fix: key was not saved correctly! better logging and errors.

TBD54566975 · Aug 14, 2024 · 06750ca · 06750ca
1 parent 0d423a4
commit 06750ca
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/backend/controller/dal/encryption.go b/backend/controller/dal/encryption.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/TBD54566975/ftl/backend/dal"
 	"github.com/TBD54566975/ftl/internal/encryption"
+	"github.com/TBD54566975/ftl/internal/log"
 )
 
 func (d *DAL) encrypt(subKey encryption.SubKey, cleartext []byte) ([]byte, error) {
@@ -16,7 +17,7 @@ func (d *DAL) encrypt(subKey encryption.SubKey, cleartext []byte) ([]byte, error
 
 	v, err := d.encryptor.Encrypt(subKey, cleartext)
 	if err != nil {
-		return nil, fmt.Errorf("failed to encrypt: %w", err)
+		return nil, fmt.Errorf("failed to encrypt binary with subkey %s: %w", subKey, err)
 	}
 
 	return v, nil
@@ -29,7 +30,7 @@ func (d *DAL) decrypt(subKey encryption.SubKey, encrypted []byte) ([]byte, error
 
 	v, err := d.encryptor.Decrypt(subKey, encrypted)
 	if err != nil {
-		return nil, fmt.Errorf("failed to decrypt: %w", err)
+		return nil, fmt.Errorf("failed to decrypt binary with subkey %s: %w", subKey, err)
 	}
 
 	return v, nil
@@ -47,7 +48,7 @@ func (d *DAL) encryptJSON(subKey encryption.SubKey, v any) ([]byte, error) {
 func (d *DAL) decryptJSON(subKey encryption.SubKey, encrypted []byte, v any) error { //nolint:unparam
 	decrypted, err := d.decrypt(subKey, encrypted)
 	if err != nil {
-		return fmt.Errorf("failed to decrypt: %w", err)
+		return fmt.Errorf("failed to decrypt json with subkey %s: %w", subKey, err)
 	}
 
 	if err = json.Unmarshal(decrypted, v); err != nil {
@@ -61,6 +62,7 @@ func (d *DAL) decryptJSON(subKey encryption.SubKey, encrypted []byte, v any) err
 // It will either create a key or load the existing one.
 // If the KMS URL is not set, it will use a NoOpEncryptor which does not encrypt anything.
 func (d *DAL) setupEncryptor(ctx context.Context) (err error) {
+	logger := log.FromContext(ctx)
 	tx, err := d.Begin(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to begin transaction: %w", err)
@@ -69,32 +71,36 @@ func (d *DAL) setupEncryptor(ctx context.Context) (err error) {
 
 	url, ok := d.kmsURL.Get()
 	if !ok {
+		logger.Infof("KMS URL not set, encryption not enabled")
 		d.encryptor = encryption.NewNoOpEncryptor()
 		return nil
 	}
 
 	encryptedKey, err := tx.db.GetOnlyEncryptionKey(ctx)
 	if err != nil {
 		if dal.IsNotFound(err) {
+			logger.Infof("No encryption key found, generating a new one")
 			encryptor, err := encryption.NewKMSEncryptorGenerateKey(url, nil)
 			if err != nil {
 				return fmt.Errorf("failed to create encryptor for generation: %w", err)
 			}
 			d.encryptor = encryptor
+
+			if err = tx.db.CreateOnlyEncryptionKey(ctx, encryptor.GetEncryptedKeyset()); err != nil {
+				return fmt.Errorf("failed to create only encryption key: %w", err)
+			}
+
 			return nil
 		}
 		return fmt.Errorf("failed to get only encryption key: %w", err)
 	}
 
+	logger.Debugf("Encryption key found, using it")
 	encryptor, err := encryption.NewKMSEncryptorWithKMS(url, nil, encryptedKey)
 	if err != nil {
 		return fmt.Errorf("failed to create encryptor with encrypted key: %w", err)
 	}
 	d.encryptor = encryptor
 
-	if err = tx.db.CreateOnlyEncryptionKey(ctx, encryptedKey); err != nil {
-		return fmt.Errorf("failed to create only encryption key: %w", err)
-	}
-
 	return nil
 }