Re: Key management with tests

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>, Masahiko Sawada <masahiko(dot)sawada(at)2ndquadrant(dot)com>
Subject: Re: Key management with tests
Date: 2021-01-15 20:49:26
Message-ID: 20210115204926.GD8740@momjian.us
Lists: pgsql-hackers

On Tue, Jan 12, 2021 at 12:04:09PM -0500, Bruce Momjian wrote:
> On Sun, Jan 10, 2021 at 09:51:16AM -0500, Bruce Momjian wrote:
> > OK, here they are with numeric prefixes. It was actually tricky to
> > figure out how to create a squashed format-patch based on another branch.
>
> Here is an updated version built on top of Michael Paquier's patch
> posted here:
>
> https://www.postgresql.org/message-id/X/0IChOPHd+aYC1w(at)paquier(dot)xyz
>
> and included as my first attachment. This will give Michael's patch
> cfbot testing too since the second attachment calls many of the first
> attachment's functions.

Now that Michael's hex encoding patch is committed, I am reposting my
key management patch without Michael's patch. It is improved since the
mid-December version:

* TAP tests for encrypt/decryption, wrapped key creation and decryption,
and KEK rotation
* built on top of new hex encoding functions in /common
* passes cfbot testing
* handles disabled OpenSSL library properly
* handles Windows builds properly

I also learned a lot about format-patch, cfbot testing, and TAP tests.
:-)

It still can't test everything, like prompting from /dev/tty. Also, if
we don't get data encryption into PG 14, we are going to need to hide
the user interface for some of this until it is useful. Prompting from
/dev/tty for the TLS private key passphrase already works and will be a
useful PG 14 feature, so that part of the API will be visible in PG 14.

I am planning to apply this next week.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee

Attachment Content-Type Size
key.diff.gz application/gzip 120.9 KB
