localstack-core 4.10.1.dev42__py3-none-any.whl → 4.11.2.dev14__py3-none-any.whl

localstack/services/sns/v2/provider.py

@@ -1,25 +1,30 @@
 import contextlib
 import copy
+import functools
 import json
 import logging
 import re
 
 from botocore.utils import InvalidArnException
+from rolo import Request, Router, route
 
 from localstack.aws.api import CommonServiceException, RequestContext
 from localstack.aws.api.sns import (
     AmazonResourceName,
+    BatchEntryIdsNotDistinctException,
     ConfirmSubscriptionResponse,
     CreateEndpointResponse,
     CreatePlatformApplicationResponse,
     CreateTopicResponse,
     Endpoint,
+    EndpointDisabledException,
     GetEndpointAttributesResponse,
     GetPlatformApplicationAttributesResponse,
     GetSMSAttributesResponse,
     GetSubscriptionAttributesResponse,
     GetTopicAttributesResponse,
     InvalidParameterException,
+    InvalidParameterValueException,
     ListEndpointsByPlatformApplicationResponse,
     ListPlatformApplicationsResponse,
     ListString,
@@ -28,8 +33,14 @@ from localstack.aws.api.sns import (
     ListTagsForResourceResponse,
     ListTopicsResponse,
     MapStringToString,
+    MessageAttributeMap,
     NotFoundException,
+    PhoneNumber,
     PlatformApplication,
+    PublishBatchRequestEntryList,
+    PublishBatchResponse,
+    PublishBatchResultEntry,
+    PublishResponse,
     SetSMSAttributesResponse,
     SnsApi,
     String,
@@ -39,26 +50,48 @@ from localstack.aws.api.sns import (
     TagKeyList,
     TagList,
     TagResourceResponse,
+    TooManyEntriesInBatchRequestException,
     TopicAttributesMap,
     UntagResourceResponse,
     attributeName,
     attributeValue,
     authenticateOnUnsubscribe,
     endpoint,
+    message,
+    messageStructure,
     nextToken,
     protocol,
+    subject,
     subscriptionARN,
     topicARN,
     topicName,
 )
-from localstack.services.sns import constants as sns_constants
+from localstack.constants import AWS_REGION_US_EAST_1, DEFAULT_AWS_ACCOUNT_ID
+from localstack.http import Response
+from localstack.services.edge import ROUTER
+from localstack.services.plugins import ServiceLifecycleHook
+from localstack.services.sns.analytics import internal_api_calls
 from localstack.services.sns.certificate import SNS_SERVER_CERT
 from localstack.services.sns.constants import (
+    ATTR_TYPE_REGEX,
     DUMMY_SUBSCRIPTION_PRINCIPAL,
+    MAXIMUM_MESSAGE_LENGTH,
+    MSG_ATTR_NAME_REGEX,
+    PLATFORM_ENDPOINT_MSGS_ENDPOINT,
+    SMS_MSGS_ENDPOINT,
+    SNS_CERT_ENDPOINT,
+    SNS_PROTOCOLS,
+    SUBSCRIPTION_TOKENS_ENDPOINT,
     VALID_APPLICATION_PLATFORMS,
+    VALID_MSG_ATTR_NAME_CHARS,
+    VALID_SUBSCRIPTION_ATTR_NAME,
 )
 from localstack.services.sns.filter import FilterPolicyValidator
-from localstack.services.sns.publisher import PublishDispatcher, SnsPublishContext
+from localstack.services.sns.publisher import (
+    PublishDispatcher,
+    SnsBatchPublishContext,
+    SnsPublishContext,
+)
 from localstack.services.sns.v2.models import (
     SMS_ATTRIBUTE_NAMES,
     SMS_DEFAULT_SENDER_REGEX,
@@ -79,18 +112,22 @@ from localstack.services.sns.v2.utils import (
     encode_subscription_token_with_region,
     get_next_page_token_from_arn,
     get_region_from_subscription_token,
+    get_topic_subscriptions,
     is_valid_e164_number,
     parse_and_validate_platform_application_arn,
     parse_and_validate_topic_arn,
     validate_subscription_attribute,
 )
 from localstack.utils.aws.arns import (
+    extract_account_id_from_arn,
+    extract_region_from_arn,
     get_partition,
     parse_arn,
     sns_platform_application_arn,
     sns_topic_arn,
 )
 from localstack.utils.collections import PaginatedList, select_from_typed_dict
+from localstack.utils.strings import to_bytes
 
