// TestReadAllWrappedNoEncryption checks that the wrapping WAL can read
// entries that are wrapped in a MaybeEncryptedRecord but not encrypted: each
// record carries only Data (no Algorithm is set) and the reader is built with
// the no-op crypter.
func TestReadAllWrappedNoEncryption(t *testing.T) {
	metadata, entries, snapshot := makeWALData(1, 1)

	// Wrap every payload in a record envelope. Only the per-iteration copy is
	// modified, so `entries` still holds the plaintext expected further down.
	wrappedEntries := make([]raftpb.Entry, 0, len(entries))
	for _, plain := range entries {
		record := api.MaybeEncryptedRecord{Data: plain.Data}
		payload, err := record.Marshal()
		require.NoError(t, err)
		plain.Data = payload
		wrappedEntries = append(wrappedEntries, plain)
	}

	// Written via OriginalWAL (presumably the plain, non-wrapping factory -
	// confirm), so what is stored are the envelopes built above.
	tempdir := createWithWAL(t, OriginalWAL, metadata, snapshot, wrappedEntries)
	defer os.RemoveAll(tempdir)

	factory := NewWALFactory(encryption.NoopCrypter, encryption.NoopCrypter)
	wrapped, err := factory.Open(tempdir, snapshot)
	require.NoError(t, err)
	// Cleanup in case one of the assertions below aborts the test early.
	defer wrapped.Close()

	metaW, _, entsW, err := wrapped.ReadAll()
	require.NoError(t, err)
	require.NoError(t, wrapped.Close())

	// The reader must hand back the unwrapped payloads and the metadata.
	require.Equal(t, metadata, metaW)
	require.Equal(t, entries, entsW)
}
// TestSnapshotterLoadDecryptingFail checks that a decryption failure while
// loading a snapshot is propagated to the caller. The stored record is
// labelled with the meow algorithm but its Data is the raw snapshot data, so
// the meow decrypter is expected to reject it.
func TestSnapshotterLoadDecryptingFail(t *testing.T) {
	tempdir, err := ioutil.TempDir("", "snapwrap")
	require.NoError(t, err)
	defer os.RemoveAll(tempdir)

	crypter := &meowCrypter{}
	ogSnap := OriginalSnap.New(tempdir)

	// Algorithm says "meow", Data is still plaintext: a mislabelled record.
	record := api.MaybeEncryptedRecord{
		Algorithm: crypter.Algorithm(),
		Data:      fakeSnapshotData.Data,
	}
	payload, err := record.Marshal()
	require.NoError(t, err)

	mislabeledSnap := fakeSnapshotData
	mislabeledSnap.Data = payload
	require.NoError(t, ogSnap.SaveSnap(mislabeledSnap))

	factory := NewSnapFactory(encryption.NoopCrypter, crypter)
	wrapped := factory.New(tempdir)

	// Load must surface the decrypter's error instead of succeeding.
	_, err = wrapped.Load()
	require.Error(t, err)
	require.Contains(t, err.Error(), "not meowcoded")
}
// TestSnapshotterSavesSnapshotWithEncryption checks that the wrapping
// Snapshotter encrypts the snapshot data, and only the data, before passing
// the snapshot to the wrapped Snapshotter: read back without the wrapper, the
// stored Data differs from the plaintext while the Metadata is unchanged.
func TestSnapshotterSavesSnapshotWithEncryption(t *testing.T) {
	tempdir, err := ioutil.TempDir("", "snapwrap")
	require.NoError(t, err)
	defer os.RemoveAll(tempdir)

	// Save through the wrapper, with the meow crypter as the encrypter.
	factory := NewSnapFactory(meowCrypter{}, encryption.NoopCrypter)
	wrapped := factory.New(tempdir)
	require.NoError(t, wrapped.SaveSnap(fakeSnapshotData))

	// Read back with the original Snapshotter to see what was stored.
	ogSnap := OriginalSnap.New(tempdir)
	stored, err := ogSnap.Load()
	require.NoError(t, err)

	var record api.MaybeEncryptedRecord
	require.NoError(t, record.Unmarshal(stored.Data))

	// NOTE(review): NotEqual only shows that the stored bytes differ from the
	// plaintext; it does not pin which algorithm the record is labelled with.
	require.NotEqual(t, fakeSnapshotData.Data, record.Data)
	require.Equal(t, fakeSnapshotData.Metadata, stored.Metadata)
}
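// TestReadAllNoSupportedDecrypter checks that reading the WAL returns an
// error when the stored records are labelled with an algorithm that the
// configured decrypter cannot handle.
func TestReadAllNoSupportedDecrypter(t *testing.T) {
	metadata, entries, snapshot := makeWALData(1, 1)

	// Label every entry with an algorithm value (-3) that the no-op decrypter
	// used below is expected to reject.
	for i, entry := range entries {
		r := api.MaybeEncryptedRecord{Data: entry.Data, Algorithm: api.MaybeEncryptedRecord_Algorithm(-3)}
		data, err := r.Marshal()
		require.NoError(t, err)
		entries[i].Data = data
	}

	tempdir := createWithWAL(t, OriginalWAL, metadata, snapshot, entries)
	defer os.RemoveAll(tempdir)

	c := NewWALFactory(encryption.NoopCrypter, encryption.NoopCrypter)
	wrapped, err := c.Open(tempdir, snapshot)
	require.NoError(t, err)
	// A single deferred Close covers every exit path; the second
	// `defer wrapped.Close()` that used to follow the final assertion only
	// closed the same WAL twice and has been dropped.
	defer wrapped.Close()

	// Open succeeds; the failure has to come from ReadAll.
	_, _, _, err = wrapped.ReadAll()
	require.Error(t, err)
}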
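// TestSave checks that entries saved through the wrapping WAL are encrypted
// with the given encrypter, and that a regular WAL reading the same directory
// sees them as encrypted records.
//
// NOTE(review): the assertion on `meta` expects the regular WAL to return the
// metadata unchanged, so the metadata is evidently not transformed by the
// encrypter, unlike the entry data. Confirm against the wrapper.
func TestSave(t *testing.T) {
	metadata, entries, snapshot := makeWALData(1, 1)

	crypter := &meowCrypter{}
	c := NewWALFactory(crypter, encryption.NoopCrypter)
	tempdir := createWithWAL(t, c, metadata, snapshot, entries)
	defer os.RemoveAll(tempdir)

	ogWAL, err := OriginalWAL.Open(tempdir, snapshot)
	require.NoError(t, err)
	defer ogWAL.Close()

	meta, state, ents, err := ogWAL.ReadAll()
	require.NoError(t, err)
	require.Equal(t, metadata, meta)
	// NOTE(review): this compares state with itself and can never fail. The
	// hard state that was written is not visible from this test, so the
	// intended expected value needs to be filled in by someone who knows it.
	require.Equal(t, state, state)

	// Without this check the loop below passes vacuously if no entries are
	// read back, and the encryption assertions would never run.
	require.Len(t, ents, len(entries))

	for _, ent := range ents {
		var encrypted api.MaybeEncryptedRecord
		require.NoError(t, encrypted.Unmarshal(ent.Data))

		// Each stored record must be labelled with the encrypter's algorithm
		// and carry the marker the meow crypter appends to its output.
		require.Equal(t, crypter.Algorithm(), encrypted.Algorithm)
		require.True(t, bytes.HasSuffix(encrypted.Data, []byte("🐱")))
	}
}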
// TestReadAllEntryIncorrectlyEncrypted checks that reading the WAL returns an
// error when a decrypter exists for the records' algorithm but an entry is
// not actually encrypted that way.
func TestReadAllEntryIncorrectlyEncrypted(t *testing.T) {
	metadata, entries, snapshot := makeWALData(1, 1)
	crypter := &meowCrypter{}

	// Entries are labelled with the meow algorithm, but their payload is left
	// as the original, un-meow-encrypted data.
	for i := range entries {
		record := api.MaybeEncryptedRecord{
			Data:      entries[i].Data,
			Algorithm: crypter.Algorithm(),
		}
		payload, err := record.Marshal()
		require.NoError(t, err)
		entries[i].Data = payload
	}

	tempdir := createWithWAL(t, OriginalWAL, metadata, snapshot, entries)
	defer os.RemoveAll(tempdir)

	factory := NewWALFactory(encryption.NoopCrypter, crypter)
	wrapped, err := factory.Open(tempdir, snapshot)
	require.NoError(t, err)

	// Open succeeds; the decrypter's error has to surface from ReadAll.
	_, _, _, readErr := wrapped.ReadAll()
	require.Error(t, readErr)
	require.Contains(t, readErr.Error(), "not meowcoded")

	require.NoError(t, wrapped.Close())
}
// TestSnapshotterLoadNotEncryptedSnapshot checks that the wrapping
// Snapshotter can load a snapshot whose data is wrapped in a
// MaybeEncryptedRecord but not encrypted (no Algorithm is set on the record).
func TestSnapshotterLoadNotEncryptedSnapshot(t *testing.T) {
	tempdir, err := ioutil.TempDir("", "snapwrap")
	require.NoError(t, err)
	defer os.RemoveAll(tempdir)

	ogSnap := OriginalSnap.New(tempdir)

	// Envelope carrying the plaintext snapshot data and nothing else.
	record := api.MaybeEncryptedRecord{Data: fakeSnapshotData.Data}
	payload, err := record.Marshal()
	require.NoError(t, err)

	wrappedPlainSnap := fakeSnapshotData
	wrappedPlainSnap.Data = payload
	require.NoError(t, ogSnap.SaveSnap(wrappedPlainSnap))

	factory := NewSnapFactory(encryption.NoopCrypter, encryption.NoopCrypter)
	wrapped := factory.New(tempdir)

	// Loading through the wrapper must yield the original snapshot again.
	readSnap, err := wrapped.Load()
	require.NoError(t, err)
	require.Equal(t, fakeSnapshotData, *readSnap)
}