localstack-core 4.3.1.dev5__py3-none-any.whl → 4.3.1.dev27__py3-none-any.whl

localstack/services/cloudformation/v2/provider.py

@@ -1,3 +1,4 @@
+import logging
 from copy import deepcopy
 
 from localstack.aws.api import RequestContext, handler
@@ -5,12 +6,18 @@ from localstack.aws.api.cloudformation import (
     ChangeSetNameOrId,
     ChangeSetNotFoundException,
     ChangeSetType,
+    ClientRequestToken,
     CreateChangeSetInput,
     CreateChangeSetOutput,
     DescribeChangeSetOutput,
+    DisableRollback,
+    ExecuteChangeSetOutput,
+    ExecutionStatus,
     IncludePropertyValues,
+    InvalidChangeSetStatusException,
     NextToken,
     Parameter,
+    RetainExceptOnCreate,
     StackNameOrId,
     StackStatus,
 )
@@ -27,6 +34,9 @@ from localstack.services.cloudformation.engine.template_utils import resolve_sta
 from localstack.services.cloudformation.engine.v2.change_set_model_describer import (
     ChangeSetModelDescriber,
 )
+from localstack.services.cloudformation.engine.v2.change_set_model_executor import (
+    ChangeSetModelExecutor,
+)
 from localstack.services.cloudformation.engine.validations import ValidationError
 from localstack.services.cloudformation.provider import (
     ARN_CHANGESET_REGEX,
@@ -41,6 +51,8 @@ from localstack.services.cloudformation.stores import (
 )
 from localstack.utils.collections import remove_attributes
 
+LOG = logging.getLogger(__name__)
+
 
 class CloudformationProviderV2(CloudformationProvider):
     @handler("CreateChangeSet", expand=False)
@@ -178,7 +190,12 @@ class CloudformationProviderV2(CloudformationProvider):
 
         # create change set for the stack and apply changes
         change_set = StackChangeSet(
-            context.account_id, context.region, stack, req_params, transformed_template
+            context.account_id,
+            context.region,
+            stack,
+            req_params,
+            transformed_template,
+            change_set_type=change_set_type,
         )
         # only set parameters for the changeset, then switch to stack on execute_change_set
         change_set.template_body = template_body
@@ -233,14 +250,61 @@ class CloudformationProviderV2(CloudformationProvider):
 
         return CreateChangeSetOutput(StackId=change_set.stack_id, Id=change_set.change_set_id)
 
+    @handler("ExecuteChangeSet")
+    def execute_change_set(
+        self,
+        context: RequestContext,
+        change_set_name: ChangeSetNameOrId,
+        stack_name: StackNameOrId | None = None,
+        client_request_token: ClientRequestToken | None = None,
+        disable_rollback: DisableRollback | None = None,
+        retain_except_on_create: RetainExceptOnCreate | None = None,
+        **kwargs,
+    ) -> ExecuteChangeSetOutput:
+        change_set = find_change_set(
+            context.account_id,
+            context.region,
+            change_set_name,
+            stack_name=stack_name,
+            active_only=True,
+        )
+        if not change_set:
+            raise ChangeSetNotFoundException(f"ChangeSet [{change_set_name}] does not exist")
+        if change_set.metadata.get("ExecutionStatus") != ExecutionStatus.AVAILABLE:
+            LOG.debug("Change set %s not in execution status 'AVAILABLE'", change_set_name)
+            raise InvalidChangeSetStatusException(
+                f"ChangeSet [{change_set.metadata['ChangeSetId']}] cannot be executed in its current status of [{change_set.metadata.get('Status')}]"
+            )
+        stack_name = change_set.stack.stack_name
+        LOG.debug(
+            'Executing change set "%s" for stack "%s" with %s resources ...',
+            change_set_name,
+            stack_name,
+            len(change_set.template_resources),
+        )
+        if not change_set.update_graph:
+            raise RuntimeError("Programming error: no update graph found for change set")
+
+        change_set_executor = ChangeSetModelExecutor(
+            change_set.update_graph,
+            account_id=context.account_id,
+            region=context.region,
+            stack_name=change_set.stack.stack_name,
+            stack_id=change_set.stack.stack_id,
+        )
+        new_resources = change_set_executor.execute()
+        change_set.stack.set_stack_status(f"{change_set.change_set_type or 'UPDATE'}_COMPLETE")
+        change_set.stack.resources = new_resources
+        return ExecuteChangeSetOutput()
+
     @handler("DescribeChangeSet")
     def describe_change_set(
         self,
         context: RequestContext,
         change_set_name: ChangeSetNameOrId,
-        stack_name: StackNameOrId = None,
-        next_token: NextToken = None,
-        include_property_values: IncludePropertyValues = None,
+        stack_name: StackNameOrId | None = None,
+        next_token: NextToken | None = None,
+        include_property_values: IncludePropertyValues | None = None,
         **kwargs,
     ) -> DescribeChangeSetOutput:
         # TODO add support for include_property_values
@@ -261,8 +325,10 @@ class CloudformationProviderV2(CloudformationProvider):
         if not change_set:
             raise ChangeSetNotFoundException(f"ChangeSet [{change_set_name}] does not exist")
 
