localstack-core 4.13.2.dev93__py3-none-any.whl → 4.13.2.dev95__py3-none-any.whl

localstack/services/kms/models.py

@@ -45,16 +45,15 @@ from localstack.aws.api.kms import (
     OriginType,
     ReplicateKeyRequest,
     SigningAlgorithmSpec,
-    TagList,
     UnsupportedOperationException,
 )
-from localstack.constants import TAG_KEY_CUSTOM_ID
 from localstack.services.kms.exceptions import ValidationException
-from localstack.services.kms.utils import is_valid_key_arn, validate_tag, validate_tag_list
+from localstack.services.kms.utils import is_valid_key_arn
 from localstack.services.stores import AccountRegionBundle, BaseStore, LocalAttribute
 from localstack.utils.aws.arns import get_partition, kms_alias_arn, kms_key_arn
 from localstack.utils.crypto import decrypt, encrypt
 from localstack.utils.strings import long_uid, to_bytes, to_str
+from localstack.utils.tagging import Tags
 
 LOG = logging.getLogger(__name__)
 
@@ -114,9 +113,6 @@ RESERVED_ALIASES = [
 # list of key names that should be skipped when serializing the encryption context
 IGNORED_CONTEXT_KEYS = ["aws-crypto-public-key"]
 
-# special tag name to allow specifying a custom key material for created keys
-TAG_KEY_CUSTOM_KEY_MATERIAL = "_custom_key_material_"
-
 
 def _serialize_ciphertext_blob(ciphertext: Ciphertext) -> bytes:
     header = struct.pack(
@@ -289,7 +285,6 @@ class KmsCryptoKey:
 class KmsKey:
     metadata: KeyMetadata
     crypto_key: KmsCryptoKey
-    tags: dict[str, str]
     policy: str
     is_key_rotation_enabled: bool
     rotation_period_in_days: int
@@ -302,18 +297,13 @@ class KmsKey:
         create_key_request: CreateKeyRequest = None,
         account_id: str = None,
         region: str = None,
+        custom_key_material: bytes | None = None,
+        custom_key_id: str | None = None,
     ):
         create_key_request = create_key_request or CreateKeyRequest()
         self.previous_keys = []
 
-        # Please keep in mind that tags of a key could be present in the request, they are not a part of metadata. At
-        # least in the sense of DescribeKey not returning them with the rest of the metadata. Instead, tags are more
-        # like aliases:
-        # https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html
-        # "DescribeKey does not return the following information: ... Tags on the KMS key."
-        self.tags = {}
-        self.add_tags(create_key_request.get("Tags"))
-        # Same goes for the policy. It is in the request, but not in the metadata.
+        # Policy is in the request but not in the metadata.
         self.policy = create_key_request.get("Policy") or self._get_default_key_policy(
             account_id, region
         )
@@ -322,13 +312,7 @@ class KmsKey:
         # disable it."
         self.is_key_rotation_enabled = False
 
-        self._populate_metadata(create_key_request, account_id, region)
-        custom_key_material = None
-        if TAG_KEY_CUSTOM_KEY_MATERIAL in self.tags:
-            # check if the _custom_key_material_ tag is specified, to use a custom key material for this key
-            custom_key_material = base64.b64decode(self.tags[TAG_KEY_CUSTOM_KEY_MATERIAL])
-            # remove the _custom_key_material_ tag from the tags to not readily expose the custom key material
-            del self.tags[TAG_KEY_CUSTOM_KEY_MATERIAL]
+        self._populate_metadata(create_key_request, account_id, region, custom_key_id=custom_key_id)
         self.crypto_key = KmsCryptoKey(self.metadata.get("KeySpec"), custom_key_material)
         self._internal_key_id = uuid.uuid4()
 
@@ -560,7 +544,11 @@ class KmsKey:
     #
     # Data keys are symmetric, data key pairs are asymmetric.
     def _populate_metadata(
-        self, create_key_request: CreateKeyRequest, account_id: str, region: str
+        self,
+        create_key_request: CreateKeyRequest,
+        account_id: str,
+        region: str,
+        custom_key_id: str | None = None,
     ) -> None:
         self.metadata = KeyMetadata()
         # Metadata fields coming from a creation request
@@ -597,9 +585,8 @@ class KmsKey:
             else KeyState.PendingImport
         )
 
