Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

service/s3: Add ContentMD5 validation of S3 Objects #1827

Merged
merged 10 commits into from
Mar 12, 2018
Merged

service/s3: Add ContentMD5 validation of S3 Objects #1827

merged 10 commits into from
Mar 12, 2018

Conversation

jasdel
Copy link
Contributor

@jasdel jasdel commented Mar 8, 2018
edited
Loading

Adds support for setting the ContentMD5 of objects uploaded to S3. Also
adds validating the Object's MD5 hash downloaded matches that of the
hash the object was uploaded with. This feature provides validation and
early detection when S3 Object contents have changed unexpectedly.

@jasdel jasdel self-assigned this Mar 8, 2018
@jasdel
Add const aliases for io.Seek* constants
0094953
@jasdel
service/s3: Add ContentMD5 validation of S3 Objects
c91772b 
Adds support for setting the ContentMD5 of objects uploaded to S3. Also
adds validating the Object's MD5 hash downloaded matches that of the
hash the object was uploaded with. This feature provides validation and
early detection when S3 Object contents have changed unexpectedly.
@jasdel
correct "useMD5ValidationReader" payload len
95e6c01
@jasdel
add option to disable content md5 validation
26cdf99
@jasdel
Add integration tests
a37d047
@jasdel
Add handling of GetObject with byte-ranges and presigning for MD5 val…
de0cce6 
…idation
@jasdel
Add range get integration test
c815d97
@jasdel
Remove random bytes from ComputeBodyHash benchmark
7e83efd
@jasdel jasdel mentioned this pull request Mar 9, 2018
Closed
@xibz
Copy link
Contributor

xibz commented Mar 12, 2018

Shouldn't we also strip off the content length of the hash once we remove it?

xibz
xibz suggested changes Mar 12, 2018
View reviewed changes
service/s3/body_hash.go Outdated
if aws.BoolValue(r.Config.S3DisableContentMD5Validation) {
return
}
if r.ExpireTime != 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you feel about putting this in a helper method like IsPresign? I think it'll increase the readability here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good will create a helper for this.

service/s3/body_hash.go
encoded := make([]byte, md5Base64EncLen)

base64.StdEncoding.Encode(encoded, md5Hash.Sum(sum[0:0]))
r.HTTPRequest.Header[contentMD5Header] = []string{string(encoded)}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if this header is already set? Wouldn't this stomp over it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This this block is only performed when there is no header present, the check was further up in the function. I'll add docs to clarify this.

service/s3/body_hash.go
sum := make([]byte, sha256.Size)

hex.Encode(encoded, sha256Hash.Sum(sum[0:0]))
r.HTTPRequest.Header[contentSha256Header] = []string{string(encoded)}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above

@jasdel jasdel merged commit 9a78182 into aws:master Mar 12, 2018
@jasdel jasdel deleted the feature/S3IntegChecks branch March 12, 2018 17:32
@patrobinson patrobinson mentioned this pull request Mar 15, 2018
Closed
jasdel added a commit to jasdel/aws-sdk-go that referenced this pull request Mar 15, 2018
@jasdel
service/s3: Disable S3 object ContentMD5 automatic validation
38c61a9 
Updates the S3 client to disable automatic ContentMD5 validation of S3
Put and Get objects. This disables the validation added in aws#1827.

Related to: aws#1837
jasdel added a commit to jasdel/aws-sdk-go that referenced this pull request Mar 15, 2018
@jasdel
service/s3: Disable S3 object ContentMD5 automatic validation
d40058c 
Updates the S3 client to disable automatic ContentMD5 validation of S3
Put and Get objects. This disables the validation added in aws#1827.

Related to: aws#1837
jasdel added a commit to jasdel/aws-sdk-go that referenced this pull request Mar 15, 2018
@jasdel
service/s3: Disable S3 object ContentMD5 automatic validation
d410fb1 
Updates the S3 client to disable automatic ContentMD5 validation of S3
Put and Get objects. This disables the validation added in aws#1827.

Related to: aws#1837
@jasdel jasdel mentioned this pull request Mar 15, 2018
Merged
jasdel added a commit to jasdel/aws-sdk-go that referenced this pull request Mar 15, 2018
@jasdel
service/s3: Disable S3 object ContentMD5 automatic validation
e5d3cf3 
Updates the S3 client to disable automatic ContentMD5 validation of S3
Put and Get objects. This disables the validation added in aws#1827.

Related to: aws#1837
jasdel added a commit that referenced this pull request Mar 15, 2018
@jasdel
service/s3: Disable S3 object ContentMD5 automatic validation (#1843)
e65709d 
Updates the S3 client to disable automatic ContentMD5 validation of S3
Put and Get objects. This disables the validation added in #1827.

Unexpected case whereContent-Length response header not set in an a GetObject API call prevents this the content MD5 validation feature from being successfully used until the SDK can handle the case.

The SDK will still set the Content-MD5 header for PutObject and UploadPart API calls.

Related to: #1837
@Quentin-M
Copy link

Quentin-M commented Apr 3, 2018
edited
Loading

@jasdel Just to make sure I read the code right, this PR adds end-to-end MD5 validation to all the following functions?

  • s3manager.NewUploader().Upload()
  • s3manager.NewDownloader().Download()
  • s3.GetObject()
  • s3.GetObject()

Thanks!

@jasdel
Copy link
Contributor Author

jasdel commented Apr 3, 2018

@Quentin-M This functionality actually had to be disabled while we resolve a issue with Content-Encoding and the SDK failing to validate the trailing checksum correctly, #1843. Once content encoding is fixed the SDK will do end-to-end MD5 validation for:

  • S3 Manager Uploader
  • S3 Manager Downloader
  • S3 GetObject
  • S3 PutObject
  • S3 UploadPart

@Quentin-M
Copy link

Quentin-M commented Apr 6, 2018 via email
edited
Loading

@Quentin-M Quentin-M mentioned this pull request Apr 6, 2018
Open
@choyri
Copy link

choyri commented Feb 16, 2023

I created CPU profile and found that s3.computeBodyHashes has a very high ratio.
After code review, can i probably assume that this feature is deserted? Except for using a large amount of computing resources when uploading, no benefits are obtained. 😕

image

@diegmonti diegmonti mentioned this pull request Jul 11, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xibz xibz xibz approved these changes

Assignees

@jasdel jasdel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jasdel @xibz @Quentin-M @choyri