Return AccessDenied Error Code when failing to decrypt credentials (#396)

Author: Brianwithay21

src/main/java/software/amazon/cloudformation/HookAbstractWrapper.java

@@ -38,6 +38,7 @@
 import software.amazon.cloudformation.encryption.Cipher;
 import software.amazon.cloudformation.encryption.KMSCipher;
 import software.amazon.cloudformation.exceptions.BaseHandlerException;
+import software.amazon.cloudformation.exceptions.EncryptionException;
 import software.amazon.cloudformation.exceptions.FileScrubberException;
 import software.amazon.cloudformation.exceptions.TerminalException;
 import software.amazon.cloudformation.injection.CloudWatchLogsProvider;
@@ -233,33 +234,41 @@ private ProgressEvent<TargetT, CallbackT> processInvocation(final JSONObject raw
 
         // TODO: Include hook schema validation here after schema is finalized
 
-        // initialise dependencies with platform credentials
-        initialiseRuntime(request.getHookTypeName(), request.getRequestData().getProviderCredentials(),
-            request.getRequestData().getProviderLogGroupName(), request.getAwsAccountId(),
-            request.getRequestData().getHookEncryptionKeyArn(), request.getRequestData().getHookEncryptionKeyRole());
+        try {
+            // initialise dependencies with platform credentials
+            initialiseRuntime(request.getHookTypeName(), request.getRequestData().getProviderCredentials(),
+                request.getRequestData().getProviderLogGroupName(), request.getAwsAccountId(),
+                request.getRequestData().getHookEncryptionKeyArn(), request.getRequestData().getHookEncryptionKeyRole());
 
-        // transform the request object to pass to caller
-        HookHandlerRequest hookHandlerRequest = transform(request);
-        ConfigurationT typeConfiguration = request.getHookModel();
+            // transform the request object to pass to caller
+            HookHandlerRequest hookHandlerRequest = transform(request);
+            ConfigurationT typeConfiguration = request.getHookModel();
 
-        HookRequestContext<CallbackT> requestContext = request.getRequestContext();
+            HookRequestContext<CallbackT> requestContext = request.getRequestContext();
 
-        this.metricsPublisherProxy.publishInvocationMetric(Instant.now(), request.getActionInvocationPoint());
+            this.metricsPublisherProxy.publishInvocationMetric(Instant.now(), request.getActionInvocationPoint());
 
-        // last mile proxy creation with passed-in credentials (unless we are operating
-        // in a non-AWS model)
-        AmazonWebServicesClientProxy awsClientProxy = null;
-        Credentials processedCallerCredentials = processCredentials(request.getRequestData().getCallerCredentials());
-        if (processedCallerCredentials != null) {
-            awsClientProxy = new AmazonWebServicesClientProxy(this.loggerProxy, processedCallerCredentials,
-                                                              DelayFactory.CONSTANT_DEFAULT_DELAY_FACTORY,
-                                                              WaitStrategy.scheduleForCallbackStrategy());
+            // last mile proxy creation with passed-in credentials (unless we are operating
+            // in a non-AWS model)
+            AmazonWebServicesClientProxy awsClientProxy = null;
+            Credentials processedCallerCredentials = processCredentials(request.getRequestData().getCallerCredentials());
+            if (processedCallerCredentials != null) {
+                awsClientProxy = new AmazonWebServicesClientProxy(this.loggerProxy, processedCallerCredentials,
+                                                                  DelayFactory.CONSTANT_DEFAULT_DELAY_FACTORY,
+                                                                  WaitStrategy.scheduleForCallbackStrategy());
 
-        }
+            }
 
-        CallbackT callbackContext = (requestContext != null) ? requestContext.getCallbackContext() : null;
+            CallbackT callbackContext = (requestContext != null) ? requestContext.getCallbackContext() : null;
 
