aws
diff --git a/‎modules/branch-keystore-node/package.json
Lines changed: 1 addition & 1 deletion b/‎modules/branch-keystore-node/package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/branch-keystore-node/src/branch_keystore.ts
Lines changed: 114 additions & 139 deletions b/‎modules/branch-keystore-node/src/branch_keystore.ts
Lines changed: 114 additions & 139 deletions
@@ -19,7 +19,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-crypto/kms-keyring": "file:.../kms-keyring",
+    "@aws-crypto/kms-keyring": "file:../kms-keyring",
     "@aws-sdk/client-dynamodb": "^3.616.0",
     "@aws-sdk/util-dynamodb": "^3.616.0",
     "tslib": "^2.2.0"
 
@@ -12,50 +12,15 @@ import {
 } from '@aws-crypto/material-management'
 import { v4 } from 'uuid'
 import {
-  constructAuthenticatedEncryptionContext,
   constructBranchKeyMaterials,
   decryptBranchKey,
-  getBranchKeyItem,
-  validateBranchKeyRecord,
 } from './branch_keystore_helpers'
-import {
-  BRANCH_KEY_ACTIVE_TYPE,
-  BRANCH_KEY_TYPE_PREFIX,
-  KMS_CLIENT_USER_AGENT,
-} from './constants'
-
-//= aws-encryption-sdk-specification/framework/branch-key-store.md#initialization
-//# The following inputs MAY be specified to create a KeyStore:
-
-//# - [ID](#keystore-id)
-//# - [AWS KMS Grant Tokens](#aws-kms-grant-tokens)
-//# - [DynamoDb Client](#dynamodb-client)
-//# - [KMS Client](#kms-client)
-
-//# The following inputs MUST be specified to create a KeyStore:
-
-//# - [Table Name](#table-name)
-//# - [AWS KMS Configuration](#aws-kms-configuration)
-//# - [Logical KeyStore Name](#logical-keystore-name)
-export interface BranchKeyStoreNodeInput {
-  ddbTableName: string
-  logicalKeyStoreName: string
-  kmsConfiguration: KmsConfig
-  kmsClient?: KMSClient
-  ddbClient?: DynamoDBClient
-  keyStoreId?: string
-  grantTokens?: string[]
-}
+import { KMS_CLIENT_USER_AGENT } from './constants'
 
-export interface IBranchKeyStoreNode {
-  ddbTableName: string
-  logicalKeyStoreName: string
-  kmsConfiguration: Readonly<KmsConfig>
-  kmsClient: KMSClient
-  ddbClient: DynamoDBClient
-  keyStoreId: string
-  grantTokens?: ReadonlyArray<string>
+import { IBranchKeyStorage, BranchKeyStoreNodeInput } from './types'
+import { DynamoDBKeyStorage } from './dynamodb_key_storage'
 
+interface IBranchKeyStoreNode {
   getActiveBranchKey(branchKeyId: string): Promise<NodeBranchKeyMaterial>
   getBranchKeyVersion(
     branchKeyId: string,
@@ -64,26 +29,23 @@ export interface IBranchKeyStoreNode {
 }
 
 export class BranchKeyStoreNode implements IBranchKeyStoreNode {
-  public declare ddbTableName: string
+  // public declare ddbTableName: string
   public declare logicalKeyStoreName: string
   public declare kmsConfiguration: Readonly<KmsConfig>
   public declare kmsClient: KMSClient
-  public declare ddbClient: DynamoDBClient
+  // public declare ddbClient: DynamoDBClient
   public declare keyStoreId: string
   public declare grantTokens?: ReadonlyArray<string>
 
+  public declare storage: IBranchKeyStorage
+
   constructor({
-    ddbTableName,
     logicalKeyStoreName,
+    storage,
+    keyManagement,
     kmsConfiguration,
-    kmsClient,
-    ddbClient,
     keyStoreId,
-    grantTokens,
   }: BranchKeyStoreNodeInput) {
-    /* Precondition: DDB table name must be a string */
-    needs(typeof ddbTableName === 'string', 'DDB table name must be a string')
-
     /* Precondition: Logical keystore name must be a string */
     needs(
       typeof logicalKeyStoreName === 'string',
@@ -94,23 +56,36 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     needs(isKmsConfig(kmsConfiguration), 'KMS Configuration must be SRK')
 
     /* Precondition: KMS client must be a KMSClient */
-    if (kmsClient) {
-      needs(kmsClient instanceof KMSClient, 'KMS client must be a KMSClient')
-    } else {
-      // ensure it's strictly undefined and not some other falsey value
-      kmsClient = undefined
+    if (keyManagement?.kmsClient) {
+      needs(
+        keyManagement.kmsClient instanceof KMSClient,
+        'KMS client must be a KMSClient'
+      )
     }
 
