feat(s3): add configurable payload signing and Content-MD5 headers for S3-compatible providers (#842)

Co-authored-by: Claude <[email protected]>

Author: corylanou

.github/workflows/manual-integration-tests.yml

@@ -31,6 +31,11 @@ on:
         required: false
         default: false
         type: boolean
+      test_tigris:
+        description: 'Run Fly.io Tigris integration tests'
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   setup:
@@ -61,7 +66,8 @@ jobs:
         run: |
           if [ "${{ github.event.inputs.test_s3 }}" != "true" ] && \
              [ "${{ github.event.inputs.test_gcs }}" != "true" ] && \
-             [ "${{ github.event.inputs.test_abs }}" != "true" ]; then
+             [ "${{ github.event.inputs.test_abs }}" != "true" ] && \
+             [ "${{ github.event.inputs.test_tigris }}" != "true" ]; then
             echo "::error::At least one test type must be selected"
             exit 1
           fi
@@ -74,6 +80,7 @@ jobs:
           echo "- S3 (AWS): ${{ github.event.inputs.test_s3 }}" >> $GITHUB_STEP_SUMMARY
           echo "- Google Cloud Storage: ${{ github.event.inputs.test_gcs }}" >> $GITHUB_STEP_SUMMARY
           echo "- Azure Blob Storage: ${{ github.event.inputs.test_abs }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Fly.io Tigris: ${{ github.event.inputs.test_tigris }}" >> $GITHUB_STEP_SUMMARY
 
   s3-integration:
     name: S3 Integration Tests (AWS)
@@ -96,7 +103,7 @@ jobs:
 
       - run: go install ./cmd/litestream
 
-      - run: go test -v ./replica_client_test.go -integration s3
+      - run: go test -v ./replica_client_test.go -integration -replica-clients=s3
         env:
           LITESTREAM_S3_ACCESS_KEY_ID: ${{ secrets.LITESTREAM_S3_ACCESS_KEY_ID }}
           LITESTREAM_S3_SECRET_ACCESS_KEY: ${{ secrets.LITESTREAM_S3_SECRET_ACCESS_KEY }}
@@ -118,6 +125,47 @@ jobs:
             *.log
             test-results/
 
+  tigris-integration:
+    name: Tigris Integration Tests
+    runs-on: ubuntu-latest
+    needs: setup
+    if: github.event.inputs.test_tigris == 'true'
+    concurrency:
+      group: integration-test-tigris-manual
+      cancel-in-progress: false
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - run: go env
+
+      - run: go install ./cmd/litestream
+
+      - run: go test -v ./replica_client_test.go -integration -replica-clients=tigris
+        env:
+          LITESTREAM_TIGRIS_ACCESS_KEY_ID: ${{ secrets.LITESTREAM_TIGRIS_ACCESS_KEY_ID }}
+          LITESTREAM_TIGRIS_SECRET_ACCESS_KEY: ${{ secrets.LITESTREAM_TIGRIS_SECRET_ACCESS_KEY }}
+
+      - name: Create test results directory
+        if: always()
+        run: |
+          mkdir -p test-results
+          echo "Test completed at $(date)" > test-results/tigris-test.log
+
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: tigris-test-results
+          path: |
+            *.log
+            test-results/
+
   gcs-integration:
     name: Google Cloud Storage Integration Tests
     runs-on: ubuntu-latest
@@ -145,7 +193,7 @@ jobs:
 
       - run: go install ./cmd/litestream
 
-      - run: go test -v ./replica_client_test.go -integration gs
+      - run: go test -v ./replica_client_test.go -integration -replica-clients=gs
         env:
           GOOGLE_APPLICATION_CREDENTIALS: /opt/gcp.json
           LITESTREAM_GS_BUCKET: litestream-github-workflows
@@ -186,7 +234,7 @@ jobs:
 
       - run: go install ./cmd/litestream
 
-      - run: go test -v ./replica_client_test.go -integration abs
+      - run: go test -v ./replica_client_test.go -integration -replica-clients=abs
         env:
           LITESTREAM_ABS_ACCOUNT_NAME: ${{ secrets.LITESTREAM_ABS_ACCOUNT_NAME }}
           LITESTREAM_ABS_ACCOUNT_KEY: ${{ secrets.LITESTREAM_ABS_ACCOUNT_KEY }}
@@ -210,7 +258,7 @@ jobs:
   summary:
     name: Test Summary
     runs-on: ubuntu-latest
-    needs: [setup, s3-integration, gcs-integration, abs-integration]
+    needs: [setup, s3-integration, gcs-integration, abs-integration, tigris-integration]
     if: always()
     steps:
       - name: Download all artifacts
@@ -250,6 +298,14 @@ jobs:
             echo "⏭️ **Azure Blob Storage:** Skipped" >> $GITHUB_STEP_SUMMARY
           fi
 
