localstack-core 4.7.1.dev139__py3-none-any.whl → 4.10.1.dev7__py3-none-any.whl

localstack/services/s3/presigned_url.py

@@ -40,14 +40,13 @@ from localstack.http.request import get_raw_path
 from localstack.services.s3.constants import (
     DEFAULT_PRE_SIGNED_ACCESS_KEY_ID,
     DEFAULT_PRE_SIGNED_SECRET_ACCESS_KEY,
+    S3_HOST_ID,
     SIGNATURE_V2_PARAMS,
     SIGNATURE_V4_PARAMS,
 )
 from localstack.services.s3.utils import (
-    S3_VIRTUAL_HOST_FORWARDED_HEADER,
     capitalize_header_name_from_snake_case,
     extract_bucket_name_and_key_from_headers_and_path,
-    forwarded_from_virtual_host_addressed_request,
     is_bucket_name_valid,
     is_presigned_url_request,
     uses_host_addressing,
@@ -85,8 +84,6 @@ IGNORED_SIGV4_HEADERS = [
     "x-amz-content-sha256",
 ]
 
-FAKE_HOST_ID = "9Gjjt1m+cjU4OPvX9O9/8RuvnG41MRb/18Oux2o5H5MY7ISNTlXN+Dz9IG62/ILVxhAGI0qyPfg="
-
 HOST_COMBINATION_REGEX = r"^(.*)(:[\d]{0,6})"
 PORT_REPLACEMENT = [":80", ":443", f":{config.GATEWAY_LISTEN[0].port}", ""]
 
@@ -156,7 +153,7 @@ def create_signature_does_not_match_sig_v2(
         "The request signature we calculated does not match the signature you provided. Check your key and signing method."
     )
     ex.AWSAccessKeyId = access_key_id
-    ex.HostId = FAKE_HOST_ID
+    ex.HostId = S3_HOST_ID
     ex.SignatureProvided = request_signature
     ex.StringToSign = string_to_sign
     ex.StringToSignBytes = to_bytes(string_to_sign).hex(sep=" ", bytes_per_sep=2).upper()
@@ -299,7 +296,7 @@ def is_valid_sig_v2(query_args: set) -> bool:
             LOG.info("Presign signature calculation failed")
             raise AccessDenied(
                 "Query-string authentication requires the Signature, Expires and AWSAccessKeyId parameters",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
         return True
@@ -317,7 +314,7 @@ def is_valid_sig_v4(query_args: set) -> bool:
             LOG.info("Presign signature calculation failed")
             raise AuthorizationQueryParametersError(
                 "Query-string authentication version 4 requires the X-Amz-Algorithm, X-Amz-Credential, X-Amz-Signature, X-Amz-Date, X-Amz-SignedHeaders, and X-Amz-Expires parameters.",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
         return True
@@ -351,7 +348,7 @@ def validate_presigned_url_s3(context: RequestContext) -> None:
             )
         else:
             raise AccessDenied(
-                "Request has expired", HostId=FAKE_HOST_ID, Expires=expires, ServerTime=time.time()
+                "Request has expired", HostId=S3_HOST_ID, Expires=expires, ServerTime=time.time()
             )
 
     auth_signer = HmacV1QueryAuthValidation(credentials=signing_credentials, expires=expires)
@@ -450,7 +447,7 @@ def validate_presigned_url_s3v4(context: RequestContext) -> None:
         else:
             raise AccessDenied(
                 "There were headers present in the request which were not signed",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
                 HeadersNotSigned=", ".join(sigv4_context.missing_signed_headers),
             )
 
@@ -482,7 +479,7 @@ def validate_presigned_url_s3v4(context: RequestContext) -> None:
         else:
             raise AccessDenied(
                 "Request has expired",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
                 Expires=expiration_time.timestamp(),
                 ServerTime=time.time(),
                 X_Amz_Expires=x_amz_expires,
@@ -568,34 +565,21 @@ class S3SigV4SignatureContext:
             self._query_parameters
         )
 
