prefix is not required

aws · Jan 15, 2025 · 90d1fc3 · 90d1fc3
1 parent c7d3968
commit 90d1fc3
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 19 deletions.
diff --git a/modules/branch-keystore-node/src/branch_keystore_helpers.ts b/modules/branch-keystore-node/src/branch_keystore_helpers.ts
@@ -165,17 +165,18 @@ export function validateBranchKeyRecord(item: BranchKeyItem): BranchKeyRecord {
     `Branch keystore record does not contain ${HIERARCHY_VERSION_FIELD} field of type number`
   )
 
+
+  // This requirement is around the construction of the encryption context.
+  // It is possible that customers will have constructed their own branch keys
+  // with a custom creation method.
+  // In this case encryption context may not be prefixed.
+  // The Dafny version of this code does not enforce
+  // that additional encryption context keys MUST be prefixed,
+  // therefore the JS release does not as well.
+
   //= aws-encryption-sdk-specification/framework/key-store/dynamodb-key-storage.md#record-format
   //# A branch key record MAY include [custom encryption context](../branch-key-store.md#custom-encryption-context) key-value pairs.
   //# These attributes should be prefixed with `aws-crypto-ec:` the same way they are for [AWS KMS encryption context](../branch-key-store.md#encryption-context).
-  for (const field in item) {
-    if (!POTENTIAL_BRANCH_KEY_RECORD_FIELDS.includes(field)) {
-      needs(
-        field.startsWith(CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX),
-        `Custom encryption context key ${field} should be prefixed with ${CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX}`
-      )
-    }
-  }
 
   // serialize the DDB response item as a more well-defined and validated branch
   // key record object

diff --git a/modules/branch-keystore-node/test/branch_keystore_helpers.test.ts b/modules/branch-keystore-node/test/branch_keystore_helpers.test.ts
@@ -333,26 +333,18 @@ describe('Test keystore helpers', () => {
       })
     })
 
-    it('Active & versioned items have additional fields prefixed improperly', () => {
+    it('Active & versioned items may have additional fields that are not prefixed', () => {
       const activeItem = {
         ...ACTIVE_BRANCH_KEY,
         ...INVALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS,
       }
-      expect(() => validateBranchKeyRecord(activeItem)).to.throw(
-        `Custom encryption context key ${
-          Object.keys(INVALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS)[0]
-        } should be prefixed with ${CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX}`
-      )
+      expect(() => validateBranchKeyRecord(activeItem)).to.not.throw()
 
       const versionedItem = {
         ...VERSION_BRANCH_KEY,
         ...INVALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS,
       }
-      expect(() => validateBranchKeyRecord(versionedItem)).to.throw(
-        `Custom encryption context key ${
-          Object.keys(INVALID_CUSTOM_ENCRYPTION_CONTEXT_KV_PAIRS)[0]
-        } should be prefixed with ${CUSTOM_ENCRYPTION_CONTEXT_FIELD_PREFIX}`
-      )
+      expect(() => validateBranchKeyRecord(versionedItem)).to.not.throw()
     })
   })