Skip to content

fix(secretsmanager,dynamodb,s3,sns,iam): AWS-correct error codes/status (bug-hunt LOW)#2291

Merged
vieiralucas merged 1 commit into
mainfrom
bh-errs
Jul 16, 2026
Merged

fix(secretsmanager,dynamodb,s3,sns,iam): AWS-correct error codes/status (bug-hunt LOW)#2291
vieiralucas merged 1 commit into
mainfrom
bh-errs

Conversation

@vieiralucas

@vieiralucas vieiralucas commented Jul 16, 2026

Copy link
Copy Markdown
Member

Summary

Five low-severity but wire-visible error-shape divergences from the 2026-07-15 bug hunt. Each is a negative-path response that a strict client / conformance-minded user would see differ from AWS.

  • SecretsManager GetRandomPassword — over-long PasswordLength returned InvalidParameterValue; AWS uses InvalidParameterException (the under-length branch already did). Both branches now carry a real message instead of echoing the code.
  • DynamoDB GetResourcePolicy (no policy attached) — returned HTTP 404; awsJson1.0 client errors are always HTTP 400 with the error type in the body.
  • S3 UploadPartpartNumber < 1 was masked as 404 NoSuchUpload; an out-of-range part number is 400 InvalidArgument, matching the existing > 10000 branch.
  • SNS Publish Subject — length measured in bytes; AWS caps Subject at 100 characters, so a multibyte subject was wrongly rejected. Now counts chars.
  • STS length/range validation — leaked the awsJson ValidationException code through the shared fakecloud_core::validation helpers; STS speaks the awsQuery protocol and must emit ValidationError. Added STS-local wrappers that re-stamp the code and message; the shared helper is untouched, so awsJson services keep ValidationException.

Test plan

  • cargo test -p fakecloud-secretsmanager --lib test_get_random_password_too_long — asserts InvalidParameterException.
  • cargo test -p fakecloud-dynamodb --lib resource_policy_lifecycle — asserts PolicyNotFoundException + HTTP 400.
  • cargo test -p fakecloud-s3 --lib upload_part_rejects_invalid_part_number — partNumber 0 now InvalidArgument/400 (test updated off old NoSuchUpload).
  • cargo test -p fakecloud-sns --lib publish_subject_length_counts_characters_not_bytes — 100-char multibyte accepted, 101 rejected.
  • cargo test -p fakecloud-iam --lib assume_role_length_violation_uses_query_protocol_error_code — STS length violation → ValidationError.
  • cargo clippy --tests -- -D warnings clean on all five crates.

No API surface / SDK / docs change (error-response shapes only).


Summary by cubic

Align error codes and HTTP statuses with AWS across SecretsManager, DynamoDB, S3, SNS, and STS. Fixes wire-visible negative-path responses without changing APIs.

  • Bug Fixes
    • fakecloud-secretsmanager: GetRandomPassword over-long PasswordLength now returns InvalidParameterException with a clear message (was InvalidParameterValue).
    • fakecloud-dynamodb: GetResourcePolicy (no policy) now returns HTTP 400 PolicyNotFoundException (was 404).
    • fakecloud-s3: UploadPart partNumber out of range (<1 or >10000) now returns HTTP 400 InvalidArgument (was 404 NoSuchUpload for <1).
    • fakecloud-sns: Publish Subject length validated by characters, not bytes; 100 chars allowed, 101 rejected.
    • fakecloud-iam (STS): length/range validation now surfaces ValidationError for awsQuery; added local wrappers so awsJson services keep ValidationException.

Written for commit 62cb1cd. Summary will update on new commits.

Review in cubic

…us (bug-hunt LOW)

- SecretsManager GetRandomPassword: over-long PasswordLength returned
  `InvalidParameterValue`; AWS uses `InvalidParameterException` (the sibling
  under-length branch already did). Both branches now carry a real message.
- DynamoDB GetResourcePolicy (no policy attached) returned HTTP 404; awsJson1.0
  client errors are always HTTP 400 with the type in the body.
- S3 UploadPart partNumber < 1 was masked as 404 NoSuchUpload; an out-of-range
  partNumber is 400 InvalidArgument, matching the > 10000 branch.
- SNS Publish Subject length was measured in bytes; AWS caps it at 100
  *characters*, so a multibyte subject was wrongly rejected. Count chars.
- STS length/range validation leaked the awsJson `ValidationException` code
  through the shared validator; STS speaks awsQuery and must emit
  `ValidationError`. Added STS-local wrappers that re-stamp the code (shared
  helper unchanged, so awsJson services keep `ValidationException`).

Tests: SM over-long code; DDB 400 status; S3 partNumber-0 InvalidArgument/400
(existing test updated off the old NoSuchUpload behavior); SNS 100-char
multibyte subject accepted / 101 rejected; STS length violation -> ValidationError.
@vieiralucas vieiralucas requested a review from Copilot July 16, 2026 00:58

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@vieiralucas vieiralucas merged commit 1a2268b into main Jul 16, 2026
155 checks passed
@vieiralucas vieiralucas deleted the bh-errs branch July 16, 2026 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants