Merge branch 'main' into PG-1013-Doc-update-functions

percona · Dec 11, 2024 · 9a69dbe · 9a69dbe
2 parents 39347c8 + ec1a9c1
commit 9a69dbe
Show file tree

Hide file tree

Showing 26 changed files with 161 additions and 1,067 deletions.
diff --git a/.github/workflows/postgresql-17-src-meson-perf.yml b/.github/workflows/postgresql-17-src-meson-perf.yml
@@ -1,9 +1,7 @@
 name: Perf test
 on: [pull_request]
 permissions:
-  contents: write
-  pull-requests: write
-  repository-projects: write
+  contents: read
 
 jobs:
   build:

diff --git a/.github/workflows/postgresql-perf-results.yml b/.github/workflows/postgresql-perf-results.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -43,6 +43,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard (optional).
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 *.so
 *.o
+*.frontend
 __pycache__
 
 /config.cache

diff --git a/Makefile.tools b/Makefile.tools
@@ -1,20 +1,23 @@
 TDE_OBJS = \
- 	src/access/pg_tde_tdemap.o \
- 	src/access/pg_tde_xlog_encrypt.o \
- 	src/catalog/tde_global_space.o \
- 	src/catalog/tde_keyring.o \
- 	src/catalog/tde_keyring_parse_opts.o \
- 	src/catalog/tde_principal_key.o \
- 	src/common/pg_tde_utils.o \
- 	src/encryption/enc_aes.o \
- 	src/encryption/enc_tde.o \
- 	src/keyring/keyring_api.o \
- 	src/keyring/keyring_curl.o \
- 	src/keyring/keyring_file.o \
- 	src/keyring/keyring_vault.o \
-	src/keyring/keyring_kmip.o \
-	src/keyring/keyring_kmip_ereport.o \
-	src/libkmip/libkmip/src/kmip.o \
-	src/libkmip/libkmip/src/kmip_bio.o \
-	src/libkmip/libkmip/src/kmip_locate.o \
-	src/libkmip/libkmip/src/kmip_memset.o
+ 	src/access/pg_tde_tdemap.frontend \
+ 	src/access/pg_tde_xlog_encrypt.frontend \
+ 	src/catalog/tde_global_space.frontend \
+ 	src/catalog/tde_keyring.frontend \
+ 	src/catalog/tde_keyring_parse_opts.frontend \
+ 	src/catalog/tde_principal_key.frontend \
+ 	src/common/pg_tde_utils.frontend \
+ 	src/encryption/enc_aes.frontend \
+ 	src/encryption/enc_tde.frontend \
+ 	src/keyring/keyring_api.frontend \
+ 	src/keyring/keyring_curl.frontend \
+ 	src/keyring/keyring_file.frontend \
+ 	src/keyring/keyring_vault.frontend \
+	src/keyring/keyring_kmip.frontend \
+	src/keyring/keyring_kmip_ereport.frontend \
+	src/libkmip/libkmip/src/kmip.frontend \
+	src/libkmip/libkmip/src/kmip_bio.frontend \
+	src/libkmip/libkmip/src/kmip_locate.frontend \
+	src/libkmip/libkmip/src/kmip_memset.frontend
+
+%.frontend: %.c
+	$(CC) $(CPPFLAGS) -c $< -o $@
diff --git a/meson.build b/meson.build
@@ -43,15 +43,22 @@ pg_tde_sources = files(
         'src/pg_tde_defs.c',
         'src/pg_tde.c',
         'src/pg_tde_event_capture.c',
+)
+
+incdir = include_directories(src_version / 'include', 'src/include', '.', 'src/libkmip/libkmip/include/')
 
+kmip = static_library(
+  'kmip',
+  files( 
         'src/libkmip/libkmip/src/kmip.c',
         'src/libkmip/libkmip/src/kmip_bio.c',
         'src/libkmip/libkmip/src/kmip_locate.c',
-        'src/libkmip/libkmip/src/kmip_memset.c',
+        'src/libkmip/libkmip/src/kmip_memset.c'
+        ),
+  c_args: [ '-w' ], # This is a 3rd party, disable warnings completely
+  include_directories: incdir
 )
 
