Changed-lines coverage: PR changed C/C++ lines covered by tests: 91.36% (444/486) Uncovered changed code (with context): ================================================================================ src/IO/S3/Client.h ================================================================================ --- uncovered block 246-246 --- 244 | } 245 | >> 246 | ProviderType getProviderType() const { return provider_type; } 247 | 248 | bool isClientForGCS() const { return provider_type == ProviderType::GCS; } ================================================================================ src/IO/S3/Requests.cpp ================================================================================ --- uncovered block 54-56 --- 52 | "which require a flexible checksum; use CRC32 or SHA256"); 53 | if (OpenSSLInitializer::instance().isFIPSEnabled()) >> 54 | throw Exception( >> 55 | ErrorCodes::INVALID_SETTING_VALUE, >> 56 | "Setting upload_checksum_algorithm cannot be MD5 when FIPS mode is enabled; use CRC32 or SHA256"); 57 | } 58 | return *algorithm; --- uncovered block 67-67 --- 65 | /// Default to the SDK's `Content-MD5` path. Under FIPS that is unavailable and silently dropped, so upgrade to `SHA256`. 66 | if (OpenSSLInitializer::instance().isFIPSEnabled()) >> 67 | return RequestChecksum::Algorithm::SHA256; 68 | return RequestChecksum::Algorithm::MD5; 69 | } ================================================================================ src/IO/S3/Requests.h ================================================================================ --- uncovered block 62-62 --- 60 | case Algorithm::SHA256: 61 | return Model::ChecksumAlgorithm::SHA256; >> 62 | case Algorithm::MD5: 63 | throw Exception(ErrorCodes::LOGICAL_ERROR, "MD5 cannot be used as an AWS flexible checksum algorithm"); 64 | } --- uncovered block 80-81 --- 78 | target.SetChecksumSHA256(checksum); 79 | return; >> 80 | case Algorithm::MD5: >> 81 | return; 82 | } 83 | UNREACHABLE(); --- uncovered block 97-98 --- 95 | case Algorithm::SHA256: 96 | return Aws::Utils::HashingUtils::Base64Encode(Aws::Utils::HashingUtils::CalculateSHA256(*(req.GetBody()))); >> 97 | case Algorithm::MD5: >> 98 | break; 99 | } 100 | UNREACHABLE(); --- uncovered block 195-195 --- 193 | { 194 | if (!RequestChecksum::usesFlexibleChecksumHeader(algorithm)) >> 195 | return; 196 | 197 | upload_checksum_algorithm = algorithm; ================================================================================ src/IO/S3/copyS3File.cpp ================================================================================ --- uncovered block 153-153 --- 151 | const auto & storage_class_name = request_settings[S3RequestSetting::storage_class_name]; 152 | if (!storage_class_name.value.empty()) >> 153 | request.SetStorageClass(Aws::S3::Model::StorageClassMapper::GetStorageClassForName(storage_class_name)); 154 | 155 | if (usesFlexibleUploadChecksumHeader()) --- uncovered block 419-419 --- 417 | { 418 | if (has_failed) >> 419 | return; 420 | 421 | try --- uncovered block 530-533 --- 528 | const auto & storage_class_name = request_settings[S3RequestSetting::storage_class_name]; 529 | if (!storage_class_name.value.empty()) >> 530 | request.SetStorageClass(Aws::S3::Model::StorageClassMapper::GetStorageClassForName(storage_class_name)); 531 | 532 | if (usesFlexibleUploadChecksumHeader()) >> 533 | request.setUploadChecksumAlgorithm(*upload_checksum_algorithm); 534 | 535 | /// If we don't do it, AWS SDK can mistakenly set it to application/xml, see https://github.com/aws/aws-sdk-cpp/issues/1840 ================================================================================ src/IO/S3RequestSettings.cpp ================================================================================ --- uncovered block 262-264 --- 260 | /// No `MD5` under FIPS — it would silently send no checksum. 