Skip to main content

fakecloud_cloudfront/
functions_service.rs

1//! Handlers for CloudFront Batch 3 resources: Functions, Public Keys,
2//! Key Groups, Key Value Stores, Origin Access Identities (legacy),
3//! Monitoring Subscriptions.
4
5use base64::Engine;
6use chrono::Utc;
7use http::header::ETAG;
8use http::{HeaderMap, StatusCode};
9use uuid::Uuid;
10
11use fakecloud_core::service::{AwsRequest, AwsResponse, AwsServiceError};
12
13use crate::functions::{
14    CloudFrontOriginAccessIdentityConfig, FunctionConfig, ImportSource, KeyGroupConfig,
15    MonitoringSubscriptionBody, PublicKeyConfig, StoredFunction, StoredKeyGroup,
16    StoredKeyValueStore, StoredMonitoringSubscription, StoredOriginAccessIdentity, StoredPublicKey,
17};
18use crate::policies::{
19    not_found, precondition_failed, require_if_match, rfc3339, route_id, xml_with_etag,
20};
21use crate::router::Route;
22use crate::service::{
23    aws_error, esc, generate_id_with_prefix, invalid_argument, xml_response, CloudFrontService,
24    DEFAULT_ACCOUNT,
25};
26use crate::xml_io;
27
28const NS: &str = crate::NAMESPACE;
29const XML_DECL: &str = r#"<?xml version="1.0" encoding="UTF-8"?>"#;
30
31// ─── CloudFront Functions ─────────────────────────────────────────────
32
33impl CloudFrontService {
34    pub(crate) fn create_function(&self, req: &AwsRequest) -> Result<AwsResponse, AwsServiceError> {
35        // Body shape: <CreateFunctionRequest><Name/><FunctionConfig/><FunctionCode/></CreateFunctionRequest>
36        let parsed: CreateFunctionRequest = xml_io::from_xml_root(&req.body)
37            .map_err(|e| invalid_argument(format!("invalid CreateFunctionRequest XML: {e}")))?;
38        if parsed.name.is_empty() {
39            return Err(invalid_argument("CreateFunctionRequest.Name is required"));
40        }
41
42        let mut state = self.state.write();
43        let account = state
44            .accounts
45            .entry(DEFAULT_ACCOUNT.to_string())
46            .or_default();
47        if account.functions.contains_key(&parsed.name) {
48            return Err(aws_error(
49                StatusCode::CONFLICT,
50                "FunctionAlreadyExists",
51                format!("Function {} already exists", parsed.name),
52            ));
53        }
54        let now = Utc::now();
55        let etag = generate_id_with_prefix("E");
56        let function_arn = format!(
57            "arn:aws:cloudfront::{}:function/{}",
58            DEFAULT_ACCOUNT, parsed.name
59        );
60        let stored = StoredFunction {
61            name: parsed.name.clone(),
62            etag: etag.clone(),
63            status: "UNPUBLISHED".to_string(),
64            stage: "DEVELOPMENT".to_string(),
65            function_arn: function_arn.clone(),
66            created_time: now,
67            last_modified_time: now,
68            config: parsed.function_config,
69            function_code: parsed.function_code,
70            // No published snapshot until PublishFunction is called.
71            live_function_code: None,
72        };
73        account
74            .functions
75            .insert(parsed.name.clone(), stored.clone());
76        drop(state);
77
78        let body = render_function_summary(&stored, "CreateFunctionResult");
79        Ok(xml_with_etag(StatusCode::CREATED, body, &etag, None))
80    }
81
82    pub(crate) fn describe_function(
83        &self,
84        req: &AwsRequest,
85        route: &Route,
86    ) -> Result<AwsResponse, AwsServiceError> {
87        let name = route_id(route, "Function")?;
88        let stage = parse_stage_query(&req.raw_query);
89        let state = self.state.read();
90        let f = state
91            .accounts
92            .get(DEFAULT_ACCOUNT)
93            .and_then(|a| a.functions.get(&name).cloned())
94            .ok_or_else(|| not_found("Function", &name))?;
95        drop(state);
96        let view = stage_view(&f, &stage);
97        let body = render_function_summary(&view, "DescribeFunctionResult");
98        Ok(xml_with_etag(StatusCode::OK, body, &view.etag, None))
99    }
100
101    pub(crate) fn get_function(
102        &self,
103        req: &AwsRequest,
104        route: &Route,
105    ) -> Result<AwsResponse, AwsServiceError> {
106        let name = route_id(route, "Function")?;
107        let stage = parse_stage_query(&req.raw_query);
108        let state = self.state.read();
109        let f = state
110            .accounts
111            .get(DEFAULT_ACCOUNT)
112            .and_then(|a| a.functions.get(&name).cloned())
113            .ok_or_else(|| not_found("Function", &name))?;
114        drop(state);
115        let view = stage_view(&f, &stage);
116        let mut headers = HeaderMap::new();
117        headers.insert(ETAG, view.etag.parse().unwrap());
118        let bytes = base64::engine::general_purpose::STANDARD
119            .decode(view.function_code.as_bytes())
120            .unwrap_or_default();
121        Ok(AwsResponse {
122            status: StatusCode::OK,
123            headers,
124            content_type: "application/octet-stream".to_string(),
125            body: fakecloud_core::service::ResponseBody::Bytes(bytes::Bytes::from(bytes)),
126        })
127    }
128
129    pub(crate) fn update_function(
130        &self,
131        req: &AwsRequest,
132        route: &Route,
133    ) -> Result<AwsResponse, AwsServiceError> {
134        let name = route_id(route, "Function")?;
135        let if_match = require_if_match(req)?;
136        let parsed: UpdateFunctionRequest = xml_io::from_xml_root(&req.body)
137            .map_err(|e| invalid_argument(format!("invalid UpdateFunctionRequest XML: {e}")))?;
138        let mut state = self.state.write();
139        let account = state
140            .accounts
141            .get_mut(DEFAULT_ACCOUNT)
142            .ok_or_else(|| not_found("Function", &name))?;
143        let f = account
144            .functions
145            .get_mut(&name)
146            .ok_or_else(|| not_found("Function", &name))?;
147        if f.etag != if_match {
148            return Err(precondition_failed());
149        }
150        f.config = parsed.function_config;
151        f.function_code = parsed.function_code;
152        f.etag = generate_id_with_prefix("E");
153        f.last_modified_time = Utc::now();
154        f.status = "UNPUBLISHED".to_string();
155        f.stage = "DEVELOPMENT".to_string();
156        let snap = f.clone();
157        drop(state);
158        let body = render_function_summary(&snap, "UpdateFunctionResult");
159        // SDK has a known typo on UpdateFunctionOutput: it deserializes
160        // the etag from header `ETtag`, not `ETag`. Send both so any
161        // SDK version can read it.
162        let mut headers = HeaderMap::new();
163        if let Ok(v) = http::HeaderValue::from_str(&snap.etag) {
164            headers.insert(ETAG, v.clone());
165            headers.insert("ETtag", v);
166        }
167        Ok(xml_response(StatusCode::OK, body, headers))
168    }
169
170    pub(crate) fn delete_function(
171        &self,
172        req: &AwsRequest,
173        route: &Route,
174    ) -> Result<AwsResponse, AwsServiceError> {
175        let name = route_id(route, "Function")?;
176        let if_match = require_if_match(req)?;
177        let mut state = self.state.write();
178        let account = state
179            .accounts
180            .get_mut(DEFAULT_ACCOUNT)
181            .ok_or_else(|| not_found("Function", &name))?;
182        let f = account
183            .functions
184            .get(&name)
185            .ok_or_else(|| not_found("Function", &name))?;
186        if f.etag != if_match {
187            return Err(precondition_failed());
188        }
189        account.functions.remove(&name);
190        drop(state);
191        Ok(crate::policies::empty(StatusCode::NO_CONTENT))
192    }
193
194    pub(crate) fn list_functions(&self, req: &AwsRequest) -> Result<AwsResponse, AwsServiceError> {
195        let stage = validate_stage_query(&req.raw_query)?;
196        let state = self.state.read();
197        let mut items: Vec<StoredFunction> = state
198            .accounts
199            .get(DEFAULT_ACCOUNT)
200            .map(|a| a.functions.values().cloned().collect())
201            .unwrap_or_default();
202        drop(state);
203        items.sort_by(|a, b| a.name.cmp(&b.name));
204
205        let mut body = String::with_capacity(512);
206        body.push_str(XML_DECL);
207        body.push_str(&format!("<FunctionList xmlns=\"{NS}\">"));
208        body.push_str("<Marker></Marker>");
209        body.push_str("<MaxItems>100</MaxItems>");
210        body.push_str(&format!("<Quantity>{}</Quantity>", items.len()));
211        body.push_str("<Items>");
212        for f in &items {
213            let view = stage_view(f, &stage);
214            body.push_str(&render_function_summary_inner(&view));
215        }
216        body.push_str("</Items>");
217        body.push_str("</FunctionList>");
218        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
219    }
220
221    pub(crate) fn publish_function(
222        &self,
223        req: &AwsRequest,
224        route: &Route,
225    ) -> Result<AwsResponse, AwsServiceError> {
226        let name = route_id(route, "Function")?;
227        let if_match = require_if_match(req)?;
228        let mut state = self.state.write();
229        let account = state
230            .accounts
231            .get_mut(DEFAULT_ACCOUNT)
232            .ok_or_else(|| not_found("Function", &name))?;
233        let f = account
234            .functions
235            .get_mut(&name)
236            .ok_or_else(|| not_found("Function", &name))?;
237        if f.etag != if_match {
238            return Err(precondition_failed());
239        }
240        f.status = "DEPLOYED".to_string();
241        f.stage = "LIVE".to_string();
242        f.last_modified_time = Utc::now();
243        // Freeze the current development code as the LIVE snapshot.
