fix: adds checks for x-amz-content-sha256 in anonymous requests

Fixes #1554 Fixes #1423 The gateway previously ignored the `x-amz-content-sha256` header for anonymous unsigned requests to public buckets. This PR adds hash calculation for this header and correctly handles special payload types. It also fixes the case where a signed streaming payload (`STREAMING-AWS4-HMAC-SHA256-PAYLOAD...`) is used with anonymous requests. In this scenario, the gateway now returns a specific "not supported" error, consistent with S3 behavior.
2026-01-03 10:35:15 +00:00 · 2025-09-23 00:44:14 +04:00
parent 6a34f3a848
commit df74e7fde6
6 changed files with 118 additions and 11 deletions
--- a/tests/integration/group-tests.go
+++ b/tests/integration/group-tests.go
@@ -926,6 +926,8 @@ func TestPublicBuckets(s *S3Conf) {
 	PublicBucket_public_bucket_policy(s)
 	PublicBucket_public_object_policy(s)
 	PublicBucket_public_acl(s)
+	PublicBucket_signed_streaming_payload(s)
+	PublicBucket_incorrect_sha256_hash(s)
 }

 func TestVersioning(s *S3Conf) {
@@ -1534,6 +1536,8 @@ func GetIntTests() IntTests {
 		"PublicBucket_public_bucket_policy":                                       PublicBucket_public_bucket_policy,
 		"PublicBucket_public_object_policy":                                       PublicBucket_public_object_policy,
 		"PublicBucket_public_acl":                                                 PublicBucket_public_acl,
+		"PublicBucket_signed_streaming_payload":                                   PublicBucket_signed_streaming_payload,
+		"PublicBucket_incorrect_sha256_hash":                                      PublicBucket_incorrect_sha256_hash,
 		"PutBucketVersioning_non_existing_bucket":                                 PutBucketVersioning_non_existing_bucket,
 		"PutBucketVersioning_invalid_status":                                      PutBucketVersioning_invalid_status,
 		"PutBucketVersioning_success_enabled":                                     PutBucketVersioning_success_enabled,