adding duvet anotations

Author: seebees

modules/branch-keystore-node/src/branch_keystore_helpers.ts

@@ -54,7 +54,6 @@ export async function getBranchKeyItem(
   partitionValue: string,
   sortValue: string
 ): Promise<BranchKeyItem> {
-  process.env
   // create a getItem command with the querying partition and sort keys
   // send the query for DDB to run
   // get the response
@@ -97,8 +96,8 @@ export async function getBranchKeyItem(
  * if there are additional fields within the response item that
  * don't follow the proper custom encryption context key naming convention
  */
-//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedactivebranchkey
-//# The AWS DDB response MUST contain the fields defined in the [branch keystore record format](#record-format).
+//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
+//# A branch key record MUST include the following key-value pairs:
 export function validateBranchKeyRecord(item: BranchKeyItem): BranchKeyRecord {
   //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
   //# 1. `branch-key-id` : Unique identifier for a branch key; represented as [AWS DDB String](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
@@ -192,6 +191,9 @@ export function validateBranchKeyRecord(item: BranchKeyItem): BranchKeyRecord {
  * @returns authenticated encryption context
  */
 export function constructAuthenticatedEncryptionContext(
+  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#logical-keystore-name
+  //# It is not stored on the items in the so it MUST be added
+  //# to items retrieved from the table.
   { logicalKeyStoreName }: { logicalKeyStoreName: string },
   branchKeyRecord: BranchKeyRecord
 ): BranchKeyEncryptionContext {

modules/branch-keystore-node/src/dynamodb_key_storage.ts

@@ -1,7 +1,12 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { IBranchKeyStorage, EncryptedHierarchicalKey } from './types'
+import {
+  IBranchKeyStorage,
+  EncryptedHierarchicalKey,
+  ActiveHierarchicalSymmetricVersion,
+  HierarchicalSymmetricVersion,
+} from './types'
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
 import {
   getBranchKeyItem,
@@ -32,6 +37,9 @@ export interface DynamoDBKeyStorageInput {
   ddbClient: DynamoDBClient
 }
 
+//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#operations
+//= type=implication
+//# The Dynamodb Key Storage Interface MUST implement the [key storage interface](./key-storage.md#interface).
 export class DynamoDBKeyStorage implements IBranchKeyStorage {
   public declare readonly ddbTableName: string
   public declare readonly logicalKeyStoreName: string
@@ -70,52 +78,140 @@ export class DynamoDBKeyStorage implements IBranchKeyStorage {
   public async getEncryptedActiveBranchKey(
     branchKeyId: string
   ): Promise<EncryptedHierarchicalKey> {
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedactivebranchkey
+    //# To get the active version for the branch key id from the keystore
+    //# this operation MUST call AWS DDB `GetItem`
+    //# using the `branch-key-id` as the Partition Key and `"branch:ACTIVE"` value as the Sort Key.
+
     // get the ddb response item using the partition & sort keys
     const ddbBranchKeyItem = await getBranchKeyItem(
       this,
       branchKeyId,
       BRANCH_KEY_ACTIVE_TYPE
     )
     // validate and form the branch key record
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedactivebranchkey
+    //# If the record does not contain the defined fields, this operation MUST fail.
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedactivebranchkey
+    //# The AWS DDB response MUST contain the fields defined in the [branch keystore record format](#record-format).
     const ddbBranchKeyRecord = validateBranchKeyRecord(ddbBranchKeyItem)
     // construct an encryption context from the record
     const authenticatedEncryptionContext =
       constructAuthenticatedEncryptionContext(this, ddbBranchKeyRecord)
 
-    return new EncryptedHierarchicalKey(
+    const encrypted = new EncryptedHierarchicalKey(
       authenticatedEncryptionContext,
       ddbBranchKeyRecord[BRANCH_KEY_FIELD]
     )
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedactivebranchkey
+    //# The returned EncryptedHierarchicalKey MUST have the same identifier as the input.
+    needs(encrypted.branchKeyId == branchKeyId, 'Unexpected branch key id.')
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedactivebranchkey
+    //# The returned EncryptedHierarchicalKey MUST have a type of ActiveHierarchicalSymmetricVersion.
+    needs(
+      encrypted.type instanceof ActiveHierarchicalSymmetricVersion,
+      'Unexpected type. Not an active record.'
+    )
+
+    return encrypted
   }
 
   public async getEncryptedBranchKeyVersion(
     branchKeyId: string,
     branchKeyVersion: string
   ): Promise<EncryptedHierarchicalKey> {
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbranchkeyversion
+    //# To get a branch key from the keystore this operation MUST call AWS DDB `GetItem`
+    //# using the `branch-key-id` as the Partition Key and "branch:version:" + `branchKeyVersion` value as the Sort Key.
+
     // get the ddb response item using the partition & sort keys
     const ddbBranchKeyItem = await getBranchKeyItem(
       this,
       branchKeyId,
       BRANCH_KEY_TYPE_PREFIX + branchKeyVersion
     )
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbranchkeyversion
+    //# If the record does not contain the defined fields, this operation MUST fail.
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbranchkeyversion
+    //# The AWS DDB response MUST contain the fields defined in the [branch keystore record format](#record-format).
+
     // validate and form the branch key record
     const ddbBranchKeyRecord = validateBranchKeyRecord(ddbBranchKeyItem)
     // construct an encryption context from the record
     const authenticatedEncryptionContext =
       constructAuthenticatedEncryptionContext(this, ddbBranchKeyRecord)
 