244        // Subsequent UpdateFunction calls mutate `function_code` but
245        // leave this alone, so `TestFunction(Stage=LIVE)` keeps running
246        // the published version until the next Publish.
247        f.live_function_code = Some(f.function_code.clone());
248        let snap = f.clone();
249        drop(state);
250        let body = render_function_summary(&snap, "PublishFunctionResult");
251        Ok(xml_with_etag(StatusCode::OK, body, &snap.etag, None))
252    }
253
254    pub(crate) fn test_function(
255        &self,
256        req: &AwsRequest,
257        route: &Route,
258    ) -> Result<AwsResponse, AwsServiceError> {
259        let name = route_id(route, "Function")?;
260        let if_match = require_if_match(req)?;
261        let parsed: TestFunctionRequest = xml_io::from_xml_root(&req.body)
262            .map_err(|e| invalid_argument(format!("invalid TestFunctionRequest XML: {e}")))?;
263        let event_bytes = base64::engine::general_purpose::STANDARD
264            .decode(parsed.event_object.trim().as_bytes())
265            .map_err(|e| invalid_argument(format!("EventObject is not valid base64: {e}")))?;
266
267        let state = self.state.read();
268        let f = state
269            .accounts
270            .get(DEFAULT_ACCOUNT)
271            .and_then(|a| a.functions.get(&name).cloned())
272            .ok_or_else(|| {
273                aws_error(
274                    StatusCode::NOT_FOUND,
275                    "NoSuchFunctionExists",
276                    format!("The specified function does not exist: {name}"),
277                )
278            })?;
279        drop(state);
280        if f.etag != if_match {
281            return Err(precondition_failed());
282        }
283
284        // AWS lets callers pick which version to run. DEVELOPMENT (the
285        // default) is the latest CreateFunction / UpdateFunction body;
286        // LIVE is the snapshot taken at PublishFunction. Falling back to
287        // DEVELOPMENT when no snapshot exists matches the AWS error
288        // shape ("function not yet published") less closely, but is
289        // strictly nicer for tests against unpublished functions.
290        let stage = parsed.stage.as_deref().unwrap_or("DEVELOPMENT");
291        let source_b64 = if stage.eq_ignore_ascii_case("LIVE") {
292            f.live_function_code.as_deref().unwrap_or(&f.function_code)
293        } else {
294            f.function_code.as_str()
295        };
296        let code_bytes = base64::engine::general_purpose::STANDARD
297            .decode(source_b64.as_bytes())
298            .unwrap_or_else(|_| source_b64.as_bytes().to_vec());
299        let code = String::from_utf8(code_bytes)
300            .map_err(|e| invalid_argument(format!("function code is not valid UTF-8: {e}")))?;
301        let exec = crate::js_runtime::run_handler(&code, &event_bytes);
302
303        let mut body = String::with_capacity(1024);
304        body.push_str(XML_DECL);
305        body.push_str(&format!("<TestResult xmlns=\"{NS}\">"));
306        body.push_str(&render_function_summary_inner(&f));
307        body.push_str(&format!(
308            "<ComputeUtilization>{}</ComputeUtilization>",
309            exec.compute_utilization
310        ));
311        body.push_str("<FunctionExecutionLogs>");
312        for line in &exec.logs {
313            body.push_str(&format!("<member>{}</member>", esc(line)));
314        }
315        body.push_str("</FunctionExecutionLogs>");
316        body.push_str(&format!(
317            "<FunctionErrorMessage>{}</FunctionErrorMessage>",
318            esc(exec.error.as_deref().unwrap_or(""))
319        ));
320        body.push_str(&format!(
321            "<FunctionOutput>{}</FunctionOutput>",
322            esc(exec.output.as_deref().unwrap_or(""))
323        ));
324        body.push_str("</TestResult>");
325        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
326    }
327}
328
329// ─── Public Keys ──────────────────────────────────────────────────────
330
331impl CloudFrontService {
332    pub(crate) fn create_public_key(
333        &self,
334        req: &AwsRequest,
335    ) -> Result<AwsResponse, AwsServiceError> {
336        let cfg: PublicKeyConfig = xml_io::from_xml_root(&req.body)
337            .map_err(|e| invalid_argument(format!("invalid PublicKeyConfig XML: {e}")))?;
338        if cfg.name.is_empty() {
339            return Err(invalid_argument("PublicKeyConfig.Name is required"));
340        }
341        if cfg.encoded_key.is_empty() {
342            return Err(invalid_argument("PublicKeyConfig.EncodedKey is required"));
343        }
344        let mut state = self.state.write();
345        let account = state
346            .accounts
347            .entry(DEFAULT_ACCOUNT.to_string())
348            .or_default();
349        if let Some(existing) = account
350            .public_keys
351            .values()
352            .find(|p| p.config.caller_reference == cfg.caller_reference)
353        {
354            return Err(aws_error(
355                StatusCode::CONFLICT,
356                "PublicKeyAlreadyExists",
357                format!(
358                    "PublicKey with same CallerReference exists: {}",
359                    existing.id
360                ),
361            ));
362        }
363        let id = generate_id_with_prefix("K");
364        let etag = generate_id_with_prefix("E");
365        let stored = StoredPublicKey {
366            id: id.clone(),
367            etag: etag.clone(),
368            created_time: Utc::now(),
369            config: cfg,
370        };
371        account.public_keys.insert(id.clone(), stored.clone());
372        drop(state);
373        let body = render_public_key(&stored, "PublicKey");
374        Ok(xml_with_etag(StatusCode::CREATED, body, &etag, Some(&id)))
375    }
376
377    pub(crate) fn get_public_key(&self, route: &Route) -> Result<AwsResponse, AwsServiceError> {
378        let id = route_id(route, "PublicKey")?;
379        let state = self.state.read();
380        let p = state
381            .accounts
382            .get(DEFAULT_ACCOUNT)
383            .and_then(|a| a.public_keys.get(&id).cloned())
384            .ok_or_else(|| not_found("PublicKey", &id))?;
385        drop(state);
386        let body = render_public_key(&p, "PublicKey");
387        Ok(xml_with_etag(StatusCode::OK, body, &p.etag, None))
388    }
389
390    pub(crate) fn get_public_key_config(
391        &self,
392        route: &Route,
393    ) -> Result<AwsResponse, AwsServiceError> {
394        let id = route_id(route, "PublicKey")?;
395        let state = self.state.read();
396        let p = state
397            .accounts
398            .get(DEFAULT_ACCOUNT)
399            .and_then(|a| a.public_keys.get(&id).cloned())
400            .ok_or_else(|| not_found("PublicKey", &id))?;
401        drop(state);
402        let body = config_xml("PublicKeyConfig", &p.config)?;
403        Ok(xml_with_etag(StatusCode::OK, body, &p.etag, None))
404    }
405
406    pub(crate) fn update_public_key(
407        &self,
408        req: &AwsRequest,
409        route: &Route,
410    ) -> Result<AwsResponse, AwsServiceError> {
411        let id = route_id(route, "PublicKey")?;
412        let if_match = require_if_match(req)?;
413        let cfg: PublicKeyConfig = xml_io::from_xml_root(&req.body)
414            .map_err(|e| invalid_argument(format!("invalid PublicKeyConfig XML: {e}")))?;
415        if cfg.name.is_empty() {
416            return Err(invalid_argument("PublicKeyConfig.Name is required"));
417        }
418        let mut state = self.state.write();
419        let account = state
420            .accounts
421            .get_mut(DEFAULT_ACCOUNT)
422            .ok_or_else(|| not_found("PublicKey", &id))?;
423        let p = account
424            .public_keys
425            .get_mut(&id)
426            .ok_or_else(|| not_found("PublicKey", &id))?;
427        if p.etag != if_match {
428            return Err(precondition_failed());
429        }
430        // CallerReference is immutable per AWS.