-        if forwarded_from_virtual_host_addressed_request(self._headers):
-            # FIXME: maybe move this so it happens earlier in the chain when using virtual host?
-            if not is_bucket_name_valid(self._bucket):
-                raise InvalidBucketName(BucketName=self._bucket)
-            netloc = self._headers.get(S3_VIRTUAL_HOST_FORWARDED_HEADER)
-            self.host = netloc
-            self._original_host = netloc
-            self.signed_headers["host"] = netloc
-            # the request comes from the Virtual Host router, we need to remove the bucket from the path
+        netloc = urlparse.urlparse(self.request.url).netloc
+        self.host = netloc
+        self._original_host = netloc
+        if (host_addressed := uses_host_addressing(self._headers)) and not is_bucket_name_valid(
+            self._bucket
+        ):
+            raise InvalidBucketName(BucketName=self._bucket)
+
+        if not host_addressed and not self.request.path.startswith(f"/{self._bucket}"):
+            # if in path style, check that the path starts with the bucket
+            # our path has been sanitized, we should use the un-sanitized one
             splitted_path = self.request.path.split("/", maxsplit=2)
-            self.path = f"/{splitted_path[-1]}"
-
+            self.path = f"/{self._bucket}/{splitted_path[-1]}"
         else:
-            netloc = urlparse.urlparse(self.request.url).netloc
-            self.host = netloc
-            self._original_host = netloc
-            if (host_addressed := uses_host_addressing(self._headers)) and not is_bucket_name_valid(
-                self._bucket
-            ):
-                raise InvalidBucketName(BucketName=self._bucket)
-
-            if not host_addressed and not self.request.path.startswith(f"/{self._bucket}"):
-                # if in path style, check that the path starts with the bucket
-                # our path has been sanitized, we should use the un-sanitized one
-                splitted_path = self.request.path.split("/", maxsplit=2)
-                self.path = f"/{self._bucket}/{splitted_path[-1]}"
-            else:
-                self.path = self.request.path
+            self.path = self.request.path
 
         # we need to URL encode the path, as the key needs to be urlencoded for the signature to match
         self.path = urlparse.quote(self.path)
@@ -714,7 +698,7 @@ class S3SigV4SignatureContext:
         if not (split_creds := credential.split("/")) or len(split_creds) != 5:
             raise AuthorizationQueryParametersError(
                 'Error parsing the X-Amz-Credential parameter; the Credential is mal-formed; expecting "<YOUR-AKID>/YYYYMMDD/REGION/SERVICE/aws4_request".',
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
         return split_creds[2]
@@ -775,7 +759,7 @@ def validate_post_policy(
             "Bucket POST must contain a field named 'key'.  If it is specified, please check the order of the fields.",
             ArgumentName="key",
             ArgumentValue="",
-            HostId=FAKE_HOST_ID,
+            HostId=S3_HOST_ID,
         )
 
     form_dict = {k.lower(): v for k, v in request_form.items()}
@@ -791,7 +775,7 @@ def validate_post_policy(
 
     if not is_v2 and not is_v4:
         ex: AccessDenied = AccessDenied("Access Denied")
-        ex.HostId = FAKE_HOST_ID
+        ex.HostId = S3_HOST_ID
         raise ex
 
     try:
@@ -810,7 +794,7 @@ def validate_post_policy(
     if expiration := policy_decoded.get("expiration"):
         if is_expired(_parse_policy_expiration_date(expiration)):
             ex: AccessDenied = AccessDenied("Invalid according to Policy: Policy expired.")
-            ex.HostId = FAKE_HOST_ID
+            ex.HostId = S3_HOST_ID
             raise ex
 
     # TODO: validate the signature
@@ -832,7 +816,7 @@ def validate_post_policy(
             str_condition = str(condition).replace("'", '"')
             raise AccessDenied(
                 f"Invalid according to Policy: Policy Condition failed: {str_condition}",
-                HostId=FAKE_HOST_ID,
+                HostId=S3_HOST_ID,
             )
 
