diff --git a/crypto/envelope_detector.go b/crypto/envelope_detector.go
index 87605b869..473116e44 100644
--- a/crypto/envelope_detector.go
+++ b/crypto/envelope_detector.go
@@ -154,7 +154,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraStruct(ctx context.Context, ac
 return nil, err
 }
- return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ if err != nil {
+ return nil, err
+ }
+
+ // return old container in case of unavailability to decrypt it
+ if bytes.Equal(processedData, serialized) {
+ return acraStruct, nil
+ }
+
+ return processedData, nil
 }
 
 // OnAcraBlock implementation of acrablock.Processor
@@ -164,7 +174,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraBlock(ctx context.Context, acr
 return nil, err
 }
- return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ if err != nil {
+ return nil, err
+ }
+
+ // return old container in case of unavailability to decrypt it
+ if bytes.Equal(processedData, serialized) {
+ return acraBlock, nil
+ }
+
+ return processedData, nil
 }
 
 // OnCryptoEnvelope used to pretend BackWrapper as callback for EnvelopeDetector
diff --git a/crypto/envelope_detector_test.go b/crypto/envelope_detector_test.go
index 27e559f55..96c20cb60 100644
--- a/crypto/envelope_detector_test.go
+++ b/crypto/envelope_detector_test.go
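Review bot: The fall-back to `acraStruct` is keyed on `bytes.Equal(processedData, serialized)`, i.e. on OnCryptoEnvelope handing its input back unchanged when it cannot decrypt, and that implicit contract is neither documented nor guarded in this hunk; a detector that returns a copy, a trimmed buffer, or an error in that case would silently change what the wrapper returns. Because failure is signalled by equality rather than an error or flag, a caller also cannot distinguish "decrypted" from "left encrypted", so the comment should say this is deliberate fail-open behaviour: `// OnCryptoEnvelope returns its input unchanged when it cannot decrypt the envelope; hand back the original AcraStruct bytes instead of the re-serialized wrapper so the stored container stays as-is. Callers cannot tell this apart from a successful decryption.` OnAcraStruct's signature and the assignment of `serialized` are outside the hunk.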
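Review bot: The body of OnAcraBlock is now line-for-line identical to OnAcraStruct apart from the container returned on the unchanged path, so the equality-based "could not decrypt" rule lives in two places and the two can drift; a small helper that takes the original container as an argument keeps that rule in one spot and gives it a doc comment, which neither copy currently has. OnAcraBlock would then reduce to `return wrapper.passThroughOld(ctx, serialized, acraBlock)` after its existing error check. OnAcraBlock's signature and the `serialized` assignment are outside the hunk.

```go
// passThroughOld runs the envelope detector on serialized and, when the
// detector leaves the bytes unchanged (it could not decrypt them), returns
// original so the stored container is not re-wrapped in the new envelope.
func (wrapper *OldContainerDetectorWrapper) passThroughOld(ctx context.Context, serialized, original []byte) ([]byte, error) {
	processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
	if err != nil {
		return nil, err
	}
	if bytes.Equal(processedData, serialized) {
		return original, nil
	}
	return processedData, nil
}

// … unchanged: OnAcraBlock serialization and error check …
	return wrapper.passThroughOld(ctx, serialized, acraBlock)
```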
@@ -103,21 +103,8 @@ func TestOldContainerDetectorWrapper(t *testing.T) {
 t.Fatal("OnColumn error ", err)
 }
- if len(outBuffer) <= len(tcase.Data) {
- t.Fatal("Invalid outBuffer length")
- }
-
- internal, envelopeID, err := DeserializeEncryptedData(outBuffer)
- if err != nil {
- t.Fatal(err)
- }
-
- if envelopeID != tcase.envelopeID {
- t.Fatal("invalid envelopeID - should be", tcase.envelopeID)
- }
-
- if !bytes.Equal(internal, tcase.Data) {
- t.Fatal("deserialized internal container is not equals to initial data")
+ if len(outBuffer) != len(tcase.Data) {
+ t.Fatal("Invalid outBuffer length - outBuffer should be the same")
 }
 }
 })
diff --git a/examples/python/encryptor_config_with_zone.yaml b/examples/python/encryptor_config_with_zone.yaml
index b9334ff12..5efe7ec0e 100644
--- a/examples/python/encryptor_config_with_zone.yaml
+++ b/examples/python/encryptor_config_with_zone.yaml
@@ -46,4 +46,5 @@ schemas:
 - id
 - email
 encrypted:
- - column: email
\ No newline at end of file
+ - column: email
+
diff --git a/tests/test.py b/tests/test.py
index 5505e6d0d..44c5a1851 100644
--- a/tests/test.py
+++ b/tests/test.py
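Review bot: The replacement assertion only compares lengths, `len(outBuffer) != len(tcase.Data)`, which any same-sized output satisfies, so it does not verify the property the production change introduces — that OnColumn hands the original container back untouched. Compare contents instead: `if !bytes.Equal(outBuffer, tcase.Data) { t.Fatal("outBuffer should be the original container") }`. That also keeps `bytes` in use; the hunk removes the only `bytes.Equal` visible here, and if no other use remains in the file the import becomes unused and the test file will not compile — worth checking, since the rest of TestOldContainerDetectorWrapper is outside the hunk.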
@@ -6472,6 +6472,26 @@ def testSearchAcraBlock(self):
 self.checkDefaultIdEncryption(**context)
 self.assertEqual(rows[0]['searchable_acrablock'], search_term)
 
+ def testDeserializeOldContainerOnDecryptionFail(self):
+ acrastruct = create_acrastruct_with_client_id(b'somedata', TLS_CERT_CLIENT_ID_1)
+
+ context = self.get_context_data()
+ context['raw_data'] = acrastruct
+ search_term = context['searchable_acrablock']
+
+ # Insert searchable data and raw AcraStruct
+ self.insertRow(context)
+
+ rows = self.executeSelect2(
+ sa.select([self.encryptor_table])
+ .where(self.encryptor_table.c.searchable_acrablock == sa.bindparam('searchable_acrablock')),
+ {'searchable_acrablock': search_term})
+ self.assertEqual(len(rows), 1)
+ self.checkDefaultIdEncryption(**context)
+
+ # AcraStruct should be as is - not serialized inside general container
+ self.assertEqual(rows[0]['raw_data'], acrastruct)
+
 def testSearchWithEncryptedData(self):
 context = self.get_context_data()
 not_encrypted_term = context['raw_data']
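Review bot: Nothing in testDeserializeOldContainerOnDecryptionFail makes decryption fail or checks that it was attempted: the final `self.assertEqual(rows[0]['raw_data'], acrastruct)` also passes if the server never ran the detector over `raw_data` at all, so a regression that skips the container handling would go unnoticed. The hunk does not show why an AcraStruct built for TLS_CERT_CLIENT_ID_1 is undecryptable in this fixture (a missing key, a different client id on the connection, or `raw_data` not being a decryptable column — I cannot tell from here), so state that precondition in the test, e.g. `# raw_data cannot be decrypted here (<reason>), so AcraServer must return the AcraStruct unchanged instead of wrapped in the new envelope`. If the suite exposes a signal that decryption failed (a log line or metric), asserting on it would pin the intended path. The enclosing class, get_context_data and insertRow are outside the hunk.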