431        if p.config.caller_reference != cfg.caller_reference {
432            return Err(invalid_argument(
433                "CallerReference cannot change on UpdatePublicKey",
434            ));
435        }
436        p.config = cfg;
437        p.etag = generate_id_with_prefix("E");
438        let snap = p.clone();
439        drop(state);
440        let body = render_public_key(&snap, "PublicKey");
441        Ok(xml_with_etag(StatusCode::OK, body, &snap.etag, None))
442    }
443
444    pub(crate) fn delete_public_key(
445        &self,
446        req: &AwsRequest,
447        route: &Route,
448    ) -> Result<AwsResponse, AwsServiceError> {
449        let id = route_id(route, "PublicKey")?;
450        let if_match = require_if_match(req)?;
451        let mut state = self.state.write();
452        let account = state
453            .accounts
454            .get_mut(DEFAULT_ACCOUNT)
455            .ok_or_else(|| not_found("PublicKey", &id))?;
456        let p = account
457            .public_keys
458            .get(&id)
459            .ok_or_else(|| not_found("PublicKey", &id))?;
460        if p.etag != if_match {
461            return Err(precondition_failed());
462        }
463        account.public_keys.remove(&id);
464        drop(state);
465        Ok(crate::policies::empty(StatusCode::NO_CONTENT))
466    }
467
468    pub(crate) fn list_public_keys(
469        &self,
470        _req: &AwsRequest,
471    ) -> Result<AwsResponse, AwsServiceError> {
472        let state = self.state.read();
473        let mut items: Vec<StoredPublicKey> = state
474            .accounts
475            .get(DEFAULT_ACCOUNT)
476            .map(|a| a.public_keys.values().cloned().collect())
477            .unwrap_or_default();
478        drop(state);
479        items.sort_by(|a, b| a.id.cmp(&b.id));
480
481        let mut body = String::with_capacity(512);
482        body.push_str(XML_DECL);
483        body.push_str(&format!("<PublicKeyList xmlns=\"{NS}\">"));
484        body.push_str("<Marker></Marker>");
485        body.push_str("<MaxItems>100</MaxItems>");
486        body.push_str(&format!("<Quantity>{}</Quantity>", items.len()));
487        body.push_str("<Items>");
488        for p in &items {
489            body.push_str("<PublicKeySummary>");
490            body.push_str(&format!("<Id>{}</Id>", esc(&p.id)));
491            body.push_str(&format!("<Name>{}</Name>", esc(&p.config.name)));
492            body.push_str(&format!(
493                "<CreatedTime>{}</CreatedTime>",
494                rfc3339(&p.created_time)
495            ));
496            body.push_str(&format!(
497                "<EncodedKey>{}</EncodedKey>",
498                esc(&p.config.encoded_key)
499            ));
500            if let Some(c) = &p.config.comment {
501                body.push_str(&format!("<Comment>{}</Comment>", esc(c)));
502            }
503            body.push_str("</PublicKeySummary>");
504        }
505        body.push_str("</Items>");
506        body.push_str("</PublicKeyList>");
507        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
508    }
509}
510
511// ─── Key Groups ───────────────────────────────────────────────────────
512
513impl CloudFrontService {
514    pub(crate) fn create_key_group(
515        &self,
516        req: &AwsRequest,
517    ) -> Result<AwsResponse, AwsServiceError> {
518        let cfg: KeyGroupConfig = xml_io::from_xml_root(&req.body)
519            .map_err(|e| invalid_argument(format!("invalid KeyGroupConfig XML: {e}")))?;
520        if cfg.name.is_empty() {
521            return Err(invalid_argument("KeyGroupConfig.Name is required"));
522        }
523        let mut state = self.state.write();
524        let account = state
525            .accounts
526            .entry(DEFAULT_ACCOUNT.to_string())
527            .or_default();
528        let id = generate_id_with_prefix("K");
529        let etag = generate_id_with_prefix("E");
530        let stored = StoredKeyGroup {
531            id: id.clone(),
532            etag: etag.clone(),
533            last_modified_time: Utc::now(),
534            config: cfg,
535        };
536        account.key_groups.insert(id.clone(), stored.clone());
537        drop(state);
538        let body = render_key_group(&stored, "KeyGroup");
539        Ok(xml_with_etag(StatusCode::CREATED, body, &etag, Some(&id)))
540    }
541
542    pub(crate) fn get_key_group(&self, route: &Route) -> Result<AwsResponse, AwsServiceError> {
543        let id = route_id(route, "KeyGroup")?;
544        let state = self.state.read();
545        let g = state
546            .accounts
547            .get(DEFAULT_ACCOUNT)
548            .and_then(|a| a.key_groups.get(&id).cloned())
549            .ok_or_else(|| not_found("KeyGroup", &id))?;
550        drop(state);
551        let body = render_key_group(&g, "KeyGroup");
552        Ok(xml_with_etag(StatusCode::OK, body, &g.etag, None))
553    }
554
555    pub(crate) fn get_key_group_config(
556        &self,
557        route: &Route,
558    ) -> Result<AwsResponse, AwsServiceError> {
559        let id = route_id(route, "KeyGroup")?;
560        let state = self.state.read();
561        let g = state
562            .accounts
563            .get(DEFAULT_ACCOUNT)
564            .and_then(|a| a.key_groups.get(&id).cloned())
565            .ok_or_else(|| not_found("KeyGroup", &id))?;
566        drop(state);
567        let body = config_xml("KeyGroupConfig", &g.config)?;
568        Ok(xml_with_etag(StatusCode::OK, body, &g.etag, None))
569    }
570
571    pub(crate) fn update_key_group(
572        &self,
573        req: &AwsRequest,
574        route: &Route,
575    ) -> Result<AwsResponse, AwsServiceError> {
576        let id = route_id(route, "KeyGroup")?;
577        let if_match = require_if_match(req)?;
578        let cfg: KeyGroupConfig = xml_io::from_xml_root(&req.body)
579            .map_err(|e| invalid_argument(format!("invalid KeyGroupConfig XML: {e}")))?;
580        if cfg.name.is_empty() {
581            return Err(invalid_argument("KeyGroupConfig.Name is required"));
582        }
583        let mut state = self.state.write();
584        let account = state
585            .accounts
586            .get_mut(DEFAULT_ACCOUNT)
587            .ok_or_else(|| not_found("KeyGroup", &id))?;
588        let g = account
589            .key_groups
590            .get_mut(&id)
591            .ok_or_else(|| not_found("KeyGroup", &id))?;
592        if g.etag != if_match {
593            return Err(precondition_failed());
594        }
595        g.config = cfg;
596        g.etag = generate_id_with_prefix("E");
597        g.last_modified_time = Utc::now();
598        let snap = g.clone();
599        drop(state);
600        let body = render_key_group(&snap, "KeyGroup");
601        Ok(xml_with_etag(StatusCode::OK, body, &snap.etag, None))
602    }
603
604    pub(crate) fn delete_key_group(
605        &self,
606        req: &AwsRequest,
607        route: &Route,
608    ) -> Result<AwsResponse, AwsServiceError> {
609        let id = route_id(route, "KeyGroup")?;
610        let if_match = require_if_match(req)?;
611        let mut state = self.state.write();
612        let account = state
613            .accounts
614            .get_mut(DEFAULT_ACCOUNT)
615            .ok_or_else(|| not_found("KeyGroup", &id))?;
616        let g = account
617            .key_groups
618            .get(&id)
619            .ok_or_else(|| not_found("KeyGroup", &id))?;
620        if g.etag != if_match {
621            return Err(precondition_failed());
622        }
623        account.key_groups.remove(&id);
624        drop(state);
625        Ok(crate::policies::empty(StatusCode::NO_CONTENT))
626    }
627
628    pub(crate) fn list_key_groups(
629        &self,
630        _req: &AwsRequest,
631    ) -> Result<AwsResponse, AwsServiceError> {
632        let state = self.state.read();
633        let mut items: Vec<StoredKeyGroup> = state
634            .accounts
635            .get(DEFAULT_ACCOUNT)
636            .map(|a| a.key_groups.values().cloned().collect())
637            .unwrap_or_default();
638        drop(state);
639        items.sort_by(|a, b| a.config.name.cmp(&b.config.name));
640
641        let mut body = String::with_capacity(512);
642        body.push_str(XML_DECL);
643        body.push_str(&format!("<KeyGroupList xmlns=\"{NS}\">"));
644        body.push_str("<Marker></Marker>");
645        body.push_str("<MaxItems>100</MaxItems>");
646        body.push_str(&format!("<Quantity>{}</Quantity>", items.len()));
647        body.push_str("<Items>");
648        for g in &items {
649            body.push_str("<KeyGroupSummary>");
650            body.push_str("<KeyGroup>");
651            push_key_group_inner(&mut body, g);
652            body.push_str("</KeyGroup>");
653            body.push_str("</KeyGroupSummary>");
654        }
655        body.push_str("</Items>");
