Add checksum listeners before response targets (#3250)

Author: mullermp

build_tools/services.rb

@@ -12,7 +12,7 @@ class ServiceEnumerator
     MINIMUM_CORE_VERSION = "3.216.0"
 
     # Minimum `aws-sdk-core` version for new S3 gem builds
-    MINIMUM_CORE_VERSION_S3 = "3.216.0"
+    MINIMUM_CORE_VERSION_S3 = "3.224.1"
 
     EVENTSTREAM_PLUGIN = "Aws::Plugins::EventStreamConfiguration"
 

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Signal data in http response listeners prior to writing, so that data can be inspected or verified before potential mutation.
+
 3.224.0 (2025-05-12)
 ------------------
 

gems/aws-sdk-core/lib/seahorse/client/http/response.rb

@@ -66,8 +66,8 @@ def signal_headers(status_code, headers)
         # @param [string] chunk
         def signal_data(chunk)
           unless chunk == ''
-            @body.write(chunk)
             emit(:data, chunk)
+            @body.write(chunk)
           end
         end
 

gems/aws-sdk-s3/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Signal data in http response listeners prior to writing, so that data can be inspected or verified before potential mutation.
+
 1.186.1 (2025-05-15)
 ------------------
 * Issue - Abort multipart download if object is modified during download.

gems/aws-sdk-s3/lib/aws-sdk-s3/plugins/streaming_retry.rb

@@ -62,18 +62,16 @@ class StreamingRetry < Seahorse::Client::Plugin
         class Handler < Seahorse::Client::Handler
 
           def call(context)
-            target = context.params[:response_target] || context[:response_target]
-
             # retry is only supported when range is NOT set on the initial request
-            if supported_target?(target) && !context.params[:range]
-              add_event_listeners(context, target)
+            if supported_target?(context) && !context.params[:range]
+              add_event_listeners(context)
             end
             @handler.call(context)
           end
 
           private
 
-          def add_event_listeners(context, target)
+          def add_event_listeners(context)
             context.http_response.on_headers(200..299) do
               case context.http_response.body
               when Seahorse::Client::BlockIO then
@@ -123,8 +121,8 @@ def retryable_body?(context)
               context.http_response.body.is_a?(RetryableManagedFile)
           end
 
-          def supported_target?(target)
-            case target
+          def supported_target?(context)
+            case context[:response_target]
             when Proc, String, Pathname then true
             else false
             end

gems/aws-sdk-s3/spec/plugins/checksum_algorithm_spec.rb

@@ -4,92 +4,109 @@
 
 module Aws
   module S3
-    module Plugins
-      describe ChecksumAlgorithm do
-        let(:creds) { Aws::Credentials.new('akid', 'secret') }
-        let(:client) { S3::Client.new(stub_responses: true) }
-        let(:bucket) { 'bucket' }
-        let(:key) { 'key' }
+    describe Client do
+      let(:creds) { Aws::Credentials.new('akid', 'secret') }
+      let(:client) { S3::Client.new(stub_responses: true) }
+      let(:bucket) { 'bucket' }
+      let(:key) { 'key' }
 
-        let(:body) { 'hello world' }
-        let(:digest) { 'DUoRhQ==' }
+      let(:body) { 'hello world' }
+      let(:digest) { 'DUoRhQ==' }
 
-        let(:body_part_1) { 'hello '}
-        let(:digest_part_1) { '7YH59g==' }
+      let(:body_part_1) { 'hello '}
+      let(:digest_part_1) { '7YH59g==' }
 
-        it 'validates the checksum on an Object GET' do
-          client.stub_responses(
-            :get_object,
-            [{
-               body: body,
-               headers: {'x-amz-checksum-crc32' => digest},
-               status_code: 200
-             }])
-          resp = client.get_object(bucket: bucket, key: key, checksum_mode: 'ENABLED')
-          expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
-        end
+      it 'validates the checksum on an Object GET' do
+        client.stub_responses(
+          :get_object,
+          [{
+             body: body,
+             headers: {'x-amz-checksum-crc32' => digest},
+             status_code: 200
+           }]
+        )
+        resp = client.get_object(bucket: bucket, key: key)
+        expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
+      end
 
