Raise errors on tagging buckets with aws:*

Cannot tag S3 buckets with reserved tag key space `aws:`
2020-03-30 17:23:33 -07:00 · 2020-03-30 17:23:33 -07:00 · 0c191ac33b
commit 0c191ac33b
parent acfdfb7d7c
3 changed files with 33 additions and 0 deletions
--- a/moto/s3/exceptions.py
+++ b/moto/s3/exceptions.py
@ -368,3 +368,12 @@ class WrongPublicAccessBlockAccountIdError(S3ClientError):
        super(WrongPublicAccessBlockAccountIdError, self).__init__(
            "AccessDenied", "Access Denied"
        )
+
+
+class NoSystemTags(S3ClientError):
+    code = 400
+
+    def __init__(self):
+        super(NoSystemTags, self).__init__(
+            "InvalidTag", "System tags cannot be added/updated by requester"
+        )
--- a/moto/s3/responses.py
+++ b/moto/s3/responses.py
@ -34,6 +34,7 @@ from .exceptions import (
    InvalidNotificationARN,
    InvalidNotificationEvent,
    ObjectNotInActiveTierError,
+    NoSystemTags,
 )
 from .models import (
    s3_backend,
@ -1399,6 +1400,11 @@ class ResponseObject(_TemplateEnvironmentMixin, ActionAuthenticatorMixin):
                for tag in parsed_xml["Tagging"]["TagSet"]["Tag"]:
                    tags.append(FakeTag(tag["Key"], tag["Value"]))

+        # Verify that "aws:" is not in the tags. If so, then this is a problem:
+        for tag in tags:
+            if tag.key.startswith("aws:"):
+                raise NoSystemTags()
+
        tag_set = FakeTagSet(tags)
        tagging = FakeTagging(tag_set)
        return tagging