itsscb/sqlx
1
0
Fork 0
mirror of https://github.com/launchbadge/sqlx.git synced 2026-03-20 09:04:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Szymek156/issue2009 (#2014)

Browse Source 
* SQLite: Execute SQLCipher pragmas as very first operations on the database

SQLCipher requires, apart from 'key' pragma also other cipher-related
to be executed before read/write to the database.

* Added tests for SQLCipher functionality

* remove default-features from libsqlite3-sys when building from dev-dependencies

Co-authored-by: Szymon Zimnowoda <szimnowoda.memri@gmail.com>
This commit is contained in:
szymek156
2022-08-05 21:20:14 +02:00
committed by GitHub
parent 728717f032
commit c931cab95f
3 changed files with 251 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
tests/sqlite/sqlcipher.rs Normal file
View File

@@ -0,0 +1,202 @@
use std::str::FromStr;
use sqlx::sqlite::SqliteQueryResult;
use sqlx::{query, Connection, SqliteConnection};
use sqlx::{sqlite::SqliteConnectOptions, ConnectOptions};
use sqlx_rt::fs::File;
use tempdir::TempDir;
async fn new_db_url() -> anyhow::Result<(String, TempDir)> {
let dir = TempDir::new("sqlcipher_test")?;
let filepath = dir.path().join("database.sqlite3");
// Touch the file, so DB driver will not complain it does not exist
File::create(filepath.as_path()).await?;
Ok((format!("sqlite://{}", filepath.display()), dir))
}
async fn fill_db(conn: &mut SqliteConnection) -> anyhow::Result<SqliteQueryResult> {
conn.transaction(|tx| {
Box::pin(async move {
query(
"
CREATE TABLE Company(
Id INT PRIMARY KEY NOT NULL,
Name TEXT NOT NULL,
Salary REAL
);
",
)
.execute(&mut *tx)
.await?;
query(
r#"
INSERT INTO Company(Id, Name, Salary)
VALUES
(1, "aaa", 111),
(2, "bbb", 222)
"#,
)
.execute(tx)
.await
})
})
.await
.map_err(|e| e.into())
}
#[sqlx_macros::test]
async fn it_encrypts() -> anyhow::Result<()> {
let (url, _dir) = new_db_url().await?;
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("key", "the_password")
.connect()
.await?;
fill_db(&mut conn).await?;
// Create another connection without key, query should fail
let mut conn = SqliteConnectOptions::from_str(&url)?.connect().await?;
assert!(conn
.transaction(|tx| {
Box::pin(async move { query("SELECT * FROM Company;").fetch_all(tx).await })
})
.await
.is_err());
Ok(())
}
#[sqlx_macros::test]
async fn it_can_store_and_read_encrypted_data() -> anyhow::Result<()> {
let (url, _dir) = new_db_url().await?;
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("key", "the_password")
.connect()
.await?;
fill_db(&mut conn).await?;
// Create another connection with valid key
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("key", "the_password")
.connect()
.await?;
let result = conn
.transaction(|tx| {
Box::pin(async move { query("SELECT * FROM Company;").fetch_all(tx).await })
})
.await?;
assert!(result.len() > 0);
Ok(())
}
#[sqlx_macros::test]
async fn it_fails_if_password_is_incorrect() -> anyhow::Result<()> {
let (url, _dir) = new_db_url().await?;
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("key", "the_password")
.connect()
.await?;
fill_db(&mut conn).await?;
// Connection with invalid key should not allow to execute queries
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("key", "BADBADBAD")
.connect()
.await?;
assert!(conn
.transaction(|tx| {
Box::pin(async move { query("SELECT * FROM Company;").fetch_all(tx).await })
})
.await
.is_err());
Ok(())
}
#[sqlx_macros::test]
async fn it_honors_order_of_encryption_pragmas() -> anyhow::Result<()> {
let (url, _dir) = new_db_url().await?;
// Make call of cipher configuration mixed with other pragmas,
// it should have no effect, encryption related pragmas should be
// executed first and allow to establish valid connection
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("cipher_kdf_algorithm", "PBKDF2_HMAC_SHA1")
.journal_mode(sqlx::sqlite::SqliteJournalMode::Wal)
.pragma("cipher_page_size", "1024")
.pragma("key", "the_password")
.foreign_keys(true)
.pragma("kdf_iter", "64000")
.auto_vacuum(sqlx::sqlite::SqliteAutoVacuum::Incremental)
.pragma("cipher_hmac_algorithm", "HMAC_SHA1")
.connect()
.await?;
fill_db(&mut conn).await?;
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("dummy", "pragma")
// The cipher configuration set on first connection is
// version 3 of SQLCipher, so for second it's enough to set
// the compatibility mode.
.pragma("cipher_compatibility", "3")
.pragma("key", "the_password")
.connect()
.await?;
let result = conn
.transaction(|tx| {
Box::pin(async move { query("SELECT * FROM COMPANY;").fetch_all(tx).await })
})
.await?;
assert!(result.len() > 0);
Ok(())
}
#[sqlx_macros::test]
async fn it_allows_to_rekey_the_db() -> anyhow::Result<()> {
let (url, _dir) = new_db_url().await?;
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("key", "the_password")
.connect()
.await?;
fill_db(&mut conn).await?;
// The 'pragma rekey' can be called at any time
query("PRAGMA rekey = new_password;")
.execute(&mut conn)
.await?;
let mut conn = SqliteConnectOptions::from_str(&url)?
.pragma("dummy", "pragma")
.pragma("key", "new_password")
.connect()
.await?;
let result = conn
.transaction(|tx| {
Box::pin(async move { query("SELECT * FROM COMPANY;").fetch_all(tx).await })
})
.await?;
assert!(result.len() > 0);
Ok(())
}