danielberkompas / cloak_ecto

Encrypted fields for Ecto
MIT License

:error when decrypting field #57

Open jaronoff97 opened 1 month ago

jaronoff97 commented 1 month ago

I have a schema that was created with a migration for ecto_ch:

def change do
  create table(:settings, primary_key: false, engine: "MergeTree") do
    # The primary key for this is the organization id that the settings belong to.
    add(:organization_id, :uuid, primary_key: true)
    add(:token, :binary)

    timestamps(type: :utc_datetime)
  end
end

with a model like so:

defmodule MyApp.Orgs.Settings do
  use Ecto.Schema
  import Ecto.Changeset

  @primary_key false
  schema "settings" do
    field(:token, MyApp.Orgs.SecretKey)

    timestamps(type: :utc_datetime)

    belongs_to(:organization, MyApp.Orgs.Organization,
      references: :id,
      type: Ecto.UUID
    )
  end

  @doc false
  def changeset(settings, attrs) do
    settings
    |> cast(attrs, [:token, :organization_id])
    |> validate_required([:token, :organization_id])
  end
end

where SecretKey is:

defmodule MyApp.Orgs.SecretKey do
  use Cloak.Ecto.Binary, vault: MyApp.Orgs.Vault
end
defmodule MyApp.Orgs.Vault do
  use Cloak.Vault, otp_app: :myapp
end

I have a simple test that makes a settings object and then lists the object, but I'm getting this error:

Assertion with == failed
     code:  assert Orgs.list_settings() == [settings]
     left:  [
              %myapp.Orgs.Settings{
                __meta__: #Ecto.Schema.Metadata<:loaded, "settings">,
                inserted_at: ~U[2024-06-12 20:10:48Z],
                token: :error,
                organization: %myapp.Orgs.Organization{
                  __meta__: #Ecto.Schema.Metadata<:loaded, "organizations">,
                  id: "9a31980f-0342-49af-8377-8e8ed9fc2852",
                  inserted_at: ~U[2024-06-12 20:10:48Z],
                  name: "some name",
                  settings: #Ecto.Association.NotLoaded<association :settings is not loaded>,
                  updated_at: ~U[2024-06-12 20:10:48Z],
                  users: #Ecto.Association.NotLoaded<association :users is not loaded>
                },
                organization_id: "9a31980f-0342-49af-8377-8e8ed9fc2852",
                updated_at: ~U[2024-06-12 20:10:48Z]
              }
            ]
     right: [
              %myapp.Orgs.Settings{
                __meta__: #Ecto.Schema.Metadata<:loaded, "settings">,
                inserted_at: ~U[2024-06-12 20:10:48Z],
                token: "some token",
                organization: %myapp.Orgs.Organization{
                  __meta__: #Ecto.Schema.Metadata<:loaded, "organizations">,
                  id: "9a31980f-0342-49af-8377-8e8ed9fc2852",
                  inserted_at: ~U[2024-06-12 20:10:48Z],
                  name: "some name",
                  settings: #Ecto.Association.NotLoaded<association :settings is not loaded>,
                  updated_at: ~U[2024-06-12 20:10:48Z],
                  users: #Ecto.Association.NotLoaded<association :users is not loaded>
                },
                organization_id: "9a31980f-0342-49af-8377-8e8ed9fc2852",
                updated_at: ~U[2024-06-12 20:10:48Z]
              }
            ]
     stacktrace:
       test/myapp/orgs_test.exs:15: (test)

Which implies that when I go to decrypt from my database, it's unable to use the vault to decrypt my encrypted key. I updated my test_helper.exs to ensure the vault was started, but no dice.

MyApp.Orgs.Vault.start_link()

jaronoff97 commented 1 month ago

hmmm it looks like my vault isn't being started maybe?

      settings = settings_fixture()
      IO.puts("------")
      IO.inspect(MyApp.Orgs.Vault.decrypt(settings.token))
      IO.puts("------")
      assert Orgs.list_settings() == [settings]

results in this error:

{:error,
 %Cloak.MissingCipher{
   message: "No cipher found for vault: nil, ciphertext: \"some token\"",
   vault: nil,
   label: nil,
   ciphertext: "some token"
 }}