feat: implements checksum calculation for all actions

Closes #1549 Fixes #1593 Fixes #1521 Fixes #1427 Fixes #1311 Fixes #1301 Fixes #1040 This PR primarily focuses on checksum calculation within the gateway, but it also includes several related fixes and improvements. It introduces a middleware responsible for handling and calculating checksums for the `x-amz-checksum-*` headers and `Content-MD5`. The middleware is applied only to actions that expect a request body or checksum headers. It also enforces validation for actions that require a non-empty request body, returning an error if the body is missing. Similarly, it returns an error for actions where at least one checksum header (`Content-MD5` or `x-amz-checksum-*`) is required but none is provided. The implementation is based on [https://gist.github.com/niksis02/eec3198f03e561a0998d67af75c648d7](the reference table), tested directly against S3: It also fixes the error case where the `x-amz-sdk-checksum-algorithm` header is present but no corresponding `x-amz-checksum-*` or `x-amz-trailer` header is included. Additionally, the PR improves validation for the `x-amz-content-sha256` header. For actions that require this header, an error is now returned when it’s missing. For actions that don’t require it, the middleware no longer enforces its presence. Following the common S3 pattern, the header remains mandatory for admin routes. Finally, the `x-amz-content-sha256` header is now optional for anonymous requests, as it is not required in that case.
2026-01-03 10:35:15 +00:00 · 2025-10-25 01:33:27 +04:00
parent d63b5818f1
commit 12f4920c8d
12 changed files with 363 additions and 316 deletions
--- a/s3err/s3err.go
+++ b/s3err/s3err.go
@@ -156,7 +156,11 @@ const (
 	ErrInvalidVersionId
 	ErrNoSuchVersion
 	ErrSuspendedVersioningNotAllowed
+	ErrMissingRequestBody
 	ErrMultipleChecksumHeaders
+	ErrChecksumSDKAlgoMismatch
+	ErrChecksumRequired
+	ErrMissingContentSha256
 	ErrInvalidChecksumAlgorithm
 	ErrInvalidChecksumPart
 	ErrChecksumTypeWithAlgo
@@ -673,6 +677,26 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description:    "An Object Lock configuration is present on this bucket, so the versioning state cannot be changed.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrMissingRequestBody: {
+		Code:           "MissingRequestBodyError",
+		Description:    "Request Body is empty",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrChecksumSDKAlgoMismatch: {
+		Code:           "InvalidRequest",
+		Description:    "x-amz-sdk-checksum-algorithm specified, but no corresponding x-amz-checksum-* or x-amz-trailer headers were found.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrChecksumRequired: {
+		Code:           "InvalidRequest",
+		Description:    "Missing required header for this request: Content-MD5 OR x-amz-checksum-*",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrMissingContentSha256: {
+		Code:           "InvalidRequest",
+		Description:    "Missing required header for this request: x-amz-content-sha256",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrMultipleChecksumHeaders: {
 		Code:           "InvalidRequest",
 		Description:    "Expecting a single x-amz-checksum- header. Multiple checksum Types are not allowed.",