-        if TAG_KEY_CUSTOM_ID in self.tags:
-            # check if the _custom_id_ tag is specified, to set a user-defined KeyId for this key
-            self.metadata["KeyId"] = self.tags[TAG_KEY_CUSTOM_ID].strip()
+        if custom_key_id:
+            self.metadata["KeyId"] = custom_key_id
         elif self.metadata.get("MultiRegion"):
             # https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
             # "Notice that multi-Region keys have a distinctive key ID that begins with mrk-. You can use the mrk- prefix to
@@ -625,21 +612,6 @@ class KmsKey:
                 ReplicaKeys=[],
             )
 
-    def add_tags(self, tags: TagList) -> None:
-        # Just in case we get None from somewhere.
-        if not tags:
-            return
-
-        validate_tag_list(tags)
-
-        # Do not care if we overwrite an existing tag:
-        # https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html
-        # "To edit a tag, specify an existing tag key and a new tag value."
-        for i, tag in enumerate(tags, start=1):
-            if tag.get("TagKey") != TAG_KEY_CUSTOM_KEY_MATERIAL:
-                validate_tag(i, tag)
-            self.tags[tag.get("TagKey")] = tag.get("TagValue")
-
     def schedule_key_deletion(self, pending_window_in_days: int) -> None:
         self.metadata["Enabled"] = False
         # TODO For MultiRegion keys, the status of replicas get set to "PendingDeletion", while the primary key
@@ -870,5 +842,8 @@ class KmsStore(BaseStore):
     # maps import tokens to import data
     imports: dict[str, KeyImportState] = LocalAttribute(default=dict)
 
+    # maps key arn to tags
+    tags: Tags = LocalAttribute(default=Tags)
+
 
 kms_stores = AccountRegionBundle("kms", KmsStore)

localstack/services/kms/provider.py

@@ -137,9 +137,12 @@ from localstack.services.kms.models import (
 )
 from localstack.services.kms.utils import (
     execute_dry_run_capable,
+    get_custom_key_id,
+    get_custom_key_material,
     is_valid_key_arn,
     parse_key_arn,
     validate_alias_name,
+    validate_and_filter_tags,
 )
 from localstack.services.plugins import ServiceLifecycleHook
 from localstack.state import StateVisitor
@@ -229,7 +232,13 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         account_id: str, region_name: str, request: CreateKeyRequest = None
     ) -> KmsKey:
         store = kms_stores[account_id][region_name]
-        key = KmsKey(request, account_id, region_name)
+        key = KmsKey(
+            request,
+            account_id,
+            region_name,
+            get_custom_key_material(request),
+            get_custom_key_id(request),
+        )
         key_id = key.metadata["KeyId"]
         store.keys[key_id] = key
         return key
@@ -299,11 +308,9 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         store = kms_stores[account_id][region_name]
         if alias_name not in RESERVED_ALIASES or alias_name in store.aliases:
             return
-        create_key_request = {}
         key_id = KmsProvider._create_kms_key(
             account_id,
             region_name,
-            create_key_request,
         ).metadata.get("KeyId")
         create_alias_request = CreateAliasRequest(AliasName=alias_name, TargetKeyId=key_id)
         KmsProvider._create_kms_alias(account_id, region_name, create_alias_request)
@@ -393,19 +400,25 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
     def _is_rsa_spec(key_spec: str) -> bool:
         return key_spec in [KeySpec.RSA_2048, KeySpec.RSA_3072, KeySpec.RSA_4096]
 
-    # These tagging methods are overwritten in the Pro implementation.
-    def _get_key_tags(self, key: KmsKey, account_id: str, region: str) -> TagList:
-        return [Tag(TagKey=key, TagValue=value) for key, value in key.tags.items()]
+    def _get_key_tags(self, account_id: str, region: str, resource_arn: str) -> TagList:
+        store = self._get_store(account_id, region)
+        return [
+            Tag(TagKey=key, TagValue=value)
+            for key, value in store.tags.get_tags(resource_arn).items()
+        ]
 
