@@ -10,6 +10,7 @@ import {
1010} from '@aws-sdk/client-kms'
1111import { APIGatewayProxyEvent , Context } from 'aws-lambda'
1212import { mockClient } from 'aws-sdk-client-mock'
13+ import 'aws-sdk-client-mock-jest'
1314import { jwtDecode as jwt_decode } from 'jwt-decode'
1415
1516process . env . CURRENT_KEY = 'key-1' // Set env var as it is called on load of the file
@@ -111,6 +112,9 @@ describe('handlers/sign/sign.ts', () => {
111112
112113 expect ( response . statusCode ) . toEqual ( 500 )
113114 expect ( response . body ) . toEqual ( 'KMS key is not correctly tagged' )
115+ expect ( kmsMock ) . toHaveReceivedCommandWith ( DescribeKeyCommand , { KeyId : 'key-1' } )
116+ expect ( kmsMock ) . toHaveReceivedCommandWith ( ListResourceTagsCommand , { KeyId : 'key-1' } )
117+ expect ( kmsMock ) . not . toHaveReceivedCommand ( SignCommand )
114118 } )
115119
116120 test ( 'it should respond internal server error if the KeyId is not in the metadata' , async ( ) => {
@@ -121,6 +125,9 @@ describe('handlers/sign/sign.ts', () => {
121125
122126 expect ( response . statusCode ) . toEqual ( 500 )
123127 expect ( response . body ) . toEqual ( 'KMS key could not be retrieved' )
128+ expect ( kmsMock ) . toHaveReceivedCommandWith ( DescribeKeyCommand , { KeyId : 'key-1' } )
129+ expect ( kmsMock ) . not . toHaveReceivedCommand ( ListResourceTagsCommand )
130+ expect ( kmsMock ) . not . toHaveReceivedCommand ( SignCommand )
124131 } )
125132
126133 test ( 'should sign correctly' , async ( ) => {
@@ -173,6 +180,16 @@ describe('handlers/sign/sign.ts', () => {
173180
174181 const tokenParts = responseBody . token . split ( '.' )
175182 expect ( tokenParts [ 2 ] ) . toEqual ( `${ b64Signature . replace ( '==' , '' ) } ` )
183+
184+ // Verify KMS was called with correct parameters
185+ expect ( kmsMock ) . toHaveReceivedCommandWith ( DescribeKeyCommand , { KeyId : 'key-1' } )
186+ expect ( kmsMock ) . toHaveReceivedCommandWith ( ListResourceTagsCommand , { KeyId : 'key-1' } )
187+ expect ( kmsMock ) . toHaveReceivedCommandWith ( SignCommand , {
188+ KeyId : 'key-1' ,
189+ SigningAlgorithm : 'RSASSA_PKCS1_V1_5_SHA_256' ,
190+ MessageType : 'RAW' ,
191+ Message : expect . any ( Buffer )
192+ } )
176193 } )
177194} )
178195
@@ -209,6 +226,15 @@ describe('handlers/sign/sign.ts - additional coverage', () => {
209226
210227 const decodedToken : any = jwt_decode ( token )
211228 expect ( decodedToken . aud ) . toBe ( 'custom-aud' )
229+
230+ expect ( kmsMock ) . toHaveReceivedCommandTimes ( DescribeKeyCommand , 1 )
231+ expect ( kmsMock ) . toHaveReceivedCommandTimes ( ListResourceTagsCommand , 1 )
232+ expect ( kmsMock ) . toHaveReceivedCommandWith ( SignCommand , {
233+ KeyId : 'key-1' ,
234+ SigningAlgorithm : 'RSASSA_PKCS1_V1_5_SHA_256' ,
235+ MessageType : 'RAW' ,
236+ Message : expect . any ( Buffer )
237+ } )
212238 } )
213239
214240 test ( 'should handle missing queryStringParameters' , async ( ) => {
@@ -267,6 +293,7 @@ describe('handlers/sign/sign.ts - additional coverage', () => {
267293 const response = await handler ( event , CONTEXT )
268294 expect ( response . statusCode ) . toBe ( 500 )
269295 expect ( response . body ) . toEqual ( 'KMS key is not correctly tagged' )
296+ expect ( kmsMock ) . not . toHaveReceivedCommand ( SignCommand )
270297 } )
271298
272299 test ( 'should handle missing KeyId in DescribeKeyCommand' , async ( ) => {
@@ -277,6 +304,8 @@ describe('handlers/sign/sign.ts - additional coverage', () => {
277304 const response = await handler ( event , CONTEXT )
278305 expect ( response . statusCode ) . toBe ( 500 )
279306 expect ( response . body ) . toEqual ( 'KMS key could not be retrieved' )
307+ expect ( kmsMock ) . toHaveReceivedCommandTimes ( DescribeKeyCommand , 1 )
308+ expect ( kmsMock ) . not . toHaveReceivedCommand ( ListResourceTagsCommand )
280309 } )
281310
282311 test ( 'should handle missing userArn' , async ( ) => {
@@ -286,6 +315,7 @@ describe('handlers/sign/sign.ts - additional coverage', () => {
286315 const response = await handler ( event , CONTEXT )
287316 expect ( response . statusCode ) . toBe ( 400 )
288317 expect ( response . body ) . toEqual ( 'Unable to resolve identity' )
318+ expect ( kmsMock ) . not . toHaveReceivedCommand ( DescribeKeyCommand )
289319 } )
290320
291321 test ( 'should handle completely invalid arn' , async ( ) => {
@@ -295,6 +325,7 @@ describe('handlers/sign/sign.ts - additional coverage', () => {
295325 const response = await handler ( event , CONTEXT )
296326 expect ( response . statusCode ) . toBe ( 400 )
297327 expect ( response . body ) . toEqual ( 'Unable to resolve identity' )
328+ expect ( kmsMock ) . not . toHaveReceivedCommand ( DescribeKeyCommand )
298329 } )
299330
300331 test ( 'should handle error when ListResourceTagsCommand returns undefined' , async ( ) => {
@@ -308,6 +339,7 @@ describe('handlers/sign/sign.ts - additional coverage', () => {
308339 const response = await handler ( event , CONTEXT )
309340 expect ( response . statusCode ) . toBe ( 500 )
310341 expect ( response . body ) . toEqual ( 'KMS key is not correctly tagged' )
342+ expect ( kmsMock ) . not . toHaveReceivedCommand ( SignCommand )
311343 } )
312344} )
313345
0 commit comments