s3: add checksum configuration options

Dockerfile

@@ -39,7 +39,6 @@ ARG SEMVER_TESTING_ACCESS_KEY_ID
 ARG SEMVER_TESTING_SECRET_ACCESS_KEY
 ARG SEMVER_TESTING_BUCKET
 ARG SEMVER_TESTING_REGION
-ARG SEMVER_TESTING_V2_SIGNING
 COPY --from=builder /tests /go-tests
 WORKDIR /go-tests
 RUN set -e; for test in /go-tests/*.test; do \

README.md

@@ -79,6 +79,18 @@ the bucket.
 * `server_side_encryption`: *Optional.* The server-side encryption algorithm
 used when storing the version object (e.g. `AES256`, `aws:kms`, `aws:kms:dsse`).
 
+* `skip_s3_checksums`: *Optional.* Disables automatic checksum validation
+  for S3 operations. The AWS SDK v2 enables checksum validation by default,
+  which may not be supported by all S3-compatible providers. When set to
+  `true`, checksums are only calculated and validated when explicitly
+  required by the S3 API. Defaults to `false` (automatic checksums enabled).
+
+* `checksum_algorithm`: *Optional.* Specifies the checksum algorithm to use
+  when uploading objects to S3. Valid values are `CRC32`, `CRC32C`, `SHA1`,
+  `SHA256`, or `CRC64NVME`. If not specified, S3 will use its default algorithm.
+  This setting is ignored if `skip_s3_checksums` is set to `true`. Note that
+  not all S3-compatible providers support all algorithms.
+
 The following IAM permissions are required with a resource ARN like
 `"arn:aws:s3:::BUCKET_NAME/*"`. You could use the exact key instead of `/*` if
 you wish:

check/check_suite_test.go

@@ -15,7 +15,6 @@ var accessKeyID = os.Getenv("SEMVER_TESTING_ACCESS_KEY_ID")
 var secretAccessKey = os.Getenv("SEMVER_TESTING_SECRET_ACCESS_KEY")
 var bucketName = os.Getenv("SEMVER_TESTING_BUCKET")
 var regionName = os.Getenv("SEMVER_TESTING_REGION")
-var v2signing = os.Getenv("SEMVER_TESTING_V2_SIGNING") == "true"
 
 var _ = BeforeSuite(func() {
 	var err error

check/check_test.go

@@ -73,7 +73,6 @@ var _ = Describe("Check", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					RegionName:      regionName,
-					UseV2Signing:    v2signing,
 				},
 			}
 

driver/driver.go

@@ -12,6 +12,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/blang/semver"
 	"github.com/concourse/semver-resource/models"
@@ -96,6 +97,13 @@ func FromSource(source models.Source) (Driver, error) {
 			},
 		}
 
+		if source.SkipS3Checksums {
+			s3Opts = append(s3Opts, func(o *s3.Options) {
+				o.RequestChecksumCalculation = aws.RequestChecksumCalculationWhenRequired
+				o.ResponseChecksumValidation = aws.ResponseChecksumValidationWhenRequired
+			})
+		}
+
 		if source.Endpoint != "" {
 			endpoint := source.Endpoint
 			u, err := url.Parse(source.Endpoint)
@@ -118,13 +126,19 @@ func FromSource(source models.Source) (Driver, error) {
 
 		s3Client := s3.NewFromConfig(cfg, s3Opts...)
 
+		var checksumAlgorithm types.ChecksumAlgorithm
+		if source.ChecksumAlgorithm != "" && !source.SkipS3Checksums {
+			checksumAlgorithm = types.ChecksumAlgorithm(source.ChecksumAlgorithm)
+		}
+
 		return &S3Driver{
 			InitialVersion: initialVersion,
 
 			Svc:                  s3Client,
 			BucketName:           source.Bucket,
 			Key:                  source.Key,
 			ServerSideEncryption: source.ServerSideEncryption,
+			ChecksumAlgorithm:    checksumAlgorithm,
 		}, nil
 
 	case models.DriverGit:

driver/s3.go

@@ -27,6 +27,7 @@ type S3Driver struct {
 	BucketName           string
 	Key                  string
 	ServerSideEncryption string
+	ChecksumAlgorithm    types.ChecksumAlgorithm
 }
 
 func (driver *S3Driver) Bump(bump version.Bump) (semver.Version, error) {
@@ -80,6 +81,10 @@ func (driver *S3Driver) Set(newVersion semver.Version) error {
 		params.ServerSideEncryption = types.ServerSideEncryption(driver.ServerSideEncryption)
 	}
 
+	if len(driver.ChecksumAlgorithm) > 0 {
+		params.ChecksumAlgorithm = driver.ChecksumAlgorithm
+	}
+
 	_, err := driver.Svc.PutObject(context.TODO(), params)
 	return err
 }

in/in_suite_test.go

@@ -15,7 +15,6 @@ var accessKeyID = os.Getenv("SEMVER_TESTING_ACCESS_KEY_ID")
 var secretAccessKey = os.Getenv("SEMVER_TESTING_SECRET_ACCESS_KEY")
 var bucketName = os.Getenv("SEMVER_TESTING_BUCKET")
 var regionName = os.Getenv("SEMVER_TESTING_REGION")
-var v2signing = os.Getenv("SEMVER_TESTING_V2_SIGNING") == "true"
 
 var _ = BeforeSuite(func() {
 	var err error

in/in_test.go

@@ -76,7 +76,6 @@ var _ = Describe("In", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					RegionName:      regionName,
-					UseV2Signing:    v2signing,
 				},
 				Params: models.InParams{},
 			}

models/models.go

@@ -69,7 +69,8 @@ type Source struct {
 	DisableSSL           bool   `json:"disable_ssl"`
 	SkipSSLVerification  bool   `json:"skip_ssl_verification"`
 	ServerSideEncryption string `json:"server_side_encryption"`
-	UseV2Signing         bool   `json:"use_v2_signing"`
+	SkipS3Checksums      bool   `json:"skip_s3_checksums"`
+	ChecksumAlgorithm    string `json:"checksum_algorithm"`
 
 	URI           string `json:"uri"`
 	Branch        string `json:"branch"`

out/out_test.go

@@ -73,7 +73,6 @@ var _ = Describe("Out", func() {
 					AccessKeyID:     accessKeyID,
 					SecretAccessKey: secretAccessKey,
 					RegionName:      regionName,
-					UseV2Signing:    v2signing,
 				},
 				Params: models.OutParams{},
 			}