GetObject() fails when getting object multipart uploaded with additional checksum.

[lonewolf65535]

Describe the bug

GetObject() with checksum_mode(ChecksumMode::Enabled) fails in case of object multipart uploaded with addtional checksum.
Non multipart object download works.

Expected Behavior

An object multipart uploaded with addtional checksum have special checksum syntax.
GetObject() with checksum_mode(ChecksumMode::Enabled) should handle the checksum correctly.

Current Behavior

panic happens.

% RUST_BACKTRACE=1 cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.15s
     Running `target/debug/additional_checksum`
thread 'main' panicked at 'services will always base64 encode the checksum value per the spec: DecodeError("Base64Error")', /Users/XXXXXX/.cargo/registry/src/github.com-1ecc6299db9ec823/aws-sdk-s3-0.24.0/src/http_body_checksum.rs:196:22
stack backtrace:
   0: rust_begin_unwind
             at /rustc/8460ca823e8367a30dda430efda790588b8c84d3/library/std/src/panicking.rs:575:5
   1: core::panicking::panic_fmt
             at /rustc/8460ca823e8367a30dda430efda790588b8c84d3/library/core/src/panicking.rs:64:14
   2: core::result::unwrap_failed
             at /rustc/8460ca823e8367a30dda430efda790588b8c84d3/library/core/src/result.rs:1790:5
   3: core::result::Result<T,E>::expect
             at /rustc/8460ca823e8367a30dda430efda790588b8c84d3/library/core/src/result.rs:1069:23
   4: aws_sdk_s3::http_body_checksum::check_headers_for_precalculated_checksum
             at /Users/XXXXXX/.cargo/registry/src/github.com-1ecc6299db9ec823/aws-sdk-s3-0.24.0/src/http_body_checksum.rs:195:17
   5: aws_sdk_s3::operation_deser::parse_get_object

Logs

2023-03-28T12:50:30.076083Z TRACE send_operation:map_request: aws_sigv4::http_request::sign: canonical_request=GET
/XXXXX/20MB
x-id=GetObject
host:s3.ap-northeast-1.amazonaws.com
x-amz-checksum-mode:ENABLED
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20230328T125030Z
x-amz-user-agent:aws-sdk-rust/0.54.1 api/s3/0.24.0 os/macos lang/rust/1.68.1

Reproduction Steps

1. Upload multipart object with additional checksum
   An easy way to do this is to upload (16 MiB over) in the AWS Management Console.
   Sample object information is as follows

$ aws s3api head-object --key 20MB --bucket XXXXX --checksum-mode enabled
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-03-27T06:01:49+00:00",
    "ContentLength": 20971520,
    "ChecksumSHA256": "ykIsJpmJHik08T+RZsvK2VGP88Nfw3P3v2lvX6QbYhs=-2",
    "ETag": "\"42d00fcc41c2dfa063e0ca4c132a562f-2\"",
    "ContentType": "application/x-www-form-urlencoded; charset=utf-8",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}

$ aws s3api get-object-attributes  --bucket XXXXX --key 20MB --object-attributes ObjectParts
{
    "LastModified": "2023-03-27T06:01:49+00:00",
    "ObjectParts": {
        "TotalPartsCount": 2,
        "PartNumberMarker": 0,
        "NextPartNumberMarker": 2,
        "MaxParts": 1000,
        "IsTruncated": false,
        "Parts": [
            {
                "PartNumber": 1,
                "Size": 17179870,
                "ChecksumSHA256": "B0LMMRec9CTvvlLCmzI/KY5TY7+7FdL1YOPMnLoVHgQ="
            },
            {
                "PartNumber": 2,
                "Size": 3791650,
                "ChecksumSHA256": "hPqKA1atbiy2hJreh2MXE1lH1KeimQvCzLpO1V+xVJU="
            }
        ]
    }
}

2. Run the following code

//[dependencies]
//tokio = { version = "1.26.0", features = ["full"] }
//aws-sdk-s3 = "0.24.0"
//aws-config = "0.54.1"

use aws_sdk_s3;
use aws_sdk_s3::model::ChecksumMode;

#[tokio::main]
async fn main() {
    let client = aws_sdk_s3::Client::new(&aws_config::load_from_env().await);

    client
        .get_object()
        .bucket("XXXXXX")
        .key("20MB")
        .checksum_mode(ChecksumMode::Enabled)
        .send()
        .await
        .unwrap();
}

In this case, it try to decode "ykIsJpmJHik08T+RZsvK2VGP88Nfw3P3v2lvX6QbYhs=-2" .
"-2" is invalid base64 data.

Possible Solution

Call get-object-attributes API, verify each parts, and whole objects.

Additional Information/Context

https://awslabs.github.io/smithy/1.0/spec/aws/aws-core.html#http-response-checksums
https://docs.rs/aws-sdk-s3/latest/aws_sdk_s3/output/struct.GetObjectOutput.html#method.checksum_sha256
https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html#large-object-checksums