261 | if (algorithm && *algorithm == S3::RequestChecksum::Algorithm::MD5 && OpenSSLInitializer::instance().isFIPSEnabled()) >> 262 | throw Exception( >> 263 | ErrorCodes::INVALID_SETTING_VALUE, >> 264 | "Setting upload_checksum_algorithm cannot be MD5 when FIPS mode is enabled; use CRC32 or SHA256"); 265 | 266 | /// TODO: it's possible to set too small limits. ================================================================================ src/IO/WriteBufferFromS3.cpp ================================================================================ --- uncovered block 513-513 --- 511 | /// `GCS` is never an `S3Express` bucket, so this check can short-circuit before the `S3Express` handling. 512 | if (client_ptr->isClientForGCS()) >> 513 | return std::nullopt; 514 | 515 | if (client_ptr->isChecksumDisabled() && !client_ptr->isS3ExpressBucket()) --- uncovered block 669-669 --- 667 | 668 | if (!write_settings.object_storage_write_if_match.empty()) >> 669 | req.SetIfMatch(write_settings.object_storage_write_if_match); 670 | 671 | Aws::S3::Model::CompletedMultipartUpload multipart_upload; ================================================================================ src/IO/tests/gtest_writebuffer_s3.cpp ================================================================================ --- uncovered block 973-984 --- 971 | if (DB::OpenSSLInitializer::instance().isFIPSEnabled()) 972 | { >> 973 | EXPECT_THROW({ >> 974 | try 975 | { >> 976 | request_settings.updateFromSettings(getSettings(), /* if_changed */ true, /* validate_settings */ true); 977 | } >> 978 | catch (const DB::Exception & e) 979 | { >> 980 | ASSERT_EQ(ErrorCodes::INVALID_SETTING_VALUE, e.code()); >> 981 | EXPECT_THAT(e.what(), testing::HasSubstr("cannot be MD5 when FIPS mode is enabled")); >> 982 | throw; 983 | } >> 984 | }, DB::Exception); 985 | } 986 | else --- uncovered block 1072-1086 --- 1070 | if (DB::OpenSSLInitializer::instance().isFIPSEnabled()) 1071 | { >> 1072 | getSettings()[Setting::s3_upload_checksum_algorithm] = "MD5"; >> 1073 | request_settings.updateFromSettings(getSettings(), /* if_changed */ true, /* validate_settings */ false); 1074 | >> 1075 | EXPECT_THROW({ >> 1076 | try 1077 | { >> 1078 | S3::RequestChecksum::getUploadChecksumAlgorithm(request_settings, /* is_s3express_bucket */ false); 1079 | } >> 1080 | catch (const DB::Exception & e) 1081 | { >> 1082 | ASSERT_EQ(ErrorCodes::INVALID_SETTING_VALUE, e.code()); >> 1083 | EXPECT_THAT(e.what(), testing::HasSubstr("cannot be MD5 when FIPS mode is enabled")); >> 1084 | throw; 1085 | } >> 1086 | }, DB::Exception); 1087 | } 1088 | } --- uncovered block 1103-1105 --- 1101 | if (DB::OpenSSLInitializer::instance().isFIPSEnabled()) 1102 | { >> 1103 | ASSERT_EQ(Aws::S3::Model::ChecksumAlgorithm::SHA256, injection->put_object_algorithm); >> 1104 | ASSERT_TRUE(injection->put_object_request_checksum_required); >> 1105 | ASSERT_FALSE(injection->put_object_should_compute_content_md5); 1106 | } 1107 | else --- uncovered block 1118-1118 --- 1116 | { 1117 | if (DB::OpenSSLInitializer::instance().isFIPSEnabled()) >> 1118 | return; 1119 | 1120 | auto injection = std::make_shared(); WARNING: Failed to get start time for [Print Uncovered Code] - start time and duration won't be set --- Coverage counts --- Lines : baseline 871,758/1,017,564 -> current 872,407/1,018,015 (delta +649 / +451) Functions : baseline 945,476/1,020,463 -> current 945,555/1,020,521 (delta +79 / +58) Branches : baseline 280,558/360,194 -> current 280,728/360,404 (delta +170 / +210)