-        change_set_describer = ChangeSetModelDescriber(node_template=change_set.update_graph)
-        resource_changes = change_set_describer.get_resource_changes()
+        change_set_describer = ChangeSetModelDescriber(
+            node_template=change_set.update_graph, include_property_values=include_property_values
+        )
+        resource_changes = change_set_describer.get_changes()
 
         attrs = [
             "ChangeSetType",

localstack/services/ec2/patches.py

@@ -78,15 +78,22 @@ def apply_patches():
         tags: Optional[dict[str, str]] = None,
         **kwargs,
     ):
+        # Patch this method so that we can create a subnet with a specific "custom"
+        # ID.  The custom ID that we will use is contained within a special tag.
         vpc_id: str = args[0] if len(args) >= 1 else kwargs["vpc_id"]
         cidr_block: str = args[1] if len(args) >= 1 else kwargs["cidr_block"]
         resource_identifier = SubnetIdentifier(
             self.account_id, self.region_name, vpc_id, cidr_block
         )
-        # tags has the format: {"subnet": {"Key": ..., "Value": ...}}
+
+        # tags has the format: {"subnet": {"Key": ..., "Value": ...}}, but we need
+        # to pass this to the generate method as {"Key": ..., "Value": ...}.  Take
+        # care not to alter the original tags dict otherwise moto will not be able
+        # to understand it.
+        subnet_tags = None
         if tags is not None:
-            tags = tags.get("subnet", tags)
-        custom_id = resource_identifier.generate(tags=tags)
+            subnet_tags = tags.get("subnet", tags)
+        custom_id = resource_identifier.generate(tags=subnet_tags)
 
         if custom_id:
             # Check if custom id is unique within a given VPC
@@ -102,9 +109,16 @@ def apply_patches():
         if custom_id:
             # Remove the subnet from the default dict and add it back with the custom id
             self.subnets[availability_zone].pop(result.id)
+            old_id = result.id
             result.id = custom_id
             self.subnets[availability_zone][custom_id] = result
 
+            # Tags are not stored in the Subnet object, but instead stored in a separate
+            # dict in the EC2 backend, keyed by subnet id.  That therefore requires
+            # updating as well.
+            if old_id in self.tags:
+                self.tags[custom_id] = self.tags.pop(old_id)
+
         # Return the subnet with the patched custom id
         return result
 
@@ -132,9 +146,16 @@ def apply_patches():
         if custom_id:
             # Remove the security group from the default dict and add it back with the custom id
             self.groups[result.vpc_id].pop(result.group_id)
+            old_id = result.group_id
             result.group_id = result.id = custom_id
             self.groups[result.vpc_id][custom_id] = result
 
+            # Tags are not stored in the Security Group object, but instead are stored in a
+            # separate dict in the EC2 backend, keyed by id.  That therefore requires
+            # updating as well.
+            if old_id in self.tags:
+                self.tags[custom_id] = self.tags.pop(old_id)
+
         return result
 