 
@@ -885,7 +869,7 @@ def _verify_condition(condition: list | dict, form: dict, additional_policy_meta
                     "Your proposed upload exceeds the maximum allowed size",
                     ProposedSize=size,
                     MaxSizeAllowed=end,
-                    HostId=FAKE_HOST_ID,
+                    HostId=S3_HOST_ID,
                 )
             else:
                 return True
@@ -934,7 +918,7 @@ def _is_match_with_signature_fields(
                     f"Bucket POST must contain a field named '{argument_name}'.  If it is specified, please check the order of the fields.",
                     ArgumentName=argument_name,
                     ArgumentValue="",
-                    HostId=FAKE_HOST_ID,
+                    HostId=S3_HOST_ID,
                 )
 
         return True

localstack/services/s3/provider.py

@@ -1,4 +1,5 @@
 import base64
+import contextlib
 import copy
 import datetime
 import json
@@ -8,6 +9,7 @@ from collections import defaultdict
 from inspect import signature
 from io import BytesIO
 from operator import itemgetter
+from threading import RLock
 from typing import IO
 from urllib import parse as urlparse
 from zoneinfo import ZoneInfo
@@ -23,6 +25,7 @@ from localstack.aws.api.s3 import (
     AccountId,
     AnalyticsConfiguration,
     AnalyticsId,
+    AuthorizationHeaderMalformed,
     BadDigest,
     Body,
     Bucket,
@@ -235,6 +238,7 @@ from localstack.services.s3.constants import (
     ARCHIVES_STORAGE_CLASSES,
     CHECKSUM_ALGORITHMS,
     DEFAULT_BUCKET_ENCRYPTION,
+    S3_HOST_ID,
 )
 from localstack.services.s3.cors import S3CorsHandler, s3_cors_request_handler
 from localstack.services.s3.exceptions import (
@@ -277,6 +281,7 @@ from localstack.services.s3.utils import (
     get_canned_acl,
     get_class_attrs_from_spec_class,
     get_failed_precondition_copy_source,
+    get_failed_upload_part_copy_source_preconditions,
     get_full_default_bucket_location,
     get_kms_key_arn,
     get_lifecycle_rule_from_object,
@@ -337,6 +342,8 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         self._storage_backend = storage_backend or EphemeralS3ObjectStore(DEFAULT_S3_TMP_DIR)
         self._notification_dispatcher = NotificationDispatcher()
         self._cors_handler = S3CorsHandler(BucketCorsIndex())
+        # TODO: add lock for keys for PutObject, only way to support precondition writes for versioned buckets
+        self._preconditions_locks = defaultdict(lambda: defaultdict(RLock))
 
         # runtime cache of Lifecycle Expiration headers, as they need to be calculated everytime we fetch an object
         # in case the rules have changed
@@ -381,7 +388,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         """
         if s3_bucket.notification_configuration:
             if not s3_notif_ctx:
-                s3_notif_ctx = S3EventNotificationContext.from_request_context_native(
+                s3_notif_ctx = S3EventNotificationContext.from_request_context(
                     context,
                     s3_bucket=s3_bucket,
                     s3_object=s3_object,
@@ -469,6 +476,16 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         context: RequestContext,
         request: CreateBucketRequest,
     ) -> CreateBucketOutput:
+        if context.region == "aws-global":
+            # TODO: extend this logic to probably all the provider, and maybe all services. S3 is the most impacted
+            #  right now so this will help users to properly set a region in their config
+            # See the `TestS3.test_create_bucket_aws_global` test
+            raise AuthorizationHeaderMalformed(
+                f"The authorization header is malformed; the region 'aws-global' is wrong; expecting '{AWS_REGION_US_EAST_1}'",
+                HostId=S3_HOST_ID,
+                Region=AWS_REGION_US_EAST_1,
+            )
+
         bucket_name = request["Bucket"]
 
         if not is_bucket_name_valid(bucket_name):
@@ -577,6 +594,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         store.global_bucket_map.pop(bucket)
         self._cors_handler.invalidate_cache()
         self._expiration_cache.pop(bucket, None)
+        self._preconditions_locks.pop(bucket, None)
         # clean up the storage backend
         self._storage_backend.delete_bucket(bucket)
 
