localstack-core 4.10.1.dev7__py3-none-any.whl → 4.10.1.dev42__py3-none-any.whl

localstack/services/kms/provider.py

@@ -4,10 +4,13 @@ import datetime
 import logging
 import os
 
+from cbor2 import loads as cbor2_loads
 from cryptography.exceptions import InvalidTag
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, keywrap
 from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+from cryptography.hazmat.primitives.serialization import load_der_public_key
 
 from localstack.aws.api import CommonServiceException, RequestContext, handler
 from localstack.aws.api.kms import (
@@ -138,6 +141,7 @@ from localstack.services.plugins import ServiceLifecycleHook
 from localstack.utils.aws.arns import get_partition, kms_alias_arn, parse_arn
 from localstack.utils.collections import PaginatedList
 from localstack.utils.common import select_attributes
+from localstack.utils.crypto import pkcs7_envelope_encrypt
 from localstack.utils.strings import short_uid, to_bytes, to_str
 
 LOG = logging.getLogger(__name__)
@@ -518,7 +522,12 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
 
         self.update_primary_key_with_replica_keys(primary_key, replica_key, replica_region)
 
-        return ReplicateKeyResponse(ReplicaKeyMetadata=replica_key.metadata)
+        # CurrentKeyMaterialId is not returned in the ReplicaKeyMetadata. May be due to not being evaluated until
+        # the key has been successfully replicated as it does not show up in DescribeKey immediately either.
+        replica_key_metadata_response = copy.deepcopy(replica_key.metadata)
+        replica_key_metadata_response.pop("CurrentKeyMaterialId", None)
+
+        return ReplicateKeyResponse(ReplicaKeyMetadata=replica_key_metadata_response)
 
     @staticmethod
     # Adds new multi region replica key to the primary key's metadata.
@@ -1075,6 +1084,25 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         self._validate_key_for_encryption_decryption(context, key)
         self._validate_key_state_not_pending_import(key)
 
+        # Handle the recipient field.  This is used by AWS Nitro to re-encrypt the plaintext to the key specified
+        # by the enclave.  Proper support for this will take significant work to figure out how to model enforcing
+        # the attestation measurements; for now, if recipient is specified and has an attestation doc in it including
+        # a public key where it's expected to be, we encrypt to that public key.  This at least allows users to use
+        # localstack as a drop-in replacement for AWS when testing without having to skip the secondary decryption
+        # when using localstack.
+        recipient_pubkey = None
+        if recipient:
+            attestation_document = recipient["AttestationDocument"]
+            # We do all of this in a try/catch and warn if it fails so that if users are currently passing a nonsense
+            # value we don't break it for them.  In the future we could do a breaking change to require a valid attestation
+            # (or at least one that contains the public key).
+            try:
+                recipient_pubkey = self._extract_attestation_pubkey(attestation_document)
+            except Exception as e:
+                logging.warning(
+                    "Unable to extract public key from non-empty attestation document: %s", e
+                )
+
         try:
             # TODO: Extend the implementation to handle additional encryption/decryption scenarios
             # beyond the current support for offline encryption and online decryption using RSA keys if key id exists in
@@ -1088,20 +1116,27 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
                 plaintext = key.decrypt(ciphertext, encryption_context)
         except InvalidTag:
             raise InvalidCiphertextException()
+
         # For compatibility, we return EncryptionAlgorithm values expected from AWS. But LocalStack currently always
         # encrypts with symmetric encryption no matter the key settings.
         #
         # We return a key ARN instead of KeyId despite the name of the parameter, as this is what AWS does and states
         # in its docs.
-        # TODO add support for "recipient"
         #  https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html#API_Decrypt_RequestSyntax
         # TODO add support for "dry_run"
-        return DecryptResponse(
+        response = DecryptResponse(
             KeyId=key.metadata.get("Arn"),
-            Plaintext=plaintext,
             EncryptionAlgorithm=encryption_algorithm,
         )
 
