From e95b254a3f9df8deae3417a63c51a404d43fa1b4 Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Tue, 13 Jun 2017 09:45:27 -0400
Subject: [PATCH] provide a more helpful error message for secret decryption failures.
see: #6230
see: #6395
---
 awx/main/utils/encryption.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/awx/main/utils/encryption.py b/awx/main/utils/encryption.py
index abdf8da5fd..8e2c0df29e 100644
--- a/awx/main/utils/encryption.py
+++ b/awx/main/utils/encryption.py
@@ -1,14 +1,17 @@
 import base64
 import hashlib
+import logging
 import six
-from cryptography.fernet import Fernet
+from cryptography.fernet import Fernet, InvalidToken
 from django.utils.encoding import smart_str
 __all__ = ['get_encryption_key', 'encrypt_field', 'decrypt_field', 'decrypt_value']
+logger = logging.getLogger('awx.main.utils.encryption')
+
 def get_encryption_key(field_name, pk=None):
 '''
@@ -83,4 +86,16 @@ def decrypt_field(instance, field_name, subfield=None):
 return value
 key = get_encryption_key(field_name, getattr(instance, 'pk', None))
- return decrypt_value(key, value)
+ try:
+ return decrypt_value(key, value)
+ except InvalidToken:
+ logger.exception(
+ "Failed to decrypt `%s(pk=%s).%s`; if you've recently restored from "
+ "a database backup or are running in a clustered environment, "
+ "check that your `SECRET_KEY` value is correct",
+ instance.__class__.__name__,
+ getattr(instance, 'pk', None),
+ field_name,
+ exc_info=True
+ )
+ raise
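Review bot: The message logged in the new `except InvalidToken` branch of decrypt_field points only at a wrong `SECRET_KEY`, but if decrypt_value decrypts with Fernet (as the import suggests), InvalidToken is also raised when the stored ciphertext is malformed or fails its integrity check, so corrupted or modified data produces the same log line. I would append one more string fragment to the message, `"; the stored value may also be corrupt or altered"`, so an operator considers both causes. `exc_info=True` is redundant, since `logger.exception` already attaches the traceback, and can be dropped. The log arguments are limited to the model class, pk and field name, which keeps key material and ciphertext out of the log and should stay that way if the message is edited; decrypt_field itself starts outside the hunk.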