chore(modules-config): improve error context in decryption failures

JocLRojas · JocLRojas · commit e36be1627df0 · 2026-04-27T19:34:08.000+03:00
diff --git a/plugins/modules-config/config/config.go b/plugins/modules-config/config/config.go
@@ -161,14 +161,6 @@ func (s *ConfigServer) NotifyUpdate(moduleName string, section *ConfigurationSec
 
 func (s *ConfigServer) fetchModuleConfig(backend, moduleName, internalKey string) (*ConfigurationSection, int, error) {
 	url := fmt.Sprintf("%s/api/utm-modules/moduleDetails?nameShort=%s&serverId=1", backend, moduleName)
-	// Remove after testing, before release to production
-	catcher.Info("fetchModuleConfig: requesting", map[string]any{
-		"process":        "plugin_com.utmstack.modules-config",
-		"module":         moduleName,
-		"url":            url,
-		"internalKey":    internalKey,
-		"internalKeyLen": len(internalKey),
-	})
 
 	response, status, err := utils.DoReq[ConfigurationSection](
 		url,
@@ -177,54 +169,17 @@ func (s *ConfigServer) fetchModuleConfig(backend, moduleName, internalKey string
 		map[string]string{"Utm-Internal-Key": internalKey},
 		true,
 	)
-	// Remove after testing, before release to production
-	catcher.Info("fetchModuleConfig: response received", map[string]any{
-		"process":    "plugin_com.utmstack.modules-config",
-		"module":     moduleName,
-		"status":     status,
-		"err":        fmt.Sprintf("%v", err),
-		"groupCount": len(response.ModuleGroups),
-		"moduleName": response.ModuleName,
-	})
 
 	if err != nil || status != http.StatusOK {
 		return nil, status, err
 	}
-	// Remove after testing, before release to production
-	for _, g := range response.ModuleGroups {
-		for _, cnf := range g.ModuleGroupConfigurations {
-			catcher.Info("fetchModuleConfig: incoming field (pre-decrypt)", map[string]any{
-				"process":      "plugin_com.utmstack.modules-config",
-				"module":       moduleName,
-				"groupId":      g.Id,
-				"confKey":      cnf.ConfKey,
-				"confDataType": cnf.ConfDataType,
-				"valueLen":     len(cnf.ConfValue),
-				"confValue":    cnf.ConfValue,
-			})
-		}
-	}
 
 	if err := s.runDecrypter(&response); err != nil {
 		return nil, status, catcher.Error("failed to decrypt module config", err, map[string]any{
 			"process": "plugin_com.utmstack.modules-config",
 			"module":  moduleName,
 		})
 	}
-	// Remove after testing, before release to production
-	for _, g := range response.ModuleGroups {
-		for _, cnf := range g.ModuleGroupConfigurations {
-			catcher.Info("fetchModuleConfig: field (post-decrypt)", map[string]any{
-				"process":      "plugin_com.utmstack.modules-config",
-				"module":       moduleName,
-				"groupId":      g.Id,
-				"confKey":      cnf.ConfKey,
-				"confDataType": cnf.ConfDataType,
-				"valueLen":     len(cnf.ConfValue),
-				"confValue":    cnf.ConfValue,
-			})
-		}
-	}
 
 	return &response, status, nil
 }
diff --git a/plugins/modules-config/crypto/crypto.go b/plugins/modules-config/crypto/crypto.go
@@ -2,7 +2,6 @@ package crypto
 
 import (
 	"fmt"
-	"runtime/debug"
 	"strings"
 
 	"github.com/AtlasInsideCorp/AtlasInsideAES"
@@ -41,30 +40,12 @@ func decryptGroupConfigurations(moduleName string, group *config.ModuleGroup, ke
 	if group == nil {
 		return
 	}
-	// Remove after testing, before release to production
+
 	for _, cnf := range group.ModuleGroupConfigurations {
-		catcher.Info("crypto: evaluating field", map[string]any{
-			"process":      "plugin_com.utmstack.modules-config",
-			"module":       moduleName,
-			"groupId":      group.Id,
-			"confKey":      cnf.ConfKey,
-			"confDataType": cnf.ConfDataType,
-			"valueLen":     len(cnf.ConfValue),
-			"confValue":    cnf.ConfValue,
-			"key":          key,
-			"keyLen":       len(key),
-		})
-		// Remove after testing, before release to production
 		if !shouldDecrypt(moduleName, cnf.ConfDataType, cnf.ConfValue) {
-			catcher.Info("crypto: skipped (shouldDecrypt=false)", map[string]any{
-				"process":      "plugin_com.utmstack.modules-config",
-				"module":       moduleName,
-				"confKey":      cnf.ConfKey,
-				"confDataType": cnf.ConfDataType,
-			})
 			continue
 		}
-		// Remove after testing, before release to production
+
 		plain, err := safeAESDecrypt(cnf.ConfValue, key)
 		if err != nil {
 			_ = catcher.Error("failed to decrypt configuration value", err, map[string]any{
@@ -73,43 +54,23 @@ func decryptGroupConfigurations(moduleName string, group *config.ModuleGroup, ke
 				"groupId":      group.Id,
 				"confKey":      cnf.ConfKey,
 				"confDataType": cnf.ConfDataType,
-				"valueLen":     len(cnf.ConfValue),
-				"confValue":    cnf.ConfValue,
-				"key":          key,
-				"keyLen":       len(key),
 			})
 			continue
 		}
-		// Remove after testing, before release to production
-		catcher.Info("crypto: decrypted OK", map[string]any{
-			"process":   "plugin_com.utmstack.modules-config",
-			"module":    moduleName,
-			"groupId":   group.Id,
-			"confKey":   cnf.ConfKey,
-			"plainLen":  len(plain),
-			"plainHead": firstChars(plain, 64),
-		})
+
 		cnf.ConfValue = plain
 	}
 }
 
 func safeAESDecrypt(cipherText, key string) (plain string, err error) {
 	defer func() {
 		if r := recover(); r != nil {
-			stack := string(debug.Stack())
-			err = fmt.Errorf("decryption panic recovered: %v | stack: %s", r, stack)
+			err = fmt.Errorf("decryption failed (malformed ciphertext or wrong key): %v", r)
 		}
 	}()
 	return AtlasInsideAES.AESDecrypt(cipherText, []byte(key))
 }
 