+        # Encrypt to the recipient pubkey if specified.  Otherwise, return the actual plaintext
+        if recipient_pubkey:
+            response["CiphertextForRecipient"] = pkcs7_envelope_encrypt(plaintext, recipient_pubkey)
+        else:
+            response["Plaintext"] = plaintext
+
+        return response
+
     def get_parameters_for_import(
         self,
         context: RequestContext,
@@ -1176,13 +1211,10 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         # TODO check if there was already a key imported for this kms key
         # if so, it has to be identical. We cannot change keys by reimporting after deletion/expiry
         key_material = self._decrypt_wrapped_key_material(import_state, encrypted_key_material)
-
-        if expiration_model:
-            key_to_import_material_to.metadata["ExpirationModel"] = expiration_model
-        else:
-            key_to_import_material_to.metadata["ExpirationModel"] = (
-                ExpirationModelType.KEY_MATERIAL_EXPIRES
-            )
+        key_material_id = key_to_import_material_to.generate_key_material_id(key_material)
+        key_to_import_material_to.metadata["ExpirationModel"] = (
+            expiration_model or ExpirationModelType.KEY_MATERIAL_EXPIRES
+        )
         if (
             key_to_import_material_to.metadata["ExpirationModel"]
             == ExpirationModelType.KEY_MATERIAL_EXPIRES
@@ -1191,12 +1223,42 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
             raise ValidationException(
                 "A validTo date must be set if the ExpirationModel is KEY_MATERIAL_EXPIRES"
             )
+        if existing_pending_material := key_to_import_material_to.crypto_key.pending_key_material:
+            pending_key_material_id = key_to_import_material_to.generate_key_material_id(
+                existing_pending_material
+            )
+            raise KMSInvalidStateException(
+                f"New key material (id: {key_material_id}) cannot be imported into KMS key "
+                f"{key_to_import_material_to.metadata['Arn']}, because another key material "
+                f"(id: {pending_key_material_id}) is pending rotation."
+            )
+
         # TODO actually set validTo and make the key expire
         key_to_import_material_to.metadata["Enabled"] = True
         key_to_import_material_to.metadata["KeyState"] = KeyState.Enabled
         key_to_import_material_to.crypto_key.load_key_material(key_material)
 
-        return ImportKeyMaterialResponse()
+        # KeyMaterialId / CurrentKeyMaterialId is only exposed for symmetric encryption keys.
+        key_material_id_response = None
+        if key_to_import_material_to.metadata["KeySpec"] == KeySpec.SYMMETRIC_DEFAULT:
+            key_material_id_response = key_to_import_material_to.generate_key_material_id(
+                key_material
+            )
+
+            # If there is no CurrentKeyMaterialId, instantly promote the pending key material to the current.
+            if key_to_import_material_to.metadata.get("CurrentKeyMaterialId") is None:
+                key_to_import_material_to.metadata["CurrentKeyMaterialId"] = (
+                    key_material_id_response
+                )
+                key_to_import_material_to.crypto_key.key_material = (
+                    key_to_import_material_to.crypto_key.pending_key_material
+                )
+                key_to_import_material_to.crypto_key.pending_key_material = None
+
+        return ImportKeyMaterialResponse(
+            KeyId=key_to_import_material_to.metadata["Arn"],
+            KeyMaterialId=key_material_id_response,
+        )
 
     def delete_imported_key_material(
         self,
@@ -1323,7 +1385,7 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         key = self._get_kms_key(account_id, region_name, key_id, any_key_state_allowed=True)
 
         response = GetKeyRotationStatusResponse(
-            KeyId=key_id,
+            KeyId=key.metadata["Arn"],
             KeyRotationEnabled=key.is_key_rotation_enabled,
             NextRotationDate=key.next_rotation_date,
         )
@@ -1415,13 +1477,13 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
 
         if key.metadata["KeySpec"] != KeySpec.SYMMETRIC_DEFAULT:
             raise UnsupportedOperationException()
-        if key.metadata["Origin"] == OriginType.EXTERNAL:
-            raise NotImplementedError("Rotation of imported keys is not supported yet.")
+        self._validate_key_state_not_pending_import(key)
+        self._validate_external_key_has_pending_material(key)
 
         key.rotate_key_on_demand()
 
         return RotateKeyOnDemandResponse(
-            KeyId=key_id,
+            KeyId=key.metadata["Arn"],
         )
 
     @handler("TagResource", expand=False)
@@ -1498,6 +1560,12 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         if key.metadata["KeyState"] == KeyState.PendingImport:
             raise KMSInvalidStateException(f"{key.metadata['Arn']} is pending import.")
 
