Skip to content

Commit

Permalink
fix: show field name in error message when base64 decoding fails
Browse files Browse the repository at this point in the history 
Signed-off-by: Maximilian Gaß <m.gass@babiel.com>
  • Loading branch information
@mxey
mxey committed May 10, 2024
1 parent 985008e commit f742928
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 2 deletions.
3 changes: 2 additions & 1 deletion pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -277,7 +277,8 @@ func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, privKeys ma
for key, value := range s.Spec.EncryptedData {
valueBytes, err := base64.StdEncoding.DecodeString(value)
if err != nil {
return nil, err
errs = append(errs, multierror.Tag(key, err))
continue
}
plaintext, err := crypto.HybridDecrypt(rand.Reader, privKeys, valueBytes, label)
if err != nil {
Expand Down
33 changes: 32 additions & 1 deletion pkg/apis/sealedsecrets/v1alpha1/sealedsecret_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -298,7 +298,7 @@ func TestSealRoundTripWithMisMatchClusterWide(t *testing.T) {

_, err := ssecret.Unseal(codecs, keys)
if err == nil {
t.Fatalf("Unseal did not return expected error: %v", err)
t.Fatal("Expecting error: got nil instead")
}
}

Expand Down Expand Up @@ -572,6 +572,37 @@ func TestRejectBothEncryptedDataAndDeprecatedV1Data(t *testing.T) {
}))
}

func TestInvalidBase64(t *testing.T) {
sealedSecret := &SealedSecret{
ObjectMeta: metav1.ObjectMeta{
Name: "myname",
Namespace: "myns",
},
Spec: SealedSecretSpec{
EncryptedData: map[string]string{
"foo": "NOTVALIDBASE64",
},
},
}

scheme := runtime.NewScheme()
codecs := serializer.NewCodecFactory(scheme)
_, keys := generateTestKey(t, testRand(), 2048)

_, err := sealedSecret.Unseal(codecs, keys)
if err == nil {
t.Fatal("Expecting error: got nil instead")
}

if !strings.Contains(err.Error(), "foo") {
t.Errorf("Expecting error: %q to contain field %q", err, "foo")
}

if strings.Contains(err.Error(), "decrypt") {
t.Errorf("Expecting error: %q to not contain %q (invalid base64 should skip decryption)", err, "decrypt")
}
}

func sealSecret(t *testing.T, secret *v1.Secret, newSealedSecret func(serializer.CodecFactory, *rsa.PublicKey, *v1.Secret) (*SealedSecret, error)) (*SealedSecret, serializer.CodecFactory, map[string]*rsa.PrivateKey) {
scheme := runtime.NewScheme()
codecs := serializer.NewCodecFactory(scheme)
Expand Down

0 comments on commit f742928

Please sign in to comment.