small updates to arn things

seebees · seebees · commit aabbfed2bc54 · 2024-12-13T21:36:54.000-08:00
diff --git a/modules/branch-keystore-node/src/kms_config.ts b/modules/branch-keystore-node/src/kms_config.ts
@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import {
+  isMultiRegionAwsKmsArn,
   // getRegionFromIdentifier,
   parseAwsKmsKeyArn,
 } from '@aws-crypto/kms-keyring'
@@ -78,13 +79,16 @@ export class KmsKeyConfig implements RegionalKmsConfig {
   //# that is a KMS ARN.
   constructor(config: KmsConfig) {
     readOnlyProperty(this, '_config', config)
+    /* Precondition: config must be a string or object */
+    const configType = typeof config
+    needs(!!config && (configType === 'object' || 'string'), 'Config must be a `discovery` or an object.')
     if (config === 'discovery') {
       // Nothing to set
     } else if ('identifier' in config || 'mrkIdentifier' in config) {
       const arn =
         'identifier' in config ? config.identifier : config.mrkIdentifier
       /* Precondition: ARN must be a string */
-      needs(arn || typeof arn === 'string', 'ARN must be a string')
+      needs(typeof arn === 'string', 'ARN must be a string')
 
       //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
       //# To be clear, an KMS ARN for a Multi-Region Key MAY be provided to the `KMS Key ARN` configuration,
@@ -101,6 +105,7 @@ export class KmsKeyConfig implements RegionalKmsConfig {
       )
 
       readOnlyProperty(this, '_parsedArn', parsedArn)
+      readOnlyProperty(this, '_arn', arn)
     } else if ('region' in config) {
       readOnlyProperty(this, '_mrkRegion', config.region)
     } else {
@@ -170,7 +175,7 @@ export class KmsKeyConfig implements RegionalKmsConfig {
       //# For two ARNs to be compatible:
       //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
       //# then two ARNs are compatible if they are exactly equal.
-      return this._arn == otherArn
+      return this._arn === otherArn
     } else if ('mrkIdentifier' in this._config) {
       //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
       //# If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
@@ -207,7 +212,7 @@ export class KmsKeyConfig implements RegionalKmsConfig {
       //# If the KMS Configuration is MRDiscovery, `KeyId` MUST be the `kms-arn` attribute value of the AWS DDB response item, with the region replaced by the configured region.
       const parsedArn = parseAwsKmsKeyArn(otherArn)
       needs(parsedArn, 'KMS ARN from the keystore is not an ARN:' + otherArn)
-      return constructArnInOtherRegion(parsedArn, this._mrkRegion)
+      return isMultiRegionAwsKmsArn(parsedArn) ? constructArnInOtherRegion(parsedArn, this._mrkRegion) : otherArn
     } else if (
       'identifier' in this._config ||
       'mrkIdentifier' in this._config
diff --git a/modules/branch-keystore-node/test/kms_config.test.ts b/modules/branch-keystore-node/test/kms_config.test.ts
@@ -2,11 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import { expect } from 'chai'
-import {
-  KmsKeyConfig,
-  RegionalKmsConfig,
-  KmsConfig,
-} from '../src/kms_config'
+import { KmsKeyConfig, RegionalKmsConfig, KmsConfig } from '../src/kms_config'
 
 function supplySrkKmsConfig(config: KmsConfig): KmsKeyConfig {
   return new KmsKeyConfig(config)
@@ -29,9 +25,20 @@ export const WELL_FORMED_MRK_ALIAS_ARN =
   'arn:aws:kms:us-west-2:123456789012:alias/mrk/my-mrk-alias'
 
 describe('Test KmsKeyConfig class', () => {
+
+  it('Precondition: config must be a string or object', () => {
+    for (const config of [null, undefined, 0]) {
+      expect(() => supplySrkKmsConfig(config as any)).to.throw(
+        'Config must be a `discovery` or an object.'
+      )
+    }
+  })
   it('Precondition: ARN must be a string', () => {
     for (const arn of [null, undefined, 0, {}]) {
-      expect(() => supplySrkKmsConfig(arn as any)).to.throw(
+      expect(() => supplySrkKmsConfig({identifier: arn} as any)).to.throw(
+        'ARN must be a string'
+      )
+      expect(() => supplySrkKmsConfig({mrkIdentifier: arn} as any)).to.throw(
         'ARN must be a string'
       )
     }
@@ -67,20 +74,20 @@ describe('Test KmsKeyConfig class', () => {
     })
 
     describe('Test getCompatibleArnArn', () => {
-
       it('Returns the SRK', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.equal(WELL_FORMED_SRK_ARN)
+        expect(config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.equal(
+          WELL_FORMED_SRK_ARN
+        )
       })
 
       it('Throws for a non compatible value', () => {
         expect(() => config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.throw()
       })
-
     })
   })
 
   describe('Given a well formed MRK arn', () => {
-    const config = supplySrkKmsConfig({ identifier: WELL_FORMED_MRK_ARN })
+    const config = supplySrkKmsConfig({ mrkIdentifier: WELL_FORMED_MRK_ARN })
 
     it('Test getRegion', () => {
       expect((config as RegionalKmsConfig).getRegion()).equals('us-west-2')
@@ -115,96 +122,110 @@ describe('Test KmsKeyConfig class', () => {
     })
 
     describe('Test getCompatibleArnArn', () => {
-
       it('Returns the MRK', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.equal(WELL_FORMED_MRK_ARN)
+        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.equal(
+          WELL_FORMED_MRK_ARN
+        )
       })
 
