sqlreplay, api: support encryption method options to traffic capture (#718)

Author: djshow832

lib/cli/traffic.go

@@ -29,8 +29,9 @@ func GetTrafficCaptureCmd(ctx *Context) *cobra.Command {
 	}
 	output := captureCmd.PersistentFlags().String("output", "", "output directory for traffic files")
 	duration := captureCmd.PersistentFlags().String("duration", "", "the duration of traffic capture")
+	encrypt := captureCmd.PersistentFlags().String("encrypt-method", "", "the encryption method used for encrypting traffic files")
 	captureCmd.RunE = func(cmd *cobra.Command, args []string) error {
-		reader := GetFormReader(map[string]string{"output": *output, "duration": *duration})
+		reader := GetFormReader(map[string]string{"output": *output, "duration": *duration, "encrypt-method": *encrypt})
 		resp, err := doRequest(cmd.Context(), ctx, http.MethodPost, "/api/traffic/capture", reader)
 		if err != nil {
 			return err

lib/config/proxy.go

@@ -93,33 +93,6 @@ type LogFile struct {
 	MaxBackups int    `yaml:"max-backups,omitempty" toml:"max-backups,omitempty" json:"max-backups,omitempty"`
 }
 
-type TLSConfig struct {
-	Cert               string `yaml:"cert,omitempty" toml:"cert,omitempty" json:"cert,omitempty"`
-	Key                string `yaml:"key,omitempty" toml:"key,omitempty" json:"key,omitempty"`
-	CA                 string `yaml:"ca,omitempty" toml:"ca,omitempty" json:"ca,omitempty"`
-	MinTLSVersion      string `yaml:"min-tls-version,omitempty" toml:"min-tls-version,omitempty" json:"min-tls-version,omitempty"`
-	AutoCerts          bool   `yaml:"auto-certs,omitempty" toml:"auto-certs,omitempty" json:"auto-certs,omitempty"`
-	RSAKeySize         int    `yaml:"rsa-key-size,omitempty" toml:"rsa-key-size,omitempty" json:"rsa-key-size,omitempty"`
-	AutoExpireDuration string `yaml:"autocert-expire-duration,omitempty" toml:"autocert-expire-duration,omitempty" json:"autocert-expire-duration,omitempty"`
-	SkipCA             bool   `yaml:"skip-ca,omitempty" toml:"skip-ca,omitempty" json:"skip-ca,omitempty"`
-}
-
-func (c TLSConfig) HasCert() bool {
-	return !(c.Cert == "" && c.Key == "")
-}
-
-func (c TLSConfig) HasCA() bool {
-	return c.CA != ""
-}
-
-type Security struct {
-	ServerSQLTLS      TLSConfig `yaml:"server-tls,omitempty" toml:"server-tls,omitempty" json:"server-tls,omitempty"`
-	ServerHTTPTLS     TLSConfig `yaml:"server-http-tls,omitempty" toml:"server-http-tls,omitempty" json:"server-http-tls,omitempty"`
-	ClusterTLS        TLSConfig `yaml:"cluster-tls,omitempty" toml:"cluster-tls,omitempty" json:"cluster-tls,omitempty"`
-	SQLTLS            TLSConfig `yaml:"sql-tls,omitempty" toml:"sql-tls,omitempty" json:"sql-tls,omitempty"`
-	RequireBackendTLS bool      `yaml:"require-backend-tls,omitempty" toml:"require-backend-tls,omitempty" json:"require-backend-tls,omitempty"`
-}
-
 type HA struct {
 	VirtualIP string `yaml:"virtual-ip,omitempty" toml:"virtual-ip,omitempty" json:"virtual-ip,omitempty"`
 	Interface string `yaml:"interface,omitempty" toml:"interface,omitempty" json:"interface,omitempty"`