     @patch(ec2_models.vpcs.VPCBackend.create_vpc)
@@ -175,9 +196,16 @@ def apply_patches():
 
             # Remove the VPC from the default dict and add it back with the custom id
             self.vpcs.pop(vpc_id)
+            old_id = result.id
             result.id = custom_id
             self.vpcs[custom_id] = result
 
+            # Tags are not stored in the VPC object, but instead stored in a separate
+            # dict in the EC2 backend, keyed by VPC id.  That therefore requires
+            # updating as well.
+            if old_id in self.tags:
+                self.tags[custom_id] = self.tags.pop(old_id)
+
             # Create default network ACL, route table, and security group for custom ID VPC
             self.create_route_table(
                 vpc_id=custom_id,

localstack/services/kms/models.py

@@ -476,7 +476,7 @@ class KmsKey:
             if "PKCS" in signing_algorithm:
                 return padding.PKCS1v15()
             elif "PSS" in signing_algorithm:
-                return padding.PSS(mgf=padding.MGF1(hasher), salt_length=padding.PSS.MAX_LENGTH)
+                return padding.PSS(mgf=padding.MGF1(hasher), salt_length=padding.PSS.DIGEST_LENGTH)
             else:
                 LOG.warning("Unsupported padding in SigningAlgorithm '%s'", signing_algorithm)
 

localstack/services/lambda_/event_source_mapping/pollers/dynamodb_poller.py

@@ -61,6 +61,8 @@ class DynamoDBPoller(StreamPoller):
                 **kwargs,
             )
             shards[shard_id] = get_shard_iterator_response["ShardIterator"]
+
+        LOG.debug("Event source %s has %d shards.", self.source_arn, len(self.shards))
         return shards
 
     def stream_arn_param(self) -> dict:

localstack/services/lambda_/event_source_mapping/pollers/kinesis_poller.py

@@ -84,6 +84,8 @@ class KinesisPoller(StreamPoller):
                 **kwargs,
             )
             shards[shard_id] = get_shard_iterator_response["ShardIterator"]
+
+        LOG.debug("Event source %s has %d shards.", self.source_arn, len(self.shards))
         return shards
 
     def stream_arn_param(self) -> dict:

localstack/services/lambda_/event_source_mapping/pollers/stream_poller.py

@@ -154,7 +154,6 @@ class StreamPoller(Poller):
             LOG.debug("No shards found for %s.", self.source_arn)
             raise EmptyPollResultsException(service=self.event_source(), source_arn=self.source_arn)
         else:
-            LOG.debug("Event source %s has %d shards.", self.source_arn, len(self.shards))
             # Remove all shard batchers without corresponding shards
             for shard_id in self.shard_batcher.keys() - self.shards.keys():
                 self.shard_batcher.pop(shard_id, None)
@@ -185,7 +184,10 @@ class StreamPoller(Poller):
     def poll_events_from_shard(self, shard_id: str, shard_iterator: str):
         get_records_response = self.get_records(shard_iterator)
         records: list[dict] = get_records_response.get("Records", [])
-        next_shard_iterator = get_records_response["NextShardIterator"]
+        if not (next_shard_iterator := get_records_response.get("NextShardIterator")):
+            # If the next shard iterator is None, we can assume the shard is closed or
+            # has expired on the DynamoDB Local server, hence we should re-initialize.
+            self.shards = self.initialize_shards()
 
         # We cannot reliably back-off when no records found since an iterator
         # may have to move multiple times until records are returned.

localstack/services/lambda_/invocation/assignment.py

@@ -86,7 +86,9 @@ class AssignmentService(OtherServiceEndpoint):
         except InvalidStatusException as invalid_e:
             LOG.error("InvalidStatusException: %s", invalid_e)
         except Exception as e:
-            LOG.error("Failed invocation %s", e)
+            LOG.error(
+                "Failed invocation <%s>: %s", type(e), e, exc_info=LOG.isEnabledFor(logging.DEBUG)
+            )
             self.stop_environment(execution_environment)
             raise e
 
