Add discovery

Author: seebees

modules/branch-keystore-node/src/branch_keystore_helpers.ts

@@ -31,7 +31,6 @@ import {
   BEACON_KEY_TYPE_VALUE,
   POTENTIAL_BRANCH_KEY_RECORD_FIELDS,
 } from './constants'
-import { parseAwsKmsKeyArn } from '@aws-crypto/kms-keyring'
 
 /**
  * This utility function uses a partition and sort key to query for a single branch

modules/branch-keystore-node/src/kms_config.ts

@@ -23,7 +23,6 @@ export interface KMSMultiRegionKey {
 
 //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
 //# `Discovery` does not take an additional argument.
-
 export type Discovery = 'discovery'
 
 //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
@@ -147,11 +146,6 @@ export class KmsKeyConfig implements RegionalKmsConfig {
     }
   }
 
-  //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
-  //# For two ARNs to be compatible:
-
-  //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
-  //# then two ARNs are compatible if they are exactly equal.
   isCompatibleWithArn(otherArn: string): boolean {
     if (this._config === 'discovery' || 'region' in this._config) {
       // This may result in the function being called twice.
@@ -167,10 +161,21 @@ export class KmsKeyConfig implements RegionalKmsConfig {
         `${otherArn} must be a well-formed AWS KMS non-alias resource arn`
       )
 
+      //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
+      //# If the [AWS KMS Configuration](#aws-kms-configuration) is Discovery or MRDiscovery,
+      //# no comparison is ever made between ARNs.
       return true
     } else if ('identifier' in this._config) {
+      //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
+      //# For two ARNs to be compatible:
+      //# If the [AWS KMS Configuration](#aws-kms-configuration) designates single region ARN compatibility,
+      //# then two ARNs are compatible if they are exactly equal.
       return this._arn == otherArn
     } else if ('mrkIdentifier' in this._config) {
+      //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-key-arn-compatibility
+      //# If the [AWS KMS Configuration](#aws-kms-configuration) designates MRK ARN compatibility,
+      //# then two ARNs are compatible if they are equal in all parts other than the region.
+      //# That is, they are compatible if [AWS KMS MRK Match for Decrypt](aws-kms/aws-kms-mrk-match-for-decrypt.md#implementation) returns true.
       return mrkAwareAwsKmsKeyIdCompare(this._arn, otherArn)
     } else {
       needs(false, 'Unexpected configuration state')

modules/branch-keystore-node/test/branch_keystore.test.ts

@@ -15,7 +15,6 @@ import {
   IncorrectKeyException,
 } from '@aws-sdk/client-kms'
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
-import { SrkCompatibilityKmsConfig } from '../src/kms_config'
 import { getRegionFromIdentifier } from '@aws-crypto/kms-keyring'
 import {
   BRANCH_KEY_ACTIVE_VERSION,
@@ -47,7 +46,7 @@ describe('Test Branch keystore', () => {
   })
 
   describe('Test constructor', () => {
-    const KMS_CONFIGURATION = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const KMS_CONFIGURATION = { identifier: KEY_ARN }
 
     const BRANCH_KEYSTORE = new BranchKeyStoreNode({
       storage: { ddbTableName: DDB_TABLE_NAME },
@@ -194,7 +193,7 @@ describe('Test Branch keystore', () => {
       const kmsClient = new KMSClient({})
       const ddbClient = new DynamoDBClient({})
       expect(() => {
-        const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ID)
+        const kmsConfig = { identifier: KEY_ID }
         return new BranchKeyStoreNode({
           storage: { ddbTableName: DDB_TABLE_NAME, ddbClient },
           logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
@@ -210,7 +209,7 @@ describe('Test Branch keystore', () => {
       const kmsClient = new KMSClient({})
       const ddbClient = new DynamoDBClient({})
       expect(() => {
-        const kmsConfig = new SrkCompatibilityKmsConfig(KMS_KEY_ALIAS)
+        const kmsConfig = { identifier: KMS_KEY_ALIAS }
         return new BranchKeyStoreNode({
           storage: { ddbTableName: DDB_TABLE_NAME, ddbClient },
           logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
@@ -225,7 +224,7 @@ describe('Test Branch keystore', () => {
     it('Valid config', () => {
       const kmsClient = new KMSClient({})
       const ddbClient = new DynamoDBClient({})
-      const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+      const kmsConfig = { identifier: KEY_ID }
       const keyStore = new BranchKeyStoreNode({
         storage: { ddbTableName: DDB_TABLE_NAME, ddbClient },
         logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
@@ -243,7 +242,7 @@ describe('Test Branch keystore', () => {
     it('Test valid config with no clients', () => {
       const kmsClient = new KMSClient({})
       const ddbClient = new DynamoDBClient({})
-      const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+      const kmsConfig = { identifier: KEY_ID }
 