 # set up logger
 LOG = logging.getLogger(__name__)
@@ -99,12 +136,27 @@ SNS_TOPIC_NAME_PATTERN_FIFO = r"^[a-zA-Z0-9_-]{1,256}\.fifo$"
 SNS_TOPIC_NAME_PATTERN = r"^[a-zA-Z0-9_-]{1,256}$"
 
 
-class SnsProvider(SnsApi):
+class SnsProvider(SnsApi, ServiceLifecycleHook):
     def __init__(self) -> None:
         super().__init__()
         self._publisher = PublishDispatcher()
         self._signature_cert_pem: str = SNS_SERVER_CERT
 
+    def on_before_stop(self):
+        self._publisher.shutdown()
+
+    def on_after_init(self):
+        # Allow sent platform endpoint messages to be retrieved from the SNS endpoint
+        register_sns_api_resource(ROUTER)
+        # add the route to serve the certificate used to validate message signatures
+        ROUTER.add(self.get_signature_cert_pem_file)
+
+    @route(SNS_CERT_ENDPOINT, methods=["GET"])
+    def get_signature_cert_pem_file(self, request: Request):
+        # see http://sns-public-resources.s3.amazonaws.com/SNS_Message_Signing_Release_Note_Jan_25_2011.pdf
+        # see https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html
+        return Response(self._signature_cert_pem, 200)
+
     ## Topic Operations
 
     def create_topic(
@@ -135,7 +187,6 @@ class SnsProvider(SnsApi):
                 )
             return CreateTopicResponse(TopicArn=topic_arn)
 
-        attributes = attributes or {}
         if attributes.get("FifoTopic") and attributes["FifoTopic"].lower() == "true":
             fifo_match = re.match(SNS_TOPIC_NAME_PATTERN_FIFO, name)
             if not fifo_match:
@@ -219,14 +270,12 @@ class SnsProvider(SnsApi):
 
         store = self.get_store(account_id=parsed_topic_arn["account"], region=context.region)
 
-        if topic_arn not in store.topics:
-            raise NotFoundException("Topic does not exist")
-
-        topic_subscriptions = store.topics[topic_arn]["subscriptions"]
+        topic = self._get_topic(arn=topic_arn, context=context)
+        topic_subscriptions = topic["subscriptions"]
         if not endpoint:
             # TODO: check AWS behaviour (because endpoint is optional)
             raise NotFoundException("Endpoint not specified in subscription")
-        if protocol not in sns_constants.SNS_PROTOCOLS:
+        if protocol not in SNS_PROTOCOLS:
             raise InvalidParameterException(
                 f"Invalid parameter: Amazon SNS does not support this protocol string: {protocol}"
             )
@@ -276,7 +325,7 @@ class SnsProvider(SnsApi):
             if sub.get("Endpoint") == endpoint:
                 if sub_attributes:
                     # validate the subscription attributes aren't different
-                    for attr in sns_constants.VALID_SUBSCRIPTION_ATTR_NAME:
+                    for attr in VALID_SUBSCRIPTION_ATTR_NAME:
                         # if a new attribute is present and different from an existent one, raise
                         if (new_attr := sub_attributes.get(attr)) and sub.get(attr) != new_attr:
                             raise InvalidParameterException(
@@ -338,8 +387,7 @@ class SnsProvider(SnsApi):
                 message=message_ctx,
                 store=store,
                 request_headers=context.request.headers,
-                # TODO: add topic attributes once they are ported from moto to LocalStack
-                # topic_attributes=vars(self._get_topic(topic_arn, context)),
+                topic_attributes=topic["attributes"],
             )
             self._publisher.publish_to_topic_subscriber(
                 ctx=publish_ctx,
@@ -539,11 +587,10 @@ class SnsProvider(SnsApi):
     def list_subscriptions_by_topic(
         self, context: RequestContext, topic_arn: topicARN, next_token: nextToken = None, **kwargs
     ) -> ListSubscriptionsByTopicResponse:
-        topic: Topic = self._get_topic(topic_arn, context)
+        self._get_topic(topic_arn, context)  # for validation purposes only
         parsed_topic_arn = parse_and_validate_topic_arn(topic_arn)
         store = self.get_store(parsed_topic_arn["account"], parsed_topic_arn["region"])
-        sub_arns: list[str] = topic.get("subscriptions", [])
-        subscriptions = [store.subscriptions[k] for k in sub_arns if k in store.subscriptions]
+        subscriptions = get_topic_subscriptions(store, topic_arn)
 
         paginated_subscriptions = PaginatedList(subscriptions)
         page, next_token = paginated_subscriptions.get_page(
@@ -557,6 +604,238 @@ class SnsProvider(SnsApi):
             response["NextToken"] = next_token
         return response
 