@@ -636,6 +654,16 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         expected_bucket_owner: AccountId = None,
         **kwargs,
     ) -> HeadBucketOutput:
+        if context.region == "aws-global":
+            # TODO: extend this logic to probably all the provider, and maybe all services. S3 is the most impacted
+            #  right now so this will help users to properly set a region in their config
+            # See the `TestS3.test_create_bucket_aws_global` test
+            raise AuthorizationHeaderMalformed(
+                f"The authorization header is malformed; the region 'aws-global' is wrong; expecting '{AWS_REGION_US_EAST_1}'",
+                HostId=S3_HOST_ID,
+                Region=AWS_REGION_US_EAST_1,
+            )
+
         store = self.get_store(context.account_id, context.region)
         if not (s3_bucket := store.buckets.get(bucket)):
             if not (account_id := store.global_bucket_map.get(bucket)):
@@ -727,6 +755,12 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             system_metadata["ContentType"] = "binary/octet-stream"
 
         version_id = generate_version_id(s3_bucket.versioning_status)
+        if version_id != "null":
+            # if we are in a versioned bucket, we need to lock around the full key (all the versions)
+            # because object versions have locks per version
+            precondition_lock = self._preconditions_locks[bucket_name][key]
+        else:
+            precondition_lock = contextlib.nullcontext()
 
         etag_content_md5 = ""
         if content_md5 := request.get("ContentMD5"):
@@ -809,7 +843,10 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 if encodings:
                     s3_object.system_metadata["ContentEncoding"] = ",".join(encodings)
 
-        with self._storage_backend.open(bucket_name, s3_object, mode="w") as s3_stored_object:
+        with (
+            precondition_lock,
+            self._storage_backend.open(bucket_name, s3_object, mode="w") as s3_stored_object,
+        ):
             # as we are inside the lock here, if multiple concurrent requests happen for the same object, it's the first
             # one to finish to succeed, and subsequent will raise exceptions. Once the first write finishes, we're
             # opening the lock and other requests can check this condition
@@ -1248,7 +1285,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             delete_marker_id = generate_version_id(s3_bucket.versioning_status)
             delete_marker = S3DeleteMarker(key=key, version_id=delete_marker_id)
             s3_bucket.objects.set(key, delete_marker)
-            s3_notif_ctx = S3EventNotificationContext.from_request_context_native(
+            s3_notif_ctx = S3EventNotificationContext.from_request_context(
                 context,
                 s3_bucket=s3_bucket,
                 s3_object=delete_marker,
@@ -1281,6 +1318,10 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             store.TAGS.tags.pop(get_unique_key_id(bucket, key, version_id), None)
         self._notify(context, s3_bucket=s3_bucket, s3_object=s3_object)
 
+        if key not in s3_bucket.objects:
+            # we clean up keys that do not have any object versions in them anymore
+            self._preconditions_locks[bucket].pop(key, None)
+
         return response
 
     def delete_objects(
@@ -1314,6 +1355,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         errors = []
 
         to_remove = []
+        versioned_keys = set()
         for to_delete_object in objects:
             object_key = to_delete_object.get("Key")
             version_id = to_delete_object.get("VersionId")
@@ -1351,7 +1393,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 delete_marker_id = generate_version_id(s3_bucket.versioning_status)
                 delete_marker = S3DeleteMarker(key=object_key, version_id=delete_marker_id)
                 s3_bucket.objects.set(object_key, delete_marker)
-                s3_notif_ctx = S3EventNotificationContext.from_request_context_native(
+                s3_notif_ctx = S3EventNotificationContext.from_request_context(
                     context,
                     s3_bucket=s3_bucket,
                     s3_object=delete_marker,
@@ -1394,6 +1436,8 @@ class S3Provider(S3Api, ServiceLifecycleHook):
                 continue
 
             s3_bucket.objects.pop(object_key=object_key, version_id=version_id)
+            versioned_keys.add(object_key)
+
             if not quiet:
                 deleted_object = DeletedObject(
                     Key=object_key,
@@ -1411,6 +1455,11 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             self._notify(context, s3_bucket=s3_bucket, s3_object=found_object)
             store.TAGS.tags.pop(get_unique_key_id(bucket, object_key, version_id), None)
 
