Throw appropriate error instead of UnknownError for GET /v3/service_credential_bindings/:binding_guid/details when encryption-key-label is invalid

kathap · kathap · commit d227ca5d7f03 · 2025-04-30T17:06:32.000+02:00
diff --git a/app/controllers/v3/service_credential_bindings_controller.rb b/app/controllers/v3/service_credential_bindings_controller.rb
@@ -133,7 +133,15 @@ def details
     credentials = if service_credential_binding.is_a?(ServiceKey) && service_credential_binding.credhub_reference?
                     fetch_credentials_value(service_credential_binding.credhub_reference)
                   else
-                    service_credential_binding.credentials
+                    begin
+                      service_credential_binding.credentials
+                    rescue StandardError => e
+                      logger.error("Failed to decrypt credentials: #{e.message}")
+                      raise CloudController::Errors::ApiError.new_from_details('UnprocessableEntity',
+                                                                               "Cannot read credentials for \
+                                                                                      service_credential_binding \
+                                                                                      with guid: #{service_credential_binding.guid}")
+                    end
                   end
 
     details = Presenters::V3::ServiceCredentialBindingDetailsPresenter.new(
diff --git a/lib/cloud_controller/encryptor.rb b/lib/cloud_controller/encryptor.rb
@@ -47,8 +47,11 @@ def decrypt(encrypted_input, salt, iterations:, label: nil)
         return unless encrypted_input
 
         key = key_to_use(label)
-
-        decrypt_raw(encrypted_input, key, salt, iterations:)
+        begin
+          decrypt_raw(encrypted_input, key, salt, iterations:)
+        rescue OpenSSL::Cipher::CipherError, StandardError => e
+          raise StandardError.new("Decryption failed: #{e.message}")
+        end
       end
 
       def decrypt_raw(encrypted_input, key, salt, iterations:)
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -624,6 +624,27 @@ def check_filtered_bindings(*bindings)
       }
     end
 
+    context 'when the encryption_key_label is invalid' do
+      before do
+        VCAP::CloudController::Encryptor.database_encryption_keys = {
+          encryption_key_0: 'somevalidkeyvalue',
+          foo: 'fooencryptionkey',
+          death: 'headbangingdeathmetalkey', 'invalid-key-label': 'fakekey'
+        }
+      end
+
+      it 'fails to decrypt the credentials and returns a 500 error' do
+        app_binding.class.db[:service_bindings].where(id: app_binding.id).update(encryption_key_label: 'invalid-key-label')
+
+        allow(VCAP::CloudController::Encryptor).to receive(:decrypt_raw).and_raise(StandardError.new('Decryption failed'))
+
+        api_call.call(admin_headers)
+
+        expect(last_response).to have_status_code(422)
+        expect(parsed_response['errors'].first['detail']).to match(/Cannot read credentials/i)
+      end
+    end
+
     context "last binding operation is in 'create succeeded' state" do
       before do
         app_binding.save_with_attributes_and_new_operation({}, { type: 'create', state: 'succeeded' })