+    #
+    # Publish
+    #
+
+    def publish(
+        self,
+        context: RequestContext,
+        message: message,
+        topic_arn: topicARN | None = None,
+        target_arn: String | None = None,
+        phone_number: PhoneNumber | None = None,
+        subject: subject | None = None,
+        message_structure: messageStructure | None = None,
+        message_attributes: MessageAttributeMap | None = None,
+        message_deduplication_id: String | None = None,
+        message_group_id: String | None = None,
+        **kwargs,
+    ) -> PublishResponse:
+        if subject == "":
+            raise InvalidParameterException("Invalid parameter: Subject")
+        if not message or all(not m for m in message):
+            raise InvalidParameterException("Invalid parameter: Empty message")
+
+        # TODO: check for topic + target + phone number at the same time?
+        # TODO: more validation on phone, it might be opted out?
+        if phone_number and not is_valid_e164_number(phone_number):
+            raise InvalidParameterException(
+                f"Invalid parameter: PhoneNumber Reason: {phone_number} is not valid to publish to"
+            )
+
+        if message_attributes:
+            _validate_message_attributes(message_attributes)
+
+        if _get_total_publish_size(message, message_attributes) > MAXIMUM_MESSAGE_LENGTH:
+            raise InvalidParameterException("Invalid parameter: Message too long")
+
+        # for compatibility reasons, AWS allows users to use either TargetArn or TopicArn for publishing to a topic
+        # use any of them for topic validation
+        topic_or_target_arn = topic_arn or target_arn
+        topic = None
+
+        if is_fifo := (topic_or_target_arn and ".fifo" in topic_or_target_arn):
+            if not message_group_id:
+                raise InvalidParameterException(
+                    "Invalid parameter: The MessageGroupId parameter is required for FIFO topics",
+                )
+            topic = self._get_topic(topic_or_target_arn, context)
+            if topic["attributes"]["ContentBasedDeduplication"] == "false":
+                if not message_deduplication_id:
+                    raise InvalidParameterException(
+                        "Invalid parameter: The topic should either have ContentBasedDeduplication enabled or MessageDeduplicationId provided explicitly",
+                    )
+        elif message_deduplication_id:
+            # this is the first one to raise if both are set while the topic is not fifo
+            raise InvalidParameterException(
+                "Invalid parameter: MessageDeduplicationId Reason: The request includes MessageDeduplicationId parameter that is not valid for this topic type"
+            )
+
+        is_endpoint_publish = target_arn and ":endpoint/" in target_arn
+        if message_structure == "json":
+            try:
+                message = json.loads(message)
+                # Keys in the JSON object that correspond to supported transport protocols must have
+                # simple JSON string values.
+                # Non-string values will cause the key to be ignored.
+                message = {key: field for key, field in message.items() if isinstance(field, str)}
+                # TODO: check no default key for direct TargetArn endpoint publish, need credentials
+                # see example: https://docs.aws.amazon.com/sns/latest/dg/sns-send-custom-platform-specific-payloads-mobile-devices.html
+                if "default" not in message and not is_endpoint_publish:
+                    raise InvalidParameterException(
+                        "Invalid parameter: Message Structure - No default entry in JSON message body"
+                    )
+            except json.JSONDecodeError:
+                raise InvalidParameterException(
+                    "Invalid parameter: Message Structure - JSON message body failed to parse"
+                )
+
+        if not phone_number:
+            # use the account to get the store from the TopicArn (you can only publish in the same region as the topic)
+            parsed_arn = parse_and_validate_topic_arn(topic_or_target_arn)
+            store = self.get_store(account_id=parsed_arn["account"], region=context.region)
+            if is_endpoint_publish:
+                if not (platform_endpoint := store.platform_endpoints.get(target_arn)):
+                    raise InvalidParameterException(
+                        "Invalid parameter: TargetArn Reason: No endpoint found for the target arn specified"
+                    )
+                elif (
+                    not platform_endpoint.platform_endpoint["Attributes"]
+                    .get("Enabled", "false")
+                    .lower()
+                    == "true"
+                ):
+                    raise EndpointDisabledException("Endpoint is disabled")
+            else:
+                topic = self._get_topic(topic_or_target_arn, context)
+        else:
+            # use the store from the request context
+            store = self.get_store(account_id=context.account_id, region=context.region)
+
+        message_ctx = SnsMessage(
+            type=SnsMessageType.Notification,
+            message=message,
+            message_attributes=message_attributes,
+            message_deduplication_id=message_deduplication_id,
+            message_group_id=message_group_id,
+            message_structure=message_structure,
+            subject=subject,
+            is_fifo=is_fifo,
+        )
+        publish_ctx = SnsPublishContext(
+            message=message_ctx, store=store, request_headers=context.request.headers
+        )
+
+        if is_endpoint_publish:
+            self._publisher.publish_to_application_endpoint(
+                ctx=publish_ctx, endpoint_arn=target_arn
+            )
+        elif phone_number:
