33import { arsenalErrorAWSKMS } from '../utils' ;
44import { Agent as HttpAgent } from 'http' ;
55import { Agent as HttpsAgent } from 'https' ;
6- import { KMSClient ,
7- CreateKeyCommand ,
6+ import {
7+ KMSClient ,
8+ CreateKeyCommand ,
89 ScheduleKeyDeletionCommand ,
9- GenerateDataKeyCommand ,
10- EncryptCommand ,
11- DecryptCommand ,
12- ListKeysCommand ,
13- NotFoundException ,
14- KMSInvalidStateException } from '@aws-sdk/client-kms' ;
10+ GenerateDataKeyCommand ,
11+ EncryptCommand ,
12+ DecryptCommand ,
13+ NotFoundException ,
14+ KMSInvalidStateException ,
15+ } from '@aws-sdk/client-kms' ;
1516const { NodeHttpHandler } = require ( '@smithy/node-http-handler' ) ;
1617import * as werelogs from 'werelogs' ;
1718import assert from 'assert' ;
@@ -60,7 +61,7 @@ export default class Client implements KMSInterface {
6061
6162 constructor ( options : ClientOptions ) {
6263 this . _supportsDefaultKeyPerAccount = true ;
63- const { providerName, tls, ak, sk, region, endpoint, noAwsArn } = options . kmsAWS ;
64+ const { providerName, tls, ak, sk, region, endpoint, noAwsArn } = options . kmsAWS ;
6465
6566 const requestHandler = new NodeHttpHandler ( {
6667 httpAgent : ! tls ? new HttpAgent ( {
@@ -134,9 +135,13 @@ export default class Client implements KMSInterface {
134135 // Prefer ARN, but fall back to KeyId if ARN is missing
135136 keyId = keyMetadata ?. Arn ?? ( keyMetadata ?. KeyId || '' ) ;
136137 }
138+ // May produce double arn prefix: scality arn + aws arn
139+ // arn:scality:kms:external:aws_kms:custom:key/arn:aws:kms:region:accountId:key/cbd69d33-ba8e-4b56-8cfe
140+ // If this is a problem, a config flag should be used to hide the scality arn when returning the KMS KeyId
141+ // or aws arn when creating the KMS Key
137142 const arn = `${ this . backend . arnPrefix } ${ keyId } ` ;
138143 cb ( null , keyId , arn ) ;
139- } ) . catch ( err => {
144+ } ) . catch ( ( err : Error ) => {
140145 const error = arsenalErrorAWSKMS ( err ) ;
141146 logger . error ( 'AWS KMS: failed to create master encryption key' , { err } ) ;
142147 cb ( error ) ;
@@ -170,9 +175,10 @@ export default class Client implements KMSInterface {
170175 return ;
171176 }
172177 cb ( null ) ;
173- } ) . catch ( err => {
178+ } ) . catch ( ( err : Error ) => {
174179 if ( err instanceof NotFoundException || err instanceof KMSInvalidStateException ) {
175- logger . info ( 'AWS KMS: key does not exist or is already pending deletion' , { masterKeyId, error : err } ) ;
180+ // master key does not exist or is already pending deletion
181+ logger . warn ( 'AWS KMS: key does not exist or is already pending deletion' , { masterKeyId, error : err } ) ;
176182 return cb ( null ) ;
177183 }
178184 const error = arsenalErrorAWSKMS ( err ) ;
@@ -204,7 +210,7 @@ export default class Client implements KMSInterface {
204210 const isolatedPlaintext = this . safePlaintext ( data . Plaintext as Buffer ) ;
205211 logger . debug ( 'AWS KMS: data key generated' ) ;
206212 cb ( null , isolatedPlaintext , Buffer . from ( data . CiphertextBlob as Uint8Array ) ) ;
207- } ) . catch ( err => {
213+ } ) . catch ( ( err : Error ) => {
208214 const error = arsenalErrorAWSKMS ( err ) ;
209215 logger . error ( 'AWS KMS: failed to generate data key' , { err } ) ;
210216 cb ( error ) ;
@@ -238,8 +244,7 @@ export default class Client implements KMSInterface {
238244
239245 logger . debug ( 'AWS KMS: data key ciphered' ) ;
240246 cb ( null , Buffer . from ( data . CiphertextBlob as Uint8Array ) ) ;
241- return ;
242- } ) . catch ( err => {
247+ } ) . catch ( ( err : Error ) => {
243248 const error = arsenalErrorAWSKMS ( err ) ;
244249 logger . error ( 'AWS KMS: failed to cipher data key' , { err } ) ;
245250 cb ( error ) ;
@@ -274,23 +279,29 @@ export default class Client implements KMSInterface {
274279
275280 logger . debug ( 'AWS KMS: data key deciphered' ) ;
276281 cb ( null , isolatedPlaintext ) ;
277- } ) . catch ( err => {
282+ } ) . catch ( ( err : Error ) => {
278283 const error = arsenalErrorAWSKMS ( err ) ;
279284 logger . error ( 'AWS KMS: failed to decipher data key' , { err } ) ;
280285 cb ( error ) ;
281286 } ) ;
282287 }
283288
284289 /**
285- * Healthcheck function to verify KMS connectivity
290+ * NOTE1: S3C-4833 KMS healthcheck is disabled in CloudServer.
291+ *
292+ * For the Arsenal client library we intentionally keep this as a no-op
293+ * to avoid making extra AWS KMS calls (which can incur costs and require
294+ * additional permissions). Callers should rely on higher-level health
295+ * checks provided by their services instead of this method.
286296 */
297+ /*
287298 healthcheck(logger: werelogs.Logger, cb: (err: Error | null) => void): void {
288299 logger.debug("AWS KMS: performing healthcheck");
289-
300+
290301 const command = new ListKeysCommand({
291302 Limit: 1,
292303 });
293-
304+
294305 this.client.send(command).then(() => {
295306 logger.debug("AWS KMS healthcheck: list keys succeeded");
296307 cb(null);
@@ -300,4 +311,5 @@ export default class Client implements KMSInterface {
300311 cb(error);
301312 });
302313 }
314+ */
303315}
0 commit comments