s3store: Add option to log API calls (#1260)

Author: Acconut

cmd/tusd/cli/composer.go

@@ -7,6 +7,9 @@ import (
 	"path/filepath"
 	"strings"
 
+	"golang.org/x/exp/slog"
+
+	"github.com/tus/tusd/v2/internal/s3log"
 	"github.com/tus/tusd/v2/pkg/azurestore"
 	"github.com/tus/tusd/v2/pkg/filelocker"
 	"github.com/tus/tusd/v2/pkg/filestore"
@@ -45,7 +48,8 @@ func CreateComposer() {
 			printStartupLog("Using '%s/%s' as S3 endpoint and bucket for storage.\n", Flags.S3Endpoint, Flags.S3Bucket)
 		}
 
-		s3Client := s3.NewFromConfig(s3Config, func(o *s3.Options) {
+		var s3Client s3store.S3API
+		s3Client = s3.NewFromConfig(s3Config, func(o *s3.Options) {
 			o.UseAccelerate = Flags.S3TransferAcceleration
 
 			// Disable HTTPS and only use HTTP (helpful for debugging requests).
@@ -57,6 +61,13 @@ func CreateComposer() {
 			}
 		})
 
+		if Flags.S3LogAPICalls {
+			if !Flags.VerboseOutput {
+				stderr.Fatalf("The -s3-log-api-calls flag requires verbose mode (-verbose) to be enabled")
+			}
+			s3Client = s3log.New(s3Client, slog.Default())
+		}
+
 		store := s3store.New(Flags.S3Bucket, s3Client)
 		store.ObjectPrefix = Flags.S3ObjectPrefix
 		store.PreferredPartSize = Flags.S3PartSize

cmd/tusd/cli/flags.go

@@ -39,6 +39,7 @@ var Flags struct {
 	S3DisableContentHashes           bool
 	S3DisableSSL                     bool
 	S3ConcurrentPartUploads          int
+	S3LogAPICalls                    bool
 	GCSBucket                        string
 	GCSObjectPrefix                  string
 	AzStorage                        string
@@ -138,6 +139,7 @@ func ParseFlags() {
 		f.BoolVar(&Flags.S3DisableSSL, "s3-disable-ssl", false, "Disable SSL and only use HTTP for communication with S3 (experimental and may be removed in the future)")
 		f.IntVar(&Flags.S3ConcurrentPartUploads, "s3-concurrent-part-uploads", 10, "Number of concurrent part uploads to S3 (experimental and may be removed in the future)")
 		f.BoolVar(&Flags.S3TransferAcceleration, "s3-transfer-acceleration", false, "Use AWS S3 transfer acceleration endpoint (requires -s3-bucket option and Transfer Acceleration property on S3 bucket to be set)")
+		f.BoolVar(&Flags.S3LogAPICalls, "s3-log-api-calls", false, "Log all S3 API calls for debugging purposes")
 	})
 
