Add integrity checks to CompleteMultipartUpload
https://redmine.teklia.com/issues/11437
Requires #1928 (closed)
The MultipartUploadCompleteSerializer.create method should be extended to verify the hashes returned by S3 after completing the upload.
The load(ChecksumMode="ENABLED") updates the object attributes with the e_tag, computed from the list of part MD5 hashes, and the checksum_sha256 and other similar attributes for other hash algorithms.
Steps 8 and 9 of this tutorial describe how to compute and verify both checksums.
-
If all
md5_hashwere set in the parts:- Concatenate them all and turn them back into binary with
bytes.fromhex - Build an MD5 digest as a 32 character hexadecimal string of that concatenation
- Check that the
s3_object.e_tagis either{hash}-{len(parts)}(Ceph) or"{hash}-{len(parts)}"(Minio, AWS)
- Concatenate them all and turn them back into binary with
-
If
checksum_algorithmis set:- Concatenate them all and turn them back into binary with
bytes.fromhex - Get a checksum of this concatenation as a
bytes - Encode this checksum as Base64
- Check that the
s3_object.checksum_*is{checksum}-{len(parts)}
- Concatenate them all and turn them back into binary with
When either of those steps fail, perform the same error handling as for the object size check.
Edited by Erwan Rouchet