-    def _set_key_tags(self, key: KmsKey, account_id: str, region: str, tags: TagList) -> None:
-        return
+    def _set_key_tags(self, account_id: str, region: str, resource_arn: str, tags: TagList) -> None:
+        validated_tags = validate_and_filter_tags(tags)
+        store = self._get_store(account_id, region)
+        store.tags.update_tags(
+            resource_arn, {tag["TagKey"]: tag["TagValue"] for tag in validated_tags}
+        )
 
     def _remove_key_tags(
-        self, key: KmsKey, account_id: str, region: str, tag_keys: TagKeyList
+        self, account_id: str, region: str, resource_arn: str, tag_keys: TagKeyList
     ) -> None:
-        # AWS doesn't seem to mind removal of a non-existent tag, so we do not raise any exception.
-        for tag_key in tag_keys:
-            key.tags.pop(tag_key, None)
+        store = self._get_store(account_id, region)
+        store.tags.delete_tags(resource_arn, tag_keys)
 
     #
     # Operation Handlers
@@ -417,8 +430,10 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         context: RequestContext,
         request: CreateKeyRequest = None,
     ) -> CreateKeyResponse:
+        tags = validate_and_filter_tags(request.get("Tags", []))
         key = self._create_kms_key(context.account_id, context.region, request)
-        self._set_key_tags(key, context.account_id, context.region, request.get("Tags", []))
+        if tags:
+            self._set_key_tags(context.account_id, context.region, key.metadata["Arn"], tags)
         return CreateKeyResponse(KeyMetadata=key.metadata)
 
     @handler("ScheduleKeyDeletion", expand=False)
@@ -1487,7 +1502,9 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
         key = self._get_kms_key(
             context.account_id, context.region, request.get("KeyId"), any_key_state_allowed=True
         )
-        keys_list = PaginatedList(self._get_key_tags(key, context.account_id, context.region))
+        keys_list = PaginatedList(
+            self._get_key_tags(context.account_id, context.region, key.metadata["Arn"])
+        )
         page, next_token = keys_list.get_page(
             lambda tag: tag.get("TagKey"),
             next_token=request.get("Marker"),
@@ -1519,7 +1536,6 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
 
     @handler("TagResource", expand=False)
     def tag_resource(self, context: RequestContext, request: TagResourceRequest) -> None:
-        tags = request["Tags"]
         key = self._get_kms_key(
             context.account_id,
             context.region,
@@ -1527,14 +1543,11 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
             enabled_key_allowed=True,
             disabled_key_allowed=True,
         )
-        key.add_tags(tags)
-        self._set_key_tags(key, context.account_id, context.region, tags)
+        if tags := request["Tags"]:
+            self._set_key_tags(context.account_id, context.region, key.metadata["Arn"], tags)
 
     @handler("UntagResource", expand=False)
     def untag_resource(self, context: RequestContext, request: UntagResourceRequest) -> None:
-        if not (tag_keys := request.get("TagKeys", [])):
-            return
-
         key = self._get_kms_key(
             context.account_id,
             context.region,
@@ -1542,7 +1555,9 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
             enabled_key_allowed=True,
             disabled_key_allowed=True,
         )
-        self._remove_key_tags(key, context.account_id, context.region, tag_keys)
+        self._remove_key_tags(
+            context.account_id, context.region, key.metadata["Arn"], request["TagKeys"]
+        )
 
     def derive_shared_secret(
         self,

localstack/services/kms/utils.py

@@ -1,13 +1,23 @@
+import base64
 import re
 from collections.abc import Callable
 
-from localstack.aws.api.kms import DryRunOperationException, Tag, TagException, TagList
+from localstack.aws.api.kms import (
+    CreateKeyRequest,
+    DryRunOperationException,
+    Tag,
+    TagException,
+    TagList,
+)
+from localstack.constants import TAG_KEY_CUSTOM_ID
 from localstack.services.kms.exceptions import ValidationException
 from localstack.utils.aws.arns import ARN_PARTITION_REGEX
 
