Check both MD5 locations for S3 KMS support.

If the S3 bucket used to house a repo has KMS encryption enabled then
the etag of an object may not match the MD5 of the file. This may
cause an incorrect error to be reported stating the file already
exists and is different.

A mechanism exists to work around this issue by using the MD5 stored
in object metadata. This check doesn't always cover the case where KMS
is enabled as the fallback is only used if the etag is not 32
characters long.

This commit changes the fallback mechanism so that it is used in any
case where the object's etag does not match the source MD5. This will
incur a performance penalty of an extra head request for each object
with a mismatch.
Kevin Martin
2023-03-21 19:58:13 -04:00
committed by André Roth
parent b5bf2cbcda
commit 1af09069f7


@@ -335,7 +335,11 @@ func (storage *PublishedStorage) LinkFromPool(publishedPrefix, publishedRelPath,
sourceMD5 := sourceChecksums.MD5
if exists {
if len(destinationMD5) != 32 {
if sourceMD5 == "" {
return fmt.Errorf("unable to compare object, MD5 checksum missing")
}
if len(destinationMD5) != 32 || destinationMD5 != sourceMD5 {
// doesnt look like a valid MD5,
// attempt to fetch one from the metadata
var err error
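Review bot: The comment under the condition `if len(destinationMD5) != 32 || destinationMD5 != sourceMD5 {` is now stale. It still says the value "doesnt look like a valid MD5", but this branch is also taken for a well-formed 32-character etag that simply differs from sourceMD5, which is the KMS case the commit message describes. Please reword the comment to cover both reasons for falling back to the metadata MD5. A smaller point: sourceMD5 is checked for being non-empty just above, so if it is always a 32-character digest, the length test is implied by the inequality and the condition could be reduced to `destinationMD5 != sourceMD5`.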
@@ -346,17 +350,13 @@ func (storage *PublishedStorage) LinkFromPool(publishedPrefix, publishedRelPath,
}
storage.pathCache[relPath] = destinationMD5
}
if sourceMD5 == "" {
return fmt.Errorf("unable to compare object, MD5 checksum missing")
}
if destinationMD5 == sourceMD5 {
return nil
}
if !force && destinationMD5 != sourceMD5 {
if !force {
return fmt.Errorf("error putting file to %s: file already exists and is different: %s", poolPath, storage)
}
}
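Review bot: The "file already exists and is different" error at the end of this hunk does not say which checksums were compared. Now that the metadata fallback runs for every etag mismatch, a missing or outdated metadata MD5 on the object produces the same message as a real content difference. Consider including sourceMD5 and destinationMD5 in the error text so the two cases can be told apart from the log. It would also help to add a short comment at `storage.pathCache[relPath] = destinationMD5` stating that the cached value may be the metadata MD5 rather than the etag, because later readers of pathCache may assume it always holds the etag.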