CLDSRV-873: return checksum in HeadObject

leif-scality · leif-scality · commit 86267367ad00 · 2026-03-18T15:18:06.000+01:00
diff --git a/lib/api/objectHead.js b/lib/api/objectHead.js
@@ -32,6 +32,12 @@ function objectHead(authInfo, request, log, callback) {
     const bucketName = request.bucketName;
     const objectKey = request.objectKey;
 
+    const checksumMode = request.headers['x-amz-checksum-mode'];
+    if (checksumMode !== undefined && checksumMode !== 'ENABLED') {
+        log.debug('invalid x-amz-checksum-mode', { checksumMode });
+        return callback(errors.InvalidArgument);
+    }
+
     const decodedVidResult = decodeVersionId(request.query);
     if (decodedVidResult instanceof Error) {
         log.trace('invalid versionId query', {
@@ -97,6 +103,15 @@ function objectHead(authInfo, request, log, callback) {
             const responseHeaders = collectResponseHeaders(objMD, corsHeaders,
                 verCfg);
 
+            if (checksumMode === 'ENABLED') {
+                const checksum = objMD.checksum;
+                if (checksum) {
+                    responseHeaders[`x-amz-checksum-${checksum.checksumAlgorithm}`]
+                        = checksum.checksumValue;
+                    responseHeaders['x-amz-checksum-type'] = checksum.checksumType;
+                }
+            }
+
             setExpirationHeaders(responseHeaders, {
                 lifecycleConfig: bucket.getLifecycleConfiguration(),
                 objectParams: {
diff --git a/tests/functional/aws-node-sdk/test/object/objectHead.js b/tests/functional/aws-node-sdk/test/object/objectHead.js
@@ -14,7 +14,14 @@ const {
     UploadPartCommand,
     CompleteMultipartUploadCommand,
 } = require('@aws-sdk/client-s3');
-
+// Register the CRT-based CRC64NVME implementation with the SDK middleware.
+// The crc64-nvme-crt package sets its own container but the flexible-checksums
+// middleware has a separate container that must be patched explicitly.
+const { CrtCrc64Nvme } = require('@aws-sdk/crc64-nvme-crt');
+const { crc64NvmeCrtContainer } = require('@aws-sdk/middleware-flexible-checksums');
+crc64NvmeCrtContainer.CrtCrc64Nvme = CrtCrc64Nvme;
+
+const { algorithms } = require('../../../../../lib/api/apiUtils/integrity/validateChecksums');
 const changeObjectLock = require('../../../../utilities/objectLock-util');
 const withV4 = require('../support/withV4');
 const BucketUtility = require('../../lib/utility/bucket-util');
@@ -538,6 +545,84 @@ describe('HEAD object, conditions', () => {
     });
 });
 
