handle cipher error in central place in applications controller

kathap · kathap · commit e90425e605b5 · 2025-05-06T10:19:11.000+02:00
diff --git a/app/controllers/v3/service_credential_bindings_controller.rb b/app/controllers/v3/service_credential_bindings_controller.rb
@@ -133,12 +133,7 @@ def details
     credentials = if service_credential_binding.is_a?(ServiceKey) && service_credential_binding.credhub_reference?
                     fetch_credentials_value(service_credential_binding.credhub_reference)
                   else
-                    begin
-                      service_credential_binding.credentials
-                    rescue VCAP::CloudController::Encryptor::KeyDerivationError => e
-                      logger.error("Failed to decrypt credentials: #{e.message}")
-                      raise CloudController::Errors::V3::ApiError.new_from_details('InternalServerError', 'Failed to decrypt credentials')
-                    end
+                    service_credential_binding.credentials
                   end
 
     details = Presenters::V3::ServiceCredentialBindingDetailsPresenter.new(
diff --git a/lib/cloud_controller/encryptor.rb b/lib/cloud_controller/encryptor.rb
@@ -8,7 +8,7 @@
 module VCAP::CloudController
   module Encryptor
     ENCRYPTION_ITERATIONS = 2048
-    class KeyDerivationError < StandardError; end
+
     class << self
       ALGORITHM = 'AES-128-CBC'.freeze
 
@@ -83,12 +83,7 @@ def run_cipher(cipher, input, salt, key, iterations:)
         if deprecated_short_salt?(salt)
           cipher.pkcs5_keyivgen(key, salt)
         else
-          begin
-            cipher.key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iterations, 16, OpenSSL::Digest.new('SHA256'))
-          rescue OpenSSL::Cipher::CipherError => e
-            logger.error("Failed to derive cipher key due to missing key for encryption_key_label=#{current_encryption_key_label}: #{e.class}: #{e.message}") if key.nil?
-            raise KeyDerivationError
-          end
+          cipher.key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iterations, 16, OpenSSL::Digest.new('SHA256'))
           cipher.iv = salt
         end
         cipher.update(input) << cipher.final
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -637,7 +637,7 @@ def check_filtered_bindings(*bindings)
       it 'fails to decrypt the credentials and returns a 500 error' do
         app_binding.class.db[:service_bindings].where(id: app_binding.id).update(encryption_key_label: 'invalid-key-label')
 
-        allow(VCAP::CloudController::Encryptor).to receive(:run_cipher).and_raise(VCAP::CloudController::Encryptor::KeyDerivationError)
+        allow(VCAP::CloudController::Encryptor).to receive(:run_cipher).and_raise(OpenSSL::Cipher::CipherError)
         api_call.call(admin_headers)
 
         expect(last_response).to have_status_code(500)
