Separate SignatureDoesNotMatchError for S3.

moto/core/authentication.py

@@ -13,7 +13,16 @@ from six import string_types
 from moto.iam.models import ACCOUNT_ID, Policy
 from moto.iam import iam_backend
 from moto.core.exceptions import SignatureDoesNotMatchError, AccessDeniedError, InvalidClientTokenIdError, AuthFailureError
-from moto.s3.exceptions import BucketAccessDeniedError, S3AccessDeniedError, BucketInvalidTokenError, S3InvalidTokenError, S3InvalidAccessKeyIdError, BucketInvalidAccessKeyIdError
+from moto.s3.exceptions import (
+    BucketAccessDeniedError,
+    S3AccessDeniedError,
+    BucketInvalidTokenError,
+    S3InvalidTokenError,
+    S3InvalidAccessKeyIdError,
+    BucketInvalidAccessKeyIdError,
+    BucketSignatureDoesNotMatchError,
+    S3SignatureDoesNotMatchError
+)
 from moto.sts import sts_backend
 
 log = logging.getLogger(__name__)
@@ -163,11 +172,9 @@ class IAMRequestBase(object):
         if not permitted:
             self._raise_access_denied()
 
+    @abstractmethod
     def _raise_signature_does_not_match(self):
-        if self._service == "ec2":
+        raise NotImplementedError()
-            raise AuthFailureError()
-        else:
-            raise SignatureDoesNotMatchError()
 
     @abstractmethod
     def _raise_access_denied(self):
@@ -212,6 +219,12 @@ class IAMRequestBase(object):
 
 class IAMRequest(IAMRequestBase):
 
+    def _raise_signature_does_not_match(self):
+        if self._service == "ec2":
+            raise AuthFailureError()
+        else:
+            raise SignatureDoesNotMatchError()
+
     def _raise_invalid_access_key(self, _):
         if self._service == "ec2":
             raise AuthFailureError()
@@ -230,8 +243,13 @@ class IAMRequest(IAMRequestBase):
 
 class S3IAMRequest(IAMRequestBase):
 
-    def _raise_invalid_access_key(self, reason):
+    def _raise_signature_does_not_match(self):
+        if "BucketName" in self._data:
+            raise BucketSignatureDoesNotMatchError(bucket=self._data["BucketName"])
+        else:
+            raise S3SignatureDoesNotMatchError()
 
+    def _raise_invalid_access_key(self, reason):
         if reason == "InvalidToken":
             if "BucketName" in self._data:
                 raise BucketInvalidTokenError(bucket=self._data["BucketName"])

moto/s3/exceptions.py

@@ -230,7 +230,7 @@ class BucketInvalidTokenError(BucketError):
 
 
 class S3InvalidAccessKeyIdError(S3ClientError):
-    code = 400
+    code = 403
 
     def __init__(self, *args, **kwargs):
         super(S3InvalidAccessKeyIdError, self).__init__(
@@ -239,9 +239,27 @@ class S3InvalidAccessKeyIdError(S3ClientError):
 
 
 class BucketInvalidAccessKeyIdError(S3ClientError):
-    code = 400
+    code = 403
 
     def __init__(self, *args, **kwargs):
         super(BucketInvalidAccessKeyIdError, self).__init__(
             'InvalidAccessKeyId',
             "The AWS Access Key Id you provided does not exist in our records.", *args, **kwargs)
+
+
+class S3SignatureDoesNotMatchError(S3ClientError):
+    code = 403
+
+    def __init__(self, *args, **kwargs):
+        super(S3SignatureDoesNotMatchError, self).__init__(
+            'SignatureDoesNotMatch',
+            "The request signature we calculated does not match the signature you provided. Check your key and signing method.", *args, **kwargs)
+
+
+class BucketSignatureDoesNotMatchError(S3ClientError):
+    code = 403
+
+    def __init__(self, *args, **kwargs):
+        super(BucketSignatureDoesNotMatchError, self).__init__(
+            'SignatureDoesNotMatch',
+            "The request signature we calculated does not match the signature you provided. Check your key and signing method.", *args, **kwargs)