chore: add checksum validation to received ObjectRangeData

BenWhitehead · BenWhitehead · commit 8e516e6a2053 · 2025-03-14T16:47:39.000-04:00
When receiving an ObjectRangeData the checksum in the ChecksummedData should be validated.

If validation fails, we will abandon the read_id associated with the failed ObjectRangeData. And issue a new request from the offset of the pending client side read.
By abandoning the read_id we ensure that our response observer will receive and evaluate all BidiReadObjectResponse but that in pending bytes for that read_id won't be surfaced to the application thereby maintaining integrity of the bytes.

Add a test to ITBlobDescriptorFakeTest.java to induce a checksum failure and validate correct handling.
diff --git a/google-cloud-storage/clirr-ignored-differences.xml b/google-cloud-storage/clirr-ignored-differences.xml
@@ -127,4 +127,11 @@
     <method>com.google.api.core.ApiFuture getBlobDescriptor(com.google.cloud.storage.BlobId, com.google.cloud.storage.Storage$BlobSourceOption[])</method>
   </difference>
 
+  <difference>
+    <differenceType>7005</differenceType>
+    <className>com/google/cloud/storage/Hasher$*</className>
+    <method>* validate(*)</method>
+    <to>* validate(*)</to>
+  </difference>
+
 </differences>
diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobDescriptorState.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobDescriptorState.java
@@ -16,14 +16,16 @@
 
 package com.google.cloud.storage;
 
+import static com.google.common.base.Preconditions.checkState;
+
 import com.google.common.collect.ImmutableList;
 import com.google.storage.v2.BidiReadHandle;
 import com.google.storage.v2.BidiReadObjectRequest;
 import com.google.storage.v2.Object;
 import com.google.storage.v2.ReadRange;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
 import org.checkerframework.checker.nullness.qual.MonotonicNonNull;
@@ -44,7 +46,7 @@ final class BlobDescriptorState {
     this.routingToken = new AtomicReference<>();
     this.metadata = new AtomicReference<>();
     this.readIdSeq = new AtomicLong(1);
-    this.outstandingReads = new ConcurrentHashMap<>();
+    this.outstandingReads = new HashMap<>();
   }
 
   BidiReadObjectRequest getOpenRequest() {
@@ -74,15 +76,21 @@ long newReadId() {
 
   @Nullable
   BlobDescriptorStreamRead getOutstandingRead(long key) {
-    return outstandingReads.get(key);
+    synchronized (this) {
+      return outstandingReads.get(key);
+    }
   }
 
   void putOutstandingRead(long key, BlobDescriptorStreamRead value) {
-    outstandingReads.put(key, value);
+    synchronized (this) {
+      outstandingReads.put(key, value);
+    }
   }
 
   void removeOutstandingRead(long key) {
-    outstandingReads.remove(key);
+    synchronized (this) {
+      outstandingReads.remove(key);
+    }
   }
 
   void setRoutingToken(String routingToken) {
@@ -94,9 +102,22 @@ String getRoutingToken() {
     return this.routingToken.get();
   }
 
-  public List<ReadRange> getOutstandingReads() {
-    return outstandingReads.values().stream()
-        .map(BlobDescriptorStreamRead::makeReadRange)
-        .collect(ImmutableList.toImmutableList());
+  BlobDescriptorStreamRead assignNewReadId(long oldReadId) {
+    synchronized (this) {
+      BlobDescriptorStreamRead remove = outstandingReads.remove(oldReadId);
+      checkState(remove != null, "unable to locate old");
+      long newReadId = newReadId();
+      BlobDescriptorStreamRead withNewReadId = remove.withNewReadId(newReadId);
+      outstandingReads.put(newReadId, withNewReadId);
+      return withNewReadId;
+    }
+  }
+
+  List<ReadRange> getOutstandingReads() {
+    synchronized (this) {
+      return outstandingReads.values().stream()
+          .map(BlobDescriptorStreamRead::makeReadRange)
+          .collect(ImmutableList.toImmutableList());
+    }
   }
 }
diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobDescriptorStream.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobDescriptorStream.java
@@ -24,14 +24,17 @@
 import com.google.api.gax.rpc.ResponseObserver;
 import com.google.api.gax.rpc.StreamController;
 import com.google.common.base.Preconditions;
+import com.google.protobuf.ByteString;
 import com.google.rpc.Status;
 import com.google.storage.v2.BidiReadHandle;
 import com.google.storage.v2.BidiReadObjectError;
 import com.google.storage.v2.BidiReadObjectRedirectedError;
 import com.google.storage.v2.BidiReadObjectRequest;
 import com.google.storage.v2.BidiReadObjectResponse;
+import com.google.storage.v2.ChecksummedData;
 import com.google.storage.v2.Object;
 import com.google.storage.v2.ObjectRangeData;
+import com.google.storage.v2.ReadRange;
 import com.google.storage.v2.ReadRangeError;
 import java.io.IOException;
 import java.util.List;
@@ -240,11 +243,33 @@ public void onResponse(BidiReadObjectResponse response) {
         }
         for (int i = 0; i < rangeData.size(); i++) {
           ObjectRangeData d = rangeData.get(i);
-          long id = d.getReadRange().getReadId();
+          ReadRange readRange = d.getReadRange();
+          long id = readRange.getReadId();
           BlobDescriptorStreamRead read = state.getOutstandingRead(id);
           if (read == null) {
             continue;
           }
+          // TODO: validate read is still open
+          // todo: check that offsets match up
+          ChecksummedData checksummedData = d.getChecksummedData();
+          ByteString content = checksummedData.getContent();
+          int crc32C = checksummedData.getCrc32C();
+
+          try {
+            // todo: benchmark how long it takes to compute this checksum and whether it needs to
+            //   happen on a non-io thread
+            Hasher.enabled().validate(Crc32cValue.of(crc32C), content);
+          } catch (IOException e) {
+            //noinspection resource
+            BlobDescriptorStreamRead readWithNewId = state.assignNewReadId(id);
+            // todo: record failure for read
+            BidiReadObjectRequest requestWithNewReadId =
+                BidiReadObjectRequest.newBuilder()
+                    .addReadRanges(readWithNewId.makeReadRange())
+                    .build();
+            requestStream.send(requestWithNewReadId);
+            continue;
+          }
           final int idx = i;
           //noinspection rawtypes
           ResponseContentLifecycleHandle.ChildRef childRef =
diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobDescriptorStreamRead.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobDescriptorStreamRead.java
@@ -39,11 +39,16 @@ abstract class BlobDescriptorStreamRead implements AutoCloseable, Closeable {
   protected final List<ChildRef> childRefs;
   protected boolean closed;
 
