Posted to commits@solr.apache.org by br...@apache.org on 2024/01/24 13:52:51 UTC

(solr-sandbox) branch main updated: Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)

This is an automated email from the ASF dual-hosted git repository.

broustant pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-sandbox.git


The following commit(s) were added to refs/heads/main by this push:
     new 50b8f9b  Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)
50b8f9b is described below

commit 50b8f9bf740cba4161dd7e0d01edba9677bb5769
Author: Bruno Roustant <33...@users.noreply.github.com>
AuthorDate: Wed Jan 24 14:52:45 2024 +0100

    Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)
---
 ENCRYPTION.md                                      |  7 ++-
 .../encryption/EncryptionRequestHandlerTest.java   | 51 ++++++++++------------
 2 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/ENCRYPTION.md b/ENCRYPTION.md
index 72c7b14..759f77b 100644
--- a/ENCRYPTION.md
+++ b/ENCRYPTION.md
@@ -22,7 +22,8 @@ per-directory, making multi-tenant use-cases possible. If you can use OS-level e
 Java-level encryption.
 
 - Java-level encryption can be used when the OS-level encryption management is not possible (e.g. host machine managed
-by a cloud provider). It has an impact on performance: expect -20% on most queries, -60% on multi-term queries.
+by a cloud provider), or when even admin rights should not allow to get clear access to the index files. It has an
+impact on performance: expect -20% on most queries, -60% on multi-term queries.
 
 [1] https://wiki.archlinux.org/title/Fscrypt
 
@@ -88,7 +89,9 @@ the specified folder.
 `encrypterFactory` is an optional parameter to specify the `org.apache.solr.encryption.crypto.AesCtrEncrypterFactory`
 to use. By default `CipherAesCtrEncrypter$Factory` is used. You can change to `LightAesCtrEncrypter$Factory` for a
 more lightweight and efficient implementation (+10% perf), but it calls an internal com.sun.crypto.provider.AESCrypt()
-constructor which logs a JDK warning (Illegal reflective access).
+constructor which either logs a JDK warning (Illegal reflective access) with JDK 16 and below, or with JDK 17 and above
+requires to open the access to the com.sun.crypto.provider package with the jvm arg
+`--add-opens=java.base/com.sun.crypto.provider=ALL-UNNAMED`.
 
 `EncryptionUpdateHandler` replaces the standard `DirectUpdateHandler2` (which it extends) to store persistently the
 encryption key id in the commit metadata. It supports all the configuration parameters of `DirectUpdateHandler2`.
diff --git a/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java b/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
index 5b70650..f2515af 100644
--- a/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
+++ b/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
@@ -88,9 +88,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
   @Test
   public void testEncryptionFromNoKeysToOneKey_NoIndex() throws Exception {
     // Send an encrypt request with a key id on an empty index.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
-    assertTrue(encryptionStatus.isSuccess());
-    assertTrue(encryptionStatus.isComplete());
+    encryptAndExpectCompletion(KEY_ID_1);
 
     // Index some documents to create a first segment.
     testUtil.indexDocsAndCommit("weather broadcast");
@@ -106,14 +104,10 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
   @Test
   public void testEncryptionFromNoKeysToOneKeyToNoKeys_NoIndex() throws Exception {
     // Send an encrypt request with a key id on an empty index.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
-    assertTrue(encryptionStatus.isSuccess());
-    assertTrue(encryptionStatus.isComplete());
+    encryptAndExpectCompletion(KEY_ID_1);
 
     // Send another encrypt request with no key id, still on the empty index.
-    encryptionStatus = testUtil.encrypt(NO_KEY_ID);
-    assertTrue(encryptionStatus.isSuccess());
-    assertTrue(encryptionStatus.isComplete());
+    encryptAndExpectCompletion(NO_KEY_ID);
 
     // Index some documents to create a first segment.
     testUtil.indexDocsAndCommit("weather broadcast");
@@ -140,11 +134,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
     forceClearText = false;
 
     // Send an encrypt request with a key id.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(KEY_ID_1);
+    encryptAndWaitForCompletion(KEY_ID_1);
 
     // Verify that the segment is encrypted.
     forceClearText = true;
@@ -164,11 +154,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
     testUtil.indexDocsAndCommit("foggy weather");
 
     // Send an encrypt request with another key id.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_2);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(KEY_ID_2);
+    encryptAndWaitForCompletion(KEY_ID_2);
 
     // Verify that the segment is encrypted.
     forceClearText = true;
@@ -187,11 +173,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
     testUtil.indexDocsAndCommit("foggy weather");
 
     // Send an encrypt request with no key id.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(NO_KEY_ID);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(NO_KEY_ID);
+    encryptAndWaitForCompletion(NO_KEY_ID);
 
     // Verify that the segment is cleartext.
     forceClearText = true;
@@ -203,11 +185,7 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
     testUtil.indexDocsAndCommit("cloudy weather");
 
     // Send an encrypt request with another key id.
-    encryptionStatus = testUtil.encrypt(KEY_ID_2);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(KEY_ID_2);
+    encryptAndWaitForCompletion(KEY_ID_2);
 
     // Verify that the segment is encrypted.
     forceClearText = true;
@@ -218,6 +196,21 @@ public class EncryptionRequestHandlerTest extends SolrCloudTestCase {
     testUtil.assertQueryReturns("weather", 4);
   }
 
+  private void encryptAndExpectCompletion(String keyId) {
+    encrypt(keyId, true);
+  }
+
+  private void encryptAndWaitForCompletion(String keyId) throws InterruptedException {
+    encrypt(keyId, false);
+    testUtil.waitUntilEncryptionIsComplete(keyId);
+  }
+
+  private void encrypt(String keyId, boolean expectComplete) {
+    EncryptionStatus encryptionStatus = testUtil.encrypt(keyId);
+    assertTrue(encryptionStatus.isSuccess());
+    assertEquals(expectComplete, encryptionStatus.isComplete());
+  }
+
   private static void clearMockValues() {
     forceClearText = false;
     soleKeyIdAllowed = null;
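Review bot: The two assertions in the new private `encrypt(String keyId, boolean expectComplete)` helper carry no failure message, so a failure no longer says which key id or which completion expectation was violated now that every test shares them. Passing the key id through would fix that: `assertTrue("encrypt request failed for keyId=" + keyId, encryptionStatus.isSuccess());` and `assertEquals("unexpected completion state for keyId=" + keyId, expectComplete, encryptionStatus.isComplete());`. The helpers also have no comments stating their contract. Judging by the call sites, `encryptAndExpectCompletion` is only used on an empty index where the request reports completion at once, while `encryptAndWaitForCompletion` asserts the request is not yet complete and then waits. A one-line Javadoc on each would record this, for example `/** Sends an encrypt request and asserts it completes immediately (used on an empty index). */`. The three helpers are fully inside this hunk; the enclosing class continues outside it.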