+            self._publisher.publish_to_phone_number(ctx=publish_ctx, phone_number=phone_number)
+        else:
+            # beware if the subscription is FIFO, the order might not be guaranteed.
+            # 2 quick call to this method in succession might not be executed in order in the executor?
+            # TODO: test how this behaves in a FIFO context with a lot of threads.
+            publish_ctx.topic_attributes |= topic["attributes"]
+            self._publisher.publish_to_topic(publish_ctx, topic_or_target_arn)
+
+        if is_fifo:
+            return PublishResponse(
+                MessageId=message_ctx.message_id, SequenceNumber=message_ctx.sequencer_number
+            )
+
+        return PublishResponse(MessageId=message_ctx.message_id)
+
+    def publish_batch(
+        self,
+        context: RequestContext,
+        topic_arn: topicARN,
+        publish_batch_request_entries: PublishBatchRequestEntryList,
+        **kwargs,
+    ) -> PublishBatchResponse:
+        if len(publish_batch_request_entries) > 10:
+            raise TooManyEntriesInBatchRequestException(
+                "The batch request contains more entries than permissible."
+            )
+
+        parsed_arn = parse_and_validate_topic_arn(topic_arn)
+        store = self.get_store(account_id=parsed_arn["account"], region=context.region)
+        topic = self._get_topic(topic_arn, context)
+        ids = [entry["Id"] for entry in publish_batch_request_entries]
+        if len(set(ids)) != len(publish_batch_request_entries):
+            raise BatchEntryIdsNotDistinctException(
+                "Two or more batch entries in the request have the same Id."
+            )
+
+        response: PublishBatchResponse = {"Successful": [], "Failed": []}
+
+        # TODO: write AWS validated tests with FilterPolicy and batching
+        # TODO: find a scenario where we can fail to send a message synchronously to be able to report it
+        # right now, it seems that AWS fails the whole publish if something is wrong in the format of 1 message
+
+        total_batch_size = 0
+        message_contexts = []
+        for entry_index, entry in enumerate(publish_batch_request_entries, start=1):
+            message_payload = entry.get("Message")
+            message_attributes = entry.get("MessageAttributes", {})
+            if message_attributes:
+                # if a message contains non-valid message attributes, it
+                # will fail for the first non-valid message encountered, and raise ParameterValueInvalid
+                _validate_message_attributes(message_attributes, position=entry_index)
+
+            total_batch_size += _get_total_publish_size(message_payload, message_attributes)
+
+            # TODO: WRITE AWS VALIDATED
+            if entry.get("MessageStructure") == "json":
+                try:
+                    message = json.loads(message_payload)
+                    # Keys in the JSON object that correspond to supported transport protocols must have
+                    # simple JSON string values.
+                    # Non-string values will cause the key to be ignored.
+                    message = {
+                        key: field for key, field in message.items() if isinstance(field, str)
+                    }
+                    if "default" not in message:
+                        raise InvalidParameterException(
+                            "Invalid parameter: Message Structure - No default entry in JSON message body"
+                        )
+                    entry["Message"] = message  # noqa
+                except json.JSONDecodeError:
+                    raise InvalidParameterException(
+                        "Invalid parameter: Message Structure - JSON message body failed to parse"
+                    )
+
+            if is_fifo := (topic_arn.endswith(".fifo")):
+                if not all("MessageGroupId" in entry for entry in publish_batch_request_entries):
+                    raise InvalidParameterException(
+                        "Invalid parameter: The MessageGroupId parameter is required for FIFO topics"
+                    )
+                if topic["attributes"]["ContentBasedDeduplication"] == "false":
+                    if not all(
+                        "MessageDeduplicationId" in entry for entry in publish_batch_request_entries
+                    ):
+                        raise InvalidParameterException(
+                            "Invalid parameter: The topic should either have ContentBasedDeduplication enabled or MessageDeduplicationId provided explicitly",
+                        )
+
+            msg_ctx = SnsMessage.from_batch_entry(entry, is_fifo=is_fifo)
+            message_contexts.append(msg_ctx)
+            success = PublishBatchResultEntry(
+                Id=entry["Id"],
+                MessageId=msg_ctx.message_id,
+            )
+            if is_fifo:
+                success["SequenceNumber"] = msg_ctx.sequencer_number
+            response["Successful"].append(success)
+
+        if total_batch_size > MAXIMUM_MESSAGE_LENGTH:
+            raise CommonServiceException(
+                code="BatchRequestTooLong",
+                message="The length of all the messages put together is more than the limit.",
+                sender_fault=True,
+            )
+
+        publish_ctx = SnsBatchPublishContext(
+            messages=message_contexts,
+            store=store,
+            request_headers=context.request.headers,
+            topic_attributes=topic["attributes"],
+        )
+        self._publisher.publish_batch_to_topic(publish_ctx, topic_arn)
+
+        return response
+
     #
     # PlatformApplications
     #
@@ -826,16 +1105,15 @@ class SnsProvider(SnsApi):
     def get_store(account_id: str, region: str) -> SnsStore:
         return sns_stores[account_id][region]
 
