type checks to class constructors and methods (#637)

* type checks to class constructors and methods

* modify grant token initialization

Author: nvobilis

modules/branch-keystore-node/src/branch_keystore.ts

@@ -1,7 +1,7 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { KmsConfig, RegionalKmsConfig } from './kms_config'
+import { isKmsConfig, KmsConfig, RegionalKmsConfig } from './kms_config'
 import { KMSClient } from '@aws-sdk/client-kms'
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
 import {
@@ -54,7 +54,7 @@ export interface IBranchKeyStoreNode {
   kmsClient: KMSClient
   ddbClient: DynamoDBClient
   keyStoreId: string
-  grantTokens: ReadonlyArray<string>
+  grantTokens?: ReadonlyArray<string>
 
   getActiveBranchKey(branchKeyId: string): Promise<NodeBranchKeyMaterial>
   getBranchKeyVersion(
@@ -70,7 +70,7 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
   public declare kmsClient: KMSClient
   public declare ddbClient: DynamoDBClient
   public declare keyStoreId: string
-  public declare grantTokens: ReadonlyArray<string>
+  public declare grantTokens?: ReadonlyArray<string>
 
   constructor({
     ddbTableName,
@@ -81,18 +81,67 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     keyStoreId,
     grantTokens,
   }: BranchKeyStoreNodeInput) {
+    /* Precondition: DDB table name must be a string */
+    needs(typeof ddbTableName === 'string', 'DDB table name must be a string')
+
+    /* Precondition: Logical keystore name must be a string */
+    needs(
+      typeof logicalKeyStoreName === 'string',
+      'Logical keystore name must be a string'
+    )
+
+    /* Precondition: KMS Configuration must be SRK */
+    needs(isKmsConfig(kmsConfiguration), 'KMS Configuration must be SRK')
+
+    /* Precondition: KMS client must be a KMSClient */
+    if (kmsClient) {
+      needs(kmsClient instanceof KMSClient, 'KMS client must be a KMSClient')
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      kmsClient = undefined
+    }
+
+    /* Precondition: DDB client must be a DynamoDBClient */
+    if (ddbClient) {
+      needs(
+        ddbClient instanceof DynamoDBClient,
+        'DDB client must be a DynamoDBClient'
+      )
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      ddbClient = undefined
+    }
+
+    /* Precondition: Keystore id must be a string */
+    if (keyStoreId) {
+      needs(typeof keyStoreId === 'string', 'Keystore id must be a string')
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      keyStoreId = undefined
+    }
+
+    /* Precondition: Grant tokens must be a string array */
+    if (grantTokens) {
+      needs(
+        Array.isArray(grantTokens) &&
+          grantTokens.every((grantToken) => typeof grantToken === 'string'),
+        'Grant tokens must be a string array'
+      )
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      grantTokens = undefined
+    }
+
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#keystore-id
     //# The Identifier for this KeyStore.
     //# If one is not supplied, then a [version 4 UUID](https://www.ietf.org/rfc/rfc4122.txt) MUST be used.
     readOnlyProperty(this, 'keyStoreId', keyStoreId ? keyStoreId : v4())
+    /* Postcondition: If unprovided, the keystore id is a generated valid uuidv4 */
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-grant-tokens
     //# A list of AWS KMS [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
-    readOnlyProperty(
-      this,
-      'grantTokens',
-      Object.freeze(grantTokens ? grantTokens : [])
-    )
+    readOnlyProperty(this, 'grantTokens', grantTokens)
+    /* Postcondition: If unprovided, the grant tokens are undefined */
 
     needs(kmsConfiguration, 'AWS KMS Configuration required')
     readOnlyProperty(this, 'kmsConfiguration', Object.freeze(kmsConfiguration))
@@ -125,6 +174,7 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
           region: (this.kmsConfiguration as RegionalKmsConfig).getRegion(),
         })
     )
+    /* Postcondition: If unprovided, the DDB client is configured */
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#kms-client
     //# The KMS Client used when wrapping and unwrapping keys.
@@ -159,6 +209,7 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
           customUserAgent: KMS_CLIENT_USER_AGENT,
         })
     )
+    /* Postcondition: If unprovided, the KMS client is configured */
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#table-name
     //# The table name of the DynamoDb table that backs this Keystore.
@@ -223,7 +274,10 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     //# On invocation, the caller:
 