-incdir = include_directories(src_version / 'include', 'src/include', '.', 'src/libkmip/libkmip/include/')
-
 deps_update = {'dependencies': contrib_mod_args.get('dependencies') + [curldep]}
 
 mod_args = contrib_mod_args + deps_update
@@ -61,6 +68,7 @@ pg_tde = shared_module('pg_tde',
   c_pch: pch_postgres_h,
   kwargs: mod_args,
   include_directories: incdir,
+  link_whole: [kmip]
 )
 contrib_targets += pg_tde
 
@@ -136,8 +144,6 @@ if get_variable('percona_ext', false)
   ]
 endif
 
-
-
 tests += {
   'name': 'pg_tde',
   'sd': meson.current_source_dir(),
@@ -150,3 +156,33 @@ tests += {
   'tap': {
     'tests': tap_tests  },
 }
+
+# TODO: do not duplicate
+tde_decrypt_sources = files(
+   'src/access/pg_tde_tdemap.c',
+   'src/access/pg_tde_xlog_encrypt.c',
+   'src/catalog/tde_global_space.c',
+   'src/catalog/tde_keyring.c',
+   'src/catalog/tde_keyring_parse_opts.c',
+   'src/catalog/tde_principal_key.c',
+   'src/common/pg_tde_utils.c',
+   'src/encryption/enc_aes.c',
+   'src/encryption/enc_tde.c',
+   'src/keyring/keyring_api.c',
+   'src/keyring/keyring_curl.c',
+   'src/keyring/keyring_file.c',
+   'src/keyring/keyring_vault.c',
+   'src/keyring/keyring_kmip.c',
+   'src/keyring/keyring_kmip_ereport.c',
+ )
+
+pg_tde_inc = incdir
+
+pg_tde_frontend = static_library('pg_tde_frontend',
+  tde_decrypt_sources,
+  c_pch: pch_postgres_h,
+  c_args: ['-DFRONTEND'],
+  kwargs: mod_args,
+  include_directories: incdir,
+  link_whole: [kmip]
+)
diff --git a/src/access/pg_tde_ddl.c b/src/access/pg_tde_ddl.c
@@ -40,8 +40,6 @@ tdeheap_object_access_hook(ObjectAccessType access, Oid classId, Oid objectId,
 
 	if (access == OAT_DROP && classId == RelationRelationId)
 	{
-		ObjectAccessDrop *drop_arg = (ObjectAccessDrop *) arg;
-
 		rel = relation_open(objectId, AccessShareLock);
 	}
 	if (rel != NULL)

diff --git a/src/access/pg_tde_slot.c b/src/access/pg_tde_slot.c
@@ -56,7 +56,7 @@ tdeheap_tts_buffer_heap_init(TupleTableSlot *slot)
 static void
 tdeheap_tts_buffer_heap_release(TupleTableSlot *slot)
 {
-	TDEBufferHeapTupleTableSlot *bslot = (TDEBufferHeapTupleTableSlot *) slot;
+	// nop
 }
 
 static void

diff --git a/src/access/pg_tde_tdemap.c b/src/access/pg_tde_tdemap.c
@@ -596,7 +596,6 @@ pg_tde_free_key_map_entry(const RelFileLocator *rlocator, uint32 key_type, off_t
 {
 	int32	key_index = 0;
 	char	db_map_path[MAXPGPATH] = {0};
-	off_t	start = 0;
 
 	Assert(rlocator);
 
@@ -680,6 +679,7 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p
 	off_t xlrec_size;
 	char db_map_path[MAXPGPATH] = {0};
 	char db_keydata_path[MAXPGPATH] = {0};
+	bool success = true;
 
