Skip to content

Commit

Permalink
add checksum and some tests
Browse files Browse the repository at this point in the history
  • Loading branch information
@Tristan1900
Tristan1900 committed Sep 17, 2024
1 parent 6e11b74 commit a1d18e6
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 6 deletions.
16 changes: 13 additions & 3 deletions br/pkg/stream/stream_mgr.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@
package stream

import (
"bytes"
"context"
"crypto/sha256"
"strings"

"github.com/klauspost/compress/zstd"
Expand Down Expand Up @@ -195,7 +197,7 @@ func (m *MetadataHelper) decodeCompressedData(data []byte, compressionType backu
"failed to decode compressed data: compression type is unimplemented. type id is %d", compressionType)
}

func (m *MetadataHelper) decryptIfNeeded(ctx context.Context, data []byte, encryptionInfo *encryptionpb.FileEncryptionInfo) ([]byte, error) {
func (m *MetadataHelper) verifyChecksumAndDecryptIfNeeded(ctx context.Context, data []byte, encryptionInfo *encryptionpb.FileEncryptionInfo) ([]byte, error) {
// no need to decrypt
if encryptionInfo == nil {
return data, nil
Expand All @@ -205,6 +207,14 @@ func (m *MetadataHelper) decryptIfNeeded(ctx context.Context, data []byte, encry
return data, errors.New("need to decrypt data but encryption manager not set")
}

// Verify checksum before decryption
if encryptionInfo.Checksum != nil {
actualChecksum := sha256.Sum256(data)
if !bytes.Equal(actualChecksum[:], encryptionInfo.Checksum) {
return nil, errors.New("checksum mismatch before decryption")
}
}

decryptedContent, err := m.encryptionManager.Decrypt(ctx, data, encryptionInfo)
if err != nil {
return nil, errors.Trace(err)
Expand Down Expand Up @@ -235,7 +245,7 @@ func (m *MetadataHelper) ReadFile(
return nil, errors.Trace(err)
}
// decrypt if needed
decryptedData, err := m.decryptIfNeeded(ctx, data, encryptionInfo)
decryptedData, err := m.verifyChecksumAndDecryptIfNeeded(ctx, data, encryptionInfo)
if err != nil {
return nil, errors.Trace(err)
}
Expand All @@ -251,7 +261,7 @@ func (m *MetadataHelper) ReadFile(
}
}
// decrypt if needed
decryptedData, err := m.decryptIfNeeded(ctx, cref.data[offset:offset+length], encryptionInfo)
decryptedData, err := m.verifyChecksumAndDecryptIfNeeded(ctx, cref.data[offset:offset+length], encryptionInfo)
if err != nil {
return nil, errors.Trace(err)
}
Expand Down
20 changes: 17 additions & 3 deletions br/tests/br_encryption/run.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,12 +166,17 @@ run_backup_restore_test() {
# Drop databases before restoring
drop_db || { echo "Failed to drop databases before restore"; exit 1; }

# Run pitr restore
# Run pitr restore and measure the performance
echo "restore log backup with $full_encryption_args and $log_encryption_args"
local start_time=$(date +%s.%N)
timeout 300 run_br --pd "$PD_ADDR" restore point -s "local://$TEST_DIR/$PREFIX/log" --full-backup-storage "local://$TEST_DIR/$PREFIX/full" $full_encryption_args $log_encryption_args || {
echo "Log backup restore failed or timed out after 5 minutes"
exit 1
}
local end_time=$(date +%s.%N)
local duration=$(echo "$end_time - $start_time" | bc | awk '{printf "%.3f", $0}')
echo "${encryption_mode} took ${duration} seconds"
echo "${encryption_mode},${duration}" >> "$TEST_DIR/performance_results.csv"

# Check data consistency after restore
echo "check data consistency after restore"
Expand Down Expand Up @@ -318,14 +323,23 @@ test_mixed_full_plain_log_encrypted() {
run_backup_restore_test "mixed_full_plain_log_encrypted" "$full_encryption_args" "$log_encryption_args"
}

# Initialize performance results file
echo "Operation,Encryption Mode,Duration (seconds)" > "$TEST_DIR/performance_results.csv"

# Run tests
#test_plaintext
test_plaintext
test_plaintext_data_key
test_local_master_key
test_aws_kms
test_mixed_full_encrypted_log_plain
test_mixed_full_plain_log_encrypted

# uncomment for manual testing
# uncomment for manual GCP KMS testing
#test_gcp_kms

echo "All encryption tests passed successfully"

# Display performance results
echo "Performance Results:"
cat "$TEST_DIR/performance_results.csv"

0 comments on commit a1d18e6

Please sign in to comment.