fix: kms decryption of redis_temp_locker_encryption_key (#2650)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

crates/external_services/src/kms.rs

@@ -120,6 +120,14 @@ pub enum KmsError {
     /// The KMS client has not been initialized.
     #[error("The KMS client has not been initialized")]
     KmsClientNotInitialized,
+
+    /// The KMS client has not been initialized.
+    #[error("Hex decode failed")]
+    HexDecodeFailed,
+
+    /// The KMS client has not been initialized.
+    #[error("Utf8 decode failed")]
+    Utf8DecodeFailed,
 }
 
 impl KmsConfig {
@@ -140,7 +148,7 @@ impl KmsConfig {
 /// A wrapper around a KMS value that can be decrypted.
 #[derive(Clone, Debug, Default, serde::Deserialize, Eq, PartialEq)]
 #[serde(transparent)]
-pub struct KmsValue(Secret<String>);
+pub struct KmsValue(pub Secret<String>);
 
 impl common_utils::ext_traits::ConfigExt for KmsValue {
     fn is_empty_after_trim(&self) -> bool {

crates/router/src/configs/kms.rs

@@ -1,5 +1,6 @@
 use common_utils::errors::CustomResult;
-use external_services::kms::{decrypt::KmsDecrypt, KmsClient, KmsError};
+use error_stack::{IntoReport, ResultExt};
+use external_services::kms::{decrypt::KmsDecrypt, KmsClient, KmsError, KmsValue};
 use masking::ExposeInterface;
 
 use crate::configs::settings;
@@ -41,6 +42,19 @@ impl KmsDecrypt for settings::ActiveKmsSecrets {
         kms_client: &KmsClient,
     ) -> CustomResult<Self::Output, KmsError> {
         self.jwekey = self.jwekey.expose().decrypt_inner(kms_client).await?.into();
+        self.redis_temp_locker_encryption_key = hex::decode(
+            KmsValue(
+                String::from_utf8(self.redis_temp_locker_encryption_key.expose())
+                    .into_report()
+                    .change_context(KmsError::Utf8DecodeFailed)?
+                    .into(),
+            )
+            .decrypt_inner(kms_client)
+            .await?,
+        )
+        .into_report()
+        .change_context(KmsError::HexDecodeFailed)?
+        .into();
         Ok(self)
     }
 }

crates/router/src/configs/settings.rs

@@ -52,7 +52,7 @@ pub enum Subcommand {
 #[derive(Clone)]
 pub struct ActiveKmsSecrets {
     pub jwekey: masking::Secret<Jwekey>,
-    pub redis_temp_locker_encryption_key: masking::Secret<String>,
+    pub redis_temp_locker_encryption_key: masking::Secret<Vec<u8>>,
 }
 
 #[derive(Debug, Deserialize, Clone, Default)]

crates/router/src/core/payment_methods/vault.rs

@@ -721,7 +721,6 @@ fn get_redis_temp_locker_encryption_key(state: &routes::AppState) -> RouterResul
         .kms_secrets
         .redis_temp_locker_encryption_key
         .peek()
-        .as_bytes()
         .to_owned();
 
     #[cfg(not(feature = "kms"))]

crates/router/src/routes/app.rs

@@ -132,6 +132,7 @@ impl AppState {
                 .locker
                 .redis_temp_locker_encryption_key
                 .clone()
+                .into_bytes()
                 .into(),
         }
         .decrypt_inner(kms_client)