Body=b"test",
        ChecksumSHA256="F4n4ufZISY9avP48cbf7QEcUO0MQItR30np6y6ZNLKg=",  # invalid checksum
    )
    return True
except botocore.exceptions.ClientError as e:
    if e.response["Error"]["Code"] == "BadDigest":
        return True

When we send the request to AWS S3, we get the following response:

{'Error': {'Code': 'BadDigest', 'Message': 'The SHA256 you specified did not match the calculated checksum.'}, ...}

But when we execute the same code when connecting to the LocalStack service, we get the following response:

{'Code': 'InvalidRequest', 'Message': 'Value for x-amz-checksum-sha256 header is invalid.'}

The error code is different.

Expected Behavior

The LocalStack service should return the same error code as the actual AWS API:

{'Error': {'Code': 'BadDigest', 'Message': 'The SHA256 you specified did not match the calculated checksum.'}, ...}

How are you starting LocalStack?

Custom (please describe below)

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

We use Testcontainers to orchestrate the LocalStack service using the latest image:
with LocalStackContainer(image="localstack/localstack:latest") as localstack:
	...

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

try:
    # By providing an invalid checksum, we can test if the user has the necessary permissions to put an object into the bucket
    # without actually modifying the contents of the bucket
    local_s3_client.put_object(
        Bucket=bucket_name,
        Key=f"{path}{id_generator()}",
        Body=b"test",
        ChecksumSHA256="F4n4ufZISY9avP48cbf7QEcUO0MQItR30np6y6ZNLKg=",  # invalid checksum
    )
    return True
except botocore.exceptions.ClientError as e:
    if e.response["Error"]["Code"] == "BadDigest":
        return True

Environment

- OS: macOS
- LocalStack:
  LocalStack version: latest (4.0.3)
  LocalStack Docker image sha: sha256:17c2f79ca4e1f804eb912291a19713d4134806325ef0d21d4c1053161dfa72d0
  LocalStack build date: 
  LocalStack build git hash:

Anything else?

No response
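
An added example, not part of the original issue and not LocalStack's code: a fail-closed interpreter for the probe's rejection response, run over the two responses quoted above. The function names, the `emulator` flag and the AccessDenied sample are assumptions made for this illustration.

```python
import base64
import hashlib

# Both rejection responses are the ones quoted in the issue.
AWS_RESPONSE = {"Error": {"Code": "BadDigest", "Message":
    "The SHA256 you specified did not match the calculated checksum."}}
LOCALSTACK_RESPONSE = {"Code": "InvalidRequest", "Message":
    "Value for x-amz-checksum-sha256 header is invalid."}
# Constructed sample: the response a caller without put permission would get.
DENIED_RESPONSE = {"Error": {"Code": "AccessDenied", "Message": "Access Denied"}}

PROBE_CHECKSUM = "F4n4ufZISY9avP48cbf7QEcUO0MQItR30np6y6ZNLKg="  # from the issue


def is_wellformed_mismatch(body: bytes, checksum_b64: str) -> bool:
    """True if the value is valid base64 for 32 bytes but is not SHA-256(body).

    The probe depends on this: the header must be well formed and wrong, so
    that the only reason for rejection is the digest comparison.
    """
    try:
        raw = base64.b64decode(checksum_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32 and raw != hashlib.sha256(body).digest()


def probe_allows_put(response: dict, emulator: bool = False) -> bool:
    """Interpret a rejected probe; True only if the checksum was the reason.

    `emulator` (hypothetical flag) accepts the divergent code reported in this
    issue. It stays off for real AWS so the production check is not loosened
    to accommodate the test environment.
    """
    err = response.get("Error", response)  # nested and flat shapes both appear above
    code, message = err.get("Code"), err.get("Message", "")
    if code == "BadDigest":
        return True
    if emulator and code == "InvalidRequest" and "x-amz-checksum-sha256" in message:
        return True
    return False  # AccessDenied and any unrecognised code: fail closed
```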

Labels

aws:s3 (Amazon Simple Storage Service), status: resolved/fixed (Resolved with a fix or an implementation), type: bug (Bug report)