-  private BlobDescriptorStreamRead(long readId, long readOffset, long readLimit) {
+  private BlobDescriptorStreamRead(long readId, ReadCursor readCursor) {
+    this(readId, readCursor, Collections.synchronizedList(new ArrayList<>()), false);
+  }
+
+  private BlobDescriptorStreamRead(
+      long readId, ReadCursor readCursor, List<ChildRef> childRefs, boolean closed) {
     this.readId = readId;
-    this.readCursor = new ReadCursor(readOffset, readOffset + readLimit);
-    this.childRefs = Collections.synchronizedList(new ArrayList<>());
-    this.closed = false;
+    this.readCursor = readCursor;
+    this.childRefs = childRefs;
+    this.closed = closed;
   }
 
   abstract void accept(ChildRef childRef) throws IOException;
@@ -52,6 +57,8 @@ private BlobDescriptorStreamRead(long readId, long readOffset, long readLimit) {
 
   abstract void fail(Status status) throws IOException;
 
+  abstract BlobDescriptorStreamRead withNewReadId(long newReadId);
+
   final ReadRange makeReadRange() {
     return ReadRange.newBuilder()
         .setReadId(readId)
@@ -70,22 +77,37 @@ public void close() throws IOException {
 
   static AccumulatingRead<byte[]> createByteArrayAccumulatingRead(
       long readId, ByteRangeSpec range, SettableApiFuture<byte[]> complete) {
-    return new ByteArrayAccumulatingRead(readId, range.beginOffset(), range.length(), complete);
+    return new ByteArrayAccumulatingRead(
+        readId,
+        new ReadCursor(range.beginOffset(), range.beginOffset() + range.length()),
+        complete);
   }
 
   static AccumulatingRead<DisposableByteString> createZeroCopyByteStringAccumulatingRead(
       long readId, ByteRangeSpec range, SettableApiFuture<DisposableByteString> complete) {
     return new ZeroCopyByteStringAccumulatingRead(
-        readId, range.beginOffset(), range.length(), complete);
+        readId,
+        new ReadCursor(range.beginOffset(), range.beginOffset() + range.length()),
+        complete);
   }
 
   /** Base class of a read that will accumulate before completing by resolving a future */
   abstract static class AccumulatingRead<Result> extends BlobDescriptorStreamRead {
     protected final SettableApiFuture<Result> complete;
 
     private AccumulatingRead(
-        long readId, long readOffset, long readLimit, SettableApiFuture<Result> complete) {
-      super(readId, readOffset, readLimit);
+        long readId, ReadCursor readCursor, SettableApiFuture<Result> complete) {
+      super(readId, readCursor);
+      this.complete = complete;
+    }
+
+    private AccumulatingRead(
+        long readId,
+        ReadCursor readCursor,
+        List<ChildRef> childRefs,
+        boolean closed,
+        SettableApiFuture<Result> complete) {
+      super(readId, readCursor, childRefs, closed);
       this.complete = complete;
     }
 
