localstack · bentsku · Aug 9, 2022 · Aug 2, 2022 · Aug 4, 2022 · Aug 5, 2022
diff --git a/localstack/services/sns/provider.py b/localstack/services/sns/provider.py
@@ -463,6 +463,15 @@ def publish_batch(
                 raise InvalidParameterException(
                     "Invalid parameter: The MessageGroupId parameter is required for FIFO topics"
                 )
+            moto_sns_backend = moto_sns_backends[context.region]
+            if moto_sns_backend.get_topic(arn=topic_arn).content_based_deduplication == "false":
+                if not all(
8000
+                    ["MessageDeduplicationId" in entry for entry in publish_batch_request_entries]
+                ):
+                    raise InvalidParameterException(
+                        "Invalid parameter: The topic should either have ContentBasedDeduplication enabled or MessageDeduplicationId provided explicitly",
+                    )
+
         response = {"Successful": [], "Failed": []}
         for entry in publish_batch_request_entries:
             message_id = str(uuid.uuid4())
@@ -499,9 +508,7 @@ def set_subscription_attributes(
     ) -> None:
         sub = get_subscription_by_arn(subscription_arn)
         if not sub:
-            raise NotFoundException(
-                f"Unable to find subscription for given ARN: {subscription_arn}"
-            )
+            raise NotFoundException("Subscription does not exist")
         sub[attribute_name] = attribute_value
 
     def confirm_subscription(
@@ -663,7 +670,7 @@ def publish(
         if topic_arn and ".fifo" in topic_arn:
             if not message_group_id:
                 raise InvalidParameterException(
-                    "The MessageGroupId parameter is required for FIFO topics",
+                    "Invalid parameter: The MessageGroupId parameter is required for FIFO topics",
                 )
             moto_sns_backend = moto_sns_backends[context.region]
             if moto_sns_backend.get_topic(arn=topic_arn).content_based_deduplication == "false":
@@ -730,7 +737,7 @@ def subscribe(
             )
         if ".fifo" in endpoint and ".fifo" not in topic_arn:
             raise InvalidParameterException(
-                "FIFO SQS Queues can not be subscribed to standard SNS topics"
+                "Invalid parameter: Invalid parameter: Endpoint Reason: FIFO SQS Queues can not be subscribed to standard SNS topics"
             )
         moto_response = call_moto(context)
         subscription_arn = moto_response.get("SubscriptionArn")
@@ -1167,6 +1174,7 @@ def create_sns_message_body(
         "Timestamp": timestamp_millis(),
         "SignatureVersion": "1",
         # TODO Add a more sophisticated solution with an actual signature
+        #  check KMS for providing real cert and how to serve them
         # Hardcoded
         "Signature": "EXAMPLEpH+..",
         "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-0000000000000000000000.pem",

diff --git a/localstack/testing/snapshots/transformer_utility.py b/localstack/testing/snapshots/transformer_utility.py
@@ -176,17 +176,42 @@ def sqs_api():
             TransformerUtility.key_value("SenderId"),
             TransformerUtility.jsonpath("$..MessageAttributes.RequestID.StringValue", "request-id"),
             KeyValueBasedTransformer(_resource_name_transformer, "resource"),
-            KeyValueBasedTransformer(_signing_cert_url_token_transformer, replacement="token"),
+        ]
+
+    @staticmethod
+    def sns_api():
+        """
+        :return: array with Transformers, for sns api.
+        """
+        return [
+            TransformerUtility.key_value("ReceiptHandle"),
+            TransformerUtility.key_value("SequenceNumber"),  # this might need to be in SQS
+            TransformerUtility.key_value(
+                "Signature", value_replacement="<signature>", reference_replacement=False
+            ),
+            # the body of SNS messages contains a timestamp, need to ignore the hash
+            TransformerUtility.key_value("MD5OfBody", "<md5-hash>", reference_replacement=False),
+            # this can interfere in ARN with the accountID
+            TransformerUtility.key_value(
+                "SenderId", value_replacement="<sender-id>", reference_replacement=False
+            ),
             KeyValueBasedTransformer(
-                _sns_pem_file_token_transformer, replacement="signing-cert-file"
+                _sns_pem_file_token_transformer,
+                replacement="signing-cert-file",
             ),
-            # replaces the domain in "UnsubscribeURL"
-            TransformerUtility.regex(
-                re.compile(
-                    r"(?<=UnsubscribeURL[\"|']:\s[\"|'])(https?.*?)(?=/\?Action=Unsubscribe)"
-                ),
+            # replaces the domain in "UnsubscribeURL" URL (KeyValue won't work as it replaces reference, and if
+            # replace_reference is False, then it replaces the whole key
+            # this will be able to use a KeyValue based once we provide a certificate for message signing in SNS
+            # a match must be made case-insensitive because the key casing is different from lambda notifications
+            RegexTransformer(
+                r"(?<=(?i)UnsubscribeURL[\"|']:\s[\"|'])(https?.*?)(?=/\?Action=Unsubscribe)",
                 replacement="<unsubscribe-domain>",
             ),
+            KeyValueBasedTransformer(_resource_name_transformer, "resource"),
+            # add a special transformer with 'resource' replacement for SubscriptionARN in UnsubscribeURL
+            KeyValueBasedTransformer(
+                _sns_unsubscribe_url_subscription_arn_transformer, replacement="resource"
+            ),
         ]
 
