CLDSRV-744: add missing md5 checksum checks

Author: leif-scality

lib/api/api.js

@@ -74,6 +74,7 @@ const parseCopySource = require('./apiUtils/object/parseCopySource');
 const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKeys');
 const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks');
 const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
+const { validateMethodChecksumNoChunking } = require('./apiUtils/integrity/validateChecksums');
 
 const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
 
@@ -242,8 +243,16 @@ const api = {
                                   { postLength });
                         return next(errors.InvalidRequest);
                     }
+
+                    const buff = Buffer.concat(post, postLength);
+
+                    const err = validateMethodChecksumNoChunking(request, buff, log);
+                    if (err) {
+                        return next(err);
+                    }
+
                     // Convert array of post buffers into one string
-                    request.post = Buffer.concat(post, postLength).toString();
+                    request.post = buff.toString();
                     return next(null, userInfo, authorizationResults, streamingV4Params, infos);
                 });
                 return undefined;

lib/api/apiUtils/integrity/validateChecksums.js

@@ -0,0 +1,82 @@
+const crypto = require('crypto');
+const { errors: ArsenalErrors } = require('arsenal');
+const { config } = require('../../../Config');
+
+const ChecksumError = Object.freeze({
+    MD5Mismatch: 'MD5Mismatch',
+    MissingChecksum: 'MissingChecksum',
+});
+
+/**
+ * validateChecksumsNoChunking - Validate the checksums of a request.
+ * @param {object} headers - http headers
+ * @param {Buffer} body - http request body
+ * @return {object} - error
+ */
+function validateChecksumsNoChunking(headers, body) {
+    if (headers && headers['content-md5']) {
+        const md5 = crypto.createHash('md5').update(body).digest('base64');
+        if (md5 !== headers['content-md5']) {
+            return { error: ChecksumError.MD5Mismatch, details: { calculated: md5, expected: headers['content-md5'] } };
+        }
+
+        return null;
+    }
+
+    return { error: ChecksumError.MissingChecksum, details: null };
+}
+
+function defaultValidationFunc(request, body, log) {
+    const err = validateChecksumsNoChunking(request.headers, body);
+    if (err && err.error !== ChecksumError.MissingChecksum) {
+        log.debug('failed checksum validation', { method: request.apiMethod }, err);
+        return ArsenalErrors.BadDigest;
+    }
+
+    return null;
+}
+
+const methodValidationFunc = {
+    'bucketPutACL': defaultValidationFunc,
+    'bucketPutCors': defaultValidationFunc,
+    'bucketPutEncryption': defaultValidationFunc,
+    'bucketPutLifecycle': defaultValidationFunc,
+    'bucketPutNotification': defaultValidationFunc,
+    'bucketPutObjectLock': defaultValidationFunc,
+    'bucketPutPolicy': defaultValidationFunc,
+    'bucketPutReplication': defaultValidationFunc,
+    'bucketPutVersioning': defaultValidationFunc,
+    'bucketPutWebsite': defaultValidationFunc,
+    // TODO: DeleteObjects requires a checksum. Should return an error if ChecksumError.MissingChecksum.
+    'multiObjectDelete': defaultValidationFunc,
+    'objectPutACL': defaultValidationFunc,
+    'objectPutLegalHold': defaultValidationFunc,
+    'objectPutTagging': defaultValidationFunc,
+    'objectPutRetention': defaultValidationFunc,
+};
+
+/**
+ * validateMethodChecksumsNoChunking - Validate the checksums of a request.
+ * @param {object} request - http request
+ * @param {Buffer} body - http request body
+ * @param {object} log - logger
+ * @return {object} - error
+ */
+function validateMethodChecksumNoChunking(request, body, log) {
+    if (config.integrityChecks[request.apiMethod]) {
+        const validationFunc = methodValidationFunc[request.apiMethod];
+        if (!validationFunc) {
+            return null;
+        }
+
+        return validationFunc(request, body, log);
+    }
+
+    return null;
+}
+
+module.exports = {
+    ChecksumError,
+    validateChecksumsNoChunking,
+    validateMethodChecksumNoChunking,
+};

lib/api/bucketPutCors.js

@@ -1,4 +1,3 @@
-const crypto = require('crypto');
 const async = require('async');
 const { errors, errorInstances } = require('arsenal');
 
@@ -33,16 +32,6 @@ function bucketPutCors(authInfo, request, log, callback) {
         return callback(errors.MissingRequestBodyError);
     }
 
-    if (request.headers['content-md5']) {
-        const md5 = crypto.createHash('md5')
-            .update(request.post, 'utf8').digest('base64');
-        if (md5 !== request.headers['content-md5']) {
-            log.debug('bad md5 digest', { error: errors.BadDigest });
-            monitoring.promMetrics('PUT', bucketName, 400, 'putBucketCors');
-            return callback(errors.BadDigest);
-        }
-    }
-
     if (parseInt(request.headers['content-length'], 10) > 65536) {
         const errMsg = 'The CORS XML document is limited to 64 KB in size.';
         log.debug(errMsg, { error: errors.MalformedXML });

lib/api/bucketPutReplication.js

@@ -33,6 +33,7 @@ function bucketPutReplication(authInfo, request, log, callback) {
         requestType: request.apiMethods || 'bucketPutReplication',
         request,
     };
+
     return waterfall([
         // Validate the request XML and return the replication configuration.
         next => getReplicationConfiguration(post, log, next),

lib/api/multiObjectDelete.js

@@ -1,5 +1,3 @@
-const crypto = require('crypto');
-
 const async = require('async');
 const { parseString } = require('xml2js');
 const { auth, errors, versioning, s3middleware, policies } = require('arsenal');
@@ -475,16 +473,6 @@ function multiObjectDelete(authInfo, request, log, callback) {
         return callback(errors.MissingRequestBodyError);
     }
 
