Make encryptor error-wrapping test deterministic (cloudfoundry#5110)

philippthun · web-flow · commit b5a8f7d06171 · 2026-05-19T15:42:18.000+02:00
The "raises an EncryptorError" test relied on AES-CBC + PKCS#7
producing invalid padding when decrypting with the wrong key. With a
random plaintext, padding is coincidentally valid ~1/256 of the time
(dominated by the last byte being 0x01), so cipher.final returns
garbage instead of raising and the test flakes.

Stub OpenSSL::Cipher#final to raise CipherError so the test exercises
the rescue/wrap logic in run_cipher deterministically. Add a parallel
test in the "no key label" context, since the same wrapping applies
there.
diff --git a/spec/unit/lib/cloud_controller/encryptor_spec.rb b/spec/unit/lib/cloud_controller/encryptor_spec.rb
@@ -161,6 +161,15 @@ module VCAP::CloudController
 
               expect(result).not_to eq(unencrypted_string)
             end
+
+            it 'wraps OpenSSL::Cipher::CipherError as an EncryptorError' do
+              encrypted_string = Encryptor.encrypt(unencrypted_string, salt)
+              allow_any_instance_of(OpenSSL::Cipher).to receive(:final).and_raise(OpenSSL::Cipher::CipherError, 'bad decrypt')
+
+              expect do
+                Encryptor.decrypt(encrypted_string, salt, iterations: encryption_iterations)
+              end.to raise_error(VCAP::CloudController::Encryptor::EncryptorError, %r{Encryption/Decryption failed: bad decrypt})
+            end
           end
 
           context 'when the wrong label is passed for decryption' do
@@ -176,13 +185,13 @@ module VCAP::CloudController
               expect(result).not_to eq(unencrypted_string)
             end
 
-            it 'raises an EncryptorError' do
-              allow(Encryptor).to receive(:current_encryption_key_label).and_return('foo')
+            it 'wraps OpenSSL::Cipher::CipherError as an EncryptorError' do
               encrypted_string = Encryptor.encrypt(unencrypted_string, salt)
+              allow_any_instance_of(OpenSSL::Cipher).to receive(:final).and_raise(OpenSSL::Cipher::CipherError, 'bad decrypt')
 
               expect do
                 Encryptor.decrypt(encrypted_string, salt, label: 'bar', iterations: encryption_iterations)
-              end.to raise_error(VCAP::CloudController::Encryptor::EncryptorError, %r{Encryption/Decryption failed: })
+              end.to raise_error(VCAP::CloudController::Encryptor::EncryptorError, %r{Encryption/Decryption failed: bad decrypt})
             end
           end
         end
