From 1fdcb641fad28f4594edf5041d2beadb5a48352e Mon Sep 17 00:00:00 2001 From: Masahiko Sawada Date: Wed, 30 Oct 2019 17:38:45 +0900 Subject: [PATCH v2 5/5] Add regression tests for TDE --- src/test/Makefile | 3 +- src/test/encryption/.gitignore | 2 ++ src/test/encryption/Makefile | 23 +++++++++++++++ src/test/encryption/README | 23 +++++++++++++++ src/test/encryption/t/001_base.pl | 48 +++++++++++++++++++++++++++++++ src/test/perl/PostgresNode.pm | 15 ++++++++-- 6 files changed, 111 insertions(+), 3 deletions(-) create mode 100644 src/test/encryption/.gitignore create mode 100644 src/test/encryption/Makefile create mode 100644 src/test/encryption/README create mode 100644 src/test/encryption/t/001_base.pl diff --git a/src/test/Makefile b/src/test/Makefile index efb206aa75..63ed65670d 100644 --- a/src/test/Makefile +++ b/src/test/Makefile @@ -12,7 +12,8 @@ subdir = src/test top_builddir = ../.. include $(top_builddir)/src/Makefile.global -SUBDIRS = perl regress isolation modules authentication recovery subscription +SUBDIRS = perl regress isolation modules authentication recovery subscription \ + encryption # Test suites that are not safe by default but can be run if selected # by the user via the whitespace-separated list in variable diff --git a/src/test/encryption/.gitignore b/src/test/encryption/.gitignore new file mode 100644 index 0000000000..871e943d50 --- /dev/null +++ b/src/test/encryption/.gitignore @@ -0,0 +1,2 @@ +# Generated by test suite +/tmp_check/ diff --git a/src/test/encryption/Makefile b/src/test/encryption/Makefile new file mode 100644 index 0000000000..ff30d42c71 --- /dev/null +++ b/src/test/encryption/Makefile 
@@ -0,0 +1,23 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for src/test/encrption
+#
+# Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/test/encryption/Makefile
+#
+#-------------------------------------------------------------------------
+
+subdir = src/test/encryption
+top_builddir = ../../..
+include $(top_builddir)/src/Makefile.global
+
+check:
+ $(prove_check)
+
+installcheck:
+ $(prove_installcheck)
+
+clean distclean maintainer-clean:
+ rm -rf tmp_check
diff --git a/src/test/encryption/README b/src/test/encryption/README
new file mode 100644
index 0000000000..1b8fe5424e
--- /dev/null
+++ b/src/test/encryption/README
@@ -0,0 +1,23 @@
+src/test/encryption/README
+
+Regression tests for transparent data encryption
+=====================================================
+
+This directory contains a test suite for transparent data encryption
+
+Running the tests
+=================
+
+NOTE: You must have given the --enable-tap-tests argument to configure.
+
+Run
+ make check
+or
+ make installcheck
+You can use "make installcheck" if you previously did "make install"
+(including installing the hstore extension). In that case, the code
+in the installation tree is tested. With "make check", a temporary
+installation tree is built from the current sources and then tested.
+
+Either way, this test initializes, starts, and stops several test Postgres
+clusters.
diff --git a/src/test/encryption/t/001_base.pl b/src/test/encryption/t/001_base.pl
new file mode 100644
index 0000000000..6616966a81
--- /dev/null
+++ b/src/test/encryption/t/001_base.pl
@@ -0,0 +1,48 @@
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 3;
+
+my $keyword = "secret keyword";
+my $node = get_new_node('test');
+$node->init(enable_encryption => 1);
+$node->start;
+
+# Check is the given relation file is encrypted
+sub is_encrypted
+{
+ my $node = shift;
+ my $filepath = shift;
+ my $expected = shift;
+ my $testname = shift;
+ my $pgdata = $node->data_dir;
+
+ open my $file, '<' , "$pgdata/$filepath";
+ sysread $file, my $buffer, 8192;
+
+ my $ret = $buffer !~ /$keyword/ ? 1 : 0;
+
+ is($ret, $expected, $testname);
+
+ close $file;
+}
+
+$node->safe_psql('postgres',
+ qq(
+ CREATE TABLE test (a text);
+ INSERT INTO test VALUES ('$keyword');
+ ));
+my $table_filepath = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('test')));
+my $wal_filepath = 'pg_wal' . $node->safe_psql('postgres', qq(SELECT pg_walfile_name(pg_current_wal_lsn())));
+
+# Read encrypted table
+my $ret = $node->safe_psql('postgres', 'SELECT a FROM test');
+is($ret, "$keyword", 'Read encrypted table');
+
+# Sync to disk
+$node->safe_psql('postgres', 'CHECKPOINT');
+
+# Encrypted table must be encrypted
+is_encrypted($node, $table_filepath, 1, 'table is encrypted');
+is_encrypted($node, $wal_filepath, 1, 'WAL is encrypted');
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index 270bd6c856..680a1f9002 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
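Review bot: In `src/test/encryption/t/001_base.pl` the 'WAL is encrypted' check can pass without reading any WAL: `$wal_filepath` is built as `'pg_wal' . ...` with no `/` separator, so the path does not exist, the unchecked `open` in `is_encrypted` fails, and `$buffer !~ /$keyword/` is true for an undefined buffer. Build the path as `'pg_wal/' . $node->safe_psql(...)` and make the helper fail loudly with `open my $file, '<', "$pgdata/$filepath" or die "could not open $pgdata/$filepath: $!";`. Because only the first 8192 bytes are scanned, the record holding the keyword may lie beyond what is read in a WAL segment, so the whole file should probably be searched. A control run against a cluster initialized without `enable_encryption`, expecting the keyword to be found, would show that the check is able to fail at all.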
@@ -430,12 +430,23 @@ sub init $params{allows_streaming} = 0 unless defined $params{allows_streaming}; $params{has_archiving} = 0 unless defined $params{has_archiving}; + $params{enable_encryption} = 0 unless defined $params{enable_encryption}; mkdir $self->backup_dir; mkdir $self->archive_dir; - TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N', - @{ $params{extra} }); + if ($params{enable_encryption}) + { + TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N', + '--cluster-passphrase-command', 'echo "password"', + '-e', 'aes-128', + @{ $params{extra} }); + } + else + { + TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N', + @{ $params{extra} }); + } TestLib::system_or_bail($ENV{PG_REGRESS}, '--config-auth', $pgdata, @{ $params{auth_extra} }); -- 2.23.0
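Review bot: The two `initdb` invocations in `init` differ only in the encryption flags, so the common argument list is now duplicated and any later change to it has to be made in both branches. Building the optional flags once, `my @enc_opts = $params{enable_encryption} ? ('--cluster-passphrase-command', 'echo "password"', '-e', 'aes-128') : ();`, and passing `@enc_opts, @{ $params{extra} }` to a single `TestLib::system_or_bail('initdb', ...)` call keeps one code path. The passphrase command and cipher are hard-coded, which is acceptable for a throwaway test cluster but means tests cannot exercise other key lengths or a failing passphrase command; consider letting the caller override them. The body of `init` starts and ends outside this hunk, and if its documentation lists the accepted parameters, `enable_encryption` should be described there as well.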