enhance error handling

kathap · kathap · commit e9932a6f1eb2 · 2025-05-05T14:38:21.000+02:00
diff --git a/app/controllers/v3/application_controller.rb b/app/controllers/v3/application_controller.rb
@@ -93,6 +93,7 @@ class ApplicationController < ActionController::Base
   rescue_from CloudController::Errors::CompoundError, with: :handle_compound_error
   rescue_from ActionDispatch::Http::Parameters::ParseError, with: :handle_invalid_request_body
   rescue_from Sequel::DatabaseConnectionError, Sequel::DatabaseDisconnectError, with: :handle_db_connection_error
+  rescue_from OpenSSL::Cipher::CipherError, with: :handle_decryption_error
 
   def configuration
     Config.config
@@ -219,6 +220,11 @@ def handle_db_connection_error(_)
     handle_api_error(error)
   end
 
+  def handle_decryption_error(_)
+    error = CloudController::Errors::ApiError.new_from_details('InternalServerError', 'Failed to decrypt credentials')
+    handle_api_error(error)
+  end
+
   def handle_exception(error)
     presenter = ErrorPresenter.new(error, Rails.env.test?, V3ErrorHasher.new(error))
     logger.info(presenter.log_message)
diff --git a/app/controllers/v3/service_credential_bindings_controller.rb b/app/controllers/v3/service_credential_bindings_controller.rb
@@ -129,18 +129,15 @@ def details
     ensure_service_credential_binding_is_accessible!
     not_found! unless can_read_secrets_in_the_binding_space?
     not_found_with_message!(service_credential_binding) unless service_credential_binding.create_succeeded?
-
+    # begin
     credentials = if service_credential_binding.is_a?(ServiceKey) && service_credential_binding.credhub_reference?
                     fetch_credentials_value(service_credential_binding.credhub_reference)
                   else
                     begin
                       service_credential_binding.credentials
-                    rescue StandardError => e
+                    rescue VCAP::CloudController::Encryptor::EncryptorError => e
                       logger.error("Failed to decrypt credentials: #{e.message}")
-                      raise CloudController::Errors::ApiError.new_from_details('UnprocessableEntity',
-                                                                               "Cannot read credentials for \
-                                                                                      service_credential_binding \
-                                                                                      with guid: #{service_credential_binding.guid}")
+                      raise CloudController::Errors::V3::ApiError.new_from_details('InternalServerError', 'Failed to decrypt credentials')
                     end
                   end
 
diff --git a/lib/cloud_controller/encryptor.rb b/lib/cloud_controller/encryptor.rb
@@ -8,7 +8,7 @@
 module VCAP::CloudController
   module Encryptor
     ENCRYPTION_ITERATIONS = 2048
-
+    class EncryptorError < StandardError; end
     class << self
       ALGORITHM = 'AES-128-CBC'.freeze
 
@@ -47,11 +47,11 @@ def decrypt(encrypted_input, salt, iterations:, label: nil)
         return unless encrypted_input
 
         key = key_to_use(label)
-        begin
+        # begin
           decrypt_raw(encrypted_input, key, salt, iterations:)
-        rescue OpenSSL::Cipher::CipherError, StandardError => e
-          raise StandardError.new("Decryption failed: #{e.message}")
-        end
+        # rescue OpenSSL::Cipher::CipherError, StandardError => e
+        #   raise StandardError.new("Decryption failed: #{e.message}")
+        # end
       end
 
       def decrypt_raw(encrypted_input, key, salt, iterations:)
@@ -88,9 +88,9 @@ def run_cipher(cipher, input, salt, key, iterations:)
         else
           begin
             cipher.key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iterations, 16, OpenSSL::Digest.new('SHA256'))
-          rescue StandardError => e
+          rescue OpenSSL::Cipher::CipherError => e
             logger.error("Failed to derive cipher key due to missing key for encryption_key_label=#{current_encryption_key_label}: #{e.class}: #{e.message}") if key.nil?
-            raise
+            raise EncryptorError
           end
           cipher.iv = salt
         end
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -631,17 +631,17 @@ def check_filtered_bindings(*bindings)
           foo: 'fooencryptionkey',
           death: 'headbangingdeathmetalkey', 'invalid-key-label': 'fakekey'
         }
+        allow_any_instance_of(ErrorPresenter).to receive(:raise_500?).and_return(false)
       end
 
       it 'fails to decrypt the credentials and returns a 500 error' do
         app_binding.class.db[:service_bindings].where(id: app_binding.id).update(encryption_key_label: 'invalid-key-label')
 
-        allow(VCAP::CloudController::Encryptor).to receive(:decrypt_raw).and_raise(StandardError.new('Decryption failed'))
-
+        allow(VCAP::CloudController::Encryptor).to receive(:run_cipher).and_raise(VCAP::CloudController::Encryptor::EncryptorError)
         api_call.call(admin_headers)
 
-        expect(last_response).to have_status_code(422)
-        expect(parsed_response['errors'].first['detail']).to match(/Cannot read credentials/i)
+        expect(last_response).to have_status_code(500)
+        expect(parsed_response['errors'].first['detail']).to match(/Failed/i)
       end
     end
 