+        for versioned_key in versioned_keys:
+            # we clean up keys that do not have any object versions in them anymore
+            if versioned_key not in s3_bucket.objects:
+                self._preconditions_locks[bucket].pop(versioned_key, None)
+
         # TODO: request charged
         self._storage_backend.remove(bucket, to_remove)
         response: DeleteObjectsOutput = {}
@@ -2179,7 +2228,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         # TODO: add a way to transition from ongoing-request=true to false? for now it is instant
         s3_object.restore = f'ongoing-request="false", expiry-date="{restore_expiration_date}"'
 
-        s3_notif_ctx_initiated = S3EventNotificationContext.from_request_context_native(
+        s3_notif_ctx_initiated = S3EventNotificationContext.from_request_context(
             context,
             s3_bucket=s3_bucket,
             s3_object=s3_object,
@@ -2483,10 +2532,6 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         request: UploadPartCopyRequest,
     ) -> UploadPartCopyOutput:
         # TODO: handle following parameters:
-        #  CopySourceIfMatch: Optional[CopySourceIfMatch]
-        #  CopySourceIfModifiedSince: Optional[CopySourceIfModifiedSince]
-        #  CopySourceIfNoneMatch: Optional[CopySourceIfNoneMatch]
-        #  CopySourceIfUnmodifiedSince: Optional[CopySourceIfUnmodifiedSince]
         #  SSECustomerAlgorithm: Optional[SSECustomerAlgorithm]
         #  SSECustomerKey: Optional[SSECustomerKey]
         #  SSECustomerKeyMD5: Optional[SSECustomerKeyMD5]
@@ -2549,6 +2594,14 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         if source_range:
             range_data = parse_copy_source_range_header(source_range, src_s3_object.size)
 
+        if precondition := get_failed_upload_part_copy_source_preconditions(
+            request, src_s3_object.last_modified, src_s3_object.etag
+        ):
+            raise PreconditionFailed(
+                "At least one of the pre-conditions you specified did not hold",
+                Condition=precondition,
+            )
+
         s3_part = S3Part(part_number=part_number)
         if s3_multipart.checksum_algorithm:
             s3_part.checksum_algorithm = s3_multipart.checksum_algorithm
@@ -2622,6 +2675,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
             )
 
         elif if_none_match:
+            # TODO: improve concurrency mechanism for `if_none_match` and `if_match`
             if if_none_match != "*":
                 raise NotImplementedException(
                     "A header you provided implies functionality that is not implemented",
@@ -3293,7 +3347,7 @@ class S3Provider(S3Api, ServiceLifecycleHook):
 
         s3_object = s3_bucket.get_object(key=key, version_id=version_id, http_method="DELETE")
 
-        store.TAGS.tags.pop(get_unique_key_id(bucket, key, version_id), None)
+        store.TAGS.tags.pop(get_unique_key_id(bucket, key, s3_object.version_id), None)
         response = DeleteObjectTaggingOutput()
         if s3_object.version_id:
             response["VersionId"] = s3_object.version_id
@@ -3854,7 +3908,9 @@ class S3Provider(S3Api, ServiceLifecycleHook):
         if retention and retention["RetainUntilDate"] < datetime.datetime.now(datetime.UTC):
             # weirdly, this date is format as following: Tue Dec 31 16:00:00 PST 2019
             # it contains the timezone as PST, even if you target a bucket in Europe or Asia
-            pst_datetime = retention["RetainUntilDate"].astimezone(tz=ZoneInfo("US/Pacific"))
+            pst_datetime = retention["RetainUntilDate"].astimezone(
+                tz=ZoneInfo("America/Los_Angeles")
+            )
             raise InvalidArgument(
                 "The retain until date must be in the future!",
                 ArgumentName="RetainUntilDate",

