WL#9143: Keyring plugin for the Amazon's AWS

         Key Management service

Description: This worklog introduces a new keyring
             plugin -keyring_aws. The plugin will
             communicate with Amazon's AWS Key Management
             Service andfetch keys that can be used by
             MySQL server. It will provide ability to
             store/fetch/remove keys from Key Management
             service.

             In addition, Plugin also introduces two
             UDFs which provides ability to:
             - Rotate Customer Master Key
             - Reencrypt data keys using latest Customer
               Master Key.

Reviewed-By: Georgi Kodinov <[email protected]>

Author: harinvadodaria

CMakeLists.txt

@@ -212,6 +212,7 @@ INCLUDE(plugin)
 INCLUDE(install_macros)
 INCLUDE(install_layout)
 INCLUDE(mysql_add_executable)
+INCLUDE(curl)
 
 # Handle options
 IF(EXISTS ${CMAKE_SOURCE_DIR}/rapid)
@@ -524,6 +525,8 @@ MYSQL_CHECK_LZ4()
 IF(NOT WITHOUT_SERVER)
   MYSQL_CHECK_PROTOBUF()
 ENDIF()
+# Try and set CURL_LIBRARY
+MYSQL_CHECK_CURL()
 
 # Check for SYS_thread_selfid system call
 CHECK_C_SOURCE_COMPILES("

cmake/curl.cmake

@@ -0,0 +1,46 @@
+# Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+MACRO(MYSQL_CHECK_CURL)
+  IF(NOT WIN32)
+   IF(WITH_CURL STREQUAL "system")
+     #  FindCURL.cmake will set
+     #  CURL_INCLUDE_DIRS   - where to find curl/curl.h, etc.
+     #  CURL_LIBRARIES      - List of libraries when using curl.
+     #  CURL_FOUND          - True if curl found.
+     #  CURL_VERSION_STRING - the version of curl found (since CMake 2.8.8)
+     FIND_PACKAGE(CURL)
+     IF(CURL_FOUND)
+       SET(CURL_LIBRARY ${CURL_LIBRARIES} CACHE PATH "Curl library")
+     ENDIF()
+     MESSAGE(STATUS "CURL_LIBRARY = ${CURL_LIBRARY}")
+   ELSEIF(WITH_CURL)
+    LIST(REVERSE CMAKE_FIND_LIBRARY_SUFFIXES)
+    FIND_LIBRARY(CURL_LIBRARY
+      NAMES curl
+      PATHS ${WITH_CURL}
+      NO_DEFAULT_PATH
+      NO_CMAKE_ENVIRONMENT_PATH
+      NO_SYSTEM_ENVIRONMENT_PATH
+    )
+    LIST(REVERSE CMAKE_FIND_LIBRARY_SUFFIXES)
+    MESSAGE(STATUS "CURL_LIBRARY = ${CURL_LIBRARY}")
+   ELSE()
+     MESSAGE(STATUS
+       "You need to set WITH_CURL. This"
+       " variable needs to point to curl library.")
+   ENDIF()
+  ENDIF()
+ENDMACRO()

mysql-test/include/keyring_udf_keyring_plugin_loaded.inc

@@ -1,6 +1,4 @@
 --replace_regex /\.dll/.so/
-eval create function keyring_key_store returns integer soname '$KEYRING_UDF';
---replace_regex /\.dll/.so/
 eval create function keyring_key_fetch returns string soname '$KEYRING_UDF';
 --replace_regex /\.dll/.so/
 eval create function keyring_key_type_fetch returns string soname '$KEYRING_UDF';
@@ -13,10 +11,6 @@ eval create function keyring_key_generate returns integer soname '$KEYRING_UDF';
 
 # Error cases -- wrong argument count
 --error ER_CANT_INITIALIZE_UDF
-select keyring_key_store('Key_1');
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store('Key_1','AES');
---error ER_CANT_INITIALIZE_UDF
 select keyring_key_fetch('Key_1','AES');
 --error ER_CANT_INITIALIZE_UDF
 select keyring_key_type_fetch('Key_1','AES');
@@ -36,22 +30,6 @@ select keyring_key_fetch('Key_1',NULL);
 
