diff --git a/build.gradle b/build.gradle index 7c31823..fae98bc 100644 --- a/build.gradle +++ b/build.gradle @@ -1,6 +1,6 @@ buildscript { ext { - osisVersion = '2.2.2' + osisVersion = '2.2.3' vaultclientVersion = '1.1.2' springBootVersion = '2.7.6' } diff --git a/osis-core/src/main/java/com/scality/osis/service/impl/ScalityOsisServiceImpl.java b/osis-core/src/main/java/com/scality/osis/service/impl/ScalityOsisServiceImpl.java index 23b5761..aed9fa8 100644 --- a/osis-core/src/main/java/com/scality/osis/service/impl/ScalityOsisServiceImpl.java +++ b/osis-core/src/main/java/com/scality/osis/service/impl/ScalityOsisServiceImpl.java @@ -1406,14 +1406,19 @@ private String retrieveSecretKey(String repoKey) throws Exception { String secretKey = null; if (repoVal != null) { + try { + // Using `repoKey` for Associated Data during decryption + secretKey = cipherFactory.getCipherByID(repoVal.getKeyID()) + .decrypt(repoVal, + cipherFactory.getSecretCipherKeyByID(repoVal.getKeyID()), + repoKey); - // Using `repoKey` for Associated Data during encryption - secretKey = cipherFactory.getCipherByID(repoVal.getKeyID()) - .decrypt(repoVal, - cipherFactory.getSecretCipherKeyByID(repoVal.getKeyID()), - repoKey); - - logger.debug("[Cache] Retrieve Secret Key successful"); + logger.debug("[Cache] Retrieve Secret Key successful"); + } catch (Exception e) { + logger.error("Error: Unable to decrypt secret key data for Redis key: {}. Error details: {}", repoKey, e.getMessage()); + logger.debug("Full stack trace:", e); + deleteSecretKey(repoKey); + } } return secretKey; } diff --git a/osis-core/src/test/java/com/scality/osis/service/impl/ScalityOsisServiceCredentialsTests.java b/osis-core/src/test/java/com/scality/osis/service/impl/ScalityOsisServiceCredentialsTests.java index 4bedd47..d0e4fa6 100644 --- a/osis-core/src/test/java/com/scality/osis/service/impl/ScalityOsisServiceCredentialsTests.java 
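Review bot: The new `catch (Exception e)` in retrieveSecretKey treats every failure as undecryptable data and calls `deleteSecretKey(repoKey)`, so an exception from `getCipherByID` or `getSecretCipherKeyByID` (for example a cipher key that cannot be loaded at that moment; their failure modes are not visible here) would permanently remove a record that may still be valid. Restrict the destructive path to the authentication failure the new tests simulate, e.g. `} catch (AEADBadTagException e) {`, and let other exceptions propagate or log them without deleting. A tag mismatch with `repoKey` as associated data can also mean the stored value was altered or copied from another key, and after the delete the error log line is the only record of it, so keep that line at error level and consider including `repoVal.getKeyID()`. `deleteSecretKey` is called unguarded inside the catch; if it can throw, the request fails anyway, which is the outcome the new tests say should not happen. The start of retrieveSecretKey, where `repoVal` is read, is outside the hunk.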
+++ b/osis-core/src/test/java/com/scality/osis/service/impl/ScalityOsisServiceCredentialsTests.java @@ -11,8 +11,10 @@ import org.mockito.stubbing.Answer; import org.springframework.http.HttpStatus; +import javax.crypto.AEADBadTagException; import java.util.Collections; import java.util.Date; +import java.util.List; import static com.scality.osis.utils.ScalityConstants.*; import static com.scality.osis.utils.ScalityTestUtils.*; @@ -451,6 +453,15 @@ void testGetS3CredentialWithNullTenantIdAndUserId() { assertTrue(result.getActive()); } + @Test + void testGetS3CredentialsKeyPresentInRedisUnableToDecrypt() throws Exception { + when(baseCipherMock.decrypt(any(), any(), any())).thenThrow(new AEADBadTagException("Decryption failed")); + final OsisS3Credential result = scalityOsisServiceUnderTest.getS3Credential(SAMPLE_TENANT_ID, TEST_USER_ID, TEST_ACCESS_KEY); + // When decryption fails, the API call should succeed, and we should return the result with secret key listed as + // "Not Available" + assertEquals("Not Available", result.getSecretKey()); + } + @Test void testListS3Credentials() { // Setup @@ -526,6 +537,15 @@ void testListS3CredentialsWithNoKeyOnRedis() { } + @Test + void testListS3CredentialsKeyPresentInRedisUnableToDecrypt() throws Exception { + when(baseCipherMock.decrypt(any(), any(), any())).thenThrow(new AEADBadTagException("Decryption failed")); + final List result = scalityOsisServiceUnderTest.listS3Credentials(TEST_TENANT_ID, + TEST_USER_ID, 0L, 1000L).getItems(); + // When decryption fails, the API call should succeed, and we should get a new access key in the result + assertEquals(2, result.size()); + } + @Test void testListS3CredentialsErr() { // Setup
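Review bot: Neither new test checks the side effect this commit introduces: testGetS3CredentialsKeyPresentInRedisUnableToDecrypt asserts only the "Not Available" placeholder and testListS3CredentialsKeyPresentInRedisUnableToDecrypt asserts only `result.size()`, so a regression that stops deleting the undecryptable entry, or deletes under the wrong key, would still pass. Add a Mockito `verify(...)` on whichever mock backs `deleteSecretKey`; its name is not visible in these hunks. In the list test, `assertEquals(2, result.size())` depends on fixture setup outside the hunk, while the comment says a new access key is expected, so asserting on the returned items' access keys would pin the stated behaviour more directly. Both tests stub `AEADBadTagException` only; a second case with a different exception type would document whether deletion is intended for non-authentication failures as well.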