feat(lib): Updated error types #362
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
elizabethhealy
previously approved these changes
Oct 14, 2024
- Untyped `Error` objects indicate a likely bug in the library itself - The messages should be prefixed `internal: ` - Samples include bad resource management or missing values in fields that should be const. - `TdfError` should be the root for all errors an application might theoretically screen for to find out if something is wrong in their application that might be caused by TDF or this library. Includes a novel `code` field to allow tracking based on a unique(?) error code - `ConfigurationError` should be able to be fixed by updating the application code. - `InvalidFileError` indicates that a file is likely tampered with or corrupt, although for some errors this may also indicate something is wrong with the user KAS. There are several subtypes when there may be changes to the configuration or user settings that could potentially fix the issue. - `DecryptError` may indicate that the key is incorrect; this could be caused by using a remote or CKS key is out of date, indicating a failure on the server side, but at the moment we have not implemented this. - `IntegrityError` indicates that the segment or global hash is incorrect. This could indicate a file was generated with a deprecated library that uses a different hash calculation. - `UnsafeUrlError` indicates that one or more required Key Access Objects refers to a remote KAS that is not in the allowlist. You can manually check the URL and add it to the allowlist in the client constructor if is a supported KAS. - `NetworkError` indicates a network connectivity error (e.g. during rewrap or key lookup), or a 5xx error on a service - `UnauthenticatedError` indicates that the Bearer token or a required DPoP was not attached to a request. This is often fixable with a mix of IdP/OAuth configuration changes and changes to the application or by adding custom middleware or some combination of all these. - `PermissionDeniedError` indicates that a service (rewrap or public key) has denied access, either due to traditional login (bearer token insufficient scope is one possibility) or due to ABAC (client entity does not have sufficient attributes for policy) - `UnsupportedFeatureError` indicates that an enum in the file or a KAS requirement is not met, e.g. KAS uses an unsupported EC curve, or the TDF file embeds such a curve; could indicate the file was generated with a newer, experimental, or deprecated/removed feature.
dmihalcik-virtru
force-pushed
the
feature/better-errors
branch
from
3e5b90a to
86c405f
Compare
elizabethhealy
previously approved these changes
Oct 15, 2024
| @@ -102,7 +102,9 @@ export class SplitKey { | |||
| : typeof metadata === 'string' | |||
| ? metadata | |||
| : () => { | |||
| throw new Error(); | |||
| throw new Error( | |||
There was a problem hiding this comment.
Yes this maybe should be invalidFileError, now that I look closer
There was a problem hiding this comment.
oh wait nevermind this is during write. Configuration error probably
| if (!algorithm) { | ||
| throw new Error('Uninitialized cipher type'); | ||
| // Hard coded as part of the cipher object. This should not be reachable. | ||
| throw new Error('internal: uninitialized cipher type'); |
There was a problem hiding this comment.
While I think this is most likely an internal error, it could conceivably also be a configuration error if the client is highly customized (a la secure share)
pflynn-virtru
previously approved these changes
Oct 15, 2024
dmihalcik-virtru
dismissed stale reviews from pflynn-virtru and elizabethhealy
via
53694df
pflynn-virtru
approved these changes
Oct 15, 2024
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Errorobjects indicate a likely bug in the library itselfinternal:TdfErrorshould be the root for all errors an application might theoretically screen for to find out if something is wrong in their application that might be caused by TDF or this library. Includes a novelcodefield to allow tracking based on a unique(?) error codeConfigurationErrorshould be able to be fixed by updating the application code.InvalidFileErrorindicates that a file is likely tampered with or corrupt, although for some errors this may also indicate something is wrong with the user KAS. There are several subtypes when there may be changes to the configuration or user settings that could potentially fix the issue.DecryptErrormay indicate that the key is incorrect; this could be caused by using a remote or CKS key is out of date, indicating a failure on the server side, but at the moment we have not implemented this.IntegrityErrorindicates that the segment or global hash is incorrect. This could indicate a file was generated with a deprecated library that uses a different hash calculation.UnsafeUrlErrorindicates that one or more required Key Access Objects refers to a remote KAS that is not in the allowlist. You can manually check the URL and add it to the allowlist in the client constructor if is a supported KAS.NetworkErrorindicates a network connectivity error (e.g. during rewrap or key lookup), or a 5xx error on a serviceUnauthenticatedErrorindicates that the Bearer token or a required DPoP was not attached to a request. This is often fixable with a mix of IdP/OAuth configuration changes and changes to the application or by adding custom middleware or some combination of all these.PermissionDeniedErrorindicates that a service (rewrap or public key) has denied access, either due to traditional login (bearer token insufficient scope is one possibility) or due to ABAC (client entity does not have sufficient attributes for policy)UnsupportedFeatureErrorindicates that an enum in the file or a KAS requirement is not met, e.g. KAS uses an unsupported EC curve, or the TDF file embeds such a curve; could indicate the file was generated with a newer, experimental, or deprecated/removed feature.