S3: fix SSE-C parity error message (#12162)

bentsku · web-flow · commit ed8c76e4a23a · 2025-01-22T19:35:13.000+01:00
diff --git a/localstack-core/localstack/services/s3/provider.py b/localstack-core/localstack/services/s3/provider.py
@@ -883,7 +883,9 @@ def get_object(
                     "The correct parameters must be provided to retrieve the object."
                 )
             elif sse_key_hash != sse_c_key_md5:
-                raise AccessDenied("Access Denied")
+                raise AccessDenied(
+                    "Requests specifying Server Side Encryption with Customer provided keys must provide the correct secret key."
+                )
 
         validate_sse_c(
             algorithm=request.get("SSECustomerAlgorithm"),
@@ -1024,7 +1026,9 @@ def head_object(
                     "The correct parameters must be provided to retrieve the object."
                 )
             elif s3_object.sse_key_hash != sse_c_key_md5:
-                raise AccessDenied("Access Denied")
+                raise AccessDenied(
+                    "Requests specifying Server Side Encryption with Customer provided keys must provide the correct secret key."
+                )
 
         validate_sse_c(
             algorithm=request.get("SSECustomerAlgorithm"),
diff --git a/tests/aws/services/s3/test_s3.py b/tests/aws/services/s3/test_s3.py
@@ -11561,13 +11561,6 @@ def test_put_object_validation_sse_c(self, aws_client, s3_bucket, snapshot):
         snapshot.match("put-obj-sse-c-bad-md5", e.value.response)
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=[
-            # TODO: fix error message for SSEC Encryption
-            "$.get-obj-sse-c-no-md5..Message",
-            "$.get-obj-sse-c-wrong-key..Message",
-        ],
-    )
     def test_object_retrieval_sse_c(self, aws_client, s3_bucket, snapshot):
         body = "test_data"
         key_name = "test-sse-c"
@@ -11637,6 +11630,15 @@ def test_object_retrieval_sse_c(self, aws_client, s3_bucket, snapshot):
             )
         snapshot.match("get-obj-sse-c-no-md5", e.value.response)
 
+        with pytest.raises(ClientError) as e:
+            aws_client.s3.head_object(
+                Bucket=s3_bucket,
+                Key=key_name,
+                SSECustomerAlgorithm="AES256",
+                SSECustomerKey=cus_key,
+            )
+        snapshot.match("head-obj-sse-c-no-md5", e.value.response)
+
         with pytest.raises(ClientError) as e:
             bad_key_size = base64.b64encode(self.ENCRYPTION_KEY[:10]).decode("utf-8")
             bad_key_size_md5 = base64.b64encode(
@@ -11919,12 +11921,6 @@ def test_multipart_upload_sse_c_validation(self, aws_client, s3_bucket, snapshot
         # TODO: check complete with wrong parameters, even though it is not required to give them?
 
     @markers.aws.validated
-    @markers.snapshot.skip_snapshot_verify(
-        paths=[
-            # TODO: fix error message for SSEC Encryption
-            "$.get-obj-sse-c-last-version-wrong-key..Message",
-        ],
-    )
     def test_sse_c_with_versioning(self, aws_client, s3_bucket, snapshot):
         snapshot.add_transformer(snapshot.transform.key_value("VersionId"))
         # enable versioning on the bucket
diff --git a/tests/aws/services/s3/test_s3.snapshot.json b/tests/aws/services/s3/test_s3.snapshot.json
@@ -12941,12 +12941,12 @@
     }
   },
   "tests/aws/services/s3/test_s3.py::TestS3SSECEncryption::test_object_retrieval_sse_c": {
-    "recorded-date": "21-01-2025, 18:16:22",
+    "recorded-date": "22-01-2025, 14:21:49",
     "recorded-content": {
       "put-obj-sse-c": {
         "ChecksumCRC32": "qIrZrA==",
         "ChecksumType": "FULL_OBJECT",
-        "ETag": "\"3f1ecdf4a27b54bc3ccafd083183cbc4\"",
+        "ETag": "\"7f021303b8ca8e5af2c5ee7bf1e96a18\"",
         "SSECustomerAlgorithm": "AES256",
         "SSECustomerKeyMD5": "JMwgiexXqwuPqIPjYFmIZQ==",
         "ResponseMetadata": {
@@ -13018,6 +13018,16 @@
           "HTTPStatusCode": 403
         }
       },
+      "head-obj-sse-c-no-md5": {
+        "Error": {
+          "Code": "403",
+          "Message": "Forbidden"
+        },
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 403
+        }
+      },
       "get-obj-sse-c-wrong-key-size": {
         "Error": {
           "ArgumentName": "x-amz-server-side-encryption",
diff --git a/tests/aws/services/s3/test_s3.validation.json b/tests/aws/services/s3/test_s3.validation.json
@@ -798,7 +798,7 @@
     "last_validated_date": "2025-01-21T18:16:43+00:00"
   },
   "tests/aws/services/s3/test_s3.py::TestS3SSECEncryption::test_object_retrieval_sse_c": {
-    "last_validated_date": "2025-01-21T18:16:22+00:00"
+    "last_validated_date": "2025-01-22T14:21:48+00:00"
   },
   "tests/aws/services/s3/test_s3.py::TestS3SSECEncryption::test_put_object_lifecycle_with_sse_c": {
     "last_validated_date": "2025-01-21T18:16:15+00:00"