-        return wrapInvocationAndHandleErrors(awsClientProxy, hookHandlerRequest, request, callbackContext, typeConfiguration);
+            return wrapInvocationAndHandleErrors(awsClientProxy, hookHandlerRequest, request, callbackContext, typeConfiguration);
+
+        } catch (EncryptionException e) {
+            publishExceptionMetric(request.getActionInvocationPoint(), e, HandlerErrorCode.AccessDenied);
+            logUnhandledError("An encryption error occurred while processing request", request, e);
+
+            return ProgressEvent.defaultFailureHandler(e, HandlerErrorCode.AccessDenied);
+        }
     }
 
     private void logUnhandledError(final String errorDescription,

src/main/java/software/amazon/cloudformation/encryption/KMSCipher.java

@@ -87,7 +87,13 @@ public Credentials decryptCredentials(final String encryptedCredentials) {
         try {
             final CryptoResult<byte[],
                 KmsMasterKey> result = cryptoHelper.decryptData(kmsKeyProvider, Base64.decode(encryptedCredentials));
-            return serializer.deserialize(new String(result.getResult(), StandardCharsets.UTF_8), this.credentialsTypeReference);
+            final Credentials credentials = serializer.deserialize(new String(result.getResult(), StandardCharsets.UTF_8),
+                this.credentialsTypeReference);
+            if (credentials == null) {
+                throw new EncryptionException("Failed to decrypt credentials. Decrypted credentials are 'null'.");
+            }
+
+            return credentials;
         } catch (final IOException | AwsCryptoException e) {
             throw new EncryptionException("Failed to decrypt credentials.", e);
         }

src/test/java/software/amazon/cloudformation/HookWrapperTest.java

@@ -48,6 +48,7 @@
 import software.amazon.awssdk.http.HttpStatusCode;
 import software.amazon.awssdk.http.SdkHttpClient;
 import software.amazon.cloudformation.encryption.KMSCipher;
+import software.amazon.cloudformation.exceptions.EncryptionException;
 import software.amazon.cloudformation.exceptions.ResourceNotFoundException;
 import software.amazon.cloudformation.exceptions.TerminalException;
 import software.amazon.cloudformation.injection.CredentialsProvider;
@@ -743,6 +744,34 @@ public void invokeHandler_throwsHookNotFoundException_returnsNotFound() throws I
         }
     }
 
+    @Test
+    public void invokeHandler_throwsEncryptionException_returnsAccessDenied() throws IOException {
+        wrapper.setTransformResponse(hookHandlerRequest);
+
+        lenient().when(cipher.decryptCredentials(any())).thenThrow(new EncryptionException("Failed to decrypt credentials."));
+
+        try (final InputStream in = loadRequestStream("preCreate.request.json");
+            final OutputStream out = new ByteArrayOutputStream()) {
+
+            wrapper.processRequest(in, out);
+
+            // all metrics should be published, once for a single invocation
+            verify(providerMetricsPublisher, times(0)).publishInvocationMetric(any(Instant.class),
+                eq(HookInvocationPoint.CREATE_PRE_PROVISION));
+            verify(providerMetricsPublisher, times(0)).publishDurationMetric(any(Instant.class),
+                eq(HookInvocationPoint.CREATE_PRE_PROVISION), anyLong());
+
+            // failure metric should be published
+            verify(providerMetricsPublisher, times(0)).publishExceptionMetric(any(Instant.class), any(HookInvocationPoint.class),
+                any(ResourceNotFoundException.class), any(HandlerErrorCode.class));
+
+            // verify output response
+            verifyHandlerResponse(out,
+                HookProgressEvent.<TestContext>builder().clientRequestToken("123456").errorCode(HandlerErrorCode.AccessDenied)
+                    .hookStatus(HookStatus.FAILED).message("Failed to decrypt credentials.").build());
+        }
+    }
+
     @Test
     public void invokeHandler_metricPublisherThrowable_returnsFailureResponse() throws IOException {
         // simulate runtime Errors in the metrics publisher (such as dependency

src/test/java/software/amazon/cloudformation/encryption/KMSCipherTest.java

@@ -15,16 +15,20 @@
 package software.amazon.cloudformation.encryption;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.lenient;
 import com.amazonaws.encryptionsdk.AwsCrypto;
 import com.amazonaws.encryptionsdk.CryptoResult;
+import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
 import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
+import java.io.IOException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import software.amazon.cloudformation.exceptions.EncryptionException;
 import software.amazon.cloudformation.proxy.Credentials;
 
 @ExtendWith(MockitoExtension.class)
@@ -53,33 +57,76 @@ public void constructKMSCipher_constructSuccess() {
     public void decryptCredentials_decryptSuccess() {
         cipher = new KMSCipher(cryptoHelper, kmsKeyProvider);
         lenient().when(cryptoHelper.decryptData(any(KmsMasterKeyProvider.class), any(byte[].class))).thenReturn(result);
-        lenient().when(result.getResult()).thenReturn("{\"test\":\"test\"}".getBytes());
-
-        try {
-            Credentials decryptedCredentials = cipher
-                .decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
-                    + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
-                    + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
-                    + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
-                    + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==");
-            assertThat(decryptedCredentials).isNotNull();
-        } catch (final Exception ex) {
-        }
+        lenient().when(result.getResult()).thenReturn(
+            "{\"accessKeyId\":\"testAccessKeyId\", \"secretAccessKey\": \"testSecretAccessKey\", \"sessionToken\": \"testToken\"}"
+                .getBytes());
 
