Add context to logs for decryption failures (#11684)

* Add logging to decryption routines * Fix case of uknown encryption type * Add decryption context to log where failures occur * Update log message * Fix linting * Add more context logs * Add more fine grained logging * Update log message * Fix tests
2025-12-17 00:33:44 +00:00 · 2024-10-25 15:22:30 +02:00
parent adabc59c03
commit 122c3c7809
7 changed files with 61 additions and 17 deletions
--- a/libs/common/src/platform/models/domain/enc-string.spec.ts
+++ b/libs/common/src/platform/models/domain/enc-string.spec.ts
@@ -149,7 +149,7 @@ describe("EncString", () => {
      const key = new SymmetricCryptoKey(makeStaticByteArray(32));
      await encString.decryptWithKey(key, encryptService);

-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key, "domain-withkey");
    });

    it("fails to decrypt when key is null", async () => {
@@ -351,7 +351,7 @@ describe("EncString", () => {
      await encString.decrypt(null, key);

      expect(keyService.getUserKeyWithLegacySupport).not.toHaveBeenCalled();
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key, "provided-key");
    });

    it("gets an organization key if required", async () => {
@@ -362,7 +362,11 @@ describe("EncString", () => {
      await encString.decrypt("orgId", null);

      expect(keyService.getOrgKey).toHaveBeenCalledWith("orgId");
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, orgKey);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
+        encString,
+        orgKey,
+        "domain-orgkey-orgId",
+      );
    });

    it("gets the user's decryption key if required", async () => {
@@ -373,7 +377,11 @@ describe("EncString", () => {
      await encString.decrypt(null, null);

      expect(keyService.getUserKeyWithLegacySupport).toHaveBeenCalledWith();
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, userKey);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
+        encString,
+        userKey,
+        "domain-withlegacysupport-masterkey",
+      );
    });
  });

--- a/libs/common/src/platform/models/domain/enc-string.ts
+++ b/libs/common/src/platform/models/domain/enc-string.ts
@@ -159,16 +159,27 @@ export class EncString implements Encrypted {
      return this.decryptedValue;
    }

+    let keyContext = "provided-key";
    try {
      if (key == null) {
        key = await this.getKeyForDecryption(orgId);
+        keyContext = orgId == null ? `domain-orgkey-${orgId}` : "domain-userkey|masterkey";
+        if (orgId != null) {
+          keyContext = `domain-orgkey-${orgId}`;
+        } else {
+          const cryptoService = Utils.getContainerService().getKeyService();
+          keyContext =
+            (await cryptoService.getUserKey()) == null
+              ? "domain-withlegacysupport-masterkey"
+              : "domain-withlegacysupport-userkey";
+        }
      }
      if (key == null) {
        throw new Error("No key to decrypt EncString with orgId " + orgId);
      }

      const encryptService = Utils.getContainerService().getEncryptService();
-      this.decryptedValue = await encryptService.decryptToUtf8(this, key);
+      this.decryptedValue = await encryptService.decryptToUtf8(this, key, keyContext);
    } catch (e) {
      this.decryptedValue = DECRYPT_ERROR;
    }
@@ -181,7 +192,7 @@ export class EncString implements Encrypted {
        throw new Error("No key to decrypt EncString");
      }

-      this.decryptedValue = await encryptService.decryptToUtf8(this, key);
+      this.decryptedValue = await encryptService.decryptToUtf8(this, key, "domain-withkey");
    } catch (e) {
      this.decryptedValue = DECRYPT_ERROR;
    }