Merge pull request #141 from scality/improvement/OSIS-147-stop-osis-f…

…ailure-on-decryption Improvement: osis 147 stop osis failure on decryption
scality · May 22, 2024 · 357f00e · 357f00e
2 parents ea5000f + 4e97906
commit 357f00e
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/build.gradle b/build.gradle
@@ -1,6 +1,6 @@
 buildscript {
     ext {
-        osisVersion = '2.2.2'
+        osisVersion = '2.2.3'
         vaultclientVersion = '1.1.2'
         springBootVersion = '2.7.6'
     }

diff --git a/osis-core/src/main/java/com/scality/osis/service/impl/ScalityOsisServiceImpl.java b/osis-core/src/main/java/com/scality/osis/service/impl/ScalityOsisServiceImpl.java
@@ -1406,14 +1406,19 @@ private String retrieveSecretKey(String repoKey) throws Exception {
         String secretKey = null;
 
         if (repoVal != null) {
+            try {
+                // Using `repoKey` for Associated Data during decryption
+                secretKey = cipherFactory.getCipherByID(repoVal.getKeyID())
+                        .decrypt(repoVal,
+                                cipherFactory.getSecretCipherKeyByID(repoVal.getKeyID()),
+                                repoKey);
 
-            // Using `repoKey` for Associated Data during encryption
-            secretKey = cipherFactory.getCipherByID(repoVal.getKeyID())
-                    .decrypt(repoVal,
-                            cipherFactory.getSecretCipherKeyByID(repoVal.getKeyID()),
-                            repoKey);
-
-            logger.debug("[Cache] Retrieve Secret Key successful");
+                logger.debug("[Cache] Retrieve Secret Key successful");
+            } catch (Exception e) {
+                logger.error("Error: Unable to decrypt secret key data for Redis key: {}. Error details: {}", repoKey, e.getMessage());
+                logger.debug("Full stack trace:", e);
+                deleteSecretKey(repoKey);
+            }
         }
         return secretKey;
     }

diff --git a/...-core/src/test/java/com/scality/osis/service/impl/ScalityOsisServiceCredentialsTests.java b/...-core/src/test/java/com/scality/osis/service/impl/ScalityOsisServiceCredentialsTests.java
@@ -11,8 +11,10 @@
 import org.mockito.stubbing.Answer;
 import org.springframework.http.HttpStatus;
 
+import javax.crypto.AEADBadTagException;
 import java.util.Collections;
 import java.util.Date;
+import java.util.List;
 
 import static com.scality.osis.utils.ScalityConstants.*;
 import static com.scality.osis.utils.ScalityTestUtils.*;
@@ -451,6 +453,15 @@ void testGetS3CredentialWithNullTenantIdAndUserId() {
         assertTrue(result.getActive());
     }
 
+    @Test
+    void testGetS3CredentialsKeyPresentInRedisUnableToDecrypt() throws Exception {
+        when(baseCipherMock.decrypt(any(), any(), any())).thenThrow(new AEADBadTagException("Decryption failed"));
+        final OsisS3Credential result = scalityOsisServiceUnderTest.getS3Credential(SAMPLE_TENANT_ID, TEST_USER_ID, TEST_ACCESS_KEY);
+        // When decryption fails, the API call should succeed, and we should return the result with secret key listed as
+        // "Not Available"
+        assertEquals("Not Available", result.getSecretKey());
+    }
+
     @Test
     void testListS3Credentials() {
         // Setup
@@ -526,6 +537,15 @@ void testListS3CredentialsWithNoKeyOnRedis() {
 
     }
 
+    @Test
+    void testListS3CredentialsKeyPresentInRedisUnableToDecrypt() throws Exception {
+        when(baseCipherMock.decrypt(any(), any(), any())).thenThrow(new AEADBadTagException("Decryption failed"));
+        final List<OsisS3Credential> result = scalityOsisServiceUnderTest.listS3Credentials(TEST_TENANT_ID,
+                TEST_USER_ID, 0L, 1000L).getItems();
+        // When decryption fails, the API call should succeed, and we should get a new access key in the result
+        assertEquals(2, result.size());
+    }
+
     @Test
     void testListS3CredentialsErr() {
         // Setup