     //# - MUST supply a `branch-key-id`
-    needs(branchKeyId, 'MUST supply a branch key id')
+    needs(
+      branchKeyId && typeof branchKeyId === 'string',
+      'MUST supply a string branch key id'
+    )
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#getactivebranchkey
     //# To get the active version for the branch key id from the keystore
@@ -244,9 +298,13 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 
     //# - MUST supply a `branch-key-id`
     //# - MUST supply a `branchKeyVersion`
+    needs(
+      branchKeyId && typeof branchKeyId === 'string',
+      'MUST supply a string branch key id'
+    )
     needs(
       branchKeyId && branchKeyVersion,
-      'MUST supply a branch key id and branch key version'
+      'MUST supply a string branch key version'
     )
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
@@ -260,3 +318,10 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 }
 
 immutableClass(BranchKeyStoreNode)
+
+// type guard
+export function isIBranchKeyStoreNode(
+  keyStore: any
+): keyStore is BranchKeyStoreNode {
+  return keyStore instanceof BranchKeyStoreNode
+}

modules/branch-keystore-node/src/branch_keystore_helpers.ts

@@ -269,7 +269,7 @@ export async function decryptBranchKey(
       KeyId: (kmsConfiguration as KmsKeyArnConfig).getArn(), // make this type casting assumption since only SRK Compatibility is supported currently
       CiphertextBlob: branchKeyRecord[BRANCH_KEY_FIELD],
       EncryptionContext: authenticatedEncryptionContext,
-      GrantTokens: grantTokens.slice(),
+      GrantTokens: grantTokens ? grantTokens.slice() : grantTokens,
     })
   )
 

modules/branch-keystore-node/src/kms_config.ts

@@ -37,6 +37,9 @@ export abstract class KmsKeyArnConfig implements RegionalKmsConfig {
   //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
   //# that is a KMS ARN.
   constructor(arn: string) {
+    /* Precondition: ARN must be a string */
+    needs(typeof arn === 'string', 'ARN must be a string')
+
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
     //# This ARN MUST NOT be an Alias.
     //# This ARN MUST be a valid
@@ -76,3 +79,7 @@ export class SrkCompatibilityKmsConfig extends KmsKeyArnConfig {
     return this.getArn() === otherArn
   }
 }
+
+export function isKmsConfig(config: any): config is SrkCompatibilityKmsConfig {
+  return config instanceof SrkCompatibilityKmsConfig
+}

modules/branch-keystore-node/test/branch_keystore.test.ts

@@ -2,7 +2,10 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import chai, { expect } from 'chai'
-import { BranchKeyStoreNode } from '../src/branch_keystore'
+import {
+  BranchKeyStoreNode,
+  isIBranchKeyStoreNode,
+} from '../src/branch_keystore'
 import { validate, v4, version } from 'uuid'
 import chaiAsPromised from 'chai-as-promised'
 import {
@@ -36,6 +39,12 @@ import {
 
 chai.use(chaiAsPromised)
 describe('Test Branch keystore', () => {
+  it('Test type guard', () => {
+    for (const keyStore of [null, undefined, 0, {}, '']) {
+      expect(isIBranchKeyStoreNode(keyStore as any)).to.be.false
+    }
+  })
+
   describe('Test constructor', () => {
     const KMS_CONFIGURATION = new SrkCompatibilityKmsConfig(KEY_ARN)
 
@@ -56,6 +65,139 @@ describe('Test Branch keystore', () => {
       kmsConfiguration: KMS_CONFIGURATION,
     })
 