     @staticmethod
@@ -220,15 +245,15 @@ def secretsmanager_secret_id_arn(create_secret_res: CreateSecretResponse, index:
 
 
 def _sns_pem_file_token_transformer(key: str, val: str) -> str:
-    if isinstance(val, str) and key == "SigningCertURL":
-        pattern = re.compile(r".*SimpleNotificationService-(.*)?\.pem")
+    if isinstance(val, str) and key.lower() == "SigningCertURL".lower():
+        pattern = re.compile(r".*SimpleNotificationService-(.*\.pem)")
         match = re.match(pattern, val)
         if match:
             return match.groups()[0]
 
 
-def _signing_cert_url_token_transformer(key: str, val: str) -> str:
-    if isinstance(val, str) and key == "UnsubscribeURL":
+def _sns_unsubscribe_url_subscription_arn_transformer(key: str, val: str) -> str:
+    if isinstance(val, str) and key.lower() == "UnsubscribeURL".lower():
         pattern = re.compile(r".*(?<=\?Action=Unsubscribe&SubscriptionArn=).*:(.*)")
         match = re.match(pattern, val)
         if match:

diff --git a/tests/integration/s3/test_s3_notifications_sns.py b/tests/integration/s3/test_s3_notifications_sns.py
@@ -110,14 +110,9 @@ def test_object_created_put(
         snapshot,
     ):
         snapshot.add_transformer(snapshot.transform.sqs_api())
+        snapshot.add_transformer(snapshot.transform.sns_api())
         snapshot.add_transformer(snapshot.transform.s3_api())
-        snapshot.add_transformer(
-            snapshot.transform.jsonpath(
-                "$..Signature",
-                "signature",
-                reference_replacement=False,
-            ),
-        )
+
         bucket_name = s3_create_bucket()
         topic_arn = sns_create_topic()["TopicArn"]
         queue_url = sqs_create_queue()

diff --git a/tests/integration/s3/test_s3_notifications_sns.snapshot.json b/tests/integration/s3/test_s3_notifications_sns.snapshot.json
@@ -1,6 +1,6 @@
 {
   "tests/integration/s3/test_s3_notifications_sns.py::TestS3NotificationsToSns::test_object_created_put": {
-    "recorded-date": "08-08-2022, 17:51:20",
+    "recorded-date": "09-08-2022, 11:38:05",
     "recorded-content": {
       "receive_messages": {
         "messages": [
@@ -44,14 +44,14 @@
               ]
             },
             "MessageId": "<uuid:1>",
-            "Signature": "signature",
+            "Signature": "<signature>",
             "SignatureVersion": "1",
-            "SigningCertURL": "https://sns.<region>.amazonaws.com/SimpleNotificationService-<signing-cert-file:1>.pem",
+            "SigningCertURL": "https://sns.<region>.amazonaws.com/SimpleNotificationService-<signing-cert-file:1>",
             "Subject": "Amazon S3 Notification",
             "Timestamp": "date",
             "TopicArn": "arn:aws:sns:<region>:111111111111:<resource:2>",
             "Type": "Notification",
-            "UnsubscribeURL": "<unsubscribe-domain>/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:<region>:111111111111:<resource:2>:<token:1>"
+            "UnsubscribeURL": "<unsubscribe-domain>/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:<region>:111111111111:<resource:2>:<resource:3>"
           },
           {
             "Message": {
@@ -93,14 +93,14 @@
               ]
             },
             "MessageId": "<uuid:2>",
-            "Signature": "signature",
+            "Signature": "<signature>",
             "SignatureVersion": "1",
-            "SigningCertURL": "https://sns.<region>.amazonaws.com/SimpleNotificationService-<signing-cert-file:1>.pem",
+            "SigningCertURL": "https://sns.<region>.amazonaws.com/SimpleNotificationService-<signing-cert-file:1>",
             "Subject": "Amazon S3 Notification",
             "Timestamp": "date",
             "TopicArn": "arn:aws:sns:<region>:111111111111:<resource:2>",
             "Type": "Notification",
-            "UnsubscribeURL": "<unsubscribe-domain>/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:<region>:111111111111:<resource:2>:<token:1>"
+            "UnsubscribeURL": "<unsubscribe-domain>/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:<region>:111111111111:<resource:2>:<resource:3>"
           }
         ]
       }