-    # TODO: reintroduce multi-region parameter (latest before final migration from v1)
     @staticmethod
-    def _get_topic(arn: str, context: RequestContext) -> Topic:
+    def _get_topic(arn: str, context: RequestContext, multi_region: bool = False) -> Topic:
         """
         :param arn: the Topic ARN
         :param context: the RequestContext of the request
         :return: the model Topic
         """
         arn_data = parse_and_validate_topic_arn(arn)
-        if context.region != arn_data["region"]:
+        if not multi_region and context.region != arn_data["region"]:
             raise InvalidParameterException("Invalid parameter: TopicArn")
         try:
             store = SnsProvider.get_store(context.account_id, context.region)
@@ -887,7 +1165,6 @@ def _default_attributes(topic: Topic, context: RequestContext) -> TopicAttribute
             {
                 "ContentBasedDeduplication": "false",
                 "FifoTopic": "false",
-                "SignatureVersion": "2",
             }
         )
     return default_attributes
@@ -921,6 +1198,94 @@ def _create_default_topic_policy(topic: Topic, context: RequestContext) -> str:
     )
 
 
+def _validate_message_attributes(
+    message_attributes: MessageAttributeMap, position: int | None = None
+) -> None:
+    """
+    Validate the message attributes, and raises an exception if those do not follow AWS validation
+    See: https://docs.aws.amazon.com/sns/latest/dg/sns-message-attributes.html
+    Regex from: https://stackoverflow.com/questions/40718851/regex-that-does-not-allow-consecutive-dots
+    :param message_attributes: the message attributes map for the message
+    :param position: given to give the Batch Entry position if coming from `publishBatch`
+    :raises: InvalidParameterValueException
+    :return: None
+    """
+    for attr_name, attr in message_attributes.items():
+        if len(attr_name) > 256:
+            raise InvalidParameterValueException(
+                "Length of message attribute name must be less than 256 bytes."
+            )
+        _validate_message_attribute_name(attr_name)
+        # `DataType` is a required field for MessageAttributeValue
+        if (data_type := attr.get("DataType")) is None:
+            if position:
+                at = f"publishBatchRequestEntries.{position}.member.messageAttributes.{attr_name}.member.dataType"
+            else:
+                at = f"messageAttributes.{attr_name}.member.dataType"
+
+            raise CommonServiceException(
+                code="ValidationError",
+                message=f"1 validation error detected: Value null at '{at}' failed to satisfy constraint: Member must not be null",
+                sender_fault=True,
+            )
+
+        if data_type not in (
+            "String",
+            "Number",
+            "Binary",
+        ) and not ATTR_TYPE_REGEX.match(data_type):
+            raise InvalidParameterValueException(
+                f"The message attribute '{attr_name}' has an invalid message attribute type, the set of supported type prefixes is Binary, Number, and String."
+            )
+        if not any(attr_value.endswith("Value") for attr_value in attr):
+            raise InvalidParameterValueException(
+                f"The message attribute '{attr_name}' must contain non-empty message attribute value for message attribute type '{data_type}'."
+            )
+
+        value_key_data_type = "Binary" if data_type.startswith("Binary") else "String"
+        value_key = f"{value_key_data_type}Value"
+        if value_key not in attr:
+            raise InvalidParameterValueException(
+                f"The message attribute '{attr_name}' with type '{data_type}' must use field '{value_key_data_type}'."
+            )
+        elif not attr[value_key]:
+            raise InvalidParameterValueException(
+                f"The message attribute '{attr_name}' must contain non-empty message attribute value for message attribute type '{data_type}'.",
+            )
+
+
+def _validate_message_attribute_name(name: str) -> None:
+    """
+    Validate the message attribute name with the specification of AWS.
+    The message attribute name can contain the following characters: A-Z, a-z, 0-9, underscore(_), hyphen(-), and period (.). The name must not start or end with a period, and it should not have successive periods.
+    :param name: message attribute name
+    :raises InvalidParameterValueException: if the name does not conform to the spec
+    """
+    if not MSG_ATTR_NAME_REGEX.match(name):
+        # find the proper exception
+        if name[0] == ".":
+            raise InvalidParameterValueException(
+                "Invalid message attribute name starting with character '.' was found."
+            )
+        elif name[-1] == ".":
+            raise InvalidParameterValueException(
+                "Invalid message attribute name ending with character '.' was found."
+            )
+
+        for idx, char in enumerate(name):
+            if char not in VALID_MSG_ATTR_NAME_CHARS:
+                # change prefix from 0x to #x, without capitalizing the x
+                hex_char = "#x" + hex(ord(char)).upper()[2:]
+                raise InvalidParameterValueException(
+                    f"Invalid non-alphanumeric character '{hex_char}' was found in the message attribute name. Can only include alphanumeric characters, hyphens, underscores, or dots."
+                )
+            # even if we go negative index, it will be covered by starting/ending with dot
+            if char == "." and name[idx - 1] == ".":
+                raise InvalidParameterValueException(
+                    "Message attribute name can not have successive '.' character."
+                )
+
+
 def _validate_platform_application_name(name: str) -> None:
     reason = ""
     if not name:
@@ -997,3 +1362,269 @@ def _check_matching_tags(topic_arn: str, tags: TagList | None, store: SnsStore)
             if existing_tags is not None and tag not in existing_tags:
                 return False
     return True
+
+
+def _get_total_publish_size(
+    message_body: str, message_attributes: MessageAttributeMap | None
+) -> int:
+    size = _get_byte_size(message_body)
+    if message_attributes:
+        # https://docs.aws.amazon.com/sns/latest/dg/sns-message-attributes.html
+        # All parts of the message attribute, including name, type, and value, are included in the message size
+        # restriction, which is 256 KB.
+        # iterate over the Keys and Attributes, adding the length of the Key to the length of all Attributes values
+        # (DataType and StringValue or BinaryValue)
+        size += sum(
+            _get_byte_size(key) + sum(_get_byte_size(attr_value) for attr_value in attr.values())
+            for key, attr in message_attributes.items()
+        )
+
+    return size
+
+
+def _get_byte_size(payload: str | bytes) -> int:
+    # Calculate the real length of the byte object if the object is a string
+    return len(to_bytes(payload))
+
+
+def _register_sns_api_resource(router: Router):
+    """Register the retrospection endpoints as internal LocalStack endpoints."""
+    router.add(SNSServicePlatformEndpointMessagesApiResource())
+    router.add(SNSServiceSMSMessagesApiResource())
+    router.add(SNSServiceSubscriptionTokenApiResource())
+
+
+class SNSInternalResource:
+    resource_type: str
+    """Base class with helper to properly track usage of internal endpoints"""
+
+    def count_usage(self):
+        internal_api_calls.labels(resource_type=self.resource_type).increment()
+
+
+def count_usage(f):
+    @functools.wraps(f)
+    def _wrapper(self, *args, **kwargs):
+        self.count_usage()
+        return f(self, *args, **kwargs)
+
+    return _wrapper
+
+
+class SNSServicePlatformEndpointMessagesApiResource(SNSInternalResource):
+    resource_type = "platform-endpoint-message"
+    """Provides a REST API for retrospective access to platform endpoint messages sent via SNS.
+
+    This is registered as a LocalStack internal HTTP resource.
+
+    This endpoint accepts:
+    - GET param `accountId`: selector for AWS account. If not specified, return fallback `000000000000` test ID