lib/config/security.go

@@ -0,0 +1,36 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package config
+
+type TLSConfig struct {
+	Cert               string `yaml:"cert,omitempty" toml:"cert,omitempty" json:"cert,omitempty"`
+	Key                string `yaml:"key,omitempty" toml:"key,omitempty" json:"key,omitempty"`
+	CA                 string `yaml:"ca,omitempty" toml:"ca,omitempty" json:"ca,omitempty"`
+	MinTLSVersion      string `yaml:"min-tls-version,omitempty" toml:"min-tls-version,omitempty" json:"min-tls-version,omitempty"`
+	AutoCerts          bool   `yaml:"auto-certs,omitempty" toml:"auto-certs,omitempty" json:"auto-certs,omitempty"`
+	RSAKeySize         int    `yaml:"rsa-key-size,omitempty" toml:"rsa-key-size,omitempty" json:"rsa-key-size,omitempty"`
+	AutoExpireDuration string `yaml:"autocert-expire-duration,omitempty" toml:"autocert-expire-duration,omitempty" json:"autocert-expire-duration,omitempty"`
+	SkipCA             bool   `yaml:"skip-ca,omitempty" toml:"skip-ca,omitempty" json:"skip-ca,omitempty"`
+}
+
+func (c TLSConfig) HasCert() bool {
+	return !(c.Cert == "" && c.Key == "")
+}
+
+func (c TLSConfig) HasCA() bool {
+	return c.CA != ""
+}
+
+type Security struct {
+	ServerSQLTLS      TLSConfig  `yaml:"server-tls,omitempty" toml:"server-tls,omitempty" json:"server-tls,omitempty"`
+	ServerHTTPTLS     TLSConfig  `yaml:"server-http-tls,omitempty" toml:"server-http-tls,omitempty" json:"server-http-tls,omitempty"`
+	ClusterTLS        TLSConfig  `yaml:"cluster-tls,omitempty" toml:"cluster-tls,omitempty" json:"cluster-tls,omitempty"`
+	SQLTLS            TLSConfig  `yaml:"sql-tls,omitempty" toml:"sql-tls,omitempty" json:"sql-tls,omitempty"`
+	Encryption        Encryption `yaml:"encryption,omitempty" toml:"encryption,omitempty" json:"encryption,omitempty"`
+	RequireBackendTLS bool       `yaml:"require-backend-tls,omitempty" toml:"require-backend-tls,omitempty" json:"require-backend-tls,omitempty"`
+}
+
+type Encryption struct {
+	KeyPath string `yaml:"key-path,omitempty" toml:"key-path,omitempty" json:"key-path,omitempty"`
+}

pkg/server/api/traffic.go

@@ -32,6 +32,8 @@ func (h *Server) TrafficCapture(c *gin.Context) {
 		}
 		cfg.Duration = duration
 	}
+	cfg.EncryptMethod = c.PostForm("encrypt-method")
+	cfg.KeyFile = h.mgr.CfgMgr.GetConfig().Security.Encryption.KeyPath
 
 	if err := h.mgr.ReplayJobMgr.StartCapture(cfg); err != nil {
 		c.String(http.StatusInternalServerError, err.Error())
@@ -54,6 +56,7 @@ func (h *Server) TrafficReplay(c *gin.Context) {
 	cfg.Username = c.PostForm("username")
 	cfg.Password = c.PostForm("password")
 	cfg.ReadOnly = strings.EqualFold(c.PostForm("readonly"), "true")
+	cfg.KeyFile = h.mgr.CfgMgr.GetConfig().Security.Encryption.KeyPath
 
 	if err := h.mgr.ReplayJobMgr.StartReplay(cfg); err != nil {
 		c.String(http.StatusInternalServerError, err.Error())

pkg/sqlreplay/capture/capture.go

@@ -52,6 +52,8 @@ type Capture interface {
 
 type CaptureConfig struct {
 	Output             string
+	EncryptMethod      string
+	KeyFile            string
 	Duration           time.Duration
 	cmdLogger          store.Writer
 	bufferCap          int
@@ -219,7 +221,16 @@ func (c *capture) flushBuffer(bufCh <-chan *bytes.Buffer) {
 	// cfg.cmdLogger is set in tests
 	cmdLogger := c.cfg.cmdLogger
 	if cmdLogger == nil {
-		cmdLogger = store.NewWriter(store.WriterCfg{Dir: c.cfg.Output})
+		var err error
+		cmdLogger, err = store.NewWriter(store.WriterCfg{
+			Dir:           c.cfg.Output,
+			EncryptMethod: c.cfg.EncryptMethod,
+			KeyFile:       c.cfg.KeyFile,
+		})
+		if err != nil {
+			c.lg.Error("failed to create capture writer", zap.Error(err))
+			return
+		}
 	}
 	// Flush all buffers even if the context is timeout.
 	for buf := range bufCh {
@@ -337,7 +348,7 @@ func (c *capture) putCommand(command *cmd.Command) bool {
 }
 