656        body.push_str("</KeyGroupList>");
657        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
658    }
659}
660
661// ─── Key Value Stores ─────────────────────────────────────────────────
662
663impl CloudFrontService {
664    pub(crate) fn create_key_value_store(
665        &self,
666        req: &AwsRequest,
667    ) -> Result<AwsResponse, AwsServiceError> {
668        let parsed: CreateKeyValueStoreRequest = xml_io::from_xml_root(&req.body)
669            .map_err(|e| invalid_argument(format!("invalid CreateKeyValueStore XML: {e}")))?;
670        if parsed.name.is_empty() {
671            return Err(invalid_argument("Name is required"));
672        }
673        let mut state = self.state.write();
674        let account = state
675            .accounts
676            .entry(DEFAULT_ACCOUNT.to_string())
677            .or_default();
678        if account.key_value_stores.contains_key(&parsed.name) {
679            return Err(aws_error(
680                StatusCode::CONFLICT,
681                "EntityAlreadyExists",
682                format!("KeyValueStore {} already exists", parsed.name),
683            ));
684        }
685        let now = Utc::now();
686        let id = Uuid::new_v4().to_string();
687        let etag = generate_id_with_prefix("E");
688        let arn = format!(
689            "arn:aws:cloudfront::{}:key-value-store/{}",
690            DEFAULT_ACCOUNT, id
691        );
692        let stored = StoredKeyValueStore {
693            name: parsed.name.clone(),
694            id,
695            etag: etag.clone(),
696            arn,
697            status: "READY".to_string(),
698            created_time: now,
699            last_modified_time: now,
700            comment: parsed.comment,
701            import_source: parsed.import_source,
702        };
703        account
704            .key_value_stores
705            .insert(parsed.name.clone(), stored.clone());
706        drop(state);
707        let body = render_key_value_store(&stored, "CreateKeyValueStoreResult");
708        Ok(xml_with_etag(StatusCode::CREATED, body, &etag, None))
709    }
710
711    pub(crate) fn describe_key_value_store(
712        &self,
713        route: &Route,
714    ) -> Result<AwsResponse, AwsServiceError> {
715        let name = route_id(route, "KeyValueStore")?;
716        let state = self.state.read();
717        let kvs = state
718            .accounts
719            .get(DEFAULT_ACCOUNT)
720            .and_then(|a| a.key_value_stores.get(&name).cloned())
721            .ok_or_else(|| not_found("KeyValueStore", &name))?;
722        drop(state);
723        let body = render_key_value_store(&kvs, "DescribeKeyValueStoreResult");
724        Ok(xml_with_etag(StatusCode::OK, body, &kvs.etag, None))
725    }
726
727    pub(crate) fn update_key_value_store(
728        &self,
729        req: &AwsRequest,
730        route: &Route,
731    ) -> Result<AwsResponse, AwsServiceError> {
732        let name = route_id(route, "KeyValueStore")?;
733        let if_match = require_if_match(req)?;
734        let parsed: UpdateKeyValueStoreRequest = xml_io::from_xml_root(&req.body)
735            .map_err(|e| invalid_argument(format!("invalid UpdateKeyValueStore XML: {e}")))?;
736        let mut state = self.state.write();
737        let account = state
738            .accounts
739            .get_mut(DEFAULT_ACCOUNT)
740            .ok_or_else(|| not_found("KeyValueStore", &name))?;
741        let kvs = account
742            .key_value_stores
743            .get_mut(&name)
744            .ok_or_else(|| not_found("KeyValueStore", &name))?;
745        if kvs.etag != if_match {
746            return Err(precondition_failed());
747        }
748        kvs.comment = Some(parsed.comment);
749        kvs.etag = generate_id_with_prefix("E");
750        kvs.last_modified_time = Utc::now();
751        let snap = kvs.clone();
752        drop(state);
753        let body = render_key_value_store(&snap, "UpdateKeyValueStoreResult");
754        Ok(xml_with_etag(StatusCode::OK, body, &snap.etag, None))
755    }
756
757    pub(crate) fn delete_key_value_store(
758        &self,
759        req: &AwsRequest,
760        route: &Route,
761    ) -> Result<AwsResponse, AwsServiceError> {
762        let name = route_id(route, "KeyValueStore")?;
763        let if_match = require_if_match(req)?;
764        let mut state = self.state.write();
765        let account = state
766            .accounts
767            .get_mut(DEFAULT_ACCOUNT)
768            .ok_or_else(|| not_found("KeyValueStore", &name))?;
769        let kvs = account
770            .key_value_stores
771            .get(&name)
772            .ok_or_else(|| not_found("KeyValueStore", &name))?;
773        if kvs.etag != if_match {
774            return Err(precondition_failed());
775        }
776        account.key_value_stores.remove(&name);
777        drop(state);
778        Ok(crate::policies::empty(StatusCode::NO_CONTENT))
779    }
780
781    pub(crate) fn list_key_value_stores(
782        &self,
783        _req: &AwsRequest,
784    ) -> Result<AwsResponse, AwsServiceError> {
785        let state = self.state.read();
786        let mut items: Vec<StoredKeyValueStore> = state
787            .accounts
788            .get(DEFAULT_ACCOUNT)
789            .map(|a| a.key_value_stores.values().cloned().collect())
790            .unwrap_or_default();
791        drop(state);
792        items.sort_by(|a, b| a.name.cmp(&b.name));
793
794        let mut body = String::with_capacity(512);
795        body.push_str(XML_DECL);
796        body.push_str(&format!("<KeyValueStoreList xmlns=\"{NS}\">"));
797        body.push_str("<NextMarker></NextMarker>");
798        body.push_str("<MaxItems>100</MaxItems>");
799        body.push_str(&format!("<Quantity>{}</Quantity>", items.len()));
800        body.push_str("<Items>");
801        for kvs in &items {
802            body.push_str("<KeyValueStore>");
803            push_kvs_inner(&mut body, kvs);
804            body.push_str("</KeyValueStore>");
805        }
806        body.push_str("</Items>");
807        body.push_str("</KeyValueStoreList>");
808        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
809    }
810}
811
812// ─── Origin Access Identities (legacy) ────────────────────────────────
813
814impl CloudFrontService {
815    pub(crate) fn create_oai(&self, req: &AwsRequest) -> Result<AwsResponse, AwsServiceError> {
816        let cfg: CloudFrontOriginAccessIdentityConfig = xml_io::from_xml_root(&req.body)
817            .map_err(|e| invalid_argument(format!("invalid OAI config XML: {e}")))?;
818        if cfg.caller_reference.is_empty() {
819            return Err(invalid_argument("CallerReference is required"));
820        }
821        let mut state = self.state.write();
822        let account = state
823            .accounts
824            .entry(DEFAULT_ACCOUNT.to_string())
825            .or_default();
826        if let Some(existing) = account
827            .origin_access_identities
828            .values()
829            .find(|o| o.config.caller_reference == cfg.caller_reference)
830        {
831            return Err(aws_error(
832                StatusCode::CONFLICT,
833                "CloudFrontOriginAccessIdentityAlreadyExists",
834                format!("OAI with same CallerReference exists: {}", existing.id),
835            ));
836        }
837        let id = format!(
838            "E{}",
839            Uuid::new_v4()
840                .simple()
841                .to_string()
842                .to_uppercase()
843                .chars()
844                .take(13)
845                .collect::<String>()
846        );
847        let etag = generate_id_with_prefix("E");
848        let canonical = Uuid::new_v4().simple().to_string();
849        let stored = StoredOriginAccessIdentity {
850            id: id.clone(),
851            etag: etag.clone(),
852            s3_canonical_user_id: canonical,
853            config: cfg,
854        };
855        account
856            .origin_access_identities
857            .insert(id.clone(), stored.clone());
858        drop(state);
859        let body = render_oai(&stored, "CloudFrontOriginAccessIdentity");
860        Ok(xml_with_etag(StatusCode::CREATED, body, &etag, Some(&id)))
861    }
862
863    pub(crate) fn get_oai(&self, route: &Route) -> Result<AwsResponse, AwsServiceError> {
864        let id = route_id(route, "CloudFrontOriginAccessIdentity")?;
865        let state = self.state.read();
866        let oai = state
867            .accounts
868            .get(DEFAULT_ACCOUNT)
869            .and_then(|a| a.origin_access_identities.get(&id).cloned())
870            .ok_or_else(|| not_found("CloudFrontOriginAccessIdentity", &id))?;
871        drop(state);
872        let body = render_oai(&oai, "CloudFrontOriginAccessIdentity");