+    const falseyValues = [false, 0, -0, 0n, '', null, undefined, NaN]
+    const truthyValues = [[3, [], true], {}, 1, true, 'string']
+
+    it('Precondition: DDB table name must be a string', () => {
+      // all types of values except strings
+      const badVals = [...falseyValues, ...truthyValues].filter(
+        (v) => typeof v !== 'string'
+      )
+
+      for (const ddbTableName of badVals) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: ddbTableName as any,
+              logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+              kmsConfiguration: KMS_CONFIGURATION,
+            })
+        ).to.throw('DDB table name must be a string')
+      }
+    })
+
+    it('Precondition: Logical keystore name must be a string', () => {
+      // all types of values except strings
+      const badVals = [...falseyValues, ...truthyValues].filter(
+        (v) => typeof v !== 'string'
+      )
+
+      for (const logicalKeyStoreName of badVals) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: DDB_TABLE_NAME,
+              logicalKeyStoreName: logicalKeyStoreName as any,
+              kmsConfiguration: KMS_CONFIGURATION,
+            })
+        ).to.throw('Logical keystore name must be a string')
+      }
+    })
+
+    it('Precondition: KMS Configuration must be SRK', () => {
+      // all types of values
+      const badVals = [...falseyValues, ...truthyValues]
+
+      for (const kmsConfiguration of badVals) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: DDB_TABLE_NAME,
+              logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+              kmsConfiguration: kmsConfiguration as any,
+            })
+        ).to.throw('KMS Configuration must be SRK')
+      }
+    })
+
+    it('Precondition: KMS client must be a KMSClient', () => {
+      // only truthy values because KMS client may be falsey
+      for (const kmsClient of truthyValues) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: DDB_TABLE_NAME,
+              logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+              kmsConfiguration: KMS_CONFIGURATION,
+              kmsClient: kmsClient as any,
+            })
+        ).to.throw('KMS client must be a KMSClient')
+      }
+    })
+
+    it('Precondition: DDB client must be a DynamoDBClient', () => {
+      // only truthy values because DDB client may be falsey
+      for (const ddbClient of truthyValues) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: DDB_TABLE_NAME,
+              logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+              kmsConfiguration: KMS_CONFIGURATION,
+              ddbClient: ddbClient as any,
+            })
+        ).to.throw('DDB client must be a DynamoDBClient')
+      }
+    })
+
+    it('Precondition: Keystore id must be a string', () => {
+      // only truthy values that are not strings because keystore id may be
+      // falsey
+      const badVals = truthyValues.filter((v) => typeof v !== 'string')
+      for (const keyStoreId of badVals) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: DDB_TABLE_NAME,
+              logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+              kmsConfiguration: KMS_CONFIGURATION,
+              keyStoreId: keyStoreId as any,
+            })
+        ).to.throw('Keystore id must be a string')
+      }
+    })
+
+    it('Precondition: Grant tokens must be a string array', () => {
+      // use only truthy values because grantTokens may be falsey
+      for (const grantTokens of truthyValues) {
+        expect(
+          () =>
+            new BranchKeyStoreNode({
+              ddbTableName: DDB_TABLE_NAME,
+              logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+              kmsConfiguration: KMS_CONFIGURATION,
+              grantTokens: grantTokens as any,
+            })
+        ).to.throw('Grant tokens must be a string array')
+      }
+    })
+
+    //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-grant-tokens
+    //= type=test
+    //# A list of AWS KMS [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
+    it('Postcondition: If unprovided, the grant tokens are undefined', () => {
+      for (const grantTokens of falseyValues) {
+        expect(
+          new BranchKeyStoreNode({
+            ddbTableName: DDB_TABLE_NAME,
+            logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+            kmsConfiguration: KMS_CONFIGURATION,
+            grantTokens: grantTokens as any,
+          }).grantTokens
+        ).to.equal(undefined)
+      }
+    })
+
     it('Invalid KmsKeyArn config', () => {
       const kmsClient = new KMSClient({})
       const ddbClient = new DynamoDBClient({})
@@ -151,18 +293,17 @@ describe('Test Branch keystore', () => {
     //= type=test
     //# The Identifier for this KeyStore.
     //# If one is not supplied, then a [version 4 UUID](https://www.ietf.org/rfc/rfc4122.txt) MUST be used.
-    it('Keystore ID not provided', () => {
-      expect(
-        validate(BRANCH_KEYSTORE.keyStoreId) &&
-          version(BRANCH_KEYSTORE.keyStoreId) === 4
-      ).equals(true)
-    })
+    it('Postcondition: If unprovided, the keystore id is a generated valid uuidv4', () => {
+      for (const keyStoreId of falseyValues) {
+        const { keyStoreId: id } = new BranchKeyStoreNode({
+          ddbTableName: DDB_TABLE_NAME,
+          logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+          kmsConfiguration: KMS_CONFIGURATION,
+          keyStoreId: keyStoreId as any,
+        })
 
