blob/s3blob: make it possible to configure the default integrity protection (#3634)

Author: stanhu

aws/aws.go

@@ -20,13 +20,45 @@ import (
 	"fmt"
 	"net/url"
 	"strconv"
+	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/ratelimit"
 	"github.com/aws/aws-sdk-go-v2/aws/retry"
 	"github.com/aws/aws-sdk-go-v2/config"
 )
 
+const (
+	requestChecksumCalculationParamKey = "request_checksum_calculation"
+	responseChecksumValidationParamKey = "response_checksum_validation"
+)
+
+// parseRequestChecksumCalculation parses request checksum calculation mode values.
+// Supports AWS SDK documented values: "when_supported", "when_required".
+func parseRequestChecksumCalculation(value string) (aws.RequestChecksumCalculation, error) {
+	switch strings.ToLower(value) {
+	case "when_supported":
+		return aws.RequestChecksumCalculationWhenSupported, nil
+	case "when_required":
+		return aws.RequestChecksumCalculationWhenRequired, nil
+	default:
+		return aws.RequestChecksumCalculationWhenSupported, fmt.Errorf("invalid value for %q: %q. Valid values are: when_supported, when_required", requestChecksumCalculationParamKey, value)
+	}
+}
+
+// parseResponseChecksumValidation parses response checksum validation mode values.
+// Supports AWS SDK documented values: "when_supported", "when_required".
+func parseResponseChecksumValidation(value string) (aws.ResponseChecksumValidation, error) {
+	switch strings.ToLower(value) {
+	case "when_supported":
+		return aws.ResponseChecksumValidationWhenSupported, nil
+	case "when_required":
+		return aws.ResponseChecksumValidationWhenRequired, nil
+	default:
+		return aws.ResponseChecksumValidationWhenSupported, fmt.Errorf("invalid value for %q: %q. Valid values are: when_supported, when_required", responseChecksumValidationParamKey, value)
+	}
+}
+
 // NewDefaultV2Config returns a aws.Config for AWS SDK v2, using the default options.
 func NewDefaultV2Config(ctx context.Context) (aws.Config, error) {
 	return config.LoadDefaultConfig(ctx)
@@ -53,6 +85,8 @@ func NewDefaultV2Config(ctx context.Context) (aws.Config, error) {
 //   - rate_limiter_capacity: A integer value configures the capacity of a token bucket used
 //     in client-side rate limits. If no value is set, the client-side rate limiting is disabled.
 //     See https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/retries-timeouts/#client-side-rate-limiting.
+//   - request_checksum_calculation: Request checksum calculation mode (when_supported, when_required)
+//   - response_checksum_validation: Response checksum validation mode (when_supported, when_required)
 func V2ConfigFromURLParams(ctx context.Context, q url.Values) (aws.Config, error) {
 	var endpoint string
 	var hostnameImmutable bool
@@ -103,6 +137,20 @@ func V2ConfigFromURLParams(ctx context.Context, q url.Values) (aws.Config, error
 			if anon {
 				opts = append(opts, config.WithCredentialsProvider(aws.AnonymousCredentials{}))
 			}
+		case requestChecksumCalculationParamKey:
+			value, err := parseRequestChecksumCalculation(value)
+			if err != nil {
+				return aws.Config{}, err
+			}
+
+			opts = append(opts, config.WithRequestChecksumCalculation(value))
+		case responseChecksumValidationParamKey:
+			value, err := parseResponseChecksumValidation(value)
+			if err != nil {
+				return aws.Config{}, err
+			}
+
+			opts = append(opts, config.WithResponseChecksumValidation(value))
 		case "awssdk":
 			// ignore, should be handled before this
 		default:

aws/aws_test.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"net/url"
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -73,6 +74,54 @@ func TestV2ConfigFromURLParams(t *testing.T) {
 			name:  "Rate limit capacity",
 			query: url.Values{"rate_limiter_capacity": {"500"}},
 		},
+		{
+			name:  "Request checksum calculation when_supported",
+			query: url.Values{"request_checksum_calculation": {"when_supported"}},
+		},
+		{
+			name:  "Request checksum calculation when_required",
+			query: url.Values{"request_checksum_calculation": {"when_required"}},
+		},
+		{
+			name:  "Response checksum validation when_supported",
+			query: url.Values{"response_checksum_validation": {"when_supported"}},
+		},
+		{
+			name:  "Response checksum validation when_required",
+			query: url.Values{"response_checksum_validation": {"when_required"}},
+		},
+		{
+			name:  "Both checksum parameters",
+			query: url.Values{"request_checksum_calculation": {"when_required"}, "response_checksum_validation": {"when_supported"}},
+		},
+		{
+			name:    "Invalid request checksum value",
+			query:   url.Values{"request_checksum_calculation": {"invalid"}},
+			wantErr: true,
+		},
+		{
+			name:    "Invalid response checksum value",
+			query:   url.Values{"response_checksum_validation": {"invalid"}},
+			wantErr: true,
+		},
+		{
+			name:    "Empty request checksum value",
+			query:   url.Values{"request_checksum_calculation": {""}},
+			wantErr: true,
+		},
+		{
+			name:    "Empty response checksum value",
+			query:   url.Values{"response_checksum_validation": {""}},
+			wantErr: true,
+		},
+		{
+			name:  "Uppercase request checksum",
+			query: url.Values{"request_checksum_calculation": {"WHEN_SUPPORTED"}},
+		},
+		{
+			name:  "Mixed case response checksum",
+			query: url.Values{"response_checksum_validation": {"When_Required"}},
+		},
 		// Can't test "profile", since AWS validates that the profile exists.
 	}
 