-    /* Precondition: DDB client must be a DynamoDBClient */
-    if (ddbClient) {
+    if (
+      'getEncryptedActiveBranchKey' in storage &&
+      'getEncryptedBranchKeyVersion' in storage
+    ) {
+      this.storage
+    } else {
       needs(
-        ddbClient instanceof DynamoDBClient,
+        !storage.ddbClient ||
+          (storage.ddbClient as any) instanceof DynamoDBClient,
         'DDB client must be a DynamoDBClient'
       )
-    } else {
-      // ensure it's strictly undefined and not some other falsey value
-      ddbClient = undefined
+      this.storage = new DynamoDBKeyStorage({
+        ddbTableName: storage.ddbTableName,
+        logicalKeyStoreName,
+        ddbClient:
+          storage.ddbClient instanceof DynamoDBClient
+            ? storage.ddbClient
+            : new DynamoDBClient({
+                region: (kmsConfiguration as RegionalKmsConfig).getRegion(),
+              }),
+      })
     }
+    readOnlyProperty(this, 'storage', this.storage)
 
     /* Precondition: Keystore id must be a string */
     if (keyStoreId) {
@@ -121,15 +96,14 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     }
 
     /* Precondition: Grant tokens must be a string array */
-    if (grantTokens) {
+    if (keyManagement?.grantTokens) {
       needs(
-        Array.isArray(grantTokens) &&
-          grantTokens.every((grantToken) => typeof grantToken === 'string'),
+        Array.isArray(keyManagement.grantTokens) &&
+          keyManagement.grantTokens.every(
+            (grantToken) => typeof grantToken === 'string'
+          ),
         'Grant tokens must be a string array'
       )
-    } else {
-      // ensure it's strictly undefined and not some other falsey value
-      grantTokens = undefined
     }
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#keystore-id
@@ -140,42 +114,16 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-grant-tokens
     //# A list of AWS KMS [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
-    readOnlyProperty(this, 'grantTokens', grantTokens)
+    readOnlyProperty(
+      this,
+      'grantTokens',
+      keyManagement?.grantTokens || undefined
+    )
     /* Postcondition: If unprovided, the grant tokens are undefined */
 
     needs(kmsConfiguration, 'AWS KMS Configuration required')
     readOnlyProperty(this, 'kmsConfiguration', Object.freeze(kmsConfiguration))
 
-    //= aws-encryption-sdk-specification/framework/branch-key-store.md#dynamodb-client
-    //# The DynamoDb Client used to put and get keys from the backing DDB table.
-
-    //# If the AWS KMS Configuration is KMS Key ARN or KMS MRKey ARN,
-    //# and no DynamoDb Client is provided,
-    //# a new DynamoDb Client MUST be created
-    //# with the region of the supplied KMS ARN.
-
-    //# If the AWS KMS Configuration is Discovery,
-    //# and no DynamoDb Client is provided,
-    //# a new DynamoDb Client MUST be created
-    //# with the default configuration.
-
-    //# If the AWS KMS Configuration is MRDiscovery,
-    //# and no DynamoDb Client is provided,
-    //# a new DynamoDb Client MUST be created
-    //# with the region configured in the MRDiscovery.
-    // TODO: when other KMS configuration types/classes are supported for the keystore,
-    // verify the configuration object type to determine how we instantiate the
-    // DDB client. This will ensure safe type casting.
-    readOnlyProperty(
-      this,
-      'ddbClient',
-      ddbClient ||
-        new DynamoDBClient({
-          region: (this.kmsConfiguration as RegionalKmsConfig).getRegion(),
-        })
-    )
-    /* Postcondition: If unprovided, the DDB client is configured */
-
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#kms-client
     //# The KMS Client used when wrapping and unwrapping keys.
 
@@ -203,19 +151,14 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     readOnlyProperty(
       this,
       'kmsClient',
-      kmsClient ||
+      keyManagement?.kmsClient ||
         new KMSClient({
           region: (this.kmsConfiguration as RegionalKmsConfig).getRegion(),
           customUserAgent: KMS_CLIENT_USER_AGENT,
         })
     )
     /* Postcondition: If unprovided, the KMS client is configured */
 
-    //= aws-encryption-sdk-specification/framework/branch-key-store.md#table-name
-    //# The table name of the DynamoDb table that backs this Keystore.
-    needs(ddbTableName, 'DynamoDb table name required')
-    readOnlyProperty(this, 'ddbTableName', ddbTableName)
-
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#logical-keystore-name
     //# This name is cryptographically bound to all data stored in this table,
     //# and logically separates data between different tables.
@@ -234,38 +177,38 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     Object.freeze(this)
   }
 
