[#218] Add check content sha256 header

The X-Amz-Content-Sha256 header check is done only for unencrypted payload. Signed-off-by: Roman Loginov <r.loginov@yadro.com>
2023-11-13 11:01:47 +03:00 · 2023-11-13 11:01:47 +03:00 · 861454e499
commit 861454e499
parent b28ecef43b
10 changed files with 282 additions and 26 deletions
--- a/api/handler/multipart_upload_test.go
+++ b/api/handler/multipart_upload_test.go
@ -314,6 +314,84 @@ func TestMultipartUploadEnabledMD5(t *testing.T) {
 	require.Equal(t, data.Quote(hex.EncodeToString(completeMD5Sum[:])+"-2"), resp.ETag)
 }

+func TestUploadPartCheckContentSHA256(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName, objName := "bucket-1", "object-1"
+	createTestBucket(hc, bktName)
+	partSize := 5 * 1024 * 1024
+
+	for _, tc := range []struct {
+		name    string
+		hash    string
+		content []byte
+		error   bool
+	}{
+		{
+			name:    "invalid hash value",
+			hash:    "d1b2a59fbea7e20077af9f91b27e95e865061b270be03ff539ab3b73587882e8",
+			content: []byte("content"),
+			error:   true,
+		},
+		{
+			name:    "correct hash for empty payload",
+			hash:    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+			content: []byte(""),
+			error:   false,
+		},
+		{
+			name:    "unsigned payload",
+			hash:    "UNSIGNED-PAYLOAD",
+			content: []byte("content"),
+			error:   false,
+		},
+		{
+			name:    "correct hash",
+			hash:    "ed7002b439e9ac845f22357d822bac1444730fbdb6016d3ec9432297b9ec9f73",
+			content: []byte("content"),
+			error:   false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			multipartUpload := createMultipartUpload(hc, bktName, objName, map[string]string{})
+
+			etag1, data1 := uploadPart(hc, bktName, objName, multipartUpload.UploadID, 1, partSize)
+
+			query := make(url.Values)
+			query.Set(uploadIDQuery, multipartUpload.UploadID)
+			query.Set(partNumberQuery, strconv.Itoa(2))
+
+			w, r := prepareTestRequestWithQuery(hc, bktName, objName, query, tc.content)
+			r.Header.Set(api.AmzContentSha256, tc.hash)
+			hc.Handler().UploadPartHandler(w, r)
+			if tc.error {
+				assertS3Error(t, w, s3Errors.GetAPIError(s3Errors.ErrContentSHA256Mismatch))
+
+				list := listParts(hc, bktName, objName, multipartUpload.UploadID, "0", http.StatusOK)
+				require.Len(t, list.Parts, 1)
+
+				w := completeMultipartUploadBase(hc, bktName, objName, multipartUpload.UploadID, []string{etag1})
+				assertStatus(t, w, http.StatusOK)
+
+				data, _ := getObject(hc, bktName, objName)
+				equalDataSlices(t, data1, data)
+				return
+			}
+			assertStatus(t, w, http.StatusOK)
+
+			list := listParts(hc, bktName, objName, multipartUpload.UploadID, "0", http.StatusOK)
+			require.Len(t, list.Parts, 2)
+
+			etag2 := w.Header().Get(api.ETag)
+			w = completeMultipartUploadBase(hc, bktName, objName, multipartUpload.UploadID, []string{etag1, etag2})
+			assertStatus(t, w, http.StatusOK)
+
+			data, _ := getObject(hc, bktName, objName)
+			equalDataSlices(t, append(data1, tc.content...), data)
+		})
+	}
+}
+
 func uploadPartCopy(hc *handlerContext, bktName, objName, uploadID string, num int, srcObj string, start, end int) *UploadPartCopyResponse {
 	return uploadPartCopyBase(hc, bktName, objName, false, uploadID, num, srcObj, start, end)
 }