localstack/services/s3/utils.py

@@ -7,6 +7,7 @@ import logging
 import re
 import time
 import zlib
+from collections.abc import Mapping
 from enum import StrEnum
 from secrets import token_bytes
 from typing import Any, Literal, NamedTuple, Protocol
@@ -50,6 +51,7 @@ from localstack.aws.api.s3 import (
     SSEKMSKeyId,
     TaggingHeader,
     TagSet,
+    UploadPartCopyRequest,
     UploadPartRequest,
 )
 from localstack.aws.api.s3 import Type as GranteeType
@@ -62,7 +64,6 @@ from localstack.services.s3.constants import (
     AUTHENTICATED_USERS_ACL_GRANTEE,
     CHECKSUM_ALGORITHMS,
     LOG_DELIVERY_ACL_GRANTEE,
-    S3_VIRTUAL_HOST_FORWARDED_HEADER,
     SIGNATURE_V2_PARAMS,
     SIGNATURE_V4_PARAMS,
     SYSTEM_METADATA_SETTABLE_HEADERS,
@@ -403,6 +404,45 @@ def parse_copy_source_range_header(copy_source_range: str, object_size: int) ->
     )
 
 
+def get_failed_upload_part_copy_source_preconditions(
+    request: UploadPartCopyRequest, last_modified: datetime.datetime, etag: ETag
+) -> str | None:
+    """
+    Utility which parses the conditions from a S3 UploadPartCopy request.
+    Note: The order in which these conditions are checked if used in conjunction matters
+
+    :param UploadPartCopyRequest request: The S3 UploadPartCopy request.
+    :param datetime last_modified: The time the source object was last modified.
+    :param ETag etag: The ETag of the source object.
+
+    :returns: The name of the failed precondition.
+    """
+    if_match = request.get("CopySourceIfMatch")
+    if_none_match = request.get("CopySourceIfNoneMatch")
+    if_unmodified_since = request.get("CopySourceIfUnmodifiedSince")
+    if_modified_since = request.get("CopySourceIfModifiedSince")
+
+    if if_match:
+        if if_match.strip('"') != etag.strip('"'):
+            return "x-amz-copy-source-If-Match"
+        if if_modified_since and if_modified_since > last_modified:
+            return "x-amz-copy-source-If-Modified-Since"
+        # CopySourceIfMatch is unaffected by CopySourceIfUnmodifiedSince so return early
+        if if_unmodified_since:
+            return None
+
+    if if_unmodified_since and if_unmodified_since < last_modified:
+        return "x-amz-copy-source-If-Unmodified-Since"
+
+    if if_none_match and if_none_match.strip('"') == etag.strip('"'):
+        return "x-amz-copy-source-If-None-Match"
+
+    if if_modified_since and last_modified < if_modified_since < datetime.datetime.now(
+        tz=_gmt_zone_info
+    ):
+        return "x-amz-copy-source-If-Modified-Since"
+
+
 def get_full_default_bucket_location(bucket_name: BucketName) -> str:
     host_definition = localstack_host()
     if host_definition.host != constants.LOCALHOST_HOSTNAME:
@@ -482,7 +522,7 @@ def is_valid_canonical_id(canonical_id: str) -> bool:
         return False
 
 
-def uses_host_addressing(headers: dict[str, str]) -> str | None:
+def uses_host_addressing(headers: Mapping[str, str]) -> str | None:
     """
     Determines if the request is targeting S3 with virtual host addressing
     :param headers: the request headers
@@ -511,15 +551,6 @@ def get_system_metadata_from_request(request: dict) -> Metadata:
     return metadata
 
 
-def forwarded_from_virtual_host_addressed_request(headers: dict[str, str]) -> bool:
-    """
-    Determines if the request was forwarded from a v-host addressing style into a path one
-    """
-    # we can assume that the host header we are receiving here is actually the header we originally received
-    # from the client (because the edge service is forwarding the request in memory)
-    return S3_VIRTUAL_HOST_FORWARDED_HEADER in headers
-
-
 def extract_bucket_name_and_key_from_headers_and_path(
     headers: dict[str, str], path: str
 ) -> tuple[str | None, str | None]:

localstack/services/ses/provider.py

@@ -8,7 +8,6 @@ from datetime import UTC, date, datetime, time
 from typing import TYPE_CHECKING, Any
 
 from botocore.exceptions import ClientError
-from moto.core.parsers import XFormedDict
 from moto.ses import ses_backends
 from moto.ses.models import SESBackend
 