+    def _validate_external_key_has_pending_material(self, key: KmsKey):
+        if key.metadata["Origin"] == "EXTERNAL" and key.crypto_key.pending_key_material is None:
+            raise KMSInvalidStateException(
+                f"No available key material pending rotation for the key: {key.metadata['Arn']}."
+            )
+
     def _validate_key_for_encryption_decryption(self, context: RequestContext, key: KmsKey):
         key_usage = key.metadata["KeyUsage"]
         if key_usage != "ENCRYPT_DECRYPT":
@@ -1559,6 +1627,15 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
                     f" constraint: [Member must satisfy enum value set: {VALID_OPERATIONS}]"
                 )
 
+    def _extract_attestation_pubkey(self, attestation_document: bytes) -> RSAPublicKey:
+        # The attestation document comes as a COSE (CBOR Object Signing and Encryption) object: the CBOR
+        # attestation is signed and then the attestation and signature are again CBOR-encoded.  For now
+        # we don't bother validating the signature, though in the future we could.
+        cose_document = cbor2_loads(attestation_document)
+        attestation = cbor2_loads(cose_document[2])
+        public_key_bytes = attestation["public_key"]
+        return load_der_public_key(public_key_bytes)
+
     def _decrypt_wrapped_key_material(
         self,
         import_state: KeyImportState,

localstack/services/lambda_/api_utils.py

@@ -722,7 +722,9 @@ def validate_layer_runtimes_and_architectures(
         validations.append(validation_msg)
 
     if compatible_architectures and set(compatible_architectures).difference(ARCHITECTURES):
-        constraint = "[Member must satisfy enum value set: [x86_64, arm64]]"
+        constraint = (
+            "[Member must satisfy enum value set: [x86_64, arm64], Member must not be null]"
+        )
         validation_msg = f"Value '[{', '.join(list(compatible_architectures))}]' at 'compatibleArchitectures' failed to satisfy constraint: Member must satisfy constraint: {constraint}"
         validations.append(validation_msg)
 

localstack/services/lambda_/packages.py

@@ -12,7 +12,7 @@ from localstack.utils.platform import get_arch
 """Customized LocalStack version of the AWS Lambda Runtime Interface Emulator (RIE).
 https://github.com/localstack/lambda-runtime-init/blob/localstack/README-LOCALSTACK.md
 """
-LAMBDA_RUNTIME_DEFAULT_VERSION = "v0.1.36-pre"
+LAMBDA_RUNTIME_DEFAULT_VERSION = "v0.1.37-pre"
 LAMBDA_RUNTIME_VERSION = config.LAMBDA_INIT_RELEASE_VERSION or LAMBDA_RUNTIME_DEFAULT_VERSION
 LAMBDA_RUNTIME_INIT_URL = "https://github.com/localstack/lambda-runtime-init/releases/download/{version}/aws-lambda-rie-{arch}"
 

localstack/services/lambda_/provider.py

@@ -3728,7 +3728,7 @@ class LambdaProvider(LambdaApi, ServiceLifecycleHook):
         if not layer_version:
             raise ValidationException(
                 f"1 validation error detected: Value '{arn}' at 'arn' failed to satisfy constraint: Member must satisfy regular expression pattern: "
-                + "(arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:layer:[a-zA-Z0-9-_]+:[0-9]+)|(arn:[a-zA-Z0-9-]+:lambda:::awslayer:[a-zA-Z0-9-_]+)"
+                + "(arn:(aws[a-zA-Z-]*)?:lambda:(eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:layer:[a-zA-Z0-9-_]+:[0-9]+)|(arn:[a-zA-Z0-9-]+:lambda:::awslayer:[a-zA-Z0-9-_]+)"
             )
 
         store = lambda_stores[account_id][region_name]