-    //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-grant-tokens
-    //= type=test
-    //# A list of AWS KMS [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
-    it('Grant tokens not provided', () => {
-      expect(BRANCH_KEYSTORE.grantTokens).deep.equals([])
+        expect(validate(id) && version(id) === 4).equals(true)
+      }
     })
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#dynamodb-client
@@ -180,12 +321,19 @@ describe('Test Branch keystore', () => {
     //# and no DynamoDb Client is provided,
     //# a new DynamoDb Client MUST be created
     //# with the region configured in the MRDiscovery.
-    describe('DDB Client not provided', () => {
-      it('KMS config is not discovery', async () => {
-        expect(await BRANCH_KEYSTORE.ddbClient.config.region()).to.equal(
+    it('Postcondition: If unprovided, the DDB client is configured', async () => {
+      for (const ddbClient of falseyValues) {
+        const { ddbClient: client } = new BranchKeyStoreNode({
+          ddbTableName: DDB_TABLE_NAME,
+          logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+          kmsConfiguration: KMS_CONFIGURATION,
+          ddbClient: ddbClient as any,
+        })
+
+        expect(await client.config.region()).to.equal(
           getRegionFromIdentifier(KEY_ARN)
         )
-      })
+      }
     })
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#kms-client
@@ -206,12 +354,19 @@ describe('Test Branch keystore', () => {
     //# On initialization the KeyStore SHOULD
     //# append a user agent string to the AWS KMS SDK Client with
     //# the value `aws-kms-hierarchy`.
-    describe('KMS Client not provided', () => {
-      it('KMS config is not discovery', async () => {
-        expect(await BRANCH_KEYSTORE.kmsClient.config.region()).to.equal(
+    it('Postcondition: If unprovided, the KMS client is configured', async () => {
+      for (const kmsClient of falseyValues) {
+        const { kmsClient: client } = new BranchKeyStoreNode({
+          ddbTableName: DDB_TABLE_NAME,
+          logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
+          kmsConfiguration: KMS_CONFIGURATION,
+          kmsClient: kmsClient as any,
+        })
+
+        expect(await client.config.region()).to.equal(
           getRegionFromIdentifier(KEY_ARN)
         )
-      })
+      }
     })
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#table-name
@@ -249,10 +404,6 @@ describe('Test Branch keystore', () => {
     })
 
     describe('Test proper init', () => {
-      it('Grant tokens are immutable', () => {
-        expect(Object.isFrozen(BRANCH_KEYSTORE.grantTokens)).equals(true)
-      })
-
       it('KMS Configuration is immutable', () => {
         expect(Object.isFrozen(BRANCH_KEYSTORE.kmsConfiguration)).equals(true)
       })
@@ -310,9 +461,17 @@ describe('Test Branch keystore', () => {
     //= type=test
     //# On invocation, the caller:
     //# - MUST supply a `branch-key-id`
-    void (await expect(keyStore.getActiveBranchKey('')).to.be.rejectedWith(
-      'MUST supply a branch key id'
-    ))
+    await expect(keyStore.getActiveBranchKey('')).to.be.rejectedWith(
+      'MUST supply a string branch key id'
+    )
+
+    // test type checks
+    await expect(
+      keyStore.getActiveBranchKey(undefined as any)
+    ).to.be.rejectedWith('MUST supply a string branch key id')
+    await expect(keyStore.getActiveBranchKey(null as any)).to.be.rejectedWith(
+      'MUST supply a string branch key id'
+    )
 
