don't perform checksum validation in non-200 responses (#3075)

lucix-aws · web-flow · commit 977ee1d009c7 · 2025-04-28T11:04:31.000-04:00
diff --git a/.changelog/498b8f56240049758f82d8ee7a827ccd.json b/.changelog/498b8f56240049758f82d8ee7a827ccd.json
@@ -0,0 +1,8 @@
+{
+    "id": "498b8f56-2400-4975-8f82-d8ee7a827ccd",
+    "type": "bugfix",
+    "description": "Don't emit warnings about lack of checksum validation for non-200 responses.",
+    "modules": [
+        "service/internal/checksum"
+    ]
+}
diff --git a/service/internal/checksum/middleware_validate_output.go b/service/internal/checksum/middleware_validate_output.go
@@ -78,6 +78,12 @@ func (m *validateOutputPayloadChecksum) HandleDeserialize(
 		}
 	}
 
+	// this runs BEFORE the deserializer, so we have to preemptively check for
+	// non-200, in which case there is no checksum to validate
+	if response.StatusCode != 200 {
+		return out, metadata, err
+	}
+
 	var expectedChecksum string
 	var algorithmToUse Algorithm
 	for _, algorithm := range m.Algorithms {
@@ -94,7 +100,7 @@ func (m *validateOutputPayloadChecksum) HandleDeserialize(
 
 	// Skip validation if no checksum algorithm or checksum is available.
 	if len(expectedChecksum) == 0 || len(algorithmToUse) == 0 {
-		if response.StatusCode != 404 && response.Body != http.NoBody && m.LogValidationSkipped {
+		if response.Body != http.NoBody && m.LogValidationSkipped {
 			// TODO this probably should have more information about the
 			// operation output that won't be validated.
 			logger.Logf(logging.Warn,
diff --git a/service/internal/checksum/middleware_validate_output_test.go b/service/internal/checksum/middleware_validate_output_test.go
@@ -153,6 +153,20 @@ func TestValidateOutputPayloadChecksum(t *testing.T) {
 			expectAlgorithmsUsed:     []string{"CRC32"},
 			expectPayload:            []byte("hello world"),
 		},
+		"skip non-200": {
+			modifyContext: func(ctx context.Context) context.Context {
+				return setContextOutputValidationMode(ctx, "ENABLED")
+			},
+			response: &smithyhttp.Response{
+				Response: &http.Response{
+					StatusCode: 400,
+					Body:       ioutil.NopCloser(strings.NewReader("error")),
+				},
+			},
+			// does not log
+			expectHaveAlgorithmsUsed: false,
+			expectPayload:            []byte("error"),
+		},
 		"success skip ignore multipart checksum": {
 			modifyContext: func(ctx context.Context) context.Context {
 				return setContextOutputValidationMode(ctx, "ENABLED")