@@ -107,7 +109,7 @@ class AssignmentService(OtherServiceEndpoint):
         except EnvironmentStartupTimeoutException:
             raise
         except Exception as e:
-            message = f"Could not start new environment: {e}"
+            message = f"Could not start new environment: {type(e).__name__}:{e}"
             raise AssignmentException(message) from e
         return execution_environment
 

localstack/services/lambda_/invocation/execution_environment.py

@@ -37,10 +37,11 @@ class RuntimeStatus(Enum):
     INACTIVE = auto()
     STARTING = auto()
     READY = auto()
-    RUNNING = auto()
+    INVOKING = auto()
     STARTUP_FAILED = auto()
     STARTUP_TIMED_OUT = auto()
     STOPPED = auto()
+    TIMING_OUT = auto()
 
 
 class InvalidStatusException(Exception):
@@ -246,7 +247,7 @@ class ExecutionEnvironment:
     def release(self) -> None:
         self.last_returned = datetime.now()
         with self.status_lock:
-            if self.status != RuntimeStatus.RUNNING:
+            if self.status != RuntimeStatus.INVOKING:
                 raise InvalidStatusException(
                     f"Execution environment {self.id} can only be set to status ready while running."
                     f" Current status: {self.status}"
@@ -264,7 +265,7 @@ class ExecutionEnvironment:
                     f"Execution environment {self.id} can only be reserved if ready. "
                     f" Current status: {self.status}"
                 )
-            self.status = RuntimeStatus.RUNNING
+            self.status = RuntimeStatus.INVOKING
 
         self.keepalive_timer.cancel()
 
@@ -274,6 +275,17 @@ class ExecutionEnvironment:
             self.id,
             self.function_version.qualified_arn,
         )
+        # The stop() method allows to interrupt invocations (on purpose), which might cancel running invocations
+        # which we should not do when the keepalive timer passed.
+        # The new TIMING_OUT state prevents this race condition
+        with self.status_lock:
+            if self.status != RuntimeStatus.READY:
+                LOG.debug(
+                    "Keepalive timer passed, but current runtime status is %s. Aborting keepalive stop.",
+                    self.status,
+                )
+                return
+            self.status = RuntimeStatus.TIMING_OUT
         self.stop()
         # Notify assignment service via callback to remove from environments list
         self.on_timeout(self.version_manager_id, self.id)
@@ -340,7 +352,7 @@ class ExecutionEnvironment:
         return f"{prefix}{prefixed_logs}"
 
     def invoke(self, invocation: Invocation) -> InvocationResult:
-        assert self.status == RuntimeStatus.RUNNING
+        assert self.status == RuntimeStatus.INVOKING
         # Async/event invokes might miss an aws_trace_header, then we need to create a new root trace id.
         aws_trace_header = (
             invocation.trace_context.get("aws_trace_header") or TraceHeader().ensure_root_exists()

localstack/services/lambda_/invocation/logs.py

@@ -1,13 +1,13 @@
 import dataclasses
 import logging
 import threading
+import time
 from queue import Queue
 from typing import Optional, Union
 
 from localstack.aws.connect import connect_to
 from localstack.utils.aws.client_types import ServicePrincipal
 from localstack.utils.bootstrap import is_api_enabled
-from localstack.utils.cloudwatch.cloudwatch_util import store_cloudwatch_logs
 from localstack.utils.threads import FuncThread
 