873        Ok(xml_with_etag(StatusCode::OK, body, &oai.etag, None))
874    }
875
876    pub(crate) fn get_oai_config(&self, route: &Route) -> Result<AwsResponse, AwsServiceError> {
877        let id = route_id(route, "CloudFrontOriginAccessIdentity")?;
878        let state = self.state.read();
879        let oai = state
880            .accounts
881            .get(DEFAULT_ACCOUNT)
882            .and_then(|a| a.origin_access_identities.get(&id).cloned())
883            .ok_or_else(|| not_found("CloudFrontOriginAccessIdentity", &id))?;
884        drop(state);
885        let body = config_xml("CloudFrontOriginAccessIdentityConfig", &oai.config)?;
886        Ok(xml_with_etag(StatusCode::OK, body, &oai.etag, None))
887    }
888
889    pub(crate) fn update_oai(
890        &self,
891        req: &AwsRequest,
892        route: &Route,
893    ) -> Result<AwsResponse, AwsServiceError> {
894        let id = route_id(route, "CloudFrontOriginAccessIdentity")?;
895        let if_match = require_if_match(req)?;
896        let cfg: CloudFrontOriginAccessIdentityConfig = xml_io::from_xml_root(&req.body)
897            .map_err(|e| invalid_argument(format!("invalid OAI config XML: {e}")))?;
898        let mut state = self.state.write();
899        let account = state
900            .accounts
901            .get_mut(DEFAULT_ACCOUNT)
902            .ok_or_else(|| not_found("CloudFrontOriginAccessIdentity", &id))?;
903        let oai = account
904            .origin_access_identities
905            .get_mut(&id)
906            .ok_or_else(|| not_found("CloudFrontOriginAccessIdentity", &id))?;
907        if oai.etag != if_match {
908            return Err(precondition_failed());
909        }
910        if oai.config.caller_reference != cfg.caller_reference {
911            return Err(invalid_argument(
912                "CallerReference cannot change on UpdateCloudFrontOriginAccessIdentity",
913            ));
914        }
915        oai.config = cfg;
916        oai.etag = generate_id_with_prefix("E");
917        let snap = oai.clone();
918        drop(state);
919        let body = render_oai(&snap, "CloudFrontOriginAccessIdentity");
920        Ok(xml_with_etag(StatusCode::OK, body, &snap.etag, None))
921    }
922
923    pub(crate) fn delete_oai(
924        &self,
925        req: &AwsRequest,
926        route: &Route,
927    ) -> Result<AwsResponse, AwsServiceError> {
928        let id = route_id(route, "CloudFrontOriginAccessIdentity")?;
929        let if_match = require_if_match(req)?;
930        let mut state = self.state.write();
931        let account = state
932            .accounts
933            .get_mut(DEFAULT_ACCOUNT)
934            .ok_or_else(|| not_found("CloudFrontOriginAccessIdentity", &id))?;
935        let oai = account
936            .origin_access_identities
937            .get(&id)
938            .ok_or_else(|| not_found("CloudFrontOriginAccessIdentity", &id))?;
939        if oai.etag != if_match {
940            return Err(precondition_failed());
941        }
942        account.origin_access_identities.remove(&id);
943        drop(state);
944        Ok(crate::policies::empty(StatusCode::NO_CONTENT))
945    }
946
947    pub(crate) fn list_oai(&self, _req: &AwsRequest) -> Result<AwsResponse, AwsServiceError> {
948        let state = self.state.read();
949        let mut items: Vec<StoredOriginAccessIdentity> = state
950            .accounts
951            .get(DEFAULT_ACCOUNT)
952            .map(|a| a.origin_access_identities.values().cloned().collect())
953            .unwrap_or_default();
954        drop(state);
955        items.sort_by(|a, b| a.id.cmp(&b.id));
956
957        let mut body = String::with_capacity(512);
958        body.push_str(XML_DECL);
959        body.push_str(&format!(
960            "<CloudFrontOriginAccessIdentityList xmlns=\"{NS}\">"
961        ));
962        body.push_str("<Marker></Marker>");
963        body.push_str("<MaxItems>100</MaxItems>");
964        body.push_str("<IsTruncated>false</IsTruncated>");
965        body.push_str(&format!("<Quantity>{}</Quantity>", items.len()));
966        body.push_str("<Items>");
967        for oai in &items {
968            body.push_str("<CloudFrontOriginAccessIdentitySummary>");
969            body.push_str(&format!("<Id>{}</Id>", esc(&oai.id)));
970            body.push_str(&format!(
971                "<S3CanonicalUserId>{}</S3CanonicalUserId>",
972                esc(&oai.s3_canonical_user_id)
973            ));
974            body.push_str(&format!("<Comment>{}</Comment>", esc(&oai.config.comment)));
975            body.push_str("</CloudFrontOriginAccessIdentitySummary>");
976        }
977        body.push_str("</Items>");
978        body.push_str("</CloudFrontOriginAccessIdentityList>");
979        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
980    }
981}
982
983// ─── Monitoring Subscriptions ─────────────────────────────────────────
984
985impl CloudFrontService {
986    pub(crate) fn create_monitoring_subscription(
987        &self,
988        req: &AwsRequest,
989        route: &Route,
990    ) -> Result<AwsResponse, AwsServiceError> {
991        let dist_id = route_id(route, "Distribution")?;
992        // Check the distribution exists before parsing the body. Synthetic
993        // probes hit this op against a placeholder distribution ID; surfacing
994        // NoSuchDistribution (declared in the Smithy errors list) before any
995        // XML-parse InvalidArgument keeps the conformance probe honest.
996        {
997            let state = self.state.read();
998            let has_dist = state
999                .accounts
1000                .get(DEFAULT_ACCOUNT)
1001                .is_some_and(|a| a.distributions.contains_key(&dist_id));
1002            if !has_dist {
1003                return Err(not_found("Distribution", &dist_id));
1004            }
1005        }
1006        let parsed: MonitoringSubscriptionBody = xml_io::from_xml_root(&req.body)
1007            .map_err(|e| invalid_argument(format!("invalid MonitoringSubscription XML: {e}")))?;
1008        let mut state = self.state.write();
1009        let account = state
1010            .accounts
1011            .entry(DEFAULT_ACCOUNT.to_string())
1012            .or_default();
1013        if !account.distributions.contains_key(&dist_id) {
1014            return Err(not_found("Distribution", &dist_id));
1015        }
1016        let stored = StoredMonitoringSubscription {
1017            distribution_id: dist_id.clone(),
1018            config: parsed.realtime_metrics_subscription_config,
1019        };
1020        account
1021            .monitoring_subscriptions
1022            .insert(dist_id.clone(), stored.clone());
1023        drop(state);
1024        let body = render_monitoring(&stored);
1025        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
1026    }
1027
1028    pub(crate) fn get_monitoring_subscription(
1029        &self,
1030        route: &Route,
1031    ) -> Result<AwsResponse, AwsServiceError> {
1032        let dist_id = route_id(route, "Distribution")?;
1033        let state = self.state.read();
1034        let m = state
1035            .accounts
1036            .get(DEFAULT_ACCOUNT)
1037            .and_then(|a| a.monitoring_subscriptions.get(&dist_id).cloned())
1038            .ok_or_else(|| {
1039                aws_error(
1040                    StatusCode::NOT_FOUND,
1041                    "NoSuchMonitoringSubscription",
1042                    format!("No monitoring subscription for distribution {dist_id}"),
1043                )
1044            })?;
1045        drop(state);
1046        let body = render_monitoring(&m);
1047        Ok(xml_response(StatusCode::OK, body, HeaderMap::new()))
1048    }
1049
1050    pub(crate) fn delete_monitoring_subscription(
1051        &self,
1052        route: &Route,
1053    ) -> Result<AwsResponse, AwsServiceError> {
1054        let dist_id = route_id(route, "Distribution")?;
1055        let mut state = self.state.write();
1056        let account = state
1057            .accounts
1058            .get_mut(DEFAULT_ACCOUNT)
1059            .ok_or_else(|| not_found("Distribution", &dist_id))?;
1060        if account.monitoring_subscriptions.remove(&dist_id).is_none() {
1061            return Err(aws_error(
1062                StatusCode::NOT_FOUND,
1063                "NoSuchMonitoringSubscription",
1064                format!("No monitoring subscription for distribution {dist_id}"),
1065            ));
1066        }
1067        drop(state);
1068        Ok(crate::policies::empty(StatusCode::NO_CONTENT))
1069    }
1070}
1071
1072// ─── Helpers ──────────────────────────────────────────────────────────
1073
1074#[derive(Debug, serde::Deserialize)]
1075#[serde(rename_all = "PascalCase")]
1076struct CreateFunctionRequest {
1077    name: String,
1078    function_config: FunctionConfig,
1079    /// Base64-encoded source.
