fix: cherry-pick decryption error across projects (#14582)

qinzhouxu · web-flow · commit 99568a7a1cb4 · 2025-09-24T09:48:44.000+08:00
* fix: cherry-pick decryption error across projects

* fix: add ut
diff --git a/packages/fx-core/src/core/crypto.ts b/packages/fx-core/src/core/crypto.ts
@@ -6,26 +6,32 @@ import Cryptr from "cryptr";
 
 export class LocalCrypto implements CryptoProvider {
   private cryptr: Cryptr;
+  private fixedCryptr: Cryptr;
   private prefix = "crypto_";
 
   constructor(projectId: string) {
     this.cryptr = new Cryptr(projectId + "_teamsfx");
+    this.fixedCryptr = new Cryptr("teamsfx_global_key");
   }
 
   public encrypt(plaintext: string): Result<string, FxError> {
-    return ok(this.prefix + this.cryptr.encrypt(plaintext));
+    return ok(this.prefix + this.fixedCryptr.encrypt(plaintext));
   }
 
   public decrypt(ciphertext: string): Result<string, FxError> {
     if (!ciphertext.startsWith(this.prefix)) {
       // legacy raw secret string
       return ok(ciphertext);
     }
+    const encryptedData = ciphertext.substr(this.prefix.length);
     try {
-      return ok(this.cryptr.decrypt(ciphertext.substr(this.prefix.length)));
+      return ok(this.fixedCryptr.decrypt(encryptedData));
     } catch (e) {
-      // ciphertext is broken
-      return err(new SystemError("Core", "DecryptionError", "Cipher text is broken"));
+      try {
+        return ok(this.cryptr.decrypt(encryptedData));
+      } catch (e2) {
+        return err(new SystemError("Core", "DecryptionError", "Cipher text is broken"));
+      }
     }
   }
 }
diff --git a/packages/fx-core/tests/core/crypto.test.ts b/packages/fx-core/tests/core/crypto.test.ts
@@ -0,0 +1,138 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import { assert } from "chai";
+import "mocha";
+import { createSandbox } from "sinon";
+import Cryptr from "cryptr";
+import { LocalCrypto } from "../../src/core/crypto";
+import { SystemError } from "@microsoft/teamsfx-api";
+
+describe("LocalCrypto", () => {
+  const sandbox = createSandbox();
+  const testProjectId = "test-project-123";
+  const testPlaintext = "sensitive-data-to-encrypt";
+  const prefix = "crypto_";
+
+  let localCrypto: LocalCrypto;
+  let fixedCryptr: Cryptr;
+  let projectCryptr: Cryptr;
+
+  beforeEach(() => {
+    localCrypto = new LocalCrypto(testProjectId);
+    fixedCryptr = new Cryptr("teamsfx_global_key");
+    projectCryptr = new Cryptr(testProjectId + "_teamsfx");
+  });
+
+  afterEach(() => {
+    sandbox.restore();
+  });
+
+  describe("encrypt", () => {
+    it("should encrypt plaintext with fixed global key and add prefix", () => {
+      const result = localCrypto.encrypt(testPlaintext);
+
+      assert.isTrue(result.isOk());
+      if (result.isOk()) {
+        const encrypted = result.value;
+        assert.isTrue(encrypted.startsWith(prefix));
+
+        const encryptedData = encrypted.substr(prefix.length);
+        const decrypted = fixedCryptr.decrypt(encryptedData);
+        assert.equal(decrypted, testPlaintext);
+      }
+    });
+  });
+
+  describe("decrypt", () => {
+    it("should decrypt strings encrypted with fixed global key (new encryption)", () => {
+      const encrypted = fixedCryptr.encrypt(testPlaintext);
+      const ciphertext = prefix + encrypted;
+
+      const result = localCrypto.decrypt(ciphertext);
+
+      assert.isTrue(result.isOk());
+      if (result.isOk()) {
+        assert.equal(result.value, testPlaintext);
+      }
+    });
+
+    it("should decrypt strings encrypted with project-specific key (old encryption fallback)", () => {
+      const encrypted = projectCryptr.encrypt(testPlaintext);
+      const ciphertext = prefix + encrypted;
+
+      const result = localCrypto.decrypt(ciphertext);
+
+      assert.isTrue(result.isOk());
+      if (result.isOk()) {
+        assert.equal(result.value, testPlaintext);
+      }
+    });
+
+    it("should return error when both fixed and project cryptr fail to decrypt", () => {
+      const invalidCiphertext = prefix + "invalid-cipher-text-that-cannot-be-decrypted";
