fix(api): refactor project variables migration (#5054)

engine/api/migrate/refactor_proj_variables.go

@@ -118,16 +118,15 @@ func refactorProjectVariables(ctx context.Context, db *gorp.DbMap, id int64) err
 		}
 		v.Value = s
 	} else {
-		s, err = stringIfValid("cipher_value", cipherValue)
-		if err != nil {
-			return err
-		}
-
-		btes, err := secret.Decrypt([]byte(s))
-		if err != nil {
-			return err
+		s, _ = stringIfValid("cipher_value", cipherValue)
+		// ignore the error, to keep NULL value
+		if s != "" {
+			btes, err := secret.Decrypt([]byte(s))
+			if err != nil {
+				return err
+			}
+			v.Value = string(btes)
 		}
-		v.Value = string(btes)
 	}
 
 	if err := project.UpdateVariable(tx, pID, &v, nil, nil); err != nil {

engine/api/secret/secret.go

@@ -117,12 +117,12 @@ func Decrypt(data []byte) ([]byte, error) {
 
 	if key == nil {
 		log.Error(context.TODO(), "Missing key, init failed?")
-		return nil, sdk.ErrSecretKeyFetchFailed
+		return nil, sdk.WithStack(sdk.ErrSecretKeyFetchFailed)
 	}
 
 	if len(data) < (nonceSize + macSize) {
 		log.Error(context.TODO(), "cannot decrypt secret, got invalid data")
-		return nil, sdk.ErrInvalidSecretFormat
+		return nil, sdk.WithStack(sdk.ErrInvalidSecretFormat)
 	}
 
 	// Split actual data, hmac and nonce
@@ -135,12 +135,12 @@ func Decrypt(data []byte) ([]byte, error) {
 	h.Write(data)
 	mac := h.Sum(nil)
 	if !hmac.Equal(mac, tag) {
-		return nil, fmt.Errorf("invalid hmac")
+		return nil, sdk.WithStack(fmt.Errorf("invalid hmac"))
 	}
 	// uncipher data
 	c, err := aes.NewCipher(key[:ckeySize])
 	if err != nil {
-		return nil, err
+		return nil, sdk.WithStack(fmt.Errorf("unable to create cypher block: %v", err))
 	}
 	ctr := cipher.NewCTR(c, data[:nonceSize])
 	ctr.XORKeyStream(out, data[nonceSize:])