 LOG = logging.getLogger(__name__)
@@ -50,10 +50,34 @@ class LogHandler:
             log_item = self.log_queue.get()
             if log_item is QUEUE_SHUTDOWN:
                 return
+            # we need to split by newline - but keep the newlines in the strings
+            # strips empty lines, as they are not accepted by cloudwatch
+            logs = [line + "\n" for line in log_item.logs.split("\n") if line]
+            # until we have a better way to have timestamps, log events have the same time for a single invocation
+            log_events = [
+                {"timestamp": int(time.time() * 1000), "message": log_line} for log_line in logs
+            ]
             try:
-                store_cloudwatch_logs(
-                    logs_client, log_item.log_group, log_item.log_stream, log_item.logs
-                )
+                try:
+                    logs_client.put_log_events(
+                        logGroupName=log_item.log_group,
+                        logStreamName=log_item.log_stream,
+                        logEvents=log_events,
+                    )
+                except logs_client.exceptions.ResourceNotFoundException:
+                    # create new log group
+                    try:
+                        logs_client.create_log_group(logGroupName=log_item.log_group)
+                    except logs_client.exceptions.ResourceAlreadyExistsException:
+                        pass
+                    logs_client.create_log_stream(
+                        logGroupName=log_item.log_group, logStreamName=log_item.log_stream
+                    )
+                    logs_client.put_log_events(
+                        logGroupName=log_item.log_group,
+                        logStreamName=log_item.log_stream,
+                        logEvents=log_events,
+                    )
             except Exception as e:
                 LOG.warning(
                     "Error saving logs to group %s in region %s: %s",

localstack/services/lambda_/provider.py

@@ -223,6 +223,7 @@ from localstack.services.lambda_.runtimes import (
     DEPRECATED_RUNTIMES,
     DEPRECATED_RUNTIMES_UPGRADES,
     RUNTIMES_AGGREGATED,
+    SNAP_START_SUPPORTED_RUNTIMES,
     VALID_RUNTIMES,
 )
 from localstack.services.lambda_.urlrouter import FunctionUrlRouter
@@ -718,6 +719,11 @@ class LambdaProvider(LambdaApi, ServiceLifecycleHook):
                 f"1 validation error detected: Value '{apply_on}' at 'snapStart.applyOn' failed to satisfy constraint: Member must satisfy enum value set: [PublishedVersions, None]"
             )
 
+        if runtime not in SNAP_START_SUPPORTED_RUNTIMES:
+            raise InvalidParameterValueException(
+                f"{runtime} is not supported for SnapStart enabled functions.", Type="User"
+            )
+
     def _validate_layers(self, new_layers: list[str], region: str, account_id: str):
         if len(new_layers) > LAMBDA_LAYERS_LIMIT_PER_FUNCTION:
             raise InvalidParameterValueException(
@@ -1597,10 +1603,19 @@ class LambdaProvider(LambdaApi, ServiceLifecycleHook):
         except ServiceException:
             raise
         except EnvironmentStartupTimeoutException as e:
-            raise LambdaServiceException("Internal error while executing lambda") from e
+            raise LambdaServiceException(
+                f"[{context.request_id}] Timeout while starting up lambda environment for function {function_name}:{qualifier}"
+            ) from e
         except Exception as e:
-            LOG.error("Error while invoking lambda", exc_info=e)
-            raise LambdaServiceException("Internal error while executing lambda") from e
+            LOG.error(
+                "[%s] Error while invoking lambda %s",
+                context.request_id,
+                function_name,
+                exc_info=LOG.isEnabledFor(logging.DEBUG),
+            )
+            raise LambdaServiceException(
+                f"[{context.request_id}] Internal error while executing lambda {function_name}:{qualifier}. Caused by {type(e).__name__}: {e}"
+            ) from e
 
         if invocation_type == InvocationType.Event:
             # This happens when invocation type is event

localstack/services/lambda_/runtimes.py

@@ -59,6 +59,7 @@ IMAGE_MAPPING: dict[Runtime, str] = {
     Runtime.dotnet6: "dotnet:6",
     Runtime.dotnetcore3_1: "dotnet:core3.1",  # deprecated Apr 3, 2023 => Apr 3, 2023 => May 3, 2023
     Runtime.go1_x: "go:1",  # deprecated Jan 8, 2024 => Feb 8, 2024 => Mar 12, 2024
+    Runtime.ruby3_4: "ruby:3.4",
     Runtime.ruby3_3: "ruby:3.3",
     Runtime.ruby3_2: "ruby:3.2",
     Runtime.ruby2_7: "ruby:2.7",  # deprecated Dec 7, 2023 => Jan 9, 2024 => Feb 8, 2024
@@ -133,6 +134,7 @@ RUNTIMES_AGGREGATED = {
     "ruby": [
         Runtime.ruby3_2,
         Runtime.ruby3_3,
+        Runtime.ruby3_4,
     ],
     "dotnet": [
         Runtime.dotnet6,
@@ -149,7 +151,18 @@ TESTED_RUNTIMES: list[Runtime] = [
     runtime for runtime_group in RUNTIMES_AGGREGATED.values() for runtime in runtime_group
 ]
 
