Merge pull request #306 from cipherstash/set-key-name-integration-test

Set key name integration test

Author: tobyhede

.github/workflows/test.yml

@@ -28,10 +28,18 @@ jobs:
           CS_TENANT_KEYSET_ID_1: ${{ secrets.CS_TENANT_KEYSET_ID_1 }}
           CS_TENANT_KEYSET_ID_2: ${{ secrets.CS_TENANT_KEYSET_ID_2 }}
           CS_TENANT_KEYSET_ID_3: ${{ secrets.CS_TENANT_KEYSET_ID_3 }}
+          CS_TENANT_KEYSET_NAME_1: ${{ secrets.CS_TENANT_KEYSET_NAME_1 }}
+          CS_TENANT_KEYSET_NAME_2: ${{ secrets.CS_TENANT_KEYSET_NAME_2 }}
+          CS_TENANT_KEYSET_NAME_3: ${{ secrets.CS_TENANT_KEYSET_NAME_3 }}
           CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
           CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
           CS_WORKSPACE_CRN: "crn:ap-southeast-2.aws:${{ secrets.CS_WORKSPACE_ID }}"
-
           RUST_BACKTRACE: "1"
         run: |
-          mise run --output prefix test
+          mise run --output prefix test
+
+      # Always show the Proxy logs, for debugging
+      - name: Show Proxy logs
+        if: always()
+        run: |
+          docker logs --timestamps proxy-tls

docs/errors.md

@@ -311,13 +311,13 @@ A KeysetId could not be set using the `SET CIPHERSTASH.KEYSET_ID` command.
 ### Error message
 
 ```
-A KeysetId could not be set using `SET CIPHERSTASH.KEYSET_ID`
+Keyset Id could not be set using `SET CIPHERSTASH.KEYSET_ID`
 ```
 
 ### How to Fix
 
-1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `KeysetId` value should be in single quotes.
-2. Check that the `KeysetId` is a valid UUID.
+1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `keyset_id` value should be in single quotes.
+2. Check that the `keyset_id` is a valid UUID.
 3. Check that the value is being set as a literal. The PostgreSQL `SET` statement does not support parameterised querying.
 
 
@@ -337,21 +337,40 @@ KeysetName could not be set using the `SET CIPHERSTASH.KEYSET_NAME` command.
 ### Error message
 
 ```
-A KeysetName could not be set using `SET CIPHERSTASH.KEYSET_NAME`
+Keyset Name could not be set using `SET CIPHERSTASH.KEYSET_NAME`
 ```
 
 ### How to Fix
 
-1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `KeysetName` value should be in single quotes.
-2. Check that the provided `KeysetName` is a valid UUID.
+1. Check the syntax of the `SET CIPHERSTASH.KEYSET_ID` command. The `keyset_name` value should be in single quotes.
 2. Check that the value is being set as a literal. The PostgreSQL `SET` statement does not support parameterised querying.
 
 
 ```
-   SET [ SESSION ] CIPHERSTASH.KEYSET_NAME { TO | = } '{KeysetName}'
+   SET [ SESSION ] CIPHERSTASH.KEYSET_NAME { TO | = } '{keyset_name}'
 ```
 
 
+<!-- ---------------------------------------------------------------------------------------------------- -->
+
+
+## Unknown Keyset Identifier <a id='encrypt-unknown-keyset'></a>
+
+The specified keyset could not be loaded.
+
+
+### Error message
+
+```
+Unknown keyset name or id '{keyset}'
+```
+
+### How to Fix
+
+1. Check that the active `keyset_name` or `keyset_id` is associated with a keyset in the configured workspace.
+2. Check that the configured client credentials have access to the keyset and workspace.
+3. Keyset names are case sensitive. If setting the active keyset by name, check that the `keyset_name` is an exact match.
+
 
 <!-- ---------------------------------------------------------------------------------------------------- -->
 
@@ -567,7 +586,7 @@ If the error persists, please contact CipherStash [support](https://cipherstash.
 
 ### How to Fix
 
-1. Check that the data in the encrypted column is in correct format [EQL](https://github.com/cipherstash/encrypt-query-language).
+1. Check that the data in the encrypted column is in the correct format [EQL](https://github.com/cipherstash/encrypt-query-language).
 
 <!-- TODO: Link to EQL Doc on storage format-->
 

mise.toml

@@ -136,7 +136,7 @@ mise run rust:version
 mise run test:check
 mise run test:format
 mise run test:clippy
-# mise run test:unit
+mise run test:unit
 mise run test:integration
 """
 
@@ -278,76 +278,75 @@ description = "Runs integration test/s"
 run = """
 set -e
 
-# echo
-# echo '###############################################'
-# echo '# Preflight'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Preflight'
+echo '###############################################'
+echo
 
 # Ensure Postgres instances are running
 mise run test:integration:preflight
 
-# echo
-# echo '###############################################'
-# echo '# Test: unconfigured proxy'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: unconfigured proxy'
+echo '###############################################'
+echo
 
 mise --env tcp run postgres:eql:teardown
 mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
 mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
 mise --env tcp run test:integration:psql-passthrough
 mise --env tcp run proxy:down
 