Version

├── aws-config v0.54.1
│   ├── aws-credential-types v0.54.1
│   │   ├── aws-smithy-async v0.54.4
│   │   ├── aws-smithy-types v0.54.4
│   ├── aws-http v0.54.1
│   │   ├── aws-credential-types v0.54.1 (*)
│   │   ├── aws-smithy-http v0.54.4
│   │   │   ├── aws-smithy-eventstream v0.54.4
│   │   │   │   ├── aws-smithy-types v0.54.4 (*)
│   │   │   ├── aws-smithy-types v0.54.4 (*)
│   │   ├── aws-smithy-types v0.54.4 (*)
│   │   ├── aws-types v0.54.1
│   │   │   ├── aws-credential-types v0.54.1 (*)
│   │   │   ├── aws-smithy-async v0.54.4 (*)
│   │   │   ├── aws-smithy-client v0.54.4
│   │   │   │   ├── aws-smithy-async v0.54.4 (*)
│   │   │   │   ├── aws-smithy-http v0.54.4 (*)
│   │   │   │   ├── aws-smithy-http-tower v0.54.4
│   │   │   │   │   ├── aws-smithy-http v0.54.4 (*)
│   │   │   │   │   ├── aws-smithy-types v0.54.4 (*)
│   │   │   │   ├── aws-smithy-protocol-test v0.54.4
│   │   │   │   ├── aws-smithy-types v0.54.4 (*)
│   │   │   ├── aws-smithy-http v0.54.4 (*)
│   │   │   ├── aws-smithy-types v0.54.4 (*)
│   ├── aws-sdk-sso v0.24.0
│   │   ├── aws-credential-types v0.54.1 (*)
│   │   ├── aws-endpoint v0.54.1
│   │   │   ├── aws-smithy-http v0.54.4 (*)
│   │   │   ├── aws-smithy-types v0.54.4 (*)
│   │   │   ├── aws-types v0.54.1 (*)
│   │   ├── aws-http v0.54.1 (*)
│   │   ├── aws-sig-auth v0.54.1
│   │   │   ├── aws-credential-types v0.54.1 (*)
│   │   │   ├── aws-sigv4 v0.54.1
│   │   │   │   ├── aws-smithy-eventstream v0.54.4 (*)
│   │   │   │   ├── aws-smithy-http v0.54.4 (*)
│   │   │   ├── aws-smithy-eventstream v0.54.4 (*)
│   │   │   ├── aws-smithy-http v0.54.4 (*)
│   │   │   ├── aws-types v0.54.1 (*)
│   │   ├── aws-smithy-async v0.54.4 (*)
│   │   ├── aws-smithy-client v0.54.4 (*)
│   │   ├── aws-smithy-http v0.54.4 (*)
│   │   ├── aws-smithy-http-tower v0.54.4 (*)
│   │   ├── aws-smithy-json v0.54.4
│   │   │   └── aws-smithy-types v0.54.4 (*)
│   │   ├── aws-smithy-types v0.54.4 (*)
│   │   ├── aws-types v0.54.1 (*)
│   ├── aws-sdk-sts v0.24.0
│   │   ├── aws-credential-types v0.54.1 (*)
│   │   ├── aws-endpoint v0.54.1 (*)
│   │   ├── aws-http v0.54.1 (*)
│   │   ├── aws-sig-auth v0.54.1 (*)
│   │   ├── aws-smithy-async v0.54.4 (*)
│   │   ├── aws-smithy-client v0.54.4 (*)
│   │   ├── aws-smithy-http v0.54.4 (*)
│   │   ├── aws-smithy-http-tower v0.54.4 (*)
│   │   ├── aws-smithy-json v0.54.4 (*)
│   │   ├── aws-smithy-query v0.54.4
│   │   │   ├── aws-smithy-types v0.54.4 (*)
│   │   ├── aws-smithy-types v0.54.4 (*)
│   │   ├── aws-smithy-xml v0.54.4
│   │   ├── aws-types v0.54.1 (*)
│   ├── aws-smithy-async v0.54.4 (*)
│   ├── aws-smithy-client v0.54.4 (*)
│   ├── aws-smithy-http v0.54.4 (*)
│   ├── aws-smithy-http-tower v0.54.4 (*)
│   ├── aws-smithy-json v0.54.4 (*)
│   ├── aws-smithy-types v0.54.4 (*)
│   ├── aws-types v0.54.1 (*)
├── aws-sdk-s3 v0.24.0
│   ├── aws-credential-types v0.54.1 (*)
│   ├── aws-endpoint v0.54.1 (*)
│   ├── aws-http v0.54.1 (*)
│   ├── aws-sig-auth v0.54.1 (*)
│   ├── aws-sigv4 v0.54.1 (*)
│   ├── aws-smithy-async v0.54.4 (*)
│   ├── aws-smithy-checksums v0.54.4
│   │   ├── aws-smithy-http v0.54.4 (*)
│   │   ├── aws-smithy-types v0.54.4 (*)
│   ├── aws-smithy-client v0.54.4 (*)
│   ├── aws-smithy-eventstream v0.54.4 (*)
│   ├── aws-smithy-http v0.54.4 (*)
│   ├── aws-smithy-http-tower v0.54.4 (*)
│   ├── aws-smithy-json v0.54.4 (*)
│   ├── aws-smithy-types v0.54.4 (*)
│   ├── aws-smithy-xml v0.54.4 (*)
│   ├── aws-types v0.54.1 (*)

Environment details (OS name and version, etc.)

System Version: macOS 13.2.1 (22D68) Kernel Version: Darwin 22.3.0 arm64 rustc 1.68.1 (8460ca823 2023-03-20)

Logs

No response

[rcoh]

thanks for the report! at the very least we shouldn't be panicking on that. cc @Velfi to take a look

[Velfi]

I've been able to reproduce this issue. Currently working on a fix.

[Velfi]

The fix is in, it's just pending release now.

[lonewolf65535]

@Velfi Thank you. new version(aws-sdk-s3 0.27.0) doesn’t panic, showing the following message.

WARN aws_sdk_s3::http_body_checksum: This checksum is a part-level checksum which can't be validated by the Rust SDK. Disable checksum validation for this request to fix this warning. more_info="See https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html#large-object-checksums for more information.”

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.