Add encryption support through SQLite3MultipleCiphers (#288)

Author: simolus3

.github/workflows/prebuild_assets.yml

@@ -26,7 +26,7 @@ jobs:
         id: cache_prebuild
         with:
           path: internal/prebuild-binaries/build/output
-          key: sqlite-build-${{ hashFiles('internal/prebuild-binaries', 'plugins/build-plugin') }}
+          key: sqlite-build-${{ hashFiles('internal/prebuild-binaries/build.gradle.kts', 'plugins/build-plugin/src') }}
 
       - name: Validate Gradle Wrapper
         if: steps.cache_prebuild.outputs.cache-hit != 'true'
@@ -50,10 +50,18 @@ jobs:
       - name: Set up XCode
         if: steps.cache_prebuild.outputs.cache-hit != 'true'
         uses: maxim-lobanov/setup-xcode@v1
+      - name: Download build tools
+        if: steps.cache_prebuild.outputs.cache-hit != 'true'
+        run: |
+          brew install lld
+          cd internal/prebuild-binaries
+          ./download_glibc.sh
+          ./download_llvm_mingw.sh
+
       - name: Compile SQLite with Gradle
         if: steps.cache_prebuild.outputs.cache-hit != 'true'
         run: |
-          ./gradlew --scan internal:prebuild-binaries:compileNative
+          ./gradlew --scan internal:prebuild-binaries:compileAll
         shell: bash
       - uses: actions/upload-artifact@v5
         id: upload

README.md

@@ -41,6 +41,9 @@ and API documentation [here](https://powersync-ja.github.io/powersync-kotlin/).
     connector provides the connection between your application backend and the PowerSync managed database. It is used to:
       1. Retrieve a token to connect to the PowerSync service.
       2. Apply local changes on your backend application server (and from there, to your backend database).
+- [sqlite3multipleciphers](./sqlite3multipleciphers/)
+
+    - A SQLite driver implementation based on SQLite3MultipleCiphers.
 
 ## Demo Apps / Example Projects
 

build.gradle.kts

@@ -73,6 +73,7 @@ dependencies {
     dokka(project(":integrations:room"))
     dokka(project(":integrations:sqldelight"))
     dokka(project(":integrations:supabase"))
+    dokka(projects.sqlite3multipleciphers)
 }
 
 dokka {

common/build.gradle.kts

@@ -137,6 +137,7 @@ kotlin {
                 optIn("kotlinx.cinterop.ExperimentalForeignApi")
                 optIn("kotlin.time.ExperimentalTime")
                 optIn("kotlin.experimental.ExperimentalObjCRefinement")
+                optIn("com.powersync.PowerSyncInternal")
             }
         }
 
@@ -239,8 +240,6 @@ android {
                 .toInt()
         consumerProguardFiles("proguard-rules.pro")
     }
-
-    ndkVersion = "27.1.12297006"
 }
 
 tasks.named<ProcessResources>(kotlin.jvm().compilations["main"].processResourcesTaskName) {

common/src/commonMain/kotlin/com/powersync/PowerSyncInternal.kt

@@ -0,0 +1,12 @@
+package com.powersync
+
+@RequiresOptIn(message = "This API should not be used outside of PowerSync SDK packages")
+@Retention(AnnotationRetention.BINARY)
+@Target(
+    AnnotationTarget.CLASS,
+    AnnotationTarget.FUNCTION,
+    AnnotationTarget.CONSTRUCTOR,
+    AnnotationTarget.PROPERTY,
+    AnnotationTarget.VALUE_PARAMETER,
+)
+public annotation class PowerSyncInternal

common/src/jvmMain/kotlin/com/powersync/ConnectionFactory.jvm.kt

@@ -5,4 +5,4 @@ import com.powersync.db.runWrapped
 @Throws(PowerSyncException::class)
 public actual fun resolvePowerSyncLoadableExtensionPath(): String? = runWrapped { powersyncExtension }
 
