github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/cmd/roachtest/encryption.go

github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/cmd/roachtest/encryption.go (about)

     1  // Copyright 2018 The Cockroach Authors.
     2  //
     3  // Use of this software is governed by the Business Source License
     4  // included in the file licenses/BSL.txt.
     5  //
     6  // As of the Change Date specified in that file, in accordance with
     7  // the Business Source License, use of this software will be governed
     8  // by the Apache License, Version 2.0, included in the file
     9  // licenses/APL.txt.
    10  
    11  package main
    12  
    13  import (
    14  	"context"
    15  	"fmt"
    16  
    17  	"github.com/cockroachdb/errors"
    18  )
    19  
    20  func registerEncryption(r *testRegistry) {
    21  	// Note that no workload is run in this roachtest because kv roachtest
    22  	// ideally runs with encryption turned on to see the performance impact and
    23  	// to test the correctness of encryption at rest.
    24  	runEncryption := func(ctx context.Context, t *test, c *cluster) {
    25  		nodes := c.spec.NodeCount
    26  		c.Put(ctx, cockroach, "./cockroach", c.Range(1, nodes))
    27  		c.Start(ctx, t, c.Range(1, nodes), startArgs("--encrypt"))
    28  
    29  		// Check that /_status/stores/local endpoint has encryption status.
    30  		for _, addr := range c.InternalAdminUIAddr(ctx, c.Range(1, nodes)) {
    31  			if err := c.RunE(ctx, c.Node(nodes), fmt.Sprintf(`curl http://%s/_status/stores/local | (! grep '"encryptionStatus": null')`, addr)); err != nil {
    32  				t.Fatalf("encryption status from /_status/stores/local endpoint is null")
    33  			}
    34  		}
    35  
    36  		for i := 1; i <= nodes; i++ {
    37  			if err := c.StopCockroachGracefullyOnNode(ctx, i); err != nil {
    38  				t.Fatal(err)
    39  			}
    40  		}
    41  
    42  		// Restart node with encryption turned on to verify old key works.
    43  		c.Start(ctx, t, c.Range(1, nodes), startArgs("--encrypt"))
    44  
    45  		testCLIGenKey := func(size int) error {
    46  			// Generate encryption store key through `./cockroach gen encryption-key -s=size aes-size.key`.
    47  			if err := c.RunE(ctx, c.Node(nodes), fmt.Sprintf("./cockroach gen encryption-key -s=%[1]d aes-%[1]d.key", size)); err != nil {
    48  				return errors.Errorf("failed to generate aes key with size %d through CLI, got err %s", size, err)
    49  			}
    50  
    51  			// Check the size of generated aes key has expected size.
    52  			if err := c.RunE(ctx, c.Node(nodes), fmt.Sprintf(`size=$(wc -c <"aes-%d.key"); test $size -eq %d && exit 0 || exit 1`, size, 32+size/8)); err != nil {
    53  				return errors.Errorf("expected aes-%d.key has size %d bytes, but got different size", size, 32+size/8)
    54  			}
    55  
    56  			return nil
    57  		}
    58  
    59  		// Check that CLI can generated key with specified sizes.
    60  		for _, size := range []int{128, 192, 256} {
    61  			if err := testCLIGenKey(size); err != nil {
    62  				t.Fatal(err)
    63  			}
    64  		}
    65  
    66  		// Check that CLI returns error if AES key size is incorrect.
    67  		for _, size := range []int{20, 88, 90} {
    68  			// Cannot check for specific error message from CLI because command
    69  			// is run through roachprod and it will return exist status 1.
    70  			if err := testCLIGenKey(size); err == nil {
    71  				t.Fatalf("expected error from CLI gen encryption-key, but got nil")
    72  			}
    73  		}
    74  	}
    75  
    76  	for _, n := range []int{1} {
    77  		r.Add(testSpec{
    78  			Name:       fmt.Sprintf("encryption/nodes=%d", n),
    79  			Owner:      OwnerStorage,
    80  			MinVersion: "v2.1.0",
    81  			Cluster:    makeClusterSpec(n),
    82  			Run: func(ctx context.Context, t *test, c *cluster) {
    83  				runEncryption(ctx, t, c)
    84  			},
    85  		})
    86  	}
    87  }