 KMS_KEY_ARN_PATTERN = re.compile(
     rf"{ARN_PARTITION_REGEX}:kms:(?P<region_name>[^:]+):(?P<account_id>\d{{12}}):((?=key/)key/|(?=alias/))(?P<key_id>[^:]+)$"
 )
+# special tag name to allow specifying a custom key material for created keys
+TAG_KEY_CUSTOM_KEY_MATERIAL = "_custom_key_material_"
 
 
 def get_hash_algorithm(signing_algorithm: str) -> str:
@@ -60,13 +70,65 @@ def validate_tag(tag_position: int, tag: Tag) -> None:
         raise TagException("Tags beginning with aws: are reserved")
 
 
-def validate_tag_list(tag_list: TagList) -> None:
+def validate_and_filter_tags(tag_list: TagList) -> TagList:
+    """
+    Validates tags and filters out LocalStack specific tags
+
+    :param tag_list: The list of tags provided to apply to the KMS key.
+    :returns: Filtered and validated list of tags to apply to the KMS key.
+    """
     unique_tag_keys = {tag["TagKey"] for tag in tag_list}
     if len(unique_tag_keys) < len(tag_list):
         raise TagException("Duplicate tag keys")
     if len(tag_list) > 50:
         raise TagException("Too many tags")
 
+    validated_tags = []
+    for i, tag in enumerate(tag_list, start=1):
+        if tag["TagKey"] != TAG_KEY_CUSTOM_KEY_MATERIAL:
+            validate_tag(i, tag)
+            validated_tags.append(tag)
+
+    return validated_tags
+
+
+def get_custom_key_material(request: CreateKeyRequest | None) -> bytes | None:
+    """
+    Retrieves custom material which is sent in a CreateKeyRequest via the Tags.
+
+    :param request: The request for creating a KMS key.
+    :returns: Custom key material for the KMS key.
+    """
+    if not request:
+        return None
+
+    custom_key_material = None
+    tags = request.get("Tags", [])
+    for tag in tags:
+        if tag["TagKey"] == TAG_KEY_CUSTOM_KEY_MATERIAL:
+            custom_key_material = base64.b64decode(tag["TagValue"])
+
+    return custom_key_material
+
+
+def get_custom_key_id(request: CreateKeyRequest | None) -> bytes | None:
+    """
+    Retrieves a custom Key ID for the KMS key which is sent in a CreateKeyRequest via the Tags.
+
+    :param request: The request for creating a KMS key.
+    :returns: THe custom Key ID for the KMS key.
+    """
+    if not request:
+        return None
+
+    custom_key_id = None
+    tags = request.get("Tags", [])
+    for tag in tags:
+        if tag["TagKey"] == TAG_KEY_CUSTOM_ID:
+            custom_key_id = tag["TagValue"]
+
+    return custom_key_id
+
 
 def execute_dry_run_capable[T](func: Callable[..., T], dry_run: bool, *args, **kwargs) -> T:
     """

localstack/services/lambda_/invocation/models.py

@@ -6,7 +6,7 @@ from localstack.services.lambda_.invocation.lambda_models import (
     Layer,
 )
 from localstack.services.stores import AccountRegionBundle, BaseStore, LocalAttribute
-from localstack.utils.tagging import TaggingService
+from localstack.utils.tagging import Tags
 
 
 class LambdaStore(BaseStore):
@@ -26,7 +26,7 @@ class LambdaStore(BaseStore):
     capacity_providers: dict[str, CapacityProvider] = LocalAttribute(default=dict)
 
