From 6a4c8c1f07244005dcba37eb7a6ac59fbce0b5e3 Mon Sep 17 00:00:00 2001
From: Masahiko Sawada
Date: Mon, 25 May 2020 16:55:33 +0900
Subject: [PATCH v11 5/7] Add regression tests for key management.
---
 src/test/crypto/.gitignore | 2 ++
 src/test/crypto/Makefile | 24 +++++++++++++++
 src/test/crypto/t/001_basic.pl | 55 ++++++++++++++++++++++++++++++++++
 src/test/perl/PostgresNode.pm | 15 ++++++++--
 4 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 src/test/crypto/.gitignore
 create mode 100644 src/test/crypto/Makefile
 create mode 100644 src/test/crypto/t/001_basic.pl
diff --git a/src/test/crypto/.gitignore b/src/test/crypto/.gitignore
new file mode 100644
index 0000000000..e07b677a7d
--- /dev/null
+++ b/src/test/crypto/.gitignore
@@ -0,0 +1,2 @@
+# Generated by regression tests
+/tmp_check/
diff --git a/src/test/crypto/Makefile b/src/test/crypto/Makefile
new file mode 100644
index 0000000000..b82e0cb554
--- /dev/null
+++ b/src/test/crypto/Makefile
@@ -0,0 +1,24 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for src/test/crypto
+#
+# Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+#
+# src/test/crypto/Makefile
+#
+#-------------------------------------------------------------------------
+
+subdir = src/test/crypto
+top_builddir = ../../..
+include $(top_builddir)/src/Makefile.global
+
+export with_openssl
+
+check:
+ $(prove_check)
+
+installcheck:
+ $(prove_installcheck)
+
+clean distclean maintainer-clean:
+ rm -rf tmp_check
diff --git a/src/test/crypto/t/001_basic.pl b/src/test/crypto/t/001_basic.pl
new file mode 100644
index 0000000000..25cd859b71
--- /dev/null
+++ b/src/test/crypto/t/001_basic.pl
@@ -0,0 +1,55 @@
+use strict;
+use warnings;
+use TestLib;
+use PostgresNode;
+use Test::More tests => 8;
+
+my $node = get_new_node('node');
+$node->init(enable_kms => 1);
+$node->start;
+
+sub test_cipher
+{
+ my ($node, $inlen, $test_name) = @_;
+
+ my $expected = $node->safe_psql(
+ 'postgres',
+ qq(SELECT repeat('1', $inlen);));
+
+ my $res = $node->safe_psql(
+ 'postgres',
+ qq(
+ SELECT pg_decrypt(pg_encrypt(repeat('1', $inlen)));
+ ));
+ is($res, $expected, $test_name);
+}
+
+# Control file should know that checksums are disabled.
+command_like(
+ [ 'pg_controldata', $node->data_dir ],
+ qr/Key management version:.*1/,
+ 'key manager is enabled in control file');
+
+test_cipher($node, 6, 'less block size');
+test_cipher($node, 16, 'one block size');
+test_cipher($node, 20, 'more than one block size');
+
+# Get the token encrypted
+my $token = 'test_token';
+my $token_enc = $node->safe_psql('postgres',
+ qq(SELECT pg_encrypt('$token')));
+# Change the cluster passphrase command
+$node->safe_psql('postgres',
+ qq(ALTER SYSTEM SET cluster_passphrase_command =
+ 'echo 1234123456789012345678901234567890123456789012345678901234567890';));
+$node->reload;
+
+my $ret = $node->safe_psql('postgres', 'SELECT pg_rotate_cluster_passphrase()');
+is($ret, 't', 'cluster passphrase rotation');
+
+$node->restart;
+
+# Decrypt the token after passphrase rotation.
+my $ret_token = $node->safe_psql('postgres',
+ qq(SELECT pg_decrypt('$token_enc')));
+is($ret_token, $token, 'decrypt after passphrase rotation');
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index 1407359aef..a932969c7f 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
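Review bot: Every cipher assertion in this script is a round trip (`pg_decrypt(pg_encrypt(x))` compared with `x`, and `pg_decrypt('$token_enc')` compared with `$token`), so the suite would still pass if `pg_encrypt` returned its input unchanged; nothing checks that the stored value is actually ciphertext. Adding `isnt($token_enc, $token, 'ciphertext differs from plaintext');` right after the `pg_encrypt('$token')` call, and raising the plan from `tests => 8` to `tests => 9`, closes that gap. The `command_like` pattern `qr/Key management version:.*1/` matches any value that merely contains a 1, and the comment above it still talks about checksums; assuming pg_controldata prints the bare number, `qr/^Key management version:\s+1$/m` with the comment `# Control file should report that key management is enabled.` pins the intended value. The Makefile in this patch exports `with_openssl`, but the script never reads it, so if key management depends on an OpenSSL build the test presumably needs a `plan skip_all` guard.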
@@ -434,8 +434,19 @@ sub init
 mkdir $self->backup_dir;
 mkdir $self->archive_dir;
- TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N',
- @{ $params{extra} });
+ if ($params{enable_kms})
+ {
+ TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N',
+ '--cluster-passphrase-command',
+ 'echo 1234567890123456789012345678901234567890123456789012345678901234',
+ @{ $params{extra} });
+ }
+ else
+ {
+ TestLib::system_or_bail('initdb', '-D', $pgdata, '-A', 'trust', '-N',
+ @{ $params{extra} });
+ }
+
 TestLib::system_or_bail($ENV{PG_REGRESS}, '--config-auth', $pgdata,
 @{ $params{auth_extra} });
--
2.23.0
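Review bot: The two branches added to `init` repeat the whole `initdb` argument list and differ only in the passphrase option, so any later change to the common flags has to be made in both places. Building the optional part first, `my @kms_opts = $params{enable_kms} ? ('--cluster-passphrase-command', $kms_cmd) : ();` with the existing `echo …` string held in `$kms_cmd`, and passing `@kms_opts, @{ $params{extra} }` to a single `system_or_bail` call keeps one invocation. The hard-coded passphrase should carry a comment such as `# Fixed, well-known passphrase: test clusters only.`, and the new `enable_kms` parameter is not documented anywhere in the hunk. The POD for `init` and the rest of the sub lie outside the hunk, so the parameter description would go there.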