coordinode-lsm-tree 5.7.0

Embedded LSM-tree storage engine: BuRR filters, zstd dictionary compression, MVCC, range tombstones, merge operators, K/V separation, AES-256-GCM at rest.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288

use super::*;
use crate::encryption::key_chain::StaticKeyChain;
use crate::table::block::BlockType;

const TEST_KEY: [u8; 32] = [0x42; 32];
const TEST_KEY_OTHER: [u8; 32] = [0x55; 32];

fn id() -> BlockIdentity {
    BlockIdentity {
        table_id: 0x1234_5678_9ABC_DEF0,
        block_type: BlockType::Data,
        dict_id: 0,
        window_log: 0,
    }
}

fn ctx() -> EncryptionContext {
    EncryptionContext::v1(0, SuiteId::Aes256Gcm, 0, 0)
}

fn chain() -> StaticKeyChain {
    StaticKeyChain::new().with_key(0, TEST_KEY)
}

#[test]
fn parse_metadata_is_key_free_and_matches_seal() {
    // Forensic parse needs no key: seal a block, then read its
    // MetadataPayload structurally with `parse_encrypted_block_metadata`
    // (no KeyChain) and confirm the fields mirror what was sealed.
    let plaintext = b"forensic payload bytes";
    let sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();

    let meta = parse_encrypted_block_metadata(&sealed).unwrap();
    assert_eq!(meta.format_version, 1);
    assert_eq!(meta.key_epoch, 0);
    assert_eq!(meta.suite_id, SuiteId::Aes256Gcm);
    assert_eq!(meta.block_type, u8::from(BlockType::Data));
    assert_eq!(meta.compression_type, 0);
    assert_eq!(meta.dict_id, 0);
    assert_eq!(meta.window_log, 0);
    assert!(meta.ciphertext_len > 0, "body must carry ciphertext");

    // Suite is reflected for ChaCha too (proves it reads the on-disk
    // SuiteID byte, not a hard-coded default).
    let chacha_ctx = EncryptionContext::v1(0, SuiteId::ChaCha20Poly1305, 0, 0);
    let sealed_cc = encrypt_block(plaintext, &id(), &chacha_ctx, &chain()).unwrap();
    let meta_cc = parse_encrypted_block_metadata(&sealed_cc).unwrap();
    assert_eq!(meta_cc.suite_id, SuiteId::ChaCha20Poly1305);

    // Garbage / truncated input is a typed error, never a panic.
    assert!(parse_encrypted_block_metadata(b"not a frame").is_err());
    assert!(parse_encrypted_block_metadata(&sealed[..10]).is_err());
}

#[test]
fn parse_metadata_rejects_truncated_body() {
    // Regression: the forensic parser reads only the BodyFrame header (for
    // ciphertext_len) without the payload. A block cut off right after that
    // header — full MetadataFrame + BodyFrame header, but zero ciphertext
    // bytes — must still be rejected, not reported as structurally valid
    // with a ciphertext_len for bytes that aren't there.
    let sealed = encrypt_block(b"forensic payload bytes", &id(), &ctx(), &chain()).unwrap();
    // MetadataFrame = 8-byte SFA header + 39-byte payload; BodyFrame header
    // = 8 bytes. Cut to exactly that boundary: header present, body absent.
    let cut = 8 + METADATA_PAYLOAD_LEN_V1 as usize + 8;
    assert!(
        sealed.len() > cut,
        "test setup: sealed block must extend past the body header",
    );
    #[expect(
        clippy::expect_used,
        reason = "test asserts the truncated frame is rejected"
    )]
    let err = parse_encrypted_block_metadata(&sealed[..cut])
        .expect_err("truncated body must be rejected");
    assert!(
        matches!(err, DecryptError::MalformedBodyFrame(_)),
        "expected MalformedBodyFrame for a truncated body, got {err:?}",
    );
}

#[test]
fn reconstruct_aad_matches_seal_with_correct_table_id() {
    // The AAD is never on disk; offline AEAD verification needs it rebuilt.
    // Reconstructing with the SAME table_id the block was sealed under must
    // yield byte-for-byte the AAD encrypt_block used.
    let sealed = encrypt_block(b"forensic payload bytes", &id(), &ctx(), &chain()).unwrap();
    let expected = build(&ctx(), &id());
    let got = reconstruct_block_aad(&sealed, id().table_id).unwrap();
    assert_eq!(got.len(), AAD_LEN);
    assert_eq!(
        got, expected,
        "reconstructed AAD must match the sealing AAD"
    );

