Fixed weird edgecases with sanitisation and usage of protected keys

Author: frikky

db-connector.go

@@ -13345,7 +13345,7 @@ func SetDatastoreKeyBulk(ctx context.Context, allKeys []CacheKeyData) ([]Datasto
 
 			// URL encode
 			datastoreId = url.QueryEscape(datastoreId)
-			if len(cacheData.PublicAuthorization) == 0 {
+			if len(cacheData.PublicAuthorization) == 0 && cacheData.Category != "protected" {
 				cacheData.PublicAuthorization = uuid.NewV4().String()
 			}
 
@@ -13763,7 +13763,7 @@ func SetDatastoreKeyRevision(ctx context.Context, cacheData CacheKeyData) error
 	}
 
 	cacheData.Authorization = ""
-	if len(cacheData.PublicAuthorization) == 0 {
+	if len(cacheData.PublicAuthorization) == 0 && cacheData.Category != "protected" {
 		cacheData.PublicAuthorization = uuid.NewV4().String()
 	}
 
@@ -13829,7 +13829,7 @@ func SetDatastoreKey(ctx context.Context, cacheData CacheKeyData) error {
 	}
 
 	cacheData.Authorization = ""
-	if len(cacheData.PublicAuthorization) == 0 {
+	if len(cacheData.PublicAuthorization) == 0 && cacheData.Category != "protected" {
 		cacheData.PublicAuthorization = uuid.NewV4().String()
 	}
 
@@ -13956,7 +13956,9 @@ func GetDatastoreKey(ctx context.Context, id string, category string) (*CacheKey
 
 	category = strings.ReplaceAll(strings.ToLower(category), " ", "_")
 	if len(category) > 0 && category != "default" {
-		if !strings.HasSuffix(id, category) {
+		// FIXME: If they key itself is 'test_protected' and category 
+		// is 'protected' this breaks... Keeping it for now.
+		if !strings.HasSuffix(id, fmt.Sprintf("_%s", category)) {
 			id = fmt.Sprintf("%s_%s", id, category)
 		}
 	}
@@ -14016,9 +14018,8 @@ func GetDatastoreKey(ctx context.Context, id string, category string) (*CacheKey
 		cacheData = &wrapped.Source
 	} else {
 		key := datastore.NameKey(nameKey, id, nil)
-
 		if err := project.Dbclient.Get(ctx, key, cacheData); err != nil {
-			//log.Printf("ERROR: Failed getting cache key %s: %s", id, err)
+			//log.Printf("[WARNING]: Failed getting cache key %s: %s", id, err)
 
 			if strings.Contains(err.Error(), `cannot load field`) {
 				log.Printf("[ERROR] Error in cache key loading. Migrating org cache to new handler (3): %s", err)
@@ -14089,7 +14090,9 @@ func GetDatastoreKey(ctx context.Context, id string, category string) (*CacheKey
 		newValue, err := HandleKeyDecryption([]byte(cacheData.Value), encryptionKey)
 		if err == nil {
 			cacheData.Value = string(newValue)
-			cacheData.Encrypted = false
+
+			// Not removing this as it just causes confusion
+			//cacheData.Encrypted = false
 		}
 	}
 

shared.go

@@ -20028,7 +20028,7 @@ func HandleGetCacheKey(resp http.ResponseWriter, request *http.Request) {
 	cacheId := fmt.Sprintf("%s_%s", tmpData.OrgId, tmpData.Key)
 	cacheData, err := GetDatastoreKey(ctx, cacheId, tmpData.Category)
 	if err != nil {
-
+		log.Printf("[WARNING] Failed to GET cache key '%s' for org %s (get)", tmpData.Key, tmpData.OrgId)
 		// Doing a last resort search, e.g. to handle spaces and the like
 		allkeys, _, err := GetAllCacheKeys(ctx, org.Id, "", 150, "")
 		if err == nil {
@@ -20063,7 +20063,7 @@ func HandleGetCacheKey(resp http.ResponseWriter, request *http.Request) {
 		}
 	}
 
-	if len(cacheData.PublicAuthorization) == 0 {
+	if len(cacheData.PublicAuthorization) == 0 && cacheData.Category != "protected" {
 		cacheId := fmt.Sprintf("%s_%s", tmpData.OrgId, tmpData.Key)
 		if len(tmpData.Category) > 0 && tmpData.Category != "default" {
 			cacheId = fmt.Sprintf("%s_%s", cacheId, tmpData.Category)
@@ -33065,9 +33065,11 @@ func cleanupProtectedKeys(exec WorkflowExecution) WorkflowExecution {
 		return exec
 	}
 
-	if exec.Status == "FINISHED" || exec.Status == "ABORTED" {
-		return exec
-	}
+	// This doesn't matter as we are checking for 'sanitized' anyway
+	// This also makes it stop too early
+	//if exec.Status == "FINISHED" || exec.Status == "ABORTED" {
+	//	return exec
+	//}
 
 	protectedKeys, _, err := GetAllCacheKeys(context.Background(), exec.ExecutionOrg, "protected", 100, "")
 	if err != nil {
@@ -33076,11 +33078,11 @@ func cleanupProtectedKeys(exec WorkflowExecution) WorkflowExecution {
 	}
 
 	for resultKey, _ := range exec.Results {
-		if exec.Results[resultKey].Status != "FINISHED" && exec.Results[resultKey].Status != "SUCCESS" {
+		if exec.Results[resultKey].Sanitized {
 			continue
 		}
 
-		if exec.Results[resultKey].Sanitized {
+		if exec.Results[resultKey].Status != "FINISHED" && exec.Results[resultKey].Status != "SUCCESS" {
 			continue
 		}
 
@@ -33091,7 +33093,11 @@ func cleanupProtectedKeys(exec WorkflowExecution) WorkflowExecution {
 			} else if len(protectedKey.Value) > 2000000 {
 				exec.Results[resultKey].Result = strings.ReplaceAll(exec.Results[resultKey].Result, protectedKey.Value, "***")
 			} else {
-				exec.Results[resultKey].Result = SanitizeFuzzySubstring(exec.Results[resultKey].Result, protectedKey.Value, 2)
+				exec.Results[resultKey].Result = strings.ReplaceAll(exec.Results[resultKey].Result, protectedKey.Value, "***")
+
+				// FIXME: Should do more fuzzy sanitizing, but there are too
+				// many edgecases for it
+				//exec.Results[resultKey].Result = SanitizeFuzzySubstring(exec.Results[resultKey].Result, protectedKey.Value, 2)
 			}
 		}