+# An unordered list of snapstart-enabled runtimes. Related to snapshots in test_snapstart_exceptions
+# https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html
+SNAP_START_SUPPORTED_RUNTIMES = [
+    Runtime.java11,
+    Runtime.java17,
+    Runtime.java21,
+    Runtime.python3_12,
+    Runtime.python3_13,
+    Runtime.dotnet8,
+]
+
 # An ordered list of all Lambda runtimes considered valid by AWS. Matching snapshots in test_create_lambda_exceptions
-VALID_RUNTIMES: str = "[nodejs20.x, provided.al2023, python3.12, python3.13, nodejs22.x, java17, nodejs16.x, dotnet8, python3.10, java11, python3.11, dotnet6, java21, nodejs18.x, provided.al2, ruby3.3, java8.al2, ruby3.2, python3.8, python3.9]"
+VALID_RUNTIMES: str = "[nodejs20.x, provided.al2023, python3.12, python3.13, nodejs22.x, java17, nodejs16.x, dotnet8, python3.10, java11, python3.11, dotnet6, java21, nodejs18.x, provided.al2, ruby3.3, ruby3.4, java8.al2, ruby3.2, python3.8, python3.9]"
 # An ordered list of all Lambda runtimes for layers considered valid by AWS. Matching snapshots in test_layer_exceptions
-VALID_LAYER_RUNTIMES: str = "[ruby2.6, dotnetcore1.0, python3.7, nodejs8.10, nasa, ruby2.7, python2.7-greengrass, dotnetcore2.0, python3.8, java21, dotnet6, dotnetcore2.1, python3.9, java11, nodejs6.10, provided, dotnetcore3.1, dotnet8, java17, nodejs, nodejs4.3, java8.al2, go1.x, nodejs20.x, go1.9, byol, nodejs10.x, provided.al2023, nodejs22.x, python3.10, java8, nodejs12.x, python3.11, nodejs8.x, python3.12, nodejs14.x, nodejs8.9, python3.13, nodejs16.x, provided.al2, nodejs4.3-edge, nodejs18.x, ruby3.2, python3.4, ruby3.3, ruby2.5, python3.6, python2.7]"
+VALID_LAYER_RUNTIMES: str = "[ruby2.6, dotnetcore1.0, python3.7, nodejs8.10, nasa, ruby2.7, python2.7-greengrass, dotnetcore2.0, python3.8, java21, dotnet6, dotnetcore2.1, python3.9, java11, nodejs6.10, provided, dotnetcore3.1, dotnet8, java25, java17, nodejs, nodejs4.3, java8.al2, go1.x, dotnet10, nodejs20.x, go1.9, byol, nodejs10.x, provided.al2023, nodejs22.x, python3.10, java8, nodejs12.x, python3.11, nodejs24.x, nodejs8.x, python3.12, nodejs14.x, nodejs8.9, python3.13, python3.14, nodejs16.x, provided.al2, nodejs4.3-edge, nodejs18.x, ruby3.2, python3.4, ruby3.3, ruby3.4, ruby2.5, python3.6, python2.7]"

localstack/services/s3/presigned_url.py

@@ -60,7 +60,7 @@ LOG = logging.getLogger(__name__)
 
 SIGNATURE_V2_POST_FIELDS = [
     "signature",
-    "AWSAccessKeyId",
+    "awsaccesskeyid",
 ]
 