     const branchKeyMaterials = await keyStore.getActiveBranchKey(BRANCH_KEY_ID)
     expect(branchKeyMaterials.branchKeyIdentifier).equals(BRANCH_KEY_ID)
@@ -340,12 +499,26 @@ describe('Test Branch keystore', () => {
     //# On invocation, the caller:
     //# - MUST supply a `branch-key-id`
     //# - MUST supply a `branchKeyVersion`
-    void (await expect(
+    await expect(
       keyStore.getBranchKeyVersion('', BRANCH_KEY_ACTIVE_VERSION)
-    ).to.be.rejectedWith('MUST supply a branch key id'))
-    void (await expect(
+    ).to.be.rejectedWith('MUST supply a string branch key id')
+    await expect(
       keyStore.getBranchKeyVersion(BRANCH_KEY_ID, '')
-    ).to.be.rejectedWith('MUST supply a branch key id'))
+    ).to.be.rejectedWith('MUST supply a string branch key version')
+
+    // test type checks
+    await expect(
+      keyStore.getBranchKeyVersion(undefined as any, BRANCH_KEY_ACTIVE_VERSION)
+    ).to.be.rejectedWith('MUST supply a string branch key id')
+    await expect(
+      keyStore.getBranchKeyVersion(null as any, BRANCH_KEY_ACTIVE_VERSION)
+    ).to.be.rejectedWith('MUST supply a string branch key id')
+    await expect(
+      keyStore.getBranchKeyVersion(BRANCH_KEY_ID, undefined as any)
+    ).to.be.rejectedWith('MUST supply a string branch key version')
+    await expect(
+      keyStore.getBranchKeyVersion(BRANCH_KEY_ID, null as any)
+    ).to.be.rejectedWith('MUST supply a string branch key version')
 
     const branchKeyMaterials = await keyStore.getBranchKeyVersion(
       BRANCH_KEY_ID,

modules/branch-keystore-node/test/branch_keystore_helpers.test.ts

@@ -528,7 +528,6 @@ describe('Test keystore helpers', () => {
           KeyId: configArn,
           CiphertextBlob: activeBranchKeyRecord[BRANCH_KEY_FIELD],
           EncryptionContext: activeAuthEc,
-          GrantTokens: BRANCH_KEYSTORE.grantTokens.slice(),
         })
       )
       const expectedActiveBranchKey = Buffer.from(
@@ -550,7 +549,6 @@ describe('Test keystore helpers', () => {
           KeyId: configArn,
           CiphertextBlob: VERSION_BRANCH_KEY[BRANCH_KEY_FIELD],
           EncryptionContext: VERSION_BRANCH_AUTHENTICATED_ENCRYPTION_CONTEXT,
-          GrantTokens: BRANCH_KEYSTORE.grantTokens.slice(),
         })
       )
       const expectedVersionedBranchKey = Buffer.from(
@@ -648,7 +646,6 @@ describe('Test keystore helpers', () => {
           KeyId: configArn,
           CiphertextBlob: activeBranchKeyRecord[BRANCH_KEY_FIELD],
           EncryptionContext: activeAuthEc,
-          GrantTokens: branchKeyStore.grantTokens.slice(),
         })
       )
       const expectedActiveBranchKey = Buffer.from(
@@ -660,7 +657,6 @@ describe('Test keystore helpers', () => {
           KeyId: configArn,
           CiphertextBlob: versionedBranchKeyRecord[BRANCH_KEY_FIELD],
           EncryptionContext: versionedAuthEc,
-          GrantTokens: branchKeyStore.grantTokens.slice(),
         })
       )
       const expectedVersionedBranchKey = Buffer.from(

modules/branch-keystore-node/test/kms_config.test.ts

@@ -7,6 +7,7 @@ import {
   RegionalKmsConfig,
   KmsConfig,
   KmsKeyArnConfig,
+  isKmsConfig,
 } from '../src/kms_config'
 
 function supplySrkKmsConfig(arn: string): KmsConfig {
@@ -27,88 +28,100 @@ export const WELL_FORMED_SRK_ALIAS_ARN =
 export const WELL_FORMED_MRK_ALIAS_ARN =
   'arn:aws:kms:us-west-2:123456789012:alias/mrk/my-mrk-alias'
 