 # Error cases -- wrong argument type
 --error ER_CANT_INITIALIZE_UDF
-select keyring_key_store('Key_1','AES',123);
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store(NULL,'AES',123);
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store('Key_1',NULL,123);
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store('Key_1','AES',NULL);
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store(NULL,NULL,NULL);
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store(1234,NULL,'53247@#$%^');
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store(1,'AES','123');
---error ER_CANT_INITIALIZE_UDF
-select keyring_key_store('Key_1',123,'123');
---error ER_CANT_INITIALIZE_UDF
 select keyring_key_fetch(1);
 --error ER_CANT_INITIALIZE_UDF
 select keyring_key_fetch(NULL);
@@ -103,41 +81,20 @@ select LENGTH(@x);
 select keyring_key_type_fetch('Rob_AES_128');
 select keyring_key_length_fetch('Rob_AES_128');
 select keyring_key_remove('Rob_AES_128');
-# Store AES_128
-select keyring_key_store('Rob_AES_128','AES',"0123456789012345");
-select keyring_key_fetch('Rob_AES_128') into @x;
-select LENGTH(@x);
-select keyring_key_type_fetch('Rob_AES_128');
-select keyring_key_length_fetch('Rob_AES_128');
-select keyring_key_remove('Rob_AES_128');
 # Generate AES_192
 select keyring_key_generate('Rob_AES_192','AES',24);
 select keyring_key_fetch('Rob_AES_192') into @x;
 select LENGTH(@x);
 select keyring_key_type_fetch('Rob_AES_192');
 select keyring_key_length_fetch('Rob_AES_192');
 select keyring_key_remove('Rob_AES_192');
-# Store AES_192
-select keyring_key_store('Rob_AES_192','AES',"012345678901234567890%@3");
-select keyring_key_fetch('Rob_AES_192') into @x;
-select LENGTH(@x);
-select keyring_key_type_fetch('Rob_AES_192');
-select keyring_key_length_fetch('Rob_AES_192');
-select keyring_key_remove('Rob_AES_192');
 # Generate AES_256
 select keyring_key_generate('Rob_AES_256','AES',32);
 select keyring_key_fetch('Rob_AES_256') into @x;
 select LENGTH(@x);
 select keyring_key_type_fetch('Rob_AES_256');
 select keyring_key_length_fetch('Rob_AES_256');
 select keyring_key_remove('Rob_AES_256');
-# Store AES_256
-select keyring_key_store('Rob_AES_256','AES',"01234567890123456789012345678901");
-select keyring_key_fetch('Rob_AES_256') into @x;
-select LENGTH(@x);
-select keyring_key_type_fetch('Rob_AES_256');
-select keyring_key_length_fetch('Rob_AES_256');
-select keyring_key_remove('Rob_AES_256');
 # RSA
 # Generate RSA_1024
 select keyring_key_generate('Rob_RSA_1024','RSA',128);
@@ -146,13 +103,6 @@ select LENGTH(@x);
 select keyring_key_type_fetch('Rob_RSA_1024');
 select keyring_key_length_fetch('Rob_RSA_1024');
 select keyring_key_remove('Rob_RSA_1024');
-# Store RSA_1024
-select keyring_key_store('Rob_RSA_1024','RSA',"01234567890123456789012345678901234567890123456789012345678901230123456789012345678901234567890123456789012345678901234567890123");
-select keyring_key_fetch('Rob_RSA_1024') into @x;
-select LENGTH(@x);
-select keyring_key_type_fetch('Rob_RSA_1024');
-select keyring_key_length_fetch('Rob_RSA_1024');
-select keyring_key_remove('Rob_RSA_1024');
 #Generate RSA_2048
 select keyring_key_generate('Rob_RSA_2048','RSA',256);
 select keyring_key_fetch('Rob_RSA_2048') into @x;
@@ -175,13 +125,6 @@ select LENGTH(@x);
 select keyring_key_type_fetch('Rob_DSA_1024');
 select keyring_key_length_fetch('Rob_DSA_1024');
 select keyring_key_remove('Rob_DSA_1024');
-# Store DSA 1024
-select keyring_key_store('Rob_DSA_1024','DSA',"01234567890123456789012345678901234567890123456789012345678901230123456789012345678901234567890123456789012345678901234567890123");
-select keyring_key_fetch('Rob_DSA_1024') into @x;
-select LENGTH(@x);
-select keyring_key_type_fetch('Rob_DSA_1024');
-select keyring_key_length_fetch('Rob_DSA_1024');
-select keyring_key_remove('Rob_DSA_1024');
 # Generate DSA 2048
 select keyring_key_generate('Rob_DSA_2048','DSA',256);
 select keyring_key_fetch('Rob_DSA_2048') into @x;
@@ -244,13 +187,6 @@ select @x;
 --error ER_KEYRING_UDF_KEYRING_SERVICE_ERROR
 select keyring_key_generate('','AES', 16) into @x;
 select @x;
-# Store wrong key type
---error ER_KEYRING_UDF_KEYRING_SERVICE_ERROR
-select keyring_key_store('Wrong_type','xxx', '0123456789012345') into @x;
-select @x;
---error ER_KEYRING_UDF_KEYRING_SERVICE_ERROR
-select keyring_key_store('','AES', '0123456789012345') into @x;
-select @x;
 
