refactor(kms): extract ciphertext envelope decoding #330
Merged
vieiralucas merged 1 commit into main from Apr 13, 2026
Decrypt and ReEncrypt each carried ~100 lines of ciphertext-envelope
decoding and XOR-decryption logic, all identical: parse the base64
blob, branch on the fakecloud-kms: / fakecloud-imported: prefix, look
up the source key, and either decode the embedded plaintext directly
or un-XOR the imported-key envelope.
Move all of that into decode_ciphertext_envelope, a helper that
returns a DecodedCiphertext { source_arn, plaintext_b64 }. Decrypt
now builds its JSON response straight from the struct; ReEncrypt
uses it to drive the subsequent destination-key re-wrap. The two
envelope prefix strings become file-level constants instead of being
redeclared in each function. invalid_ciphertext() is a tiny
error-construction helper that used to be inlined in six different
places with the same body.
No behavior change. Same AwsServiceError codes, same messages, same
response shapes.
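A minimal shared decoder in the shape the description outlines, as an added example that is not the project's code. Only the two prefix strings come from the page; the `<key_id>:<payload>` layout, the types, the error text and the choice to skip the base64 step are assumptions made for illustration.

```rust
use std::collections::HashMap;

// The two prefixes are named in the PR description. The layout after them
// ("<key_id>:<payload>"), the types and the error text are assumptions.
const FAKE_ENVELOPE_PREFIX: &[u8] = b"fakecloud-kms:";
const IMPORTED_ENVELOPE_PREFIX: &[u8] = b"fakecloud-imported:";

#[derive(Debug, Clone, PartialEq)]
pub struct KmsError { pub code: &'static str, pub message: &'static str }

#[derive(Debug, PartialEq)]
pub struct Decoded { pub key_id: String, pub plaintext: Vec<u8> }

/// The only place the malformed-ciphertext error is built (constructed text).
pub fn malformed() -> KmsError {
    KmsError { code: "InvalidCiphertextException", message: "ciphertext is malformed" }
}

/// Decode an envelope the caller has already base64-decoded.
/// `imported` maps key id -> key material for imported keys.
pub fn decode_envelope(blob: &[u8], imported: &HashMap<String, Vec<u8>>) -> Result<Decoded, KmsError> {
    let (rest, is_imported) = if let Some(r) = blob.strip_prefix(FAKE_ENVELOPE_PREFIX) {
        (r, false)
    } else if let Some(r) = blob.strip_prefix(IMPORTED_ENVELOPE_PREFIX) {
        (r, true)
    } else {
        return Err(malformed()); // unknown prefix takes the same path as every other failure
    };
    let sep = rest.iter().position(|&b| b == b':').ok_or_else(malformed)?;
    let key_id = String::from_utf8(rest[..sep].to_vec()).map_err(|_| malformed())?;
    let payload = &rest[sep + 1..];
    let plaintext: Vec<u8> = if is_imported {
        // Un-XOR with the repeating key material; unknown or empty key is rejected.
        let key = imported.get(&key_id).filter(|k| !k.is_empty()).ok_or_else(malformed)?;
        payload.iter().zip(key.iter().cycle()).map(|(c, k)| c ^ k).collect()
    } else {
        payload.to_vec()
    };
    Ok(Decoded { key_id, plaintext })
}

/// Errors for a set of constructed malformed blobs, so a test can pin them.
pub fn errors_for_malformed(imported: &HashMap<String, Vec<u8>>) -> Vec<KmsError> {
    let bad: [&[u8]; 4] = [b"", b"other:k1:data", b"fakecloud-kms:nosep", b"fakecloud-imported:missing:zz"];
    bad.iter().map(|b| decode_envelope(b, imported).unwrap_err()).collect()
}

fn main() {
    println!("{:?}", errors_for_malformed(&HashMap::new()));
}
```

Pinning the exact code and message for every malformed input, per calling operation, is what turns a "no behavior change" claim into something a test enforces.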
1 issue found across 1 file
| Err(AwsServiceError::aws_error( | ||
| StatusCode::BAD_REQUEST, | ||
| "InvalidCiphertextException", | ||
| "The ciphertext is not a valid FakeCloud KMS ciphertext", |
P2: Refactor changed ReEncrypt malformed-ciphertext message by hard-coding a different unknown-prefix error in the shared decoder.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At crates/fakecloud-kms/src/service.rs, line 99:
<comment>Refactor changed `ReEncrypt` malformed-ciphertext message by hard-coding a different unknown-prefix error in the shared decoder.</comment>
<file context>
@@ -11,9 +11,102 @@ use fakecloud_aws::arn::Arn;
+ Err(AwsServiceError::aws_error(
+ StatusCode::BAD_REQUEST,
+ "InvalidCiphertextException",
+ "The ciphertext is not a valid FakeCloud KMS ciphertext",
+ ))
+}
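Review bot: the fallback `Err(AwsServiceError::aws_error(...))` just before the closing `}` builds InvalidCiphertextException with its own literal message rather than going through one shared constructor, so any caller whose pre-refactor text differed now returns this string. Route this path through invalid_ciphertext() if its body is identical, or let the caller supply the message, and add a test that pins the exact code and message Decrypt and ReEncrypt return for an unrecognised prefix so that "no behavior change" is checked rather than asserted.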
</file context>
Summary by cubic
Refactored fakecloud-kms to extract ciphertext-envelope decoding into decode_ciphertext_envelope, removing duplicated logic in Decrypt and ReEncrypt. No behavior changes; same error codes, messages, and response shapes.
decode_ciphertext_envelope, returning DecodedCiphertext { source_arn, plaintext_b64 }.
FAKE_ENVELOPE_PREFIX and IMPORTED_ENVELOPE_PREFIX to file-level constants; added invalid_ciphertext() helper.
Decrypt and ReEncrypt to use the helper and simplify code paths.
Written for commit 9acc6f8. Summary will update on new commits.