AwsEncryptionSdk.Keyring.KmsKeyArn (AWS Encryption SDK v0.7.0)


AWS KMS Key ARN parsing, validation, and MRK matching utilities.

Implements the AWS Encryption SDK specification for KMS key identifiers:

ARN Format

AWS KMS ARNs follow the format: arn:partition:kms:region:account:resource-type/resource-id

Example: arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab

Multi-Region Keys (MRK)

Multi-Region keys have resource IDs that start with mrk-. They can be used interchangeably across regions for decrypt operations.

Summary

Functions

arn?(identifier) - Checks if a string looks like an ARN (starts with "arn:").

mrk?(identifier) - Determines if a key identifier represents a Multi-Region Key (MRK).

mrk_match?(identifier_a, identifier_b) - Determines if two key identifiers match for decrypt purposes.

parse(arn_string) - Parses an AWS KMS ARN string into a structured format.

to_string(arn) - Reconstructs an ARN string from a parsed KmsKeyArn struct.

Types

t()

@type t() :: %AwsEncryptionSdk.Keyring.KmsKeyArn{
  account: String.t(),
  partition: String.t(),
  region: String.t(),
  resource_id: String.t(),
  resource_type: String.t(),
  service: String.t()
}

Functions

arn?(identifier)

@spec arn?(String.t()) :: boolean()

Checks if a string looks like an ARN (starts with "arn:").

Examples

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.arn?("arn:aws:kms:us-west-2:123:key/abc")
true

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.arn?("mrk-123")
false

mrk?(identifier)

@spec mrk?(t() | String.t()) :: boolean()

Determines if a key identifier represents a Multi-Region Key (MRK).

Accepts either a parsed KmsKeyArn struct or a string identifier.

Parameters

  • identifier - A KmsKeyArn struct or a string key identifier

Returns

  • true if the identifier represents an MRK
  • false otherwise

Rules

For ARN structs:

  • Resource type "alias" always returns false
  • Resource type "key" with ID starting with "mrk-" returns true
  • Otherwise returns false

For string identifiers:

  • Strings starting with "arn:" are parsed and checked as ARNs
  • Strings starting with "alias/" return false
  • Strings starting with "mrk-" return true
  • All other strings return false

Examples

iex> {:ok, arn} = AwsEncryptionSdk.Keyring.KmsKeyArn.parse("arn:aws:kms:us-west-2:123:key/mrk-abc")
iex> AwsEncryptionSdk.Keyring.KmsKeyArn.mrk?(arn)
true

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.mrk?("mrk-abc123")
true

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.mrk?("alias/my-key")
false

mrk_match?(identifier_a, identifier_b)

@spec mrk_match?(String.t(), String.t()) :: boolean()

Determines if two key identifiers match for decrypt purposes.

This implements the AWS KMS MRK Match for Decrypt algorithm. Two identifiers match if:

  1. They are identical strings, OR
  2. Both are Multi-Region keys with the same partition, service, account, resource type, and resource ID (region may differ)

Parameters

  • identifier_a - First AWS KMS key identifier (ARN or raw ID)
  • identifier_b - Second AWS KMS key identifier (ARN or raw ID)

Returns

  • true if the identifiers match for decrypt purposes
  • false otherwise

Examples

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.mrk_match?(
...>   "arn:aws:kms:us-west-2:123:key/mrk-abc",
...>   "arn:aws:kms:us-east-1:123:key/mrk-abc"
...> )
true

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.mrk_match?(
...>   "arn:aws:kms:us-west-2:123:key/mrk-abc",
...>   "arn:aws:kms:us-west-2:123:key/normal-key"
...> )
false

parse(arn_string)

@spec parse(String.t()) :: {:ok, t()} | {:error, term()}

Parses an AWS KMS ARN string into a structured format.

Parameters

  • arn_string - A string containing an AWS KMS ARN

Returns

  • {:ok, t()} on successful parsing
  • {:error, reason} on validation failure

Errors

  • {:error, :invalid_prefix} - ARN does not start with "arn"
  • {:error, :empty_partition} - Partition component is empty
  • {:error, :empty_service} - Service component is empty
  • {:error, :invalid_service} - Service is not "kms"
  • {:error, :empty_region} - Region component is empty
  • {:error, :empty_account} - Account component is empty
  • {:error, :invalid_resource_section} - Resource section missing "/" separator
  • {:error, :empty_resource_type} - Resource type is empty
  • {:error, :invalid_resource_type} - Resource type not "alias" or "key"
  • {:error, :empty_resource_id} - Resource ID is empty

Examples

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.parse("arn:aws:kms:us-west-2:123456789012:key/1234abcd")
{:ok, %AwsEncryptionSdk.Keyring.KmsKeyArn{
  partition: "aws",
  service: "kms",
  region: "us-west-2",
  account: "123456789012",
  resource_type: "key",
  resource_id: "1234abcd"
}}

iex> AwsEncryptionSdk.Keyring.KmsKeyArn.parse("invalid")
{:error, :invalid_prefix}
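The mrk?/1 rules and the MRK Match for Decrypt algorithm described above, written out as an added stand-alone Elixir module (example code, not the library's own): it assumes the hypothetical module name MrkMatchExample, uses plain maps instead of the KmsKeyArn struct, and exercises constructed sample ARNs with placeholder account ids.

```elixir
defmodule MrkMatchExample do
  # Stand-alone reimplementation of the documented rules, not the library's
  # own code. Error atoms mirror those listed for parse/1.
  def parse("arn:" <> rest) do
    with [partition, service, region, account, resource] <- String.split(rest, ":", parts: 5),
         [type, id] <- String.split(resource, "/", parts: 2) do
      validate(%{partition: partition, service: service, region: region,
                 account: account, resource_type: type, resource_id: id})
    else
      _ -> {:error, :invalid_resource_section}
    end
  end
  def parse(_), do: {:error, :invalid_prefix}
  defp validate(%{partition: ""}), do: {:error, :empty_partition}
  defp validate(%{service: ""}), do: {:error, :empty_service}
  defp validate(%{service: s}) when s != "kms", do: {:error, :invalid_service}
  defp validate(%{region: ""}), do: {:error, :empty_region}
  defp validate(%{account: ""}), do: {:error, :empty_account}
  defp validate(%{resource_type: ""}), do: {:error, :empty_resource_type}
  defp validate(%{resource_type: t}) when t not in ["alias", "key"], do: {:error, :invalid_resource_type}
  defp validate(%{resource_id: ""}), do: {:error, :empty_resource_id}
  defp validate(arn), do: {:ok, arn}
  # Aliases are never MRKs, even when the alias name itself starts with "mrk-".
  def mrk?(%{resource_type: "key", resource_id: "mrk-" <> _}), do: true
  def mrk?(%{}), do: false
  # MRK Match for Decrypt: identical strings match; otherwise both must parse
  # as MRK key ARNs that agree on every component except region.
  def mrk_match?(a, a), do: true
  def mrk_match?(a, b) do
    with {:ok, x} <- parse(a), {:ok, y} <- parse(b), true <- mrk?(x) and mrk?(y) do
      Map.delete(x, :region) == Map.delete(y, :region)
    else
      _ -> false
    end
  end
  # Constructed sample ARNs with placeholder account ids, one case per documented rule.
  def demo do
    west = "arn:aws:kms:us-west-2:111122223333:key/mrk-1234"
    east = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234"
    %{
      replica_in_other_region: mrk_match?(west, east),
      other_account: mrk_match?(west, String.replace(east, "111122223333", "444455556666")),
      alias_never_mrk: mrk_match?(String.replace(west, "key/", "alias/"), String.replace(east, "key/", "alias/")),
      single_region_key: mrk_match?(String.replace(west, "mrk-", ""), String.replace(east, "mrk-", ""))
    }
  end
end
```

Only the first case in demo/0 matches; a different account, an alias ARN, or a single-region key in another region is rejected, which is what keeps a decrypting keyring from accepting a key it was not configured for.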

to_string(arn)

@spec to_string(t()) :: String.t()

Reconstructs an ARN string from a parsed KmsKeyArn struct.

Examples

iex> {:ok, arn} = AwsEncryptionSdk.Keyring.KmsKeyArn.parse("arn:aws:kms:us-west-2:123:key/abc")
iex> AwsEncryptionSdk.Keyring.KmsKeyArn.to_string(arn)
"arn:aws:kms:us-west-2:123:key/abc"