Deserialization old containers on decryption fail (#528)
* zhars/fix_deserializon_old_container_on_fail

Added deserialization of old container on decryption fail
Zhaars authored and Lagovas committed Apr 28, 2022
1 parent 8e8a347 commit 79dcf71
Showing 4 changed files with 46 additions and 18 deletions.
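--- a/crypto/envelope_detector.go
+++ b/crypto/envelope_detector.go
@@ -154,7 +154,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraStruct(ctx context.Context, ac
 return nil, err
 }
 
-return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+if err != nil {
+return nil, err
+}
+
+// return old container in case of unavailability to decrypt it
+if bytes.Equal(processedData, serialized) {
+return acraStruct, nil
+}
+
+return processedData, nil
 }
 
 // OnAcraBlock implementation of acrablock.Processor
@@ -164,7 +174,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraBlock(ctx context.Context, acr
 return nil, err
 }
 
-return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+if err != nil {
+return nil, err
+}
+
+// return old container in case of unavailability to decrypt it
+if bytes.Equal(processedData, serialized) {
+return acraBlock, nil
+}
+
+return processedData, nil
 }
 
 // OnCryptoEnvelope used to pretend BackWrapper as callback for EnvelopeDetector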
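Review bot: The `bytes.Equal(processedData, serialized)` check in OnAcraStruct, and the identical one in OnAcraBlock, infers a failed decryption from the inner detector handing its input back unchanged, which is an implicit contract that nothing in these hunks states or enforces. If that is how `wrapper.detector.OnCryptoEnvelope` signals "could not decrypt", document it at the check, for example `// the detector returns its input unchanged when it cannot decrypt; hand back the caller's original container, not the re-serialized one`. Because the fallback is silent, a missing key or a corrupted container looks the same as an ordinary pass-through on this path, so it is worth deciding whether the event should be logged or counted for monitoring. The ten added lines are duplicated verbatim in both methods and could live in one private helper that takes the original container as a parameter. Both function bodies begin above their hunks, so the serialization step that produces `serialized` is not visible here.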
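--- a/crypto/envelope_detector_test.go
+++ b/crypto/envelope_detector_test.go
@@ -103,21 +103,8 @@ func TestOldContainerDetectorWrapper(t *testing.T) {
 t.Fatal("OnColumn error ", err)
 }
 
-if len(outBuffer) <= len(tcase.Data) {
-t.Fatal("Invalid outBuffer length")
-}
-
-internal, envelopeID, err := DeserializeEncryptedData(outBuffer)
-if err != nil {
-t.Fatal(err)
-}
-
-if envelopeID != tcase.envelopeID {
-t.Fatal("invalid envelopeID - should be", tcase.envelopeID)
-}
-
-if !bytes.Equal(internal, tcase.Data) {
-t.Fatal("deserialized internal container is not equals to initial data")
+if len(outBuffer) != len(tcase.Data) {
+t.Fatal("Invalid outBuffer length - outBuffer should be the same")
 }
 }
 })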
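Review bot: The replacement assertion compares only lengths, so a wrapper that returned a different container of the same size would still pass even though the failure message says outBuffer "should be the same". The removed block checked content with `bytes.Equal`; the new check should do the same against the original input: `if !bytes.Equal(outBuffer, tcase.Data) { t.Fatal("outBuffer should be the original container, unchanged") }`. The hunk does not touch the imports, so `bytes` is presumably still in scope. With the envelope ID and deserialization checks gone, this hunk no longer shows any coverage of the path where the inner detector does transform the data; if that is covered elsewhere in the file, a comment pointing to it would help. The enclosing test function starts above the hunk.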
3 changes: 2 additions & 1 deletion examples/python/encryptor_config_with_zone.yaml
Expand Up @@ -46,4 +46,5 @@ schemas:
- id
- email
encrypted:
- column: email
- column: email

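--- a/tests/test.py
+++ b/tests/test.py
@@ -6472,6 +6472,26 @@ def testSearchAcraBlock(self):
 self.checkDefaultIdEncryption(**context)
 self.assertEqual(rows[0]['searchable_acrablock'], search_term)
 
+def testDeserializeOldContainerOnDecryptionFail(self):
+acrastruct = create_acrastruct_with_client_id(b'somedata', TLS_CERT_CLIENT_ID_1)
+
+context = self.get_context_data()
+context['raw_data'] = acrastruct
+search_term = context['searchable_acrablock']
+
+# Insert searchable data and raw AcraStruct
+self.insertRow(context)
+
+rows = self.executeSelect2(
+sa.select([self.encryptor_table])
+.where(self.encryptor_table.c.searchable_acrablock == sa.bindparam('searchable_acrablock')),
+{'searchable_acrablock': search_term})
+self.assertEqual(len(rows), 1)
+self.checkDefaultIdEncryption(**context)
+
+# AcraStruct should be as is - not serialized inside general container
+self.assertEqual(rows[0]['raw_data'], acrastruct)
+
 def testSearchWithEncryptedData(self):
 context = self.get_context_data()
 not_encrypted_term = context['raw_data']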
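Review bot: testDeserializeOldContainerOnDecryptionFail never states why decryption is expected to fail for this row, so the precondition the whole test rests on is invisible to the reader. The AcraStruct is created for TLS_CERT_CLIENT_ID_1, and presumably the connection behind `executeSelect2` has no access to that client's key, but that setup is outside the hunk. A docstring such as `"""An AcraStruct that cannot be decrypted must be returned byte-for-byte, not wrapped in the general container."""` together with a one-line comment naming the key mismatch would pin it down. Without it, a change to the test keys would make the final `assertEqual` fail for a reason unrelated to the behaviour under test.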