+        Credentials decryptedCredentials = cipher
+            .decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
+                + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
+                + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
+                + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
+                + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==");
+        assertThat(decryptedCredentials).isNotNull();
+        assertThat(decryptedCredentials.getAccessKeyId()).isEqualTo("testAccessKeyId");
+        assertThat(decryptedCredentials.getSecretAccessKey()).isEqualTo("testSecretAccessKey");
+        assertThat(decryptedCredentials.getSessionToken()).isEqualTo("testToken");
     }
 
     @Test
     public void decryptCredentials_decryptFailure() {
         cipher = new KMSCipher("encryptionKeyArn", "encryptionKeyRole");
-        try {
-            Credentials decryptedCredentials = cipher
-                .decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
-                    + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
-                    + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
-                    + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
-                    + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==");
-            assertThat(decryptedCredentials).isNotNull();
-        } catch (final Exception ex) {
-        }
+        assertThatThrownBy(
+            () -> cipher.decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
+                + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
+                + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
+                + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
+                + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==")).isInstanceOf(EncryptionException.class)
+                    .hasMessageContaining("Failed to decrypt credentials");
+    }
+
+    @Test
+    public void decryptCredentials_returnsNullCredentials_decryptFailure() {
+        cipher = new KMSCipher(cryptoHelper, kmsKeyProvider);
+        lenient().when(cryptoHelper.decryptData(any(KmsMasterKeyProvider.class), any(byte[].class))).thenReturn(result);
+        lenient().when(result.getResult()).thenReturn("null".getBytes());
+
+        assertThatThrownBy(
+            () -> cipher.decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
+                + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
+                + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
+                + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
+                + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==")).isInstanceOf(EncryptionException.class)
+                    .hasMessageContaining("Failed to decrypt credentials. Decrypted credentials are 'null'");
+    }
+
+    @Test
+    public void decryptCredentials_encryptionSDKError_decryptFailure() {
+        cipher = new KMSCipher(cryptoHelper, kmsKeyProvider);
+        lenient().when(cryptoHelper.decryptData(any(KmsMasterKeyProvider.class), any(byte[].class)))
+            .thenThrow(new AwsCryptoException());
+
+        assertThatThrownBy(
+            () -> cipher.decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
+                + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
+                + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
+                + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
+                + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==")).isInstanceOf(EncryptionException.class)
+                    .hasCauseInstanceOf(AwsCryptoException.class).hasMessageContaining("Failed to decrypt credentials");
+    }
+
+    @Test
+    public void decryptCredentials_deserializationError_decryptFailure() {
+        cipher = new KMSCipher(cryptoHelper, kmsKeyProvider);
+        lenient().when(cryptoHelper.decryptData(any(KmsMasterKeyProvider.class), any(byte[].class))).thenReturn(result);
+        lenient().when(result.getResult()).thenReturn("{test: test\"".getBytes());
+
+        assertThatThrownBy(
+            () -> cipher.decryptCredentials("ewogICAgICAgICAgICAiYWNjZXNzS2V5SWQiOiAiSUFTQVlLODM1R0FJRkhBSEVJMjMiLAogICAg\n"
+                + "ICAgICAgICAic2VjcmV0QWNjZXNzS2V5IjogIjY2aU9HUE41TG5wWm9yY0xyOEtoMjV1OEFiakhW\n"
+                + "bGx2NS9wb2gyTzAiLAogICAgICAgICAgICAic2Vzc2lvblRva2VuIjogImxhbWVIUzJ2UU9rblNI\n"
+                + "V2hkRllUeG0yZUpjMUpNbjlZQk5JNG5WNG1YdWU5NDVLUEw2REhmVzhFc1VRVDV6d3NzWUVDMU52\n"
+                + "WVA5eUQ2WTVzNWxLUjNjaGZsT0hQRnNJZTZlcWciCiAgICAgICAgfQ==")).isInstanceOf(EncryptionException.class)
+                    .hasCauseInstanceOf(IOException.class).hasMessageContaining("Failed to decrypt credentials");
     }
 }