@@ -90,6 +139,35 @@ func TestV2ConfigFromURLParams(t *testing.T) {
 				t.Errorf("got region %q, want %q", got.Region, test.wantRegion)
 			}
 
+			// Check checksum configuration based on query parameters
+			if test.query.Has("request_checksum_calculation") {
+				expectedValue := test.query.Get("request_checksum_calculation")
+				var expectedChecksum aws.RequestChecksumCalculation
+				switch strings.ToLower(expectedValue) {
+				case "when_supported":
+					expectedChecksum = aws.RequestChecksumCalculationWhenSupported
+				case "when_required":
+					expectedChecksum = aws.RequestChecksumCalculationWhenRequired
+				}
+				if got.RequestChecksumCalculation != expectedChecksum {
+					t.Errorf("got RequestChecksumCalculation %v, want %v", got.RequestChecksumCalculation, expectedChecksum)
+				}
+			}
+
+			if test.query.Has("response_checksum_validation") {
+				expectedValue := test.query.Get("response_checksum_validation")
+				var expectedChecksum aws.ResponseChecksumValidation
+				switch strings.ToLower(expectedValue) {
+				case "when_supported":
+					expectedChecksum = aws.ResponseChecksumValidationWhenSupported
+				case "when_required":
+					expectedChecksum = aws.ResponseChecksumValidationWhenRequired
+				}
+				if got.ResponseChecksumValidation != expectedChecksum {
+					t.Errorf("got ResponseChecksumValidation %v, want %v", got.ResponseChecksumValidation, expectedChecksum)
+				}
+			}
+
 			if test.wantEndpoint != nil {
 				if got.EndpointResolverWithOptions == nil {
 					t.Fatalf("expected an EndpointResolverWithOptions, got nil")

blob/s3blob/s3blob.go

@@ -209,10 +209,15 @@ func (o *URLOpener) OpenBucketURL(ctx context.Context, u *url.URL) (*blob.Bucket
 	}
 	client := s3.NewFromConfig(cfg, opts...)
 
+	// The S3 upload manager doesn't use the config or options to set the
+	// request checksum calculation. We need to set it explicitly:
+	// https://github.com/aws/aws-sdk-go-v2/pull/3151
+	o.Options.RequestChecksumCalculation = cfg.RequestChecksumCalculation
+
 	return OpenBucket(ctx, client, u.Host, &o.Options)
 }
 
-// Options sets options for constructing a *blob.Bucket backed by fileblob.
+// Options sets options for constructing a *blob.Bucket backed by S3.
 type Options struct {
 	// UseLegacyList forces the use of ListObjects instead of ListObjectsV2.
 	// Some S3-compatible services (like CEPH) do not currently support
@@ -228,6 +233,11 @@ type Options struct {
 	// This is required when a bucket policy enforces the use of a specific
 	// KMS key for uploads
 	KMSEncryptionID string
+
+	// RequestChecksumCalculation configures the default integrity protection for
+	// requests. This may need to be set to when_required to preserve compatibility for
+	// third-party S3 providers: https://github.com/aws/aws-sdk-go-v2/discussions/2960.
+	RequestChecksumCalculation aws.RequestChecksumCalculation
 }
 
 // openBucket returns an S3 Bucket.
@@ -242,11 +252,12 @@ func openBucket(ctx context.Context, client *s3.Client, bucketName string, opts
 		return nil, errors.New("s3blob.OpenBucket: client is required")
 	}
 	return &bucket{
-		name:           bucketName,
-		client:         client,
-		useLegacyList:  opts.UseLegacyList,
-		kmsKeyId:       opts.KMSEncryptionID,
-		encryptionType: opts.EncryptionType,
+		name:                       bucketName,
+		client:                     client,
+		useLegacyList:              opts.UseLegacyList,
+		kmsKeyId:                   opts.KMSEncryptionID,
+		encryptionType:             opts.EncryptionType,
+		requestChecksumCalculation: opts.RequestChecksumCalculation,
 	}, nil
 }
 
@@ -382,8 +393,9 @@ type bucket struct {
 	client        *s3.Client
 	useLegacyList bool
 
