Merge pull request #196 from cipherstash/error-or-warn-if-encrypt-config-missing

yujiyokoo · web-flow · commit 6e7f0b202e17 · 2025-04-01T07:53:23.000+09:00
Error or warn if encrypt config missing
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/docs/errors.md b/docs/errors.md
@@ -48,7 +48,7 @@ Check the configured username and password are correct and can connect to the da
 
 Check the database is using a supported authentication method.
 
-CipherStash Proxy supportsseveral PostgreSQL password authentication methods:
+CipherStash Proxy supports several PostgreSQL password authentication methods:
 
  - password
  - md5
@@ -178,7 +178,7 @@ An error occurred when attempting to type check the SQL statement.
 ### Error message
 
 ```
-Statement could not be type checked: '{type-check-erro-message}'
+Statement could not be type checked: '{type-check-error-message}'
 ```
 
 ### Notes
@@ -424,4 +424,4 @@ If using PEM-based configuration:
 Check that the certificate and private key are valid.
 
 
-<!-- ---------------------------------------------------------------------------------------------------- -->
+<!-- ---------------------------------------------------------------------------------------------------- -->
diff --git a/mise.toml b/mise.toml
@@ -318,6 +318,17 @@ mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
 mise --env tcp run test:integration:migrate
 mise --env tcp run proxy:down
 
+echo
+echo '###############################################'
+echo '# Test: Warning for missing encrypt config'
+echo '###############################################'
+echo
+
+mise --env tcp run proxy:up proxy --extra-args "--detach --wait"
+mise --env tcp run test:wait_for_postgres_to_quack --port 6432 --max-retries 20
+mise --env tcp run test:integration:warn_missing_config
+mise --env tcp run proxy:down
+
 echo
 echo '###############################################'
 echo '# Test: Python'
diff --git a/packages/cipherstash-proxy-integration/src/extended_protocol_error_messages.rs b/packages/cipherstash-proxy-integration/src/extended_protocol_error_messages.rs
@@ -66,7 +66,11 @@ mod tests {
         if let Err(err) = result {
             let msg = err.to_string();
 
-            assert_eq!(msg, "db error: ERROR: Column 'encrypted_unconfigured' in table 'unconfigured' has no Encrypt configuration. For help visit https://github.com/cipherstash/proxy/blob/main/docs/errors.md#encrypt-unknown-column");
+            // This is similar to below. The error message comes from tokio-postgres when Proxy
+            // returns cs_encrypted_v1 and the client cannot convert to a string.
+            // If mapping errors are enabled (enable_mapping_errors or CS_DEVELOPMENT__ENABLE_MAPPING_ERRORS),
+            // then Proxy will return an error that says "Column X in table Y has no Encrypt configuration"
+            assert_eq!(msg, "error serializing parameter 1: cannot convert between the Rust type `&str` and the Postgres type `cs_encrypted_v1`");
         } else {
             unreachable!();
         }
diff --git a/packages/cipherstash-proxy/src/postgresql/frontend.rs b/packages/cipherstash-proxy/src/postgresql/frontend.rs
@@ -86,7 +86,7 @@ where
         let sent: u64 = bytes.len() as u64;
         counter!(CLIENTS_BYTES_RECEIVED_TOTAL).increment(sent);
 
-        if self.encrypt.is_passthrough() {
+        if self.encrypt.config.mapping_disabled() {
             self.write_to_server(bytes).await?;
             return Ok(());
         }
@@ -785,8 +785,7 @@ where
                             msg = "Configured column",
                             column = ?identifier
                         );
-                        let col = self.get_column(identifier)?;
-                        Some(col)
+                        self.get_column(identifier)?
                     }
                     _ => None,
                 };
@@ -822,8 +821,7 @@ where
                         column = ?identifier
                     );
 
-                    let col = self.get_column(identifier)?;
-                    Some(col)
+                    self.get_column(identifier)?
                 }
                 _ => None,
             };
@@ -850,7 +848,9 @@ where
                         identifier = ?identifier
                     );
                     let col = self.get_column(identifier)?;
-                    literal_columns.push(Some(col));
+                    if col.is_some() {
+                        literal_columns.push(col);
+                    }
                 }
             }
         }
@@ -860,9 +860,9 @@ where
 
