type checks to class constructors and methods (#637)

* type checks to class constructors and methods

* modify grant token initialization

Author: nvobilis

modules/branch-keystore-node/src/branch_keystore.ts

@@ -1,7 +1,7 @@
 // Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { KmsConfig, RegionalKmsConfig } from './kms_config'
+import { isKmsConfig, KmsConfig, RegionalKmsConfig } from './kms_config'
 import { KMSClient } from '@aws-sdk/client-kms'
 import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
 import {
@@ -54,7 +54,7 @@ export interface IBranchKeyStoreNode {
   kmsClient: KMSClient
   ddbClient: DynamoDBClient
   keyStoreId: string
-  grantTokens: ReadonlyArray<string>
+  grantTokens?: ReadonlyArray<string>
 
   getActiveBranchKey(branchKeyId: string): Promise<NodeBranchKeyMaterial>
   getBranchKeyVersion(
@@ -70,7 +70,7 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
   public declare kmsClient: KMSClient
   public declare ddbClient: DynamoDBClient
   public declare keyStoreId: string
-  public declare grantTokens: ReadonlyArray<string>
+  public declare grantTokens?: ReadonlyArray<string>
 
   constructor({
     ddbTableName,
@@ -81,18 +81,67 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     keyStoreId,
     grantTokens,
   }: BranchKeyStoreNodeInput) {
+    /* Precondition: DDB table name must be a string */
+    needs(typeof ddbTableName === 'string', 'DDB table name must be a string')
+
+    /* Precondition: Logical keystore name must be a string */
+    needs(
+      typeof logicalKeyStoreName === 'string',
+      'Logical keystore name must be a string'
+    )
+
+    /* Precondition: KMS Configuration must be SRK */
+    needs(isKmsConfig(kmsConfiguration), 'KMS Configuration must be SRK')
+
+    /* Precondition: KMS client must be a KMSClient */
+    if (kmsClient) {
+      needs(kmsClient instanceof KMSClient, 'KMS client must be a KMSClient')
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      kmsClient = undefined
+    }
+
+    /* Precondition: DDB client must be a DynamoDBClient */
+    if (ddbClient) {
+      needs(
+        ddbClient instanceof DynamoDBClient,
+        'DDB client must be a DynamoDBClient'
+      )
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      ddbClient = undefined
+    }
+
+    /* Precondition: Keystore id must be a string */
+    if (keyStoreId) {
+      needs(typeof keyStoreId === 'string', 'Keystore id must be a string')
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      keyStoreId = undefined
+    }
+
+    /* Precondition: Grant tokens must be a string array */
+    if (grantTokens) {
+      needs(
+        Array.isArray(grantTokens) &&
+          grantTokens.every((grantToken) => typeof grantToken === 'string'),
+        'Grant tokens must be a string array'
+      )
+    } else {
+      // ensure it's strictly undefined and not some other falsey value
+      grantTokens = undefined
+    }
+
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#keystore-id
     //# The Identifier for this KeyStore.
     //# If one is not supplied, then a [version 4 UUID](https://www.ietf.org/rfc/rfc4122.txt) MUST be used.
     readOnlyProperty(this, 'keyStoreId', keyStoreId ? keyStoreId : v4())
+    /* Postcondition: If unprovided, the keystore id is a generated valid uuidv4 */
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-grant-tokens
     //# A list of AWS KMS [grant tokens](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token).
-    readOnlyProperty(
-      this,
-      'grantTokens',
-      Object.freeze(grantTokens ? grantTokens : [])
-    )
+    readOnlyProperty(this, 'grantTokens', grantTokens)
+    /* Postcondition: If unprovided, the grant tokens are undefined */
 
     needs(kmsConfiguration, 'AWS KMS Configuration required')
     readOnlyProperty(this, 'kmsConfiguration', Object.freeze(kmsConfiguration))
@@ -125,6 +174,7 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
           region: (this.kmsConfiguration as RegionalKmsConfig).getRegion(),
         })
     )
+    /* Postcondition: If unprovided, the DDB client is configured */
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#kms-client
     //# The KMS Client used when wrapping and unwrapping keys.
@@ -159,6 +209,7 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
           customUserAgent: KMS_CLIENT_USER_AGENT,
         })
     )
+    /* Postcondition: If unprovided, the KMS client is configured */
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#table-name
     //# The table name of the DynamoDb table that backs this Keystore.
@@ -223,7 +274,10 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
     //# On invocation, the caller:
 
     //# - MUST supply a `branch-key-id`
-    needs(branchKeyId, 'MUST supply a branch key id')
+    needs(
+      branchKeyId && typeof branchKeyId === 'string',
+      'MUST supply a string branch key id'
+    )
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#getactivebranchkey
     //# To get the active version for the branch key id from the keystore
@@ -244,9 +298,13 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 
     //# - MUST supply a `branch-key-id`
     //# - MUST supply a `branchKeyVersion`
+    needs(
+      branchKeyId && typeof branchKeyId === 'string',
+      'MUST supply a string branch key id'
+    )
     needs(
       branchKeyId && branchKeyVersion,
-      'MUST supply a branch key id and branch key version'
+      'MUST supply a string branch key version'
     )
 
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#getbranchkeyversion
@@ -260,3 +318,10 @@ export class BranchKeyStoreNode implements IBranchKeyStoreNode {
 }
 
 immutableClass(BranchKeyStoreNode)
+
+// type guard
+export function isIBranchKeyStoreNode(
+  keyStore: any
+): keyStore is BranchKeyStoreNode {
+  return keyStore instanceof BranchKeyStoreNode
+}

modules/branch-keystore-node/src/branch_keystore_helpers.ts

@@ -269,7 +269,7 @@ export async function decryptBranchKey(
       KeyId: (kmsConfiguration as KmsKeyArnConfig).getArn(), // make this type casting assumption since only SRK Compatibility is supported currently
       CiphertextBlob: branchKeyRecord[BRANCH_KEY_FIELD],
       EncryptionContext: authenticatedEncryptionContext,
-      GrantTokens: grantTokens.slice(),
+      GrantTokens: grantTokens ? grantTokens.slice() : grantTokens,
     })
   )
 

modules/branch-keystore-node/src/kms_config.ts

@@ -37,6 +37,9 @@ export abstract class KmsKeyArnConfig implements RegionalKmsConfig {
   //# `KMS Key ARN` and `KMS MRKey ARN` MUST take an additional argument
   //# that is a KMS ARN.
   constructor(arn: string) {
+    /* Precondition: ARN must be a string */
+    needs(typeof arn === 'string', 'ARN must be a string')
+
     //= aws-encryption-sdk-specification/framework/branch-key-store.md#aws-kms-configuration
     //# This ARN MUST NOT be an Alias.
     //# This ARN MUST be a valid
@@ -76,3 +79,7 @@ export class SrkCompatibilityKmsConfig extends KmsKeyArnConfig {
     return this.getArn() === otherArn
   }
 }
+
+export function isKmsConfig(config: any): config is SrkCompatibilityKmsConfig {
+  return config instanceof SrkCompatibilityKmsConfig
+}