aljaz/turso
1
0
Fork 0
mirror of https://github.com/aljazceru/turso.git synced 2026-02-14 04:24:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Encryption support for database header page

Browse Source
This commit is contained in:
rajajisai
2025-09-11 16:17:01 -04:00
parent bc4aa63203
commit 89caa868f9
11 changed files with 205 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

188
tests/integration/query_processing/encryption.rs
View File

@@ -39,92 +39,7 @@ fn test_per_page_encryption() -> anyhow::Result<()> {
}
{
// this should panik because we should not be able to access the encrypted database
// without the key
let conn = tmp_db.connect_limbo();
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB without key"
);
// it should also panic if we specify either only key or cipher
let conn = tmp_db.connect_limbo();
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query(&tmp_db, &conn, "PRAGMA cipher = 'aegis256';").unwrap();
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB without key"
);
let conn = tmp_db.connect_limbo();
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query(
&tmp_db,
&conn,
"PRAGMA hexkey = 'b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327';",
).unwrap();
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB without cipher name"
);
// it should panic if we specify wrong cipher or key
let conn = tmp_db.connect_limbo();
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query(
&tmp_db,
&conn,
"PRAGMA hexkey = 'b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327';",
).unwrap();
run_query(&tmp_db, &conn, "PRAGMA cipher = 'aes256gcm';").unwrap();
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB with incorrect cipher"
);
let conn = tmp_db.connect_limbo();
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query(&tmp_db, &conn, "PRAGMA cipher = 'aegis256';").unwrap();
run_query(
&tmp_db,
&conn,
"PRAGMA hexkey = 'b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76377';",
).unwrap();
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB with incorrect key"
);
}
{
// let's test the existing db with the key
let existing_db = TempDatabase::new_with_existent(&db_path, false);
let conn = existing_db.connect_limbo();
run_query(&tmp_db, &conn, "PRAGMA cipher = 'aegis256';")?;
run_query(
&existing_db,
&conn,
"PRAGMA hexkey = 'b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327';",
)?;
run_query_on_row(&existing_db, &conn, "SELECT * FROM test", |row: &Row| {
assert_eq!(row.get::<i64>(0).unwrap(), 1);
assert_eq!(row.get::<String>(1).unwrap(), "Hello, World!");
})?;
}
{
// let's test connecting to the encrypted db using URI
//test connecting to the encrypted db using correct URI
let uri = format!(
"file:{}?cipher=aegis256&hexkey=b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327",
db_path.to_str().unwrap()
@@ -138,6 +53,92 @@ fn test_per_page_encryption() -> anyhow::Result<()> {
})?;
assert_eq!(row_count, 1);
}
{
//Try to create a table after reopening the encrypted db.
let uri = format!(
"file:{}?cipher=aegis256&hexkey=b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327",
db_path.to_str().unwrap()
);
let (_io, conn) = turso_core::Connection::from_uri(&uri, true, false, false, false)?;
run_query(
&tmp_db,
&conn,
"CREATE TABLE test1 (id INTEGER PRIMARY KEY, value TEXT);",
)?;
do_flush(&conn, &tmp_db)?;
}
{
//Try to create a table after reopening the encrypted db.
let uri = format!(
"file:{}?cipher=aegis256&hexkey=b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327",
db_path.to_str().unwrap()
);
let (_io, conn) = turso_core::Connection::from_uri(&uri, true, false, false, false)?;
run_query(
&tmp_db,
&conn,
"INSERT INTO test1 (value) VALUES ('Hello, World!')",
)?;
let mut row_count = 0;
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |row: &Row| {
assert_eq!(row.get::<i64>(0).unwrap(), 1);
assert_eq!(row.get::<String>(1).unwrap(), "Hello, World!");
row_count += 1;
})?;
assert_eq!(row_count, 1);
do_flush(&conn, &tmp_db)?;
}
{
// test connecting to encrypted db using wrong key(key is ending with 77.The correct key is ending with 27).This should panic.
let uri = format!(
"file:{}?cipher=aegis256&hexkey=b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76377",
db_path.to_str().unwrap()
);
let (_io, conn) = turso_core::Connection::from_uri(&uri, true, false, false, false)?;
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_row: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB with wrong key"
);
}
{
//test connecting to encrypted db using insufficient encryption parameters in URI.This should panic.
let uri = format!("file:{}?cipher=aegis256", db_path.to_str().unwrap());
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
turso_core::Connection::from_uri(&uri, true, false, false, false).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB without passing hexkey in URI"
);
}
{
let uri = format!(
"file:{}?hexkey=b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327",
db_path.to_str().unwrap()
);
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
turso_core::Connection::from_uri(&uri, true, false, false, false).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB without passing cipher in URI"
);
}
{
// Testing connecting to db without using URI.This should panic.
let conn = tmp_db.connect_limbo();
let should_panic = panic::catch_unwind(panic::AssertUnwindSafe(|| {
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |_row: &Row| {}).unwrap();
}));
assert!(
should_panic.is_err(),
"should panic when accessing encrypted DB without using URI"
);
}
Ok(())
}
@@ -182,15 +183,12 @@ fn test_non_4k_page_size_encryption() -> anyhow::Result<()> {
{
// Reopen the existing db with 8k page size and test encryption
let existing_db = TempDatabase::new_with_existent(&db_path, false);
let conn = existing_db.connect_limbo();
run_query(&tmp_db, &conn, "PRAGMA cipher = 'aegis256';")?;
run_query(
&existing_db,
&conn,
"PRAGMA hexkey = 'b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327';",
)?;
run_query_on_row(&existing_db, &conn, "SELECT * FROM test", |row: &Row| {
let uri = format!(
"file:{}?cipher=aegis256&hexkey=b1bbfda4f589dc9daaf004fe21111e00dc00c98237102f5c7002a5669fc76327",
db_path.to_str().unwrap()
);
let (_io, conn) = turso_core::Connection::from_uri(&uri, true, false, false, false)?;
run_query_on_row(&tmp_db, &conn, "SELECT * FROM test", |row: &Row| {
assert_eq!(row.get::<i64>(0).unwrap(), 1);
assert_eq!(row.get::<String>(1).unwrap(), "Hello, World!");
})?;