fix(secretsmanager,dynamodb,s3,sns,iam): AWS-correct error codes/status (bug-hunt LOW)#2291
Merged
Conversation
…us (bug-hunt LOW) - SecretsManager GetRandomPassword: over-long PasswordLength returned `InvalidParameterValue`; AWS uses `InvalidParameterException` (the sibling under-length branch already did). Both branches now carry a real message. - DynamoDB GetResourcePolicy (no policy attached) returned HTTP 404; awsJson1.0 client errors are always HTTP 400 with the type in the body. - S3 UploadPart partNumber < 1 was masked as 404 NoSuchUpload; an out-of-range partNumber is 400 InvalidArgument, matching the > 10000 branch. - SNS Publish Subject length was measured in bytes; AWS caps it at 100 *characters*, so a multibyte subject was wrongly rejected. Count chars. - STS length/range validation leaked the awsJson `ValidationException` code through the shared validator; STS speaks awsQuery and must emit `ValidationError`. Added STS-local wrappers that re-stamp the code (shared helper unchanged, so awsJson services keep `ValidationException`). Tests: SM over-long code; DDB 400 status; S3 partNumber-0 InvalidArgument/400 (existing test updated off the old NoSuchUpload behavior); SNS 100-char multibyte subject accepted / 101 rejected; STS length violation -> ValidationError.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Five low-severity but wire-visible error-shape divergences from the 2026-07-15 bug hunt. Each is a negative-path response that a strict client / conformance-minded user would see differ from AWS.
GetRandomPassword— over-longPasswordLengthreturnedInvalidParameterValue; AWS usesInvalidParameterException(the under-length branch already did). Both branches now carry a real message instead of echoing the code.GetResourcePolicy(no policy attached) — returned HTTP 404; awsJson1.0 client errors are always HTTP 400 with the error type in the body.UploadPart—partNumber < 1was masked as 404NoSuchUpload; an out-of-range part number is 400InvalidArgument, matching the existing> 10000branch.PublishSubject — length measured in bytes; AWS caps Subject at 100 characters, so a multibyte subject was wrongly rejected. Now counts chars.ValidationExceptioncode through the sharedfakecloud_core::validationhelpers; STS speaks the awsQuery protocol and must emitValidationError. Added STS-local wrappers that re-stamp the code and message; the shared helper is untouched, so awsJson services keepValidationException.Test plan
cargo test -p fakecloud-secretsmanager --lib test_get_random_password_too_long— assertsInvalidParameterException.cargo test -p fakecloud-dynamodb --lib resource_policy_lifecycle— assertsPolicyNotFoundException+ HTTP 400.cargo test -p fakecloud-s3 --lib upload_part_rejects_invalid_part_number— partNumber 0 nowInvalidArgument/400 (test updated off oldNoSuchUpload).cargo test -p fakecloud-sns --lib publish_subject_length_counts_characters_not_bytes— 100-char multibyte accepted, 101 rejected.cargo test -p fakecloud-iam --lib assume_role_length_violation_uses_query_protocol_error_code— STS length violation →ValidationError.cargo clippy --tests -- -D warningsclean on all five crates.No API surface / SDK / docs change (error-response shapes only).
Summary by cubic
Align error codes and HTTP statuses with AWS across SecretsManager, DynamoDB, S3, SNS, and STS. Fixes wire-visible negative-path responses without changing APIs.
fakecloud-secretsmanager: GetRandomPassword over-long PasswordLength now returns InvalidParameterException with a clear message (was InvalidParameterValue).fakecloud-dynamodb: GetResourcePolicy (no policy) now returns HTTP 400 PolicyNotFoundException (was 404).fakecloud-s3: UploadPart partNumber out of range (<1 or >10000) now returns HTTP 400 InvalidArgument (was 404 NoSuchUpload for <1).fakecloud-sns: Publish Subject length validated by characters, not bytes; 100 chars allowed, 101 rejected.fakecloud-iam(STS): length/range validation now surfaces ValidationError for awsQuery; added local wrappers so awsJson services keep ValidationException.Written for commit 62cb1cd. Summary will update on new commits.