From 095b518802a369819faddeb02b6ace6765dea017 Mon Sep 17 00:00:00 2001
From: Anis Elleuch
Date: Tue, 7 Feb 2023 14:22:54 +0100
Subject: [PATCH] Show a better error msg when internal data encryption key is incorrect (#16549)

---
 cmd/config-migrate.go | 19 ++++++-------------
 cmd/server-main.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/config/errors.go | 8 ++++----
 5 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/cmd/config-migrate.go b/cmd/config-migrate.go
index 14b43a9d3..2e9e1593e 100644
--- a/cmd/config-migrate.go
+++ b/cmd/config-migrate.go
@@ -46,7 +46,7 @@ import (
 "github.com/minio/pkg/quick"
 )
 
-// DO NOT EDIT following message template, please open a GitHub issue to discuss instead.
+// Do not edit following message template, please open a GitHub issue to discuss instead.
 var configMigrateMSGTemplate = "Configuration file %s migrated from version '%s' to '%s' successfully."
 
 // Save config file to corresponding backend
@@ -2515,20 +2515,13 @@ func checkConfigVersion(objAPI ObjectLayer, configFile string, version string) (
 data, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
 minioMetaBucket: path.Join(minioMetaBucket, configFile),
 })
- if err != nil {
- data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
- if err != nil {
- if err == madmin.ErrMaliciousData {
- return false, nil, config.ErrInvalidCredentialsBackendEncrypted(nil)
- }
- return false, nil, err
- }
- }
- } else {
+ }
+
+ if GlobalKMS == nil && err != nil {
 data, err = madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
 if err != nil {
- if err == madmin.ErrMaliciousData {
- return false, nil, config.ErrInvalidCredentialsBackendEncrypted(nil)
+ if err == madmin.ErrMaliciousData || err == madmin.ErrUnexpectedHeader {
+ return false, nil, config.ErrInvalidConfigDecryptionKey(nil)
 }
 return false, nil, err
 }
diff --git a/cmd/server-main.go b/cmd/server-main.go
index 4450199a6..c109c4ef2 100644
--- a/cmd/server-main.go
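Review bot: The rewritten guard `if GlobalKMS == nil && err != nil {` drops both fallbacks the removed code provided: with no KMS configured, `madmin.DecryptData` now runs only if `err` is already non-nil from the lines before the hunk, and with a KMS configured, a failing `config.DecryptBytes` is neither retried with the root credentials nor mapped to the new `ErrInvalidConfigDecryptionKey`, so a wrong KMS key would not produce the message this commit introduces. If both fallbacks are still intended, `if GlobalKMS == nil || err != nil {` restores the old control flow in one line; a KMS-encrypted payload handed to `madmin.DecryptData` would presumably fail with `ErrUnexpectedHeader` and then surface the new error, but that mapping is inferred and deserves a test with a deliberately wrong key name. Whether `err` can be non-nil on entry, and what happens to a non-nil `err` after the second block, depends on the rest of checkConfigVersion, which starts and ends outside the hunk.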
+++ b/cmd/server-main.go
@@ -465,7 +465,7 @@ func initConfigSubsystem(ctx context.Context, newObject ObjectLayer) error {
 }
 
 // Any other config errors we simply print a message and proceed forward.
- logger.LogIf(ctx, fmt.Errorf("Unable to initialize config, some features may be missing %w", err))
+ logger.LogIf(ctx, fmt.Errorf("Unable to initialize config, some features may be missing: %w", err))
 }
 
 return nil
diff --git a/go.mod b/go.mod
index 8311b5e27..f70598ac9 100644
--- a/go.mod
+++ b/go.mod
@@ -48,7 +48,7 @@ require (
 github.com/minio/dperf v0.4.2
 github.com/minio/highwayhash v1.0.2
 github.com/minio/kes v0.22.3
- github.com/minio/madmin-go/v2 v2.0.8
+ github.com/minio/madmin-go/v2 v2.0.9
 github.com/minio/minio-go/v7 v7.0.47
 github.com/minio/mux v1.9.0
 github.com/minio/pkg v1.6.1
diff --git a/go.sum b/go.sum
index 00b10ff56..82ccf9e1b 100644
--- a/go.sum
+++ b/go.sum
@@ -775,8 +775,8 @@ github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLT
 github.com/minio/kes v0.22.3 h1:aSPW9uCMVaLax5POxvoQJxCU4MNo/KzMXA7WfmC/lRw=
 github.com/minio/kes v0.22.3/go.mod h1:wnhmdwWX2rpurNPKn3yDFImg2wuc7j3e+IU5rVkR9UY=
 github.com/minio/madmin-go v1.6.6/go.mod h1:ATvkBOLiP3av4D++2v1UEHC/QzsGtgXD5kYvvRYzdKs=
-github.com/minio/madmin-go/v2 v2.0.8 h1:gyqkULZS+RX5G2a4pxC8vmewbTzTBKItqqCIHR1GUcs=
-github.com/minio/madmin-go/v2 v2.0.8/go.mod h1:5aFi/VLWBHC2DEFfGIlUmAeJhaF4ZAjuYpEWZFU14Zw=
+github.com/minio/madmin-go/v2 v2.0.9 h1:wv1e4ZTH1L1SaHs/jaI3uW2AHYQw77T2hgarfPo1j3U=
+github.com/minio/madmin-go/v2 v2.0.9/go.mod h1:5aFi/VLWBHC2DEFfGIlUmAeJhaF4ZAjuYpEWZFU14Zw=
 github.com/minio/mc v0.0.0-20230203133213-3aebb3362b18 h1:Di71Ums7dD5vA3VK/loOqb/QttQjvCV/1/DF77w1XqA=
 github.com/minio/mc v0.0.0-20230203133213-3aebb3362b18/go.mod h1:j3BgTu1LshBzna9Wf8il7WAyw9IQabMu+EcrDUaNZ2k=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
diff --git a/internal/config/errors.go b/internal/config/errors.go
index 4bcfab426..c932b7bbe 100644
--- a/internal/config/errors.go
+++ b/internal/config/errors.go
@@ -121,10 +121,10 @@ var (
 "MINIO_CACHE_AFTER cannot be used with MINIO_CACHE_COMMIT setting",
 )
 
- ErrInvalidCredentialsBackendEncrypted = newErrFn(
- "Invalid credentials",
- "Please set correct credentials in the environment for decryption",
- `Detected encrypted config backend, correct access and secret keys should be specified via environment variables MINIO_ROOT_USER and MINIO_ROOT_PASSWORD to be able to decrypt the MinIO config, user IAM and policies`,
+ ErrInvalidConfigDecryptionKey = newErrFn(
+ "Incorrect encryption key to decrypt internal data",
+ "Please set the correct default KMS key value or the correct root credentials for older MinIO versions.",
+ `Revert MINIO_KMS_KES_KEY_NAME or MINIO_ROOT_USER/MINIO_ROOT_PASSWORD (for older MinIO versions) to be able to decrypt the internal data again.`,
 )
 
 ErrInvalidCredentials = newErrFn(
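Review bot: The exported `ErrInvalidCredentialsBackendEncrypted` is removed rather than kept as an alias, and the diffstat shows only cmd/config-migrate.go updated alongside it, so any other reference in the tree would no longer compile (external importers are ruled out by the internal/ path); a grep before merge would confirm. The hint says "default KMS key value" while the action line talks about the key name, and a reader could take "value" to mean the key material; `"Please set the correct default KMS key name or the correct root credentials for older MinIO versions."` keeps the two consistent. The action also names only `MINIO_KMS_KES_KEY_NAME`, though the decryption path applies to whichever backend `GlobalKMS` wraps; if this build also supports the built-in static key (`MINIO_KMS_SECRET_KEY`), naming it would stop operators of that setup from chasing the wrong variable. "Revert" further assumes the previous key is still on hand; "Restore the previously configured key name or root credentials" states the same requirement without implying an undo is always available.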