chore(audit): fix audits to verify encryption file + check for empty …

…files (#7548) * fix audits to verify encryption file + check for empty files
dgraph-io · Mar 14, 2021 · 4e48426 · 4e48426
1 parent 931f514
commit 4e48426
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 18 deletions.
diff --git a/ee/audit/interceptor_ee.go b/ee/audit/interceptor_ee.go
@@ -192,7 +192,7 @@ func maskPasswordFieldsInGQL(req string) string {
 		Input: gqlReq.Query,
 	})
 	if gErr != nil {
-		glog.Errorf("unable to parse gql request %+v", err)
+		glog.Errorf("unable to parse gql request %+v", gErr)
 		return req
 	}
 	if len(query.Operations) == 0 {

diff --git a/ee/audit/run_ee.go b/ee/audit/run_ee.go
@@ -93,23 +93,40 @@ func run() error {
 	block, err := aes.NewCipher(key)
 	stat, err := os.Stat(decryptCmd.Conf.GetString("in"))
 	x.Check(err)
+	if stat.Size() == 0 {
+		glog.Info("audit file is empty")
+		return nil
+	}
+	var iterator int64 = 0
+
 	iv := make([]byte, aes.BlockSize)
-	x.Check2(file.ReadAt(iv, 0))
+	x.Check2(file.ReadAt(iv, iterator))
+	iterator = iterator + aes.BlockSize
+
+	t := make([]byte, len(x.VerificationText))
+	x.Check2(file.ReadAt(t, iterator))
+	iterator = iterator + int64(len(x.VerificationText))
+
+	stream := cipher.NewCTR(block, iv)
+	stream.XORKeyStream(t, t)
+	if string(t) != x.VerificationText {
+		return errors.New("invalid encryption key provided. Please check your encryption key")
+	}
 
-	var iterator int64 = 16
 	for {
-		content := make([]byte, binary.BigEndian.Uint32(iv[12:]))
-		x.Check2(file.ReadAt(content, iterator))
-		iterator = iterator + int64(binary.BigEndian.Uint32(iv[12:]))
-		stream := cipher.NewCTR(block, iv)
-		stream.XORKeyStream(content, content)
-		x.Check2(outfile.Write(content))
 		// if its the end of data. finish decrypting
 		if iterator >= stat.Size() {
 			break
 		}
 		x.Check2(file.ReadAt(iv[12:], iterator))
 		iterator = iterator + 4
+
+		content := make([]byte, binary.BigEndian.Uint32(iv[12:]))
+		x.Check2(file.ReadAt(content, iterator))
+		iterator = iterator + int64(binary.BigEndian.Uint32(iv[12:]))
+		stream := cipher.NewCTR(block, iv)
+		stream.XORKeyStream(content, content)
+		x.Check2(outfile.Write(content))
 	}
 	glog.Infof("Decryption of Audit file %s is Done. Decrypted file is %s",
 		decryptCmd.Conf.GetString("in"),

diff --git a/go.sum b/go.sum
@@ -186,6 +186,7 @@ github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3/go.mod h1:VJ0WA2NB
 github.com/gin-gonic/gin v1.4.0/go.mod h1:OW2EZn3DO8Ln9oIKOvM++LBO+5UPHJJDH72/q/3rZdM=
 github.com/glycerine/go-unsnap-stream v0.0.0-20181221182339-f9677308dec2/go.mod h1:/20jfyN9Y5QPEAprSgKAUr+glWDY39ZiUEAYOEv5dsE=
 github.com/glycerine/goconvey v0.0.0-20190410193231-58a59202ab31/go.mod h1:Ogl1Tioa0aV7gstGFO7KhffUsb9M4ydbEbbxpcEDc24=
+github.com/go-check/check v0.0.0-20180628173108-788fd7840127 h1:0gkP6mzaMqkmpcJYCFOLkIBwI7xFExG03bbkOkCvUPI=
 github.com/go-check/check v0.0.0-20180628173108-788fd7840127/go.mod h1:9ES+weclKsC9YodN5RgxqK/VD9HM9JsCSh7rNhMZE98=
 github.com/go-chi/chi v3.3.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
 github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=

diff --git a/t/t.go b/t/t.go
@@ -145,8 +145,28 @@ func detectRace(prefix string) bool {
 	return zeroRaceDetected || alphaRaceDetected
 }
 
