I found that when acra-server validates searchable hash after decryption and it failed then it skips applying response_on_fail option and just returns as is. It's because our searchable encryptor decrypts data as first, marks the current context as successful decryption, and then validates hash which will fail. Due to the context was marked as successful, acra-server do nothing on encoding stage because it expects valid raw value instead of returning error or default value.
In this PR were added marking context as NotDecrypted in case of failed hash validation and tests for that.
Additionally found, that our encryptor_config validations denied searchable fields with type awareness (probably because searchable encryption was added after the first introduction of type awareness) and added missed masks.
I found that when acra-server validates searchable hash after decryption and it failed then it skips applying
response_on_failoption and just returns as is. It's because our searchable encryptor decrypts data as first, marks the current context as successful decryption, and then validates hash which will fail. Due to the context was marked as successful, acra-server do nothing on encoding stage because it expects valid raw value instead of returning error or default value. In this PR were added marking context as NotDecrypted in case of failed hash validation and tests for that. Additionally found, that our encryptor_config validations denied searchable fields with type awareness (probably because searchable encryption was added after the first introduction of type awareness) and added missed masks.Checklist