@@ -106,15 +128,29 @@ void fail(Status status) throws IOException {
    */
   abstract static class StreamingRead extends BlobDescriptorStreamRead {
     private StreamingRead(long readId, long readOffset, long readLimit) {
-      super(readId, readOffset, readLimit);
+      super(readId, new ReadCursor(readOffset, readOffset + readLimit));
+    }
+
+    public StreamingRead(
+        long readId, ReadCursor readCursor, List<ChildRef> childRefs, boolean closed) {
+      super(readId, readCursor, childRefs, closed);
     }
   }
 
   static final class ByteArrayAccumulatingRead extends AccumulatingRead<byte[]> {
 
     private ByteArrayAccumulatingRead(
-        long readId, long readOffset, long readLimit, SettableApiFuture<byte[]> complete) {
-      super(readId, readOffset, readLimit, complete);
+        long readId, ReadCursor readCursor, SettableApiFuture<byte[]> complete) {
+      super(readId, readCursor, complete);
+    }
+
+    private ByteArrayAccumulatingRead(
+        long readId,
+        ReadCursor readCursor,
+        List<ChildRef> childRefs,
+        boolean closed,
+        SettableApiFuture<byte[]> complete) {
+      super(readId, readCursor, childRefs, closed, complete);
     }
 
     @Override
@@ -136,6 +172,11 @@ void eof() throws IOException {
         close();
       }
     }
+
+    @Override
+    ByteArrayAccumulatingRead withNewReadId(long newReadId) {
+      return new ByteArrayAccumulatingRead(newReadId, readCursor, childRefs, closed, complete);
+    }
   }
 
   static final class ZeroCopyByteStringAccumulatingRead
@@ -144,11 +185,8 @@ static final class ZeroCopyByteStringAccumulatingRead
     private volatile ByteString byteString;
 
     private ZeroCopyByteStringAccumulatingRead(
-        long readId,
-        long readOffset,
-        long readLimit,
-        SettableApiFuture<DisposableByteString> complete) {
-      super(readId, readOffset, readLimit, complete);
+        long readId, ReadCursor readCursor, SettableApiFuture<DisposableByteString> complete) {
+      super(readId, readCursor, complete);
     }
 
     @Override
@@ -172,5 +210,10 @@ void eof() throws IOException {
       byteString = base;
       complete.set(this);
     }
+
+    @Override
+    ZeroCopyByteStringAccumulatingRead withNewReadId(long newReadId) {
+      return new ZeroCopyByteStringAccumulatingRead(newReadId, readCursor, complete);
+    }
   }
 }
diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/GapicUnbufferedReadableByteChannel.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/GapicUnbufferedReadableByteChannel.java
@@ -181,7 +181,7 @@ public long read(ByteBuffer[] dsts, int offset, int length) throws IOException {
       if (checksummedData.hasCrc32C()) {
         Crc32cLengthKnown expected = Crc32cValue.of(checksummedData.getCrc32C(), contentSize);
         try {
-          hasher.validate(expected, content.asReadOnlyByteBufferList());
+          hasher.validate(expected, content);
         } catch (IOException e) {
           close();
           throw e;
diff --git a/google-cloud-storage/src/main/java/com/google/cloud/storage/Hasher.java b/google-cloud-storage/src/main/java/com/google/cloud/storage/Hasher.java
@@ -18,6 +18,7 @@
 
 import com.google.cloud.storage.Crc32cValue.Crc32cLengthKnown;
 import com.google.common.hash.Hashing;
+import com.google.protobuf.ByteString;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.List;
@@ -38,7 +39,7 @@ default Crc32cLengthKnown hash(Supplier<ByteBuffer> b) {
 
   void validate(Crc32cValue<?> expected, Supplier<ByteBuffer> b) throws IOException;
 
-  void validate(Crc32cValue<?> expected, List<ByteBuffer> buffers) throws IOException;
+  void validate(Crc32cValue<?> expected, ByteString byteString) throws IOException;
 
   @Nullable
   Crc32cLengthKnown nullSafeConcat(Crc32cLengthKnown r1, Crc32cLengthKnown r2);
@@ -66,7 +67,7 @@ public Crc32cLengthKnown hash(ByteBuffer b) {
     public void validate(Crc32cValue<?> expected, Supplier<ByteBuffer> b) {}
 
     @Override
-    public void validate(Crc32cValue<?> expected, List<ByteBuffer> b) {}
+    public void validate(Crc32cValue<?> expected, ByteString b) {}
 
     @Override
     public @Nullable Crc32cLengthKnown nullSafeConcat(Crc32cLengthKnown r1, Crc32cLengthKnown r2) {
@@ -88,7 +89,8 @@ public Crc32cLengthKnown hash(ByteBuffer b) {
 
     @SuppressWarnings({"ConstantConditions", "UnstableApiUsage"})
     @Override
-    public void validate(Crc32cValue<?> expected, List<ByteBuffer> b) throws IOException {
+    public void validate(Crc32cValue<?> expected, ByteString byteString) throws IOException {
+      List<ByteBuffer> b = byteString.asReadOnlyByteBufferList();
       long remaining = 0;
       com.google.common.hash.Hasher crc32c = Hashing.crc32c().newHasher();
       for (ByteBuffer tmp : b) {
diff --git a/google-cloud-storage/src/test/java/com/google/cloud/storage/ITBlobDescriptorFakeTest.java b/google-cloud-storage/src/test/java/com/google/cloud/storage/ITBlobDescriptorFakeTest.java