-describe('Test kms config', () => {
-  describe('Test SrkCompatibilityKmsConfig class', () => {
-    describe('Given a well formed SRK arn', () => {
-      //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
-      //= type=test
-      //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
-      //# that is a KMS ARN.
-      const config = supplySrkKmsConfig(WELL_FORMED_SRK_ARN)
-
-      it('Test getRegion', () => {
-        expect((config as RegionalKmsConfig).getRegion()).equals('us-west-2')
-      })
+describe('Test SrkCompatibilityKmsConfig class', () => {
+  it('Precondition: ARN must be a string', () => {
+    for (const arn of [null, undefined, 0, {}]) {
+      expect(() => supplySrkKmsConfig(arn as any)).to.throw(
+        'ARN must be a string'
+      )
+    }
+  })
 
-      it('Test getArn', () => {
-        expect((config as KmsKeyArnConfig).getArn()).equals(WELL_FORMED_SRK_ARN)
-      })
+  it('Type gaurd function', () => {
+    for (const config of [null, undefined, 0, {}, '']) {
+      expect(isKmsConfig(config as any)).to.be.false
+    }
+  })
 
-      //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
-      //= type=test
-      //# For two ARNs to be compatible:
-
-      //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
-      //# then two ARNs are compatible if they are exactly equal.
-      describe('Test isCompatibleWithArn', () => {
-        it('Given an equal arn', () => {
-          expect(config.isCompatibleWithArn(WELL_FORMED_SRK_ARN)).equals(true)
-        })
-
-        it('Given a non-equal arn', () => {
-          expect(config.isCompatibleWithArn(WELL_FORMED_SRK_ALIAS_ARN)).equals(
-            false
-          )
-        })
-      })
+  describe('Given a well formed SRK arn', () => {
+    //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
+    //= type=test
+    //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
+    //# that is a KMS ARN.
+    const config = supplySrkKmsConfig(WELL_FORMED_SRK_ARN)
+
+    it('Test getRegion', () => {
+      expect((config as RegionalKmsConfig).getRegion()).equals('us-west-2')
     })
 
-    describe('Given a well formed MRK arn', () => {
-      const config = supplySrkKmsConfig(WELL_FORMED_MRK_ARN)
+    it('Test getArn', () => {
+      expect((config as KmsKeyArnConfig).getArn()).equals(WELL_FORMED_SRK_ARN)
+    })
 
-      it('Test getRegion', () => {
-        expect((config as RegionalKmsConfig).getRegion()).equals('us-west-2')
-      })
+    //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
+    //= type=test
+    //# For two ARNs to be compatible:
 
-      it('Test getArn', () => {
-        expect((config as KmsKeyArnConfig).getArn()).equals(WELL_FORMED_MRK_ARN)
+    //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
+    //# then two ARNs are compatible if they are exactly equal.
+    describe('Test isCompatibleWithArn', () => {
+      it('Given an equal arn', () => {
+        expect(config.isCompatibleWithArn(WELL_FORMED_SRK_ARN)).equals(true)
       })
 
-      describe('Test isCompatibleWithArn', () => {
-        it('Given an equal arn', () => {
-          expect(config.isCompatibleWithArn(WELL_FORMED_MRK_ARN)).equals(true)
-        })
-
-        it('Given a non-equal arn', () => {
-          expect(config.isCompatibleWithArn(WELL_FORMED_MRK_ALIAS_ARN)).equals(
-            false
-          )
-        })
+      it('Given a non-equal arn', () => {
+        expect(config.isCompatibleWithArn(WELL_FORMED_SRK_ALIAS_ARN)).equals(
+          false
+        )
       })
     })
+  })
 
-    //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
-    //= type=test
-    //# This ARN MUST NOT be an Alias.
-    //# This ARN MUST be a valid
-    //# [AWS KMS Key ARN](./aws-kms/aws-kms-key-arn.md#a-valid-aws-kms-arn).
-    it('Given arns that are not parseable AWS KMS arns', () => {
-      expect(() => supplySrkKmsConfig(MALFORMED_ARN)).to.throw('Malformed arn.')
-      expect(() => supplySrkKmsConfig(ONE_PART_ARN)).to.throw(
-        `${ONE_PART_ARN} must be a well-formed AWS KMS non-alias resource arn`
-      )
+  describe('Given a well formed MRK arn', () => {
+    const config = supplySrkKmsConfig(WELL_FORMED_MRK_ARN)
+
+    it('Test getRegion', () => {
+      expect((config as RegionalKmsConfig).getRegion()).equals('us-west-2')
     })
 
