Separate SignatureDoesNotMatchError for S3.

2019-07-24 21:01:11 +02:00 · 2019-07-24 21:01:11 +02:00 · d428acdb7c
commit d428acdb7c
parent d471eb69c0
2 changed files with 44 additions and 8 deletions
--- a/moto/core/authentication.py
+++ b/moto/core/authentication.py
@ -13,7 +13,16 @@ from six import string_types
 from moto.iam.models import ACCOUNT_ID, Policy
 from moto.iam import iam_backend
 from moto.core.exceptions import SignatureDoesNotMatchError, AccessDeniedError, InvalidClientTokenIdError, AuthFailureError
-from moto.s3.exceptions import BucketAccessDeniedError, S3AccessDeniedError, BucketInvalidTokenError, S3InvalidTokenError, S3InvalidAccessKeyIdError, BucketInvalidAccessKeyIdError
+from moto.s3.exceptions import (
+    BucketAccessDeniedError,
+    S3AccessDeniedError,
+    BucketInvalidTokenError,
+    S3InvalidTokenError,
+    S3InvalidAccessKeyIdError,
+    BucketInvalidAccessKeyIdError,
+    BucketSignatureDoesNotMatchError,
+    S3SignatureDoesNotMatchError
+)
 from moto.sts import sts_backend

 log = logging.getLogger(__name__)
@ -163,11 +172,9 @@ class IAMRequestBase(object):
        if not permitted:
            self._raise_access_denied()

+    @abstractmethod
    def _raise_signature_does_not_match(self):
-        if self._service == "ec2":
-            raise AuthFailureError()
-        else:
-            raise SignatureDoesNotMatchError()
+        raise NotImplementedError()

    @abstractmethod
    def _raise_access_denied(self):
@ -212,6 +219,12 @@ class IAMRequestBase(object):

 class IAMRequest(IAMRequestBase):

+    def _raise_signature_does_not_match(self):
+        if self._service == "ec2":
+            raise AuthFailureError()
+        else:
+            raise SignatureDoesNotMatchError()
+
    def _raise_invalid_access_key(self, _):
        if self._service == "ec2":
            raise AuthFailureError()
@ -230,8 +243,13 @@ class IAMRequest(IAMRequestBase):

 class S3IAMRequest(IAMRequestBase):

-    def _raise_invalid_access_key(self, reason):
+    def _raise_signature_does_not_match(self):
+        if "BucketName" in self._data:
+            raise BucketSignatureDoesNotMatchError(bucket=self._data["BucketName"])
+        else:
+            raise S3SignatureDoesNotMatchError()

+    def _raise_invalid_access_key(self, reason):
        if reason == "InvalidToken":
            if "BucketName" in self._data:
                raise BucketInvalidTokenError(bucket=self._data["BucketName"])
--- a/moto/s3/exceptions.py
+++ b/moto/s3/exceptions.py
@ -230,7 +230,7 @@ class BucketInvalidTokenError(BucketError):


 class S3InvalidAccessKeyIdError(S3ClientError):
-    code = 400
+    code = 403

    def __init__(self, *args, **kwargs):
        super(S3InvalidAccessKeyIdError, self).__init__(
@ -239,9 +239,27 @@ class S3InvalidAccessKeyIdError(S3ClientError):


 class BucketInvalidAccessKeyIdError(S3ClientError):
-    code = 400
+    code = 403

    def __init__(self, *args, **kwargs):
        super(BucketInvalidAccessKeyIdError, self).__init__(
            'InvalidAccessKeyId',
            "The AWS Access Key Id you provided does not exist in our records.", *args, **kwargs)
+
+
+class S3SignatureDoesNotMatchError(S3ClientError):
+    code = 403
+
+    def __init__(self, *args, **kwargs):
+        super(S3SignatureDoesNotMatchError, self).__init__(
+            'SignatureDoesNotMatch',
+            "The request signature we calculated does not match the signature you provided. Check your key and signing method.", *args, **kwargs)
+
+
+class BucketSignatureDoesNotMatchError(S3ClientError):
+    code = 403
+
+    def __init__(self, *args, **kwargs):
+        super(BucketSignatureDoesNotMatchError, self).__init__(
+            'SignatureDoesNotMatch',
+            "The request signature we calculated does not match the signature you provided. Check your key and signing method.", *args, **kwargs)