       it('Returns the configured MRK because it is the right region', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)).to.equal(WELL_FORMED_MRK_ARN)
+        expect(
+          config.getCompatibleArnArn(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
+        ).to.equal(WELL_FORMED_MRK_ARN)
       })
 
       it('Throws for a non compatible value', () => {
         expect(() => config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.throw()
       })
-
     })
   })
 
   describe('Given discovery configurations', () => {
-
     it('Discovery is compatible with ARNs', () => {
       const config = supplySrkKmsConfig('discovery')
-      expect(config.isCompatibleWithArn(ONE_PART_ARN)).to.equal(true)
       expect(config.isCompatibleWithArn(WELL_FORMED_SRK_ARN)).to.equal(true)
       expect(config.isCompatibleWithArn(WELL_FORMED_MRK_ARN)).to.equal(true)
     })
 
-
     it('MRDiscovery is compatible with ARNs', () => {
-      const config = supplySrkKmsConfig({region: 'us-west-2'})
-      expect(config.isCompatibleWithArn(ONE_PART_ARN)).to.equal(true)
+      const config = supplySrkKmsConfig({ region: 'us-west-2' })
       expect(config.isCompatibleWithArn(WELL_FORMED_SRK_ARN)).to.equal(true)
       expect(config.isCompatibleWithArn(WELL_FORMED_MRK_ARN)).to.equal(true)
     })
 
     it('Discovery MUST be an ARN', () => {
       const config = supplySrkKmsConfig('discovery')
       expect(() => config.isCompatibleWithArn(MALFORMED_ARN)).to.throw()
-      expect(() => config.isCompatibleWithArn(WELL_FORMED_SRK_ALIAS_ARN)).to.throw()
-      expect(() => config.isCompatibleWithArn(WELL_FORMED_MRK_ALIAS_ARN)).to.throw()
+      expect(() =>
+        config.isCompatibleWithArn(WELL_FORMED_SRK_ALIAS_ARN)
+      ).to.throw()
+      expect(() =>
+        config.isCompatibleWithArn(WELL_FORMED_MRK_ALIAS_ARN)
+      ).to.throw()
     })
 
-
     it('MRDiscovery MUST be an ARN', () => {
-      const config = supplySrkKmsConfig({region: 'us-west-2'})
+      const config = supplySrkKmsConfig({ region: 'us-west-2' })
       expect(() => config.isCompatibleWithArn(MALFORMED_ARN)).to.throw()
-      expect(() => config.isCompatibleWithArn(WELL_FORMED_SRK_ALIAS_ARN)).to.throw()
-      expect(() => config.isCompatibleWithArn(WELL_FORMED_MRK_ALIAS_ARN)).to.throw()
+      expect(() =>
+        config.isCompatibleWithArn(WELL_FORMED_SRK_ALIAS_ARN)
+      ).to.throw()
+      expect(() =>
+        config.isCompatibleWithArn(WELL_FORMED_MRK_ALIAS_ARN)
+      ).to.throw()
     })
 
     describe('Test getCompatibleArnArn for discovery', () => {
       const config = supplySrkKmsConfig('discovery')
 
       it('Returns the SRK', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.equal(WELL_FORMED_SRK_ARN)
+        expect(config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.equal(
+          WELL_FORMED_SRK_ARN
+        )
       })
 
       it('Returns the MRK', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.equal(WELL_FORMED_MRK_ARN)
+        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.equal(
+          WELL_FORMED_MRK_ARN
+        )
       })
 
       it('Returns the configured MRK because it is the right region', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)).to.equal(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
+        expect(
+          config.getCompatibleArnArn(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
+        ).to.equal(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
       })
 
       it('Throws for a non compatible value', () => {
-        expect(() => config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.throw()
+        expect(() => config.getCompatibleArnArn(ONE_PART_ARN)).to.throw()
       })
-
     })
 
     describe('Test getCompatibleArnArn for MRDiscovery', () => {
-      const config = supplySrkKmsConfig({region: 'us-east-1'})
+      const config = supplySrkKmsConfig({ region: 'us-east-1' })
 
       it('Returns the SRK', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.equal(WELL_FORMED_SRK_ARN)
+        expect(config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.equal(
+          WELL_FORMED_SRK_ARN
+        )
       })
 
       it('Returns the MRK', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.equal(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
+        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN)).to.equal(
+          WELL_FORMED_MRK_ARN_DIFFERENT_REGION
+        )
       })
 
       it('Returns the configured MRK because it is the right region', () => {
-        expect(config.getCompatibleArnArn(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)).to.equal(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
+        expect(
+          config.getCompatibleArnArn(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
+        ).to.equal(WELL_FORMED_MRK_ARN_DIFFERENT_REGION)
       })
 
       it('Throws for a non compatible value', () => {
-        expect(() => config.getCompatibleArnArn(WELL_FORMED_SRK_ARN)).to.throw()
+        expect(() => config.getCompatibleArnArn(ONE_PART_ARN)).to.throw()
       })
-
     })
-
   })
 
   //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
diff --git a/modules/kms-keyring/src/index.ts b/modules/kms-keyring/src/index.ts
@@ -7,6 +7,7 @@ export {
   parseAwsKmsKeyArn,
   constructArnInOtherRegion,
   mrkAwareAwsKmsKeyIdCompare,
+  isMultiRegionAwsKmsArn,
   ParsedAwsKmsKeyArn,
 } from './arn_parsing'
 export * from './kms_keyring'