-func firstChars(s string, n int) string {
-	if len(s) <= n {
-		return s
-	}
-	return s[:n]
-}
-
 func shouldDecrypt(moduleName, confDataType, confValue string) bool {
 	if confValue == "" {
 		return false
diff --git a/plugins/modules-config/handlers.go b/plugins/modules-config/handlers.go
@@ -1,8 +1,6 @@
 package main
 
 import (
-	"bytes"
-	"io"
 	"net"
 	"net/http"
 
@@ -24,13 +22,6 @@ func startGRPCServer() error {
 	if err != nil {
 		return catcher.Error("failed to listen on port 9003", err, map[string]any{"process": "plugin_com.utmstack.modules-config"})
 	}
-	// Remove after testing, before release to production
-	catcher.Info("startGRPCServer: initializing decrypter", map[string]any{
-		"process":        "plugin_com.utmstack.modules-config",
-		"InternalKey":    InternalKey,
-		"InternalKeyLen": len(InternalKey),
-		"BackendService": BackendService,
-	})
 
 	config.GetConfigServer().SetDecrypter(func(section *config.ConfigurationSection) error {
 		return crypto.DecryptConfigurationSection(section, InternalKey)
@@ -78,62 +69,13 @@ func UpdateModuleConfig(c *gin.Context) {
 		return
 	}
 
-	rawBody, readErr := io.ReadAll(c.Request.Body)
-	if readErr != nil {
-		_ = catcher.Error("failed to read request body", readErr, map[string]any{
-			"process": "plugin_com.utmstack.modules-config",
-			"module":  moduleName,
-		})
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to read body"})
-		return
-	}
-	c.Request.Body = io.NopCloser(bytes.NewBuffer(rawBody))
-	// Remove after testing, before release to production
-	catcher.Info("UpdateModuleConfig: raw request body", map[string]any{
-		"process": "plugin_com.utmstack.modules-config",
-		"module":  moduleName,
-		"bodyLen": len(rawBody),
-		"rawBody": string(rawBody),
-	})
-
 	body := []config.ConfigurationSection{}
 	if err := c.ShouldBindJSON(&body); err != nil {
-		_ = catcher.Error("failed to bind JSON in UpdateModuleConfig", err, map[string]any{
-			"process": "plugin_com.utmstack.modules-config",
-			"module":  moduleName,
-		})
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
 		return
 	}
 
-	catcher.Info("UpdateModuleConfig: parsed body", map[string]any{
-		"process":      "plugin_com.utmstack.modules-config",
-		"module":       moduleName,
-		"sectionCount": len(body),
-	})
-	// Remove after testing, before release to production
 	if len(body) != 0 {
-		for _, g := range body[0].ModuleGroups {
-			for _, cnf := range g.ModuleGroupConfigurations {
-				catcher.Info("incoming Update field (pre-decrypt)", map[string]any{
-					"process":      "plugin_com.utmstack.modules-config",
-					"module":       moduleName,
-					"groupId":      g.Id,
-					"confKey":      cnf.ConfKey,
-					"confDataType": cnf.ConfDataType,
-					"valueLen":     len(cnf.ConfValue),
-					"confValue":    cnf.ConfValue,
-				})
-			}
-		}
-		// Remove after testing, before release to production
-		catcher.Info("UpdateModuleConfig: calling decrypter", map[string]any{
-			"process":        "plugin_com.utmstack.modules-config",
-			"module":         moduleName,
-			"InternalKey":    InternalKey,
-			"InternalKeyLen": len(InternalKey),
-		})
-
 		if err := crypto.DecryptConfigurationSection(&body[0], InternalKey); err != nil {
 			_ = catcher.Error("failed to decrypt module config on update", err, map[string]any{
 				"process": "plugin_com.utmstack.modules-config",
@@ -142,21 +84,6 @@ func UpdateModuleConfig(c *gin.Context) {
 			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to decrypt configuration"})
 			return
 		}
-		// Remove after testing, before release to production
-		for _, g := range body[0].ModuleGroups {
-			for _, cnf := range g.ModuleGroupConfigurations {
-				catcher.Info("Update field (post-decrypt)", map[string]any{
-					"process":      "plugin_com.utmstack.modules-config",
-					"module":       moduleName,
-					"groupId":      g.Id,
-					"confKey":      cnf.ConfKey,
-					"confDataType": cnf.ConfDataType,
-					"valueLen":     len(cnf.ConfValue),
-					"confValue":    cnf.ConfValue,
-				})
-			}
-		}
-
 		config.GetConfigServer().NotifyUpdate(moduleName, &body[0])
 	} else {
 		catcher.Info("Received empty configuration body, no updates made", map[string]any{"process": "plugin_com.utmstack.modules-config"})
@@ -177,7 +104,7 @@ func ValidateModuleConfig(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
 		return
 	}
-	// Remove after testing, before release to production
+
 	if err := crypto.DecryptModuleGroup(moduleName, &body, InternalKey); err != nil {
 		_ = catcher.Error("failed to decrypt module config on validate", err, map[string]any{
 			"process": "plugin_com.utmstack.modules-config",