 SIGNATURE_V4_POST_FIELDS = [
@@ -768,13 +768,17 @@ def validate_post_policy(
         )
         raise ex
 
-    if not (policy := request_form.get("policy")):
+    form_dict = {k.lower(): v for k, v in request_form.items()}
+
+    policy = form_dict.get("policy")
+    if not policy:
         # A POST request needs a policy except if the bucket is publicly writable
         return
 
     # TODO: this does validation of fields only for now
-    is_v4 = _is_match_with_signature_fields(request_form, SIGNATURE_V4_POST_FIELDS)
-    is_v2 = _is_match_with_signature_fields(request_form, SIGNATURE_V2_POST_FIELDS)
+    is_v4 = _is_match_with_signature_fields(form_dict, SIGNATURE_V4_POST_FIELDS)
+    is_v2 = _is_match_with_signature_fields(form_dict, SIGNATURE_V2_POST_FIELDS)
+
     if not is_v2 and not is_v4:
         ex: AccessDenied = AccessDenied("Access Denied")
         ex.HostId = FAKE_HOST_ID
@@ -784,7 +788,7 @@ def validate_post_policy(
         policy_decoded = json.loads(base64.b64decode(policy).decode("utf-8"))
     except ValueError:
         # this means the policy has been tampered with
-        signature = request_form.get("signature") if is_v2 else request_form.get("x-amz-signature")
+        signature = form_dict.get("signature") if is_v2 else form_dict.get("x-amz-signature")
         credentials = get_credentials_from_parameters(request_form, "us-east-1")
         ex: SignatureDoesNotMatch = create_signature_does_not_match_sig_v2(
             request_signature=signature,
@@ -813,7 +817,6 @@ def validate_post_policy(
         return
 
     conditions = policy_decoded.get("conditions", [])
-    form_dict = {k.lower(): v for k, v in request_form.items()}
     for condition in conditions:
         if not _verify_condition(condition, form_dict, additional_policy_metadata):
             str_condition = str(condition).replace("'", '"')
@@ -896,7 +899,7 @@ def _parse_policy_expiration_date(expiration_string: str) -> datetime.datetime:
 
 
 def _is_match_with_signature_fields(
-    request_form: ImmutableMultiDict, signature_fields: list[str]
+    request_form: dict[str, str], signature_fields: list[str]
 ) -> bool:
     """
     Checks if the form contains at least one of the required fields passed in `signature_fields`
@@ -910,12 +913,13 @@ def _is_match_with_signature_fields(
         for p in signature_fields:
             if p not in request_form:
                 LOG.info("POST pre-sign missing fields")
-                # .capitalize() does not work here, because of AWSAccessKeyId casing
                 argument_name = (
-                    capitalize_header_name_from_snake_case(p)
-                    if "-" in p
-                    else f"{p[0].upper()}{p[1:]}"
+                    capitalize_header_name_from_snake_case(p) if "-" in p else p.capitalize()
                 )
+                # AWSAccessKeyId is a special case
+                if argument_name == "Awsaccesskeyid":
+                    argument_name = "AWSAccessKeyId"
+
                 ex: InvalidArgument = _create_invalid_argument_exc(
                     message=f"Bucket POST must contain a field named '{argument_name}'.  If it is specified, please check the order of the fields.",
                     name=argument_name,

localstack/services/secretsmanager/provider.py

@@ -729,17 +729,28 @@ def backend_rotate_secret(
     if not self._is_valid_identifier(secret_id):
         raise SecretNotFoundException()
 
-    if self.secrets[secret_id].is_deleted():
+    secret = self.secrets[secret_id]
+    if secret.is_deleted():
         raise InvalidRequestException(
             "An error occurred (InvalidRequestException) when calling the RotateSecret operation: You tried to \
             perform the operation on a secret that's currently marked deleted."
         )
+    # Resolve rotation_lambda_arn and fallback to previous value if its missing
+    # from the current request
+    rotation_lambda_arn = rotation_lambda_arn or secret.rotation_lambda_arn
+    if not rotation_lambda_arn:
+        raise InvalidRequestException(
+            "No Lambda rotation function ARN is associated with this secret."
+        )
 
     if rotation_lambda_arn:
         if len(rotation_lambda_arn) > 2048:
             msg = "RotationLambdaARN must <= 2048 characters long."
             raise InvalidParameterException(msg)
 
