fix(core): be tolerant of decryption issue

loicmathieu · loicmathieu · commit 69d403d3874a · 2025-04-03T14:01:37.000+02:00
If we cannot decrupt outputs, let's ignore the outpot and log a warning.
This may only happen on configuratin mismatch between nodes.
diff --git a/core/src/main/java/io/kestra/core/encryption/EncryptionService.java b/core/src/main/java/io/kestra/core/encryption/EncryptionService.java
@@ -64,8 +64,10 @@ public static byte[] encrypt(String key, byte[] plainText) throws GeneralSecurit
      * The IV is recovered from the beginning of the string.
      *
      * @see #decrypt(String, byte[])
+     * @throws IllegalArgumentException when the cipherText cannot be BASE64 decoded.
+     *         This may indicate that the cipherText was not encrypted at first so a caller may use this as an indication as it tries to decode a text that was not encoded.
      */
-    public static String decrypt(String key, String cipherText) throws GeneralSecurityException {
+    public static String decrypt(String key, String cipherText) throws GeneralSecurityException, IllegalArgumentException {
         if (cipherText == null || cipherText.isEmpty()) {
             return cipherText;
         }
diff --git a/core/src/main/java/io/kestra/core/runners/Secret.java b/core/src/main/java/io/kestra/core/runners/Secret.java
@@ -2,7 +2,6 @@
 
 import io.kestra.core.encryption.EncryptionService;
 import io.kestra.core.models.tasks.common.EncryptedString;
-import jakarta.annotation.Nullable;
 import org.slf4j.Logger;
 
 import java.security.GeneralSecurityException;
@@ -50,8 +49,11 @@ Map<String, Object> decrypt(final Map<String, Object> data) {
                     try {
                         String decoded = decrypt((String) map.get("value"));
                         decryptedMap.put(entry.getKey(), decoded);
-                    } catch (GeneralSecurityException e) {
-                        throw new RuntimeException(e);
+                    } catch (GeneralSecurityException | IllegalArgumentException e) {
+                        // NOTE: in rare cases, if for ex a Worker didn't have the encryption but an Executor has it,
+                        // we can have a non-encrypted output that we try to decrypt, this will lead to an IllegalArgumentException.
+                        // As it could break the executor, the best is to do nothing in this case and only log an error.
+                        logger.get().warn("Unable to decrypt the output", e);
                     }
                 }  else {
                     decryptedMap.put(entry.getKey(), decrypt((Map<String, Object>) map));

Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,10 @@ public static byte[] encrypt(String key, byte[] plainText) throws GeneralSecurit`
`64`	`64`	`* The IV is recovered from the beginning of the string.`
`65`	`65`	`*`
`66`	`66`	`* @see #decrypt(String, byte[])`
	`67`	`+ * @throws IllegalArgumentException when the cipherText cannot be BASE64 decoded.`
	`68`	`+ * This may indicate that the cipherText was not encrypted at first so a caller may use this as an indication as it tries to decode a text that was not encoded.`
`67`	`69`	`*/`
`68`		`- public static String decrypt(String key, String cipherText) throws GeneralSecurityException {`
	`70`	`+ public static String decrypt(String key, String cipherText) throws GeneralSecurityException, IllegalArgumentException {`
`69`	`71`	`if (cipherText == null \|\| cipherText.isEmpty()) {`
`70`	`72`	`return cipherText;`
`71`	`73`	`}`