1080    function_code: String,
1081}
1082
1083#[derive(Debug, serde::Deserialize)]
1084#[serde(rename_all = "PascalCase")]
1085struct UpdateFunctionRequest {
1086    function_config: FunctionConfig,
1087    function_code: String,
1088}
1089
1090#[derive(Debug, serde::Deserialize)]
1091#[serde(rename_all = "PascalCase")]
1092struct TestFunctionRequest {
1093    #[serde(default)]
1094    event_object: String,
1095    #[serde(default)]
1096    stage: Option<String>,
1097}
1098
1099#[derive(Debug, serde::Deserialize)]
1100#[serde(rename_all = "PascalCase")]
1101struct CreateKeyValueStoreRequest {
1102    name: String,
1103    #[serde(default)]
1104    comment: Option<String>,
1105    #[serde(default)]
1106    import_source: Option<ImportSource>,
1107}
1108
1109#[derive(Debug, serde::Deserialize)]
1110#[serde(rename_all = "PascalCase")]
1111struct UpdateKeyValueStoreRequest {
1112    comment: String,
1113}
1114
1115fn config_xml<T: serde::Serialize>(root: &str, cfg: &T) -> Result<String, AwsServiceError> {
1116    let inner = quick_xml::se::to_string_with_root(root, cfg).map_err(|e| {
1117        aws_error(
1118            StatusCode::INTERNAL_SERVER_ERROR,
1119            "InternalError",
1120            format!("xml encode failed: {e}"),
1121        )
1122    })?;
1123    let stamped = inner.replacen(
1124        &format!("<{root}>"),
1125        &format!("<{root} xmlns=\"{NS}\">", NS = crate::NAMESPACE),
1126        1,
1127    );
1128    Ok(format!("{XML_DECL}{stamped}"))
1129}
1130
1131fn parse_stage_query(query: &str) -> Option<String> {
1132    use std::collections::HashMap;
1133    let pairs: HashMap<&str, &str> = query.split('&').filter_map(|p| p.split_once('=')).collect();
1134    pairs.get("Stage").map(|s| s.to_string())
1135}
1136
1137/// Validate the `Stage` query against the FunctionStage enum
1138/// (DEVELOPMENT | LIVE). Returns InvalidArgument for unknown values; absent
1139/// or valid is OK.
1140pub(crate) fn validate_stage_query(
1141    query: &str,
1142) -> Result<Option<String>, fakecloud_core::service::AwsServiceError> {
1143    let stage = parse_stage_query(query);
1144    if let Some(ref v) = stage {
1145        if v != "DEVELOPMENT" && v != "LIVE" {
1146            return Err(crate::service::invalid_argument(format!(
1147                "Stage must be one of 'DEVELOPMENT' or 'LIVE', got '{v}'"
1148            )));
1149        }
1150    }
1151    Ok(stage)
1152}
1153
1154fn stage_view(f: &StoredFunction, stage: &Option<String>) -> StoredFunction {
1155    let mut clone = f.clone();
1156    if stage.as_deref() == Some("LIVE") {
1157        clone.stage = "LIVE".into();
1158    }
1159    clone
1160}
1161
1162fn render_function_summary(f: &StoredFunction, _root: &str) -> String {
1163    // CloudFront returns FunctionSummary as the root for Create/Describe/
1164    // Update/Publish — there is no operation-specific wrapper element.
1165    let mut out = String::with_capacity(512);
1166    out.push_str(XML_DECL);
1167    out.push_str(&render_function_summary_inner_with_ns(f));
1168    out
1169}
1170
1171fn render_function_summary_inner_with_ns(f: &StoredFunction) -> String {
1172    let mut out = String::with_capacity(512);
1173    out.push_str(&format!("<FunctionSummary xmlns=\"{NS}\">"));
1174    out.push_str(&render_function_summary_body(f));
1175    out.push_str("</FunctionSummary>");
1176    out
1177}
1178
1179fn render_function_summary_inner(f: &StoredFunction) -> String {
1180    let mut out = String::with_capacity(512);
1181    out.push_str("<FunctionSummary>");
1182    out.push_str(&render_function_summary_body(f));
1183    out.push_str("</FunctionSummary>");
1184    out
1185}
1186
1187fn render_function_summary_body(f: &StoredFunction) -> String {
1188    let mut out = String::with_capacity(512);
1189    out.push_str(&format!("<Name>{}</Name>", esc(&f.name)));
1190    out.push_str(&format!("<Status>{}</Status>", esc(&f.status)));
1191    out.push_str("<FunctionConfig>");
1192    if let Some(c) = &f.config.comment {
1193        out.push_str(&format!("<Comment>{}</Comment>", esc(c)));
1194    } else {
1195        out.push_str("<Comment></Comment>");
1196    }
1197    out.push_str(&format!("<Runtime>{}</Runtime>", esc(&f.config.runtime)));
1198    out.push_str("</FunctionConfig>");
1199    out.push_str("<FunctionMetadata>");
1200    out.push_str(&format!(
1201        "<FunctionARN>{}</FunctionARN>",
1202        esc(&f.function_arn)
1203    ));
1204    out.push_str(&format!("<Stage>{}</Stage>", esc(&f.stage)));
1205    out.push_str(&format!(
1206        "<CreatedTime>{}</CreatedTime>",
1207        rfc3339(&f.created_time)
1208    ));
1209    out.push_str(&format!(
1210        "<LastModifiedTime>{}</LastModifiedTime>",
1211        rfc3339(&f.last_modified_time)
1212    ));
1213    out.push_str("</FunctionMetadata>");
1214    out
1215}
1216
1217fn render_public_key(p: &StoredPublicKey, root: &str) -> String {
1218    let mut out = String::with_capacity(512);
1219    out.push_str(XML_DECL);
1220    out.push_str(&format!("<{root} xmlns=\"{NS}\">"));
1221    out.push_str(&format!("<Id>{}</Id>", esc(&p.id)));
1222    out.push_str(&format!(
1223        "<CreatedTime>{}</CreatedTime>",
1224        rfc3339(&p.created_time)
1225    ));
1226    out.push_str("<PublicKeyConfig>");
1227    out.push_str(&format!(
1228        "<CallerReference>{}</CallerReference>",
1229        esc(&p.config.caller_reference)
1230    ));
1231    out.push_str(&format!("<Name>{}</Name>", esc(&p.config.name)));
1232    out.push_str(&format!(
1233        "<EncodedKey>{}</EncodedKey>",
1234        esc(&p.config.encoded_key)
1235    ));
1236    if let Some(c) = &p.config.comment {
1237        out.push_str(&format!("<Comment>{}</Comment>", esc(c)));
1238    }
1239    out.push_str("</PublicKeyConfig>");
1240    out.push_str(&format!("</{root}>"));
1241    out
1242}
1243
1244fn push_key_group_inner(out: &mut String, g: &StoredKeyGroup) {
1245    out.push_str(&format!("<Id>{}</Id>", esc(&g.id)));
1246    out.push_str(&format!(
1247        "<LastModifiedTime>{}</LastModifiedTime>",
1248        rfc3339(&g.last_modified_time)
1249    ));
1250    out.push_str("<KeyGroupConfig>");
1251    out.push_str(&format!("<Name>{}</Name>", esc(&g.config.name)));
1252    out.push_str("<Items>");
1253    for k in &g.config.items.public_key {
1254        out.push_str(&format!("<PublicKey>{}</PublicKey>", esc(k)));
1255    }
1256    out.push_str("</Items>");
1257    if let Some(c) = &g.config.comment {
1258        out.push_str(&format!("<Comment>{}</Comment>", esc(c)));
1259    }
1260    out.push_str("</KeyGroupConfig>");
1261}
1262
1263fn render_key_group(g: &StoredKeyGroup, root: &str) -> String {
1264    let mut out = String::with_capacity(512);
1265    out.push_str(XML_DECL);
1266    out.push_str(&format!("<{root} xmlns=\"{NS}\">"));
1267    push_key_group_inner(&mut out, g);
1268    out.push_str(&format!("</{root}>"));
1269    out
1270}
1271
1272fn push_kvs_inner(out: &mut String, kvs: &StoredKeyValueStore) {
1273    out.push_str(&format!("<Name>{}</Name>", esc(&kvs.name)));
1274    out.push_str(&format!("<Id>{}</Id>", esc(&kvs.id)));
1275    out.push_str(&format!(
1276        "<Comment>{}</Comment>",
1277        esc(kvs.comment.as_deref().unwrap_or(""))
1278    ));
1279    out.push_str(&format!("<ARN>{}</ARN>", esc(&kvs.arn)));
1280    out.push_str(&format!("<Status>{}</Status>", esc(&kvs.status)));
1281    out.push_str(&format!(
1282        "<LastModifiedTime>{}</LastModifiedTime>",
1283        rfc3339(&kvs.last_modified_time)
1284    ));
1285}
1286
1287fn render_key_value_store(kvs: &StoredKeyValueStore, _root: &str) -> String {
1288    // SDK expects KeyValueStore as root for Create/Describe/Update.