+    - GET param `region`: selector for AWS `region`. If not specified, return default "us-east-1"
+    - GET param `endpointArn`: filter for `endpointArn` resource in SNS
+    - DELETE param `accountId`: selector for AWS account
+    - DELETE param `region`: will delete saved messages for `region`
+    - DELETE param `endpointArn`: will delete saved messages for `endpointArn`
+    """
+
+    _PAYLOAD_FIELDS = [
+        "TargetArn",
+        "TopicArn",
+        "Message",
+        "MessageAttributes",
+        "MessageStructure",
+        "Subject",
+        "MessageId",
+    ]
+
+    @route(PLATFORM_ENDPOINT_MSGS_ENDPOINT, methods=["GET"])
+    @count_usage
+    def on_get(self, request: Request):
+        filter_endpoint_arn = request.args.get("endpointArn")
+        account_id = (
+            request.args.get("accountId", DEFAULT_AWS_ACCOUNT_ID)
+            if not filter_endpoint_arn
+            else extract_account_id_from_arn(filter_endpoint_arn)
+        )
+        region = (
+            request.args.get("region", AWS_REGION_US_EAST_1)
+            if not filter_endpoint_arn
+            else extract_region_from_arn(filter_endpoint_arn)
+        )
+        store: SnsStore = sns_stores[account_id][region]
+        if filter_endpoint_arn:
+            messages = store.platform_endpoint_messages.get(filter_endpoint_arn, [])
+            messages = _format_messages(messages, self._PAYLOAD_FIELDS)
+            return {
+                "platform_endpoint_messages": {filter_endpoint_arn: messages},
+                "region": region,
+            }
+
+        platform_endpoint_messages = {
+            endpoint_arn: _format_messages(messages, self._PAYLOAD_FIELDS)
+            for endpoint_arn, messages in store.platform_endpoint_messages.items()
+        }
+        return {
+            "platform_endpoint_messages": platform_endpoint_messages,
+            "region": region,
+        }
+
+    @route(PLATFORM_ENDPOINT_MSGS_ENDPOINT, methods=["DELETE"])
+    @count_usage
+    def on_delete(self, request: Request) -> Response:
+        filter_endpoint_arn = request.args.get("endpointArn")
+        account_id = (
+            request.args.get("accountId", DEFAULT_AWS_ACCOUNT_ID)
+            if not filter_endpoint_arn
+            else extract_account_id_from_arn(filter_endpoint_arn)
+        )
+        region = (
+            request.args.get("region", AWS_REGION_US_EAST_1)
+            if not filter_endpoint_arn
+            else extract_region_from_arn(filter_endpoint_arn)
+        )
+        store: SnsStore = sns_stores[account_id][region]
+        if filter_endpoint_arn:
+            store.platform_endpoint_messages.pop(filter_endpoint_arn, None)
+            return Response("", status=204)
+
+        store.platform_endpoint_messages.clear()
+        return Response("", status=204)
+
+
+def register_sns_api_resource(router: Router):
+    """Register the retrospection endpoints as internal LocalStack endpoints."""
+    router.add(SNSServicePlatformEndpointMessagesApiResource())
+    router.add(SNSServiceSMSMessagesApiResource())
+    router.add(SNSServiceSubscriptionTokenApiResource())
+
+
+def _format_messages(sent_messages: list[dict[str, str]], validated_keys: list[str]):
+    """
+    This method format the messages to be more readable and undo the format change that was needed for Moto
+    Should be removed once we refactor SNS.
+    """
+    formatted_messages = []
+    for sent_message in sent_messages:
+        msg = {
+            key: json.dumps(value)
+            if key == "Message" and sent_message.get("MessageStructure") == "json"
+            else value
+            for key, value in sent_message.items()
+            if key in validated_keys
+        }
+        formatted_messages.append(msg)
+
+    return formatted_messages
+
+
+class SNSServiceSMSMessagesApiResource(SNSInternalResource):
+    resource_type = "sms-message"
+    """Provides a REST API for retrospective access to SMS messages sent via SNS.
+
+    This is registered as a LocalStack internal HTTP resource.