-private val powersyncExtension: String by lazy { extractLib("powersync") }
+private val powersyncExtension: String by lazy { extractLib(BuildConfig::class, "powersync") }

common/src/jvmMain/kotlin/com/powersync/ExtractLib.kt

@@ -2,10 +2,13 @@ package com.powersync
 
 import java.io.File
 import java.util.UUID
+import kotlin.reflect.KClass
 
-private class R
-
-internal fun extractLib(fileName: String): String {
+@PowerSyncInternal
+public fun extractLib(
+    reference: KClass<*>,
+    fileName: String,
+): String {
     val os = System.getProperty("os.name").lowercase()
     val (prefix, extension) =
         when {
@@ -34,7 +37,7 @@ internal fun extractLib(fileName: String): String {
 
     val resourcePath = "/$prefix${fileName}_$arch.$extension"
 
-    (R::class.java.getResourceAsStream(resourcePath) ?: error("Resource $resourcePath not found")).use { input ->
+    (reference.java.getResourceAsStream(resourcePath) ?: error("Resource $resourcePath not found")).use { input ->
         file.outputStream().use { output -> input.copyTo(output) }
     }
 

core-tests-android/build.gradle.kts

@@ -8,6 +8,7 @@ plugins {
 
 dependencies {
     implementation(projects.core)
+    implementation(projects.sqlite3multipleciphers)
     implementation(libs.androidx.core)
     implementation(libs.androidx.appcompat)
     implementation(libs.androidx.material)

core-tests-android/src/androidTest/java/com/powersync/EncryptedDatabaseTest.kt

@@ -0,0 +1,57 @@
+package com.powersync
+
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import androidx.test.platform.app.InstrumentationRegistry
+import androidx.sqlite.SQLiteException
+import androidx.sqlite.execSQL
+import app.cash.turbine.turbineScope
+import com.powersync.db.schema.Schema
+import com.powersync.encryption.AndroidEncryptedDatabaseFactory
+import com.powersync.encryption.Key
+import com.powersync.testutils.UserRow
+import kotlinx.coroutines.*
+import kotlinx.coroutines.runBlocking
+import kotlinx.coroutines.test.runTest
+import org.junit.After
+import org.junit.Assert.*
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@RunWith(AndroidJUnit4::class)
+class EncryptedDatabaseTest {
+
+    @Test
+    fun testEncryptedDatabase()  =
+        runTest {
+            val context = InstrumentationRegistry.getInstrumentation().targetContext
+
+            val database = PowerSyncDatabase(
+                factory = AndroidEncryptedDatabaseFactory(
+                    context,
+                    Key.Passphrase("mykey")
+                ),
+                schema = Schema(UserRow.table),
+                dbFilename = "encrypted_test",
+            )
+
+            assertEquals("chacha20", database.get("PRAGMA cipher") { it.getString(0)!! })
+
+            database.execute(
+                "INSERT INTO users (id, name, email) VALUES (uuid(), ?, ?)",
+                listOf("Test", "test@example.org"),
+            )
+            database.close()
+
+            val unencryptedFactory = DatabaseDriverFactory(context)
+            val unencrypted = unencryptedFactory.openConnection("encrypted_test", null, false)
+
+            try {
+                unencrypted.execSQL("SELECT * FROM sqlite_schema")
+                throw IllegalStateException("Was able to read schema from encrypted database without supplying a key")
+            } catch (_: SQLiteException) {
+                // Expected
+            }
+            unencrypted.close()
+        }
+}

core/build.gradle.kts

@@ -106,8 +106,6 @@ android {
                 .toInt()
         consumerProguardFiles("proguard-rules.pro")
     }
-
-    ndkVersion = "27.1.12297006"
 }
 
 // We want to build with recent JDKs, but need to make sure we support Java 8. https://jakewharton.com/build-on-latest-java-test-through-lowest-java/