     # maps resource ARNs for EventSourceMappings and CodeSigningConfiguration to tags
-    TAGS: TaggingService = LocalAttribute(default=TaggingService)
+    tags: Tags = LocalAttribute(default=Tags)
 
 
 lambda_stores = AccountRegionBundle("lambda", LambdaStore)

localstack/services/lambda_/packages.py

@@ -12,7 +12,7 @@ from localstack.utils.platform import get_arch
 """Customized LocalStack version of the AWS Lambda Runtime Interface Emulator (RIE).
 https://github.com/localstack/lambda-runtime-init/blob/localstack/README-LOCALSTACK.md
 """
-LAMBDA_RUNTIME_DEFAULT_VERSION = "v0.1.40-pre"
+LAMBDA_RUNTIME_DEFAULT_VERSION = "v0.1.41-pre"
 LAMBDA_RUNTIME_VERSION = config.LAMBDA_INIT_RELEASE_VERSION or LAMBDA_RUNTIME_DEFAULT_VERSION
 LAMBDA_RUNTIME_INIT_URL = "https://github.com/localstack/lambda-runtime-init/releases/download/{version}/aws-lambda-rie-{arch}"
 

localstack/services/lambda_/provider.py

@@ -4415,28 +4415,25 @@ class LambdaProvider(LambdaApi, ServiceLifecycleHook):
     # only Function, Event Source Mapping, and Code Signing Config (not currently supported by LocalStack) ARNs
     # are available for tagging in AWS
 
+    @staticmethod
     def _update_resource_tags(
-        self, resource_arn: str, account_id: str, region: str, tags: dict[str, str]
+        resource_arn: str, account_id: str, region: str, tags: dict[str, str]
     ) -> None:
-        tagger_service = lambda_stores[account_id][region].TAGS
-        tag_svc_adapted_tags = [{"Key": key, "Value": value} for key, value in tags.items()]
-        tagger_service.tag_resource(resource_arn, tag_svc_adapted_tags)
+        lambda_stores[account_id][region].tags.update_tags(resource_arn, tags)
 
-    def _list_resource_tags(
-        self, resource_arn: str, account_id: str, region: str
-    ) -> dict[str, str]:
-        tagger_service = lambda_stores[account_id][region].TAGS
-        return tagger_service.tags.get(resource_arn, {})
+    @staticmethod
+    def _list_resource_tags(resource_arn: str, account_id: str, region: str) -> dict[str, str]:
+        return lambda_stores[account_id][region].tags.get_tags(resource_arn)
 
+    @staticmethod
     def _remove_resource_tags(
-        self, resource_arn: str, account_id: str, region: str, keys: TagKeyList
+        resource_arn: str, account_id: str, region: str, keys: TagKeyList
     ) -> None:
-        tagger_service = lambda_stores[account_id][region].TAGS
-        tagger_service.untag_resource(resource_arn, keys)
+        lambda_stores[account_id][region].tags.delete_tags(resource_arn, keys)
 
-    def _remove_all_resource_tags(self, resource_arn: str, account_id: str, region: str) -> None:
-        tagger_service = lambda_stores[account_id][region].TAGS
-        return tagger_service.tags.pop(resource_arn, None)
+    @staticmethod
+    def _remove_all_resource_tags(resource_arn: str, account_id: str, region: str) -> None:
+        lambda_stores[account_id][region].tags.delete_all_tags(resource_arn)
 
     def _get_tags(self, resource: TaggableResource) -> dict[str, str]:
         account_id, region = self._get_account_id_and_region_for_taggable_resource(resource)

localstack/services/opensearch/models.py

@@ -2,18 +2,15 @@ from localstack.aws.api.opensearch import DomainStatus
 from localstack.services.stores import (
     AccountRegionBundle,
     BaseStore,
-    CrossRegionAttribute,
     LocalAttribute,
 )
-from localstack.utils.tagging import TaggingService
+from localstack.utils.tagging import Tags
 
 
 class OpenSearchStore(BaseStore):
     # storage for domain resources (access should be protected with the _domain_mutex)
     opensearch_domains: dict[str, DomainStatus] = LocalAttribute(default=dict)
-
-    # static tagging service instance
-    TAGS = CrossRegionAttribute(default=TaggingService)
+    tags: Tags = LocalAttribute(default=Tags)
 
 
 opensearch_stores = AccountRegionBundle("opensearch", OpenSearchStore)

