Raise error when trying to tag key with duplicated tags

k-a-il · k-a-il · commit 45fee2b034fb · 2025-01-17T15:08:52.000+01:00
diff --git a/localstack-core/localstack/services/kms/exceptions.py b/localstack-core/localstack/services/kms/exceptions.py
@@ -9,3 +9,8 @@ def __init__(self, message: str):
 class AccessDeniedException(CommonServiceException):
     def __init__(self, message: str):
         super().__init__("AccessDeniedException", message, 400, True)
+
+
+class TagException(CommonServiceException):
+    def __init__(self, message=None):
+        super().__init__("TagException", status_code=400, message=message)
diff --git a/localstack-core/localstack/services/kms/models.py b/localstack-core/localstack/services/kms/models.py
@@ -47,7 +47,7 @@
     UnsupportedOperationException,
 )
 from localstack.constants import TAG_KEY_CUSTOM_ID
-from localstack.services.kms.exceptions import ValidationException
+from localstack.services.kms.exceptions import TagException, ValidationException
 from localstack.services.kms.utils import is_valid_key_arn
 from localstack.services.stores import AccountRegionBundle, BaseStore, LocalAttribute
 from localstack.utils.aws.arns import get_partition, kms_alias_arn, kms_key_arn
@@ -561,6 +561,10 @@ def add_tags(self, tags: List) -> None:
         if not tags:
             return
 
+        tag_keys = [tag["TagKey"] for tag in tags]
+        if len(tag_keys) != len(set(tag_keys)):
+            raise TagException("Duplicate tag keys")
+
         # Do not care if we overwrite an existing tag:
         # https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html
         # "To edit a tag, specify an existing tag key and a new tag value."
diff --git a/tests/aws/services/kms/test_kms.py b/tests/aws/services/kms/test_kms.py
@@ -103,6 +103,23 @@ def test_create_key(
         assert f":{region_name}:" in response["Arn"]
         assert f":{account_id}:" in response["Arn"]
 
+    @markers.aws.validated
+    def test_tag_key_with_duplicate_tag_keys_raises_error(
+        self, kms_client_for_region, kms_create_key, snapshot, region_name
+    ):
+        kms_client = kms_client_for_region(region_name)
+        key_id = kms_create_key(
+            region_name=region_name, Description="test key 123", KeyUsage="ENCRYPT_DECRYPT"
+        )["KeyId"]
+
+        tags = [
+            {"TagKey": "tag1", "TagValue": "value1"},
+            {"TagKey": "tag1", "TagValue": "another-value1"},
+        ]
+        with pytest.raises(ClientError) as e:
+            kms_client.tag_resource(KeyId=key_id, Tags=tags)
+        snapshot.match("duplicate-tag-keys", e.value.response)
+
     @markers.aws.only_localstack
     def test_create_key_custom_id(self, kms_create_key, aws_client):
         custom_id = str(uuid.uuid4())
@@ -987,47 +1004,6 @@ def test_get_put_list_key_policies(self, kms_create_key, aws_client, account_id)
         key_policy = aws_client.kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
         assert json.dumps(json.loads(key_policy)) == policy_two
 