    // A different table_id binds to a different AAD (table_id IS in the AAD).
    let other = reconstruct_block_aad(&sealed, id().table_id ^ 1).unwrap();
    assert_ne!(got, other, "table_id must affect the reconstructed AAD");

    // Malformed input is a typed error, not a panic.
    assert!(reconstruct_block_aad(b"not a frame", 0).is_err());
}

#[test]
fn roundtrip_aes_recovers_plaintext() {
    let plaintext = b"the quick brown fox";
    let sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    let recovered = decrypt_block(&sealed, &id(), &chain()).unwrap();
    assert_eq!(&recovered.plaintext[..], plaintext);
    // Codec context echoes back from the MetadataPayload — the
    // caller is expected to thread these through structured-zstd's
    // FrameDecoder::expect_dict_id / expect_window_log
    // setters when feeding the plaintext into a zstd decode.
    assert_eq!(recovered.compression_type, 0);
    assert_eq!(recovered.dict_id, 0);
    assert_eq!(recovered.window_log, 0);
}

#[test]
fn roundtrip_chacha_recovers_plaintext() {
    let plaintext = b"the quick brown fox";
    let chacha_ctx = EncryptionContext::v1(0, SuiteId::ChaCha20Poly1305, 0, 0);
    let sealed = encrypt_block(plaintext, &id(), &chacha_ctx, &chain()).unwrap();
    let recovered = decrypt_block(&sealed, &id(), &chain()).unwrap();
    assert_eq!(&recovered.plaintext[..], plaintext);
}

#[test]
fn wrong_key_in_chain_surfaces_aead_failure() {
    let plaintext = b"the quick brown fox";
    let sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    // Reader's chain has a DIFFERENT 32-byte key under the same epoch.
    let wrong = StaticKeyChain::new().with_key(0, TEST_KEY_OTHER);
    let err = decrypt_block(&sealed, &id(), &wrong).unwrap_err();
    assert!(
        matches!(err, DecryptError::AeadVerificationFailed),
        "expected AeadVerificationFailed, got {err:?}",
    );
}

#[test]
fn missing_key_epoch_surfaces_unknown_key_epoch() {
    let plaintext = b"the quick brown fox";
    // Writer uses epoch 0; reader's chain has epoch 1 only.
    let sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    let no_epoch_zero = StaticKeyChain::new().with_key(1, TEST_KEY);
    let err = decrypt_block(&sealed, &id(), &no_epoch_zero).unwrap_err();
    assert!(
        matches!(err, DecryptError::UnknownKeyEpoch { key_epoch: 0 }),
        "expected UnknownKeyEpoch {{ key_epoch: 0 }}, got {err:?}",
    );
}

#[test]
fn cross_identity_substitution_surfaces_aead_failure() {
    // Same plaintext, sealed under one BlockIdentity. Reader
    // attempts to decrypt with a DIFFERENT BlockIdentity (table_id
    // flipped). AAD binds table_id (not tree_id — that is no longer
    // part of the identity), so the mismatch surfaces as AEAD failure.
    let plaintext = b"the quick brown fox";
    let sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    let mut wrong_id = id();
    wrong_id.table_id ^= 0x1; // flip one bit of the table id
    let err = decrypt_block(&sealed, &wrong_id, &chain()).unwrap_err();
    assert!(matches!(err, DecryptError::AeadVerificationFailed));
}

#[test]
fn trailing_bytes_after_body_are_rejected() {
    // The encrypted-block format is exactly MetadataFrame ‖
    // BodyFrame; nothing follows. A well-formed block with extra
    // bytes appended (e.g. a stray skippable frame from a
    // retired extension, or junk) must be rejected, not silently
    // accepted by ignoring the tail.
    let plaintext = b"the quick brown fox";
    let mut sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    // The clean block round-trips.
    assert!(decrypt_block(&sealed, &id(), &chain()).is_ok());
    // Append trailing bytes; decrypt must now reject.
    sealed.extend_from_slice(&[0xAB, 0xCD, 0xEF, 0x01]);
    let err = decrypt_block(&sealed, &id(), &chain()).unwrap_err();
    assert!(
        matches!(err, DecryptError::MalformedBodyFrame(_)),
        "expected MalformedBodyFrame for trailing bytes, got {err:?}",
    );
}

#[test]
fn truncated_input_surfaces_malformed_metadata() {
    let plaintext = b"the quick brown fox";
    let sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    // Cut to just the first frame header (no payload).
    let truncated = &sealed[..6];
    let err = decrypt_block(truncated, &id(), &chain()).unwrap_err();
    assert!(matches!(err, DecryptError::MalformedMetadataFrame(_)));
}

