Deserialization old containers on decryption fail

crypto/envelope_detector.go

@@ -154,7 +154,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraStruct(ctx context.Context, ac
 		return nil, err
 	}
 
-	return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+	processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+	if err != nil {
+		return nil, err
+	}
+
+	// return old container in case of unavailability to decrypt it
+	if bytes.Equal(processedData, serialized) {
+		return acraStruct, nil
+	}
+
+	return processedData, nil
 }
 
 // OnAcraBlock implementation of acrablock.Processor
@@ -164,7 +174,17 @@ func (wrapper *OldContainerDetectorWrapper) OnAcraBlock(ctx context.Context, acr
 		return nil, err
 	}
 
-	return wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+	processedData, err := wrapper.detector.OnCryptoEnvelope(ctx, serialized)
+	if err != nil {
+		return nil, err
+	}
+
+	// return old container in case of unavailability to decrypt it
+	if bytes.Equal(processedData, serialized) {
+		return acraBlock, nil
+	}
+
+	return processedData, nil
 }
 
 // OnCryptoEnvelope used to pretend BackWrapper as callback for EnvelopeDetector

crypto/envelope_detector_test.go

@@ -103,21 +103,8 @@ func TestOldContainerDetectorWrapper(t *testing.T) {
 					t.Fatal("OnColumn error ", err)
 				}
 
-				if len(outBuffer) <= len(tcase.Data) {
-					t.Fatal("Invalid outBuffer length")
-				}
-
-				internal, envelopeID, err := DeserializeEncryptedData(outBuffer)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				if envelopeID != tcase.envelopeID {
-					t.Fatal("invalid envelopeID - should be", tcase.envelopeID)
-				}
-
-				if !bytes.Equal(internal, tcase.Data) {
-					t.Fatal("deserialized internal container is not equals to initial data")
+				if len(outBuffer) != len(tcase.Data) {
+					t.Fatal("Invalid outBuffer length - outBuffer should be the same")
 				}
 			}
 		})

examples/python/encryptor_config_with_zone.yaml

@@ -46,4 +46,5 @@ schemas:
       - id
       - email
     encrypted:
-      - column: email
+      - column: email
+

tests/test.py

@@ -6472,6 +6472,26 @@ def testSearchAcraBlock(self):
         self.checkDefaultIdEncryption(**context)
         self.assertEqual(rows[0]['searchable_acrablock'], search_term)
 
+    def testDeserializeOldContainerOnDecryptionFail(self):
+        acrastruct = create_acrastruct_with_client_id(b'somedata', TLS_CERT_CLIENT_ID_1)
+
+        context = self.get_context_data()
+        context['raw_data'] = acrastruct
+        search_term = context['searchable_acrablock']
+
+        # Insert searchable data and raw AcraStruct
+        self.insertRow(context)
+
+        rows = self.executeSelect2(
+            sa.select([self.encryptor_table])
+                .where(self.encryptor_table.c.searchable_acrablock == sa.bindparam('searchable_acrablock')),
+            {'searchable_acrablock': search_term})
+        self.assertEqual(len(rows), 1)
+        self.checkDefaultIdEncryption(**context)
+
+        # AcraStruct should be as is - not serialized inside general container
+        self.assertEqual(rows[0]['raw_data'], acrastruct)
+
     def testSearchWithEncryptedData(self):
         context = self.get_context_data()
         not_encrypted_term = context['raw_data']