feat(kms-keyring): KMS CMK alias is a valid identifier (aws#231)

CMK alias or keyId are valid identifiers for keyIds and generatorKeyId.

Author: seebees

modules/kms-keyring/src/kms_client_supplier.ts

@@ -42,7 +42,7 @@ export function getClient<Client extends AwsEsdkKMSInterface, Config> (
  * in this case, the Encryption SDK should find the default region
  * or the default region needs to be supplied to this function
  */
- const config = { ...defaultConfig, region } as Config
+ const config = (region ? { ...defaultConfig, region } : { ...defaultConfig }) as Config
  const client = new KMSClient(config)
 
  /* Postcondition: A region must be configured.

modules/kms-keyring/src/kms_keyring.ts

@@ -78,9 +78,9 @@ export function KmsKeyringClass<S extends SupportedAlgorithmSuites, Client exten
  needs(!(!discovery && !generatorKeyId && !keyIds.length), 'Noop keyring is not allowed: Set a keyId or discovery')
  /* Precondition: A keyring can be either a Discovery or have keyIds configured. */
  needs(!(discovery && (generatorKeyId || keyIds.length)), 'A keyring can be either a Discovery or have keyIds configured.')
- /* Precondition: All KMS key arns must be valid. */
- needs(!generatorKeyId || !!regionFromKmsKeyArn(generatorKeyId), 'Malformed arn.')
- needs(keyIds.every(keyarn => !!regionFromKmsKeyArn(keyarn)), 'Malformed arn.')
+ /* Precondition: All KMS key identifiers must be valid. */
+ needs(!generatorKeyId || typeof regionFromKmsKeyArn(generatorKeyId) === 'string', 'Malformed arn.')
+ needs(keyIds.every(keyArn => typeof regionFromKmsKeyArn(keyArn) === 'string'), 'Malformed arn.')
  /* Precondition: clientProvider needs to be a callable function. */
  needs(typeof clientProvider === 'function', 'Missing clientProvider')
 

modules/kms-keyring/src/region_from_kms_key_arn.ts

@@ -15,6 +15,15 @@
 
 import { needs } from '@aws-crypto/material-management'
 
+/* See: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
+ * regex to match: 'resourceType/resourceId' || 'resourceType'
+ * This is complicated because the `split(':')`.
+ * The valid resourceType resourceId delimiters are `/`, `:`.
+ * This means if the delimiter is a `:` it will be split out,
+ * when splitting the whole arn.
+ */
+const aliasOrKeyResourceType = /^(alias|key)(\/.*)*$/
+
 export function regionFromKmsKeyArn (kmsKeyArn: string): string {
  /* Precondition: A KMS key arn must be a string. */
  needs(typeof kmsKeyArn === 'string', 'KMS key arn must be a string.')
@@ -23,17 +32,30 @@ export function regionFromKmsKeyArn (kmsKeyArn: string): string {
  * arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
  * arn:aws:kms:us-east-1:123456789012:alias/example-alias
  */
- const [arnLiteral, partition, service, region] = kmsKeyArn.split(':')
+ const [arnLiteral, partition, service, region = ''] = kmsKeyArn.split(':')
 
  /* Postcondition: The ARN must be well formed.
  * The arn and kms section have defined values,
  * but the aws section does not.
+ * It is also possible to have a a key or alias.
+ * In this case the partition, service, region
+ * will be empty.
+ * In this case the arnLiteral should look like an alias.
  */
  needs(
- arnLiteral === 'arn' &&
- partition &&
- service === 'kms' &&
- region,
+ (arnLiteral === 'arn' &&
+ partition &&
+ service === 'kms' &&
+ region) ||
+ /* Partition may or may not have a value.
+ * If the resourceType delimiter is /,
+ * it will not have a value.
+ * However if the delimiter is : it will
+ * because of the split(':')
+ */
+ (!service &&
+ !region &&
+ arnLiteral.match(aliasOrKeyResourceType)),
  'Malformed arn.')
 
  return region

modules/kms-keyring/test/kms_keyring.constructor.test.ts

@@ -75,7 +75,7 @@ describe('KmsKeyring: constructor', () => {
  expect(() => new TestKmsKeyring({ clientProvider, generatorKeyId, keyIds, discovery })).to.throw()
  })
 
- it('Precondition: All KMS key arns must be valid.', () => {
+ it('Precondition: All KMS key identifiers must be valid.', () => {
  const clientProvider: any = () => {}
  class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
 
@@ -95,6 +95,18 @@ describe('KmsKeyring: constructor', () => {
  })).to.throw()
  })
 
+ it('An KMS CMK alias is a valid CMK identifier', () => {
+ const clientProvider: any = () => {}
+ class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
+
+ const test = new TestKmsKeyring({
+ clientProvider,
+ generatorKeyId: 'alias/example-alias',
+ keyIds: ['alias:example-alias']
+ })
+ expect(test).to.be.instanceOf(TestKmsKeyring)
+ })
+
  it('Precondition: clientProvider needs to be a callable function.', () => {
  class TestKmsKeyring extends KmsKeyringClass(Keyring as KeyRingConstructible<NodeAlgorithmSuite>) {}
  const clientProvider: any = 'not function'

modules/kms-keyring/test/region_from_kms_key_arn.test.ts

@@ -25,6 +25,19 @@ describe('regionFromKmsKeyArn', () => {
  expect(test1).to.equal('us-east-1')
  const test2 = regionFromKmsKeyArn('arn:aws:kms:us-east-1:123456789012:alias/example-alias')
  expect(test2).to.equal('us-east-1')
+ const test3 = regionFromKmsKeyArn('arn:aws:kms:us-east-1:123456789012:12345678-1234-1234-1234-123456789012')
+ expect(test3).to.equal('us-east-1')
+ })
+
+ it('return empty string for an alias', () => {
+ expect(regionFromKmsKeyArn('alias/example-alias')).to.equal('')
+ expect(regionFromKmsKeyArn('alias:example-alias')).to.equal('')
+ /* using a keyId is confusing.
+ * It should work but is not recommended.
+ * Figuring out what region they CMK exist in is difficult.
+ */
+ expect(regionFromKmsKeyArn('key/12345678-1234-1234-1234-123456789012')).to.equal('')
+ expect(regionFromKmsKeyArn('key:12345678-1234-1234-1234-123456789012')).to.equal('')
  })
 
  it('Precondition: A KMS key arn must be a string.', () => {
@@ -40,5 +53,14 @@ describe('regionFromKmsKeyArn', () => {
  expect(() => regionFromKmsKeyArn('arn:aws:NOTkms:us-east-1:123456789012:alias/example-alias')).to.throw()
  // empty region
  expect(() => regionFromKmsKeyArn('arn:aws:kms::123456789012:alias/example-alias')).to.throw()
+
+ // no resource type
+ expect(() => regionFromKmsKeyArn('example-alias')).to.throw()
+ // invalid resource type
+ expect(() => regionFromKmsKeyArn('something/example-alias')).to.throw()
+ expect(() => regionFromKmsKeyArn('something:example-alias')).to.throw()
+ // invalid delimiter
+ expect(() => regionFromKmsKeyArn('alias_example-alias')).to.throw()
+ expect(() => regionFromKmsKeyArn('key_12345678-1234-1234-1234-123456789012')).to.throw()
  })
 })