+          if [ "${{ needs.tigris-integration.result }}" == "success" ]; then
+            echo "✅ **Fly.io Tigris:** Passed" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ needs.tigris-integration.result }}" == "failure" ]; then
+            echo "❌ **Fly.io Tigris:** Failed" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ needs.tigris-integration.result }}" == "skipped" ]; then
+            echo "⏭️ **Fly.io Tigris:** Skipped" >> $GITHUB_STEP_SUMMARY
+          fi
+
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "---" >> $GITHUB_STEP_SUMMARY
           echo "**Triggered by:** @${{ github.actor }}" >> $GITHUB_STEP_SUMMARY
@@ -272,6 +328,7 @@ jobs:
             if ('${{ needs.s3-integration.result }}' === 'failure') failedJobs.push('S3');
             if ('${{ needs.gcs-integration.result }}' === 'failure') failedJobs.push('GCS');
             if ('${{ needs.abs-integration.result }}' === 'failure') failedJobs.push('Azure');
+            if ('${{ needs.tigris-integration.result }}' === 'failure') failedJobs.push('Tigris');
 
             if (failedJobs.length > 0) {
               statusEmoji = '❌';

abs/replica_client.go

@@ -275,7 +275,8 @@ func (c *ReplicaClient) DeleteAll(ctx context.Context) error {
 	}
 
 	pager := c.client.NewListBlobsFlatPager(c.Bucket, &azblob.ListBlobsFlatOptions{
-		Prefix: &prefix,
+		Prefix:  &prefix,
+		Include: azblob.ListBlobsInclude{Metadata: true},
 	})
 
 	for pager.More() {
@@ -336,7 +337,8 @@ func newLTXFileIterator(ctx context.Context, client *ReplicaClient, level int, s
 	}
 
 	itr.pager = client.client.NewListBlobsFlatPager(client.Bucket, &azblob.ListBlobsFlatOptions{
-		Prefix: &prefix,
+		Prefix:  &prefix,
+		Include: azblob.ListBlobsInclude{Metadata: true},
 	})
 
 	return itr

cmd/litestream/main.go

@@ -811,15 +811,17 @@ type ReplicaSettings struct {
 	ValidationInterval *time.Duration `yaml:"validation-interval"`
 
 	// S3 settings
-	AccessKeyID     string    `yaml:"access-key-id"`
-	SecretAccessKey string    `yaml:"secret-access-key"`
-	Region          string    `yaml:"region"`
-	Bucket          string    `yaml:"bucket"`
-	Endpoint        string    `yaml:"endpoint"`
-	ForcePathStyle  *bool     `yaml:"force-path-style"`
-	SkipVerify      bool      `yaml:"skip-verify"`
-	PartSize        *ByteSize `yaml:"part-size"`
-	Concurrency     *int      `yaml:"concurrency"`
+	AccessKeyID       string    `yaml:"access-key-id"`
+	SecretAccessKey   string    `yaml:"secret-access-key"`
+	Region            string    `yaml:"region"`
+	Bucket            string    `yaml:"bucket"`
+	Endpoint          string    `yaml:"endpoint"`
+	ForcePathStyle    *bool     `yaml:"force-path-style"`
+	SignPayload       *bool     `yaml:"sign-payload"`
+	RequireContentMD5 *bool     `yaml:"require-content-md5"`
+	SkipVerify        bool      `yaml:"skip-verify"`
+	PartSize          *ByteSize `yaml:"part-size"`
+	Concurrency       *int      `yaml:"concurrency"`
 
 	// ABS settings
 	AccountName string `yaml:"account-name"`
@@ -894,6 +896,12 @@ func (rs *ReplicaSettings) SetDefaults(src *ReplicaSettings) {
 	if rs.ForcePathStyle == nil {
 		rs.ForcePathStyle = src.ForcePathStyle
 	}
+	if rs.SignPayload == nil {
+		rs.SignPayload = src.SignPayload
+	}
+	if rs.RequireContentMD5 == nil {
+		rs.RequireContentMD5 = src.RequireContentMD5
+	}
 	if src.SkipVerify {
 		rs.SkipVerify = true
 	}
@@ -1101,6 +1109,14 @@ func NewS3ReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_ *s
 
 	bucket, configPath := c.Bucket, c.Path
 	region, endpoint, skipVerify := c.Region, c.Endpoint, c.SkipVerify
+	signPayload := false
+	if v := c.SignPayload; v != nil {
+		signPayload = *v
+	}
+	requireContentMD5 := true
+	if v := c.RequireContentMD5; v != nil {
+		requireContentMD5 = *v
+	}
 