localstack/services/lambda_/runtimes.py

@@ -23,7 +23,7 @@ from localstack.aws.api.lambda_ import Runtime
 # 5. Run the unit test to check the runtime setup:
 # tests.unit.services.lambda_.test_api_utils.TestApiUtils.test_check_runtime
 # 6. Review special tests including:
-# a) [ext] tests.aws.services.lambda_.test_lambda_endpoint_injection
+# a) [pro] tests.aws.services.lambda_.test_lambda_endpoint_injection
 # 7. Before merging, run the ext integration tests to cover transparent endpoint injection testing.
 # 8. Add the new runtime to the K8 image build: https://github.com/localstack/lambda-images
 # 9. Inform the web team to update the resource browser (consider offering an endpoint in the future)
@@ -40,6 +40,7 @@ IMAGE_MAPPING: dict[Runtime, str] = {
     Runtime.nodejs16_x: "nodejs:16",
     Runtime.nodejs14_x: "nodejs:14",  # deprecated Dec 4, 2023  => Jan 9, 2024  => Feb 8, 2024
     Runtime.nodejs12_x: "nodejs:12",  # deprecated Mar 31, 2023 => Mar 31, 2023 => Apr 30, 2023
+    Runtime.python3_14: "python:3.14",
     Runtime.python3_13: "python:3.13",
     Runtime.python3_12: "python:3.12",
     Runtime.python3_11: "python:3.11",
@@ -47,6 +48,7 @@ IMAGE_MAPPING: dict[Runtime, str] = {
     Runtime.python3_9: "python:3.9",
     Runtime.python3_8: "python:3.8",
     Runtime.python3_7: "python:3.7",  # deprecated Dec 4, 2023 => Jan 9, 2024 => Feb 8, 2024
+    Runtime.java25: "java:25",
     Runtime.java21: "java:21",
     Runtime.java17: "java:17",
     Runtime.java11: "java:11",
@@ -116,6 +118,7 @@ RUNTIMES_AGGREGATED = {
         Runtime.nodejs16_x,
     ],
     "python": [
+        Runtime.python3_14,
         Runtime.python3_13,
         Runtime.python3_12,
         Runtime.python3_11,
@@ -124,6 +127,7 @@ RUNTIMES_AGGREGATED = {
         Runtime.python3_8,
     ],
     "java": [
+        Runtime.java25,
         Runtime.java21,
         Runtime.java17,
         Runtime.java11,
@@ -155,12 +159,13 @@ SNAP_START_SUPPORTED_RUNTIMES = [
     Runtime.java11,
     Runtime.java17,
     Runtime.java21,
+    Runtime.java25,
     Runtime.python3_12,
     Runtime.python3_13,
     Runtime.dotnet8,
 ]
 
 # An ordered list of all Lambda runtimes considered valid by AWS. Matching snapshots in test_create_lambda_exceptions
-VALID_RUNTIMES: str = "[nodejs20.x, provided.al2023, python3.12, python3.13, nodejs22.x, java17, nodejs16.x, dotnet8, python3.10, java11, python3.11, dotnet6, java21, nodejs18.x, provided.al2, ruby3.3, ruby3.4, java8.al2, ruby3.2, python3.8, python3.9]"
+VALID_RUNTIMES: str = "[nodejs20.x, python3.14, provided.al2023, python3.12, python3.13, nodejs22.x, java17, nodejs16.x, java25, dotnet8, python3.10, java11, python3.11, dotnet6, java21, nodejs18.x, provided.al2, ruby3.3, ruby3.4, java8.al2, ruby3.2, python3.8, python3.9]"
 # An ordered list of all Lambda runtimes for layers considered valid by AWS. Matching snapshots in test_layer_exceptions
-VALID_LAYER_RUNTIMES: str = "[ruby2.6, dotnetcore1.0, python3.7, nodejs8.10, nasa, ruby2.7, python2.7-greengrass, dotnetcore2.0, python3.8, java21, dotnet6, dotnetcore2.1, python3.9, java11, nodejs6.10, provided, dotnetcore3.1, dotnet8, java25, java17, nodejs, nodejs4.3, java8.al2, go1.x, dotnet10, nodejs20.x, go1.9, byol, nodejs10.x, provided.al2023, nodejs22.x, python3.10, java8, nodejs12.x, python3.11, nodejs24.x, nodejs8.x, python3.12, nodejs14.x, nodejs8.9, python3.13, python3.14, nodejs16.x, provided.al2, nodejs4.3-edge, nodejs18.x, ruby3.2, python3.4, ruby3.3, ruby3.4, ruby2.5, python3.6, python2.7]"
+VALID_LAYER_RUNTIMES: str = "[ruby3.5, ruby2.6, dotnetcore1.0, python3.7, nodejs8.10, nasa, ruby2.7, python2.7-greengrass, dotnetcore2.0, python3.8, java21, dotnet6, dotnetcore2.1, python3.9, java11, nodejs6.10, provided, dotnetcore3.1, dotnet8, java25, java17, nodejs, nodejs4.3, java8.al2, go1.x, dotnet10, nodejs20.x, go1.9, byol, nodejs10.x, provided.al2023, nodejs22.x, python3.10, java8, nodejs12.x, python3.11, nodejs24.x, nodejs8.x, python3.12, nodejs14.x, nodejs8.9, nodejs26.x, python3.13, python3.14, nodejs16.x, python3.15, provided.al2, nodejs4.3-edge, nodejs18.x, ruby3.2, python3.4, ruby3.3, ruby3.4, ruby2.5, python3.6, python2.7]"