       // test with no kms client supplied
       expect(
@@ -408,7 +407,7 @@ describe('Test Branch keystore', () => {
   it('Test get active key', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const kmsConfig = { identifier: KEY_ID }
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
       storage: { ddbTableName: DDB_TABLE_NAME, ddbClient: ddbClient },
@@ -444,7 +443,7 @@ describe('Test Branch keystore', () => {
   it('Test get branch key version', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const kmsConfig = { identifier: KEY_ID }
 
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
@@ -494,7 +493,7 @@ describe('Test Branch keystore', () => {
   it('Test get active key with incorrect kms key arn', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const kmsConfig = { identifier: KEY_ID }
 
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
@@ -514,7 +513,7 @@ describe('Test Branch keystore', () => {
   it('Test get active key with wrong logical keystore name', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const kmsConfig = { identifier: KEY_ID }
 
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
@@ -532,7 +531,7 @@ describe('Test Branch keystore', () => {
   it('Test get active key does not exist fails', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const kmsConfig = { identifier: KEY_ID }
 
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
@@ -550,7 +549,7 @@ describe('Test Branch keystore', () => {
   })
 
   it('Test get active key with no clients', async () => {
-    const kmsConfig = new SrkCompatibilityKmsConfig(KEY_ARN)
+    const kmsConfig = { identifier: KEY_ID }
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
       logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
@@ -564,7 +563,7 @@ describe('Test Branch keystore', () => {
   it('Test get active key for lying branch key', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(POSTAL_HORN_KEY_ARN)
+    const kmsConfig = { identifier: POSTAL_HORN_KEY_ARN }
 
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,
@@ -582,7 +581,7 @@ describe('Test Branch keystore', () => {
   it('Test get versioned key for lying branch key', async () => {
     const kmsClient = new KMSClient({})
     const ddbClient = new DynamoDBClient({})
-    const kmsConfig = new SrkCompatibilityKmsConfig(POSTAL_HORN_KEY_ARN)
+    const kmsConfig = { identifier: POSTAL_HORN_KEY_ARN }
 
     const keyStore = new BranchKeyStoreNode({
       kmsConfiguration: kmsConfig,

modules/branch-keystore-node/test/branch_keystore_helpers.test.ts

@@ -4,7 +4,6 @@
 import chai, { expect } from 'chai'
 import chaiAsPromised from 'chai-as-promised'
 import { BranchKeyStoreNode } from '../src/branch_keystore'
-import { SrkCompatibilityKmsConfig } from '../src/kms_config'
 import {
   constructAuthenticatedEncryptionContext,
   constructBranchKeyMaterials,
@@ -69,7 +68,7 @@ const INVALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS = {
 const BRANCH_KEYSTORE = new BranchKeyStoreNode({
   storage: { ddbTableName: DDB_TABLE_NAME },
   logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
-  kmsConfiguration: new SrkCompatibilityKmsConfig(KEY_ARN),
+  kmsConfiguration: { identifier: KEY_ARN },
 })
 
 const BRANCH_KEY_STORAGE = BRANCH_KEYSTORE.storage as DynamoDBKeyStorage
@@ -497,7 +496,7 @@ describe('Test keystore helpers', () => {
       const branchKeyStore = new BranchKeyStoreNode({
         storage: { ddbTableName: DDB_TABLE_NAME },
         logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
-        kmsConfiguration: new SrkCompatibilityKmsConfig(configArn),
+        kmsConfiguration: { identifier: configArn },
       })
 
       // create a real up-to-date active branch key record
@@ -524,7 +523,7 @@ describe('Test keystore helpers', () => {
       const branchKeyStore = new BranchKeyStoreNode({
         storage: { ddbTableName: DDB_TABLE_NAME },
         logicalKeyStoreName: LOGICAL_KEYSTORE_NAME,
-        kmsConfiguration: new SrkCompatibilityKmsConfig(configArn),
+        kmsConfiguration: { identifier: configArn },
       })
 
       const activeBranchKeyRecord =