fix(branch-keystore): modify AWS KMS configuration to only support single region key compatibility for now (#608)

* feat(branch-keystore): model AWS KMS configuration

* feat(keystore): create class to model AWS KMS configuration for branch keystore

* updated spec submodule to latest master

* Update spec submodule to track master branch

* feat(keystore): complete and test AWS KMS configuration class

* chore: remove version file from branch-keystore-node module

* chore: updated gitignore to ignore auto-generated version files in branch-keystore-node module

* chore: removed changelog from branch-keystore-node module so that git can autogenerate it

* added additional test for 100% coverage

* made the fix and tested

* remove duplicate compliance citations

* specified compliance tests

* fix compliance tests

* fix duvet

* remove duvet test annotations

* add compliance tests for duvet

* fix compliance tests for duvet

* fix compliance tests for duvet

* change lerna version

* removed getParsedArn

* separate kms config helpers from types

* specified what's a 'bad arn' in tests

* better error msg

* no longer supressing errors from parseAwsKmsKeyArn

* changed tests to assert for specific error messages

* add a notice

* sync lock file with package.json

* consolidate helpers

* compliance test citation

* add additional flag methods to tell us config state

* divide helper function tests and class method tests

* add notice

* Revert "change lerna version"

This reverts commit a9ba112605c76295fb23cfda651f37eff9332e7b.

* Update package-lock.json

Author: seebees

modules/branch-keystore-node/src/index.ts

@@ -1,4 +1,4 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-export * from './kms_configuration'
+export * from './kms_config'

modules/branch-keystore-node/src/kms_config.ts

@@ -0,0 +1,100 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { getRegionFromIdentifier } from '@aws-crypto/kms-keyring'
+import { assertValidNotAliasArn } from './kms_config_helpers'
+
+// a general interface that outlines common operations any of the 4 AWS KMS
+// configurations should perform
+export interface KmsConfig {
+  /**
+   * this method tells the user if the config is SRK/MRK compatibility
+   * @returns a flag answering the method's purpose
+   */
+  isKmsKeyArn(): boolean
+
+  /**
+   * this method tells the user if the config is MrDiscovery
+   * @returns a flag answering the method's purpose
+   */
+  isMrDiscovery(): boolean
+
+  /**
+   * this method tells the user if the config is Discovery
+   * @returns a flag answering the method's purpose
+   */
+  isDiscovery(): boolean
+
+  /**
+   * this method tells the user if the config is compatible with an arn
+   * @param otherArn
+   * @returns a flag answering the method's purpose
+   */
+  isCompatibleWithArn(otherArn: string): boolean
+}
+
+// an interface to outline the common operations any of the 3 region-based AWS KMS
+// configurations should perform
+export interface RegionalKmsConfig extends KmsConfig {
+  /**
+   * this method tells the user the config's region
+   * @returns the region
+   */
+  getRegion(): string
+}
+
+// an abstract class defining common behavior for operations that SRK and MRK compatibility
+// configs should perform
+export abstract class KmsKeyArnConfig implements RegionalKmsConfig {
+  private _arn: string
+
+  //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
+  //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
+  //# that is a KMS ARN.
+  constructor(arn: string) {
+    //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
+    //# This ARN MUST NOT be an Alias.
+    //# This ARN MUST be a valid
+    //# [AWS KMS Key ARN](./aws-kms/aws-kms-key-arn.md#a-valid-aws-kms-arn).
+    assertValidNotAliasArn(arn)
+    this._arn = arn
+  }
+
+  getRegion(): string {
+    return getRegionFromIdentifier(this._arn)
+  }
+
+  isKmsKeyArn(): boolean {
+    return true
+  }
+
+  isMrDiscovery(): boolean {
+    return false
+  }
+
+  isDiscovery(): boolean {
+    return false
+  }
+
+  getArn(): string {
+    return this._arn
+  }
+
+  abstract isCompatibleWithArn(otherArn: string): boolean
+}
+
+// a concrete class specifiying behavior for the SRK compatibility config
+export class SrkCompatibilityKmsConfig extends KmsKeyArnConfig {
+  constructor(arn: string) {
+    super(arn)
+  }
+
+  //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
+  //# For two ARNs to be compatible:
+
+  //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
+  //# then two ARNs are compatible if they are exactly equal.
+  isCompatibleWithArn(otherArn: string): boolean {
+    return this.getArn() === otherArn
+  }
+}

modules/branch-keystore-node/src/kms_config_helpers.ts

@@ -0,0 +1,20 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { needs } from '@aws-crypto/material-management'
+import { ParsedAwsKmsKeyArn, parseAwsKmsKeyArn } from '@aws-crypto/kms-keyring'
+
+/**
+ * this utility function asserts that an arn is well-formed with all valid parts
+ * as an AWS KMS resource, whose type is not alias
+ * @param arn
+ * @throws `${arn} must be a well-formed AWS KMS non-alias resource arn`
+ * @throws 'Malformed.'
+ */
+export function assertValidNotAliasArn(arn: string): void {
+  const errorMessage = `${arn} must be a well-formed AWS KMS non-alias resource arn`
+  const parsedArn = parseAwsKmsKeyArn(arn)
+  needs(parsedArn, errorMessage)
+  const { ResourceType } = parsedArn as ParsedAwsKmsKeyArn
+  needs(ResourceType !== 'alias', errorMessage)
+}