S3: implement new data integrity for MultipartUpload #12183
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bentsku
commented
Jan 25, 2025
tests/unit/test_s3.py
Outdated
There was a problem hiding this comment.
This file was testing botocore code, so it wasn't really useful
tests/aws/services/s3/test_s3.py
Outdated
There was a problem hiding this comment.
Sorry for all the duplication in the tests, multipart uploads are super verbose and annoying to work with
Comment on lines
-393
to
-426
| def get_object_checksum_for_algorithm(checksum_algorithm: str, data: bytes) -> str: | ||
| match checksum_algorithm: | ||
| case ChecksumAlgorithm.CRC32: | ||
| return checksum_crc32(data) | ||
|
|
||
| case ChecksumAlgorithm.CRC32C: | ||
| return checksum_crc32c(data) | ||
|
|
||
| case ChecksumAlgorithm.SHA1: | ||
| return hash_sha1(data) | ||
|
|
||
| case ChecksumAlgorithm.SHA256: | ||
| return hash_sha256(data) | ||
|
|
||
| case _: | ||
| # TODO: check proper error? for now validated client side, need to check server response | ||
| raise InvalidRequest("The value specified in the x-amz-trailer header is not supported") | ||
|
|
||
|
|
||
| def verify_checksum(checksum_algorithm: str, data: bytes, request: Dict): | ||
| # TODO: you don't have to specify the checksum algorithm | ||
| # you can use only the checksum-{algorithm-type} header | ||
| # https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html | ||
| key = f"Checksum{checksum_algorithm.upper()}" | ||
| # TODO: is there a message if the header is missing? | ||
| checksum = request.get(key) | ||
| calculated_checksum = get_object_checksum_for_algorithm(checksum_algorithm, data) | ||
|
|
||
| if calculated_checksum != checksum: | ||
| raise InvalidRequest( | ||
| f"Value for x-amz-checksum-{checksum_algorithm.lower()} header is invalid." | ||
| ) | ||
|
|
||
|
|
There was a problem hiding this comment.
this code wasn't used anymore anywhere, since we're properly calculating checksums on streams instead of the full string
| @@ -454,40 +442,6 @@ def base_64_content_md5_to_etag(content_md5: ContentMD5) -> str | None: | |||
| return hex_digest | |||
|
|
|||
|
|
|||
| def decode_aws_chunked_object( | |||
There was a problem hiding this comment.
we did not use this code anymore, as localstack.services.s3.codec.AwsChunkedDecoder superseded it
S3 Image Test Results (AMD64 / ARM64) 2 files ± 0 2 suites ±0 8m 8s ⏱️ + 2m 58s Results for commit c3b2220. ± Comparison against base commit faef710. This pull request removes 2 and adds 31 tests. Note that renamed tests count towards both.♻️ This comment has been updated with latest results. |
1167d27 to
0c5c40e
Compare
This reverts commit ad6e619.
0c5c40e to
1d155af
Compare
1d155af to
7fc465e
Compare
LocalStack Community integration with Pro 2 files ± 0 2 suites ±0 1h 53m 49s ⏱️ + 1m 6s Results for commit c3b2220. ± Comparison against base commit faef710. This pull request removes 2 and adds 48 tests. Note that renamed tests count towards both.♻️ This comment has been updated with latest results. |
k-a-il
approved these changes
Jan 28, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
This PR implements the new data integrity checks for Multipart Upload (shortened MPU), namely the ability to set the
FULL_OBJECTchecksum type for a MPU, allowing the user to not keep track of individual checksum parts to calculate the final one, but instead send the full object checksum to S3. This can be done thanks toCRC*type checksums, which can linearize, meaning you can get the full object checksum from the individual parts' checksums (via a somewhat complicated function).The PR looks big (3k lines), but 70% of it is snapshots, because I had to cover a lot of different cases, operations' responses, and there was a lot of ground to cover that wasn't previously covered.
There is a lot of additional validation and default values to check (different relationship between checksum algorithm and checksum type), new validation of the MPU total size at completion time, I've also ported the fix with different error message depending if the checksum value is valid or not.
The biggest part and challenge of this PR is to implement to logic to combine CRC checksums together in order to create the
FULL_OBJECTchecksum. More can be read about this in the following Stack Overflow post: https://stackoverflow.com/a/23126768I had to look everywhere online to try to find someway to do that, and it was pretty hard to find. I found an old repository of Alibaba, with the function available in Python2 to combine CRC64 checksums, I had to adapt it a little to run with Python3 and fit our use case better.
More resources to read about the new S3 data integrity push:
There's also a bit of cleanup done, removing some unused functions/code.
Changes
FULL_OBJECTandCOMPOSITEfor MPU