 --echo # Testing privileges
 

mysql-test/include/keyring_udf_keyring_plugin_loaded_store_operations.inc

@@ -0,0 +1,75 @@
+--replace_regex /\.dll/.so/
+eval create function keyring_key_store returns integer soname '$KEYRING_UDF';
+
+# Error cases -- wrong argument count
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store('Key_1');
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store('Key_1','AES');
+
+# Error cases -- wrong argument type
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store('Key_1','AES',123);
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store(NULL,'AES',123);
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store('Key_1',NULL,123);
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store('Key_1','AES',NULL);
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store(NULL,NULL,NULL);
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store(1234,NULL,'53247@#$%^');
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store(1,'AES','123');
+--error ER_CANT_INITIALIZE_UDF
+select keyring_key_store('Key_1',123,'123');
+
+# Store AES_128
+select keyring_key_store('Rob_AES_128','AES',"0123456789012345");
+select keyring_key_fetch('Rob_AES_128') into @x;
+select LENGTH(@x);
+select keyring_key_type_fetch('Rob_AES_128');
+select keyring_key_length_fetch('Rob_AES_128');
+select keyring_key_remove('Rob_AES_128');
+
+# Store AES_192
+select keyring_key_store('Rob_AES_192','AES',"012345678901234567890%@3");
+select keyring_key_fetch('Rob_AES_192') into @x;
+select LENGTH(@x);
+select keyring_key_type_fetch('Rob_AES_192');
+select keyring_key_length_fetch('Rob_AES_192');
+select keyring_key_remove('Rob_AES_192');
+
+# Store AES_256
+select keyring_key_store('Rob_AES_256','AES',"01234567890123456789012345678901");
+select keyring_key_fetch('Rob_AES_256') into @x;
+select LENGTH(@x);
+select keyring_key_type_fetch('Rob_AES_256');
+select keyring_key_length_fetch('Rob_AES_256');
+select keyring_key_remove('Rob_AES_256');
+
+# Store RSA_1024
+select keyring_key_store('Rob_RSA_1024','RSA',"01234567890123456789012345678901234567890123456789012345678901230123456789012345678901234567890123456789012345678901234567890123");
+select keyring_key_fetch('Rob_RSA_1024') into @x;
+select LENGTH(@x);
+select keyring_key_type_fetch('Rob_RSA_1024');
+select keyring_key_length_fetch('Rob_RSA_1024');
+select keyring_key_remove('Rob_RSA_1024');
+
+# Store DSA_1024
+select keyring_key_store('Rob_DSA_1024','DSA',"01234567890123456789012345678901234567890123456789012345678901230123456789012345678901234567890123456789012345678901234567890123");
+select keyring_key_fetch('Rob_DSA_1024') into @x;
+select LENGTH(@x);
+select keyring_key_type_fetch('Rob_DSA_1024');
+select keyring_key_length_fetch('Rob_DSA_1024');
+select keyring_key_remove('Rob_DSA_1024');
+
+# Store wrong key type
+--error ER_KEYRING_UDF_KEYRING_SERVICE_ERROR
+select keyring_key_store('Wrong_type','xxx', '0123456789012345') into @x;
+select @x;
+--error ER_KEYRING_UDF_KEYRING_SERVICE_ERROR
+select keyring_key_store('','AES', '0123456789012345') into @x;
+select @x;
+

mysql-test/mysql-test-run.pl

@@ -2607,7 +2607,6 @@ sub environment_setup {
   $ENV{'MYSQL_BINDIR'}=       "$bindir";
   $ENV{'MYSQL_SHAREDIR'}=     $path_language;
   $ENV{'MYSQL_CHARSETSDIR'}=  $path_charsetsdir;
-  
   if (IS_WINDOWS)
   {
     $ENV{'SECURE_LOAD_PATH'}= $glob_mysql_test_dir."\\std_data";

mysql-test/suite/auth_sec/r/keyring_file_data_qa.result

@@ -14,19 +14,17 @@ PLUGIN_NAME	keyring_file
 PLUGIN_VERSION	1.0
 PLUGIN_STATUS	ACTIVE
 
-SET @@global.keyring_file_data= 'MYSQL_TMP_DIR/keyring';
+SET @@global.keyring_file_data='keyring_file';
 SELECT @@global.keyring_file_data;
 @@global.keyring_file_data
-MYSQL_TMP_DIR/keyring
+keyring_file
 CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
 SET @@global.keyring_file_data= 'MYSQL_TMP_DIR/new_keyring_file_data';
 SELECT @@global.keyring_file_data;
 @@global.keyring_file_data
 MYSQL_TMP_DIR/new_keyring_file_data
 SET @@global.keyring_file_data='';
 ERROR 42000: Variable 'keyring_file_data' can't be set to the value of ''
-SET @@global.keyring_file_data='#^$^@E&(';
-ERROR 42000: Variable 'keyring_file_data' can't be set to the value of '#^$^@E&('
 SET @@global.keyring_file_data=1;
 ERROR 42000: Incorrect argument type to variable 'keyring_file_data'
 SET @@global.keyring_file_data='/';