[#218] Add check content sha256 header

The X-Amz-Content-Sha256 header check is done only for unencrypted payload. Signed-off-by: Roman Loginov <r.loginov@yadro.com>
2023-11-13 11:01:47 +03:00 · 2023-11-13 11:01:47 +03:00 · 861454e499
commit 861454e499
parent b28ecef43b
10 changed files with 282 additions and 26 deletions
--- a/api/layer/multipart_upload.go
+++ b/api/layer/multipart_upload.go
@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	s3errors "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/encryption"
@ -66,11 +67,12 @@ type (
 	}

 	UploadPartParams struct {
-		Info       *UploadInfoParams
-		PartNumber int
-		Size       uint64
-		Reader     io.Reader
-		ContentMD5 string
+		Info              *UploadInfoParams
+		PartNumber        int
+		Size              uint64
+		Reader            io.Reader
+		ContentMD5        string
+		ContentSHA256Hash string
 	}

 	UploadCopyParams struct {
@ -260,6 +262,20 @@ func (n *layer) uploadPart(ctx context.Context, multipartInfo *data.MultipartInf
 		size = decSize
 	}

+	if !p.Info.Encryption.Enabled() && len(p.ContentSHA256Hash) > 0 && !auth.IsStandardContentSHA256(p.ContentSHA256Hash) {
+		contentHashBytes, err := hex.DecodeString(p.ContentSHA256Hash)
+		if err != nil {
+			return nil, s3errors.GetAPIError(s3errors.ErrContentSHA256Mismatch)
+		}
+		if !bytes.Equal(contentHashBytes, hash) {
+			err = n.objectDelete(ctx, bktInfo, id)
+			if err != nil {
+				n.reqLogger(ctx).Debug(logs.FailedToDeleteObject, zap.Stringer("cid", bktInfo.CID), zap.Stringer("oid", id))
+			}
+			return nil, s3errors.GetAPIError(s3errors.ErrContentSHA256Mismatch)
+		}
+	}
+
 	n.reqLogger(ctx).Debug(logs.UploadPart,
 		zap.String("multipart upload", p.Info.UploadID), zap.Int("part number", p.PartNumber),
 		zap.Stringer("cid", bktInfo.CID), zap.Stringer("oid", id))