-	encryptionType types.ServerSideEncryption
-	kmsKeyId       string
+	encryptionType             types.ServerSideEncryption
+	kmsKeyId                   string
+	requestChecksumCalculation aws.RequestChecksumCalculation
 }
 
 func (b *bucket) Close() error {
@@ -733,6 +745,8 @@ func (b *bucket) NewTypedWriter(ctx context.Context, key, contentType string, op
 		if opts.MaxConcurrency != 0 {
 			u.Concurrency = opts.MaxConcurrency
 		}
+
+		u.RequestChecksumCalculation = b.requestChecksumCalculation
 	})
 	md := make(map[string]string, len(opts.Metadata))
 	for k, v := range opts.Metadata {

blob/s3blob/s3blob_test.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -27,6 +28,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/aws/smithy-go"
+	gcaws "gocloud.dev/aws"
 	"gocloud.dev/blob"
 	"gocloud.dev/blob/driver"
 	"gocloud.dev/blob/drivertest"
@@ -324,6 +326,26 @@ func TestOpenBucketFromURL(t *testing.T) {
 		{"s3://mybucket?fips=true", false},
 		// OK, use anonymous.
 		{"s3://mybucket?anonymous=true", false},
+		// OK, use request checksum calculation when_supported
+		{"s3://mybucket?request_checksum_calculation=when_supported", false},
+		// OK, use request checksum calculation when_required
+		{"s3://mybucket?request_checksum_calculation=when_required", false},
+		// OK, use response checksum validation when_supported
+		{"s3://mybucket?response_checksum_validation=when_supported", false},
+		// OK, use response checksum validation when_required
+		{"s3://mybucket?response_checksum_validation=when_required", false},
+		// OK, use both checksum parameters
+		{"s3://mybucket?request_checksum_calculation=when_required&response_checksum_validation=when_supported", false},
+		// OK, case insensitive checksum parameters
+		{"s3://mybucket?request_checksum_calculation=WHEN_SUPPORTED&response_checksum_validation=When_Required", false},
+		// Invalid request checksum value
+		{"s3://mybucket?request_checksum_calculation=invalid", true},
+		// Invalid response checksum value
+		{"s3://mybucket?response_checksum_validation=invalid", true},
+		// Empty request checksum value
+		{"s3://mybucket?request_checksum_calculation=", true},
+		// Empty response checksum value
+		{"s3://mybucket?response_checksum_validation=", true},
 		// Invalid accelerate
 		{"s3://mybucket?accelerate=bogus", true},
 		// Invalid FIPS
@@ -354,6 +376,81 @@ func TestOpenBucketFromURL(t *testing.T) {
 	}
 }
 
+func TestChecksumConfigurationPassthrough(t *testing.T) {
+	// Test that checksum configuration from URL parameters is properly passed through
+	// to the S3 bucket options
+	tests := []struct {
+		name                           string
+		url                            string
+		wantRequestChecksumCalculation aws.RequestChecksumCalculation
+		wantErr                        bool
+	}{
+		{
+			name:                           "request checksum when_supported",
+			url:                            "s3://mybucket?request_checksum_calculation=when_supported",
+			wantRequestChecksumCalculation: aws.RequestChecksumCalculationWhenSupported,
+		},
+		{
+			name:                           "request checksum when_required",
+			url:                            "s3://mybucket?request_checksum_calculation=when_required",
+			wantRequestChecksumCalculation: aws.RequestChecksumCalculationWhenRequired,
+		},
+		{
+			name:                           "case insensitive",
+			url:                            "s3://mybucket?request_checksum_calculation=WHEN_SUPPORTED",
+			wantRequestChecksumCalculation: aws.RequestChecksumCalculationWhenSupported,
+		},
+		{
+			name:    "invalid value",
+			url:     "s3://mybucket?request_checksum_calculation=invalid",
+			wantErr: true,
+		},
+	}
+
+	ctx := context.Background()
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			// Parse the URL to extract the bucket name and query parameters
+			u, err := url.Parse(test.url)
+			if err != nil {
+				t.Fatalf("failed to parse URL: %v", err)
+			}
+
+			// Create a mock AWS config with the query parameters
+			cfg, err := awscfg.LoadDefaultConfig(ctx)
+			if err != nil {
+				t.Fatalf("failed to load AWS config: %v", err)
+			}
+
+			// Apply URL parameters to the config
+			cfg, err = gcaws.V2ConfigFromURLParams(ctx, u.Query())
+			if (err != nil) != test.wantErr {
+				t.Errorf("got err %v want error %v", err, test.wantErr)
+				return
+			}
+			if err != nil {
+				return
+			}
+
+			// Create URLOpener to test the integration
+			opener := &URLOpener{}
+			bucket, err := opener.OpenBucketURL(ctx, u)
+			if err != nil {
+				t.Fatalf("failed to open bucket: %v", err)
+			}
+			defer bucket.Close()
+
+			// Verify that the checksum configuration was applied
+			// We can't directly access the internal bucket struct, but we can verify
+			// that the configuration was applied to the AWS config
+			if cfg.RequestChecksumCalculation != test.wantRequestChecksumCalculation {
+				t.Errorf("got RequestChecksumCalculation %v, want %v",
+					cfg.RequestChecksumCalculation, test.wantRequestChecksumCalculation)
+			}
+		})
+	}
+}
+
 func TestToServerSideEncryptionType(t *testing.T) {
 	tests := []struct {
 		value         string