Skip to content

Disable response checksum validation for custom S3 endpoints#37

Draft
ffittschen wants to merge 1 commit into
cirruslabs:mainfrom
ffittschen:fix/s3-presign-checksum-mode
Draft

Disable response checksum validation for custom S3 endpoints#37
ffittschen wants to merge 1 commit into
cirruslabs:mainfrom
ffittschen:fix/s3-presign-checksum-mode

Conversation

@ffittschen

Copy link
Copy Markdown

This PR keeps presigned GETs portable across S3-compatible stores by disabling response checksum validation when a custom endpoint is configured.

The root cause is in newS3Client: the client is built without overriding ResponseChecksumValidation, so it keeps aws-sdk-go-v2's default of WhenSupported. The presign client is derived from that same client (NewS3Storages3.NewPresignClient), so presigned GetObject URLs carry a signed x-amz-checksum-mode=ENABLED query param. Some S3-compatible stores don't verify that extra signed parameter and reject the request with 403 SignatureDoesNotMatch, so proxied cache restores fail even though the object exists and header-signed requests succeed. This reproduces against SeaweedFS 3.80 (4.38 handles the presigned signature correctly); the param is unnecessary on a proxied download regardless, and real AWS S3 is unaffected.

This PR sets ResponseChecksumValidation = WhenRequired in newS3Client only when a custom BaseEndpoint is configured, so presigned GETs stay portable across stores that don't verify the param while leaving real AWS S3 untouched.

Fixes #35.

How to test

  • Assert that go test ./internal/commands/ -run TestNewS3ClientCustomEndpointPresignOmitsChecksumMode passes — it asserts a presigned GET for a custom endpoint carries no X-Amz-Checksum-Mode param (offline; no backend required).
  • Assert that go build ./... is clean.
  • The full go test ./... suite requires Docker/LocalStack (testcontainers) and was not run in my environment.

The GHA v2 proxy download re-presigns a GET and fetches it back through
the sidecar. With aws-sdk-go-v2's default ResponseChecksumValidation of
"when_supported", the presigned GET carries a signed
x-amz-checksum-mode=ENABLED query parameter. S3-compatible stores that
do not verify that extra signed parameter reject the request with 403
SignatureDoesNotMatch, so every proxied cache restore fails even though
the object exists and header-signed requests succeed.

Set ResponseChecksumValidation to WhenRequired when a custom endpoint is
configured so presigned GETs stay portable across S3-compatible stores;
real AWS S3 is unaffected. Add an offline regression test asserting the
parameter is absent.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Presigned GET carries a signed x-amz-checksum-mode param that some S3-compatible stores reject with 403

1 participant