 func (c *capture) writeMeta(duration time.Duration, cmds, filteredCmds uint64) {
-	meta := store.NewMeta(duration, cmds, filteredCmds)
+	meta := store.NewMeta(duration, cmds, filteredCmds, c.cfg.EncryptMethod)
 	if err := meta.Write(c.cfg.Output); err != nil {
 		c.lg.Error("failed to write meta", zap.Error(err))
 	}

pkg/sqlreplay/replay/replay.go

@@ -53,6 +53,7 @@ type ReplayConfig struct {
 	Input    string
 	Username string
 	Password string
+	KeyFile  string
 	Speed    float64
 	ReadOnly bool
 	// the following fields are for testing
@@ -174,9 +175,16 @@ func (r *replay) readCommands(ctx context.Context) {
 	// cfg.reader is set in tests
 	reader := r.cfg.reader
 	if reader == nil {
-		reader = store.NewLoader(r.lg.Named("loader"), store.LoaderCfg{
-			Dir: r.cfg.Input,
+		var err error
+		reader, err = store.NewReader(r.lg.Named("loader"), store.ReaderCfg{
+			Dir:           r.cfg.Input,
+			KeyFile:       r.cfg.KeyFile,
+			EncryptMethod: r.meta.EncryptMethod,
 		})
+		if err != nil {
+			r.stop(err)
+			return
+		}
 	}
 	defer reader.Close()
 

pkg/sqlreplay/replay/replay_test.go

@@ -154,7 +154,7 @@ func TestReplaySpeed(t *testing.T) {
 
 func TestProgress(t *testing.T) {
 	dir := t.TempDir()
-	meta := store.NewMeta(10*time.Second, 10, 0)
+	meta := store.NewMeta(10*time.Second, 10, 0, "")
 	require.NoError(t, meta.Write(dir))
 	loader := newMockNormalLoader()
 	now := time.Now()
@@ -202,7 +202,7 @@ func TestProgress(t *testing.T) {
 
 func TestPendingCmds(t *testing.T) {
 	dir := t.TempDir()
-	meta := store.NewMeta(10*time.Second, 10, 0)
+	meta := store.NewMeta(10*time.Second, 10, 0, "")
 	require.NoError(t, meta.Write(dir))
 	loader := newMockNormalLoader()
 	defer loader.Close()