+describe('HEAD object checksum mode', () => {
+    withV4(sigCfg => {
+        let bucketUtil;
+        let s3;
+        const checksumBucket = 'checksum-headobject-test';
+        const checksumKey = 'checksum-test-object';
+        const body = Buffer.from('checksum test body');
+
+        // Expected base64-encoded digests of `body` for each algorithm,
+        // computed once in the before hook (crc64nvme digest is async).
+        const expectedDigests = {};
+
+        before(async () => {
+            bucketUtil = new BucketUtility('default', sigCfg);
+            s3 = bucketUtil.s3;
+            await s3.send(new CreateBucketCommand({ Bucket: checksumBucket }));
+
+            for (const { internalName } of checksumAlgorithms) {
+                // algorithms[internalName].digest() returns a base64 string
+                expectedDigests[internalName] =
+                    await algorithms[internalName].digest(body);
+            }
+        });
+
+        after(async () => {
+            await bucketUtil.empty(checksumBucket);
+            await s3.send(new DeleteBucketCommand({ Bucket: checksumBucket }));
+        });
+
+        const checksumAlgorithms = [
+            { algorithm: 'SHA256', responseField: 'ChecksumSHA256', internalName: 'sha256' },
+            { algorithm: 'SHA1',   responseField: 'ChecksumSHA1',   internalName: 'sha1'   },
+            { algorithm: 'CRC32',  responseField: 'ChecksumCRC32',  internalName: 'crc32'  },
+            { algorithm: 'CRC32C', responseField: 'ChecksumCRC32C', internalName: 'crc32c' },
+            { algorithm: 'CRC64NVME', responseField: 'ChecksumCRC64NVME', internalName: 'crc64nvme' },
+        ];
+
+        checksumAlgorithms.forEach(({ algorithm, responseField, internalName }) => {
+            it(`should return ${responseField} and ChecksumType when ChecksumMode is ENABLED`, async () => {
+                const putRes = await s3.send(new PutObjectCommand({
+                    Bucket: checksumBucket,
+                    Key: checksumKey,
+                    Body: body,
+                    ChecksumAlgorithm: algorithm,
+                }));
+                const storedChecksum = putRes[responseField];
+                assert(storedChecksum, `Expected ${responseField} in PutObject response`);
+
+                const headRes = await s3.send(new HeadObjectCommand({
+                    Bucket: checksumBucket,
+                    Key: checksumKey,
+                    ChecksumMode: 'ENABLED',
+                }));
+                assert.strictEqual(headRes[responseField], expectedDigests[internalName],
+                    `${responseField} value mismatch`);
+                assert.strictEqual(headRes[responseField], storedChecksum);
+                assert.strictEqual(headRes.ChecksumType, 'FULL_OBJECT');
+            });
+        });
+
+        it('should not return checksum headers when ChecksumMode is not set', async () => {
+            await s3.send(new PutObjectCommand({
+                Bucket: checksumBucket,
+                Key: checksumKey,
+                Body: body,
+                ChecksumAlgorithm: 'SHA256',
+            }));
+
+            const headRes = await s3.send(new HeadObjectCommand({
+                Bucket: checksumBucket,
+                Key: checksumKey,
+            }));
+            assert.strictEqual(headRes.ChecksumSHA256, undefined);
+            assert.strictEqual(headRes.ChecksumType, undefined);
+        });
+    });
+});
+
 const isCEPH = process.env.CI_CEPH !== undefined;
 const describeSkipIfCeph = isCEPH ? describe.skip : describe;
 
diff --git a/tests/unit/api/objectHead.js b/tests/unit/api/objectHead.js
@@ -1,4 +1,7 @@
 const assert = require('assert');
+const { models } = require('arsenal');
+const { ObjectMD, ObjectMDChecksum } = models;
+const { algorithms } = require('../../../lib/api/apiUtils/integrity/validateChecksums');
 
 const { bucketPut } = require('../../../lib/api/bucketPut');
 const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../helpers');
@@ -565,6 +568,104 @@ describe('objectHead API', () => {
         });
     });
 