-  /**
-   * This is a utility method that encapsulates the overlapping logic for getActiveBranchKey
-   * and getBranchKeyVersion to retreive the branch key materials
-   * @param branchKeyId
-   * @param type - this could indicate an active or versioned request
-   * @returns branch key materials
-   */
-  private async _getBranchKeyMaterials(
-    branchKeyId: string,
-    type: string
-  ): Promise<NodeBranchKeyMaterial> {
-    // get the ddb response item using the partition & sort keys
-    const ddbBranchKeyItem = await getBranchKeyItem(this, branchKeyId, type)
-    // validate and form the branch key record
-    const ddbBranchKeyRecord = validateBranchKeyRecord(ddbBranchKeyItem)
-    // construct an encryption context from the record
-    const authenticatedEncryptionContext =
-      constructAuthenticatedEncryptionContext(this, ddbBranchKeyRecord)
-    // decrypt the encrypted branch key
-    const branchKey = await decryptBranchKey(
-      this,
-      ddbBranchKeyRecord,
-      authenticatedEncryptionContext
-    )
-    // construct branch key materials from the authenticated encryption context
-    const branchKeyMaterials = constructBranchKeyMaterials(
-      branchKey,
-      branchKeyId,
-      authenticatedEncryptionContext
-    )
-    return branchKeyMaterials
-  }
+  // /**
+  //  * This is a utility method that encapsulates the overlapping logic for getActiveBranchKey
+  //  * and getBranchKeyVersion to retreive the branch key materials
+  //  * @param branchKeyId
+  //  * @param type - this could indicate an active or versioned request
+  //  * @returns branch key materials
+  //  */
+  // private async _getBranchKeyMaterials(
+  //   branchKeyId: string,
+  //   type: string
+  // ): Promise<NodeBranchKeyMaterial> {
+  //   // get the ddb response item using the partition & sort keys
+  //   const ddbBranchKeyItem = await getBranchKeyItem(this, branchKeyId, type)
+  //   // validate and form the branch key record
+  //   const ddbBranchKeyRecord = validateBranchKeyRecord(ddbBranchKeyItem)
+  //   // construct an encryption context from the record
+  //   const authenticatedEncryptionContext =
+  //     constructAuthenticatedEncryptionContext(this, ddbBranchKeyRecord)
+  //   // decrypt the encrypted branch key
+  //   const branchKey = await decryptBranchKey(
+  //     this,
+  //     ddbBranchKeyRecord,
+  //     authenticatedEncryptionContext
+  //   )
+  //   // construct branch key materials from the authenticated encryption context
+  //   const branchKeyMaterials = constructBranchKeyMaterials(
+  //     branchKey,
+  //     branchKeyId,
+  //     authenticatedEncryptionContext
+  //   )
+  //   return branchKeyMaterials
+  // }
 
   async getActiveBranchKey(
     branchKeyId: string
@@ -279,10 +222,17 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
       'MUST supply a string branch key id'
     )
 
-    return await this._getBranchKeyMaterials(
-      branchKeyId,
-      BRANCH_KEY_ACTIVE_TYPE
+    const activeEncryptedBranchKey =
+      await this.storage.getEncryptedActiveBranchKey(branchKeyId)
+
+    // decrypt the encrypted branch key
+    const branchKey = await decryptBranchKey(this, activeEncryptedBranchKey)
+    // construct branch key materials from the authenticated encryption context
+    const branchKeyMaterials = constructBranchKeyMaterials(
+      branchKey,
+      activeEncryptedBranchKey
     )
+    return branchKeyMaterials
   }
 
   async getBranchKeyVersion(
@@ -303,10 +253,19 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
       'MUST supply a string branch key version'
     )
 
-    return await this._getBranchKeyMaterials(
+    const encryptedBranchKey = await this.storage.getEncryptedBranchKeyVersion(
       branchKeyId,
-      BRANCH_KEY_TYPE_PREFIX + branchKeyVersion
+      branchKeyVersion
+    )
+
+    // decrypt the encrypted branch key
+    const branchKey = await decryptBranchKey(this, encryptedBranchKey)
+    // construct branch key materials from the authenticated encryption context
+    const branchKeyMaterials = constructBranchKeyMaterials(
+      branchKey,
+      encryptedBranchKey
     )
+    return branchKeyMaterials
   }
 }
 
@@ -318,3 +277,19 @@ export function isIBranchKeyStoreNode(
 ): keyStore is BranchKeyStoreNode {
   return keyStore instanceof BranchKeyStoreNode
 }
+
+// The JS implementation is not encumbered with the legacy construction
+// by passing DDB clients et al.
+// So it can be simplified.
+//= aws-encryption-sdk-specification/framework/branch-key-store.md#initialization
+//= type=exception
+//# - [AWS KMS Grant Tokens](#aws-kms-grant-tokens)
+
+//= aws-encryption-sdk-specification/framework/branch-key-store.md#initialization
+//= type=exception
+//# - [DynamoDb Client](#dynamodb-client)
+
+//= aws-encryption-sdk-specification/framework/branch-key-store.md#initialization
+//= type=exception
+//# - [Table Name](#table-name)
+//# - [KMS Client](#kms-client)