localstack/services/logs/provider.py

@@ -22,10 +22,13 @@ from localstack.aws.api.logs import (
     InputLogEvents,
     InvalidParameterException,
     KmsKeyId,
+    ListLogGroupsRequest,
+    ListLogGroupsResponse,
     ListTagsForResourceResponse,
     ListTagsLogGroupResponse,
     LogGroupClass,
     LogGroupName,
+    LogGroupSummary,
     LogsApi,
     LogStreamName,
     PutLogEventsResponse,
@@ -43,7 +46,7 @@ from localstack.services.plugins import ServiceLifecycleHook
 from localstack.utils.aws import arns
 from localstack.utils.aws.client_types import ServicePrincipal
 from localstack.utils.bootstrap import is_api_enabled
-from localstack.utils.common import is_number
+from localstack.utils.numbers import is_number
 from localstack.utils.patch import patch
 
 LOG = logging.getLogger(__name__)
@@ -60,8 +63,8 @@ class LogsProvider(LogsApi, ServiceLifecycleHook):
         log_group_name: LogGroupName,
         log_stream_name: LogStreamName,
         log_events: InputLogEvents,
-        sequence_token: SequenceToken = None,
-        entity: Entity = None,
+        sequence_token: SequenceToken | None = None,
+        entity: Entity | None = None,
         **kwargs,
     ) -> PutLogEventsResponse:
         logs_backend = get_moto_logs_backend(context.account_id, context.region)
@@ -97,33 +100,32 @@ class LogsProvider(LogsApi, ServiceLifecycleHook):
     ) -> DescribeLogGroupsResponse:
         region_backend = get_moto_logs_backend(context.account_id, context.region)
 
-        prefix: str = request.get("logGroupNamePrefix", "")
-        pattern: str = request.get("logGroupNamePattern", "")
+        prefix: str | None = request.get("logGroupNamePrefix", "")
+        pattern: str | None = request.get("logGroupNamePattern", "")
 
         if pattern and prefix:
             raise InvalidParameterException(
                 "LogGroup name prefix and LogGroup name pattern are mutually exclusive parameters."
             )
 
-        copy_groups = copy.deepcopy(dict(region_backend.groups))
+        moto_groups = copy.deepcopy(dict(region_backend.groups)).values()
 
         groups = [
-            group.to_describe_dict()
-            for name, group in copy_groups.items()
+            {"logGroupClass": LogGroupClass.STANDARD} | group.to_describe_dict()
+            for group in sorted(moto_groups, key=lambda g: g.name)
             if not (prefix or pattern)
-            or (prefix and name.startswith(prefix))
-            or (pattern and pattern in name)
+            or (prefix and group.name.startswith(prefix))
+            or (pattern and pattern in group.name)
         ]
 
-        groups = sorted(groups, key=lambda x: x["logGroupName"])
         return DescribeLogGroupsResponse(logGroups=groups)
 
     @handler("DescribeLogStreams", expand=False)
     def describe_log_streams(
         self, context: RequestContext, request: DescribeLogStreamsRequest
     ) -> DescribeLogStreamsResponse:
-        log_group_name: str = request.get("logGroupName")
-        log_group_identifier: str = request.get("logGroupIdentifier")
+        log_group_name: str | None = request.get("logGroupName")
+        log_group_identifier: str | None = request.get("logGroupIdentifier")
 
         if log_group_identifier and log_group_name:
             raise CommonServiceException(
@@ -138,13 +140,29 @@ class LogsProvider(LogsApi, ServiceLifecycleHook):
 
         return moto.call_moto_with_request(context, request_copy)
 