-        it 'raises when the checksum does not match on an Object GET' do
-          client.stub_responses(
-            :get_object,
-            [{
-               body: body,
-               headers: {'x-amz-checksum-crc32' => 'invalid_value'},
-               status_code: 200
-             }])
-          expect do
-            client.get_object(bucket: bucket, key: key, checksum_mode: 'ENABLED')
-          end.to raise_error(Aws::Errors::ChecksumError)
-        end
+      it 'raises when the checksum does not match on an Object GET' do
+        client.stub_responses(
+          :get_object,
+          [{
+             body: body,
+             headers: {'x-amz-checksum-crc32' => 'invalid_value'},
+             status_code: 200
+           }]
+        )
+        expect do
+          client.get_object(bucket: bucket, key: key)
+        end.to raise_error(Aws::Errors::ChecksumError)
+      end
 
-        it 'validates the checksum on a range GET matching the part boundary' do
-          client.stub_responses(
-            :get_object,
-            [{
-               body: body_part_1,
-               headers: {'x-amz-checksum-crc32' => digest_part_1},
-               status_code: 200
-             }])
-          resp = client.get_object(bucket: bucket, key: key, checksum_mode: 'ENABLED', range: "bytes=0-6")
-          expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
-        end
+      it 'validates the checksum on a range GET matching the part boundary' do
+        client.stub_responses(
+          :get_object,
+          [{
+             body: body_part_1,
+             headers: {'x-amz-checksum-crc32' => digest_part_1},
+             status_code: 200
+           }]
+        )
+        resp = client.get_object(bucket: bucket, key: key, range: "bytes=0-6")
+        expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
+      end
 
-        it 'validates the checksum on a single part GET' do
-          client.stub_responses(
-            :get_object,
-            [{
-               body: body_part_1,
-               headers: {'x-amz-checksum-crc32' => digest_part_1},
-               status_code: 200
-             }])
-          resp = client.get_object(bucket: bucket, key: key, checksum_mode: 'ENABLED', part_number: 1)
-          expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
+      it 'validates the checksum on a single part GET' do
+        client.stub_responses(
+          :get_object,
+          [{
+             body: body_part_1,
+             headers: {'x-amz-checksum-crc32' => digest_part_1},
+             status_code: 200
+           }]
+        )
+        resp = client.get_object(bucket: bucket, key: key, part_number: 1)
+        expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
+      end
+
+      it 'validates before any mutation of response target' do
+        client.stub_responses(
+          :get_object,
+          [{
+             body: body,
+             headers: {'x-amz-checksum-crc32' => digest},
+             status_code: 200
+           }]
+        )
+        resp = client.get_object(bucket: bucket, key: key) do |chunk|
+          chunk.upcase!
         end
+        expect(resp.context[:http_checksum][:validated]).to eq 'CRC32'
+      end
 
-        context 'checksum response composite validation' do
-          file = File.expand_path('checksum_response_composite.json', __dir__)
-          test_cases = JSON.load_file(file)
+      context 'checksum response composite validation' do
+        file = File.expand_path('checksum_response_composite.json', __dir__)
+        test_cases = JSON.load_file(file)
 
-          test_cases.each do |test_case|
-            it "passes test: #{test_case['documentation']}" do
-              if (algorithm = test_case['checksumAlgorithm'])
-                algorithm.upcase!
-                unless Aws::Plugins::ChecksumAlgorithm::CLIENT_ALGORITHMS.include?(algorithm)
-                  skip "Algorithm #{algorithm} not supported"
-                end
+        test_cases.each do |test_case|
+          it "passes test: #{test_case['documentation']}" do
+            if (algorithm = test_case['checksumAlgorithm'])
+              algorithm.upcase!
+              unless Aws::Plugins::ChecksumAlgorithm::CLIENT_ALGORITHMS.include?(algorithm)
+                skip "Algorithm #{algorithm} not supported"
               end
-
-              client.stub_responses(
-                :get_object,
-                [{
-                   body: test_case['responsePayload'],
-                   headers: test_case['responseHeaders'],
-                   status_code: 200
-                }]
-              )
-              resp = client.get_object(bucket: bucket, key: key, checksum_mode: 'ENABLED')
-              expect(resp.context[:http_checksum][:validated]).to be_nil
             end
+
+            client.stub_responses(
+              :get_object,
+              [{
+                 body: test_case['responsePayload'],
+                 headers: test_case['responseHeaders'],
+                 status_code: 200
+              }]
+            )
+            resp = client.get_object(bucket: bucket, key: key, checksum_mode: 'ENABLED')
+            expect(resp.context[:http_checksum][:validated]).to be_nil
           end
         end
       end