spring-cloud-aws icon indicating copy to clipboard operation
spring-cloud-aws copied to clipboard

Published 20 hours ago verified publisher icon awspring

checksum algorithm on presigned url ignored

Open jeusdi opened this issue 11 months ago • 1 comments

Type: Bug

Component: "S3"

Describe the bug I'm trying to create PUT presigned url` in order to send them to the client and client makes the upload to my S3 bucket.

My S3 is configured to send PutObejct events to an SQS. Then, I need to get the checksum of uploaded file in order to store the checksum into my database.

I'm trying to create a put presigned_url with this code:

public URL generatePushResourceLocation(DocumentId documentId, String contentMD5) {
	ObjectMetadata objectMetadata = ObjectMetadata.builder().checksumAlgorithm(ChecksumAlgorithm.SHA256).build();
	URL signedPutURL = s3Template.createSignedPutURL(this.bucket, key, Duration.ofMinutes(10), objectMetadata, null);

	return signedPutURL;
}

The generated url sample is like:

http://localstack.localhost:8000/espaidoc/9a6f8254-502b-4a44-b82a-5fb16022e8fd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240308T120347Z&X-Amz-SignedHeaders=host%3Bx-amz-sdk-checksum-algorithm&X-Amz-Expires=60&X-Amz-Credential=test%2F20240308%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=1df5154810a2b11136c9425333c139ac0a1c4d6537de2d372e74645be7ab22c3

As you can see, a x-amz-sdk-checksum-algorithm parameter is appended, but it's empty.

When I make the PUT using generated presigned url everything seems to work, but when I'm trying to get object attributes, I'm not getting any ChecksumSHA256:

$ aws s3api get-object-attributes --bucket $BUCKET_NAME --key $KEY --object-attributes "ObjectSize" "Checksum" | yq .
{
  "LastModified": "2024-03-08T12:05:24+00:00",
  "ObjectSize": 2333
}

I'm trying to simulate this behavior using cli:

$ aws s3api put-object --bucket $BUCKET_NAME --key $KEY --body pom.xml --checksum-algorithm SHA256 | yq .
{
  "ETag": "\"44a7a97ddff52b27557a39cb2983ae62\"",
  "ChecksumSHA256": "ZR6CNpjrGvQWPPkaHiAeTWm2La1ZZIHLjtrFaPjnaPc=",
  "ServerSideEncryption": "AES256"
}

Also, I'm able to get object attributes like:

$ aws s3api get-object-attributes --bucket $BUCKET_NAME --key $KEY --object-attributes "ObjectSize" "Checksum" | yq .
{
  "LastModified": "2024-03-08T12:01:16+00:00",
  "Checksum": {
    "ChecksumSHA256": "ZR6CNpjrGvQWPPkaHiAeTWm2La1ZZIHLjtrFaPjnaPc="
  },
  "ObjectSize": 2097
}

Isn't it able to set a checksum algorithm on presigned PUT url?

jeusdi avatar Mar 08 '24 20:03 jeusdi