From 8278985d6a4af20033219c2472bcabbf8099e0ff Mon Sep 17 00:00:00 2001
From: ZhmakaAS
Date: Mon, 18 Apr 2022 13:59:02 +0200
Subject: [PATCH 1/5] zhars/fix_deserializon_old_container_on_fail

Added deserialization of old container on decryption fail
---
 crypto/decryptor.go | 11 +++++++++++
 crypto/envelope_detector.go | 10 ++++++++++
 decryptor/base/decryptionNotification.go | 12 ++++++++++++
 tests/test.py | 20 ++++++++++++++++++++
 4 files changed, 53 insertions(+)

diff --git a/crypto/decryptor.go b/crypto/decryptor.go
index 09f636994..994ac02d1 100644
--- a/crypto/decryptor.go
+++ b/crypto/decryptor.go
@@ -39,6 +39,17 @@ func (d DecryptHandler) OnCryptoEnvelope(ctx context.Context, container []byte)
 "zone_id": string(accessContext.GetZoneID()),
 }).WithError(err).Warningln("Can't decrypt SerializedContainer")
 base.AcrastructDecryptionCounter.WithLabelValues(base.DecryptionTypeFail).Inc()
+
+ // if old container matched deserialize to return as is
+ if base.IsOldContainerFromContext(ctx) {
+ oldContainer, _, err := DeserializeEncryptedData(container)
+ if err != nil {
+ logger.WithError(err).Warningln("Can't deserialize SerializedContainer")
+ return nil, err
+ }
+ return oldContainer, nil
+ }
+
 return container, nil
 }
 base.AcrastructDecryptionCounter.WithLabelValues(base.DecryptionTypeSuccess).Inc()
diff --git a/crypto/envelope_detector.go b/crypto/envelope_detector.go
index 87605b869..7156f8494 100644
--- a/crypto/envelope_detector.go
+++ b/crypto/envelope_detector.go
@@ -154,6 +154,11 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraStruct(ctx context.Context, ac
 return nil, err
 }
 
+ // set in context that old container was found
+ if !base.IsOldContainerFromContext(ctx) {
+ ctx = base.MarkOldContainerContext(ctx)
+ }
+
 return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
 }
 
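Review bot: In the new `if base.IsOldContainerFromContext(ctx)` branch a `DeserializeEncryptedData` failure returns `nil, err`, which turns this branch's established best-effort behaviour (log the warning, count the failure, then `return container, nil`) into a hard failure for old-format containers only. The decryption failure was already logged and counted on the lines just above, so the deserialization failure should be handled the same way: keep `logger.WithError(err).Warningln("Can't deserialize SerializedContainer")` and follow it with `return container, nil` rather than `return nil, err`. The `:=` on the `oldContainer, _, err` line also shadows the outer `err`; harmless here because it is consumed immediately, but it is the classic way to lose an error later. OnCryptoEnvelope begins before and continues after this hunk.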
@@ -164,6 +169,11 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraBlock(ctx context.Context, acr
 return nil, err
 }
 
+ // set in context that old container was found
+ if !base.IsOldContainerFromContext(ctx) {
+ ctx = base.MarkOldContainerContext(ctx)
+ }
+
 return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
 }
 
diff --git a/decryptor/base/decryptionNotification.go b/decryptor/base/decryptionNotification.go
index fcee0d320..c643ca6fc 100644
--- a/decryptor/base/decryptionNotification.go
+++ b/decryptor/base/decryptionNotification.go
@@ -153,3 +153,15 @@ func MarkErrorConvertedDataTypeContext(ctx context.Context) context.Context {
 func IsErrorConvertedDataTypeFromContext(ctx context.Context) bool {
 return ctx.Value(errorConvertedDataTypeCtxKey{}) != nil
 }
+
+type oldContainerCtxKey struct{}
+
+// MarkOldContainerContext save flag in context that data is old container AcraStruct/AcraBlock
+func MarkOldContainerContext(ctx context.Context) context.Context {
+ return context.WithValue(ctx, oldContainerCtxKey{}, true)
+}
+
+// IsOldContainerFromContext return true if data was old container AcraStruct/AcraBlock
+func IsOldContainerFromContext(ctx context.Context) bool {
+ return ctx.Value(oldContainerCtxKey{}) != nil
+}
diff --git a/tests/test.py b/tests/test.py
index bfad14747..fac4b6de2 100644
--- a/tests/test.py
+++ b/tests/test.py
@@ -6472,6 +6472,26 @@ def testSearchAcraBlock(self):
 self.checkDefaultIdEncryption(**context)
 self.assertEqual(rows[0]['searchable_acrablock'], search_term)
 
+ def testDeserializeOldContainerOnDecryptionFail(self):
+ acrastruct = create_acrastruct_with_client_id(b'somedata', TLS_CERT_CLIENT_ID_1)
+
+ context = self.get_context_data()
+ context['raw_data'] = acrastruct
+ search_term = context['searchable_acrablock']
+
+ # Insert searchable data and raw AcraStruct
+ self.insertRow(context)
+
+ rows = self.executeSelect2(
+ sa.select([self.encryptor_table])
+ .where(self.encryptor_table.c.searchable_acrablock == sa.bindparam('searchable_acrablock')),
+ {'searchable_acrablock': search_term})
+ self.assertEqual(len(rows), 1)
+ self.checkDefaultIdEncryption(**context)
+
+ # AcraStruct should be as is - not serialized inside general container
+ self.assertEqual(rows[0]['raw_data'], acrastruct)
+
 def testSearchWithEncryptedData(self):
 context = self.get_context_data()
 not_encrypted_term = context['raw_data']
From 904fa2c053cd906bf66739718cacf6bcedb07a84 Mon Sep 17 00:00:00 2001
From: ZhmakaAS
Date: Mon, 18 Apr 2022 16:07:19 +0200
Subject: [PATCH 2/5] zhars/fix_deserializon_old_container_on_fail

fixed after review
---
 crypto/decryptor.go | 11 -----------
 crypto/envelope_detector.go | 26 +++++++++++++------
 decryptor/base/decryptionNotification.go | 12 ------------
 .../python/encryptor_config_with_zone.yaml | 14 +++++++++-
 4 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/crypto/decryptor.go b/crypto/decryptor.go
index 994ac02d1..09f636994 100644
--- a/crypto/decryptor.go
+++ b/crypto/decryptor.go
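Review bot: `testDeserializeOldContainerOnDecryptionFail` never states why decryption of the inserted AcraStruct is expected to fail, so a reader cannot tell whether the final `self.assertEqual(rows[0]['raw_data'], acrastruct)` passes because the server could not decrypt and returned the old container as-is, or because `raw_data` is never processed by the decryptor at all; in the latter case the test would not catch the re-serialization bug this series fixes. Add a comment above `self.insertRow(context)` spelling out the precondition, e.g. `# raw_data is not an encrypted column; the stored AcraStruct for TLS_CERT_CLIENT_ID_1 is (presumably) not decryptable with the keys this acra-server has, so on read it must come back byte-for-byte instead of being re-wrapped in the general container`, and confirm that precondition against the fixture's key setup. The enclosing test class and its fixtures start outside this hunk.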
@@ -39,17 +39,6 @@ func (d DecryptHandler) OnCryptoEnvelope(ctx context.Context, container []byte)
 "zone_id": string(accessContext.GetZoneID()),
 }).WithError(err).Warningln("Can't decrypt SerializedContainer")
 base.AcrastructDecryptionCounter.WithLabelValues(base.DecryptionTypeFail).Inc()
-
- // if old container matched deserialize to return as is
- if base.IsOldContainerFromContext(ctx) {
- oldContainer, _, err := DeserializeEncryptedData(container)
- if err != nil {
- logger.WithError(err).Warningln("Can't deserialize SerializedContainer")
- return nil, err
- }
- return oldContainer, nil
- }
-
 return container, nil
 }
 base.AcrastructDecryptionCounter.WithLabelValues(base.DecryptionTypeSuccess).Inc()
diff --git a/crypto/envelope_detector.go b/crypto/envelope_detector.go
index 7156f8494..473116e44 100644
--- a/crypto/envelope_detector.go
+++ b/crypto/envelope_detector.go
@@ -154,12 +154,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraStruct(ctx context.Context, ac
 return nil, err
 }
 
- // set in context that old container was found
- if !base.IsOldContainerFromContext(ctx) {
- ctx = base.MarkOldContainerContext(ctx)
+ processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ if err != nil {
+ return nil, err
+ }
+
+ // return old container in case of unavailability to decrypt it
+ if bytes.Equal(processedData, serialized) {
+ return acraStruct, nil
 }
 
- return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ return processedData, nil
 }
 
 // OnAcraBlock implementation of acrablock.Processor
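Review bot: The fallback `return acraStruct, nil` is keyed on `bytes.Equal(processedData, serialized)`, which silently depends on the wrapped detector's convention that `DecryptHandler.OnCryptoEnvelope` hands its input back unchanged, with a nil error, when decryption fails (visible in the decryptor.go hunk above as `return container, nil` after the warning). Nothing in the hunk records that dependency, so a handler that copies, trims or re-wraps the data on failure would reintroduce the re-serialization bug this series fixes with no comment or unit test to flag it. Replace the comment with one that states the contract: `// The wrapped detector returns the serialized input unchanged when it cannot decrypt it; in that case hand back the original AcraStruct so the caller sees the stored bytes, not our re-serialized container.` Note too that the compare now runs on every successful decryption as well; it is cheap only because plaintext and container normally differ in length, which `bytes.Equal` checks first. OnAcraStruct begins before this hunk.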
@@ -169,12 +174,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraBlock(ctx context.Context, acr
 return nil, err
 }
 
- // set in context that old container was found
- if !base.IsOldContainerFromContext(ctx) {
- ctx = base.MarkOldContainerContext(ctx)
+ processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ if err != nil {
+ return nil, err
+ }
+
+ // return old container in case of unavailability to decrypt it
+ if bytes.Equal(processedData, serialized) {
+ return acraBlock, nil
 }
 
- return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+ return processedData, nil
 }
 
 // OnCryptoEnvelope used to pretend BackWrapper as callback for EnvelopeDetector
diff --git a/decryptor/base/decryptionNotification.go b/decryptor/base/decryptionNotification.go
index c643ca6fc..fcee0d320 100644
--- a/decryptor/base/decryptionNotification.go
+++ b/decryptor/base/decryptionNotification.go
@@ -153,15 +153,3 @@ func MarkErrorConvertedDataTypeContext(ctx context.Context) context.Context {
 func IsErrorConvertedDataTypeFromContext(ctx context.Context) bool {
 return ctx.Value(errorConvertedDataTypeCtxKey{}) != nil
 }
-
-type oldContainerCtxKey struct{}
-
-// MarkOldContainerContext save flag in context that data is old container AcraStruct/AcraBlock
-func MarkOldContainerContext(ctx context.Context) context.Context {
- return context.WithValue(ctx, oldContainerCtxKey{}, true)
-}
-
-// IsOldContainerFromContext return true if data was old container AcraStruct/AcraBlock
-func IsOldContainerFromContext(ctx context.Context) bool {
- return ctx.Value(oldContainerCtxKey{}) != nil
-}
diff --git a/examples/python/encryptor_config_with_zone.yaml b/examples/python/encryptor_config_with_zone.yaml
index b9334ff12..582011805 100644
--- a/examples/python/encryptor_config_with_zone.yaml
+++ b/examples/python/encryptor_config_with_zone.yaml
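Review bot: This hunk duplicates the decrypt-then-compare-then-fallback sequence from OnAcraStruct line for line, differing only in the value returned on the fallback path (`acraBlock` here, `acraStruct` there), and the two copies must stay in sync because the "could not decrypt" signal is inferred from byte equality with `serialized` rather than returned explicitly. Extracting one unexported helper on the wrapper that takes the re-serialized bytes and the original container keeps that inference in one place with a single doc comment, and both methods shrink to one call. Both OnAcraStruct and OnAcraBlock begin outside their hunks; the helper below replaces the body from the `processedData, err := ...` line to the final return in each.
```go
// processOldContainer runs the wrapped detector on the re-serialized container.
// The detector hands the input back unchanged (no error) when it cannot decrypt it;
// in that case the original old-format container is returned instead of the
// re-serialized one, so callers see exactly the bytes that were stored.
func (wrapper *OldContainerDetectorWrapper) processOldContainer(ctx context.Context, serialized, original []byte) ([]byte, error) {
	processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
	if err != nil {
		return nil, err
	}
	if bytes.Equal(processedData, serialized) {
		return original, nil
	}
	return processedData, nil
}

// … unchanged: OnAcraStruct up to the serialization error check …
	return wrapper.processOldContainer(ctx, serialized, acraStruct)

// … unchanged: OnAcraBlock up to the serialization error check …
	return wrapper.processOldContainer(ctx, serialized, acraBlock)
```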
@@ -46,4 +46,16 @@ schemas:
 - id
 - email
 encrypted:
- - column: email
\ No newline at end of file
+ - column: email
+
+ - table: test_example_with_zone
+ columns:
+ - id
+ - zone_id
+ - data
+ - raw_data
+ encrypted:
+ - column: data
+ data_type: bytes
+ # base64 bytes value
+ default_data_value: dGVzdC1kYXRhCg==
\ No newline at end of file
From 5046a987a98508da85855adbad32b09760afe321 Mon Sep 17 00:00:00 2001
From: ZhmakaAS
Date: Mon, 18 Apr 2022 16:09:34 +0200
Subject: [PATCH 3/5] zhars/fix_deserializon_old_container_on_fail

redo redundant changes
---
 examples/python/encryptor_config_with_zone.yaml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/examples/python/encryptor_config_with_zone.yaml b/examples/python/encryptor_config_with_zone.yaml
index 582011805..156a96cb7 100644
--- a/examples/python/encryptor_config_with_zone.yaml
+++ b/examples/python/encryptor_config_with_zone.yaml
@@ -47,15 +47,3 @@ schemas:
 - email
 encrypted:
 - column: email
-
- - table: test_example_with_zone
- columns:
- - id
- - zone_id
- - data
- - raw_data
- encrypted:
- - column: data
- data_type: bytes
- # base64 bytes value
- default_data_value: dGVzdC1kYXRhCg==
\ No newline at end of file
From 300c54243425c13053c07f857298e1f1959fe228 Mon Sep 17 00:00:00 2001
From: ZhmakaAS
Date: Mon, 18 Apr 2022 16:10:11 +0200
Subject: [PATCH 4/5] zhars/fix_deserializon_old_container_on_fail

redo redundant changes
---
 examples/python/encryptor_config_with_zone.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/python/encryptor_config_with_zone.yaml b/examples/python/encryptor_config_with_zone.yaml
index 156a96cb7..5efe7ec0e 100644
--- a/examples/python/encryptor_config_with_zone.yaml
+++ b/examples/python/encryptor_config_with_zone.yaml
@@ -47,3 +47,4 @@ schemas:
 - email
 encrypted:
 - column: email
+
From 082a75554d6515d5a4983d6781bf2d68091aff36 Mon Sep 17 00:00:00 2001
From: ZhmakaAS
Date: Mon, 18 Apr 2022 16:37:47 +0200
Subject: [PATCH 5/5] zhars/fix_deserializon_old_container_on_fail

fixed unit tests
---
 crypto/envelope_detector_test.go | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/crypto/envelope_detector_test.go b/crypto/envelope_detector_test.go
index 27e559f55..96c20cb60 100644
--- a/crypto/envelope_detector_test.go
+++ b/crypto/envelope_detector_test.go
@@ -103,21 +103,8 @@ func TestOldContainerDetectorWrapper(t *testing.T) {
 t.Fatal("OnColumn error ", err)
 }
 
- if len(outBuffer) <= len(tcase.Data) {
- t.Fatal("Invalid outBuffer length")
- }
-
- internal, envelopeID, err := DeserializeEncryptedData(outBuffer)
- if err != nil {
- t.Fatal(err)
- }
-
- if envelopeID != tcase.envelopeID {
- t.Fatal("invalid envelopeID - should be", tcase.envelopeID)
- }
-
- if !bytes.Equal(internal, tcase.Data) {
- t.Fatal("deserialized internal container is not equals to initial data")
+ if len(outBuffer) != len(tcase.Data) {
+ t.Fatal("Invalid outBuffer length - outBuffer should be the same")
 }
 }
 })
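Review bot: The replacement assertion `if len(outBuffer) != len(tcase.Data)` only compares lengths, while the failure message ("outBuffer should be the same") and the behaviour under test — the old container comes back byte-for-byte — call for equality; a wrapper returning a same-length but different buffer would still pass. Use `if !bytes.Equal(outBuffer, tcase.Data) { t.Fatal("outBuffer should be equal to the initial container") }` instead, which is stronger and keeps the `bytes` import in use: if the removed `bytes.Equal(internal, tcase.Data)` was this file's only reference to `bytes`, the hunk as written leaves an unused import and the test file will not compile (the diffstat shows no import change, so I cannot confirm either way from here). The `tcase.envelopeID` field that these removals leave unreferenced can probably be dropped from the table cases too, though those are defined outside this hunk. TestOldContainerDetectorWrapper begins before this hunk.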