@@ -183,6 +182,8 @@ class SesProvider(SesApi, ServiceLifecycleHook):
     #
 
     def on_after_init(self):
+        self._apply_patches()
+
         # Allow sent emails to be retrieved from the SES emails endpoint
         register_ses_api_resource()
 
@@ -198,6 +199,12 @@ class SesProvider(SesApi, ServiceLifecycleHook):
                 return entity.replace("From:", "").strip()
         return None
 
+    def _apply_patches(self) -> None:
+        # Suppress Moto's validation of receipt rule actions. These validations use Moto's implementation of S3, Lambda
+        # and SQS, which fail because these services have been internalised in LocalStack.
+        # Besides, AWS does not run the same validations as evidenced by our AWS-validated tests.
+        SESBackend._validate_receipt_rule_actions = lambda *_: None
+
     #
     # Implementations for SES operations
     #
@@ -518,8 +525,10 @@ class SesProvider(SesApi, ServiceLifecycleHook):
         backend.create_receipt_rule_set(rule_set_name)
         original_rule_set = backend.describe_receipt_rule_set(original_rule_set_name)
 
+        after = None
         for rule in original_rule_set.rules:
-            backend.create_receipt_rule(rule_set_name, rule)
+            backend.create_receipt_rule(rule_set_name, rule, after)
+            after = rule["Name"]
 
         return CloneReceiptRuleSetResponse()
 
@@ -548,7 +557,7 @@ class SesProvider(SesApi, ServiceLifecycleHook):
             )
 
         backend = get_ses_backend(context)
-        if identity not in backend.addresses:
+        if identity not in backend.email_identities:
             raise MessageRejected(f"Identity {identity} is not verified or does not exist.")
 
         # Store the setting in the backend
@@ -678,7 +687,7 @@ class SNSEmitter:
 def notify_event_destinations(
     context: RequestContext,
     # FIXME: Moto stores the Event Destinations as a single value when it should be a list
-    event_destinations: XFormedDict,
+    event_destinations: EventDestination | list[EventDestination],
     payload: EventDestinationPayload,
     email_type: EmailType,
 ):
@@ -688,14 +697,14 @@ def notify_event_destinations(
         event_destinations = [event_destinations]
 
     for event_destination in event_destinations:
-        if not event_destination["enabled"]:
+        if not event_destination["Enabled"]:
             continue
 
-        sns_destination_arn = event_destination.get("sns_destination", {}).get("topic_arn")
+        sns_destination_arn = event_destination.get("SNSDestination", {}).get("TopicARN")
         if not sns_destination_arn:
             continue
 
-        matching_event_types = event_destination.get("matching_event_types") or []
+        matching_event_types = event_destination.get("MatchingEventTypes") or []
         if EventType.send in matching_event_types:
             emitter.emit_send_event(
                 payload, sns_destination_arn, emit_source_arn=email_type != EmailType.TEMPLATED

localstack/services/sns/constants.py

@@ -1,5 +1,8 @@
 import re
 from string import ascii_letters, digits
+from typing import get_args
+
+from localstack.services.sns.v2.models import SnsApplicationPlatforms
 
 SNS_PROTOCOLS = [
     "http",
@@ -13,7 +16,7 @@ SNS_PROTOCOLS = [
     "firehose",
 ]
 
-VALID_SUBSCRIPTION_ATTR_NAME = [
+VALID_SUBSCRIPTION_ATTR_NAME: list[str] = [
     "DeliveryPolicy",
     "FilterPolicy",
     "FilterPolicyScope",
@@ -39,3 +42,6 @@ SUBSCRIPTION_TOKENS_ENDPOINT = "/_aws/sns/subscription-tokens"
 SNS_CERT_ENDPOINT = "/_aws/sns/SimpleNotificationService-6c6f63616c737461636b69736e696365.pem"
 
 DUMMY_SUBSCRIPTION_PRINCIPAL = "arn:{partition}:iam::{account_id}:user/DummySNSPrincipal"
+E164_REGEX = re.compile(r"^\+?[1-9]\d{1,14}$")
+
+VALID_APPLICATION_PLATFORMS = list(get_args(SnsApplicationPlatforms))