Skip to content

Allow retries in DefaultKeyResolver.CanCreateAuthenticatedEncryptor #54711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Apr 19, 2024
Merged

Allow retries in DefaultKeyResolver.CanCreateAuthenticatedEncryptor #54711

merged 9 commits into from
Apr 19, 2024

Conversation

amcasey
Copy link
Member

@amcasey amcasey commented Mar 23, 2024
edited
Loading

This code is trying to ensure that the selected key can be decrypted (i.e. is usable). It may fail if, for example, Azure KeyVault is unreachable due to connectivity issues. If it fails, there's a log message and then an immediately-activated key will be generated. An immediately-activated key can cause problems for sessions making requests to multiple app instances and those problems won't obviously be connected to the (almost silent) failure in CanCreateAuthenticatedEncryptor. Rather than effectively swallowing such errors, we should allow some retries.

Part of #36157

@amcasey amcasey requested a review from captainsafia March 23, 2024 01:03
@ghost ghost added the area-dataprotection Includes: DataProtection label Mar 23, 2024
@amcasey
Copy link
Member Author

amcasey commented Mar 23, 2024

This will probably have undesirable perf consequences if we don't also do #54675.

@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Mar 30, 2024
@amcasey
Copy link
Member Author

amcasey commented Apr 12, 2024
edited
Loading

Sadly, this does not actually work, in its present state. The key stores the decryption result in a Lazy, effectively caching the failure. The tests didn't catch this because I was mocking IKey and my mock didn't cache.

Edit: with that fixed, this seems effective against simulated failures. PR updates pending.
Edit 2: I've pushed that change. The tests are uglier, but it seems to work.

@amcasey
Allow retries in DefaultKeyResolver.CanCreateAuthenticatedEncryptor
6a89fba 
This code is trying to ensure that the selected key can be decrypted (i.e. is usable).  It may fail if, for example, Azure KeyVault is unreachable due to connectivity issues.  If it fails, there's a log message and then an immediately-activated key will be generated.  An immediately-activated key can cause problems for sessions making requests to multiple app instances and those problems won't obviously be connected to the (almost silent) failure in CanCreateAuthenticatedEncryptor.  Rather than effectively swallowing such errors, we should allow some retries.

Part of dotnet#52678, which is part of dotnet#36157
@amcasey
Copy link
Member Author

amcasey commented Apr 12, 2024

Force push is a trivial rebase - diff should be the same.

amcasey added 2 commits April 12, 2024 16:50
@amcasey
Roll our own Lazy that allows resets
1b48c84 
Retries against the actual `Key` type weren't working because the exception was getting cached in the key's lazy descriptor.  Implement our own simple lazy and expose a method for clearing the cached value and exception.
@amcasey
Fix handling of disallowed retries
c71056c
captainsafia
captainsafia reviewed Apr 15, 2024
View reviewed changes
@amcasey
Copy link
Member Author

amcasey commented Apr 18, 2024

CI failure is in IIS shadow copy and is unrelated. It'll re-run next time I push, so I won't bother doing it now.

@amcasey amcasey enabled auto-merge (squash) April 19, 2024 19:23
@amcasey amcasey merged commit 4d11def into dotnet:main Apr 19, 2024
26 checks passed
@dotnet-policy-service dotnet-policy-service bot added this to the 9.0-preview4 milestone Apr 19, 2024
@amcasey amcasey deleted the DecryptRetry branch April 19, 2024 21:24
@amcasey amcasey mentioned this pull request Apr 24, 2024
Closed
@amcasey amcasey mentioned this pull request Aug 2, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@captainsafia captainsafia captainsafia approved these changes

Assignees
No one assigned
Labels
area-dataprotection Includes: DataProtection pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun
Projects
None yet
Milestone
9.0-preview4
Development

Successfully merging this pull request may close these issues.
2 participants
@amcasey @captainsafia