-    it('Given a well formed SRK alias arn', () => {
-      expect(() => supplySrkKmsConfig(WELL_FORMED_SRK_ALIAS_ARN)).to.throw(
-        `${WELL_FORMED_SRK_ALIAS_ARN} must be a well-formed AWS KMS non-alias resource arn`
-      )
+    it('Test getArn', () => {
+      expect((config as KmsKeyArnConfig).getArn()).equals(WELL_FORMED_MRK_ARN)
     })
 
-    it('Given a well formed MRK alias arn', () => {
-      expect(() => supplySrkKmsConfig(WELL_FORMED_MRK_ALIAS_ARN)).to.throw(
-        `${WELL_FORMED_MRK_ALIAS_ARN} must be a well-formed AWS KMS non-alias resource arn`
-      )
+    describe('Test isCompatibleWithArn', () => {
+      it('Given an equal arn', () => {
+        expect(config.isCompatibleWithArn(WELL_FORMED_MRK_ARN)).equals(true)
+      })
+
+      it('Given a non-equal arn', () => {
+        expect(config.isCompatibleWithArn(WELL_FORMED_MRK_ALIAS_ARN)).equals(
+          false
+        )
+      })
     })
   })
+
+  //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
+  //= type=test
+  //# This ARN MUST NOT be an Alias.
+  //# This ARN MUST be a valid
+  //# [AWS KMS Key ARN](./aws-kms/aws-kms-key-arn.md#a-valid-aws-kms-arn).
+  it('Given arns that are not parseable AWS KMS arns', () => {
+    expect(() => supplySrkKmsConfig(MALFORMED_ARN)).to.throw('Malformed arn.')
+    expect(() => supplySrkKmsConfig(ONE_PART_ARN)).to.throw(
+      `${ONE_PART_ARN} must be a well-formed AWS KMS non-alias resource arn`
+    )
+  })
+
+  it('Given a well formed SRK alias arn', () => {
+    expect(() => supplySrkKmsConfig(WELL_FORMED_SRK_ALIAS_ARN)).to.throw(
+      `${WELL_FORMED_SRK_ALIAS_ARN} must be a well-formed AWS KMS non-alias resource arn`
+    )
+  })
+
+  it('Given a well formed MRK alias arn', () => {
+    expect(() => supplySrkKmsConfig(WELL_FORMED_MRK_ALIAS_ARN)).to.throw(
+      `${WELL_FORMED_MRK_ALIAS_ARN} must be a well-formed AWS KMS non-alias resource arn`
+    )
+  })
 })

modules/kms-keyring/src/branch_key_id_supplier.ts

@@ -10,3 +10,14 @@ import { EncryptionContext } from '@aws-crypto/material-management'
 export interface BranchKeyIdSupplier {
   getBranchKeyId(encryptionContext: EncryptionContext): string
 }
+
+// type guard
+export function isBranchKeyIdSupplier(
+  supplier: any
+): supplier is BranchKeyIdSupplier {
+  return (
+    typeof supplier === 'object' &&
+    supplier !== null &&
+    typeof supplier.getBranchKeyId === 'function'
+  )
+}

modules/kms-keyring/test/branch_key_id_supplier.test.ts

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import { EncryptionContext } from '@aws-crypto/material-management'
-import { BranchKeyIdSupplier } from '../src'
+import { BranchKeyIdSupplier, isBranchKeyIdSupplier } from '../src'
 import { expect } from 'chai'
 
 describe('Branch key id supplier', () => {
@@ -20,4 +20,10 @@ describe('Branch key id supplier', () => {
 
     expect(new Example().getBranchKeyId({})).to.equal('')
   })
+
+  it('Type guard', () => {
+    expect(isBranchKeyIdSupplier(undefined as any)).to.be.false
+    expect(isBranchKeyIdSupplier(null as any)).to.be.false
+    expect(isBranchKeyIdSupplier({} as any)).to.be.false
+  })
 })