1289    let mut out = String::with_capacity(512);
1290    out.push_str(XML_DECL);
1291    out.push_str(&format!("<KeyValueStore xmlns=\"{NS}\">"));
1292    push_kvs_inner(&mut out, kvs);
1293    out.push_str("</KeyValueStore>");
1294    out
1295}
1296
1297fn render_oai(oai: &StoredOriginAccessIdentity, root: &str) -> String {
1298    let mut out = String::with_capacity(512);
1299    out.push_str(XML_DECL);
1300    out.push_str(&format!("<{root} xmlns=\"{NS}\">"));
1301    out.push_str(&format!("<Id>{}</Id>", esc(&oai.id)));
1302    out.push_str(&format!(
1303        "<S3CanonicalUserId>{}</S3CanonicalUserId>",
1304        esc(&oai.s3_canonical_user_id)
1305    ));
1306    out.push_str("<CloudFrontOriginAccessIdentityConfig>");
1307    out.push_str(&format!(
1308        "<CallerReference>{}</CallerReference>",
1309        esc(&oai.config.caller_reference)
1310    ));
1311    out.push_str(&format!("<Comment>{}</Comment>", esc(&oai.config.comment)));
1312    out.push_str("</CloudFrontOriginAccessIdentityConfig>");
1313    out.push_str(&format!("</{root}>"));
1314    out
1315}
1316
1317fn render_monitoring(m: &StoredMonitoringSubscription) -> String {
1318    let mut out = String::with_capacity(256);
1319    out.push_str(XML_DECL);
1320    out.push_str(&format!("<MonitoringSubscription xmlns=\"{NS}\">"));
1321    out.push_str("<RealtimeMetricsSubscriptionConfig>");
1322    out.push_str(&format!(
1323        "<RealtimeMetricsSubscriptionStatus>{}</RealtimeMetricsSubscriptionStatus>",
1324        esc(&m.config.realtime_metrics_subscription_status)
1325    ));
1326    out.push_str("</RealtimeMetricsSubscriptionConfig>");
1327    out.push_str("</MonitoringSubscription>");
1328    out
1329}
1330
1331#[cfg(test)]
1332mod tests {
1333    use super::*;
1334    use crate::service::CloudFrontService;
1335    use crate::state::CloudFrontAccounts;
1336    use bytes::Bytes;
1337    use fakecloud_core::service::AwsService;
1338    use http::HeaderValue;
1339    use parking_lot::RwLock;
1340    use std::sync::Arc;
1341
1342    fn svc() -> CloudFrontService {
1343        CloudFrontService::new(Arc::new(RwLock::new(CloudFrontAccounts::new())))
1344    }
1345
1346    fn req(method: http::Method, path: &str, body: &str, if_match: Option<&str>) -> AwsRequest {
1347        let mut headers = HeaderMap::new();
1348        if let Some(v) = if_match {
1349            headers.insert(http::header::IF_MATCH, HeaderValue::from_str(v).unwrap());
1350        }
1351        AwsRequest {
1352            service: "cloudfront".into(),
1353            action: String::new(),
1354            region: "us-east-1".into(),
1355            account_id: DEFAULT_ACCOUNT.into(),
1356            request_id: uuid::Uuid::new_v4().to_string(),
1357            headers,
1358            query_params: std::collections::HashMap::new(),
1359            body_stream: parking_lot::Mutex::new(None),
1360            body: Bytes::from(body.to_string()),
1361            path_segments: path
1362                .split('/')
1363                .filter(|s| !s.is_empty())
1364                .map(String::from)
1365                .collect(),
1366            raw_path: path.into(),
1367            raw_query: String::new(),
1368            method,
1369            is_query_protocol: false,
1370            access_key_id: None,
1371            principal: None,
1372        }
1373    }
1374
1375    async fn create_function(svc: &CloudFrontService, name: &str, code: &str) -> String {
1376        let code_b64 = base64::engine::general_purpose::STANDARD.encode(code.as_bytes());
1377        let body = format!(
1378            r#"<?xml version="1.0"?>
1379<CreateFunctionRequest xmlns="{NS}">
1380  <Name>{name}</Name>
1381  <FunctionConfig>
1382    <Comment>t</Comment>
1383    <Runtime>cloudfront-js-2.0</Runtime>
1384  </FunctionConfig>
1385  <FunctionCode>{code_b64}</FunctionCode>
1386</CreateFunctionRequest>"#
1387        );
1388        let resp = svc
1389            .handle(req(http::Method::POST, "/2020-05-31/function", &body, None))
1390            .await
1391            .unwrap();
1392        assert_eq!(resp.status, StatusCode::CREATED);
1393        resp.headers
1394            .get(http::header::ETAG)
1395            .unwrap()
1396            .to_str()
1397            .unwrap()
1398            .to_string()
1399    }
1400
1401    fn test_function_request_xml(event_json: &str) -> String {
1402        test_function_request_xml_with_stage(event_json, "DEVELOPMENT")
1403    }
1404
1405    fn test_function_request_xml_with_stage(event_json: &str, stage: &str) -> String {
1406        let event_b64 = base64::engine::general_purpose::STANDARD.encode(event_json.as_bytes());
1407        format!(
1408            r#"<?xml version="1.0"?>
1409<TestFunctionRequest xmlns="{NS}">
1410  <Stage>{stage}</Stage>
1411  <EventObject>{event_b64}</EventObject>
1412</TestFunctionRequest>"#
1413        )
1414    }
1415
1416    async fn update_function(
1417        svc: &CloudFrontService,
1418        name: &str,
1419        code: &str,
1420        if_match: &str,
1421    ) -> String {
1422        let code_b64 = base64::engine::general_purpose::STANDARD.encode(code.as_bytes());
1423        let body = format!(
1424            r#"<?xml version="1.0"?>
1425<UpdateFunctionRequest xmlns="{NS}">
1426  <FunctionConfig>
1427    <Comment>t</Comment>
1428    <Runtime>cloudfront-js-2.0</Runtime>
1429  </FunctionConfig>
1430  <FunctionCode>{code_b64}</FunctionCode>
1431</UpdateFunctionRequest>"#
1432        );
1433        let resp = svc
1434            .handle(req(
1435                http::Method::PUT,
1436                &format!("/2020-05-31/function/{name}"),
1437                &body,
1438                Some(if_match),
1439            ))
1440            .await
1441            .unwrap();
1442        assert_eq!(resp.status, StatusCode::OK);
1443        resp.headers
1444            .get(http::header::ETAG)
1445            .unwrap()
1446            .to_str()
1447            .unwrap()
1448            .to_string()
1449    }
1450
1451    async fn publish_function(svc: &CloudFrontService, name: &str, if_match: &str) -> String {
1452        let resp = svc
1453            .handle(req(
1454                http::Method::POST,
1455                &format!("/2020-05-31/function/{name}/publish"),
1456                "",
1457                Some(if_match),
1458            ))
1459            .await
1460            .unwrap();
1461        assert_eq!(resp.status, StatusCode::OK);
1462        resp.headers
1463            .get(http::header::ETAG)
1464            .unwrap()
1465            .to_str()
1466            .unwrap()
1467            .to_string()
1468    }
1469
1470    #[tokio::test]
1471    async fn test_function_executes_handler_and_returns_result() {
1472        let svc = svc();
1473        let etag = create_function(
1474            &svc,
1475            "fn-ok",
1476            r#"function handler(event) { event.headers.x = "y"; return event; }"#,
1477        )
1478        .await;
1479        let body = test_function_request_xml(r#"{"headers":{}}"#);
1480        let resp = svc
1481            .handle(req(
1482                http::Method::POST,
1483                "/2020-05-31/function/fn-ok/test",
1484                &body,
1485                Some(&etag),
1486            ))
1487            .await
1488            .unwrap();
1489        assert_eq!(resp.status, StatusCode::OK);
1490        let xml = std::str::from_utf8(resp.body.expect_bytes()).unwrap();
1491        assert!(
1492            xml.contains("&quot;x&quot;:&quot;y&quot;"),
1493            "expected x:y in FunctionOutput, got {xml}"
1494        );
1495        assert!(xml.contains("<FunctionErrorMessage></FunctionErrorMessage>"));
1496    }
1497
1498    #[tokio::test]
1499    async fn test_function_propagates_js_error_into_message() {
1500        let svc = svc();
1501        let etag = create_function(
1502            &svc,
1503            "fn-err",
1504            r#"function handler() { throw new Error("boom"); }"#,
1505        )
1506        .await;
1507        let body = test_function_request_xml("{}");
1508        let resp = svc
1509            .handle(req(
1510                http::Method::POST,
1511                "/2020-05-31/function/fn-err/test",
1512                &body,
1513                Some(&etag),
1514            ))
1515            .await
1516            .unwrap();
1517        assert_eq!(resp.status, StatusCode::OK);
1518        let xml = std::str::from_utf8(resp.body.expect_bytes()).unwrap();
1519        assert!(
1520            xml.contains("boom"),
1521            "expected boom in error msg, got {xml}"
1522        );
1523        assert!(xml.contains("<FunctionOutput></FunctionOutput>"));
1524    }
1525
1526    #[tokio::test]
1527    async fn test_function_unknown_name_returns_error() {
1528        let svc = svc();
1529        let body = test_function_request_xml("{}");
1530        let err = match svc
1531            .handle(req(
1532                http::Method::POST,
1533                "/2020-05-31/function/missing/test",
1534                &body,
1535                Some("E0"),
1536            ))
1537            .await
1538        {
1539            Err(e) => e,
1540            Ok(_) => panic!("expected NoSuchFunctionExists, got Ok"),
1541        };
1542        assert_eq!(err.status(), StatusCode::NOT_FOUND);
1543        assert_eq!(err.code(), "NoSuchFunctionExists");
1544    }
1545
1546    #[tokio::test]
1547    async fn test_function_modifies_aws_request_shape() {
1548        // Mirrors the canonical CloudFront Functions example from the
1549        // AWS docs: handler rewrites a request header and returns the
1550        // request, fakecloud passes the JSON shape straight through.
