Added tests for SQLCipher functionality

Szymon Zimnowoda · Szymon Zimnowoda · commit 8a97782c160a · 2022-08-03T10:14:21.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -154,6 +154,10 @@ url = "2.2.2"
 rand = "0.8.4"
 rand_xoshiro = "0.6.0"
 hex = "0.4.3"
+tempdir = "0.3.7"
+# Needed to test SQLCipher
+libsqlite3-sys = { version = "*", default-features = false, features = ["bundled-sqlcipher"] }
+
 #
 # Any
 #
@@ -206,6 +210,11 @@ name = "sqlite-derives"
 path = "tests/sqlite/derives.rs"
 required-features = ["sqlite", "macros"]
 
+[[test]]
+name = "sqlcipher"
+path = "tests/sqlite/sqlcipher.rs"
+required-features = ["sqlite"]
+
 #
 # MySQL
 #
diff --git a/tests/sqlite/sqlcipher.rs b/tests/sqlite/sqlcipher.rs
@@ -0,0 +1,202 @@
+use std::str::FromStr;
+
+use sqlx::sqlite::SqliteQueryResult;
+use sqlx::{query, Connection, SqliteConnection};
+use sqlx::{sqlite::SqliteConnectOptions, ConnectOptions};
+use sqlx_rt::fs::File;
+use tempdir::TempDir;
+
+async fn new_db_url() -> anyhow::Result<(String, TempDir)> {
+    let dir = TempDir::new("sqlcipher_test")?;
+    let filepath = dir.path().join("database.sqlite3");
+
+    // Touch the file, so DB driver will not complain it does not exist
+    File::create(filepath.as_path()).await?;
+
+    Ok((format!("sqlite://{}", filepath.display()), dir))
+}
+
+async fn fill_db(conn: &mut SqliteConnection) -> anyhow::Result<SqliteQueryResult> {
+    conn.transaction(|tx| {
+        Box::pin(async move {
+            query(
+                "
+                CREATE TABLE Company(
+                    Id INT PRIMARY KEY     NOT NULL,
+                    Name           TEXT    NOT NULL,
+                    Salary         REAL
+                 );
+                 ",
+            )
+            .execute(&mut *tx)
+            .await?;
+
+            query(
+                r#"
+                INSERT INTO Company(Id, Name, Salary)
+                VALUES
+                    (1, "aaa", 111),
+                    (2, "bbb", 222)
+                "#,
+            )
+            .execute(tx)
+            .await
+        })
+    })
+    .await
+    .map_err(|e| e.into())
+}
+
+#[sqlx_macros::test]
+async fn it_encrypts() -> anyhow::Result<()> {
+    let (url, _dir) = new_db_url().await?;
+
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("key", "the_password")
+        .connect()
+        .await?;
+
+    fill_db(&mut conn).await?;
+
+    // Create another connection without key, query should fail
+    let mut conn = SqliteConnectOptions::from_str(&url)?.connect().await?;
+
+    assert!(conn
+        .transaction(|tx| {
+            Box::pin(async move { query("SELECT * FROM Company;").fetch_all(tx).await })
+        })
+        .await
+        .is_err());
+
+    Ok(())
+}
+
+#[sqlx_macros::test]
+async fn it_can_store_and_read_encrypted_data() -> anyhow::Result<()> {
+    let (url, _dir) = new_db_url().await?;
+
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("key", "the_password")
+        .connect()
+        .await?;
+
+    fill_db(&mut conn).await?;
+
+    // Create another connection with valid key
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("key", "the_password")
+        .connect()
+        .await?;
+
+    let result = conn
+        .transaction(|tx| {
+            Box::pin(async move { query("SELECT * FROM Company;").fetch_all(tx).await })
+        })
+        .await?;
+
+    assert!(result.len() > 0);
+
+    Ok(())
+}
+
+#[sqlx_macros::test]
+async fn it_fails_if_password_is_incorrect() -> anyhow::Result<()> {
+    let (url, _dir) = new_db_url().await?;