#[test]
fn encrypt_block_rejects_empty_plaintext() {
    // Spec docs/aad-block-format.md §5.3 row "BodyFrame
    // PayloadLen": valid range [1, 256 MiB] for v1 suites.
    // encrypt_block enforces the >= 1 floor so an empty input
    // can't produce a sealed block the decoder would reject.
    let err = encrypt_block(&[], &id(), &ctx(), &chain()).unwrap_err();
    assert!(
        matches!(err, crate::Error::Encrypt(_)),
        "expected Error::Encrypt for empty plaintext, got {err:?}",
    );
}

#[test]
fn encrypt_block_rejects_unknown_block_flags_bit() {
    // Symmetric to the decrypt-side rejection: encrypt_block must refuse to
    // PRODUCE a block whose BlockFlags carry a bit outside the KNOWN mask,
    // so this version never seals something its own decrypt rejects as
    // forward-incompatible.
    let mut c = ctx();
    c.block_flags = 0x10; // reserved bit, outside KNOWN
    let err = encrypt_block(b"payload", &id(), &c, &chain()).unwrap_err();
    assert!(
        matches!(err, crate::Error::Encrypt(_)),
        "expected Error::Encrypt for unknown BlockFlags bit, got {err:?}",
    );
}

#[test]
fn invalid_window_log_surfaces_malformed_metadata() {
    // WindowLog spec: 0 (no enforcement) or 10..=31. Tamper a
    // sealed block to put a forbidden value (9) in the
    // WindowLog byte; the decoder must reject before any AEAD
    // work even though the AEAD tag is over the AAD that
    // includes window_log (so a subsequent tag-verify would
    // ALSO fail, but the structural check fires first).
    let plaintext = b"the quick brown fox";
    let mut sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    // MetadataFrame layout: [4 magic][4 PayloadLen][1 HeaderByte]
    // [1 KeyEpoch][1 BlockType][1 SuiteID][1 CompressionType]
    // [4 DictID][1 WindowLog][...]. WindowLog is at offset 8 + 9
    // = 17 from the start of the sealed bytes.
    sealed[17] = 9; // invalid (< 10, not zero)
    let err = decrypt_block(&sealed, &id(), &chain()).unwrap_err();
    assert!(
        matches!(err, DecryptError::MalformedMetadataFrame(_)),
        "expected MalformedMetadataFrame for WindowLog=9, got {err:?}",
    );
}

#[test]
fn oversized_body_payload_len_rejected_before_alloc() {
    // Forge the BodyFrame's PayloadLen to advertise the maximum
    // legal u32 — a naive decoder would try to allocate ~4 GiB
    // before realising the underlying reader has no such data.
    // The upfront cap rejects before any allocation.
    let plaintext = b"the quick brown fox";
    let mut sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    // MetadataFrame total size = 8 (framing) + METADATA_PAYLOAD_LEN_V1.
    // BodyFrame starts right after it; its PayloadLen is at frame offset 4.
    // Derive from the constant so this keeps hitting PayloadLen (not the
    // BodyFrame magic) if the payload length ever changes again.
    let metadata_frame_len = 8 + METADATA_PAYLOAD_LEN_V1 as usize;
    let body_payload_len_at = metadata_frame_len + 4;
    sealed[body_payload_len_at..body_payload_len_at + 4].copy_from_slice(&u32::MAX.to_le_bytes());
    let err = decrypt_block(&sealed, &id(), &chain()).unwrap_err();
    assert!(
        matches!(err, DecryptError::MalformedBodyFrame(_)),
        "expected MalformedBodyFrame for oversized BodyFrame PayloadLen, got {err:?}",
    );
}

#[test]
fn unknown_block_flags_bit_rejected_before_aead() {
    // For an encrypted block the BlockFlags byte is the only transform
    // descriptor the reader can trust. A byte with a reserved bit set (a
    // forward-incompatible transform stack this build cannot process) must
    // be rejected structurally — before the AEAD runs — not authenticated
    // and then mis-processed.
    let plaintext = b"the quick brown fox";
    let mut sealed = encrypt_block(plaintext, &id(), &ctx(), &chain()).unwrap();
    // BlockFlags sits at MetadataFrame payload offset 10 → absolute offset
    // 8 (framing) + 10 = 18. Set a reserved bit (1<<4) outside KNOWN.
    const BLOCK_FLAGS_AT: usize = 8 + 10;
    sealed[BLOCK_FLAGS_AT] |= 0x10;
    let err = decrypt_block(&sealed, &id(), &chain()).unwrap_err();
    assert!(
        matches!(err, DecryptError::MalformedMetadataFrame(_)),
        "expected MalformedMetadataFrame for unknown BlockFlags bit, got {err:?}",
    );
}