-func stopCluster(composeFile, prefix string, wg *sync.WaitGroup) {
+func outputLogs(prefix string) {
+	printLogs := func(container string) {
+		in := testutil.GetContainerInstance(prefix, container)
+		c := in.GetContainer()
+		logCmd := exec.Command("docker", "logs", c.ID)
+		out, err := logCmd.CombinedOutput()
+		fmt.Printf("Docker logs for %d is %s with error %+v ", c.ID, string(out), err)
+	}
+	for i := 0; i <= 3; i++ {
+		printLogs("zero" + strconv.Itoa(i))
+	}
+
+	for i := 0; i <= 6; i++ {
+		printLogs("alpha" + strconv.Itoa(i))
+	}
+}
+
+func stopCluster(composeFile, prefix string, wg *sync.WaitGroup, err error) {
 	go func() {
+		if err != nil {
+			outputLogs(prefix)
+		}
 		cmd := command("docker-compose", "-f", composeFile, "-p", prefix, "down", "-v")
 		cmd.Stderr = nil
 		if err := cmd.Run(); err != nil {
@@ -267,7 +287,7 @@ func runTests(taskCh chan task, closer *z.Closer) error {
 			return
 		}
 		wg.Add(1)
-		stopCluster(defaultCompose, prefix, wg)
+		stopCluster(defaultCompose, prefix, wg, nil)
 		stopped = true
 	}
 	defer stop()
@@ -317,21 +337,21 @@ func getClusterPrefix() string {
 	return fmt.Sprintf("%s%03d-%d", getGlobalPrefix(), procId, id)
 }
 
-func runCustomClusterTest(ctx context.Context, pkg string, wg *sync.WaitGroup) error {
+func runCustomClusterTest(ctx context.Context, pkg string, wg *sync.WaitGroup) (err error) {
 	fmt.Printf("Bringing up cluster for package: %s\n", pkg)
-
 	compose := composeFileFor(pkg)
 	prefix := getClusterPrefix()
-	err := startCluster(compose, prefix)
+	err = startCluster(compose, prefix)
 	if err != nil {
-		return err
+		return
 	}
 	if !*keepCluster {
 		wg.Add(1)
-		defer stopCluster(compose, prefix, wg)
+		defer stopCluster(compose, prefix, wg, err)
 	}
 
-	return runTestsFor(ctx, pkg, prefix)
+	err = runTestsFor(ctx, pkg, prefix)
+	return
 }
 
 func findPackagesFor(testName string) []string {

diff --git a/x/log_writer.go b/x/log_writer.go
@@ -19,6 +19,8 @@ package x
 import (
 	"bufio"
 	"compress/gzip"
+	"crypto/aes"
+	"crypto/cipher"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -39,6 +41,7 @@ const (
 	backupTimeFormat = "2006-01-02T15-04-05.000"
 	bufferSize       = 256 * 1024
 	flushInterval    = 10 * time.Second
+	VerificationText = "Hello World"
 )
 
 // This is done to ensure LogWriter always implement io.WriterCloser
@@ -181,6 +184,19 @@ func encrypt(key []byte, baseIv [12]byte, src []byte) ([]byte, error) {
 	return allocate, nil
 }
 
+func decrypt(key []byte, baseIv [12]byte, src []byte) ([]byte, error) {
+	iv := make([]byte, 16)
+	copy(iv, baseIv[:])
+	binary.BigEndian.PutUint32(iv[12:], uint32(len(src)))
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	stream := cipher.NewCTR(block, iv[:])
+	stream.XORKeyStream(src, src)
+	return src, nil
+}
+
 func (l *LogWriter) rotate() error {
 	if l == nil {
 		return nil
@@ -230,7 +246,11 @@ func (l *LogWriter) open() error {
 
 		if l.EncryptionKey != nil {
 			rand.Read(l.baseIv[:])
-			if _, err = l.writer.Write(l.baseIv[:]); err != nil {
+			bytes, err := encrypt(l.EncryptionKey, l.baseIv, []byte(VerificationText))
+			if err != nil {
+				return err
+			}
+			if _, err = l.writer.Write(append(l.baseIv[:], bytes[:]...)); err != nil {
 				return err
 			}
 		}
@@ -260,6 +280,17 @@ func (l *LogWriter) open() error {
 			_ = f.Close()
 			return openNew()
 		}
+		text := make([]byte, 11)
+		if _, err := f.ReadAt(text, 16); err != nil {
+			_ = f.Close()
+			return openNew()
+		}
+		if t, err := decrypt(l.EncryptionKey, l.baseIv, text); err != nil ||
+			string(t) != VerificationText {
+			// different encryption key. Better to open new file here
+			_ = f.Close()
+			return openNew()
+		}
 	}
 
 	l.file = f