CLDSRV-908: CopyObject handle checksums

[leif-scality]

• Forward a src object checksum to the dest object
• Recompute the checksum when required (x-amz-checksum-algorithm header set, src object MPU with COMPOSITE checksum, ...). If needed this will trigger a GET operation to download and calculate the object checksum
• Compute a CRC64NMVE for the dest object if the src object has no checksum (counts as a recompute so the same conditions as above apply)

  ┌─────┬─────────────────────┬────────────────────────────────────┬──────────────────────────────────────────────────────────────────┐
  │  #  │   Source checksum   │ x-amz-checksum-algorithm requested │                            Recompute?                            │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 1   │ none                │ none                               │ Yes (Compute default CRC64NVME)                                  │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 2   │ FULL_OBJECT, algo X │ none                               │ No — propagate as-is                                             │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 3   │ FULL_OBJECT, algo X │ X (same algo)                      │ No — propagate as-is                                             │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 4   │ FULL_OBJECT, algo X │ Y (different algo)                 │ Yes                                                              │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 5   │ COMPOSITE, algo X   │ none                               │ Yes (can't propagate a MPU format digest to a single-object dest)│
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 6   │ COMPOSITE, algo X   │ X (same algo)                      │ Yes                                                              │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 7   │ COMPOSITE, algo X   │ Y (different algo)                 │ Yes                                                              │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 8   │ none                │ any algo                           │ Yes (source has no digest, must compute)                         │
  ├─────┼─────────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────────┤
  │ 9   │ any                 │ source is 0-byte                   │ Yes (special-cased — empty-bytes digest, no streaming)           │
  └─────┴─────────────────────┴────────────────────────────────────┴──────────────────────────────────────────────────────────────────┘

Backend / scenario	Copy method	Old Copy method (pre-PR)
file / mem / sproxyd (scality)	GET + PUT + DELETE	GET + PUT + DELETE (same)
aws_s3 / azure / gcp — propagate (FULL_OBJECT src, algorithm absent or matching)	Native server-side copy (CopyObject / beginCopyFromURL / copyObject) — no GET	Native server-side copy (same)
aws_s3 / azure / gcp — recompute	GET + PUT + DELETE — streamed through CloudServer	Native server-side copy — no GET
external, cross-type or external ↔ local (e.g. aws → azure, aws → file)	GET + PUT + DELETE	GET + PUT + DELETE (same)
external, any + SSE	GET + PUT + DELETE	GET + PUT + DELETE (same)
copy-to-self — propagate (same location, no SSE, unversioned)	metadata-only — reuse location (no data)	metadata-only — reuse location (same)
copy-to-self — recompute (any backend)	GET only — reuse location (no PUT, no DELETE)	metadata-only — reuse location, no GET
0-byte source (same location / local)	metadata-only — no data	metadata-only — no data (same)
0-byte source → different external backend	PUT (data.put(null))	PUT (data.put(null)) (same)

[bert-e]

Hello leif-scality,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-908 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.4.0

Please check the Fix Version/s of CLDSRV-908, or the target
branch of this pull request.

[claude]

LGTM — clean implementation of checksum propagation and recompute on CopyObject. Stream handling (jsutil.once guards, Azure per-part passthrough, error propagation) and the _shouldRecomputeChecksum decision logic are solid. One minor test style issue flagged inline.

- require() inside describe/withV4 callback in functional test — move to top of file

Review by Claude Code

[codecov]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
9367	2	9365	0

View the full list of 2 ❄️ flaky test(s)

"after each" hook for "should fail if trying to overwrite a delete marker"::MPU with x-scal-s3-version-id header With default signature "after each" hook for "should fail if trying to overwrite a delete marker"

Flake rate in main: 100.00% (Passed 0 times, Failed 11 times)

Stack Traces | 0.014s run time

We encountered an internal error. Please try again.

"after each" hook for "should fail if trying to overwrite a delete marker"::MPU with x-scal-s3-version-id header With v4 signature "after each" hook for "should fail if trying to overwrite a delete marker"

Flake rate in main: 100.00% (Passed 0 times, Failed 2 times)

Stack Traces | 0.014s run time

We encountered an internal error. Please try again.

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[claude]

LGTM

Review by Claude Code

[claude]

• Stream leak on source read error: when sourceStream errors in the recompute path, checksumStream is not destroyed, so data.put (reading from it) may hang indefinitely
  - Destroy checksumStream in the sourceStream error handler
  - Data orphan on copy-to-self with recompute: the recompute path writes new data via data.put, but deleteExistingData skips cleanup when sourceIsDestination is true, orphaning the old data locations
  - Track whether new data was written in the recompute path and allow cleanup in deleteExistingData accordingly
  
  Review by Claude Code

[claude]

LGTM

Review by Claude Code

[claude]

LGTM

Review by Claude Code

[claude]

Well-structured PR with thorough test coverage across all checksum scenarios (propagation, recompute, 0-byte, COMPOSITE, multi-part, Azure, copy-to-self, external backends).