+    # In case rotation_period is not provided, resolve auto_rotate_after_days
+    # and fallback to previous value if its missing from the current request.
+    rotation_period = secret.auto_rotate_after_days or 0
     if rotation_rules:
         if rotation_days in rotation_rules:
             rotation_period = rotation_rules[rotation_days]
@@ -753,8 +764,6 @@ def backend_rotate_secret(
     except Exception:
         raise ResourceNotFoundException("Lambda does not exist or could not be accessed")
 
-    secret = self.secrets[secret_id]
-
     # The rotation function must end with the versions of the secret in
     # one of two states:
     #
@@ -782,7 +791,7 @@ def backend_rotate_secret(
         pass
 
     secret.rotation_lambda_arn = rotation_lambda_arn
-    secret.auto_rotate_after_days = rotation_rules.get(rotation_days, 0)
+    secret.auto_rotate_after_days = rotation_period
     if secret.auto_rotate_after_days > 0:
         wait_interval_s = int(rotation_period) * 86400
         secret.next_rotation_date = int(time.time()) + wait_interval_s

localstack/services/sqs/models.py

@@ -30,9 +30,9 @@ from localstack.services.sqs.exceptions import (
 )
 from localstack.services.sqs.queue import InterruptiblePriorityQueue, InterruptibleQueue
 from localstack.services.sqs.utils import (
-    decode_receipt_handle,
     encode_move_task_handle,
     encode_receipt_handle,
+    extract_receipt_handle_info,
     global_message_sequence,
     guess_endpoint_strategy_and_host,
     is_message_deduplication_id_required,
@@ -445,7 +445,7 @@ class SqsQueue:
         return len(self.delayed)
 
     def validate_receipt_handle(self, receipt_handle: str):
-        if self.arn != decode_receipt_handle(receipt_handle):
+        if self.arn != extract_receipt_handle_info(receipt_handle).queue_arn:
             raise ReceiptHandleIsInvalid(
                 f'The input receipt handle "{receipt_handle}" is not a valid receipt handle.'
             )
@@ -490,6 +490,7 @@ class SqsQueue:
                 return
 
             standard_message = self.receipts[receipt_handle]
+            self._pre_delete_checks(standard_message, receipt_handle)
             standard_message.deleted = True
             LOG.debug(
                 "deleting message %s from queue %s",
@@ -724,6 +725,18 @@ class SqsQueue:
 
         return expired
 
+    def _pre_delete_checks(self, standard_message: SqsMessage, receipt_handle: str) -> None:
+        """
+        Runs any potential checks if a message that has been successfully identified via a receipt handle
+        is indeed supposed to be deleted.
+        For example, a receipt handle that has expired might not lead to deletion.
+
+        :param standard_message: The message to be deleted
+        :param receipt_handle: The handle associated with the message
+        :return: None. Potential violations raise errors.
+        """
+        pass
+
 
 class StandardQueue(SqsQueue):
     visible: InterruptiblePriorityQueue[SqsMessage]
@@ -1001,9 +1014,15 @@ class FifoQueue(SqsQueue):
         for message in self.delayed:
             message.delay_seconds = value
 
+    def _pre_delete_checks(self, message: SqsMessage, receipt_handle: str) -> None:
+        _, _, _, last_received = extract_receipt_handle_info(receipt_handle)
+        if time.time() - float(last_received) > message.visibility_timeout:
+            raise InvalidParameterValueException(
+                f"Value {receipt_handle} for parameter ReceiptHandle is invalid. Reason: The receipt handle has expired."
+            )
+
     def remove(self, receipt_handle: str):
         self.validate_receipt_handle(receipt_handle)
-        decode_receipt_handle(receipt_handle)
 
         super().remove(receipt_handle)