 	// Use path style if an endpoint is explicitly set. This works because the
 	// only service to not use path style is AWS which does not use an endpoint.
@@ -1117,10 +1133,14 @@ func NewS3ReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_ *s
 		}
 
 		var (
-			ubucket         string
-			uregion         string
-			uendpoint       string
-			uforcePathStyle bool
+			ubucket               string
+			uregion               string
+			uendpoint             string
+			uforcePathStyle       bool
+			usignPayload          bool
+			usignPayloadSet       bool
+			urequireContentMD5    bool
+			urequireContentMD5Set bool
 		)
 
 		if strings.HasPrefix(host, "arn:") {
@@ -1152,6 +1172,14 @@ func NewS3ReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_ *s
 		if qSkipVerify := query.Get("skipVerify"); qSkipVerify != "" {
 			skipVerify = qSkipVerify == "true"
 		}
+		if v, ok := boolQueryValue(query, "signPayload", "sign-payload"); ok {
+			usignPayload = v
+			usignPayloadSet = true
+		}
+		if v, ok := boolQueryValue(query, "requireContentMD5", "require-content-md5"); ok {
+			urequireContentMD5 = v
+			urequireContentMD5Set = true
+		}
 
 		// Only apply URL parts to field that have not been overridden.
 		if configPath == "" {
@@ -1169,6 +1197,12 @@ func NewS3ReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_ *s
 		if !forcePathStyle {
 			forcePathStyle = uforcePathStyle
 		}
+		if c.SignPayload == nil && usignPayloadSet {
+			signPayload = usignPayload
+		}
+		if c.RequireContentMD5 == nil && urequireContentMD5Set {
+			requireContentMD5 = urequireContentMD5
+		}
 	}
 
 	// Ensure required settings are set.
@@ -1186,6 +1220,8 @@ func NewS3ReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_ *s
 	client.Endpoint = endpoint
 	client.ForcePathStyle = forcePathStyle
 	client.SkipVerify = skipVerify
+	client.SignPayload = signPayload
+	client.RequireContentMD5 = requireContentMD5
 
 	// Apply upload configuration if specified.
 	if c.PartSize != nil {
@@ -1570,6 +1606,25 @@ func cleanReplicaURLPath(p string) string {
 	return cleaned
 }
 
+func boolQueryValue(query url.Values, keys ...string) (bool, bool) {
+	if query == nil {
+		return false, false
+	}
+	for _, key := range keys {
+		if raw := query.Get(key); raw != "" {
+			switch strings.ToLower(raw) {
+			case "true", "1", "t", "yes":
+				return true, true
+			case "false", "0", "f", "no":
+				return false, true
+			default:
+				return false, true
+			}
+		}
+	}
+	return false, false
+}
+
 func regionFromS3ARN(arn string) string {
 	parts := strings.SplitN(arn, ":", 6)
 	if len(parts) >= 4 {

cmd/litestream/main_test.go

@@ -2250,6 +2250,46 @@ func TestNewS3ReplicaClientFromConfig(t *testing.T) {
 			t.Error("expected ForcePathStyle to be true for custom endpoint")
 		}
 	})
+
+	t.Run("QuerySigningOptions", func(t *testing.T) {
+		config := &main.ReplicaConfig{
+			URL: "s3://bucket/db?sign-payload=true&require-content-md5=false",
+		}
+
+		client, err := main.NewS3ReplicaClientFromConfig(config, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !client.SignPayload {
+			t.Error("expected SignPayload to be true when query parameter is set")
+		}
+		if client.RequireContentMD5 {
+			t.Error("expected RequireContentMD5 to be false when disabled via query")
+		}
+	})
+
+	t.Run("ConfigOverridesQuerySigning", func(t *testing.T) {
+		signTrue := true
+		requireFalse := false
+		config := &main.ReplicaConfig{
+			URL: "s3://bucket/db?sign-payload=false&require-content-md5=true",
+			ReplicaSettings: main.ReplicaSettings{
+				SignPayload:       &signTrue,
+				RequireContentMD5: &requireFalse,
+			},
+		}
+
+		client, err := main.NewS3ReplicaClientFromConfig(config, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !client.SignPayload {
+			t.Error("expected config SignPayload to override query parameter")
+		}
+		if client.RequireContentMD5 {
+			t.Error("expected config RequireContentMD5=false to override query parameter")
+		}
+	})
 }
 func TestGlobalDefaults(t *testing.T) {
 	// Test comprehensive global defaults functionality

etc/litestream.yml

@@ -7,6 +7,10 @@
 #    replica:
 #      path: /path/to/replica             # File-based replication
 #      url:  s3://my.bucket.com/db        # S3-based replication
+#      # Example Fly.io Tigris setup (requires signed payloads & no Content-MD5 deletes)
+#      # url: s3://my-tigris-bucket/db.sqlite?endpoint=fly.storage.tigris.dev&region=auto
+#      # sign-payload: true
+#      # require-content-md5: false
 #      type: nats                         # NATS JetStream replication
 #      url: nats://nats.example.com:4222
 #      bucket: litestream-backups