Merge pull request #39 from Mastercard/feature/graceful-error-handling

Handle encryption/decryption exceptions gracefully

package.json

@@ -46,7 +46,7 @@
   },
   "dependencies": {
     "insomnia-url": "^3.3.0",
-    "mastercard-client-encryption": "^1.4.0",
+    "mastercard-client-encryption": "^1.6.0",
     "mastercard-oauth1-signer": "^1.1.6",
     "node-forge": "^1.3.0"
   },

src/encryption/client-encryption.js

@@ -15,26 +15,31 @@ module.exports.request = async (context) => {
   ) {
     const headers = mcContext.requestHeader();
 
-    const fle = utils.cryptoService(mcContext.encryptionConfig);
+    const cryptoService = utils.cryptoService(mcContext.encryptionConfig);
 
     if (utils.isJWE(mcContext.encryptionConfig)) {
       // Convert cert
-      fle.crypto.encryptionCertificate = utils.pkcs8to1(mcContext.encryptionConfig.encryptionCertificate);
+      cryptoService.crypto.encryptionCertificate = utils.pkcs8to1(mcContext.encryptionConfig.encryptionCertificate);
     }
 
-    const encrypted = fle.encrypt(
-      mcContext.url,
-      headers,
-      JSON.parse(body.text)
-    );
+    try {
+      const encrypted = cryptoService.encrypt(
+        mcContext.url,
+        headers,
+        JSON.parse(body.text)
+      );
 
-    // override header
-    for (const [name, value] of Object.entries(encrypted.header)) {
-      context.request.setHeader(name, value);
-    }
+      // override header
+      for (const [name, value] of Object.entries(encrypted.header)) {
+        context.request.setHeader(name, value);
+      }
 
-    // replace body
-    context.request.setBodyText(JSON.stringify(encrypted.body));
+      // replace body
+      context.request.setBodyText(JSON.stringify(encrypted.body));
+    } catch (e) {
+      // eslint-disable-next-line no-console
+      console.log("Error occurred encrypting the request", e);
+    }
   }
 };
 
@@ -48,16 +53,21 @@ module.exports.response = async (context) => {
     mcContext.isJsonResponse() &&
     mcContext.encryptionConfig
   ) {
-    const fle = utils.cryptoService(mcContext.encryptionConfig);
+    const cryptoService = utils.cryptoService(mcContext.encryptionConfig);
 
     const response = JSON.parse(fs.readFileSync(body.path));
-    const decryptedBody = fle.decrypt({
-      body: response,
-      header: mcContext.responseHeader(),
-      request: {
-        url: mcContext.url
-      }
-    });
-    context.response.setBody(JSON.stringify(decryptedBody));
+    try {
+      const decryptedBody = cryptoService.decrypt({
+        body: response,
+        header: mcContext.responseHeader(),
+        request: {
+          url: mcContext.url
+        }
+      });
+      context.response.setBody(JSON.stringify(decryptedBody));
+    } catch (e) {
+      // eslint-disable-next-line no-console
+      console.log("Error occurred decrypting the response", e);
+    }
   }
 };

test/__res__/config-jwe.json

@@ -27,7 +27,8 @@
       "encryptedValueFieldName": "encryptedData",
       "publicKeyFingerprintType": "certificate",
       "encryptionCertificate": "./test/__res__/test_certificate.cert",
-      "privateKey": "./test/__res__/test_key.der"
+      "privateKey": "./test/__res__/test_key.der",
+      "dataEncoding": "base64"
     }
   }
 }

test/__res__/config-root-element.json

@@ -0,0 +1,38 @@
+{
+  "host": "https://sandbox.api.mastercard.com",
+  "mastercard": {
+    "consumerKey": "H5MR_EL6fmGG_jzvC6T7Wu43IZ-0plTTTfalNHft2482b23a!eab46a89cc2b46ebb31aeec610f52eeb0000000000000000",
+    "keyAlias": "mykeyalias",
+    "keystoreP12Path": "./test/__res__/test_key_container.p12",
+    "keystorePassword": "Password1",
+    "encryptionConfig": {
+      "paths": [
+        {
+          "path": "/resource",
+          "toEncrypt": [
+            {
+              "element": "$",
+              "obj": "$"
+            }
+          ],
+          "toDecrypt": [
+            {
+              "element": "$",
+              "obj": "$"
+            }
+          ]
+        }
+      ],
+      "oaepPaddingDigestAlgorithm": "SHA-512",
+      "ivFieldName": "iv",
+      "encryptedKeyFieldName": "encryptedKey",
+      "encryptedValueFieldName": "encryptedData",
+      "oaepHashingAlgorithmFieldName": "oaepHashingAlgorithm",
+      "publicKeyFingerprintFieldName": "publicKeyFingerprint",
+      "publicKeyFingerprintType": "certificate",
+      "dataEncoding": "hex",
+      "encryptionCertificate": "./test/__res__/test_certificate.cert",
+      "privateKey": "./test/__res__/test_key.der"
+    }
+  }
+}

test/__res__/mock-response-error.json

@@ -0,0 +1,13 @@
+{
+  "Errors": [
+    {
+      "Error": {
+        "Source": "Gateway",
+        "ReasonCode": "DECLINED",
+        "Description": "Unauthorized - Access Not Granted",
+        "Recoverable": false,
+        "Details": null
+      }
+    }
+  ]
+}

test/encryption/client-encryption.test.js

@@ -39,6 +39,12 @@ describe('Encryption', () => {
     body: body
   });
 
+  const contextWithRootElem = helper.context({
+    url: 'https://api.mastercard.com/service/api/resource',
+    body: body,
+    config: require('../__res__/config-root-element.json').mastercard
+  });
+
   const mockResponse = (_path) => {
     const readFileSync = fs.readFileSync;
     const fn = (path, options) => {
@@ -251,4 +257,30 @@ describe('Encryption', () => {
 
     assert(setBody.notCalled);
   });
+
+  it('should not override response if decryption fails', async () => {
+    mockResponse('./test/__res__/mock-response-error.json');
+    sinon.spy(contextWithRootElem.response, 'setBody');
+    sinon.mock(contextWithRootElem.response).expects('getHeader').returns('application/json');
+    sinon.mock(contextWithRootElem.response).expects('getBodyStream').returns({ path: 'mocked-response-path' });
+
+    await plugin.responseHooks[0](contextWithRootElem); // decrypt
+
+    sinon.assert.notCalled(contextWithRootElem.response.setBody);
+
+    fs.readFileSync.restore();
+  });
+
+  it('should not ovveride request if encryption fails', async () => {
+    let ctx = helper.context({ body: "invalid json" });
+    const setHeader = sinon.spy(ctx.request, 'setHeader');
+    const setBodyText = sinon.spy(ctx.request, 'setBodyText');
+
+    await plugin.requestHooks[0](ctx); // encrypt
+
+    assert(setHeader.notCalled);
+    assert(setBodyText.notCalled);
+  });
+
+
 });