-    return new EncryptedHierarchicalKey(
+    const encrypted = new EncryptedHierarchicalKey(
       authenticatedEncryptionContext,
       ddbBranchKeyRecord[BRANCH_KEY_FIELD]
     )
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbranchkeyversion
+    //# The returned EncryptedHierarchicalKey MUST have the same identifier as the input.
+    needs(encrypted.branchKeyId == branchKeyId, 'Unexpected branch key id.')
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbranchkeyversion
+    //# The returned EncryptedHierarchicalKey MUST have the same version as the input.
+    needs(
+      encrypted.type.version == branchKeyVersion,
+      'Unexpected branch key version.'
+    )
+
+    //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbranchkeyversion
+    //# The returned EncryptedHierarchicalKey MUST have a type of HierarchicalSymmetricVersion.
+    needs(
+      encrypted.type instanceof HierarchicalSymmetricVersion,
+      'Unexpected type. Not an version record.'
+    )
+
+    return encrypted
   }
 
   getKeyStorageInfo() {
     return {
       name: this.ddbTableName,
-      logicalName: this.logicalKeyStoreName
+      logicalName: this.logicalKeyStoreName,
     }
   }
 }
 
 immutableClass(DynamoDBKeyStorage)
+
+// This is a limited release for JS only.
+// The full Key Store operations are available
+// in the AWS Cryptographic Material Providers library
+// in various languages (Java, .Net, Python, Rust...)
+
+//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#writenewencryptedbranchkey
+//= type=exception
+//# To add the branch keys and a beacon key to the keystore the
+//# operation MUST call [Amazon DynamoDB API TransactWriteItems](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_TransactWriteItems.html).
+//# The call to Amazon DynamoDB TransactWriteItems MUST use the configured Amazon DynamoDB Client to make the call.
+//# The operation MUST call Amazon DynamoDB TransactWriteItems with a request constructed as follows:
+
+//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#writenewencryptedbranchkey
+//= type=exception
+//# If DDB TransactWriteItems is successful, this operation MUST return a successful response containing no additional data.
+//# Otherwise, this operation MUST yield an error.
+
+//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#writenewencryptedbranchkeyversion
+//= type=exception
+//# To add the new branch key to the keystore,
+//# the operation MUST call [Amazon DynamoDB API TransactWriteItems](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_TransactWriteItems.html).
+//# The call to Amazon DynamoDB TransactWriteItems MUST use the configured Amazon DynamoDB Client to make the call.
+//# The operation MUST call Amazon DynamoDB TransactWriteItems with a request constructed as follows:
+
+//= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#getencryptedbeaconkey
+//= type=exception
+//# To get a branch key from the keystore this operation MUST call AWS DDB `GetItem`
+//# using the `branch-key-id` as the Partition Key and "beacon:ACTIVE" value as the Sort Key.
+//# The AWS DDB response MUST contain the fields defined in the [branch keystore record format](#record-format).
+//# The returned EncryptedHierarchicalKey MUST have the same identifier as the input.
+//# The returned EncryptedHierarchicalKey MUST have a type of ActiveHierarchicalSymmetricBeacon.
+//# If the record does not contain the defined fields, this operation MUST fail.

modules/branch-keystore-node/src/types.ts

@@ -186,6 +186,9 @@ export interface IBranchKeyStorage {
   //= type=implication
   //# - [GetKeyStorageInfo](#getkeystorageinfo)
 
+  //= aws-encryption-sdk-specification/framework/key-store/key-storage.md#getkeystorageinfo
+  //= type=implication
+  //# It MUST return the physical table name.
   getKeyStorageInfo(): { name: string, logicalName: string }
 }
 
@@ -253,4 +256,17 @@ export interface BranchKeyStoreNodeInput {
 
 //= aws-encryption-sdk-specification/framework/key-store/key-storage.md#interface
 //= type=exception
-//# - [GetEncryptedBeaconKey](#getencryptedbeaconkey)
+//# - [GetEncryptedBeaconKey](#getencryptedbeaconkey)
+
+//= aws-encryption-sdk-specification/framework/key-store/key-storage.md#writenewencryptedbranchkey
+//= type=exception
+//# The WriteNewEncryptedBranchKey caller MUST provide:
+
+//= aws-encryption-sdk-specification/framework/key-store/key-storage.md#writenewencryptedbranchkeyversion
+//= type=exception
+//# The WriteNewEncryptedBranchKeyVersion caller MUST provide:
+
+//= aws-encryption-sdk-specification/framework/key-store/key-storage.md#getencryptedbeaconkey
+//= type=exception
+//# The GetEncryptedBeaconKey caller MUST provide the same inputs as the [GetBeaconKey](../branch-key-store.md#getbeaconkey) operation.
+//# It MUST return an [EncryptedHierarchicalKey](#encryptedhierarchicalkey).