+
+    This endpoint accepts:
+    - GET param `accountId`: selector for AWS account. If not specified, return fallback `000000000000` test ID
+    - GET param `region`: selector for AWS `region`. If not specified, return default "us-east-1"
+    - GET param `phoneNumber`: filter for `phoneNumber` resource in SNS
+    """
+
+    _PAYLOAD_FIELDS = [
+        "PhoneNumber",
+        "TopicArn",
+        "SubscriptionArn",
+        "MessageId",
+        "Message",
+        "MessageAttributes",
+        "MessageStructure",
+        "Subject",
+    ]
+
+    @route(SMS_MSGS_ENDPOINT, methods=["GET"])
+    @count_usage
+    def on_get(self, request: Request):
+        account_id = request.args.get("accountId", DEFAULT_AWS_ACCOUNT_ID)
+        region = request.args.get("region", AWS_REGION_US_EAST_1)
+        filter_phone_number = request.args.get("phoneNumber")
+        store: SnsStore = sns_stores[account_id][region]
+        if filter_phone_number:
+            messages = [
+                m for m in store.sms_messages if m.get("PhoneNumber") == filter_phone_number
+            ]
+            messages = _format_messages(messages, self._PAYLOAD_FIELDS)
+            return {
+                "sms_messages": {filter_phone_number: messages},
+                "region": region,
+            }
+
+        sms_messages = {}
+
+        for m in _format_messages(store.sms_messages, self._PAYLOAD_FIELDS):
+            sms_messages.setdefault(m.get("PhoneNumber"), []).append(m)
+
+        return {
+            "sms_messages": sms_messages,
+            "region": region,
+        }
+
+    @route(SMS_MSGS_ENDPOINT, methods=["DELETE"])
+    @count_usage
+    def on_delete(self, request: Request) -> Response:
+        account_id = request.args.get("accountId", DEFAULT_AWS_ACCOUNT_ID)
+        region = request.args.get("region", AWS_REGION_US_EAST_1)
+        filter_phone_number = request.args.get("phoneNumber")
+        store: SnsStore = sns_stores[account_id][region]
+        if filter_phone_number:
+            store.sms_messages = [
+                m for m in store.sms_messages if m.get("PhoneNumber") != filter_phone_number
+            ]
+            return Response("", status=204)
+
+        store.sms_messages.clear()
+        return Response("", status=204)
+
+
+class SNSServiceSubscriptionTokenApiResource(SNSInternalResource):
+    resource_type = "subscription-token"
+    """Provides a REST API for retrospective access to Subscription Confirmation Tokens to confirm subscriptions.
+    Those are not sent for email, and sometimes inaccessible when working with external HTTPS endpoint which won't be
+    able to reach your local host.
+
+    This is registered as a LocalStack internal HTTP resource.
+
+    This endpoint has the following parameter:
+    - GET `subscription_arn`: `subscriptionArn`resource in SNS for which you want the SubscriptionToken
+    """
+
+    @route(f"{SUBSCRIPTION_TOKENS_ENDPOINT}/<path:subscription_arn>", methods=["GET"])
+    @count_usage
+    def on_get(self, _request: Request, subscription_arn: str):
+        try:
+            parsed_arn = parse_arn(subscription_arn)
+        except InvalidArnException:
+            response = Response("", 400)
+            response.set_json(
+                {
+                    "error": "The provided SubscriptionARN is invalid",
+                    "subscription_arn": subscription_arn,
+                }
+            )
+            return response
+
+        store: SnsStore = sns_stores[parsed_arn["account"]][parsed_arn["region"]]
+
+        for token, sub_arn in store.subscription_tokens.items():
+            if sub_arn == subscription_arn:
+                return {
+                    "subscription_token": token,
+                    "subscription_arn": subscription_arn,
+                }
+
+        response = Response("", 404)
+        response.set_json(
+            {
+                "error": "The provided SubscriptionARN is not found",
+                "subscription_arn": subscription_arn,
+            }
+        )
+        return response