From d150f8ddcb662c1783776a77e6e799417d187508 Mon Sep 17 00:00:00 2001
From: Aleksey Kravchenko <al.kravchenko@yadro.com>
Date: Thu, 26 Dec 2024 13:15:50 +0300
Subject: [PATCH] [#598] Fix response code for invalid Content-Md5 header

Signed-off-by: Aleksey Kravchenko <al.kravchenko@yadro.com>
---
 api/handler/encryption_test.go |  8 +++++++-
 api/handler/put_test.go        | 13 +++++++++++--
 api/layer/object.go            |  2 +-
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/api/handler/encryption_test.go b/api/handler/encryption_test.go
index 94a06dea..2c3a728b 100644
--- a/api/handler/encryption_test.go
+++ b/api/handler/encryption_test.go
@@ -65,10 +65,16 @@ func TestMD5HeaderBadOrEmpty(t *testing.T) {
 	putEncryptedObjectWithHeadersErr(t, tc, bktName, objName, content, headers, errors.ErrInvalidDigest)
 
 	headers = map[string]string{
-		api.ContentMD5: "YWJjMTIzIT8kKiYoKSctPUB+",
+		api.ContentMD5: "yZRvHQZYwL5V7+k2pcwHLg==",
 	}
 
 	putEncryptedObjectWithHeadersErr(t, tc, bktName, objName, content, headers, errors.ErrBadDigest)
+
+	headers = map[string]string{
+		api.ContentMD5: "dGhlIHF1aWNrIGJyb3dF",
+	}
+
+	putEncryptedObjectWithHeadersErr(t, tc, bktName, objName, content, headers, errors.ErrInvalidDigest)
 }
 
 func TestGetEncryptedRange(t *testing.T) {
diff --git a/api/handler/put_test.go b/api/handler/put_test.go
index 53968a62..bf8863cf 100644
--- a/api/handler/put_test.go
+++ b/api/handler/put_test.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/md5"
+	"crypto/rand"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
@@ -282,12 +283,20 @@ func TestPutObjectWithInvalidContentMD5(t *testing.T) {
 	createTestBucket(tc, bktName)
 
 	content := []byte("content")
+	md5HeaderContent := make([]byte, md5.Size)
+	n, err := rand.Read(md5HeaderContent)
+	require.Equal(t, md5.Size, n)
+	require.NoError(t, err)
 	w, r := prepareTestPayloadRequest(tc, bktName, objName, bytes.NewReader(content))
-	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString([]byte("invalid")))
+	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString(md5HeaderContent))
 	tc.Handler().PutObjectHandler(w, r)
 	assertS3Error(t, w, apierr.GetAPIError(apierr.ErrBadDigest))
 
-	content = []byte("content")
+	w, r = prepareTestPayloadRequest(tc, bktName, objName, bytes.NewReader(content))
+	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString([]byte("invalid")))
+	tc.Handler().PutObjectHandler(w, r)
+	assertS3Error(t, w, apierr.GetAPIError(apierr.ErrInvalidDigest))
+
 	w, r = prepareTestPayloadRequest(tc, bktName, objName, bytes.NewReader(content))
 	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString([]byte("")))
 	tc.Handler().PutObjectHandler(w, r)
diff --git a/api/layer/object.go b/api/layer/object.go
index 555a0cbf..571a120e 100644
--- a/api/layer/object.go
+++ b/api/layer/object.go
@@ -289,7 +289,7 @@ func (n *Layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.Extend
 			return nil, apierr.GetAPIError(apierr.ErrInvalidDigest)
 		}
 		headerMd5Hash, err := base64.StdEncoding.DecodeString(*p.ContentMD5)
-		if err != nil {
+		if err != nil || len(headerMd5Hash) != md5.Size {
 			return nil, apierr.GetAPIError(apierr.ErrInvalidDigest)
 		}
 		if !bytes.Equal(headerMd5Hash, createdObj.MD5Sum) {