Skip to content

Add error handling for invalid encryption keys with logging #4326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
philippthun merged 11 commits into from
May 12, 2025
Merged

Add error handling for invalid encryption keys with logging #4326

philippthun merged 11 commits into from
May 12, 2025

Conversation

@kathap
Copy link
Contributor

@kathap kathap commented Apr 28, 2025
edited
Loading

This PR improves the Cloud Controller’s error handling when a key is present in the encryption_key_label database column but missing from the cloud_controller_ng.yml configuration file.
Previously, this scenario would raise a low-level Ruby error such as:
TypeError: no implicit conversion of nil into String
which was unclear and did not help operators understand the root cause.
For that we introduce a global rescue for encryption and decryption failures at the controller level, ensuring that any OpenSSL::Cipher::CipherError raised during encryption or decryption is caught and turned into a 500 Internal Server Error with message Error while processing encrypted data.

  • A short explanation of the proposed change:
    Introduce global handling for encryption/decryption errors, converting low-level cipher failures into a clear 500 Internal Server Error response.

  • An explanation of the use cases your change solves
    Helps operators diagnose missing or misconfigured encryption keys and gives API users a clear error response instead of an obscure Ruby exception.

  • Links to any other associated PRs

  • I have reviewed the contributing guide

  • I have viewed, signed, and submitted the Contributor License Agreement

  • I have made this pull request to the main branch

  • I have run all the unit tests using bundle exec rake

  • I have run CF Acceptance Tests

@kathap
Add error handling for invalid encryption keys with logging
ca06765 
- Wrapped pbkdf2_hmac in a begin-rescue block to catch encryption key errors.
- Added detailed error logging for failed key derivation.
@kathap kathap marked this pull request as draft April 28, 2025 15:26
@kathap kathap force-pushed the add-error-log-if-key-label-for-encryption-is-wrong branch from 8d5472d to f984d22 Compare April 30, 2025 06:48
kathap added 2 commits April 30, 2025 17:06
@kathap
Throw appropriate error instead of UnknownError for GET /v3/service_c…
d227ca5 
…redential_bindings/:binding_guid/details when encryption-key-label is invalid
@kathap
enhance error handling
ec88450
@kathap kathap force-pushed the add-error-log-if-key-label-for-encryption-is-wrong branch from e9932a6 to ec88450 Compare May 5, 2025 12:40
@kathap kathap force-pushed the add-error-log-if-key-label-for-encryption-is-wrong branch from ad04ad7 to 047cf50 Compare May 5, 2025 15:19
@kathap kathap force-pushed the add-error-log-if-key-label-for-encryption-is-wrong branch from 047cf50 to 3e15dbf Compare May 5, 2025 15:51
@kathap kathap force-pushed the add-error-log-if-key-label-for-encryption-is-wrong branch from fbb9423 to 0613136 Compare May 6, 2025 12:04
@kathap kathap marked this pull request as ready for review May 7, 2025 07:26
philippthun
philippthun reviewed May 8, 2025
View reviewed changes
philippthun
philippthun previously approved these changes May 9, 2025
View reviewed changes
@philippthun philippthun merged commit 17e9190 into main May 12, 2025
12 checks passed
ari-wg-gitbot added a commit to cloudfoundry/capi-release that referenced this pull request May 12, 2025
@ari-wg-gitbot
Bump cloud_controller_ng
69f2884 
Changes in cloud_controller_ng:

- Add error handling for invalid encryption keys with logging
    PR: cloudfoundry/cloud_controller_ng#4326
    Author: Katharina Przybill <[email protected]>
    Author: Philipp Thun <[email protected]>

- Fix typo in sample response JSON in API docs
    PR: cloudfoundry/cloud_controller_ng#4353
    Author: Rashid Rashidov <[email protected]>

Dependency updates in cloud_controller_ng:

- build(deps-dev): bump parallel_tests from 5.1.0 to 5.2.0
    PR: cloudfoundry/cloud_controller_ng#4350
    Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@moleske moleske deleted the add-error-log-if-key-label-for-encryption-is-wrong branch May 12, 2025 15:40
@kathap kathap mentioned this pull request May 19, 2025
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@philippthun philippthun philippthun approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kathap @philippthun