+    @handler("ListLogGroups", expand=False)
+    def list_log_groups(
+        self, context: RequestContext, request: ListLogGroupsRequest
+    ) -> ListLogGroupsResponse:
+        pattern: str | None = request.get("logGroupNamePattern")
+        region_backend: LogsBackend = get_moto_logs_backend(context.account_id, context.region)
+        moto_groups = copy.deepcopy(region_backend.groups).values()
+        groups = [
+            LogGroupSummary(
+                logGroupName=group.name, logGroupArn=group.arn, logGroupClass=LogGroupClass.STANDARD
+            )
+            for group in sorted(moto_groups, key=lambda g: g.name)
+            if not pattern or pattern in group.name
+        ]
+        return ListLogGroupsResponse(logGroups=groups)
+
     def create_log_group(
         self,
         context: RequestContext,
         log_group_name: LogGroupName,
-        kms_key_id: KmsKeyId = None,
-        tags: Tags = None,
-        log_group_class: LogGroupClass = None,
+        kms_key_id: KmsKeyId | None = None,
+        tags: Tags | None = None,
+        log_group_class: LogGroupClass | None = None,
         **kwargs,
     ) -> None:
         call_moto(context)
@@ -442,10 +460,9 @@ def moto_to_describe_dict(target, self):
     # reported race condition in https://github.com/localstack/localstack/issues/8011
     # making copy of "streams" dict here to avoid issues while summing up storedBytes
     copy_streams = copy.deepcopy(self.streams)
-    # parity tests shows that the arn ends with ":*"
-    arn = self.arn if self.arn.endswith(":*") else f"{self.arn}:*"
     log_group = {
-        "arn": arn,
+        "arn": f"{self.arn}:*",
+        "logGroupArn": self.arn,
         "creationTime": self.creation_time,
         "logGroupName": self.name,
         "metricFilterCount": 0,

localstack/services/s3/provider.py

@@ -502,7 +502,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 raise MalformedXML()
 
             if context.region == AWS_REGION_US_EAST_1:
-                if bucket_region == "us-east-1":
+                if bucket_region in ("us-east-1", "aws-global"):
                     raise InvalidLocationConstraint(
                         "The specified location-constraint is not valid",
                         LocationConstraint=bucket_region,

localstack/services/sns/v2/models.py

@@ -5,6 +5,7 @@ from enum import StrEnum
 from typing import Literal, TypedDict
 
 from localstack.aws.api.sns import (
+    Endpoint,
     MessageAttributeMap,
     PlatformApplication,
     PublishBatchRequestEntry,
@@ -39,6 +40,12 @@ SnsApplicationPlatforms = Literal[
 ]
 
 
+class EndpointAttributeNames(StrEnum):
+    CUSTOM_USER_DATA = "CustomUserData"
+    Token = "Token"
+    ENABLED = "Enabled"
+
+
 SMS_ATTRIBUTE_NAMES = [
     "DeliveryStatusIAMRole",
     "DeliveryStatusSuccessSamplingRate",
@@ -143,6 +150,19 @@ class SnsMessage:
         )
 
 
+@dataclass
+class PlatformEndpoint:
+    platform_application_arn: str
+    platform_endpoint: Endpoint
+
+
+@dataclass
+class PlatformApplicationDetails:
+    platform_application: PlatformApplication
+    # maps all Endpoints of the PlatformApplication, from their Token to their ARN
+    platform_endpoints: dict[str, str]
+
+
 class SnsStore(BaseStore):
     topics: dict[str, Topic] = LocalAttribute(default=dict)
 
@@ -156,7 +176,10 @@ class SnsStore(BaseStore):
     subscription_tokens: dict[str, str] = LocalAttribute(default=dict)
 
     # maps platform application arns to platform applications
-    platform_applications: dict[str, PlatformApplication] = LocalAttribute(default=dict)
+    platform_applications: dict[str, PlatformApplicationDetails] = LocalAttribute(default=dict)
+
+    # maps endpoint arns to platform endpoints
+    platform_endpoints: dict[str, PlatformEndpoint] = LocalAttribute(default=dict)
 
     # topic/subscription independent default values for sending sms messages
     sms_attributes: dict[str, str] = LocalAttribute(default=dict)