 	/* Set the file paths */
 	pg_tde_set_db_file_paths(principal_key->keyInfo.databaseId,
@@ -757,8 +757,8 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p
 
 	/* TODO: pgstat_report_wait_start / pgstat_report_wait_end */
 	/* TODO: error handling */
-	pg_pread(m_fd[NEW_PRINCIPAL_KEY], xlrec->buff, xlrec->map_size, 0);
-	pg_pread(k_fd[NEW_PRINCIPAL_KEY], &xlrec->buff[xlrec->map_size], xlrec->keydata_size, 0);
+	if(pg_pread(m_fd[NEW_PRINCIPAL_KEY], xlrec->buff, xlrec->map_size, 0) == -1) success = false;
+	if(pg_pread(k_fd[NEW_PRINCIPAL_KEY], &xlrec->buff[xlrec->map_size], xlrec->keydata_size, 0) == -1) success = false;
 
 	/* Close the files */
 	close(m_fd[NEW_PRINCIPAL_KEY]);
@@ -776,7 +776,7 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p
 	/* Free up the palloc'ed data */
 	pfree(xlrec);
 
-	return true;
+	return success;
 
 #undef OLD_PRINCIPAL_KEY
 #undef NEW_PRINCIPAL_KEY
@@ -864,14 +864,12 @@ pg_tde_write_map_keydata_files(off_t map_size, char *m_file_data, off_t keydata_
  * Saves the relation key with the new relfilenode.
  * Needed by ALTER TABLE SET TABLESPACE for example.
  */
-bool
+void
 pg_tde_move_rel_key(const RelFileLocator *newrlocator, const RelFileLocator *oldrlocator)
 {
 	RelKeyData 	*rel_key;
 	RelKeyData 	*enc_key;
 	TDEPrincipalKey *principal_key;
-	KeyringProvideRecord provider_rec;
-    GenericKeyring *keyring;
 	XLogRelKey	xlrec;
 	char		db_map_path[MAXPGPATH] = {0};
 	char		db_keydata_path[MAXPGPATH] = {0};

diff --git a/src/catalog/tde_keyring.c b/src/catalog/tde_keyring.c
@@ -715,7 +715,7 @@ fetch_next_key_provider(int fd, off_t *curr_pos, KeyringProvideRecord *provider)
 		ereport(ERROR,
 				(errcode_for_file_access(),
 				 errmsg("key provider info file is corrupted: %m"),
-				 errdetail("invalid key provider record size %lld expected %lu", bytes_read, sizeof(KeyringProvideRecord))));
+				 errdetail("invalid key provider record size %ld expected %lu", bytes_read, sizeof(KeyringProvideRecord))));
 	}
 	return true;
 }
diff --git a/src/catalog/tde_keyring_parse_opts.c b/src/catalog/tde_keyring_parse_opts.c
@@ -494,13 +494,19 @@ get_file_kring_value(const char *path, const char *field_name)
 	fd = BasicOpenFile(path, O_RDONLY);
 	if (fd < 0)
 	{
-		elog(WARNING, "filed to open file %s for %s", path, field_name);
+		elog(WARNING, "failed to open file %s for %s", path, field_name);
 		return NULL;
 	}
 
 	/* TODO: we never pfree it */
 	val = palloc0(MAX_CONFIG_FILE_DATA_LENGTH);
-	pg_pread(fd, val, MAX_CONFIG_FILE_DATA_LENGTH, 0);
+	if(pg_pread(fd, val, MAX_CONFIG_FILE_DATA_LENGTH, 0) == -1)
+	{
+		elog(WARNING, "failed to read file %s for %s", path, field_name);
+		pfree(val);
+		close(fd);
+		return NULL;
+	}
 	/* remove trailing whitespace */
 	val[strcspn(val, " \t\n\r")] = '\0';
 

diff --git a/src/catalog/tde_principal_key.c b/src/catalog/tde_principal_key.c
@@ -845,7 +845,7 @@ pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid)
  * Gets principal key form the keyring and pops it into cache if key exists
  * Caller should hold an exclusive tde_lwlock_enc_keys lock
  */
-TDEPrincipalKey *
+static TDEPrincipalKey *
 get_principal_key_from_keyring(Oid dbOid)
 {
 	GenericKeyring *keyring;

diff --git a/src/common/pg_tde_utils.c b/src/common/pg_tde_utils.c
@@ -149,7 +149,7 @@ pg_tde_set_data_dir(const char *dir)
 
