(solr-sandbox) branch main updated: Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 17. (#99)

Wed, 24 Jan 2024 05:52:56 -0800 

This is an automated email from the ASF dual-hosted git repository.

broustant pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-sandbox.git


The following commit(s) were added to refs/heads/main by this push:
     new 50b8f9b  Refactor EncryptionRequestHandlerTest and update 
encryption.md about jdk 17. (#99)
50b8f9b is described below

commit 50b8f9bf740cba4161dd7e0d01edba9677bb5769
Author: Bruno Roustant <[email protected]>
AuthorDate: Wed Jan 24 14:52:45 2024 +0100

    Refactor EncryptionRequestHandlerTest and update encryption.md about jdk 
17. (#99)
---
 ENCRYPTION.md                                      |  7 ++-
 .../encryption/EncryptionRequestHandlerTest.java   | 51 ++++++++++------------
 2 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/ENCRYPTION.md b/ENCRYPTION.md
index 72c7b14..759f77b 100644
--- a/ENCRYPTION.md
+++ b/ENCRYPTION.md
@@ -22,7 +22,8 @@ per-directory, making multi-tenant use-cases possible. If you 
can use OS-level e
 Java-level encryption.
 
 - Java-level encryption can be used when the OS-level encryption management is 
not possible (e.g. host machine managed
-by a cloud provider). It has an impact on performance: expect -20% on most 
queries, -60% on multi-term queries.
+by a cloud provider), or when even admin rights should not allow to get clear 
access to the index files. It has an
+impact on performance: expect -20% on most queries, -60% on multi-term queries.
 
 [1] https://wiki.archlinux.org/title/Fscrypt
 
@@ -88,7 +89,9 @@ the specified folder.
 `encrypterFactory` is an optional parameter to specify the 
`org.apache.solr.encryption.crypto.AesCtrEncrypterFactory`
 to use. By default `CipherAesCtrEncrypter$Factory` is used. You can change to 
`LightAesCtrEncrypter$Factory` for a
 more lightweight and efficient implementation (+10% perf), but it calls an 
internal com.sun.crypto.provider.AESCrypt()
-constructor which logs a JDK warning (Illegal reflective access).
+constructor which either logs a JDK warning (Illegal reflective access) with 
JDK 16 and below, or with JDK 17 and above
+requires to open the access to the com.sun.crypto.provider package with the 
jvm arg
+`--add-opens=java.base/com.sun.crypto.provider=ALL-UNNAMED`.
 
 `EncryptionUpdateHandler` replaces the standard `DirectUpdateHandler2` (which 
it extends) to store persistently the
 encryption key id in the commit metadata. It supports all the configuration 
parameters of `DirectUpdateHandler2`.
diff --git 
a/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
 
b/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
index 5b70650..f2515af 100644
--- 
a/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
+++ 
b/encryption/src/test/java/org/apache/solr/encryption/EncryptionRequestHandlerTest.java
@@ -88,9 +88,7 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
   @Test
   public void testEncryptionFromNoKeysToOneKey_NoIndex() throws Exception {
     // Send an encrypt request with a key id on an empty index.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
-    assertTrue(encryptionStatus.isSuccess());
-    assertTrue(encryptionStatus.isComplete());
+    encryptAndExpectCompletion(KEY_ID_1);
 
     // Index some documents to create a first segment.
     testUtil.indexDocsAndCommit("weather broadcast");
@@ -106,14 +104,10 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
   @Test
   public void testEncryptionFromNoKeysToOneKeyToNoKeys_NoIndex() throws 
Exception {
     // Send an encrypt request with a key id on an empty index.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
-    assertTrue(encryptionStatus.isSuccess());
-    assertTrue(encryptionStatus.isComplete());
+    encryptAndExpectCompletion(KEY_ID_1);
 
     // Send another encrypt request with no key id, still on the empty index.
-    encryptionStatus = testUtil.encrypt(NO_KEY_ID);
-    assertTrue(encryptionStatus.isSuccess());
-    assertTrue(encryptionStatus.isComplete());
+    encryptAndExpectCompletion(NO_KEY_ID);
 
     // Index some documents to create a first segment.
     testUtil.indexDocsAndCommit("weather broadcast");
@@ -140,11 +134,7 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
     forceClearText = false;
 
     // Send an encrypt request with a key id.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_1);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(KEY_ID_1);
+    encryptAndWaitForCompletion(KEY_ID_1);
 
     // Verify that the segment is encrypted.
     forceClearText = true;
@@ -164,11 +154,7 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
     testUtil.indexDocsAndCommit("foggy weather");
 
     // Send an encrypt request with another key id.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(KEY_ID_2);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(KEY_ID_2);
+    encryptAndWaitForCompletion(KEY_ID_2);
 
     // Verify that the segment is encrypted.
     forceClearText = true;
@@ -187,11 +173,7 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
     testUtil.indexDocsAndCommit("foggy weather");
 
     // Send an encrypt request with no key id.
-    EncryptionStatus encryptionStatus = testUtil.encrypt(NO_KEY_ID);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(NO_KEY_ID);
+    encryptAndWaitForCompletion(NO_KEY_ID);
 
     // Verify that the segment is cleartext.
     forceClearText = true;
@@ -203,11 +185,7 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
     testUtil.indexDocsAndCommit("cloudy weather");
 
     // Send an encrypt request with another key id.
-    encryptionStatus = testUtil.encrypt(KEY_ID_2);
-    assertTrue(encryptionStatus.isSuccess());
-    assertFalse(encryptionStatus.isComplete());
-
-    testUtil.waitUntilEncryptionIsComplete(KEY_ID_2);
+    encryptAndWaitForCompletion(KEY_ID_2);
 
     // Verify that the segment is encrypted.
     forceClearText = true;
@@ -218,6 +196,21 @@ public class EncryptionRequestHandlerTest extends 
SolrCloudTestCase {
     testUtil.assertQueryReturns("weather", 4);
   }
 
+  private void encryptAndExpectCompletion(String keyId) {
+    encrypt(keyId, true);
+  }
+
+  private void encryptAndWaitForCompletion(String keyId) throws 
InterruptedException {
+    encrypt(keyId, false);
+    testUtil.waitUntilEncryptionIsComplete(keyId);
+  }
+
+  private void encrypt(String keyId, boolean expectComplete) {
+    EncryptionStatus encryptionStatus = testUtil.encrypt(keyId);
+    assertTrue(encryptionStatus.isSuccess());
+    assertEquals(expectComplete, encryptionStatus.isComplete());
+  }
+
   private static void clearMockValues() {
     forceClearText = false;
     soleKeyIdAllowed = null;

Reply via email to