+
+      const result = localCrypto.decrypt(invalidCiphertext);
+
+      assert.isTrue(result.isErr());
+      if (result.isErr()) {
+        assert.instanceOf(result.error, SystemError);
+        assert.equal(result.error.source, "Core");
+        assert.equal(result.error.name, "DecryptionError");
+        assert.equal(result.error.message, "Cipher text is broken");
+      }
+    });
+
+    it("should successfully encrypt and decrypt data (round trip)", () => {
+      const encryptResult = localCrypto.encrypt(testPlaintext);
+      assert.isTrue(encryptResult.isOk());
+
+      if (encryptResult.isOk()) {
+        const decryptResult = localCrypto.decrypt(encryptResult.value);
+        assert.isTrue(decryptResult.isOk());
+
+        if (decryptResult.isOk()) {
+          assert.equal(decryptResult.value, testPlaintext);
+        }
+      }
+    });
+
+    it("should handle cross-project compatibility for new encryption", () => {
+      const crypto1 = new LocalCrypto("project1");
+      const crypto2 = new LocalCrypto("project2");
+
+      // New encryption uses fixed global key, so it works across different project IDs
+      const encryptResult = crypto1.encrypt(testPlaintext);
+      assert.isTrue(encryptResult.isOk());
+
+      if (encryptResult.isOk()) {
+        const decryptResult = crypto2.decrypt(encryptResult.value);
+        assert.isTrue(decryptResult.isOk());
+
+        if (decryptResult.isOk()) {
+          assert.equal(decryptResult.value, testPlaintext);
+        }
+      }
+    });
+
+    it("should not decrypt legacy data from different project IDs", () => {
+      const project1Crypto = new LocalCrypto("project1");
+      const project2Crypto = new LocalCrypto("project2");
+      const project1Cryptr = new Cryptr("project1_teamsfx");
+
+      // Create legacy encrypted data with project1 key
+      const legacyEncrypted = prefix + project1Cryptr.encrypt(testPlaintext);
+
+      // project1 crypto should decrypt it (fallback to project-specific key)
+      const project1Result = project1Crypto.decrypt(legacyEncrypted);
+      assert.isTrue(project1Result.isOk());
+      if (project1Result.isOk()) {
+        assert.equal(project1Result.value, testPlaintext);
+      }
+
+      // project2 crypto should fail to decrypt it (different project key)
+      const project2Result = project2Crypto.decrypt(legacyEncrypted);
+      assert.isTrue(project2Result.isErr());
+    });
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -6,26 +6,32 @@ import Cryptr from "cryptr";`
`6`	`6`
`7`	`7`	`export class LocalCrypto implements CryptoProvider {`
`8`	`8`	`private cryptr: Cryptr;`
	`9`	`+ private fixedCryptr: Cryptr;`
`9`	`10`	`private prefix = "crypto_";`
`10`	`11`
`11`	`12`	`constructor(projectId: string) {`
`12`	`13`	`this.cryptr = new Cryptr(projectId + "_teamsfx");`
	`14`	`+ this.fixedCryptr = new Cryptr("teamsfx_global_key");`
`13`	`15`	`}`
`14`	`16`
`15`	`17`	`public encrypt(plaintext: string): Result<string, FxError> {`
`16`		`- return ok(this.prefix + this.cryptr.encrypt(plaintext));`
	`18`	`+ return ok(this.prefix + this.fixedCryptr.encrypt(plaintext));`
`17`	`19`	`}`
`18`	`20`
`19`	`21`	`public decrypt(ciphertext: string): Result<string, FxError> {`
`20`	`22`	`if (!ciphertext.startsWith(this.prefix)) {`
`21`	`23`	`// legacy raw secret string`
`22`	`24`	`return ok(ciphertext);`
`23`	`25`	`}`
	`26`	`+ const encryptedData = ciphertext.substr(this.prefix.length);`
`24`	`27`	`try {`
`25`		`- return ok(this.cryptr.decrypt(ciphertext.substr(this.prefix.length)));`
	`28`	`+ return ok(this.fixedCryptr.decrypt(encryptedData));`
`26`	`29`	`} catch (e) {`
`27`		`- // ciphertext is broken`
`28`		`- return err(new SystemError("Core", "DecryptionError", "Cipher text is broken"));`
	`30`	`+ try {`
	`31`	`+ return ok(this.cryptr.decrypt(encryptedData));`
	`32`	`+ } catch (e2) {`
	`33`	`+ return err(new SystemError("Core", "DecryptionError", "Cipher text is broken"));`
	`34`	`+ }`
`29`	`35`	`}`
`30`	`36`	`}`
`31`	`37`	`}`