 /* returns the palloc'd string */
 char *
-pg_tde_get_tde_data_dir()
+pg_tde_get_tde_data_dir(void)
 {
 	return globalspace_dir;
 }
diff --git a/src/encryption/enc_tde.c b/src/encryption/enc_tde.c
@@ -22,6 +22,7 @@ iv_prefix_debug(const char *iv_prefix, char *out_hex)
 }
 #endif
 
+#ifndef FRONTEND
 static void
 SetIVPrefix(ItemPointerData *ip, char *iv_prefix)
 {
@@ -39,6 +40,7 @@ SetIVPrefix(ItemPointerData *ip, char *iv_prefix)
 	iv_prefix[4] = ip->ip_posid / 256;
 	iv_prefix[5] = ip->ip_posid % 256;
 }
+#endif
 
 /*
  * ================================================================
@@ -269,14 +271,16 @@ AesDecryptKey(const TDEPrincipalKey *principal_key, Oid dbOid, RelKeyData **p_re
 {
 	unsigned char iv[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 
+#ifndef FRONTEND
+	MemoryContext oldcontext;
+#endif
+
 	/* Ensure we are getting a valid pointer here */
 	Assert(principal_key);
 
 	memcpy(iv, &dbOid, sizeof(Oid));
 
 #ifndef FRONTEND
-	MemoryContext oldcontext;
-
 	oldcontext = MemoryContextSwitchTo(TopMemoryContext);
 #endif
 

diff --git a/src/include/access/pg_tde_tdemap.h b/src/include/access/pg_tde_tdemap.h
@@ -73,7 +73,7 @@ extern RelKeyData *tde_create_rel_key(RelFileNumber rel_num, InternalKey *key, T
 extern RelKeyData *tde_encrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *rel_key_data, Oid dbOid);
 extern RelKeyData *tde_decrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *enc_rel_key_data, Oid dbOid);
 extern RelKeyData *pg_tde_get_key_from_file(const RelFileLocator *rlocator, uint32 key_type, bool no_map_ok);
-extern bool pg_tde_move_rel_key(const RelFileLocator *newrlocator, const RelFileLocator *oldrlocator);
+extern void pg_tde_move_rel_key(const RelFileLocator *newrlocator, const RelFileLocator *oldrlocator);
 
 #define PG_TDE_MAP_FILENAME			"pg_tde_%d_map"
 #define PG_TDE_KEYDATA_FILENAME		"pg_tde_%d_dat"

diff --git a/src/include/common/pg_tde_utils.h b/src/include/common/pg_tde_utils.h
@@ -20,5 +20,5 @@ extern int	get_tde_tables_count(void);
 #endif /* !FRONTEND */
 
 extern void pg_tde_set_data_dir(const char *dir);
-extern char* pg_tde_get_tde_data_dir();
+extern char* pg_tde_get_tde_data_dir(void);
 #endif /* PG_TDE_UTILS_H */
diff --git a/src/include/pg_tde_fe.h b/src/include/pg_tde_fe.h
@@ -54,13 +54,15 @@
 			exit(1);				\
 	} while(0)
 
+#undef elog
 #define elog(elevel, fmt, ...) \
 	do {							\
 		tde_fe_error_level = elevel;	\
 		errmsg(fmt, ##__VA_ARGS__);		\
 		tde_error_handle_exit(elevel);	\
 	} while(0)
 
+#undef ereport
 #define ereport(elevel,...)		\
 	do {							\
 		tde_fe_error_level = elevel;	\