Skip to content

Commit ed8c76e

Browse files
authored
S3: fix SSE-C parity error message (#12162)
1 parent e5e74db commit ed8c76e

File tree

4 files changed

+28
-18
lines changed

4 files changed

+28
-18
lines changed

localstack-core/localstack/services/s3/provider.py

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -883,7 +883,9 @@ def get_object(
883883
"The correct parameters must be provided to retrieve the object."
884884
)
885885
elif sse_key_hash != sse_c_key_md5:
886-
raise AccessDenied("Access Denied")
886+
raise AccessDenied(
887+
"Requests specifying Server Side Encryption with Customer provided keys must provide the correct secret key."
888+
)
887889

888890
validate_sse_c(
889891
algorithm=request.get("SSECustomerAlgorithm"),
@@ -1024,7 +1026,9 @@ def head_object(
10241026
"The correct parameters must be provided to retrieve the object."
10251027
)
10261028
elif s3_object.sse_key_hash != sse_c_key_md5:
1027-
raise AccessDenied("Access Denied")
1029+
raise AccessDenied(
1030+
"Requests specifying Server Side Encryption with Customer provided keys must provide the correct secret key."
1031+
)
10281032

10291033
validate_sse_c(
10301034
algorithm=request.get("SSECustomerAlgorithm"),

tests/aws/services/s3/test_s3.py

Lines changed: 9 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -11561,13 +11561,6 @@ def test_put_object_validation_sse_c(self, aws_client, s3_bucket, snapshot):
1156111561
snapshot.match("put-obj-sse-c-bad-md5", e.value.response)
1156211562

1156311563
@markers.aws.validated
11564-
@markers.snapshot.skip_snapshot_verify(
11565-
paths=[
11566-
# TODO: fix error message for SSEC Encryption
11567-
"$.get-obj-sse-c-no-md5..Message",
11568-
"$.get-obj-sse-c-wrong-key..Message",
11569-
],
11570-
)
1157111564
def test_object_retrieval_sse_c(self, aws_client, s3_bucket, snapshot):
1157211565
body = "test_data"
1157311566
key_name = "test-sse-c"
@@ -11637,6 +11630,15 @@ def test_object_retrieval_sse_c(self, aws_client, s3_bucket, snapshot):
1163711630
)
1163811631
snapshot.match("get-obj-sse-c-no-md5", e.value.response)
1163911632

11633+
with pytest.raises(ClientError) as e:
11634+
aws_client.s3.head_object(
11635+
Bucket=s3_bucket,
11636+
Key=key_name,
11637+
SSECustomerAlgorithm="AES256",
11638+
SSECustomerKey=cus_key,
11639+
)
11640+
snapshot.match("head-obj-sse-c-no-md5", e.value.response)
11641+
1164011642
with pytest.raises(ClientError) as e:
1164111643
bad_key_size = base64.b64encode(self.ENCRYPTION_KEY[:10]).decode("utf-8")
1164211644
bad_key_size_md5 = base64.b64encode(
@@ -11919,12 +11921,6 @@ def test_multipart_upload_sse_c_validation(self, aws_client, s3_bucket, snapshot
1191911921
# TODO: check complete with wrong parameters, even though it is not required to give them?
1192011922

1192111923
@markers.aws.validated
11922-
@markers.snapshot.skip_snapshot_verify(
11923-
paths=[
11924-
# TODO: fix error message for SSEC Encryption
11925-
"$.get-obj-sse-c-last-version-wrong-key..Message",
11926-
],
11927-
)
1192811924
def test_sse_c_with_versioning(self, aws_client, s3_bucket, snapshot):
1192911925
snapshot.add_transformer(snapshot.transform.key_value("VersionId"))
1193011926
# enable versioning on the bucket

tests/aws/services/s3/test_s3.snapshot.json

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12941,12 +12941,12 @@
1294112941
}
1294212942
},
1294312943
"tests/aws/services/s3/test_s3.py::TestS3SSECEncryption::test_object_retrieval_sse_c": {
12944-
"recorded-date": "21-01-2025, 18:16:22",
12944+
"recorded-date": "22-01-2025, 14:21:49",
1294512945
"recorded-content": {
1294612946
"put-obj-sse-c": {
1294712947
"ChecksumCRC32": "qIrZrA==",
1294812948
"ChecksumType": "FULL_OBJECT",
12949-
"ETag": "\"3f1ecdf4a27b54bc3ccafd083183cbc4\"",
12949+
"ETag": "\"7f021303b8ca8e5af2c5ee7bf1e96a18\"",
1295012950
"SSECustomerAlgorithm": "AES256",
1295112951
"SSECustomerKeyMD5": "JMwgiexXqwuPqIPjYFmIZQ==",
1295212952
"ResponseMetadata": {
@@ -13018,6 +13018,16 @@
1301813018
"HTTPStatusCode": 403
1301913019
}
1302013020
},
13021+
"head-obj-sse-c-no-md5": {
13022+
"Error": {
13023+
"Code": "403",
13024+
"Message": "Forbidden"
13025+
},
13026+
"ResponseMetadata": {
13027+
"HTTPHeaders": {},
13028+
"HTTPStatusCode": 403
13029+
}
13030+
},
1302113031
"get-obj-sse-c-wrong-key-size": {
1302213032
"Error": {
1302313033
"ArgumentName": "x-amz-server-side-encryption",

tests/aws/services/s3/test_s3.validation.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -798,7 +798,7 @@
798798
"last_validated_date": "2025-01-21T18:16:43+00:00"
799799
},
800800
"tests/aws/services/s3/test_s3.py::TestS3SSECEncryption::test_object_retrieval_sse_c": {
801-
"last_validated_date": "2025-01-21T18:16:22+00:00"
801+
"last_validated_date": "2025-01-22T14:21:48+00:00"
802802
},
803803
"tests/aws/services/s3/test_s3.py::TestS3SSECEncryption::test_put_object_lifecycle_with_sse_c": {
804804
"last_validated_date": "2025-01-21T18:16:15+00:00"

0 commit comments

Comments
 (0)