in src/utils/eif_signer.rs [426:460]
/// Negative cases for `parse_kms_arn`: every string listed here must be rejected (`None`).
///
/// The loop stops at the first candidate the parser accepts; the panic message names it.
fn test_invalid_kms_arns() {
    // Each entry is labelled with the reason it is expected to fail.
    let rejected_cases = [
        // Partition segment is `invalid`
        "arn:invalid:kms:us-east-1:123456789012:key/abcd1234",
        // Region segment is empty
        "arn:aws:kms::123456789012:key/abcd1234",
        // Account ID has 11 digits
        "arn:aws:kms:us-east-1:12345678901:key/abcd1234",
        // Account ID has 13 digits
        "arn:aws:kms:us-east-1:1234567890123:key/abcd1234",
        // Account ID contains a letter
        "arn:aws:kms:us-east-1:12345678901a:key/abcd1234",
        // Service is `s3`, not `kms`
        "arn:aws:s3:us-east-1:123456789012:key/abcd1234",
        // Resource type is `alias`, not `key`.
        // NOTE(review): alias ARNs are well-formed KMS ARNs; rejecting them implies only
        // key ARNs are accepted here. Confirm that this restriction is intended.
        "arn:aws:kms:us-east-1:123456789012:alias/abcd1234",
        // Key ID contains `@`
        "arn:aws:kms:us-east-1:123456789012:key/abc@1234",
        // Key ID is absent (after `key/` and after `key:`)
        "arn:aws:kms:us-east-1:123456789012:key/",
        "arn:aws:kms:us-east-1:123456789012:key:",
        // `-` where the `key/` separator is expected
        "arn:aws:kms:us-east-1:123456789012:key-abcd1234",
        // Empty input
        "",
    ];

    for &candidate in &rejected_cases {
        let rejected = parse_kms_arn(candidate).is_none();
        assert!(rejected, "ARN should not match: {}", candidate);
    }
}