feat(crypto): name the failing setting in wrong-key decrypt log
The "could not decrypt a stored secret" warning was generic, so an operator couldn't tell which of the six secret settings was encrypted under an old key. Thread the setting key through _decode → decrypt_secret(context=...) so the log now reads e.g. "Could not decrypt stored secret smtp.password (wrong/rotated key — re-enter it)". Pure diagnostic; decrypt behaviour unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -81,8 +81,12 @@ def encrypt_secret(plaintext: str) -> str:
|
||||
return ENC_PREFIX + f.encrypt(plaintext.encode("utf-8")).decode("ascii")
|
||||
|
||||
|
||||
def decrypt_secret(value: str) -> str:
|
||||
"""Decrypt an ``enc:v1:`` token; pass through plaintext / undecryptable values."""
|
||||
def decrypt_secret(value: str, *, context: str = "") -> str:
|
||||
"""Decrypt an ``enc:v1:`` token; pass through plaintext / undecryptable values.
|
||||
|
||||
context (e.g. the setting key) is only used to name the value in the
|
||||
wrong-key log line, so an operator knows exactly which secret to re-enter.
|
||||
"""
|
||||
if not is_encrypted(value):
|
||||
return value
|
||||
f = _get()
|
||||
@@ -91,7 +95,8 @@ def decrypt_secret(value: str) -> str:
|
||||
try:
|
||||
return f.decrypt(value[len(ENC_PREFIX):].encode("ascii")).decode("utf-8")
|
||||
except InvalidToken:
|
||||
logger.error("Could not decrypt a stored secret (wrong/rotated key?)")
|
||||
logger.error("Could not decrypt stored secret %s (wrong/rotated key — re-enter it)",
|
||||
context or "(unknown setting)")
|
||||
return value
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user