+    describe('x-amz-checksum-mode', () => {
+        const checksumAlgorithms = [
+            { name: 'sha256',    header: 'x-amz-checksum-sha256'    },
+            { name: 'sha1',      header: 'x-amz-checksum-sha1'      },
+            { name: 'crc32',     header: 'x-amz-checksum-crc32'     },
+            { name: 'crc32c',    header: 'x-amz-checksum-crc32c'    },
+            { name: 'crc64nvme', header: 'x-amz-checksum-crc64nvme' },
+        ];
+
+        // Digests of postBody ("I am a body") for each algorithm, computed once.
+        const expectedDigests = {};
+
+        before(done => {
+            Promise.all(checksumAlgorithms.map(async ({ name }) => {
+                expectedDigests[name] = await algorithms[name].digest(postBody);
+            })).then(() => done(), done);
+        });
+
+        checksumAlgorithms.forEach(({ name, header }) => {
+            it(`should return ${header} and x-amz-checksum-type when mode is ENABLED`, done => {
+                const md = new ObjectMD(mdColdHelper.baseMd)
+                    .setChecksum(new ObjectMDChecksum(name, expectedDigests[name], 'FULL_OBJECT'));
+                mdColdHelper.putBucketMock(bucketName, null, () =>
+                    mdColdHelper.putObjectMock(bucketName, objectName, md, () => {
+                        const req = {
+                            bucketName,
+                            namespace,
+                            objectKey: objectName,
+                            headers: { 'x-amz-checksum-mode': 'ENABLED' },
+                            url: `/${bucketName}/${objectName}`,
+                        };
+                        objectHead(authInfo, req, log, (err, res) => {
+                            assert.ifError(err);
+                            assert.strictEqual(res[header], expectedDigests[name]);
+                            assert.strictEqual(res['x-amz-checksum-type'], 'FULL_OBJECT');
+                            done();
+                        });
+                    }));
+            });
+        });
+
+        it('should not return checksum headers when mode is ENABLED but object has no checksum', done => {
+            mdColdHelper.putBucketMock(bucketName, null, () =>
+                mdColdHelper.putObjectMock(bucketName, objectName, undefined, () => {
+                    const req = {
+                        bucketName,
+                        namespace,
+                        objectKey: objectName,
+                        headers: { 'x-amz-checksum-mode': 'ENABLED' },
+                        url: `/${bucketName}/${objectName}`,
+                    };
+                    objectHead(authInfo, req, log, (err, res) => {
+                        assert.ifError(err);
+                        checksumAlgorithms.forEach(({ header }) =>
+                            assert.strictEqual(res[header], undefined));
+                        assert.strictEqual(res['x-amz-checksum-type'], undefined);
+                        done();
+                    });
+                }));
+        });
+
+        it('should not return checksum headers when x-amz-checksum-mode is not set', done => {
+            const md = new ObjectMD(mdColdHelper.baseMd)
+                .setChecksum(new ObjectMDChecksum('sha256', expectedDigests.sha256, 'FULL_OBJECT'));
+            mdColdHelper.putBucketMock(bucketName, null, () =>
+                mdColdHelper.putObjectMock(bucketName, objectName, md, () => {
+                    const req = {
+                        bucketName,
+                        namespace,
+                        objectKey: objectName,
+                        headers: {},
+                        url: `/${bucketName}/${objectName}`,
+                    };
+                    objectHead(authInfo, req, log, (err, res) => {
+                        assert.ifError(err);
+                        checksumAlgorithms.forEach(({ header }) =>
+                            assert.strictEqual(res[header], undefined));
+                        assert.strictEqual(res['x-amz-checksum-type'], undefined);
+                        done();
+                    });
+                }));
+        });
+
+        it('should return InvalidArgument when x-amz-checksum-mode is not ENABLED', done => {
+            const req = {
+                bucketName,
+                namespace,
+                objectKey: objectName,
+                headers: { 'x-amz-checksum-mode': 'DISABLED' },
+                url: `/${bucketName}/${objectName}`,
+            };
+            objectHead(authInfo, req, log, err => {
+                assert.strictEqual(err.is.InvalidArgument, true);
+                done();
+            });
+        });
+    });
+
     [
         {
             name: 'should return content-length of 0 when requesting part 1 of empty object',
diff --git a/tests/unit/api/utils/metadataMockColdStorage.js b/tests/unit/api/utils/metadataMockColdStorage.js
@@ -202,6 +202,7 @@ function getDeleteMarkerObjectMD(versionId) {
 }
 
 module.exports = {
+    baseMd,
     putObjectMock,
     getArchivedObjectMD,
     getRestoringObjectMD,

Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,7 @@ function getDeleteMarkerObjectMD(versionId) {`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`module.exports = {`
	`205`	`+ baseMd,`
`205`	`206`	`putObjectMock,`
`206`	`207`	`getArchivedObjectMD,`
`207`	`208`	`getRestoringObjectMD,`