diff --git a/Microsoft.Azure.Cosmos.Encryption/src/Custom/EncryptionProcessor.cs b/Microsoft.Azure.Cosmos.Encryption/src/Custom/EncryptionProcessor.cs
index c1b42c6dfe..c777287e45 100644
--- a/Microsoft.Azure.Cosmos.Encryption/src/Custom/EncryptionProcessor.cs
+++ b/Microsoft.Azure.Cosmos.Encryption/src/Custom/EncryptionProcessor.cs
@@ -588,7 +588,7 @@ internal static async Task DeserializeAndDecryptResponseAsync(
 CosmosDiagnosticsContext diagnosticsContext = CosmosDiagnosticsContext.Create(null);
 using (diagnosticsContext.CreateScope("EncryptionProcessor.DeserializeAndDecryptResponseAsync"))
 {
- (JObject decryptedDocument, DecryptionContext _) = await EncryptionProcessor.DecryptAsync(
+ await EncryptionProcessor.DecryptAsync(
 document,
 encryptor,
 diagnosticsContext,
diff --git a/Microsoft.Azure.Cosmos.Encryption/src/EncryptionContainer.cs b/Microsoft.Azure.Cosmos.Encryption/src/EncryptionContainer.cs
index 2e64938207..b8aa22f6fd 100644
--- a/Microsoft.Azure.Cosmos.Encryption/src/EncryptionContainer.cs
+++ b/Microsoft.Azure.Cosmos.Encryption/src/EncryptionContainer.cs
@@ -910,29 +910,10 @@ internal async Task DeserializeAndDecryptResponseAsync(
 continue;
 }
- try
- {
- JObject decryptedDocument = await EncryptionProcessor.DecryptAsync(
- document,
- encryptionSettings,
- cancellationToken);
- }
-
- // we cannot rely currently on a specific exception, this is due to the fact that the run time issue can be variable,
- // we can hit issue with either Json serialization say an item was not encrypted but the policy shows it as encrypted,
- // or we could hit a MicrosoftDataEncryptionException from MDE lib etc.
- catch (Exception)
- {
- // most likely the encryption policy has changed.
- encryptionSettings = await this.GetOrUpdateEncryptionSettingsFromCacheAsync(
- obsoleteEncryptionSettings: encryptionSettings,
- cancellationToken: cancellationToken);
- JObject decryptedDocument = await EncryptionProcessor.DecryptAsync(
- document,
- encryptionSettings,
- cancellationToken);
- }
+ await EncryptionProcessor.DecryptAsync(
+ document,
+ encryptionSettings,
+ cancellationToken);
 }
 // the contents get decrypted in place by DecryptAsync.
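Review bot: Without the old catch-all retry, `DeserializeAndDecryptResponseAsync` now lets every exception from `EncryptionProcessor.DecryptAsync` propagate, so the stale-policy case the removed comments described fails the whole response instead of being retried with refreshed settings; `DecryptChangeFeedDocumentsAsync` in the -1297 hunk has the same shape. The -1385 hunk shows the response path refreshing settings via `GetOrUpdateEncryptionSettingsFromCacheAsync(... isRetry: true)` before decrypting, which looks like where that handling moved, but whether the change-feed path does the same is outside these hunks. Either way the loop should state the contract it now relies on, e.g. above the call: `// Decryption errors propagate: encryptionSettings must already be current (see GetOrUpdateEncryptionSettingsFromCacheAsync); there is no in-loop retry.` Both enclosing methods begin before their hunks.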
@@ -1297,33 +1278,12 @@ private async Task> DecryptChangeFeedDocumentsAsync(
 foreach (JObject document in documents)
 {
- try
- {
- JObject decryptedDocument = await EncryptionProcessor.DecryptAsync(
- document,
- encryptionSettings,
- cancellationToken);
-
- decryptedItems.Add(decryptedDocument.ToObject());
- }
-
- // we cannot rely currently on a specific exception, this is due to the fact that the run time issue can be variable,
- // we can hit issue with either Json serialization say an item was not encrypted but the policy shows it as encrypted,
- // or we could hit a MicrosoftDataEncryptionException from MDE lib etc.
- catch (Exception)
- {
- // most likely the encryption policy has changed.
- encryptionSettings = await this.GetOrUpdateEncryptionSettingsFromCacheAsync(
- obsoleteEncryptionSettings: encryptionSettings,
- cancellationToken: cancellationToken);
- JObject decryptedDocument = await EncryptionProcessor.DecryptAsync(
- document,
- encryptionSettings,
- cancellationToken);
+ JObject decryptedDocument = await EncryptionProcessor.DecryptAsync(
+ document,
+ encryptionSettings,
+ cancellationToken);
- decryptedItems.Add(decryptedDocument.ToObject());
- }
+ decryptedItems.Add(decryptedDocument.ToObject());
 }
 return decryptedItems;
@@ -1385,9 +1345,17 @@ await this.GetOrUpdateEncryptionSettingsFromCacheAsync(
 isRetry: true);
 }
- Stream decryptedContent = await this.DeserializeAndDecryptResponseAsync(responseMessage.Content, encryptionSettings, cancellationToken);
+ if (responseMessage.IsSuccessStatusCode && responseMessage.Content != null)
+ {
+ Stream decryptedContent = await this.DeserializeAndDecryptResponseAsync(
+ responseMessage.Content,
+ encryptionSettings,
+ cancellationToken);
+ return new DecryptedResponseMessage(responseMessage, decryptedContent);
+ }
- return new DecryptedResponseMessage(responseMessage, decryptedContent);
+ return responseMessage;
 }
 }
 }
\ No newline at end of file
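Review bot: The new guard in the -1385 hunk returns non-success responses without decryption but gives no reason, and a later reader may well "fix" it by decrypting unconditionally; I read the intent as "an error response has no encrypted payload, and the caller should see the original status and diagnostics", and if that is right it belongs on the `if` as a comment, e.g. `// Error responses carry no encrypted body; hand them back untouched so the caller sees the original status and diagnostics.` The check `responseMessage.Content != null` reads better as `responseMessage.Content is not null`, matching the null-pattern idiom. The enclosing method opens before the hunk.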
diff --git a/Microsoft.Azure.Cosmos.Encryption/tests/EmulatorTests/MdeEncryptionTests.cs b/Microsoft.Azure.Cosmos.Encryption/tests/EmulatorTests/MdeEncryptionTests.cs index cee3082a0e..0edf111122 100644 --- a/Microsoft.Azure.Cosmos.Encryption/tests/EmulatorTests/MdeEncryptionTests.cs +++ b/Microsoft.Azure.Cosmos.Encryption/tests/EmulatorTests/MdeEncryptionTests.cs @@ -1524,7 +1524,9 @@ public async Task VerifyKekRevokeHandling() ContainerProperties containerProperties = new ContainerProperties(Guid.NewGuid().ToString(), "/PK") { ClientEncryptionPolicy = clientEncryptionPolicyWithRevokedKek }; Container encryptionContainer = await database.CreateContainerAsync(containerProperties, 400); - + + TestDoc testDoc1 = await MdeEncryptionTests.MdeCreateItemAsync(encryptionContainer); + testEncryptionKeyStoreProvider.RevokeAccessSet = true; // try creating it and it should fail as it has been revoked. @@ -1537,6 +1539,19 @@ public async Task VerifyKekRevokeHandling() { } + // testing query read fail due to revoked access. + try + { + await MdeEncryptionTests.ValidateQueryResultsAsync( + encryptionContainer, + "SELECT * FROM c", + testDoc1); + Assert.Fail("Query should have failed, since property path /Sensitive_NestedObjectFormatL1 has been encrypted using Cek with revoked access. "); + } + catch (RequestFailedException) + { + } + // for unwrap to succeed testEncryptionKeyStoreProvider.RevokeAccessSet = false;