-    @markers.aws.validated
-    def test_tag_untag_list_tags(self, kms_create_key, aws_client):
-        def _create_tag(key):
-            return {"TagKey": key, "TagValue": short_uid()}
-
-        def _are_tags_there(tags, key_id):
-            if not tags:
-                return True
-            next_token = None
-            while True:
-                kwargs = {"nextToken": next_token} if next_token else {}
-                response = aws_client.kms.list_resource_tags(KeyId=key_id, **kwargs)
-                for response_tag in response["Tags"]:
-                    for i in range(len(tags)):
-                        if response_tag.get("TagKey") == tags[i].get("TagKey") and response_tag.get(
-                            "TagValue"
-                        ) == tags[i].get("TagValue"):
-                            del tags[i]
-                            if not tags:
-                                return True
-                            break
-                if "nextToken" not in response:
-                    break
-                next_token = response["nextToken"]
-            return False
-
-        old_tag_one = _create_tag("one")
-        new_tag_one = _create_tag("one")
-        tag_two = _create_tag("two")
-        tag_three = _create_tag("three")
-
-        key_id = kms_create_key(Tags=[old_tag_one, tag_two])["KeyId"]
-        assert _are_tags_there([old_tag_one, tag_two], key_id) is True
-        # Going to rewrite one of the tags and then add a new one.
-        aws_client.kms.tag_resource(KeyId=key_id, Tags=[new_tag_one, tag_three])
-        assert _are_tags_there([new_tag_one, tag_two, tag_three], key_id) is True
-        assert _are_tags_there([old_tag_one], key_id) is False
-        aws_client.kms.untag_resource(KeyId=key_id, TagKeys=[new_tag_one.get("TagKey")])
-        assert _are_tags_there([tag_two, tag_three], key_id) is True
-        assert _are_tags_there([new_tag_one], key_id) is False
-
     @markers.aws.validated
     def test_cant_use_disabled_or_deleted_keys(self, kms_create_key, aws_client):
         key_id = kms_create_key(KeySpec="SYMMETRIC_DEFAULT", KeyUsage="ENCRYPT_DECRYPT")["KeyId"]
diff --git a/tests/aws/services/kms/test_kms.snapshot.json b/tests/aws/services/kms/test_kms.snapshot.json
@@ -1793,5 +1793,21 @@
         }
       }
     }
+  },
+  "tests/aws/services/kms/test_kms.py::TestKMS::test_tag_key_with_duplicate_tag_keys_raises_error": {
+    "recorded-date": "17-01-2025, 13:35:08",
+    "recorded-content": {
+      "duplicate-tag-keys": {
+        "Error": {
+          "Code": "TagException",
+          "Message": "Duplicate tag keys"
+        },
+        "message": "Duplicate tag keys",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 400
+        }
+      }
+    }
   }
 }
diff --git a/tests/aws/services/kms/test_kms.validation.json b/tests/aws/services/kms/test_kms.validation.json
@@ -38,6 +38,9 @@
   "tests/aws/services/kms/test_kms.py::TestKMS::test_disable_and_enable_key": {
     "last_validated_date": "2024-04-11T15:52:38+00:00"
   },
+  "tests/aws/services/kms/test_kms.py::TestKMS::test_tag_key_with_duplicate_tag_keys_raises_error": {
+    "last_validated_date": "2025-01-17T13:35:08+00:00"
+  },
   "tests/aws/services/kms/test_kms.py::TestKMS::test_encrypt_decrypt[RSA_2048-RSAES_OAEP_SHA_256]": {
     "last_validated_date": "2024-04-11T15:53:19+00:00"
   },

Original file line number	Diff line number	Diff line change
`@@ -1793,5 +1793,21 @@`
`1793`	`1793`	`}`
`1794`	`1794`	`}`
`1795`	`1795`	`}`
	`1796`	`+ },`
	`1797`	`+ "tests/aws/services/kms/test_kms.py::TestKMS::test_tag_key_with_duplicate_tag_keys_raises_error": {`
	`1798`	`+ "recorded-date": "17-01-2025, 13:35:08",`
	`1799`	`+ "recorded-content": {`
	`1800`	`+ "duplicate-tag-keys": {`
	`1801`	`+ "Error": {`
	`1802`	`+ "Code": "TagException",`
	`1803`	`+ "Message": "Duplicate tag keys"`
	`1804`	`+ },`
	`1805`	`+ "message": "Duplicate tag keys",`
	`1806`	`+ "ResponseMetadata": {`
	`1807`	`+ "HTTPHeaders": {},`
	`1808`	`+ "HTTPStatusCode": 400`
	`1809`	`+ }`
	`1810`	`+ }`
	`1811`	`+ }`
`1796`	`1812`	`}`
`1797`	`1813`	`}`