- Stream leak on error in _recomputeChecksumAndStore: when one of sourceStream/checksumStream errors, the other is not destroyed, potentially leaking file descriptors from data.get. Add explicit destroy() calls on both streams in the error branch of the finish/done callbacks (applies to both the copy-to-self and stream-through-and-put paths).

Review by Claude Code

[claude]

• Potential data loss on copy-to-self with external backend (skipExternalBackendRecompute path): deleteExistingData at line 858 of objectCopy.js will delete the existing data locations even though no new data was written, because _shouldRecomputeChecksum() returns true but the recompute was skipped. The _dataReused flag is only set in _recomputeChecksumAndStore, not in the goGetData early-return path. Fix: set storeMetadataParams._dataReused = true before the early return at line 687.
  - The unit test at line 1152 (should early-return on copy-to-self) should also spy on data.batchDelete to catch this.
  
  Review by Claude Code

[claude]

LGTM — well-structured implementation with thorough test coverage across all the checksum scenarios (propagation, recompute, 0-byte, multi-part, Azure, copy-to-self, external backends, orphan cleanup, legacy string locations).

One note posted inline:

- Pre-existing needsEncryption bug (.algo vs .algorithm at line 692) makes the SSE guard in the new _recomputeChecksumAndStore copy-to-self path ineffective — not a regression from this PR, but worth tracking as a follow-up fix

Review by Claude Code

[claude]

LGTM

Thorough implementation of checksum handling on CopyObject. The propagation/recompute decision matrix covers all documented cases. Error handling with jsutil.once() guards against double callbacks throughout the stream paths. The orphan-detection filter (_orphanedDataLocations) correctly handles legacy string locations and cross-backend identity comparisons. Test coverage is comprehensive — unit tests for propagation, recompute (per-algorithm, COMPOSITE sources, multi-part, SSE, Azure path, 0-byte, copy-to-self), orphan cleanup, and legacy locations; plus functional end-to-end tests.

Review by Claude Code

[claude]

LGTM

Review by Claude Code

[claude]

LGTM

Thorough implementation with proper stream error handling (jsutil.once guards against double callbacks), correct orphan detection via (dataStoreName, key) identity, and comprehensive test coverage across all checksum scenarios (propagation, recompute, 0-byte, Azure, multi-part, SSE, copy-to-self, legacy string locations).

Review by Claude Code

[BourgoisMickael]

the error is not wrapped here

[BourgoisMickael]

You could pass the part as param to that function and define it once outside the async.eachSeries

[BourgoisMickael]

It's not optimal to use a Transform only for the side effect of calculating checksum while discarding the output.
The Transform still works on pushing bytes into it's buffer.
Maybe we could rework the Checksum by implementing a new ChecksumWritable stream that does the same checksum computation but discards immediately the bytes without pushing.

[leif-scality]

I don't think it is worth it to create a ChecksumWritable just to avoid a NOP. The checksum transform already handles everything and it is already tested

[BourgoisMickael]

Maybe this error should be wrapped as well to easily troubleshoot if an error is coming from the source or checksum stream

[BourgoisMickael]

not ideal to use boolean comparison with .is

Suggested change

	assert.strictEqual(err.is.InvalidRequest, true);
	assert.strictEqual(err.message, 'InvalidRequest');

[BourgoisMickael]

Ideally those restore should be in a hook beforeEach or afterEach to cover the case where an error is thrown before without executing this callback, that would leave the spy in place

[BourgoisMickael]

Same here, the stub should be tracked outside this test to be restored in a hook to avoid missing it if any code path throws without reaching this callbacks

[BourgoisMickael]

same here, the first assert.ifError from metadata.getObjectMD would not restore the spys

[BourgoisMickael]

Prefer assert.match with a regex to see the full detail of the xml + expected pattern in error message, or include a message to the assert to provide more details about actual vs expected value

[BourgoisMickael]

Overall many sinon spy/stub in many tests seems they could skip restore if some error branches is reached (here the ifError of getObjectMD and putObjectMD).

Maybe we should include in the claude review skill that in test files any mock/spy/stub should be tracked and cleaned in an afterEach hook to make sure every branch is covered. Otherwise one test failure might impact another test.