     ///
     /// Get the column configuration for the Identifier
-    /// Returns `EncryptError::UnknownColumn` if configuratiuon cannot be found for the Identified column
-    ///
-    fn get_column(&self, identifier: Identifier) -> Result<Column, Error> {
+    /// Returns `EncryptError::UnknownColumn` if configuration cannot be found for the Identified column
+    /// if mapping enabled, and None if mapping is disabled. It'll log a warning either way.
+    fn get_column(&self, identifier: Identifier) -> Result<Option<Column>, Error> {
         match self.encrypt.get_column_config(&identifier) {
             Some(config) => {
                 debug!(
@@ -871,20 +871,24 @@ where
                     msg = "Configured column",
                     column = ?identifier
                 );
-                Ok(Column::new(identifier, config))
+                Ok(Some(Column::new(identifier, config)))
             }
             None => {
-                debug!(
+                warn!(
                     target: MAPPER,
                     client_id = self.context.client_id,
-                    msg = "Configured column not found ",
+                    msg = "Configured column not found. Encryption configuration may have been deleted.",
                     ?identifier,
                 );
-                Err(EncryptError::UnknownColumn {
-                    table: identifier.table.to_owned(),
-                    column: identifier.column.to_owned(),
+                if self.encrypt.config.mapping_errors_enabled() {
+                    Err(EncryptError::UnknownColumn {
+                        table: identifier.table.to_owned(),
+                        column: identifier.column.to_owned(),
+                    }
+                    .into())
+                } else {
+                    Ok(None)
                 }
-                .into())
             }
         }
     }
diff --git a/tests/mise.tcp.toml b/tests/mise.tcp.toml
@@ -3,3 +3,5 @@ CS_DATABASE__HOST = "postgres"
 CS_DATABASE__PORT = "5532"
 CS_PROMETHEUS__ENABLED = "true"
 CS_LOG__LEVEL = "debug"
+CS_DEVELOPMENT__ENABLE_MAPPING_ERRORS = "false"
+CS_DEVELOPMENT__DISABLE_MAPPING = "false"
diff --git a/tests/python/tests/test_error_messages.py b/tests/python/tests/test_error_messages.py
@@ -54,7 +54,10 @@ def test_encrypted_column_with_no_configuration():
 
                 sql = "INSERT INTO unconfigured (id, encrypted_unconfigured) VALUES (%s, %s)"
 
-                with pytest.raises(psycopg.Error, match='#encrypt-unknown-column'):
+                # This is EQL catching the error and returning it. Details are in docs/errors.md
+                # When mapping errors are enabled, (enable_mapping_errors or CS_DEVELOPMENT__ENABLE_MAPPING_ERRORS)
+                # Proxy will return an error that says "Column X in table Y has no Encrypt configuration"
+                with pytest.raises(psycopg.Error, match=r"Encrypted column missing \w+ \(\w+\) field"):
                     cursor.execute(sql, [id, val])
 
 
diff --git a/tests/tasks/test/integration/warn_missing_config.sh b/tests/tasks/test/integration/warn_missing_config.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#MISE description="Test for warning about missing encrypt config. Run with mapping enabled and mapping error disabled"
+
+# This test assumes that Proxy is running with mapping enabled with mapping error disabled
+
+set -e
+
+# Simulate delete config by renaming
+docker exec -i postgres"${CONTAINER_SUFFIX}" psql 'postgresql://cipherstash:password@proxy:6432/cipherstash' --command 'ALTER TABLE encrypted RENAME COLUMN encrypted_text TO unconfigured_text;' >/dev/null 2>&1
+
+set +e
+TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+docker exec -i postgres"${CONTAINER_SUFFIX}" psql 'postgresql://cipherstash:password@proxy:6432/cipherstash?sslmode=disable' --command 'SELECT unconfigured_text from encrypted' >/dev/null 2>&1
+LOG_CONTENT=$(docker logs --since "${TIMESTAMP}" proxy | tr "\n" " ")
+EXPECTED='Encryption configuration may have been deleted'
+
+# Simulate delete config by renaming
+docker exec -i postgres"${CONTAINER_SUFFIX}" psql 'postgresql://cipherstash:password@proxy:6432/cipherstash' --command 'ALTER TABLE encrypted RENAME COLUMN unconfigured_text TO encrypted_text;' >/dev/null 2>&1
+
+if echo "$LOG_CONTENT" | grep -v "${EXPECTED}"; then
+    echo "error: did not see string in output: \"${EXPECTED}\""
+    exit 1
+fi
+