1551        let svc = svc();
1552        let etag = create_function(
1553            &svc,
1554            "fn-aws-shape",
1555            r#"function handler(event) { event.request.headers["x-foo"] = {value: "bar"}; return event.request; }"#,
1556        )
1557        .await;
1558        let body = test_function_request_xml(
1559            r#"{"version":"1.0","context":{},"viewer":{},"request":{"method":"GET","uri":"/","querystring":{},"headers":{},"cookies":{}}}"#,
1560        );
1561        let resp = svc
1562            .handle(req(
1563                http::Method::POST,
1564                "/2020-05-31/function/fn-aws-shape/test",
1565                &body,
1566                Some(&etag),
1567            ))
1568            .await
1569            .unwrap();
1570        assert_eq!(resp.status, StatusCode::OK);
1571        let xml = std::str::from_utf8(resp.body.expect_bytes()).unwrap();
1572        assert!(
1573            xml.contains("x-foo"),
1574            "expected request header rewrite in output, got {xml}"
1575        );
1576        assert!(
1577            xml.contains("bar"),
1578            "expected header value in output, got {xml}"
1579        );
1580        assert!(
1581            xml.contains("<FunctionErrorMessage></FunctionErrorMessage>"),
1582            "expected empty error, got {xml}"
1583        );
1584    }
1585
1586    #[tokio::test]
1587    async fn test_function_logs_error_and_marks_compute_over_100() {
1588        let svc = svc();
1589        let etag = create_function(
1590            &svc,
1591            "fn-throws",
1592            r#"function handler() { throw new Error("kaboom"); }"#,
1593        )
1594        .await;
1595        let body = test_function_request_xml("{}");
1596        let resp = svc
1597            .handle(req(
1598                http::Method::POST,
1599                "/2020-05-31/function/fn-throws/test",
1600                &body,
1601                Some(&etag),
1602            ))
1603            .await
1604            .unwrap();
1605        assert_eq!(resp.status, StatusCode::OK);
1606        let xml = std::str::from_utf8(resp.body.expect_bytes()).unwrap();
1607        // Error appears in both the dedicated message and in the logs
1608        assert!(xml.contains("kaboom"), "expected kaboom in body, got {xml}");
1609        assert!(
1610            xml.contains("<FunctionExecutionLogs>")
1611                && xml.contains("<member>ERROR: ")
1612                && xml.contains("kaboom"),
1613            "expected error log line, got {xml}"
1614        );
1615        // ComputeUtilization is rendered as a plain integer; on failure
1616        // we saturate past 100.
1617        let cu_open = xml.find("<ComputeUtilization>").unwrap() + "<ComputeUtilization>".len();
1618        let cu_close = xml.find("</ComputeUtilization>").unwrap();
1619        let pct: u32 = xml[cu_open..cu_close].parse().unwrap();
1620        assert!(pct > 100, "expected pct > 100 on error, got {pct}");
1621    }
1622
1623    #[tokio::test]
1624    async fn test_function_stage_selects_published_or_development_code() {
1625        // Publish freezes a copy of the code; subsequent UpdateFunction
1626        // mutates DEVELOPMENT but leaves LIVE pinned to the published
1627        // snapshot. Each stage's TestFunction must run the matching
1628        // version.
1629        let svc = svc();
1630        let etag =
1631            create_function(&svc, "fn-stage", r#"function handler() { return "v1"; }"#).await;
1632        let pub_etag = publish_function(&svc, "fn-stage", &etag).await;
1633        let _new_etag = update_function(
1634            &svc,
1635            "fn-stage",
1636            r#"function handler() { return "v2"; }"#,
1637            &pub_etag,
1638        )
1639        .await;
1640
1641        // DEVELOPMENT runs v2 (the latest update body).
1642        let dev_body = test_function_request_xml_with_stage("{}", "DEVELOPMENT");
1643        let resp = svc
1644            .handle(req(
1645                http::Method::POST,
1646                "/2020-05-31/function/fn-stage/test",
1647                &dev_body,
1648                Some("E_NOT_MATCHING"),
1649            ))
1650            .await;
1651        // We deliberately allow stale If-Match here so we exercise the
1652        // stage path; the precondition fires before we get to JS, so
1653        // grab the latest etag and retry.
1654        assert!(resp.is_err(), "stale If-Match must be rejected");
1655        let described = svc
1656            .handle(req(
1657                http::Method::GET,
1658                "/2020-05-31/function/fn-stage",
1659                "",
1660                None,
1661            ))
1662            .await
1663            .unwrap();
1664        let live_etag = described
1665            .headers
1666            .get(http::header::ETAG)
1667            .unwrap()
1668            .to_str()
1669            .unwrap()
1670            .to_string();
1671
1672        let dev_resp = svc
1673            .handle(req(
1674                http::Method::POST,
1675                "/2020-05-31/function/fn-stage/test",
1676                &dev_body,
1677                Some(&live_etag),
1678            ))
1679            .await
1680            .unwrap();
1681        let dev_xml = std::str::from_utf8(dev_resp.body.expect_bytes()).unwrap();
1682        assert!(
1683            dev_xml.contains("&quot;v2&quot;"),
1684            "DEVELOPMENT should run latest update (v2), got {dev_xml}"
1685        );
1686
1687        // LIVE runs v1 (the published snapshot, not affected by the
1688        // post-publish update).
1689        let live_body = test_function_request_xml_with_stage("{}", "LIVE");
1690        let live_resp = svc
1691            .handle(req(
1692                http::Method::POST,
1693                "/2020-05-31/function/fn-stage/test",
1694                &live_body,
1695                Some(&live_etag),
1696            ))
1697            .await
1698            .unwrap();
1699        let live_xml = std::str::from_utf8(live_resp.body.expect_bytes()).unwrap();
1700        assert!(
1701            live_xml.contains("&quot;v1&quot;"),
1702            "LIVE should run published snapshot (v1), got {live_xml}"
1703        );
1704    }
1705
1706    #[tokio::test]
1707    async fn test_function_infinite_loop_is_killed() {
1708        let svc = svc();
1709        let etag = create_function(&svc, "fn-loop", r#"function handler() { while(1){} }"#).await;
1710        let body = test_function_request_xml("{}");
1711        let resp = svc
1712            .handle(req(
1713                http::Method::POST,
1714                "/2020-05-31/function/fn-loop/test",
1715                &body,
1716                Some(&etag),
1717            ))
1718            .await
1719            .unwrap();
1720        assert_eq!(resp.status, StatusCode::OK);
1721        let xml = std::str::from_utf8(resp.body.expect_bytes()).unwrap();
1722        assert!(
1723            xml.contains("<FunctionOutput></FunctionOutput>"),
1724            "expected empty output, got {xml}"
1725        );
1726        assert!(
1727            xml.contains("ERROR:") && xml.contains("limit"),
1728            "expected timeout/limit error in logs, got {xml}"
1729        );
1730        let cu_open = xml.find("<ComputeUtilization>").unwrap() + "<ComputeUtilization>".len();
1731        let cu_close = xml.find("</ComputeUtilization>").unwrap();
1732        let pct: u32 = xml[cu_open..cu_close].parse().unwrap();
1733        assert!(pct > 100, "expected pct > 100 after kill, got {pct}");
1734    }
1735}