+
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("key", "the_password")
+        .connect()
+        .await?;
+
+    fill_db(&mut conn).await?;
+
+    // Connection with invalid key should not allow to execute queries
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("key", "BADBADBAD")
+        .connect()
+        .await?;
+
+    assert!(conn
+        .transaction(|tx| {
+            Box::pin(async move { query("SELECT * FROM Company;").fetch_all(tx).await })
+        })
+        .await
+        .is_err());
+
+    Ok(())
+}
+
+#[sqlx_macros::test]
+async fn it_honors_order_of_encryption_pragmas() -> anyhow::Result<()> {
+    let (url, _dir) = new_db_url().await?;
+
+    // Make call of cipher configuration mixed with other pragmas,
+    // it should have no effect, encryption related pragmas should be
+    // executed first and allow to establish valid connection
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("cipher_kdf_algorithm", "PBKDF2_HMAC_SHA1")
+        .journal_mode(sqlx::sqlite::SqliteJournalMode::Wal)
+        .pragma("cipher_page_size", "1024")
+        .pragma("key", "the_password")
+        .foreign_keys(true)
+        .pragma("kdf_iter", "64000")
+        .auto_vacuum(sqlx::sqlite::SqliteAutoVacuum::Incremental)
+        .pragma("cipher_hmac_algorithm", "HMAC_SHA1")
+        .connect()
+        .await?;
+
+    fill_db(&mut conn).await?;
+
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("dummy", "pragma")
+        // The cipher configuration set on first connection is
+        // version 3 of SQLCipher, so for second it's enough to set
+        // the compatibility mode.
+        .pragma("cipher_compatibility", "3")
+        .pragma("key", "the_password")
+        .connect()
+        .await?;
+
+    let result = conn
+        .transaction(|tx| {
+            Box::pin(async move { query("SELECT * FROM COMPANY;").fetch_all(tx).await })
+        })
+        .await?;
+
+    assert!(result.len() > 0);
+
+    Ok(())
+}
+
+#[sqlx_macros::test]
+async fn it_allows_to_rekey_the_db() -> anyhow::Result<()> {
+    let (url, _dir) = new_db_url().await?;
+
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("key", "the_password")
+        .connect()
+        .await?;
+
+    fill_db(&mut conn).await?;
+
+    // The 'pragma rekey' can be called at any time
+    query("PRAGMA rekey = new_password;")
+        .execute(&mut conn)
+        .await?;
+
+    let mut conn = SqliteConnectOptions::from_str(&url)?
+        .pragma("dummy", "pragma")
+        .pragma("key", "new_password")
+        .connect()
+        .await?;
+
+    let result = conn
+        .transaction(|tx| {
+            Box::pin(async move { query("SELECT * FROM COMPANY;").fetch_all(tx).await })
+        })
+        .await?;
+
+    assert!(result.len() > 0);
+
+    Ok(())
+}

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,10 @@ url = "2.2.2"`
`154`	`154`	`rand = "0.8.4"`
`155`	`155`	`rand_xoshiro = "0.6.0"`
`156`	`156`	`hex = "0.4.3"`
	`157`	`+tempdir = "0.3.7"`
	`158`	`+# Needed to test SQLCipher`
	`159`	`+libsqlite3-sys = { version = "*", default-features = false, features = ["bundled-sqlcipher"] }`
	`160`	`+`
`157`	`161`	`#`
`158`	`162`	`# Any`
`159`	`163`	`#`
`@@ -206,6 +210,11 @@ name = "sqlite-derives"`
`206`	`210`	`path = "tests/sqlite/derives.rs"`
`207`	`211`	`required-features = ["sqlite", "macros"]`
`208`	`212`
	`213`	`+[[test]]`
	`214`	`+name = "sqlcipher"`
	`215`	`+path = "tests/sqlite/sqlcipher.rs"`
	`216`	`+required-features = ["sqlite"]`
	`217`	`+`
`209`	`218`	`#`
`210`	`219`	`# MySQL`
`211`	`220`	`#`