pkg/sqlreplay/store/encrypt.go

@@ -0,0 +1,134 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package store
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"io"
+	"os"
+	"reflect"
+
+	"github.com/pingcap/tiproxy/lib/util/errors"
+)
+
+var _ Writer = (*aesCTRWriter)(nil)
+
+type aesCTRWriter struct {
+	Writer
+	stream cipher.Stream
+	iv     []byte
+	inited bool
+}
+
+func newAESCTRWriter(writer Writer, keyFile string) (*aesCTRWriter, error) {
+	key, err := readAesKey(keyFile)
+	if err != nil {
+		return nil, err
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+	iv := make([]byte, aes.BlockSize)
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, errors.WithStack(err)
+	}
+	return &aesCTRWriter{
+		Writer: writer,
+		stream: cipher.NewCTR(block, iv),
+		iv:     iv,
+	}, nil
+}
+
+func (ctr *aesCTRWriter) Write(data []byte) error {
+	if !ctr.inited {
+		if err := ctr.writeIV(); err != nil {
+			return err
+		}
+		ctr.inited = true
+	}
+	ctr.stream.XORKeyStream(data, data)
+	return ctr.Writer.Write(data)
+}
+
+func (ctr *aesCTRWriter) writeIV() error {
+	return ctr.Writer.Write(ctr.iv)
+}
+
+func (ctr *aesCTRWriter) Close() error {
+	return ctr.Writer.Close()
+}
+
+var _ Reader = (*aesCTRReader)(nil)
+
+type aesCTRReader struct {
+	Reader
+	stream cipher.Stream
+	key    []byte
+}
+
+func newAESCTRReader(reader Reader, keyFile string) (*aesCTRReader, error) {
+	key, err := readAesKey(keyFile)
+	if err != nil {
+		return nil, err
+	}
+	return &aesCTRReader{
+		Reader: reader,
+		key:    key,
+	}, nil
+}
+
+func (ctr *aesCTRReader) Read(data []byte) (int, error) {
+	if ctr.stream == nil || reflect.ValueOf(ctr.stream).IsNil() {
+		if err := ctr.init(); err != nil {
+			return 0, err
+		}
+	}
+	n, err := ctr.Reader.Read(data)
+	if n > 0 {
+		ctr.stream.XORKeyStream(data[:n], data[:n])
+	}
+	if err != nil {
+		return n, err
+	}
+	return n, nil
+}
+
+func (ctr *aesCTRReader) init() error {
+	block, err := aes.NewCipher(ctr.key)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+	iv := make([]byte, aes.BlockSize)
+	for readLen := 0; readLen < len(iv); {
+		m, err := ctr.Reader.Read(iv[readLen:])
+		if err != nil {
+			return err
+		}
+		readLen += m
+	}
+	ctr.stream = cipher.NewCTR(block, iv)
+	return nil
+}
+
+func (ctr *aesCTRReader) CurFile() string {
+	return ctr.Reader.CurFile()
+}
+
+func (ctr *aesCTRReader) Close() {
+	ctr.Reader.Close()
+}
+
+func readAesKey(filename string) ([]byte, error) {
+	key, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+	if len(key) != 32 {
+		return nil, errors.Errorf("invalid aes-256 key length: %d, expecting 32", len(key))
+	}
+	return key, nil
+}

pkg/sqlreplay/store/encrypt_test.go

@@ -0,0 +1,62 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package store
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+)
+
+func TestAes256(t *testing.T) {
+	dir := t.TempDir()
+	rotateWriter := newRotateWriter(WriterCfg{
+		Dir:      dir,
+		FileSize: 1,
+	})
+	keyFile := filepath.Join(dir, "key")
+	genAesKey(t, keyFile)
+	aesWriter, err := newAESCTRWriter(rotateWriter, keyFile)
+	require.NoError(t, err)
+	require.NoError(t, aesWriter.Write([]byte("test")))
+	require.NoError(t, aesWriter.Close())
+
+	rotateReader := newRotateReader(zap.NewNop(), dir)
+	aesReader, err := newAESCTRReader(rotateReader, keyFile)
+	require.NoError(t, err)
+	data := make([]byte, 100)
+	n, err := io.ReadFull(aesReader, data)
+	require.Equal(t, len("test"), n)
+	require.ErrorContains(t, err, "unexpected EOF")
+	require.Equal(t, []byte("test"), data[:n])
+	require.Equal(t, fileName, aesReader.CurFile())
+	aesReader.Close()
+}
+
+func TestAes256Error(t *testing.T) {
+	dir := t.TempDir()
+	rotateWriter := newRotateWriter(WriterCfg{
+		Dir:      dir,
+		FileSize: 1,
+	})
+	keyFile := filepath.Join(dir, "key")
+	_, err := newAESCTRWriter(rotateWriter, keyFile)
+	require.Error(t, err)
+
+	rotateReader := newRotateReader(zap.NewNop(), dir)
+	_, err = newAESCTRReader(rotateReader, keyFile)
+	require.Error(t, err)
+}
+
+func genAesKey(t *testing.T, keyFile string) {
+	key := make([]byte, 32)
+	for i := range key {
+		key[i] = byte(i)
+	}
+	require.NoError(t, os.WriteFile(keyFile, key, 0600))
+}