export function validateBranchKeyRecord()

in modules/branch-keystore-node/src/branch_keystore_helpers.ts [99:182]


/**
 * Checks that a raw item from the branch keystore (a DDB response item) has
 * the attributes required by the record format, and returns it typed as a
 * BranchKeyRecord.
 *
 * Validation is structural only: each required attribute must be present and
 * have the expected JavaScript type. The values themselves (KMS ARN syntax,
 * timestamp format, version string) are not inspected here, and nothing in
 * this function authenticates the wrapped key in `enc`. A record that passes
 * is well-formed, not trusted.
 *
 * The checks run in a fixed order, so the first failing attribute determines
 * which message is reported.
 *
 * @param item - raw keystore item to validate
 * @returns a shallow copy of `item`, asserted to be a BranchKeyRecord
 * @throws whatever `needs` raises when a condition is false (presumably an
 *   Error carrying the message passed at the call site; confirm against the
 *   definition of `needs`)
 */
export function validateBranchKeyRecord(item: BranchKeyItem): BranchKeyRecord {
  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `branch-key-id` : Unique identifier for a branch key; represented as [AWS DDB String](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  // Presence and type only: an empty string satisfies this check.
  needs(
    BRANCH_KEY_IDENTIFIER_FIELD in item &&
      typeof item[BRANCH_KEY_IDENTIFIER_FIELD] === 'string',
    `Branch keystore record does not contain a ${BRANCH_KEY_IDENTIFIER_FIELD} field of type string`
  )

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `type` : One of the following; represented as [AWS DDB String](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  //#    - The string literal `"beacon:ACTIVE"`. Then `enc` is the wrapped beacon key.
  //#    - The string `"branch:version:"` + `version`, where `version` is the Branch Key Version. Then `enc` is the wrapped branch key.
  //#    - The string literal `"branch:ACTIVE"`. Then `enc` is the wrapped beacon key of the active version. Then
  // The active and beacon types are matched exactly; the versioned type is
  // matched by prefix only, so any suffix (including an empty one) after
  // BRANCH_KEY_TYPE_PREFIX is accepted here.
  // NOTE(review): confirm that the version suffix is validated or bound to the
  // record elsewhere before the key is used.
  needs(
    TYPE_FIELD in item &&
      typeof item[TYPE_FIELD] === 'string' &&
      (item[TYPE_FIELD] === BRANCH_KEY_ACTIVE_TYPE ||
        item[TYPE_FIELD].startsWith(BRANCH_KEY_TYPE_PREFIX) ||
        item[TYPE_FIELD] === BEACON_KEY_TYPE_VALUE),
    `Branch keystore record does not contain a valid ${TYPE_FIELD} field of type string`
  )

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `version` : Only exists if `type` is the string literal `"branch:ACTIVE"`.
  //#   Then it is the Branch Key Version. represented as [AWS DDB String](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  // The version attribute is required only for the active record type. Its
  // presence on any other record type is not rejected by this function.
  if (item[TYPE_FIELD] === BRANCH_KEY_ACTIVE_TYPE) {
    needs(
      BRANCH_KEY_ACTIVE_VERSION_FIELD in item &&
        typeof item[BRANCH_KEY_ACTIVE_VERSION_FIELD] === 'string',
      `Branch keystore record does not contain a ${BRANCH_KEY_ACTIVE_VERSION_FIELD} field of type string`
    )
  }

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `enc` : Encrypted version of the key;
  //#   represented as [AWS DDB Binary](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  // Only the runtime class is checked: a zero-length Uint8Array passes, and
  // the ciphertext is not interpreted or verified at this point.
  needs(
    BRANCH_KEY_FIELD in item && item[BRANCH_KEY_FIELD] instanceof Uint8Array,
    `Branch keystore record does not contain ${BRANCH_KEY_FIELD} field of type Uint8Array`
  )

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `kms-arn`: The AWS KMS Key ARN used to generate the `enc` value.
  //#   represented as [AWS DDB String](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  // Any string is accepted; ARN syntax is not checked here.
  // NOTE(review): the stored ARN comes from the table, so whether it is
  // compared against the configured KMS key must be decided by the caller.
  needs(
    KMS_FIELD in item && typeof item[KMS_FIELD] === 'string',
    `Branch keystore record does not contain ${KMS_FIELD} field of type string`
  )

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `create-time`: Timestamp in ISO 8601 format in UTC, to microsecond precision.
  //#   Represented as [AWS DDB String](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  // Any string is accepted; the ISO 8601 format is not parsed or enforced.
  needs(
    KEY_CREATE_TIME_FIELD in item &&
      typeof item[KEY_CREATE_TIME_FIELD] === 'string',
    `Branch keystore record does not contain ${KEY_CREATE_TIME_FIELD} field of type string`
  )

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# 1. `hierarchy-version`: Version of the hierarchical keyring;
  //#   represented as [AWS DDB Number](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypes)
  // `typeof ... === 'number'` also admits NaN, Infinity and non-integers, so
  // this does not establish that the value is a supported version.
  needs(
    HIERARCHY_VERSION_FIELD in item &&
      typeof item[HIERARCHY_VERSION_FIELD] === 'number',
    `Branch keystore record does not contain ${HIERARCHY_VERSION_FIELD} field of type number`
  )

  // This requirement is around the construction of the encryption context.
  // It is possible that customers will have constructed their own branch keys
  // with a custom creation method.
  // In this case encryption context may not be prefixed.
  // The Dafny version of this code does not enforce
  // that additional encryption context keys MUST be prefixed,
  // therefore the JS release does not as well.

  //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
  //# A branch key record MAY include [custom encryption context](../branch-key-store.md#custom-encryption-context) key-value pairs.
  //# These attributes should be prefixed with `aws-crypto-ec:` the same way they are for [AWS KMS encryption context](../branch-key-store.md#encryption-context).

  // Return a shallow copy of the item typed as a branch key record.
  // The `as` cast is not checked by the compiler; it relies entirely on the
  // runtime checks above. Every other attribute on the item (for example
  // custom encryption context pairs) is copied through without validation,
  // and the copy is shallow, so the `enc` Uint8Array is shared with `item`.
  return Object.assign({}, item) as BranchKeyRecord
}