-# echo
-# echo '###############################################'
-# echo '# Setup'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Setup'
+echo '###############################################'
+echo
 
-# # Ensure EQL is set up before we try and start Proxy
+# Ensure EQL is set up before we try and start Proxy
 mise --env tcp run postgres:setup
 mise --env tls run postgres:setup
 
-# echo
-# echo '###############################################'
-# echo '# Test: Prometheus'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: Prometheus'
+echo '###############################################'
+echo
 
 mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
 mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
 mise --env tcp run test:integration:prometheus
 mise --env tcp run proxy:down
 
-# echo
-# echo '###############################################'
-# echo '# Test: non-TLS'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: non-TLS'
+echo '###############################################'
+echo
 
 mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
 mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
 mise --env tcp run test:integration:psql-tcp
 mise --env tcp run proxy:down
 
-# echo
-# echo '###############################################'
-# echo '# Test: TLS'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: TLS'
+echo '###############################################'
+echo
 
 mise --env tls run proxy:up proxy-tls --extra-args "--detach --wait"
 mise --env tls run test:wait_for_postgres_to_quack --port 6432 --max-retries 20 --tls
 mise --env tls run test:integration:psql-tls
 mise --env tls run proxy:down
 
-
-# echo
-# echo '###############################################'
-# echo '# Test: Integration'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: Integration'
+echo '###############################################'
+echo
 
 mise --env tls run proxy:up proxy-tls --extra-args "--detach --wait"
 mise --env tls run test:wait_for_postgres_to_quack --port 6432 --max-retries 20 --tls
@@ -373,23 +372,24 @@ export CS_DEFAULT_KEYSET_ID="{{default_keyset_id}}"
 
 mise --env tls run proxy:down
 
-# echo
-# echo '###############################################'
-# echo '# Test: Showcase'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: Showcase'
+echo '###############################################'
+echo
 mise --env tls run proxy:up proxy-tls --extra-args "--detach --wait"
 mise --env tls run test:wait_for_postgres_to_quack --port 6432 --max-retries 20 --tls
 RUST_BACKTRACE=full cargo run -p showcase
 mise --env tls run proxy:down
 
-# echo
-# echo '###############################################'
-# echo '# Test: Language-specific integration'
-# echo '###############################################'
-# echo
+echo
+echo '###############################################'
+echo '# Test: Language-specific integration'
+echo '###############################################'
+echo
 mise run test:integration:lang:golang
 mise run test:integration:lang:python
+
 # Commented out pending fix of the root cause of the test flake
 # mise run test:integration:lang:elixir
 """

packages/cipherstash-proxy-integration/src/multitenant/mod.rs

@@ -1 +1,2 @@
 mod set_keyset_id;
+mod set_keyset_name;

packages/cipherstash-proxy-integration/src/multitenant/set_keyset_id.rs

@@ -84,7 +84,7 @@ mod tests {
     async fn set_keyset_id_with_simple_query() {
         trace();
 
-        // clear().await;
+        clear().await;
 
         let tenant_keyset_id_1 = std::env::var("CS_TENANT_KEYSET_ID_1")
             .map(|s| Uuid::parse_str(&s).unwrap())
@@ -246,6 +246,52 @@ mod tests {
         assert!(result.is_err());
     }
 
+    ///
+    /// Tests error handling of unknown keyset id
+    ///
+    #[tokio::test]
+    async fn set_keyset_id_unknown() {
+        trace();
+
+        clear().await;
+
+        let client = connect_with_tls(PROXY).await;
+
+        let tenant_keyset_id_1 = std::env::var("CS_TENANT_KEYSET_ID_1")
+            .map(|s| Uuid::parse_str(&s).unwrap())
+            .unwrap();
+        // Can set unknown name
+        let sql = "SET CIPHERSTASH.KEYSET_ID = '2cace9db-3a2a-4b46-a184-ba412b3e0730'";
+        let result = client.query(sql, &[]).await;
+        assert!(result.is_ok());
+
+        // Error on encrypt
+        let id = random_id();
+        let text = "TEST UNKNOWN";
+
+        let insert_sql = "INSERT INTO encrypted (id, encrypted_text) VALUES ($1, $2)";
+        let result = client.query(insert_sql, &[&id, &text]).await;
+        assert!(result.is_err());
+
+        if let Err(err) = result {
+            let msg = err.to_string();
+
+            assert_eq!(msg, "db error: FATAL: Unknown keyset name or id '2cace9db-3a2a-4b46-a184-ba412b3e0730'. For help visit https://github.com/cipherstash/proxy/blob/main/docs/errors.md#encrypt-unknown-keyset");
+        } else {
+            unreachable!();
+        }
+
+        //  --------
+        // Switch back to TENANT_1
+        let sql = format!("SET CIPHERSTASH.KEYSET_ID = '{tenant_keyset_id_1}'");
+        let result = client.query(&sql, &[]).await;
+        assert!(result.is_ok());
+
+        let insert_sql = "INSERT INTO encrypted (id, encrypted_text) VALUES ($1, $2)";
+        let result = client.query(insert_sql, &[&id, &text]).await;
+        assert!(result.is_ok());
+    }
+
     ///
     /// Tests various string literal formats for keyset_id values
     ///