WL#10957: Binary log encryption at rest (Step 3)

Made mysqlbinlog to state that it cannot read encrypted log files.

@ sql/binlog_istream.{h|cc}

  Added a new Error_type to Binlog_read_error specific to mysqlbinlog
  client program.

@ sql/binlog_istream.cc

  Instead of trying to deserialize the encrypted reader, mysqlbinlog is
  now reporting it cannot read encrypted binary log files directly.

Author: Joao Gramacho

mysql-test/suite/rpl_nogtid/r/rpl_nogtid_encryption_read.result

@@ -98,6 +98,8 @@ ERROR HY000: Can't find key from keyring, please check in the server log if a ke
 UNINSTALL PLUGIN keyring_file;
 SHOW BINLOG EVENTS IN 'master-bin.000002';
 ERROR HY000: Failed to fetch key from keyring, please check if keyring plugin is loaded.
+# Part 5
+include/assert_grep.inc [mysqlbinlog reported it does not support reading encrypted log files]
 [connection slave]
 include/start_slave.inc
 include/rpl_end.inc

mysql-test/suite/rpl_nogtid/t/rpl_nogtid_encryption_read.test

@@ -62,6 +62,11 @@
 # After uninstalling the keyring_file plug-in, the server shall throw an error
 # when requested to access the encrypted binary log file.
 #
+# Part 5: mysqlbinlog is unable to dump encrypted binary logs
+#
+# Request mysqlbinlog to dump the content of the encrypted binary log file
+# and parse the output asserting that the expected error message was thrown.
+#
 #
 # This test case rely in two previously generated files:
 #
@@ -243,6 +248,20 @@ UNINSTALL PLUGIN keyring_file;
 --error ER_RPL_ENCRYPTION_FAILED_TO_FETCH_KEY
 --eval SHOW BINLOG EVENTS IN '$binlog_file'
 
+--echo # Part 5
+--let $output_file= $MYSQLTEST_VARDIR/tmp/mysqlbinlog.log
+--let $error_file= $MYSQLTEST_VARDIR/tmp/mysqlbinlog.err
+--error 1
+--exec $MYSQL_BINLOG -F $binlog_file_path > $output_file 2> $error_file
+--let $assert_text= mysqlbinlog reported it does not support reading encrypted log files
+--let $assert_file= $error_file
+--let $assert_count= 1
+--let $assert_select= Reading encrypted log files directly is not supported
+--source include/assert_grep.inc
+--remove_file $output_file
+--remove_file $error_file
+
+# Cleanup
 --remove_file $keyring_file
 --source include/rpl_connection_slave.inc
 --source include/start_slave.inc

sql/binlog_istream.cc

@@ -56,6 +56,8 @@ const char *Binlog_read_error::get_str() const {
     case CANNOT_GET_FILE_PASSWORD:
       return "Cannot get file password for encrypted replication log file, "
              "please check if keyring plugin is loaded";
+    case READ_ENCRYPTED_LOG_FILE_IS_NOT_SUPPORTED:
+      return "Reading encrypted log files directly is not supported.";
     default:
       /* There must be something wrong in the code if it reaches this branch. */
       DBUG_ASSERT(0);
@@ -134,6 +136,7 @@ bool Basic_binlog_ifile::read_binlog_magic() {
   */
   if (memcmp(magic, Rpl_encryption_header::ENCRYPTION_MAGIC,
              Rpl_encryption_header::ENCRYPTION_MAGIC_SIZE) == 0) {
+#ifdef MYSQL_SERVER
     std::unique_ptr<Binlog_encryption_istream> encryption_istream{
         new Binlog_encryption_istream()};
     if (encryption_istream->open(std::move(m_istream), m_error))
@@ -146,6 +149,10 @@ bool Basic_binlog_ifile::read_binlog_magic() {
     if (m_istream->read(magic, BINLOG_MAGIC_SIZE) != BINLOG_MAGIC_SIZE) {
       DBUG_RETURN(m_error->set_type(Binlog_read_error::BAD_BINLOG_MAGIC));
     }
+#else
+    DBUG_RETURN(m_error->set_type(
+        Binlog_read_error::READ_ENCRYPTED_LOG_FILE_IS_NOT_SUPPORTED));
+#endif
   }
 
   if (memcmp(magic, BINLOG_MAGIC, BINLOG_MAGIC_SIZE))

sql/binlog_istream.h

@@ -61,7 +61,8 @@ class Binlog_read_error {
     // The binlog magic is incorrect
     BAD_BINLOG_MAGIC,
     INVALID_ENCRYPTION_HEADER,
-    CANNOT_GET_FILE_PASSWORD
+    CANNOT_GET_FILE_PASSWORD,
+    READ_ENCRYPTED_LOG_FILE_IS_NOT_SUPPORTED
   };
 
   Binlog_read_error() {}