 	fs.AddGroup("Google Cloud Storage options", func(f *flag.FlagSet) {

docs/_storage-backends/aws-s3.md

@@ -117,3 +117,13 @@ $ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7M
 ```
 
 Tusd is then usable at `http://localhost:8080/files/` and saves the uploads to the local MinIO instance.
+
+## Debugging
+
+If you are experiencing problems with the S3 storage, such as files not appearing in the bucket or uploads not resuming, it's helpful to inspect the individual calls that are made to S3. This is in particular useful when issues appear with S3-compatible services other than AWS S3. Small implementation differences can cause problems with resuming uploads, which can be spotted by inspecting the calls. To log all calls, enable the `-s3-log-api-calls` flag:
+
+```sh
+$ tusd -s3-bucket=my-test-bucket.com -s3-log-api-calls
+```
+
+The output may contain sensitive information, such as bucket names, IAM users, and account names. The content of the uploaded files is not logged. If a tusd maintainer asks for the logs and you don't want to share the logs publicly, you can ask to send them via e-mail.

internal/s3log/s3log.go

@@ -0,0 +1,173 @@
+// Package s3log provides a logging wrapper for the AWS S3 API.
+package s3log
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"golang.org/x/exp/slog"
+
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/tus/tusd/v2/pkg/s3store"
+)
+
+var _ s3store.S3API = &loggingS3API{}
+
+type loggingS3API struct {
+	// Wrapped is the underlying s3store.S3API implementation
+	Wrapped s3store.S3API
+	Logger  *slog.Logger
+}
+
+// New creates a wrapper around the provided S3 API that logs all calls to `logger`
+func New(wrapped s3store.S3API, logger *slog.Logger) s3store.S3API {
+	return &loggingS3API{
+		Wrapped: wrapped,
+		Logger:  logger,
+	}
+}
+
+// sanitizeForLogging creates a copy of the input with large values removed that
+// we don't want to print in the logs.
+func sanitizeForLogging(v interface{}) interface{} {
+	switch input := v.(type) {
+	case *s3.PutObjectInput:
+		sanitized := *input
+		sanitized.Body = nil
+		return sanitized
+	case *s3.UploadPartInput:
+		sanitized := *input
+		sanitized.Body = nil
+		return sanitized
+	case *s3.GetObjectOutput:
+		sanitized := *input
+		sanitized.Body = nil
+		return sanitized
+	default:
+		return v
+	}
+}
+
+// jsonEncode converts a value to a JSON string, handling errors gracefully
+func jsonEncode(v interface{}) string {
+	data, err := json.Marshal(v)
+	if err != nil {
+		return fmt.Sprintf("{\"error\":\"failed to marshal: %v\"}", err)
+	}
+
+	return string(data)
+}
+
+// logCall logs an API call with its input, output, and error
+func (l *loggingS3API) logCall(operation string, input, output interface{}, err error, duration time.Duration) {
+	sanitizedInput := sanitizeForLogging(input)
+	sanitizedOutput := sanitizeForLogging(output)
+
+	// Convert to JSON strings for structured logging
+	inputJSON := jsonEncode(sanitizedInput)
+	outputJSON := jsonEncode(sanitizedOutput)
+
+	attrs := []any{
+		"operation", operation,
+		"input", inputJSON,
+		"duration_ms", duration.Milliseconds(),
+	}
+
+	if err != nil {
+		attrs = append(attrs, "error", err.Error())
+	} else {
+		attrs = append(attrs, "output", outputJSON)
+	}
+
+	l.Logger.Debug("S3APICall", attrs...)
+}
+
+// PutObject implements the s3store.S3API interface
+func (l *loggingS3API) PutObject(ctx context.Context, input *s3.PutObjectInput, opt ...func(*s3.Options)) (*s3.PutObjectOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.PutObject(ctx, input, opt...)
+	l.logCall("PutObject", input, output, err, time.Since(start))
+	return output, err
+}
+
+// ListParts implements the s3store.S3API interface
+func (l *loggingS3API) ListParts(ctx context.Context, input *s3.ListPartsInput, opt ...func(*s3.Options)) (*s3.ListPartsOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.ListParts(ctx, input, opt...)
+	l.logCall("ListParts", input, output, err, time.Since(start))
+	return output, err
+}
+
+// UploadPart implements the s3store.S3API interface
+func (l *loggingS3API) UploadPart(ctx context.Context, input *s3.UploadPartInput, opt ...func(*s3.Options)) (*s3.UploadPartOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.UploadPart(ctx, input, opt...)
+	l.logCall("UploadPart", input, output, err, time.Since(start))
+	return output, err
+}
+
+// GetObject implements the s3store.S3API interface
+func (l *loggingS3API) GetObject(ctx context.Context, input *s3.GetObjectInput, opt ...func(*s3.Options)) (*s3.GetObjectOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.GetObject(ctx, input, opt...)
+	l.logCall("GetObject", input, output, err, time.Since(start))
+	return output, err
+}
+
+// HeadObject implements the s3store.S3API interface
+func (l *loggingS3API) HeadObject(ctx context.Context, input *s3.HeadObjectInput, opt ...func(*s3.Options)) (*s3.HeadObjectOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.HeadObject(ctx, input, opt...)
+	l.logCall("HeadObject", input, output, err, time.Since(start))
+	return output, err
+}
+
+// CreateMultipartUpload implements the s3store.S3API interface
+func (l *loggingS3API) CreateMultipartUpload(ctx context.Context, input *s3.CreateMultipartUploadInput, opt ...func(*s3.Options)) (*s3.CreateMultipartUploadOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.CreateMultipartUpload(ctx, input, opt...)
+	l.logCall("CreateMultipartUpload", input, output, err, time.Since(start))
+	return output, err
+}
+
+// AbortMultipartUpload implements the s3store.S3API interface
+func (l *loggingS3API) AbortMultipartUpload(ctx context.Context, input *s3.AbortMultipartUploadInput, opt ...func(*s3.Options)) (*s3.AbortMultipartUploadOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.AbortMultipartUpload(ctx, input, opt...)
+	l.logCall("AbortMultipartUpload", input, output, err, time.Since(start))
+	return output, err
+}
+
+// DeleteObject implements the s3store.S3API interface
+func (l *loggingS3API) DeleteObject(ctx context.Context, input *s3.DeleteObjectInput, opt ...func(*s3.Options)) (*s3.DeleteObjectOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.DeleteObject(ctx, input, opt...)
+	l.logCall("DeleteObject", input, output, err, time.Since(start))
+	return output, err
+}
+
+// DeleteObjects implements the s3store.S3API interface
+func (l *loggingS3API) DeleteObjects(ctx context.Context, input *s3.DeleteObjectsInput, opt ...func(*s3.Options)) (*s3.DeleteObjectsOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.DeleteObjects(ctx, input, opt...)
+	l.logCall("DeleteObjects", input, output, err, time.Since(start))
+	return output, err
+}
+
+// CompleteMultipartUpload implements the s3store.S3API interface
+func (l *loggingS3API) CompleteMultipartUpload(ctx context.Context, input *s3.CompleteMultipartUploadInput, opt ...func(*s3.Options)) (*s3.CompleteMultipartUploadOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.CompleteMultipartUpload(ctx, input, opt...)
+	l.logCall("CompleteMultipartUpload", input, output, err, time.Since(start))
+	return output, err
+}
+
+// UploadPartCopy implements the s3store.S3API interface
+func (l *loggingS3API) UploadPartCopy(ctx context.Context, input *s3.UploadPartCopyInput, opt ...func(*s3.Options)) (*s3.UploadPartCopyOutput, error) {
+	start := time.Now()
+	output, err := l.Wrapped.UploadPartCopy(ctx, input, opt...)
+	l.logCall("UploadPartCopy", input, output, err, time.Since(start))
+	return output, err
+}