localstack/services/opensearch/provider.py

@@ -518,22 +518,20 @@ class OpensearchProvider(OpensearchApi, ServiceLifecycleHook):
                 cluster_manager().remove(DomainKey(domain_name, region, account_id).arn)
 
     def _add_tags(self, context: RequestContext, arn: ARN, tag_list: TagList) -> None:
-        self.get_store(context.account_id, context.region).TAGS.tag_resource(arn, tag_list)
+        self.get_store(context.account_id, context.region).tags.update_tags(
+            arn, {tag["Key"]: tag["Value"] for tag in tag_list}
+        )
 
     def _remove_tags(self, context: RequestContext, arn: ARN, tag_keys: StringList) -> None:
-        self.get_store(context.account_id, context.region).TAGS.untag_resource(arn, tag_keys)
+        self.get_store(context.account_id, context.region).tags.delete_tags(arn, tag_keys)
 
     def _remove_all_tags(self, context: RequestContext, arn: ARN) -> None:
-        self.get_store(context.account_id, context.region).TAGS.del_resource(arn)
+        self.get_store(context.account_id, context.region).tags.delete_all_tags(arn)
 
     def _list_tags(self, context: RequestContext, arn: ARN) -> TagList:
-        # The tagging service returns a dictionary with the given root name
         store = self.get_store(context.account_id, context.region)
-        tags = store.TAGS.list_tags_for_resource(arn=arn, root_name="root")
-        # Extract the actual list of tags for the typed response
-        tag_list: TagList = tags["root"]
-
-        return tag_list
+        tags = store.tags.get_tags(arn)
+        return [{"Key": key, "Value": value} for key, value in tags.items()]
 
     @handler("CreateDomain", expand=False)
     def create_domain(

localstack/services/route53/models.py

@@ -1,10 +1,12 @@
 from localstack.aws.api.route53 import DelegationSet
 from localstack.services.stores import AccountRegionBundle, BaseStore, LocalAttribute
+from localstack.utils.tagging import Tags
 
 
 class Route53Store(BaseStore):
     # maps delegation set ID to reusable delegation set details
     reusable_delegation_sets: dict[str, DelegationSet] = LocalAttribute(default=dict)
+    tags: Tags = LocalAttribute(default=Tags)
 
 
-route53_stores = AccountRegionBundle("route53", Route53Store)
+route53_stores = AccountRegionBundle("route53", Route53Store, validate=False)

localstack/services/route53/provider.py

@@ -27,6 +27,7 @@ from localstack.aws.api.route53 import (
 from localstack.aws.connect import connect_to
 from localstack.services.moto import call_moto
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.services.route53.models import Route53Store, route53_stores
 from localstack.state import StateVisitor
 
 
@@ -37,6 +38,10 @@ class Route53Provider(Route53Api, ServiceLifecycleHook):
         visitor.visit(route53_backends)
         visitor.visit(route53_stores)
 
+    @staticmethod
+    def get_route53_store(account_id: str, region: str) -> Route53Store:
+        return route53_stores[account_id][region]
+
     # No tag deletion logic to handle in Community. Overwritten in Pro implementation.
     def remove_resource_tags(
         self, context: RequestContext, resource_type: str, resource_id: str

localstack/services/s3/models.py

@@ -91,7 +91,7 @@ from localstack.services.stores import (
     LocalAttribute,
 )
 from localstack.utils.aws import arns
-from localstack.utils.tagging import TaggingService
+from localstack.utils.tagging import Tags
 
 LOG = logging.getLogger(__name__)
 
@@ -763,9 +763,7 @@ class S3Store(BaseStore):
     buckets: dict[BucketName, S3Bucket] = CrossRegionAttribute(default=dict)
     global_bucket_map: dict[BucketName, AccountId] = CrossAccountAttribute(default=dict)
     aws_managed_kms_key_id: SSEKMSKeyId = LocalAttribute(default=str)
-
-    # static tagging service instance
-    TAGS: TaggingService = CrossAccountAttribute(default=TaggingService)
+    tags: Tags = LocalAttribute(default=Tags)
 
 
 class BucketCorsIndex: