Request/Response Checksum Behavior Updates #3277
Conversation
|
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## flexible-checksums-v2 #3277 +/- ##
========================================================
Coverage ? 93.14%
========================================================
Files ? 66
Lines ? 14424
Branches ? 0
========================================================
Hits ? 13435
Misses ? 989
Partials ? 0 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
| # `payload_signing_enabled` config overrides this logic and forces the | ||
| # header. | ||
| def test_content_sha256_not_set_if_config_value_is_true(self): | ||
| # By default, put_object() provides a trailing checksum and includes the |
There was a problem hiding this comment.
Is this right? I wouldn't expect us to be using trailing checksums by default on put_object.
There was a problem hiding this comment.
Because CRC32 is the new default, put_object will use trailing checksums by default. This is because put_object has streaming input.
You can see this behavior in the current version of the SDK by running:
import boto3
boto3.set_stream_logger('')
s3 = boto3.client("s3")
response = s3.put_object(
Body=b"Example data.",
Bucket="<bucket_name>",
Key="example_key.txt",
ChecksumAlgorithm="CRC32",
)
jonathan343
force-pushed
the
flexible-checksums-v2
branch
from
2d66b37
to
d586cba
Compare
jonathan343
force-pushed
the
request-checksum-calculation
branch
from
ccbc9c0
to
17ef6f7
Compare
jonathan343
changed the title
jonathan343
changed the title
jonathan343
changed the title
Add ``request_checksum_calculation`` and ``response_checksum_validation`` config options.
* Add support for CRC64NVME when the CRT is available. * Update crc64nvme priority
…ed checksums." This reverts commit 93a47eb.
Add ``request_checksum_calculation`` and ``response_checksum_validation`` config options.
* Add support for CRC64NVME when the CRT is available. * Update crc64nvme priority
jonathan343
force-pushed
the
flexible-checksums-v2
branch
from
d586cba
to
fac0754
Compare
jonathan343
force-pushed
the
request-checksum-calculation
branch
from
009ea3d
to
626c08a
Compare
botocore/httpchecksum.py
Outdated
| if "extra_headers" in algorithm: | ||
| request["headers"].update(algorithm["extra_headers"]) |
There was a problem hiding this comment.
How does this work if the user already supplied these headers?
There was a problem hiding this comment.
The header we're worried about would only get added when the default checksum is used. This means that the user didn't supply the "requestAlgorithmMember" member. The user's input would always take precedence.
I'll update this logic to be less generic as suggested by your other comment.
botocore/httpchecksum.py
Outdated
| if has_checksum_header(request): | ||
| return | ||
|
|
||
| extra_headers = {} |
There was a problem hiding this comment.
Do we have a rough idea of what expansion we're expecting here? Generally grab-bag style containers like this tend to grow in unexpected ways. It may be worth constraining to the exact header we're expecting since it's tightly coupled to the checksum we're creating.
There was a problem hiding this comment.
I updated this to instead store the following in our request checksum context:
"request_algorithm_header": {
"name": "foo",
"value": "bar",
},
We can later check if "request_algorithm_header" in request["context"]["checksum"] and apply the header if it exists. Let me know if that's better.
| # We only support unsigned trailer checksums currently. As this | ||
| # disables payload signing we'll only use trailers over TLS. | ||
| location_type = "trailer" | ||
| if request["context"]["client_config"].signature_version != 's3': |
There was a problem hiding this comment.
Nit: would we prefer this if condition to be added to the parent if viaand?
This PR makes the following updates to the botocore flexible checksum behavior:
Request Checksum Calculation
awscrtdependency.request_checksum_calculationconfig is set towhen_supported(default value), a checksum will be generated whenever one of the following conditions is true:httpchecksumtrait and defines arequestAlgorithmMember.httpchecksumtrait and definesrequestChecksumRequired: true.request_checksum_calculationconfig is set towhen_required, a checksum will be generated only when:httpchecksumtrait and definesrequestChecksumRequired: true.S3 Customizations:
Response Checksum Validation
requestValidationModeMemberby the user will be used by the SDK.requestValidationModeMembervalue is not set by the user, the following behavior is experienced:response_checksum_validationconfig is set towhen_supported(default value), therequestValidationModeMemberwill be set toENABLED.response_checksum_validationconfig is set towhen_required, therequestValidationModeMemberwill not be set and checksum validation is skipped.