-    if (request.headers['content-md5']) {
-        const md5 = crypto.createHash('md5')
-            .update(request.post, 'utf8').digest('base64');
-        if (md5 !== request.headers['content-md5']) {
-            monitoring.promMetrics('DELETE', request.bucketName, 400,
-                'multiObjectDelete');
-            return callback(errors.BadDigest);
-        }
-    }
-
     const inPlayInternal = [];
     const bucketName = request.bucketName;
     const canonicalID = authInfo.getCanonicalID();

lib/api/objectPutTagging.js

@@ -27,7 +27,6 @@ function objectPutTagging(authInfo, request, log, callback) {
     log.debug('processing request', { method: 'objectPutTagging' });
 
     const { bucketName, objectKey } = request;
-
     const decodedVidResult = decodeVersionId(request.query);
     if (decodedVidResult instanceof Error) {
         log.trace('invalid versionId query', {

tests/unit/api/api.js

@@ -4,6 +4,7 @@ const api = require('../../../lib/api/api');
 const DummyRequest = require('../DummyRequest');
 const { default: AuthInfo } = require('arsenal/build/lib/auth/AuthInfo');
 const assert = require('assert');
+const crypto = require('crypto');
 
 describe('api.callApiMethod', () => {
     let sandbox;
@@ -49,6 +50,7 @@ describe('api.callApiMethod', () => {
         sandbox.restore();
     });
 
+
     it('should attach apiMethod to request', done => {
         const testMethod = 'bucketGet';
         api.callApiMethod(testMethod, request, response, log, () => {
@@ -112,4 +114,101 @@ describe('api.callApiMethod', () => {
             (userInfo, _request, streamingV4Params, log, cb) => cb);
         api.callApiMethod('multipartDelete', request, response, log);
     });
+
+    describe('MD5 checksum validation', () => {
+        const methodsWithChecksumValidation = [
+            'bucketPutACL',
+            'bucketPutCors', 
+            'bucketPutEncryption',
+            'bucketPutLifecycle',
+            'bucketPutNotification',
+            'bucketPutObjectLock',
+            'bucketPutPolicy',
+            'bucketPutReplication',
+            'bucketPutVersioning',
+            'bucketPutWebsite',
+            'multiObjectDelete',
+            'objectPutACL',
+            'objectPutLegalHold',
+            'objectPutTagging',
+            'objectPutRetention'
+        ];
+
+        methodsWithChecksumValidation.forEach(method => {
+            it(`should return BadDigest for ${method} when bad MD5 checksum is provided`, done => {
+                const body = '<xml></xml>';
+                const headers = {
+                    'content-md5': 'badchecksum123=', // Invalid MD5
+                    'content-length': body.length.toString()
+                };
+                
+                const requestWithBody = new DummyRequest({
+                    headers,
+                    query: {},
+                    socket: { remoteAddress: '127.0.0.1', destroy: sandbox.stub() }
+                }, body);
+                
+                sandbox.stub(api, method).callsFake(() => {
+                    done(new Error(`${method} was called despite bad checksum`));
+                });
+
+                api.callApiMethod(method, requestWithBody, response, log, err => {
+                    assert(err, `Expected error for ${method} with bad checksum`);
+                    assert(err.is.BadDigest, `Expected BadDigest error for ${method}, got: ${err.code}`);
+                    done();
+                });
+            });
+        });
+
+        methodsWithChecksumValidation.forEach(method => {
+            it(`should succeed for ${method} when correct MD5 checksum is provided`, done => {
+                const body = '<xml></xml>';
+                const correctMd5 = crypto.createHash('md5').update(body).digest('base64');
+                const headers = {
+                    'content-md5': correctMd5,
+                    'content-length': body.length.toString()
+                };
+                
+                const requestWithBody = new DummyRequest({
+                    headers,
+                    query: {},
+                    socket: { remoteAddress: '127.0.0.1', destroy: sandbox.stub() }
+                }, body);
+                
+                sandbox.stub(api, method).callsFake((userInfo, _request, log, cb) => {
+                    cb();
+                });
+
+                api.callApiMethod(method, requestWithBody, response, log, err => {
+                    assert.ifError(err, `Unexpected error for ${method} with good checksum: ${err}`);
+                    done();
+                });
+            });
+        });
+
+        methodsWithChecksumValidation.forEach(method => {
+            it(`should succeed for ${method} when no MD5 checksum is provided`, done => {
+                const body = '<xml></xml>';
+                const headers = {
+                    'content-md5': '',
+                    'content-length': body.length.toString()
+                };
+                
+                const requestWithBody = new DummyRequest({
+                    headers,
+                    query: {},
+                    socket: { remoteAddress: '127.0.0.1', destroy: sandbox.stub() }
+                }, body);
+                
+                sandbox.stub(api, method).callsFake((userInfo, _request, log, cb) => {
+                    cb();
+                });
+
+                api.callApiMethod(method, requestWithBody, response, log, err => {
+                    assert(!err, `Unexpected error for ${method} with no checksum: ${err}`);
+                    done();
+                });
+            });
+        });
+    });
 });