Optimize error handling and logging

Signed-off-by: Louis Chu <[email protected]>
opensearch-project · Oct 6, 2022 · 389c718 · 389c718
1 parent ea3f6c4
commit 389c718
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 17 deletions.
diff --git a/src/plugins/data_source/README.md b/src/plugins/data_source/README.md
@@ -79,7 +79,7 @@ a. Envelope encryption - has multiple benefits including strong protection on da
 
 b. Key derivation algorithm - HKDF with SHA-384, which “helps you avoid accidental reuse of a data encryption key and reduces the risk of overusing a data key.”
 
-c. Signature algorithm - ECDSA with P-384 and SHA-384. Under multiple data source case, data source indices stored on OpenSearch can be modified / replaced by attacker. With ECDSA signature, ciphertext decryption will fail if it’s getting pullted. No one will be able to create another signature that verifies with the public key because the private key has been dropped.
+c. Signature algorithm - ECDSA with P-384 and SHA-384. Under multiple data source case, data source documents stored on OpenSearch can be modified / replaced by attacker. With ECDSA signature, ciphertext decryption will fail if it’s getting pullted. No one will be able to create another signature that verifies with the public key because the private key has been dropped.
 
 ---
 

diff --git a/src/plugins/data_source/server/client/configure_client.ts b/src/plugins/data_source/server/client/configure_client.ts
@@ -58,10 +58,9 @@ export const getCredential = async (
 
   const { decryptedText, encryptionContext } = await cryptography
     .decodeAndDecrypt(password)
-    .catch(() => {
-      throw new Error(
-        'Encrypted "auth.credentials.password" contaminated. Please delete and create another data source.'
-      );
+    .catch((err: any) => {
+      // Re-throw as DataSourceConfigError
+      throw new DataSourceConfigError('Unable to decrypt "auth.credentials.password".', err);
     });
 
   if (encryptionContext!.endpoint !== endpoint) {

diff --git a/src/plugins/data_source/server/cryptography_service.ts b/src/plugins/data_source/server/cryptography_service.ts
@@ -9,9 +9,7 @@ import {
   RawAesKeyringNode,
   RawAesWrappingSuiteIdentifier,
 } from '@aws-crypto/client-node';
-
 import { Logger } from '../../../../src/core/server';
-
 import { DataSourcePluginConfigType } from '../config';
 
 export const ENCODING_STRATEGY: BufferEncoding = 'base64';

diff --git a/src/plugins/data_source/server/plugin.ts b/src/plugins/data_source/server/plugin.ts
@@ -20,7 +20,6 @@ import {
 } from '../../../../src/core/server';
 import { DataSourcePluginConfigType } from '../config';
 import { LoggingAuditor } from './audit/logging_auditor';
-
 import { CryptographyService, CryptographyServiceSetup } from './cryptography_service';
 import { DataSourceService, DataSourceServiceSetup } from './data_source_service';
 import { DataSourceSavedObjectsClientWrapper, dataSource } from './saved_objects';

diff --git a/src/plugins/data_source/server/saved_objects/data_source_saved_objects_client_wrapper.ts b/src/plugins/data_source/server/saved_objects/data_source_saved_objects_client_wrapper.ts
@@ -15,12 +15,9 @@ import {
   SavedObjectsUpdateOptions,
   SavedObjectsUpdateResponse,
 } from 'opensearch-dashboards/server';
-
 import { Logger, SavedObjectsErrorHelpers } from '../../../../../src/core/server';
-
 import { DATA_SOURCE_SAVED_OBJECT_TYPE } from '../../common';
 import { AuthType } from '../../common/data_sources';
-
 import { EncryptionContext, CryptographyServiceSetup } from '../cryptography_service';
 
 /**
@@ -296,8 +293,10 @@ export class DataSourceSavedObjectsClientWrapper {
       });
       attributes = savedObject.attributes;
     } catch (err: any) {
-      // this.logger.error(err);
-      throw err;
+      const errMsg = `Fail to fetch existing data source for dataSourceId [${id}]`;
+      this.logger.error(errMsg);
+      this.logger.error(err);
+      throw SavedObjectsErrorHelpers.decorateBadRequestError(err, errMsg);
     }
 
     if (!attributes) {
@@ -350,10 +349,11 @@ export class DataSourceSavedObjectsClientWrapper {
 
         const { encryptionContext } = await this.cryptography
           .decodeAndDecrypt(password)
-          .catch(() => {
-            throw SavedObjectsErrorHelpers.createBadRequestError(
-              'Update failed due to deprecated data source: encrypted "auth.credentials.password" contaminated. Please delete and create another data source.'
-            );
+          .catch((err: any) => {
+            const errMsg = `Fail to update existing data source for dataSourceId [${id}]: unable to decrypt "auth.credentials.password"`;
+            this.logger.error(errMsg);
+            this.logger.error(err);
+            throw SavedObjectsErrorHelpers.decorateBadRequestError(err, errMsg);
           });
 
         if (encryptionContext.endpoint !== endpoint) {
-Original file line number
+Diff line change
@@ Expand Up @@
     b. Key derivation algorithm - HKDF with SHA-384, which “helps you avoid accidental reuse of a data encryption key and reduces the risk of overusing a data key.”
-    c. Signature algorithm - ECDSA with P-384 and SHA-384. Under multiple data source case, data source indices stored on OpenSearch can be modified / replaced by attacker. With ECDSA signature, ciphertext decryption will fail if it’s getting pullted. No one will be able to create another signature that verifies with the public key because the private key has been dropped.
+    c. Signature algorithm - ECDSA with P-384 and SHA-384. Under multiple data source case, data source documents stored on OpenSearch can be modified / replaced by attacker. With ECDSA signature, ciphertext decryption will fail if it’s getting pullted. No one will be able to create another signature that verifies with the public key because the private key has been dropped.
     ---
@@ Expand Down @@