modules/material-management/src/cryptographic_material.ts

@@ -151,15 +151,30 @@ export class NodeBranchKeyMaterial implements BranchKeyMaterial {
     branchKeyVersion: string,
     encryptionContext: EncryptionContext
   ) {
-    /* Precondition: branchKey must be a 32 byte-long buffer */
-    needs(branchKey.length === 32, 'Branch key must be 32 bytes long')
+    /* Precondition: Branch key must be a Buffer */
+    needs(branchKey instanceof Buffer, 'Branch key must be a Buffer')
+
+    /* Precondition: Branch key id must be a string */
+    needs(
+      typeof branchKeyIdentifier === 'string',
+      'Branch key id must be a string'
+    )
+
+    /* Precondition: Branch key version must be a string */
+    needs(
+      typeof branchKeyVersion === 'string',
+      'Branch key version must be a string'
+    )
 
     /* Precondition: encryptionContext must be an object, even if it is empty */
     needs(
       encryptionContext && typeof encryptionContext === 'object',
-      'Encryption context must be set'
+      'Encryption context must be an object'
     )
 
+    /* Precondition: branchKey must be a 32 byte-long buffer */
+    needs(branchKey.length === 32, 'Branch key must be 32 bytes long')
+
     /* Precondition: branch key ID is required */
     needs(branchKeyIdentifier, 'Empty branch key ID')
 

modules/material-management/test/cryptographic_material.test.ts

@@ -1003,6 +1003,62 @@ describe('NodeBranchKeyMaterial', () => {
     encryptionContext
   )
 
+  it('Precondition: Branch key must be a Buffer', () => {
+    for (const branchKey of [null, undefined, {}, 0, '']) {
+      expect(
+        () =>
+          new NodeBranchKeyMaterial(
+            branchKey as any,
+            branchKeyId,
+            branchKeyVersion,
+            encryptionContext
+          )
+      ).to.throw('Branch key must be a Buffer')
+    }
+  })
+
+  it('Precondition: Branch key id must be a string', () => {
+    for (const branchKeyId of [null, undefined, {}, 0]) {
+      expect(
+        () =>
+          new NodeBranchKeyMaterial(
+            branchKey,
+            branchKeyId as any,
+            branchKeyVersion,
+            encryptionContext
+          )
+      ).to.throw('Branch key id must be a string')
+    }
+  })
+
+  it('Precondition: Branch key version must be a string', () => {
+    for (const branchKeyVersion of [null, undefined, {}, 0]) {
+      expect(
+        () =>
+          new NodeBranchKeyMaterial(
+            branchKey,
+            branchKeyId,
+            branchKeyVersion as any,
+            encryptionContext
+          )
+      ).to.throw('Branch key version must be a string')
+    }
+  })
+
+  it('Precondition: encryptionContext must be an object, even if it is empty', () => {
+    for (const encryptionContext of [null, undefined, 0, '']) {
+      expect(
+        () =>
+          new NodeBranchKeyMaterial(
+            branchKey,
+            branchKeyId,
+            branchKeyVersion,
+            encryptionContext as any
+          )
+      ).to.throw('Encryption context must be an object')
+    }
+  })
+
   it('Precondition: branchKey must be a 32 byte-long buffer', () => {
     expect(
       () =>
@@ -1015,27 +1071,6 @@ describe('NodeBranchKeyMaterial', () => {
     ).to.throw('Branch key must be 32 bytes long')
   })
 
-  it('Precondition: encryptionContext must be an object, even if it is empty', () => {
-    expect(
-      () =>
-        new NodeBranchKeyMaterial(
-          branchKey,
-          branchKeyId,
-          branchKeyVersion,
-          undefined as any
-        )
-    ).to.throw('Encryption context must be set')
-    expect(
-      () =>
-        new NodeBranchKeyMaterial(
-          branchKey,
-          branchKeyId,
-          branchKeyVersion,
-          true as any
-        )
-    ).to.throw('Encryption context must be set')
-  })
-
   it('Precondition: branch key ID is required', () => {
     expect(
       () =>